They Did What?!? How Your End Users Are Putting You At Risk

Similar documents
Data Loss Prevention: A Holistic Approach. Sam D Amore, Principal Information Technology Security Office The Vanguard Group (

Information Security It s Everyone s Responsibility

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Internet threats: steps to security for your small business

Parla, Secure Cloud

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Data Loss Prevention Program

Yes MAM: How Mobile Device Management Plus Mobile Application Management Protects and Addresses BYOD

Standard: Information Security Incident Management

SECURITY CONSIDERATIONS FOR LAW FIRMS

National Cyber Security Month 2015: Daily Security Awareness Tips

Auditing emerging cyber threats and IT controls

Security Risk Management Strategy in a Mobile and Consumerised World

10 Quick Tips to Mobile Security

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Information Security Policy

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

Your security is our priority

2009 Antispyware Coalition Public Workshop

Digital Consumer s Online Trends and Risks

The Cloud App Visibility Blindspot

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cybersecurity: What CFO s Need to Know

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

The SMB Cyber Security Survival Guide

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Top five strategies for combating modern threats Is anti-virus dead?

Don t let your SIeM become your Nightmare!

Why The Security You Bought Yesterday, Won t Save You Today

FERPA: Data & Transport Security Best Practices

Ed McMurray, CISA, CISSP, CTGA CoNetrix

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

Top Ten Technology Risks Facing Colleges and Universities

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

Cloud Services MDM. ios User Guide

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Training Employees to Recognise & Avoid Advanced Threats

Trend Micro Healthcare Compliance Solutions

A New Era. A New Edge. Phishing within your company

Zscaler Internet Security Frequently Asked Questions

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Securely Yours LLC Top Security Topics for Sajay Rai, CPA, CISSP, CISM

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

Finding Security in the Cloud

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

+GAMES. Information Security Advisor. Be a Human Firewall! The Human Firewall' s Top Concerns in the Cyber, People & Physical Domains

<Insert Picture Here> How to protect sensitive data, challenges & risks

Mobile Protection. Driving Productivity Without Compromising Protection. Brian Duckering. Mobile Trend Marketing

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

EndUser Protection. Peter Skondro. Sophos

anomaly, thus reported to our central servers.

Compliance in 5 Steps

Why Encryption is Essential to the Safety of Your Business

Best Practices Guide to Electronic Banking

General Security Best Practices

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Modern two-factor authentication: Easy. Affordable. Secure.

Security and Privacy

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Estate Agents Authority

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 )

White Paper. The Principles of Tokenless Two-Factor Authentication

Don't Be The Next Data Loss Story

Cybersecurity Best Practices

Simplifying the Challenges of Mobile Device Security

Transcription:

They Did What?!? How Your End Users Are Putting You At Risk SESSION ID: HT-F02 Mike Seifert CISSP, CISA, CIPP, CISM, CGEIT Vice President Enterprise Risk & Resilience Fiserv

New/future jobs Cloud Services Security Exceptions Personal PC s Instant Messaging Free Stuff Online admin Privileges Cloud Storage Personal Email XXX Porn User Temptations! Tablets Peer to Peer Printed materials Clients and partners Smartphones Removable storage Sharing via social media Secrets and interesting info Wi-fi access points

User Risks Generally don t have simple technology solutions Incidents prompt us to ask They Did What?!? Are the results of user behaviors Security People Generally aware, responsible and trainable Ignorant (victims) Move this bar! 3

User Risks Are Not Often On Our Radar I m p a c t Catastrophic L M H H H High L M M H H Medium L M M M H We tend to focus Risk Management efforts on these events Low L L M M M Insignificant L L L L L These events are happening as we speak and are enabling larger ones Rare Unlikely Possible Likely Certain Likelihood 4

My Top 8 Removed obvious risks. Focus on: Overlooked Focus Areas Oversimplified Underestimated Phishing Data Loss Security Program Low Priority Not anyone else s responsibility 5

1. Social Engineering and Phishing: Users may not identify external threats, or exercise healthy skepticism, resulting in compromised systems

Cyber-Criminals are Knocking Legit LinkedIn Message Fake Phishing Email 7

Phishing - Facebook connect@faceblock-friend.com 18% clicked through to this fake site 8% entered their login credentials 8

Phishing Mailbox Quota itdept493@marketing38493.com 11.4% Clicked through to fake website 7% Submitted form Yes, please increase my mailbox size. My manager is copied on this email thread. Thank you!! Approved. (reply from above s manager) 9

Effectiveness is Alarming and Evolving Technical defenses are futile! Per 2013 vendor testing stats in small/medium FI s, average response rates exceed 60 %: Employee surveys Mailbox quota exceeded Company social events (company picnic, motorcycle ride and runs) Risks are evolving (QR Codes, text messages, apps, and others) * Stats do not represent Fiserv testing

1. Program and Control Considerations Incident response processes to block phishing and malware sites Standardize associate communications Digitally sign communications Content and SPAM filtering 11

