CYBER SECURITY CHALLENGES AND SOLUTIONS AN EXECUTIVE BRIEFING

Transcription

1 Providing Information Peace of Mind to Business and the Notfor-Profit Community CYBER SECURITY CHALLENGES AND SOLUTIONS AN EXECUTIVE BRIEFING Long Beach CalCPA Discussion Group December 21, 2011 Stan Stahl, Ph.D. President Citadel Information Group Phone: Copyright Citadel Information Group, Inc. All Rights Reserved.

2 It was the best of times. It was the worst of times. Charles Dickens

3

4

5

6

7

8

9

10

11

12

13

14 Houston... We Have a Problem 14

15 Annual Cost of Online Bank Fraud: $1,000,000, Bloomberg, Aug 4, 2011:

16 16 Financial Fraud and Identity Theft at Epidemic Levels 542,649,217 Financial Records Reported Breached January 10, 2005 December 14, 2011 These count only reported breaches. They count neither (1) discovered but unreported breaches nor (2) undiscovered breaches.

17 17 Average Cost of Data Breach: $214 Per Compromised Record; $7.2 Million Per Event

18 18 State-Sponsored Cyber Espionage and Intellectual Property Theft Copyright ISSA-LA. All Rights Reserved.

19 19 Cyber Crime World s Most Dangerous Criminal Threat iej.html

20 Information Risk is Business Risk 20 Business Information Under Attack Theft Financial Fraud & Embezzlement Stolen Sales Information Corporate Espionage Theft of Proprietary Processes, Technologies & Other Intellectual Property Loss of Protected Information Belonging to Others Critical Information Unavailable Systems Used for Illegal Purposes

21 21 Information Security Odds Are With Cyber Criminal Cybercriminals Know vulnerabilities Choose where, when & how of attack Attacks blend technology with social engineering Defenders Inadequately aware of threat Over-emphasis on yesterday s technology Lack of specialized knowledge & training Staff not trained to be mindful

22 Meeting the Challenge of Cyber Crime 22 It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles, If you do not know your enemies but do know yourself, you will win one and lose one, If you do not know your enemies nor yourself, you will be imperiled in every single battle.

23 23 Know Your Enemy

24 Why Would Anyone Break Into Information Systems? 24 Because that s where the money is! Bank fraud Other network-based fraud Sell stolen credit cards, SS#, medical identities Sell stolen intellectual property Lease botnets for spam, DDOS attacks, storage Willie Sutton

25 The Growing Global Cyber Criminal Market 25 Organized Cyber Crime Gangs State- Sponsored Cyber Crime Political Hacktivists Cyber Crime Underground

26 CarderPlanet: Ensuring Honor Among Thieves 26 Wired, January 31, 2007: s/2007/01/72605

27 27 Spy Eye: Easy-to-Use Software for the Non- Technical Cyber Criminal

28 And It s Only Getting Worse 28

29 Beware the Inside Threat 29 Crimes include Embezzlement & Financial Theft Theft of Intellectual Property Destruction of Information Assets Spying on Management & Other Employees Masquerading as Other Employees Running Other Businesses Physical Theft Resource Misuse

30 Cyber Crime: A Lucrative Business Model 30 Opportunities to Make Money Cost of Entry Likelihood of Being Caught

31 31 How Your Computer Gets Owned

32 32 We re Secure. We Have Locks on All the Entrances.

33 Bypassing the Locks: Firewall 33 Firewall blocks activity on unneeded ports Cyber criminals use and Internet to go through open ports

34 34 Bypassing the Locks: Anti-Virus / Anti-Malware Fails to Block 60% of Zeus Attacks Anti-Virus blocks known malware DNA Cyber criminals create malware whose DNA changes every time it installs

35 Bypassing the Locks: Exploit Flaws in Software 35

36 36 Bypassing the Locks: Social Engineering Phishing & Spear-Phishing Before: The Nigerian Scam Now: Targeted Spear-Phishing c.track.bridge.metrics.portal.jps.signo n.online.sessionid.ssl.secure.gkkvnx s62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnj skxltu5o.aq7tr61oy0cmbi0snacj.4yqv gfy5geuuxeefcoe7.paroquiansdores. org/

