Cal cpa meeting infosec challenge - 160511
-
Upload
stan-stahl-phd -
Category
Business
-
view
187 -
download
1
Transcript of Cal cpa meeting infosec challenge - 160511
![Page 1: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/1.jpg)
Meeting the Information Security Management Challenge in the Cyber-Age
© Copyright 2016. Citadel Information Group. All Rights Reserved.
Stan Stahl, Ph.D.President
Citadel Information Group
May 2016
![Page 2: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/2.jpg)
2
The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions
and understand the answers.
Major Gen Brett Williams, U.S. Air Force (Ret)This Week with George Stephanopoulos, December 2014
![Page 3: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/3.jpg)
![Page 4: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/4.jpg)
Online Fraud: Business Email Compromise Deceives Controller
4
From: Your Vendor, Stan Sent: Sunday, December 28, 2014 12:07 PMTo: Bill Hopkins, Controller Subject: Change of Bank Account
Hi Bill – Just an alert to let you know we’ve changed banks.
Please use the following from now on in wiring our payments.
RTN: 123456789 Account: 0010254742631
I’m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter.
Great thanks.
Cheers - Stan_________________________The secret of success is honesty and fair-dealing. If you can fake that, you’ve got it made ... Groucho Marx
![Page 5: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/5.jpg)
Company Loses $46 Million to Online Fraud
5
![Page 6: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/6.jpg)
FBI Reports $2.3 Billion Lost to Business Email Compromise
![Page 7: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/7.jpg)
Your Money or Your Data: Ransomware Viruses Reach Epidemic Proportions
7
Hollywood Presbyterian Medical Center paid $17,000 to ransomware hackers
![Page 8: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/8.jpg)
Epidemic of Credit Card Theft … Medical Records Theft … Personnel Records Theft
8
![Page 9: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/9.jpg)
Data Breach Costs Expensive.Money Down the Drain.
Approximately $150 Per Compromised Record
$15 Million Per Event
Investigative Costs
Breach Disclosure Costs
Legal Fees
Identity Theft Monitoring
Lawsuits Customers
Shareholders
http://www.ponemon.org/index.php
9
![Page 10: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/10.jpg)
Competitor Steals Information. Bankrupts Company.
10
![Page 11: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/11.jpg)
Intellectual Property Theft —Economic Death by a Thousand Cuts
11
![Page 12: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/12.jpg)
Disgruntled Employees Sabotage Systems, Steal Information and Extort Money
12
![Page 13: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/13.jpg)
Organizations Attacked Because Someone Didn’t Like What They Stood For
13
![Page 14: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/14.jpg)
The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity
Customer Information
Credit Cards and PCI Compliance
HIPAA Security Rule
Breach Disclosure Laws
On-Line Bank Fraud & Embezzlement
Theft of Trade Secrets & Other Intellectual Property
Critical Information Made Unavailable
Systems Used for Illegal Purposes
14
![Page 15: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/15.jpg)
Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations
30% of victims have fewer than 250 employees
60% of small-business victims are out of business within 6 months
80% of breaches preventable with basic security
15
![Page 16: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/16.jpg)
Managing Information Risk — Four Key Questions
1. How serious is cybercrime and why should my organization care?
2. How vulnerable are we, really?
3. What do we need to do?
4. How do we do it?
16
![Page 17: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/17.jpg)
Internet not designed to be secure
Computer technology is riddled with security holes
We humans are also imperfect
Why Are We so Vulnerable? Three Inconvenient Truths
17
![Page 18: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/18.jpg)
Cyber Security Need vs. Reality18
![Page 19: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/19.jpg)
http://www.citibank.
com.us.welcome.c.tr
ack.bridge.metrics.po
rtal.jps.signon.online.
sessionid.ssl.secure.