1. Education and Associate Engagement Make it personal Does this message, in this context make sense? Try reactive approach Identify and report 12

2. Insiders Knowledgeable insiders will attempt to circumvent or disable controls

A Control Environment Effective controls have dependencies and are complimentary The Basics are essential! Bad guys look for opportunities Change Management Workstation and End User Controls Data Loss Prevention Assurance Secure App Development System Configuration Call Centers and Support Patches and Updating Monitoring Access Controls 14

Data Loss Control Dependencies

Understand Data Movement Channels Network Access Cloud Storage Mobile Webmail FTP USB Devices Browser A Browser B 16

Apply Controls Network Access Cloud Storage Mobile Webmail FTP USB Devices Browser A Browser B 17

Standardize and Monitor Network Access Cloud Storage Mobile Webmail Standard Browser C FTP Removable Storage Browser A Browser B 18

2. Program and Control Considerations Robust Data Loss Prevention Monitor controlled channels for data movement, block or disable everything else Thorough and continuous gap assessments Personnel controls Layers Workstation and device security configurations Company docs to personal email accounts 19

2. Education and Associate Engagement Don t understate your detection capabilities Closely guard monitoring capabilities and gaps Train security and technology associates on controls!!! Train users on approved channels Equip users to educate third parties on requirements 20

3. Data Proliferation User actions and poor business processes contribute to the proliferation of company data (removing data from system of record)

How Is Information Really Handled? Transferred to Other Users Exported Dataset Controlled System of Record End User s PC 22

3. Program and Control Considerations Keep information in its original, controlled system of record Restrict access for data exports DLP Discover capabilities 23

3. Education and Associate Engagement The best way to secure data is to not have it in the first place Don t create, don t duplicate, destroy 24

4. Discretion Users do not properly identify sensitive data or apply appropriate discretion in their information handling practices

Discretion Applies to All Actions Transmission Generation Disclosure Storage 26

4. Program and Control Considerations Data classification and labeling system Monitor data movement systematically (DLP) Automated controls: labeling 27

4. Education and Associate Engagement Make issue personal Appropriate data usage, labeling, storage and handling Know and understand who you are disclosing information to 28

5. User Entitlement Users feel entitled to any information/data they can access. If it can be accessed, it will be abused

Data at the mercy of your users Common DLP Incidents Relationships: Confidential data to spouse, friend, others Terms/ Resignations: Removing data prior to resigning Egress points: Users will copy data anywhere you let them Disguise: Renaming documents or data Ignorance, Entitlement and Access: Unauthorized, misused and feelings of entitlement to data

5. Program and Control Considerations Fast, effective incident response Effective access controls Data Loss Prevention and monitoring programs Digital Rights Management Extra Benefits! Phishing Response Rates Page Views General Population Negative Reputation Positive Reputation DLP Violators 31

5. Education and Associate Engagement Training on Acceptable Use Policy (security awareness) Monitor for, summarize and train on common risky behaviors 32

6. Separate Work and Personal Users intermingle personal and work computing resources magnifying the impact of other risks

End User s Computing Universe 34

Go Old School 35

6. Program and Control Considerations Restrict corporate data to corporate assets Containerize data on mobile devices Removable media controls Block or monitor cloud services and webmail 36

6. Education and Associate Engagement Segregate business and personal info Understand approved technologies and usage policies Know who to go to with questions 37

7. Millenialization User consumer computing behavior and demands are driving business technology use-cases, preferred tools and product features

Convenience Prevails Over Control MS Office ios Winzip 39

7. Program and Control Considerations Continually assess your environment Control workstations and mobile devices via policy Only permit assessed and approved software/services 40

7. Education and Associate Engagement Consult with security professionals prior to utilizing services Differences between work and personal information security imperatives 41

8. Enforce Standards User ignorance, neglect or circumvention of security standards/policies will undermine strategy and comprehensive, layered security approaches

The Fiserv Model - Standards and Policies Security and Control Standards Code of Conduct and Business Ethics Acceptable Use and Secure Computing Standards* Enterprise Security Awareness Training Fiserv Security Awareness Security and Controls Policy * Summary document of relevant standards and policy items directly impacting end-users and secure computing behavior * Significant input from Fiserv incident data

Exceptions and Accommodations VS. Productivity or Vanity? 44

8. Program and Control Considerations Enterprise standards program Require compliance and align with auditors, regulators, etc. Strong Tone at the Top Have consequences for non-compliance Robust, objectives-based exception process Segregate environments if necessary 45

8. Education and Associate Engagement Understand and utilize your program Importance and benefits Negative event stories with a personal twist Leaders setting a positive example 46

Conclusion

Conclusion Essentials for Risk Management 1. Fast, effective incident response 2. Education what, why and consequences 3. Understand controls, focus on objectives 4. Standardization 5. Never assume anything Time Maturity Culture Habitual Expected Top of mind Easily recognized Accountability Moving the bar Cohesive

49 Mike Seifert w: mike.seifert@fiserv.com p: mike.seifert@nym.hush.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information