Meeting the Information Security Management Challenge in the Cyber-Age

Transcription

1 Meeting the Information Security Management Challenge in the Cyber-Age November 2015 David Lam, CISSP, CPP Vice-President Citadel Information Group Copyright Citadel Information Group. All Rights Reserved.

2 Citadel Information Group: Who We Are 2 Stan Stahl, Ph.D Co-Founder & President 35+ Years Experience Reagan White House Nuclear Missile Control Kimberly Pease, CISSP Co-Founder & VP Former CIO 15+ Years Information Security Experience David Lam, CISSP, CPP VP Technology Management Services Former CIO 20+ Years Information Security Experience

3 Citadel Information Group: What We Do 3 Deliver Information Peace of Mind SM to Business and the Not-for-Profit Community Cyber Security Management Services Information Security Leadership Information Security Management Consulting & Coaching Adverse Termination Assessments & Reviews Executive Management Technical Management

4 Introductions Your company What you hope to get from this session Your major cyberconcerns

5 Media: Tying it Together Cyber-risk Industry specific concerns Trade-secret type concerns

6 Online Fraud: Stealing Bank Credentials

7 Online Fraud: Fooling the Controller 7 From: Your Vendor, Stan Sent: Sunday, December 28, :07 PM To: Bill Hopkins, CFO Subject: Change of Bank Account Hi Bill Just an alert to let you know we ve changed banks. Please use the following from now on in wiring our payments. RTN: Account: I m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter. Great thanks. Cheers - Stan The secret of success is honesty and fair-dealing. If you can fake that, you ve got it made... Groucho Marx

8 8 Company Loses $46 Million to Online Fraud

9 9 CryptoLocker: User Opens Attachment. Hacker Encrypts Files. Demands Ransom.

10 10 Epidemic of Credit Card Theft Medical Records Theft Personnel Records Theft

11 11 Data Breach Costs Expensive. Money Down the Drain. Approximately $150 Per Compromised Record $15 Million Per Event Investigative Costs Breach Disclosure Costs Legal Fees Identity Theft Monitoring Lawsuits Customers Shareholders

12 12 Competitor Steals Information. Bankrupts Company.

13 13 Intellectual Property Theft Economic Death by a Thousand Cuts

14 14 Reputations Damaged, Computer Systems Destroyed for Disrespect

15 15 Organizations Attacked for Political Views

16 16 Organizations Attacked foralleged Violation of Terms of Service

17 17 Disgruntled Employees Sabotage Systems, Steal Information and Extort Money

18 The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity 18 Customer Information Credit Cards and PCI Compliance HIPAA Security Rule Breach Disclosure Laws On-Line Bank Fraud & Embezzlement Theft of Trade Secrets & Other Intellectual Property Critical Information Made Unavailable Systems Used for Illegal Purposes

19 19 Cybercrime s Greatest Impact is on Small & Medium Sized Organizations 30% of victims have fewer than 250 employees 60% of smallbusiness victims are out of business within 6 months 80% of breaches preventable with basic security

20 20 Managing Information Risk Four Key Questions 1. How serious is cybercrime and why should my organization care? 2. How vulnerable are we, really? 3. What do we need to do? 4. How do we do it?

21 21 Why Are We so Vulnerable? Three Inconvenient Truths Internet not designed to be secure Computer technology is riddled with security holes We humans are also imperfect

22 22 Cyber Security Need vs. Reality

23 23 Phishing: Users Unwittingly Open the Door to Cybercrime com.us.welcome.c.tr ack.bridge.metrics.po rtal.jps.signon.online. sessionid.ssl.secure. gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact 3f.uwu2e4phxrm31jy mlgaz.9rjfkbl26xnjskx ltu5o.aq7tr61oy0cmbi 0snacj.4yqvgfy5geuu xeefcoe7.paroquian sdores.org/

24

25 25 Vendors an Increasing Information Security Risk

26 26 Cybercriminals Take Advantage of Insecure Internet

27 27 Cybercriminals Find New Weaknesses to Exploit

28 28 User Behaviors Open the Door to Cybercriminals Fall for Phishing Attacks Click on Links Open Attachments Use Weak Passwords Use Same Passwords on Multiple Accounts Send Personally Identifiable Information (PII) Unencrypted Send s to Wrong Recipient Lose Laptops

29 29 Cybercriminals Take Over Computers by Exploiting Flaws Vulnerabilities in Programs

30 30 Technology Solutions Are Inadequate to Challenge

31 Management Too Often Fails to Set Security Standards for IT Network Hi Bob. Things good? You re keeping us secure now aren t you? Yes sir. Everything s fine. Yes sir. Everything s fine. Senior Management That s great Bob. We re all counting on you. IT Head I appreciate that sir.

32 32 Management Too Often Fails to Properly Fund IT Network Security Hi Bob. Things good? You re keeping us secure now aren t you? Yes sir. Everything s fine but. We need a BYOD Solution. Senior Management I understand. But you know how tight budgets are. IT Head I do. Yes sir.