gkkvnxs62qufdtl83ldz
.udaql9ime4bn1siact
3f.uwu2e4phxrm31jy
mlgaz.9rjfkbl26xnjskx
ltu5o.aq7tr61oy0cmbi
0snacj.4yqvgfy5geuu
xeefcoe7.paroquian
sdores.org/
Phishing: Users Unwittingly Open the Door to Cybercrime
19
![Page 20: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/20.jpg)
Vendors an Increasing Information Security Risk
20
![Page 21: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/21.jpg)
Visiting a Website Can Expose You to Cyberattack
21
![Page 22: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/22.jpg)
Clicking an Ad Can Expose You to Cyberattack
22
![Page 23: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/23.jpg)
Cyberattacks Succeed Because ofFlaws — Vulnerabilities — in Programs
23
![Page 24: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/24.jpg)
Technology Solutions Are Inadequate to Challenge
http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/
24
![Page 25: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/25.jpg)
Management Too Often Fails to Set Security Standards for IT Network
Senior Management
IT Head
That’s great
Bob. We’re all
counting on
you.
You’re
keeping us
secure now
aren’t you?
Yes sir.
Everything’s
fine.
Yes sir.
Everything’s
fine.
Hi Bob.
Things
good?
I appreciate
that sir.
![Page 26: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/26.jpg)
Management Too Often Fails to Properly Fund IT Network Security
26
Senior Management
IT Head
I understand.
But you know
how tight
budgets are.
You’re
keeping us
secure now
aren’t you?
Yes sir.
Everything’s
fine.
We need a
BYOD
Solution.
Hi Bob.
Things
good?
I do. Yes sir.
![Page 27: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/27.jpg)
We Make It Way Too Easy: 80% of Breaches are “Low Difficulty”
Inadequate training of people
Inadequate security management of IT networks
Inadequate involvement by senior management
27
Verizon 2015 Data Breach Investigations Report:
http://www.verizonenterprise.com/DBIR/
![Page 28: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/28.jpg)
Securing Your Organization28
Distrust and caution are the parents of security.
Benjamin Franklin
![Page 29: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/29.jpg)
The Objective of Information Security Management is to Manage Information Risk
Cyber Fraud
Information Theft
Ransomware
Denial of Service Attack
Regulatory / Compliance
Disaster
Loss of Money … Brand Value … Competitive Advantage
![Page 30: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/30.jpg)
The Four Elements of Information Risk
Confidentiality … Assuring information is only accessible to those authorized to use it
Integrity … Assuring that information is changed in accordance with authorized procedures by authorized people
Availability … Assuring that information and systems are available to users when they need it
Authenticity … Assuring that a received message is really from the purported sender
30
![Page 31: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/31.jpg)
The Information Security Management Chain
31
Identify Detect Respond RecoverProtect
Continuous Security Management Improvement
Risk Transfer and Insurance
Legal and Regulatory Framework
Based Upon: 1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 20142. International Standards Organization 27001:2013: Information technology— Security techniques —
Information security management systems — Requirements3. Porter Value Chain: Understanding How Value is Created Within Organizations
![Page 32: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/32.jpg)
Don’t Try to Reinvent Wheel: Use an Accepted Information Security Management Framework
Information Security Policies
Organization of Information Security
Human Resource Security
Asset Management
Access Control
Cryptography
Physical / Environmental Security
Operations Security
Communications Security
System Acquisition, Development & Maintenance
Supplier Relationships
Information Security Incident Management
Information Security Aspects of Business Continuity Management
Compliance
32
![Page 33: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/33.jpg)
Manage Information Security Like Everything Else. Establish Leadership.
33
An organization's ability to learn, and translate
that learning into action rapidly, is the ultimate
competitive advantage.
Jack Welch
![Page 34: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/34.jpg)
Take Specific Action to Protect Against Online Financial Fraud
Implement Internal Controls Over Payee Change Requests
Assume all email or fax requests from vendors or company President are fraudulent
Use Out-of-Band Confirmation
Use Dedicated On-Line Banking Workstation
Keep Patched
Use Only for On-Line Banking
Work with Bank
Dual Control
Out-Of-Band Confirmation
Strong Controls on Wires
34
See our blog:https://citadel-information.com/2016/02/business-e-mail-compromise-dont-be-a-victim/
![Page 35: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/35.jpg)
Know What Information Needs To Be Protected and Where It Is
35
Online Banking CredentialsCredit cardsEmployee Health InformationSalariesTrade SecretsIntellectual PropertyCustomer Information
ServersDesktopsCloudHome PCsBYOD devices
![Page 36: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/36.jpg)
Implement Written Information Security Management Policies and Standards
36
![Page 37: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/37.jpg)
Train Staff to Be Mindful. Provide Phishing Defense Training.
