Meeting the Information Security Management Challenge in the Cyber-Age © Copyright 2016. Citadel Information Group. All Rights Reserved. Stan Stahl, Ph.D. President Citadel Information Group July 2016

Meeting the Information Security Management Challenge in ... · NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014 2. International Standards Organization


Page 1

Meeting the Information Security Management Challenge in the Cyber-Age

© Copyright 2016. Citadel Information Group. All Rights Reserved.

Stan Stahl, Ph.D., President

Citadel Information Group

July 2016

Page 2

The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.

Major Gen Brett Williams, U.S. Air Force (Ret), This Week with George Stephanopoulos, December 2014

Page 3

Online Fraud: Business Email Compromise Deceives Controller

From: Your Vendor, Stan
Sent: Sunday, December 28, 2014 12:07 PM
To: Bill Hopkins, Controller
Subject: Change of Bank Account

Hi Bill – Just an alert to let you know we’ve changed banks. Please use the following from now on in wiring our payments.

RTN: 123456789 Account: 0010254742631

I’m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter.

Great thanks.

Cheers - Stan
_________________________
The secret of success is honesty and fair-dealing. If you can fake that, you’ve got it made ... Groucho Marx

Page 4

Page 5

Company Loses $46 Million to Online Fraud

Page 6

FBI Reports $2.3 Billion Lost to Business Email Compromise. LA: $14M / Month

Page 7

Your Money or Your Data: Ransomware Viruses Reach Epidemic Proportions

Hollywood Presbyterian Medical Center paid $17,000 to ransomware hackers

Page 8

Epidemic of Credit Card Theft … Medical Records Theft … Personnel Records Theft

Page 9

Data Breach Costs Expensive. Money Down the Drain.

Approximately $150 Per Compromised Record

$15 Million Per Event

Investigative Costs

Breach Disclosure Costs

Legal Fees

Identity Theft Monitoring

Lawsuits: Customers, Shareholders

Source: http://www.ponemon.org/index.php

Page 10

Competitor Steals Information. Bankrupts Company.

Page 11

Intellectual Property Theft — Economic Death by a Thousand Cuts

Page 12

Disgruntled Employees Sabotage Systems, Steal Information and Extort Money

Page 13

Organizations Attacked for Political and Social Reasons

Page 14

The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity

Customer Information

Credit Cards and PCI Compliance

HIPAA Security Rule

Breach Disclosure Laws

On-Line Bank Fraud & Embezzlement

Theft of Trade Secrets & Other Intellectual Property

Critical Information Made Unavailable

Systems Used for Illegal Purposes


Page 15

Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations

30% of victims have fewer than 250 employees

60% of small-business victims are out of business within 6 months

80% of breaches preventable with basic security


Page 16

Managing Information Risk — Four Key Questions

1. How serious is cybercrime and why should my organization care?

2. How vulnerable are we, really?

3. What do we need to do?

4. How do we do it?


Page 17

The Cyber Underground

Who they are

What they want

How they work

Page 18

The Value of a Hacked Company

http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/

Page 19

John Mallery, Computer Science & Artificial Intelligence Laboratory, 2011

http://www.slideshare.net/zsmav/models-of-escalation-and-deescalation-in-cyber-conflict

Page 20

https://securityintelligence.com/who-hacked-sony-new-report-raises-more-questions-about-scandalous-breach/

RAT: Remote Access Trojan

Page 21

http://searchsecurity.techtarget.com/feature/Targeted-Cyber-Attacks

Page 22

The thriving malware industry: Cybercrime made easy, IBM Software

https://securityintelligence.com/wp-content/uploads/2015/06/Cybercrime-Ecosystem-Infographic-Final.jpg

Page 23

Why Are We so Vulnerable? Three Inconvenient Truths

The Internet was not designed to be secure

Computer technology is riddled with security holes

We humans are also imperfect

Page 24

Cyber Security Need vs. Reality

Page 25

Phishing: Users Unwittingly Open the Door to Cybercrime

http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
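The point of the link on this slide is that everything to the left of the registrable domain is decoration chosen by the attacker: the browser connects to paroquiansdores.org, and "www.citibank.com" is just the first three of two dozen labels. The following is an added example, not part of the deck, that takes the slide's URL apart with the standard library and applies the check a mail filter or a trained user should make. The brand watch list is a constructed assumption, and the two-label rule for the registrable domain is a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Added example (not from the slide deck): dissect the Citibank-looking
URL on slide 25 and show where the browser will actually go.

Only the registrable domain (here paroquiansdores.org) decides which
server receives the request; every label to the left of it, including
"citibank", "signon" and "secure", is chosen by whoever owns that domain."""
from urllib.parse import urlsplit

# The URL exactly as it appears on the slide, rejoined from the line breaks.
PHISH_URL = (
    "http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps"
    ".signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz"
    ".udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o"
    ".aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/"
)

# Constructed watch list (assumption): a real deployment lists the banks and
# services the organization actually transacts with.
WATCHED_BRANDS = {"citibank", "chase", "wellsfargo", "paypal"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a host name.

    Simplification: suffixes with more than one label (co.uk, com.au, ...)
    need the Public Suffix List; for .com and .org hosts, as on this slide,
    the two-label rule is exact."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> dict:
    """Return the facts needed to judge the link, plus a verdict."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    # Watched brand names appearing anywhere left of the registrable domain.
    brands_in_prefix = [label for label in labels[:-2] if label in WATCHED_BRANDS]
    owner_label = reg.split(".")[0]
    return {
        "hostname": host,
        "registrable_domain": reg,
        "label_count": len(labels),
        "brands_in_prefix": brands_in_prefix,
        "uses_https": parts.scheme == "https",
        # Verdict: a watched brand used as a subdomain of somebody else's domain.
        "suspicious": bool(brands_in_prefix) and owner_label not in WATCHED_BRANDS,
    }


if __name__ == "__main__":
    for candidate in (PHISH_URL, "https://online.citibank.com/login"):
        print(analyze_url(candidate))
```

Run against the slide's URL the verdict is `suspicious`, with `registrable_domain` reported as `paroquiansdores.org`, 24 labels in the host name and plain `http`; the same check on a host that actually belongs to the brand's own domain comes back clean. The label count alone is a useful signal: legitimate bank login hosts rarely have more than three or four.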

Page 26

Vendors an Increasing Information Security Risk

Page 27

Visiting a Website Can Expose You to Cyberattack

Page 28

Clicking an Ad Can Expose You to Cyberattack

Page 29

Cyberattacks Succeed Because of Flaws — Vulnerabilities — in Programs

Page 30

Technology Solutions Are Inadequate to the Challenge

http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/

Page 31

Management Too Often Fails to Set Security Standards for IT Network

[Cartoon: Senior Management talking with the IT Head]

Senior Management: Hi Bob. Things good?

IT Head: Yes sir. Everything’s fine.

Senior Management: You’re keeping us secure now aren’t you?

IT Head: Yes sir. Everything’s fine.

Senior Management: That’s great Bob. We’re all counting on you.

IT Head: I appreciate that sir.

Page 32

Management Too Often Fails to Properly Fund IT Network Security

[Cartoon: Senior Management talking with the IT Head]

Senior Management: Hi Bob. Things good?

IT Head: Yes sir. Everything’s fine.

Senior Management: You’re keeping us secure now aren’t you?

IT Head: I do. Yes sir. We need a BYOD Solution.

Senior Management: I understand. But you know how tight budgets are.

Page 33

We Make It Way Too Easy: 80% of Breaches are “Low Difficulty”

Inadequate training of people

Inadequate security management of IT networks

Inadequate involvement by senior management


Verizon 2015 Data Breach Investigations Report:

http://www.verizonenterprise.com/DBIR/

Page 34

Securing Your Organization

Distrust and caution are the parents of security.

Benjamin Franklin

Page 35

The Objective of Information Security Management is to Manage Information Risk

Cyber Fraud

Information Theft

Ransomware

Denial of Service Attack

Regulatory / Compliance

Disaster

Loss of Money … Brand Value … Competitive Advantage

Page 36

The Four Elements of Information Risk

Confidentiality … Assuring information is only accessible to those authorized to use it

Integrity … Assuring that information is changed in accordance with authorized procedures by authorized people

Availability … Assuring that information and systems are available to users when they need them

Authenticity … Assuring that a received message is really from the purported sender


Page 37

The Information Security Management Chain

Identify, Protect, Detect, Respond, Recover

Continuous Security Management Improvement

Risk Transfer and Insurance

Legal and Regulatory Framework

Based Upon:

1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014

2. ISO/IEC 27001:2013 (International Organization for Standardization / International Electrotechnical Commission): Information technology — Security techniques — Information security management systems — Requirements

3. Porter Value Chain: Understanding How Value is Created Within Organizations

Page 38

Don’t Try to Reinvent the Wheel: Use an Accepted Information Security Management Framework (the list below is the fourteen control domains of ISO/IEC 27001:2013 Annex A)

Information Security Policies

Organization of Information Security

Human Resource Security

Asset Management

Access Control

Cryptography

Physical / Environmental Security

Operations Security

Communications Security

System Acquisition, Development & Maintenance

Supplier Relationships

Information Security Incident Management

Information Security Aspects of Business Continuity Management

Compliance


Page 39

Manage Information Security Like Everything Else. Establish Leadership.

An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage.

Jack Welch

Page 40

Take Specific Action to Protect Against Online Financial Fraud

Implement Internal Controls Over Payee Change Requests
    Assume all email or fax requests from vendors or the company President are fraudulent
    Use Out-of-Band Confirmation

Use a Dedicated On-Line Banking Workstation
    Keep Patched
    Use Only for On-Line Banking

Work with Bank
    Dual Control
    Out-of-Band Confirmation
    Strong Controls on Wires

See our blog: https://citadel-information.com/2016/02/business-e-mail-compromise-dont-be-a-victim/
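The payee-change controls above are the ones that would have stopped the bank-change email on slide 3, and they are simple enough to enforce in the accounts-payable system rather than leave to memory. The following is an added example, not Citadel's procedure or code, that walks that email through the controls: the request is never trusted on its own, the callback must go to the phone number already on file for the vendor (never a number supplied in the request), and a second person must approve before the vendor master record changes. The vendor record, phone numbers, employee names and the new routing number 123456780 are constructed; the ABA checksum helper is a sanity check only, since real fraud uses real routing numbers.

```python
"""Added example (not Citadel's procedure): the slide-40 payee-change
controls enforced in code, applied to the bank-change email on slide 3."""
from dataclasses import dataclass, field
from typing import Optional


class ControlViolation(Exception):
    """A step was attempted without the controls that must precede it."""


def aba_checksum_ok(rtn: str) -> bool:
    """ABA routing number check: nine digits, weights 3-7-1 repeated, weighted
    sum divisible by 10. The slide's RTN 123456789 fails it, but fraudsters
    usually supply real routing numbers, so this never replaces the callback."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


@dataclass
class Vendor:
    name: str
    phone_on_file: str      # captured at onboarding, never from a later email
    bank_rtn: str
    bank_account: str


@dataclass
class PayeeChangeRequest:
    vendor: str
    new_rtn: str
    new_account: str
    received_via: str                           # "email", "fax", "portal", ...
    callback_number_in_request: Optional[str]   # untrusted: attacker-supplied
    logged_by: str                              # employee who entered the request
    confirmed_by: Optional[str] = None
    confirmed_on_number: Optional[str] = None
    approved_by: Optional[str] = None


@dataclass
class PayeeChangeControl:
    vendors: dict
    audit: list = field(default_factory=list)

    def confirm_out_of_band(self, req, employee, number_called):
        """Record the callback; the number dialled must be the one on file."""
        if number_called != self.vendors[req.vendor].phone_on_file:
            raise ControlViolation(f"callback to {number_called} refused: use the number on file")
        req.confirmed_by, req.confirmed_on_number = employee, number_called
        self.audit.append(f"{employee} confirmed {req.vendor} change by phone")

    def approve(self, req, approver):
        """Dual control: a person other than the requester signs off."""
        if req.confirmed_by is None:
            raise ControlViolation("approval attempted before out-of-band confirmation")
        if approver == req.logged_by:
            raise ControlViolation("dual control: approver must differ from requester")
        req.approved_by = approver
        self.audit.append(f"{approver} approved {req.vendor} change")

    def apply(self, req) -> Vendor:
        """Update the vendor master only when every control has been met."""
        vendor = self.vendors[req.vendor]
        if not aba_checksum_ok(req.new_rtn):
            raise ControlViolation("routing number fails ABA checksum")
        if req.confirmed_on_number != vendor.phone_on_file:
            raise ControlViolation("no out-of-band confirmation on file")
        if req.approved_by is None:
            raise ControlViolation("no second-person approval")
        vendor.bank_rtn, vendor.bank_account = req.new_rtn, req.new_account
        self.audit.append(f"{req.vendor} bank details changed")
        return vendor


def demo() -> dict:
    """Walk the slide-3 email through the controls. All data constructed."""
    vendors = {"Stan": Vendor("Stan", "+1-514-555-0100", "987654320", "0099887766")}
    ctl = PayeeChangeControl(vendors)
    req = PayeeChangeRequest("Stan", "123456780", "0010254742631", "email",
                             callback_number_in_request="+1-514-555-0199", logged_by="bill")
    blocked = []
    attempts = (
        lambda: ctl.apply(req),                                                   # straight from the email
        lambda: ctl.confirm_out_of_band(req, "bill", req.callback_number_in_request),  # attacker's number
        lambda: ctl.approve(req, "alice"),                                        # before any callback
    )
    for attempt in attempts:
        try:
            attempt()
        except ControlViolation as err:
            blocked.append(str(err))
    ctl.confirm_out_of_band(req, "bill", vendors["Stan"].phone_on_file)          # proper callback
    try:
        ctl.approve(req, "bill")                                                  # requester approving himself
    except ControlViolation as err:
        blocked.append(str(err))
    ctl.approve(req, "alice")
    return {"blocked": blocked, "vendor": ctl.apply(req), "audit": ctl.audit}


if __name__ == "__main__":
    print(demo())
```

Four shortcuts are refused before the change goes through: applying the email directly, calling the number printed in the email, approving before any callback, and the requester approving his own request. The ordering matters for forensics as much as for prevention: the audit trail records who called, on which number, and who approved, which is exactly what the bank and the insurer will ask for after a loss.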

Page 41

Know What Information Needs To Be Protected and Where It Is

What: Online Banking Credentials, Credit Cards, Employee Health Information, Salaries, Trade Secrets, Intellectual Property, Customer Information

Where: Servers, Desktops, Cloud, Home PCs, BYOD devices

Page 42

Implement Written Information Security Management Policies and Standards

Page 43

Train Staff to Be Mindful. Provide Phishing Defense Training.

Page 44

Provide Information Security Education. Change Culture.

If you do not know your enemies nor yourself, you will be imperiled in every single battle. (Sun Tzu)

Page 45

Ensure IT Has an Aggressive Vulnerability and Patch Management Program.

Verizon 2016 Data Breach Investigations Report: The Vast Majority of Breaches Exploit Vulnerabilities for Which Upgrades Have Been Available for Well Over a Year
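The Verizon finding above only becomes actionable once you can answer the same question about your own estate: for each missing patch, how long has the fix been available? The following is an added example, not from the deck, that joins a software inventory to the advisories that fixed each version and buckets every gap against a patch SLA. The inventory, the product names, the advisory dates, the 30-day SLA and the "as of" date are all constructed assumptions; in practice the inventory comes from the vulnerability scanner the slide on page 49 recommends.

```python
"""Added example (not from the deck): measure patch age across an inventory
and report how much of the exposure is older than a year, the bucket the
Verizon 2016 DBIR finding on slide 45 is about. All data constructed."""
from datetime import date

SLA_DAYS = 30   # hypothetical policy: fixes applied within 30 days of release

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("fileserver01", "ExampleOffice", "2.3.1"),
    ("workstation07", "ExampleOffice", "2.5.0"),
    ("web01", "ExampleWeb", "1.8.2"),
]

# Constructed advisories: (product, first fixed version, fix release date).
ADVISORIES = [
    ("ExampleOffice", "2.4.0", date(2015, 3, 10)),
    ("ExampleWeb", "1.9.0", date(2016, 6, 1)),
]


def version_tuple(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple: '2.10.1' > '2.9.0'."""
    return tuple(int(part) for part in version.split("."))


def classify(days_available: int) -> str:
    if days_available <= SLA_DAYS:
        return "within SLA"
    if days_available <= 365:
        return "overdue"
    return "over a year"


def patch_report(inventory, advisories, today: date) -> list:
    """One row per (host, advisory) where the installed version predates the fix."""
    rows = []
    for host, product, installed in inventory:
        for adv_product, fixed_in, released in advisories:
            if adv_product != product:
                continue
            if version_tuple(installed) >= version_tuple(fixed_in):
                continue            # already at or beyond the fixed version
            age = (today - released).days
            rows.append({
                "host": host, "product": product, "installed": installed,
                "fixed_in": fixed_in, "days_available": age, "status": classify(age),
            })
    return rows


def summary(rows: list) -> dict:
    """Headline numbers for the steering committee: how much exposure is stale."""
    total = len(rows)
    stale = sum(1 for r in rows if r["status"] == "over a year")
    return {"missing_patches": total, "over_a_year": stale,
            "share_over_a_year": stale / total if total else 0.0}


if __name__ == "__main__":
    report = patch_report(INVENTORY, ADVISORIES, today=date(2016, 7, 15))
    for row in report:
        print(row)
    print(summary(report))
```

With the constructed data and an "as of" date of 15 July 2016, the file server has been missing a fix for well over a year and the web server is past the 30-day SLA; the workstation is current and does not appear. The share of gaps older than a year is the single number worth putting in front of management, because it is the bucket most breaches fall into.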

Page 46

Require Vendors to Meet Security Management Standards

Security Management included in Service Level Agreements

Comply with Information Security Standards

Business Associate Agreements (HIPAA)

Information Security Continuing Education


Page 47

Make Sure Critical Information Is Available in a Disaster or Ransomware Attack

Trust … But Verify.
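"Trust but verify" applied to backups means checking the backup set before the day you need it, because ransomware that can reach the backup share encrypts or renames the copies too, and that is usually discovered only during the restore. The following is an added example, not from the deck, that records a SHA-256 manifest when a backup set is written and verifies the set against it later. The sample files and the simulated ransomware damage are constructed inside a temporary directory so the block runs offline.

```python
"""Added example (not from the deck): manifest-based backup verification.
Record file hashes when the backup set is written; verify before relying
on it. Encrypted or renamed copies show up as "changed" or "missing"."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every file under root."""
    return {path.relative_to(root).as_posix(): sha256_file(path)
            for path in sorted(root.rglob("*")) if path.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk with the manifest taken when it was written."""
    current = build_manifest(root)
    result = {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }
    result["ok"] = not (result["missing"] or result["changed"] or result["unexpected"])
    return result


def demo() -> dict:
    """Constructed backup set, verified clean, then damaged the way ransomware would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "contracts").mkdir()
        (root / "ledger.csv").write_text("date,payee,amount\n2016-07-01,Stan,1200.00\n")
        (root / "contracts" / "acme.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)
        # Simulate ransomware reaching the backup: one file overwritten with
        # ciphertext-like random bytes, one renamed with a ".locked" suffix.
        (root / "ledger.csv").write_bytes(os.urandom(64))
        (root / "contracts" / "acme.pdf").rename(root / "contracts" / "acme.pdf.locked")
        after = verify_backup(root, manifest)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The manifest has to live somewhere the infected host cannot write, or the attacker simply regenerates it after encrypting the set; keep it with an offline or immutable copy of the backup and run the verification from there, on a schedule, not only when a restore is needed.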

Page 48

Be Prepared: It’s Not “If” But “When”

In preparing for battle I have always found that plans are useless, but planning is indispensable.

General Dwight Eisenhower

Failing to Plan is Planning to Fail

Page 49

Getting Started: Implement Basics. Assess IT Security. Develop Strategy.

Put Someone in Charge

Review IT Network Management Compliance with Security Standards

Conduct IT Network Vulnerability Scan

Establish Policies & Standards

Train Staff

Develop Strategy

Page 50

Create Steering Committee to Manage Ongoing Information Security

Leadership & Organizational Improvements

Security Management of IT Network

Security Improvements to IT Network

Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.

W. Edwards Deming, 14 Key Principles for Improving Organizational Effectiveness

Page 51

Organize Information Security Management Learning Group

Page 52

Summary: Manage Security of Information as Rigorously as Operations & Finance

Implement Formal Information Security Management System

1. Information Security Manager / Chief Information Security Officer
    a. C-Suite and Board Governance
    b. Independent Perspective from CIO or Technology Director
    c. Supported by Cross-Functional Leadership Team
    d. Supported with Subject-Matter Expertise

2. Implement Formal Risk-Driven Information Security Policies and Standards

3. Identify, Document and Control Sensitive Information

4. Train and Educate Personnel. Change Culture.

5. Manage Vendor Security

6. Manage IT Infrastructure from “information security point of view”

7. Be prepared. Incident Response and Business Continuity Planning.

Page 53

Information Security is Proactively Managed

Information Security Standard of Care

Total Cost of Information Security SM

Information Security Proactively Managed

Commercially Reasonable Information Security Practices

Lower Total Cost of Information Security SM

Page 54

Citadel Information Group: Who We Are

Stan Stahl, Ph.D., Co-Founder & President: 35+ Years Experience; Reagan White House; Nuclear Missile Control

Kimberly Pease, CISSP, Co-Founder & VP: Former CIO; 15+ Years Information Security Experience

David Lam, CISSP, CPP, VP Technology Management Services: Former CIO; 20+ Years Information Security Experience

Page 55

Citadel Information Group: What We Do

Deliver Information Peace of Mind SM

to Business and the Not-for-Profit Community

Cyber Security Management Services

Information Security Leadership

Information Security Management Consulting & Coaching

Assessments & Reviews … Executive Management …Technical Management

Secure Network Engineering … Secure Software Engineering

Incident Response / Business Continuity Planning

Adverse Termination

Page 56

For More Information

Stan Stahl [email protected] 323-428-0441 LinkedIn: Stan Stahl Twitter: @StanStahl

Citadel Information Group: www.citadel-information.com

Information Security Resource Library

Free: Cyber Security News of the Week

Free: Weekend Vulnerability and Patch Report


Page 57

Meeting the Information Security Management Challenge in the Cyber-Age

© Copyright 2016. Citadel Information Group. All Rights Reserved.

Stan Stahl, Ph.D., President

Citadel Information Group