37 Bypassing the Locks: Install Malware on Legitimate Web Sites to Infect Visitors

38 Bypassing the Locks: Public Wi-Fi 38

39 39 Bypassing the Locks: Attack Remote Computing Devices

40 40 Anatomy of an Attack: Phase 1 Take Control of the Workstation Spear-Phishing Web Site Drive-By SmartPhone Malicious USB Key 0-Day Exploit Social Engineering ZeuS / SpyEye Trojan Key Logger File Access Botnet Herder

41 $$$$$ Phase 2 Steal Money & Sell Information 41 User IDs and Passwords Credit Card & Bank Numbers Sensitive Information Illegal Computer Use Sensitive Info Computer

42 42 Lowering the Odds: The View From 50,000 Feet

43 Cyber Security Protection 43 Information Security Management

44 Information Security Management 44 Confidentiality

45 45 Laws, Regulations, Contracts & Recommended Practices Establish Standard of Care US Federal Law Gramm-Leach-Bliley HIPAA FTC Rule US State Laws CA Civil Code CA 1386 / SB24 Breach Disclosure MasterCard and Visa Data Security Standard (PCI) European & Other Laws ISO standards ISO ISO Government Standards, Guides & Advisories NIST NSA US-CERT Practitioner Standards ISSA ISACA (ISC) 2 SANS Institute

46 46 Meeting Standard of Care Requires Top-Level Management & Leadership Information security requires CEO attention in their individual companies Business Roundtable, 2004 Copyright Citadel Information Group. All Rights Reserved.

47 Fundamental Concept: Defense in Depth 47 Operating Assumption: Cyber criminals will get through any particular defense

48 48 Secure from the Bottom Up Manage / Lead from the Top Down Information Security Governance Information Security Policies Compliance Management Plan for Incidents Manage 3 rd -Parties Trust. But Verify. Classify & Control Information IT Security Management Physical & Personnel Security Keep Systems Patched Intrusion Detection & Prevention Train Staff

49 49 Manage Information Security Like Other Quality Programs ISO 27001, Annex ISO A5: Security Policy A6: Organization A7: Asset Management A8: Human Resources A9: Physical / Environmental A10: Communication & Operations Management A11: Access Control A12: Acquisition, Development & Maintenance A13: Incident Management A14: Business Continuity A15: Compliance Copyright Citadel Information Group. All Rights Reserved. Information Security Management System Continuous Process Improvement Engine Demonstrate Continuous Process Improvement of Organization's Ability to Secure Sensitive Information 9/29-30/2010

50 Getting Started: The As-Is 50 If You Don t Know Where You Are, a Map Won t Help Copyright Citadel Information Group. All Rights Reserved.

51 Getting Started: The To-Be 51 If you don t know where you re going, when you get there you ll be lost. Yogi Berra Copyright Citadel Information Group. All Rights Reserved.

52 52 An Ounce of Prevention is Worth a Pound of Cure Security Prevention Costs Technology costs Security management costs Executive IT security management Security overhead costs Security Incident Costs Cold hard cash Direct incident recovery costs Lost productivity costs Intellectual property losses Breach disclosure costs Legal & attorney costs, including investigations and fines Loss of brand value Loss of competitive advantage

53 The Objective: Information Peace of Mind Protect Business Meet Information Security Standard of Care Lower Total Cost of Information Security SM 53 Copyright Citadel Information Group. All Rights Reserved.

54 Greatest Challenge: Organizational Leadership 54 Awareness of Risk Knowledge and Ability to Act Enthusiasm for Getting Involved Eagerness to Create a Culture of Cyber Security Mindfulness Attitude that Failure is not an option Continually asks What don t I know that I don t know I don t know

55 55 Lowering the Odds: Some Specifics

56 Keep Software Patched and Updated 56

57 Reduce Risk of On-Line Bank Fraud 57 Use Stand-Alone Workstation for On- Line Banking Use Only for On-Line Banking No No web browsing Best to Have Separate Internet Connection Best if Separate from Corporate Network Strongly Manage Security of Necessary Connection Out-Of-Band Confirmation from Bank Daily Out-of-Band Reconciliation Train Staff to Limit Information Posted on Social Networks Control Use of Social Networks from Office Be Suspicious It s Not Paranoia if They are Out to Get You

58 Passwords: Easier Than Ever 58 Corporate, Banking, ecommerce Long passphrase Web65mailers$ Lovemyjob$$$3 Different on Different Sites Registration Passwords qwertyu7 Use Secure Password Manager Carefully Roboform Keepass

