How a Company's IT Systems Can Be Breached Despite Strict Security Protocols


How a Company's IT Systems Can Be Breached Despite Strict Security Protocols
Brian D. Huntley, CISSP, PMP, CBCP, CISA
Senior Information Security Advisor / Information Security Officer, IDT911

Overview
- Good enough never is.
- The strongest, most secure systems can be breached by hackers. It can happen to anyone.
- What does it look and feel like?
- What risks and threats should you be on the lookout for?
- Time-telling and clock building.
- Program monitoring, program management, and continuous improvement are critical success factors.

Information Security Is Never Done
- Why isn't it a one-and-done?
- What kinds of change are behind this?
- How do these changes affect the risk baseline, introducing risk at the margins? At the core?
- What are the most critical changes in this regard?
- How do you deal with them?

Setting the Stage
- Security Protocol
- Information Security Risk Triples
- Data Breach Threat Spectrum
- Information Security Program: Program Management, Program Monitoring, Program Update

Security Protocol Defined
- Internet Host Configuration
- Vendor Management
- Physical Security
- Risk Assessment
- Encryption
- Remote Access Security
- Access Management
- BC/DRP
- Data Security
- Acceptable Use
- Electronic Communications Security
- Third-Party Access
- Firewalls
- Record Retention
- Patch Management
- Information Management
- Password Management
- Incident Response
- Vulnerabilities Management
- Information Classification
- Network Security
- Awareness and Training
- Application Security
- Intrusion Monitoring and Detection

Information Security Risk Triples

Information Security Risk Triples Example -- ASSET
Customer Data: protected, regulated information
- Non-public personal information (PII; GLBA, et al.)
- Protected health information (PHI; HIPAA, et al.)
- Primary credit card account numbers (PANs; PCI, et al.)

Information Security Risk Triples Example -- VULNERABILITY
The password fields on the [? YOUR WEBSITE HERE?] page do not have the autocomplete attribute set to off.

Information Security Risk Triples Example -- ASSET, VULNERABILITY, THREAT
ASSET: Customer Data: protected, regulated information
- Personal information (PII; GLBA, et al.)
- Protected health information (PHI; HIPAA, et al.)
- Primary credit card account numbers (PANs; PCI, et al.)
VULNERABILITY: The password fields on the [? YOUR WEBSITE HERE?] page do not have the autocomplete attribute set to off. As a result, the browser pops up a "remember password" dialog box to the user upon submission of a login or change-password request. If the user selects the remember-password option, the browser saves the password for the user profile in the browser cache.
THREAT: An attacker with access to the same system as the victim user may find the credentials of the valid user in the browser. The attacker may then use the credentials for unauthorized access to the account of the victim user and compromise it.
RISK: DATA SECURITY BREACH
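The vulnerability in this triple is a finding a web scanner would report against a login or change-password page. As an added example (not part of the deck, and not a tool of the author's), the following Python script performs that check offline with the standard library's html.parser: it walks a page, records every password input, and flags the ones whose effective autocomplete setting is not "off". The sample markup, field names and form actions are constructed for the demonstration.

```python
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Record every <input type="password"> and its effective autocomplete value.

    The attribute is inherited: a field without its own autocomplete attribute
    takes the value set on its enclosing <form>, if any.
    """

    def __init__(self):
        super().__init__()
        self._form_stack = []   # autocomplete value of each currently open <form>
        self.findings = []      # (field name, effective autocomplete value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self._form_stack.append(a.get("autocomplete"))
        elif tag == "input" and a.get("type") == "password":
            own = a.get("autocomplete")
            inherited = self._form_stack[-1] if self._form_stack else None
            effective = own if own is not None else inherited
            name = a.get("name") or a.get("id") or "<unnamed>"
            self.findings.append((name, effective))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def audit_password_fields(html):
    """Return the names of password fields whose effective autocomplete is not 'off'."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return [name for name, effective in auditor.findings if effective != "off"]


# Constructed sample page (hypothetical markup, not taken from any real site).
# Form 1 has the finding; form 2 is covered at the form level; form 3 overrides
# the form-level setting on one field, which re-opens the finding for that field.
SAMPLE_LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
<form action="/account/password" method="post" autocomplete="off">
  <input type="password" name="current_password">
  <input type="password" name="new_password">
</form>
<form action="/account/recover" method="post" autocomplete="off">
  <input type="password" name="recovery_pin" autocomplete="on">
</form>
"""

# The same page with both findings corrected.
HARDENED_LOGIN_PAGE = SAMPLE_LOGIN_PAGE.replace(
    '<input type="password" name="password">',
    '<input type="password" name="password" autocomplete="off">',
).replace(
    '<input type="password" name="recovery_pin" autocomplete="on">',
    '<input type="password" name="recovery_pin">',
)


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_LOGIN_PAGE), ("hardened", HARDENED_LOGIN_PAGE)):
        flagged = audit_password_fields(page)
        print(f"{label}: {len(flagged)} password field(s) without autocomplete=off: {flagged}")
```

The script treats a form-level autocomplete="off" as covering its fields and an explicit "on" on a field as overriding it, which is how the attribute cascades. One caveat when triaging this finding: current browsers' built-in password managers may still offer to save credentials regardless of autocomplete="off", so the attribute reduces, but does not by itself eliminate, the browser-cache exposure the triple describes.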

The Cyber Threat Spectrum (abridged) -- Threat Categories by Threat Type
(* = both technical and non-technical)
- Technical: Data Integrity*, Denial of Service (DoS) Attack, Infiltration, Malicious Code, Unauthorized Access*, WWW Services Disruption
- Non-technical: Fraud, Information Spillage, Lost Asset, Reputation, Theft

The Cyber Threat Spectrum (abridged) -- Threat Signatures by Category
Infiltration:
- Compromised Database Server
- Cyber-Espionage
- Security Information & Event Monitor (SIEM) System Event Correlation
- Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) Alerts
- Disappearing Host
WWW Services Disruption:
- Website Compromise or Defacement
- DNS Fraud (external)
- SQL Injection Attack
- Web Application Attack
Malicious Code:
- Anti-Virus Program Detection of virus- or phishing-related files, email
- Crimeware
- Malicious Scripting
- Trojan Programs
- Virus Infection
- Worm Programs
- Zero-Day Vulnerability Event
Unauthorized Access:
- Unauthorized Access Attempt
- Unauthorized System Changes
- Unknown Wireless Access Point
- Telecommuting/Remote Access Compromise
- Physical Intruder (Non-technical)
Denial of Service (DoS) Attack:
- Cloud Storage Upload Storm
- Distributed DoS (DDoS) Agent Infestation
- Domain Name System (DNS) Server Denial of Service
- DoS/DDoS Attack (external)
Data Integrity:
- File Integrity Monitor sensitive file system change alerts
- External data source contamination (Non-technical)
Information Spillage (all Non-technical):
- Improper disposal
- Mis-handled classified documents
- Mis-mailed classified documents
- Unencrypted classified email
- Customer/client-misdirected or mishandled classified data
- Unknown exfiltration
Fraud (Non-technical):
- Fraud
General (Non-technical):
- Anonymous Threat
- Suspicious Activity
Lost Asset (Non-technical):
- Missing/Unaccounted-for IT Equipment
Reputation (all Non-technical):
- 3rd Party Fraud Monitoring Service Alert
- Adverse Internet Reputation Report
- Adverse Media Reputation Report
- Copyright Infringement
- Targeted Social Media/Twitter Storm
- Violations of Acceptable Use Policy
Theft (all Non-technical):
- Insider Theft
- Lost/Stolen Laptop PC/Mobile Device
- Stolen Documents
- Theft of Intellectual Property or Client Data

A Different Kind of Change Management
Chart: CHANGE plotted against time, in four dimensions: amount of change, rate of change, type of change, impact of change.

A Different Kind of Change Management
Diagram: Data, Information, Knowledge, with the question "? 2015 ?"

Assets as a Function of Time
Chart: ASSET POPULATION plotted against time. The population comprises hardware, software, applications, processes, websites, addresses, physical locations, and information.

Vulnerabilities as a Function of Time
Chart: CVEs, January 1999 to August 2015 (y-axis 0 to 80,000 CVEs; x-axis 1997 to 2015).
Source: U.S. NIST National Vulnerability Database (NVD)

Threats as a Function of Time
Chart: THE CYBER CRIME INDUSTRY plotted against time, from Script Kiddies to Organized Crime. Q.E.D.

Creating Holes in the Line
- Vendors, Service Providers and Other Third Parties
- Organizational Changes
- New Business Ventures
- Significant Technological Changes

Vendor/Third Party Risk
- User Control Considerations
- Sufficient transparency; apparency?
- Rules of Entropy apply -- if R < 1 and R < 1, then R^2 < R

Risk Introduced by Organizational Change
- Here again, Entropy Rules
- Relative skill sets, experience
- Relative values, motivations
- Toxic Combinations

Toxic Combinations

New Business Ventures are Risky!
- Mergers
- Acquisitions
- De Novo / Greenfield
Risk = Likelihood x Consequences
Uncertainty: Strategy, Reputation, Liquidity, Market, Legal and Regulatory

What is Significant Technology Change?
- Disruptive
- Forklift Upgrade
- New Applications and Systems
- Application and System Enhancements
- Routine Moves, Additions, and Changes
Significant Technology Change

Bridging the Gaps
- Vendor Management
- Organizational Change Management
- Personnel Security
- Information Security Monitoring and Testing
- Information Security Program Management

Vendor Management
- Vendor Management Policy
- Due Diligence Reviews: Initial Qualifying, Ongoing
- Contractual Safeguards: Mutual Non-Disclosure Agreement (NDA); Bi-Lateral Data Security Breach Notification; Proof of Cyber Coverage and Liability Insurance; Controls Certification

Organizational Change Management
- Transition Planning
- Communication
- Information Security Awareness and Training
- Terminations and Transfers Management
- Logical Access Reviews

Personnel Security
- Background Checks: Pre-Employment, Post-Employment
- Employment Agreements
- Separation of Duties
- Dual Control
- Job Rotation
- Mandatory Vacation
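The Toxic Combinations point from the organizational-change slides, the Logical Access Reviews item under Organizational Change Management, and Separation of Duties here all reduce to the same periodic check: does anyone hold entitlements that should never sit together, and does anyone who has left or moved still hold entitlements at all? As an added example (not from the deck, and not the author's own tooling), the Python script below runs both checks over an entitlement export and an HR status feed. The entitlement names, users and statuses are constructed for the demonstration; a real review would read them from the access management system and HR system of record.

```python
# Constructed sample data (hypothetical entitlement names, users and HR records).

# Pairs of entitlements that no single person should hold at once (toxic combinations).
TOXIC_PAIRS = {
    frozenset({"vendor.create", "payment.approve"}),   # set up a payee and pay it
    frozenset({"code.commit", "prod.deploy"}),         # write code and ship it unreviewed
    frozenset({"user.provision", "access.audit"}),     # grant access and audit the grants
}

# Current entitlements as exported from the access management system.
ENTITLEMENTS = {
    "alice": {"vendor.create", "payment.approve", "report.view"},
    "bob":   {"code.commit", "code.review"},
    "carol": {"code.commit", "prod.deploy", "access.audit"},
    "dave":  {"user.provision"},
    "erin":  {"vendor.create"},
    "frank": {"report.view"},
}

# HR status feed. "frank" is absent from it, which is itself a finding:
# access exists for someone HR does not know about.
HR_STATUS = {
    "alice": "active",
    "bob": "active",
    "carol": "active",
    "dave": "terminated",
    "erin": "transferred",
}


def find_toxic_combinations(entitlements, toxic_pairs):
    """Map each user to the sorted list of toxic pairs fully contained in their entitlements."""
    hits = {}
    for user, rights in entitlements.items():
        conflicts = sorted(tuple(sorted(pair)) for pair in toxic_pairs if pair <= rights)
        if conflicts:
            hits[user] = conflicts
    return hits


def find_orphaned_access(entitlements, hr_status):
    """Users who still hold entitlements but are not active in HR.

    Terminated and transferred users are flagged, as is anyone missing from the
    HR feed; a transfer is flagged because the old role's rights need re-review.
    """
    return sorted(
        user for user, rights in entitlements.items()
        if rights and hr_status.get(user, "unknown") != "active"
    )


def access_review(entitlements, toxic_pairs, hr_status):
    """Combine both checks into a single review report."""
    return {
        "toxic_combinations": find_toxic_combinations(entitlements, toxic_pairs),
        "orphaned_access": find_orphaned_access(entitlements, hr_status),
    }


if __name__ == "__main__":
    report = access_review(ENTITLEMENTS, TOXIC_PAIRS, HR_STATUS)
    for user, pairs in report["toxic_combinations"].items():
        for left, right in pairs:
            print(f"TOXIC   {user}: holds both {left} and {right}")
    for user in report["orphaned_access"]:
        print(f"ORPHAN  {user}: HR status '{HR_STATUS.get(user, 'unknown')}' but still entitled")
```

The toxic-pair table is the policy; the review is only as complete as that table, so it should be maintained alongside the separation-of-duties matrix rather than hard-coded. Running the same checks after every reorganization or transfer, not just on a calendar, is what turns the slides' "Terminations and Transfers Management" into a control that keeps pace with the change it is meant to cover.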

Information Security Program Monitoring
- Controls Testing: Existence, Effectiveness
- Asset Inventories
- Key Statistics Reporting
- Information Security Risk Assessment
- Benchmarking and Gap Analysis
- Independent Third-Party Assessment
- Trusted Advisor(s)

Information Security Program Management
- Information Security Risk Assessment
- Assigned Roles and Responsibilities
- Management Reporting
- Board Education
- User Awareness and Training

Top 5 Takeaways
1. Information Security work is never done
2. Mind the gaps
3. User Control Considerations
4. Toxic Combinations
5. Information Security Program Management

Thank You
Brian Huntley, CISSP, PMP, CBCP, CISA
Sr. Information Security Advisor / Information Security Officer, IDT911
IDT911 Consulting, 1501 Broadway, Suite 1616, New York, NY 10036
P: 480.322.2389
E: bhuntley@idt911consulting.com
www.idt911consulting.com