Meeting the Information Security Management Challenge in the Cyber-Age



Meeting the Information Security Management Challenge in the Cyber-Age
April 29, 2015
Stan Stahl, Ph.D., President, Citadel Information Group
Phone: 323.428.0441
Stan@Citadel-Information.com
www.citadel-information.com
Copyright 2015. Citadel Information Group. All Rights Reserved.

Objectives
Bring you up-to-date on cybercrime and its threat to your organization
Show you where and how we are vulnerable to attack
Provide practical defense tactics
Provide a strategic overview of information security management
Help you see that the fundamental information security challenge is cultural
Enlist your support as emissaries back to your organizations to begin the process of culture change

"The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It's not good enough to go to your CIO and say are we good to go. You've got to be able to ask questions and understand the answers."
Major Gen Brett Williams, U.S. Air Force (Ret), This Week with George Stephanopoulos, December 2014

Citadel Information Group: Who We Are
Stan Stahl, Ph.D., Co-Founder & President: 30+ Years Experience; Reagan White House; Nuclear Missile Control; President, ISSA-LA
Kimberly Pease, CISSP, Co-Founder & VP: Former CIO; 15+ Years Information Security Experience
David Lam, CISSP, CPP, VP Technology Management Services: Former CIO; 20+ Years Information Security Experience; VP, ISSA-LA

Citadel Information Group: What We Do
Deliver Information Peace of Mind to Business and the Not-for-Profit Community
Cyber Security Management Services: Information Security Leadership; Information Security Management Consulting; Assessments & Reviews; Executive Management; Technical Management

CyberCrime in the News

Cybercrime's Greatest Impact is on Small & Medium Sized Businesses
30% of victims have fewer than 250 employees
60% of small-business victims are out of business within 6 months
80% of these breaches preventable

Managing Information Risk: Four Key Questions
1. How serious is cybercrime and why should my organization care?
2. How vulnerable are we, really?
3. What do we need to do?
4. How do we do it?

Online Financial Fraud Continues To Be Growing Challenge
From: Your Vendor, Stan
Sent: Sunday, December 28, 2014 12:07 PM
To: Bill Hopkins, CFO
Subject: Change of Bank Account
Hi Bill
Just an alert to let you know we've changed banks. Please use the following from now on in wiring our payments.
RTN: 123456789
Account: 0010254742631
I'm still planning to be out your way in February. It will be nice to get out of the cold Montreal winter. Great thanks.
Cheers - Stan
"The secret of success is honesty and fair-dealing. If you can fake that, you've got it made..." Groucho Marx

Lawyer Clicks on Attachment. Loses $289K.
A lawyer who clicked on an email attachment lost $289,000 to hackers who likely installed a virus that recorded his keystrokes. The anonymous lawyer, identified only as John from the San Diego area, told ABC 10 News how it happened. On Feb. 9, John received an email with an address ending in usps.gov. Thinking he had received a legitimate email from the U.S. Postal Service, he clicked on the attachment. "I thought it was legitimate and I clicked on the attachment," said John, an attorney with a local firm, who asked 10News not to identify him for fear of hurting his firm.

Hackers Encrypt Your Files, Demand 'Ransom'

Data Breach Costs Expensive. Money Down the Drain.
$200 Per Compromised Record
$5.5 Million Per Event
Investigative Costs; Breach Disclosure Costs; Legal Fees; Identity Theft Monitoring; Lawsuits (Customers, Shareholders)
http://www.ponemon.org/index.php

Company Driven Into Bankruptcy by Competitor Hack

Sony is Not Only Company Breached for Political Views

Disgruntled Employees Sabotage Systems, Steal Information and Extort Money

The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity
Customer and Client Information
Credit Cards and PCI Compliance
HIPAA Security Rule
Breach Disclosure Laws
On-Line Bank Fraud & Embezzlement
Theft of Trade Secrets & Other Intellectual Property
Loss of Other People's Information
Critical Information Made Unavailable
Systems Used for Illegal Purposes

Why Are We so Vulnerable? Three Inconvenient Truths
Internet was not designed to be secure
Computer technology is riddled with security holes
We humans are also imperfect

Cyber Security Need vs. Reality

Users Unwittingly Open the Door to Cybercrime
http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
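The link on this slide is a lookalike: the host begins with www.citibank.com, but the browser connects to whatever was registered under paroquiansdores.org, because only the right-most labels of a hostname are the registered domain. The Python below is added here as an illustration (it is not part of the presentation) and extracts that registrable domain so a user or a mail filter can compare it with the brand being imitated; the small suffix set is an assumption standing in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Phishing link reproduced from the slide above: it begins with "www.citibank.com",
# but everything left of "paroquiansdores.org" is just subdomain labels the
# attacker controls.
PHISH_URL = ("http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon."
             "online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f."
             "uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj."
             "4yqvgfy5geuuxeefcoe7.paroquiansdores.org/")

# Assumption: a tiny stand-in for the Public Suffix List. A production checker
# loads the real list; here only multi-label suffixes need listing, and any
# single-label TLD (.com, .org, ...) is handled by default.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the part of the host that someone actually had to register."""
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    # Public suffix is the last label, or the last two for entries like co.uk.
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return host  # bare TLD or single-label host such as "localhost"
    return ".".join(labels[-(suffix_len + 1):])


def is_brand_lookalike(url: str, brand_domain: str) -> bool:
    """True when the brand's domain appears in the host but is not the registered domain."""
    host = (urlsplit(url).hostname or "").lower()
    return brand_domain in host and registrable_domain(url) != brand_domain


def check_link(url: str, brand_domain: str) -> dict:
    """Summarise what a user-awareness tool or mail filter would report for a link."""
    return {
        "registrable_domain": registrable_domain(url),
        "brand_lookalike": is_brand_lookalike(url, brand_domain),
    }


if __name__ == "__main__":
    print(check_link(PHISH_URL, "citibank.com"))
    print(check_link("https://online.citibank.com/login", "citibank.com"))
```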

Vendors an Increasing Information Security Risk

Cybercriminals Hack Websites to Infect User Computers with Malware

Cybercriminals Hack Ad Servers to Infect User Computers with Malware

Bottom Line: We Let Cybercriminals in the Front Door
Fall for Phishing Attacks
Click on Email Links
Open Email Attachments
Use Weak Passwords
Use Same Passwords on Multiple Accounts
Send Personally Identifiable Information (PII) Unencrypted
Send Emails to Wrong Recipient
Lose Laptops

Cybercriminals Exploit Flaws: Vulnerabilities in the Programs We Use

Technology Solutions Are Inadequate to Challenge
http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/

Management Too Often Fails to Set Security Standards for IT Network
Senior Management: Hi Bob. Things good? You're keeping us secure now, aren't you?
IT Head: Yes sir. Everything's fine.
Senior Management: That's great Bob. We're all counting on you.
IT Head: I appreciate that sir.
Know how to ask questions and understand answers.

Management Too Often Fails to Properly Fund IT Network Security
Senior Management: Hi Bob. Things good? You're keeping us secure now, aren't you?
IT Head: Yes sir. Everything's fine. We need a BYOD Solution.
Senior Management: I understand. But you know how tight budgets are.
IT Head: I do. Yes sir.
Know how to ask questions and understand answers.

Meeting the Cybercrime Challenge
"Distrust and caution are the parents of security." Benjamin Franklin

The Objective of Cyber Security Management is to Manage Information Risk
Cyber Fraud; Information Theft; Ransomware; Denial of Service Attack; Regulatory / Compliance; Disaster
Loss of Money, Brand Value, Competitive Advantage

Establish Leadership. Provide Senior Management Education.
"An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage." Jack Welch

Take Specific Action to Protect Against Online Financial Fraud
Implement Internal Controls Over Payee Change Requests: Assume Compromise; Out-of-Band Confirmation
Use Dedicated On-Line Banking Workstation: Keep Patched; Use Only for On-Line Banking
Work with Bank: Dual Control; Out-Of-Band Confirmation; Strong Controls on Wires

Train Staff to Be Mindful. Provide Phishing Defense Training.

Provide Information Security Education. Change Culture.
"If you do not know your enemies nor yourself, you will be imperiled in every single battle." Sun Tzu, The Art of War

Patch All Vulnerabilities At Least Weekly. Sign Up for Free Citadel Weekend Report.

Know What Information Needs To Be Protected and Where It Is
What: Online Banking Credentials; Credit cards; Employee Health Information; Salaries; Trade Secrets; Intellectual Property
Where: Servers; Desktops; Cloud; Home PCs; BYOD devices

Implement Written Information Security Management Policies and Standards

Require IT Staff to Take Information Systems Security Continuing Education
Information Security Summit 7, June 4-5, 2015
Monthly Technical Meetings, 3rd Wednesday of Month
www.issa-la.org

Require Vendor(s) to Meet Security Management Standards
Compliance with Information Security Standards
Security Management Included in Service Level Agreements
Full System & Procedural Documentation
Business Associate Agreements (HIPAA)
Vendor Access Controls
IT Vendor Internal Security Management

Critical Information Available in Disaster? Trust But Verify.

Be Prepared: It's Not If But When

Be Prepared to Collect, Protect and Analyze Evidence
Ensure IT is logging all potentially-relevant events
Make sure IT staff doesn't unknowingly destroy valuable evidence
Use trained experts to conduct incident forensics

Build Continuous Performance Improvement Into Information Security Management
Decide Information Security Improvement Objectives (Information Security Requirements & Expectations)
Assess Current Information Security Capabilities and Needs
Plan Information Security Improvement Implementation
Information Security Management System: Continuous Improvement
Implement Information Security Improvement Plan
"Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs." W. Edwards Deming, 14 Key Principles for Improving Organizational Effectiveness

Getting Started: If You Don't Know Where You Are, a Map Won't Help.
Risk-Driven Information Security Assessment
Information to Protect: Donor and Client Information; Staff Information; Credit Cards; Trade Secrets & Intellectual Property
Compliance Responsibilities: Payment Card Industry PCI DSS; HIPAA Security Rule
Organizational Strengths / Weaknesses
Technology Management Strengths / Weaknesses
IT Network Weaknesses

Use Assessment Findings to Build Improvement Roadmap
Organizational Weaknesses: No one in charge; No policies or standards; Information dispersed; No user awareness; Online banking security inadequate; Uncontrolled use of Dropbox; No vendor security management; No cyber insurance
Technology Management Weaknesses: No vulnerability management; IT vendor weaknesses; Backups not tested; Gap between C-Suite & IT; No Disaster Recovery planning; No incident response planning; BYOD not managed
IT Network Weaknesses: No VPN for remote use; Missing patches; Laptops not encrypted

Don't Try to Reinvent Wheel: Use an Accepted Information Security Management Framework
Information Security Policies
Communications Security
Organization of Information Security
System Acquisition, Development & Maintenance
Human Resource Security
Supplier Relationships
Asset Management
Access Control
Cryptography
Physical / Environmental Security
Operations Security
Information Security Incident Management
Information Security Aspects of Business Continuity Management
Compliance

Get Information Systems Security Subject Matter Expertise
7th Annual Information Security Summit, Los Angeles Convention Center, June 4-5, 2015
June 4: The Executive Forum for Board & C-Suite
June 4: Technical Management Speakers and Tracks
June 5: Information Security Management Boot Camp for IT Professionals
www.summit.issa-la.org
20% Promotional Code for June 4 Summit: 7Summit_SS_20

Manage the Security of Information as Seriously as Operations and Finance
Implement Formal Information Security Management System
1. Information Security Manager / Chief Information Security Officer
   a. C-Suite Access
   b. Independent of CIO or Technology Director
   c. Provide Cross-Functional Support
2. Implement Formal Risk-Driven Information Security Policies and Standards
3. Identify, Document and Control Sensitive Information
4. Train and Educate Personnel. Change Culture.
5. Manage Vendor Security
6. Manage IT Infrastructure from information security point of view

[Diagram: Information Security is Proactively Managed; Meet Information Security Standard of Care; Lower Total Cost of Information Security (SM)]

For More Information
Stan Stahl, Stan@citadel-information.com, 323-428-0441
LinkedIn: Stan Stahl; Twitter: @StanStahl
Citadel Information Group: www.citadel-information.com
Information Security Resource Library
Free: Cyber Security News of the Week
Free: Weekend Vulnerability and Patch Report
ISSA-LA: www.issa-la.org
Technical Meetings: 3rd Wednesday of Month
Financial Services Security Forum: 4th Friday of Month
CISO Forum: Quarterly
7th Annual Information Security Summit: June 4-5, 2015


The Insurance Related Financial Impact and Costs of Cyber Crime/Privacy Liability
Ted Doolittle, Senior Vice President, Risk Placement Services, Inc.

What is Cyber Liability / Privacy Liability?
Define it by what it's meant to cover: data
Terminology: 1st and 3rd party coverage; Distinctions in 1st party coverage

Potential Costs to Your Organization
Financial: Policy holder costs; Regulatory requirements; Downstream costs/liability; Customer data/3rd party data
Frictional costs: Downtime; Staffing; Company Focus
Reputational

Coverage Triggers
Generic privacy coverage (typically 3rd party related)
Privacy and Network Security: Acts, Errors, Omissions (accidents); Hacking (social engineering, phishing, unauthorized access); Employees vs. Outside forces; Online/offline, hardcopy/softcopy, inside network/outside network, portable devices
Privacy Regulatory

What Else Do You Get With Privacy Liability Programs?
Breach Services: Breach Coach; Security Vendors; Legal Counsel
Additional Coverage: Professional Services; Media Liability; Cyber/Network Extortion; Crisis Management/PR

Factors in Securing Privacy Liability Coverage
Process: Application requirements; Application; PII; Revenue
Marketplace: Carriers; Ever changing exposures; Ever changing products

Factors in Securing Privacy Liability Coverage (Continued)
Cost: Minimum premiums/deductibles; Capacity/competition
Industry: Higher Education; Financial Institutions; Retail/POS related; Healthcare

For More Information
Ted Doolittle, Ted_Doolittle@rpsins.com, 312-803-5975, www.rpsins.com

Thank You!!
Ted Doolittle, Senior Vice President, Risk Placement Services, Inc.