33 33 We Make It Way Too Easy: 80% of Breaches are Low Difficulty Inadequate training of people Inadequate security management of IT networks Inadequate involvement by senior management Verizon 2013 Data Breach Investigations Report:

34 34 Securing Your Organization Distrust and caution are the parents of security. Benjamin Franklin

35 The Objective of Cyber Security Management is to Manage Information Risk Cyber Fraud Information Theft Ransomware Denial of Service Attack Regulatory / Compliance Disaster Loss of Money Brand Value Competitive Advantage

36 The Four Elements of Information Risk 36 Confidentiality Assuring information is only accessible to those authorized to use it Integrity Assuring that information is changed in accordance with authorized procedures by people authorized to change it Availability Assuring that information and systems are available so users have access to critical information when they need it Authenticity Assuring that a received message is really from the purported sender

37 37 The Information Security Management Chain Identify Protect Detect Respond Recover Continuous Security Management Improvement Risk Transfer and Insurance Legal and Regulatory Framework Based Upon: 1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, International Standards Organization 27001:2013: Information technology Security techniques Information security management systems Requirements 3. Porter Value Chain: Understanding How Value is Created Within Organizations

38 Don t Try to Reinvent Wheel: Use an Accepted Information Security Management Framework 38 Information Security Policies Organization of Information Security Human Resource Security Asset Management Access Control Cryptography Physical / Environmental Security Operations Security Communications Security System Acquisition, Development & Maintenance Supplier Relationships Information Security Incident Management Information Security Aspects of Business Continuity Management Compliance

39 39 Manage Information Security Like Everything Else. Establish Leadership. An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage. Jack Welch

40 40 Take Specific Action to Protect Against Online Financial Fraud Implement Internal Controls Over Payee Change Requests Assume Compromise Out-of-Band Confirmation Use Dedicated On-Line Banking Workstation Keep Patched Use Only for On-Line Banking Work with Bank Dual Control Out-Of-Band Confirmation Strong Controls on Wires

41 41 Know What Information Needs To Be Protected and Where It Is Online Banking Credentials Credit cards Employee Health Information Salaries Trade Secrets Intellectual Property Customer Information Servers Desktops Cloud Home PCs BYOD devices

42 42 Implement Written Information Security Management Policies and Standards

43 43 Train Staff to Be Mindful. Provide Phishing Defense Training.

44 44 Provide Information Security Education. Change Culture. If you do not know your enemies nor yourself, you will be imperiled in every single battle.

45 45 Ensure IT has Aggressive Vulnerability and Patch Management Program.

46 46 Require Vendors to Meet Security Management Standards Security Management included in Service Level Agreements Comply with Information Security Standards Business Associate Agreements (HIPAA) Information Security Continuing Education

47 47 Critical Information Available in Disaster? Trust But Verify (really).

48 48 Be Prepared: It s Not If But When

49 49 Be Prepared Collect, Protect and Analyze Evidence Ensure IT is logging all potentially-relevant events Make sure IT staff doesn t unknowingly destroy valuable evidence Use trained experts to conduct incident forensics

50 50 Getting Started: If You Don t Know Where You Are, a Map Won t Help. Risk-Driven Information Security Assessment Information to Protect Customer / Client Information Staff Information Credit Cards Trade Secrets & Intellectual Property Compliance Responsibilities Payment Card Industry PCI DSS HIPAA Security Rule GLBA Organizational Strengths / Weaknesses Technology Management Strengths / Weaknesses IT Network Weaknesses

51 51 Build Continuous Performance Improvement Into Information Security Management Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs W. Edwards Deming 14 Key Principles for Improving Organizational Effectiveness

52 52 Summary: Manage the Security of Information as Seriously as Operations & Finance Implement Formal Information Security Management System 1. Information Security Manager / Chief Information Security Officer a. Independent C-Suite Access b. Provide Cross-Functional Support c. Support with Subject-Matter Expertise 2. Implement Formal Risk-Driven Information Security Policies and Standards 3. Identify, Document and Control Sensitive Information 4. Train and Educate Personnel. Change Culture. 5. Manage Vendor Security 6. Manage IT Infrastructure from information security point of view

53 53 The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It s not good enough to go to your CIO and say are we good to go. You ve got to be able to ask questions and understand the answers. Major Gen Brett Williams, U.S. Air Force (Ret) This Week with George Stephanopoulos, December 2014

54 54 Eight Cyber Security Management Questions for the Board and C-Suite 1. What are the company s information crown jewels? 2. What management expertise does the company have to manage its information security needs? 3. What awareness training and continuing education do staff have so they know their information security responsibilities? 4. What technical capabilities does the company have in place to detect, deter, identify and recover from malicious events? 5. What is the company s response plan in the event of a breach/attack? How often is the response plan tested? 6. What security capabilities and controls are required of 3rd-parties having access to company information systems? 7. What relationships does the company have/need to develop with government and other third-party organizations to respond effectively to a breach? 8. How frequently does the board receive cyber threat briefings from the company? See, e.g., The Board s Role in Cybersecurity, Richard Clarke and Jacob Olcott, The Conference Board, March 2014; available on

55 Information Security is Proactively Managed ation Security is Meet Proactively Information Managed Security Standard of Care formation Security Lower Standard Total Cost of Care of Information Security SM Total Cost of Information Security SM

56 For More Information 56 David Lam Citadel Information Group: Information Security Resource Library Free: Cyber Security News of the Week Free: Weekend Vulnerability and Patch Report

57 Meeting the Information Security Management Challenge in the Cyber-Age David Lam, CISSP, CPP Vice-President Citadel Information Group Copyright Citadel Information Group. All Rights Reserved.