59 Be Careful with File Transfer Services 59 Extremely Useful When Used with Care Responsibility with User Know what you re buying Having security feature feature implemented correctly Train staff on (in)secure use

60 The Cloud: Yes But Look Before You Leap 60 Cloud Services Salesforce Authorize.net icloud, Google, Amazon S3 Gmail, Office 365 Private clouds Desktop as a Service Security as a Service Security and Legal Challenges Security & privacy responsibility Information availability Legal compliance

61 Use Encryption to Protect Sensitive Data 61 Encryption at Rest Laptops External & USB drives Sensitive databases Encryption in Transit HTTPS: WPA2 for Wi-Fi Dropbox Disk & File Encryption Tools Windows BitLocker: Hard drive encryption Truecrypt: Hard drive encryption Axcrypt: File encryption WinZip: File encryption Key Performance Parameters Encryption algorithm Key length Key security Time to encrypt / decrypt

62 Protect Remote Computing Devices 62 Laptops and Netbooks Protect like desktops Encrypt hard drives ipads, Smartphones, Tablets Minimize sensitive processing Manage Wi-Fi Encrypt when available Password protect Remote find & kill Beware of Android Apps Use VPN when available

63 When Things Go Wrong 63 Incident Response Information Continuity The Trade-Off Back to work Evidence Preservation Be Prepared Network logs Plans Tests Training

64 Meeting the Challenge of Cyber Crime 64 It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles, If you do not know your enemies but do know yourself, you will win one and lose one, If you do not know your enemies nor yourself, you will be imperiled in every single battle.

65 65 Securing the Community It Takes the Village to Protect the Village

66 ISSA-LA: Creating the Los Angeles Cyber Security Management Learning Village 66 Problems cannot be solved by the same level of thinking that created them Albert Einstein Copyright Citadel Information Group. All Rights Reserved.

67 ISSA: 27 Years of Information Security Management Experience 10,000+ members 140 chapters 70 Countries CISSP Internet Security: CIA, Identity Theft, Bank Fraud, etc PC and Network Security: CIA National Security: Confidentiality & Availability Banking, Insurance, Fraud Control: Data Integrity & Availability 67

68 68 ISSA: Providing National Cyber Security Leadership December 22, 2009: ISSA International Board President Howard Schmidt Takes New Responsibility as President Obama s White House Cyber Security Coordinator.

69 69 ISSA-LA: Proactively Driving Information Systems Security Thinking in the Community ISSA-LA s Mission The premier catalyst and information source in the Los Angeles community for improving the practice of information security. Education, networking and support to our direct constituents Information security practitioners IT practitioners with information security responsibilities Information security vendors Outreach, advocacy and education to the broader Los Angeles community It Takes the Village to Secure the Village SM Copyright ISSA-LA. All Rights Reserved.

70 It Takes the Village to Secure the Village SM 70 Business Community InfoSec Community IT Community Law Enforcement ISSA-LA Schools & Education Not-for-Profit Community Families Government Copyright ISSA-LA. All Rights Reserved.

71 ISSA-LA Community Outreach Activities 71 Monthly Lunch Meetings [9 per year] Quarterly Dinner Meetings Annual Information Security Summit in Spring Quarterly CISO Forum Professional Study Groups Collaboration with Colleges, Universities, Professional Associations 2012 Initiatives Community-Based Web Site Community Outreach Speaker s Bureau Quarterly Executive Management Forum Quarterly CIO Forum Quarterly IT Security Briefing Family & Children Cyber Security Program Copyright ISSA-LA. All Rights Reserved.

72 72 An Information Security Ethical Standard of Behavior Protect your neighbor's information as you would want your neighbor to protect yours.

73 For More Information LinkedIn: ISSA-LA: LinkedIn Group Technical: ISSA Los Angeles Chapter Networking LinkedIn Group Community: Friends of ISSA-LA Subscribe to our blogs: Cyber Security News of the Week Weekly Patch and Vulnerability Report Coming soon: CitadelOnSecurity: Citadel s portal to information security awareness training and education

74 Thank You! CYBER SECURITY CHALLENGES AND SOLUTIONS AN EXECUTIVE BRIEFING Providing Information Peace of Mind to Business and the Notfor-Profit Community Copyright Citadel Information Group, Inc. All Rights Reserved.