37
![Page 38: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/38.jpg)
Provide Information Security Education. Change Culture.
38
If you do not know your enemies nor yourself, you will be imperiled in every single battle.
![Page 39: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/39.jpg)
Ensure IT has Aggressive Vulnerability and Patch Management Program.
39
![Page 40: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/40.jpg)
Require Vendors to Meet Security Management Standards
Security Management included in Service Level Agreements
Comply with Information Security Standards
Business Associate Agreements (HIPAA)
Information Security Continuing Education
40
![Page 41: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/41.jpg)
Make Sure Critical Information Available in Disaster or Ransomware Attack
41
Trust … But Verify.
![Page 42: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/42.jpg)
Be Prepared: It’s Not “If” But “When”42
![Page 43: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/43.jpg)
Getting Started: Implement Basics. Assess IT Security. Develop Strategy.
43
Put Someone in Charge
Review IT Network
Management Compliance with
Security Standards
Conduct IT Network
Vulnerability Scan
Establish Policies & Standards
Train Staff
Develop Strategy
![Page 44: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/44.jpg)
Create Steering Committee to Manage Ongoing Information Security
44
Leadership & Organizational Improvements
Security Management of IT Network
Security Improvements to IT Network
Improve constantly and forever the system of
production and service, to improve quality and
productivity, and thus constantly decrease costs
W. Edwards Deming 14 Key Principles for Improving
Organizational Effectiveness
![Page 45: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/45.jpg)
Join a Secure The Village Roundtable45
![Page 46: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/46.jpg)
Summary: Manage Security of Information as Rigorously as Operations & Finance
Implement Formal Information Security Management System1. Information Security Manager / Chief Information
Security Officera. Independent C-Suite Accessb. Provide Cross-Functional Supportc. Support with Subject-Matter Expertise
2. Implement Formal Risk-Driven Information Security Policies and Standards
3. Identify, Document and Control Sensitive Information 4. Train and Educate Personnel. Change Culture.5. Manage Vendor Security6. Manage IT Infrastructure from “information security point
of view”
46
![Page 47: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/47.jpg)
Information Security is Proactively Managed
Information Security Standard of Care
Total Cost of Information Security SM
Information Security Proactively Managed
Commercially Reasonable Information Security Practices
Lower Total Cost of Information Security SM
![Page 48: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/48.jpg)
Citadel Information Group: Who We Are
48
Stan Stahl, Ph.DCo-Founder & President
35+ Years ExperienceReagan White House
Nuclear Missile Control
Kimberly Pease, CISSP
Co-Founder & VP
Former CIO15+ Years Information
Security Experience
David Lam, CISSP, CPPVP Technology
Management Services
Former CIO20+ Years Information
Security Experience
![Page 49: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/49.jpg)
Citadel Information Group: What We Do49
Deliver Information Peace of Mind SM
to Business and the Not-for-Profit Community
Cyber Security Management Services
Information Security Leadership
Information Security Management Consulting & Coaching
Assessments & Reviews … Executive Management …Technical Management
Secure Network Engineering … Secure Software Engineering
Incident Response / Business Continuity Planning
Adverse Termination
![Page 50: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/50.jpg)
For More Information
Stan Stahl [email protected] 323-428-0441 LinkedIn: Stan Stahl Twitter: @StanStahl
Citadel Information Group: www.citadel-information.comInformation Security Resource Library
Free: Cyber Security News of the WeekFree: Weekend Vulnerability and Patch Report
50
![Page 51: Cal cpa meeting infosec challenge - 160511](https://reader033.fdocuments.us/reader033/viewer/2022052313/58792b471a28ab7c448b5643/html5/thumbnails/51.jpg)
Meeting the Information Security Management Challenge in the Cyber-Age
© Copyright 2016. Citadel Information Group. All Rights Reserved.
Stan Stahl, Ph.D.President
Citadel Information Group