Embed Size (px)
Citation preview
Presented by: Doug Jambor
Turner and Associates
Financial information company that provides credit and risk management solutions to financial institutions
Data and applications used by thousands of financial institutions and accounting firms across North America
Awards ◦ Named to Inc. 500 lit of fastest growing privately
held companies in the U.S.
◦ Named to Deloitte Technology Fast 500
Turner and Associates, Inc., was formed in 1994 in Columbus, Ohio to address the financial needs of small businesses and the lending functions of Banks.
Data Breaches ◦ Lessons Learned
◦ Key Takeaways
So, what are data breaches?
◦ Unintended disclosure of sensitive information
◦ Cyber Attacks
◦ Payment card fraud
Data breaches are also caused by:
◦ Malicious insiders
◦ Physical data loss
◦ Portable device loss
Lastly, data breaches could be caused by:
◦ Hardware loss
◦ Unknown data loss
History of the 10 largest data breaches:
1. Shanghai Roadway (March, 2012) 150 Million records
2. Heartland Payment Systems (January, 2009) 130 Million records
3. T.J. Maxx (January 2007) 94 Million Records
History of the 10 largest data breaches:
4. TRW / Sears Roebuck (June,1984) 90 Million records
5. Sony Corporation (April, 2011) 77 Million records
6. Unknown Company (August, 2008) 50 Million Records
History of the 10 largest data breaches:
7. Card Systems (June, 2005) 40 Million records
8. Tianya (December, 2011) 40 Million records
9. Steam On-line Gaming (November, 2011) 35 Million Records
History of the 10 largest data breaches:
10. SK Communications (July, 2011) 35 Million records
2011 was a game changer
◦ Four of the top
10 biggest data
breaches happened
this year
2011 was a game changer
◦ Hackivism come
through the doors
Larry Ponemon
2012 RSA
Conference in
San Francisco
Can we stop data breaches? ◦ No
What are the primary motives behind data breaches? ◦ Criminal element & $$$
◦ Verizon 2012 DBIR:
Who is behind data breaches? ◦ Verizon 2012
DBIR:
How do data breaches occur? ◦ Verizon 2012
DBIR:
What commonalities exist between data
breaches? ◦ Verizon 2012 DBIR:
Industry groups represented by percent of breaches ◦ Verizon 2012 DBIR:
Industry groups represented by percent of breaches ◦ Verizon 2012 DBIR:
Threat agents over time by percent of breaches ◦ Verizon
2012 DBIR:
Compromised assets by percent of breaches and records ◦ Verizon
2012 DBIR:
Timespan of events by percent of breaches ◦ Verizon
2012 DBIR:
So why are data breaches so damaging?
◦ They impact your organization’s bottom line
◦ Average cost is almost $18K per day
◦ All industries are susceptible data breaches
Average annualized cyber crime cost weighted by attack frequency ◦ Ponemon:
Percentage cost for external consequences ◦ Ponemon:
Responding to a data breach - percentage cost by internal activity centers ◦ Ponemon:
What should we consider prior to a data breach? ◦ Ensure you have developed and tested an Incident
Response Plan
Incident Response Plan
Step one ◦ Build a response team
Incident Response Plan
Step two ◦ Assign a lead/liaison
Incident Response Plan
Step three ◦ Ensure everyone knows their job tasks
Incident Response Plan
Step four ◦ Create the contact list
Incident Response Plan
Step five ◦ Create a checklist
Incident Response Plan
Step six ◦ Document the entire process
Incident Response Plan
Step seven ◦ Notify customers
How do you limit your exposure to a data breach? ◦ Perform due diligence on pen testers, internal
auditors, and critical vendors
How do you limit your exposure to a data breach? ◦ Read penetration test EL
How do you limit your exposure to a data breach? ◦ Smaller institutions
How do you limit your exposure to a data breach? ◦ Perform gap analysis of the SANS 20 Critical
Security Controls
How do you limit your exposure to a data breach? ◦ If you see bad behavior, call it out
How do you limit your exposure to a data breach? ◦ Invest in security
Data breaches described in today’s webinar have been publicly reported and easily available over the Internet.
Major Sources include: ◦ http://www.ponemon.org
◦ http://datalossdb.org/
◦ https://www.privacyrights.org/
◦ http://www.databreaches.net/
◦ http://www.ftc.gov/
◦ Verizon 2012 Data Breach Investigations Report
Website: www.sageworksinc.com
Phone: (919)-851-7474 ext. 693
Helpful links and resources: ◦ www.sageworksanalyst.com/resources.aspx
◦ web.sageworksinc.com/bank-webinars/
Find us on twitter: sageworksdata
