CYBER SECURITY CHALLENGES AND SOLUTIONS — AN EXECUTIVE BRIEFING
© Copyright 2011. Citadel Information Group, Inc. All Rights Reserved.
Long Beach CalCPA Discussion Group
December 21, 2011
Providing Information Peace of Mind ® to Business and the Not-for-Profit Community
Stan Stahl, Ph.D. President
Citadel Information Group Phone: 323.428.0441
[email protected] www.Citadel-Information.com
It was the best of times.
It was the worst of times.
Charles Dickens
Houston ... We Have a Problem
Annual Cost of Online Bank Fraud: $1,000,000,000
Bloomberg, Aug 4, 2011: http://www.bloomberg.com/news/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.html
Financial Fraud and Identity Theft at Epidemic Levels
542,649,217 Financial Records Reported Breached
January 10, 2005 – December 14, 2011
These count only reported breaches. They count neither (1) discovered but unreported breaches nor
(2) undiscovered breaches.
Average Cost of Data Breach: $214 Per Compromised Record; $7.2 Million Per Event
State-Sponsored Cyber Espionage and Intellectual Property Theft
© Copyright 2011. ISSA-LA. All Rights Reserved.
Cyber Crime “World’s Most Dangerous Criminal Threat”
http://www.theage.com.au/technology/security/cyber-crime-is-worlds-most-dangerous-criminal-threat-20100920-15iej.html
Information Risk is Business Risk
Business Information Under Attack
Theft
Financial Fraud & Embezzlement
Stolen Sales Information
Corporate Espionage
Theft of Proprietary Processes, Technologies & Other Intellectual Property
Loss of Protected Information Belonging to Others
Critical Information Unavailable
Systems Used for Illegal Purposes
Information Security Odds Are With Cyber Criminal
Cybercriminals:
Know vulnerabilities
Choose where, when & how of attack
Attacks blend technology with social engineering
Defenders:
Inadequately aware of threat
Over-emphasis on yesterday’s technology
Lack of specialized knowledge & training
Staff not trained to be mindful
Meeting the Challenge of Cyber Crime
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles;
If you do not know your enemies but do know yourself, you will win one and lose one;
If you do not know your enemies nor yourself, you will be imperiled in every single battle.
Know Your Enemy
Why Would Anyone Break Into Information Systems?
… Because that’s
where the money is!
Willie Sutton
The Growing Global Cyber Criminal Market
Organized Cyber Crime Gangs
State-Sponsored Cyber Crime
Political Hacktivists
Bank fraud
Other network-based fraud
Sell stolen credit cards, SS#, medical identities
Sell stolen intellectual property
Lease botnets for spam, DDOS attacks, storage
Cyber Crime Underground
CarderPlanet: Ensuring Honor Among Thieves
Wired, January 31, 2007: http://www.wired.com/politics/onlinerights/news/2007/01/72605
Spy Eye: Easy-to-Use Software for the Non-Technical Cyber Criminal
And It’s Only Getting Worse
Beware the Inside Threat
Crimes include:
Embezzlement & Financial Theft
Theft of Intellectual Property
Destruction of Information Assets
Spying on Management & Other Employees
Masquerading as Other Employees
Running Other Businesses
Physical Theft
Resource Misuse
Cyber Crime: A Lucrative Business Model
Likelihood of Being Caught
Opportunities to Make Money
Cost of Entry
How Your Computer Gets Owned
We’re Secure. We Have Locks on All the Entrances.
Bypassing the Locks: Firewall
Firewall blocks activity on unneeded ports
Cyber criminals use email and Internet to go through open ports
Bypassing the Locks: Anti-Virus / Anti-Malware Fails to Block 60% of Zeus Attacks
Anti-Virus blocks known malware DNA
Cyber criminals create malware whose DNA changes every time it installs
https://zeustracker.abuse.ch/
Bypassing the Locks: Exploit Flaws in Software
Bypassing the Locks: Social Engineering Phishing & Spear-Phishing
Before: The Nigerian Scam
Now: Targeted Spear-Phishing
http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
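The spear-phishing link on this slide works because a reader sees "citibank.com" at the left of the hostname and stops reading; the part that decides where the browser actually goes is the rightmost registered name, paroquiansdores.org. The following added example (not from the deck or from Citadel) shows the check a security team can run on links in incoming mail: split off the registrable domain, count how many labels sit in front of it, and flag a protected brand name that appears only in the attacker-controlled subdomain. PROTECTED_BRANDS and REASSURANCE_WORDS are constructed lists, and the "last two labels" rule for the registrable domain is a stated simplification.

```python
from urllib.parse import urlsplit

# The deck's spear-phishing example, copied from the slide above. The string
# is split where the slide broke it; Python joins adjacent literals.
PHISH_URL = ("http://www.citibank.com.us.welcome."
             "c.track.bridge.metrics.portal.jps.signo"
             "n.online.sessionid.ssl.secure.gkkvnx"
             "s62qufdtl83ldz.udaql9ime4bn1siact3f"
             ".uwu2e4phxrm31jymlgaz.9rjfkbl26xnj"
             "skxltu5o.aq7tr61oy0cmbi0snacj.4yqv"
             "gfy5geuuxeefcoe7.paroquiansdores."
             "org/")

# Brands whose login pages staff legitimately visit. Constructed list for the
# example; a real deployment maintains its own.
PROTECTED_BRANDS = {"citibank"}

# Labels that phishers put in hostnames to look reassuring. Constructed list.
REASSURANCE_WORDS = {"secure", "ssl", "signon", "login", "welcome", "online"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that somebody actually registered.

    Assumption: the registrable domain is the last two labels. That holds for
    .com/.org/.net and fails for suffixes such as co.uk; a production check
    should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(url: str) -> dict:
    """Describe where a link really leads and which deceptive signals it carries."""
    host = urlsplit(url).hostname or ""       # hostname is already lower-cased
    reg = registrable_domain(host)
    # Everything left of the registrable domain is chosen by the domain owner,
    # i.e. by the attacker when the domain is theirs or compromised.
    subdomain = host[: len(host) - len(reg)].rstrip(".") if host.endswith(reg) else ""
    labels = [label for label in subdomain.split(".") if label]
    spoofed = sorted(b for b in PROTECTED_BRANDS if b in subdomain and b not in reg)
    reassurance = sorted(label for label in labels if label in REASSURANCE_WORDS)
    return {
        "host": host,
        "registrable_domain": reg,
        "subdomain_labels": len(labels),
        "brand_in_subdomain": spoofed,
        "reassurance_words": reassurance,
        # A brand name outside its own domain, or an absurdly deep hostname,
        # is reason enough to treat the link as hostile.
        "suspicious": bool(spoofed) or len(labels) > 5,
    }


if __name__ == "__main__":
    for u in (PHISH_URL, "https://online.citibank.com/login"):
        r = analyse(u)
        print(f"{r['registrable_domain']:22} suspicious={r['suspicious']} "
              f"brand_in_subdomain={r['brand_in_subdomain']} labels={r['subdomain_labels']}")
```

Run against the slide's link, the check reports paroquiansdores.org as the real destination with twenty-two labels in front of it, while a genuine online.citibank.com login URL passes. The same logic belongs in a mail gateway rule or in the material used to train staff to read hostnames from the right.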
Bypassing the Locks: Install Malware on Legitimate Web Sites to Infect Visitors
Bypassing the Locks: Public Wi-Fi
Bypassing the Locks: Attack Remote Computing Devices
Anatomy of an Attack: Phase 1—Take Control of the Workstation
Spear-Phishing Email, Web Site Drive-By, SmartPhone, Malicious USB Key, 0-Day Exploit, Social Engineering
ZeuS / SpyEye Trojan, Key Logger, File Access, Botnet Herder
Phase 2 — Steal Money & Sell Information
User IDs and Passwords
Credit Card & Bank Numbers
Sensitive Information
Illegal Computer Use
Lowering the Odds: The View From 50,000 Feet
Cyber Security Protection
Information Security Management
Confidentiality
Laws, Regulations, Contracts & Recommended Practices Establish Standard of Care
US Federal Law: Gramm-Leach-Bliley, HIPAA, FTC Rule
US State Laws: CA Civil Code 1798.81.5, CA 1386 / SB24 Breach Disclosure
MasterCard and Visa Data Security Standard (PCI)
European & Other Laws
ISO standards: ISO 27001, ISO 27002
Government Standards, Guides & Advisories: NIST, NSA, US-CERT
Practitioner Standards: ISSA, ISACA, (ISC)2, SANS Institute
Meeting Standard of Care Requires Top-Level Management & Leadership
Information security requires CEO attention in their individual companies … Business Roundtable, 2004
© Copyright 2010. Citadel Information Group. All Rights Reserved.
Fundamental Concept: Defense in Depth
Operating Assumption: Cyber criminals will get through any particular defense
Secure from the Bottom Up Manage / Lead from the Top Down
Keep Systems Patched
“Intrusion Detection & Prevention”
Train Staff
Information Security Governance
Information Security Policies
Compliance Management
Classify & Control Information
IT Security Management
Physical & Personnel Security
Plan for Incidents
Trust. But Verify.
Manage 3rd-Parties
Manage Information Security Like Other Quality Programs
9/29-30/2010 © Copyright 2010. Citadel Information Group. All Rights Reserved.
Demonstrate Continuous Process Improvement of Organization's Ability to Secure Sensitive Information
A5: Security Policy
A6: Organization
A7: Asset Management
A8: Human Resources
A9: Physical / Environmental
A10: Communication & Operations Management
A11: Access Control
A12: Acquisition, Development & Maintenance
A13: Incident Management
A14: Business Continuity
A15: Compliance
ISO 27001, Annex ISO 27002
Continuous Process Improvement Engine
Information Security Management System
Getting Started: The As-Is
If You Don’t Know Where You Are, a Map Won’t Help
Getting Started: The To-Be
If you don’t know where you’re going, when you get there you’ll be lost. Yogi Berra
An Ounce of Prevention is Worth a Pound of Cure
Security Prevention Costs
• Technology costs
• Security management costs
• Executive
• IT security management
• Security overhead costs
Security Incident Costs
• Cold hard cash
• Direct incident recovery costs
• Lost productivity costs
• Intellectual property losses
• Breach disclosure costs
• Legal & attorney costs, including investigations and fines
• Loss of brand value
• Loss of competitive advantage
The Objective: Information Peace of Mind ®
© Copyright 2009. Citadel Information Group. All Rights Reserved.
Protect Business
Meet Information Security Standard of Care
Lower Total Cost of Information Security SM
Greatest Challenge: Organizational Leadership
Awareness of Risk
Knowledge and Ability to Act
Enthusiasm for Getting Involved
Eagerness to Create a Culture of Cyber Security Mindfulness
Attitude that “Failure is not an option”
Continually asks “What don’t I know that I don’t know I don’t know”
Lowering the Odds: Some Specifics
Keep Software Patched and Updated
Reduce Risk of On-Line Bank Fraud
Use Stand-Alone Workstation for On-Line Banking
Use Only for On-Line Banking
No email
No web browsing
Best to Have Separate Internet Connection
Best if Separate from Corporate Network
Strongly Manage Security of Necessary Connection
Out-Of-Band Confirmation from Bank
Daily Out-of-Band Reconciliation
Train Staff to Limit Information Posted on Social Networks
Control Use of Social Networks from Office
Be Suspicious
It’s Not Paranoia if They are Out to Get You
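The "Daily Out-of-Band Reconciliation" item above is the control that catches a fraudulent transfer early enough to recall it: the bank's own record of what left the account, obtained through a channel the banking PC cannot tamper with, is compared every day against what the business actually approved. The following added example (not from the deck or from Citadel) implements that comparison on constructed data: two bank debits that nobody approved are left unexplained, and the one above a constructed escalation threshold is singled out for a same-day call to the bank. The Txn fields, the sample transactions and ESCALATION_THRESHOLD are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    posted: date
    amount: Decimal        # negative = money leaving the account
    reference: str
    payee: str


# Constructed sample data. The bank side is what the bank reports through a
# channel other than the banking PC (printed statement, phone, second device);
# the ledger side is what accounts payable approved for that day.
BANK_STATEMENT = [
    Txn(date(2011, 12, 20), Decimal("-4250.00"), "ACH-1001", "Office Supply Co"),
    Txn(date(2011, 12, 20), Decimal("-980.50"), "ACH-1002", "Payroll Svc"),
    Txn(date(2011, 12, 20), Decimal("-9800.00"), "ACH-1003", "J. Doe"),            # nobody approved this
    Txn(date(2011, 12, 20), Decimal("-4250.00"), "ACH-1004", "Office Supply Co"),  # approved once, debited twice
]
INTERNAL_LEDGER = [
    Txn(date(2011, 12, 20), Decimal("-4250.00"), "PO-77", "Office Supply Co"),
    Txn(date(2011, 12, 20), Decimal("-980.50"), "PO-78", "Payroll Svc"),
]

ESCALATION_THRESHOLD = Decimal("5000.00")   # constructed policy value


def reconcile(bank, ledger):
    """Pair each bank debit with one approved ledger entry (same day, amount, payee).

    Returns (unexplained_bank_items, unmatched_ledger_items). A ledger entry
    explains at most one debit, so a duplicated ACH is reported as unexplained.
    """
    remaining = list(ledger)
    unexplained = []
    for b in bank:
        match = next((entry for entry in remaining
                      if entry.posted == b.posted and entry.amount == b.amount
                      and entry.payee.casefold() == b.payee.casefold()), None)
        if match is None:
            unexplained.append(b)
        else:
            remaining.remove(match)
    return unexplained, remaining


def daily_report(bank=BANK_STATEMENT, ledger=INTERNAL_LEDGER):
    """Summarise the day: money at risk and which items need same-day escalation."""
    unexplained, unmatched = reconcile(bank, ledger)
    return {
        "unexplained_refs": [t.reference for t in unexplained],
        "unexplained_total": sum((t.amount for t in unexplained), Decimal("0")),
        "escalate": [t.reference for t in unexplained if -t.amount >= ESCALATION_THRESHOLD],
        "approved_but_not_posted": [t.reference for t in unmatched],
    }


if __name__ == "__main__":
    for key, value in daily_report().items():
        print(f"{key}: {value}")
```

The matching key deliberately includes the payee and not just the amount, so a transfer to an unknown recipient for a familiar amount still surfaces. Whatever produces the bank side must not come from the same workstation that originates payments; if that machine is running a banking trojan, the statement it displays cannot be trusted.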
Passwords: Easier Than Ever
Corporate, Banking, eCommerce: Long passphrase
Web65mailers$
Lovemyjob$$$3
Different on Different Sites
Registration Passwords: qwertyu7
Use Secure Password Manager … Carefully: Roboform, Keepass
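The slide's point is that length does more for a password than cleverness, and that a throwaway registration password such as qwertyu7 is fine only because nothing valuable sits behind it. The following added example (not from the deck or from Citadel) puts numbers on the three passwords shown: a brute-force estimate of length times log2 of the character pool, plus a keyboard-walk check, because the naive estimate alone would credit qwertyu7 with 41 bits it does not have. The rating thresholds and the KEYBOARD_ROWS list are constructed for the example.

```python
import math
import string

# Keyboard rows used to detect "walks" such as qwerty or 12345. Constructed list.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def charset_size(pw: str) -> int:
    """Size of the smallest character pool that contains every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)      # 32 printable ASCII symbols
    return size


def naive_bits(pw: str) -> float:
    """Brute-force strength estimate: length * log2(pool size)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run adjacent keys from one keyboard row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in low or run[::-1] in low:
                return True
    return False


def assess(pw: str) -> dict:
    """Rate a password; a keyboard walk overrides whatever the length estimate says."""
    bits = naive_bits(pw)
    walk = keyboard_walk(pw)
    if walk or bits < 50:          # constructed thresholds
        rating = "weak"
    elif bits < 80:
        rating = "adequate"
    else:
        rating = "strong"
    return {"length": len(pw), "naive_bits": round(bits, 1),
            "keyboard_walk": walk, "rating": rating}


if __name__ == "__main__":
    for pw in ("Web65mailers$", "Lovemyjob$$$3", "qwertyu7"):
        print(pw, assess(pw))
```

Both 13-character passphrases come out at roughly 85 bits against brute force, while qwertyu7 is rated weak regardless of its 41-bit estimate because the keyboard walk puts it in every cracking dictionary. A password manager removes the need for people to invent such strings at all, which is why the slide pairs the two recommendations.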
Be Careful with File Transfer Services
Extremely Useful … When Used with Care
Responsibility with User
Know what you’re buying
Having security feature ≠ feature implemented correctly
Train staff on (in)secure use
The Cloud: Yes … But Look Before You Leap
Cloud Services: Salesforce, Authorize.net, iCloud, Google, Amazon S3, Gmail, Office 365, Private clouds, Desktop as a Service, Security as a Service
Security and Legal Challenges: Security & privacy responsibility, Information availability, Legal compliance
Use Encryption to Protect Sensitive Data
Encryption at Rest
Laptops
External & USB drives
Sensitive databases
Encryption in Transit
HTTPS:
WPA2 for Wi-Fi
Dropbox
Disk & File Encryption Tools
Windows BitLocker: Hard drive encryption
Truecrypt: Hard drive encryption
Axcrypt: File encryption
WinZip: File encryption
Key Performance Parameters
Encryption algorithm
Key length
Key security
Time to encrypt / decrypt
Protect Remote Computing Devices
Laptops and Netbooks: Protect like desktops; Encrypt hard drives
iPads, Smartphones, Tablets: Minimize sensitive processing; Manage Wi-Fi; Encrypt when available; Password protect; Remote find & kill; Beware of Android Apps
Use VPN when available
When Things Go Wrong
Incident Response
Information Continuity
The Trade-Off: Back to work / Evidence Preservation
Be Prepared: Network logs, Plans, Tests, Training
Securing the Community
It Takes the Village to Protect the Village
ISSA-LA: Creating the Los Angeles Cyber Security Management Learning Village
Problems cannot be solved by the same
level of thinking that created them
Albert Einstein
ISSA: 27 Years of Information Security Management Experience
Banking, Insurance, Fraud Control: Data Integrity & Availability
National Security: Confidentiality & Availability
PC and Network Security: CIA
Internet Security: CIA, Identity Theft, Bank Fraud, etc.
10,000+ members, 140 chapters, 70 Countries, CISSP
ISSA: Providing National Cyber Security Leadership
December 22, 2009: ISSA International Board President Howard Schmidt Takes New Responsibility as President Obama’s White House Cyber Security Coordinator.
ISSA-LA: Proactively Driving “Information Systems Security” Thinking in the Community
ISSA-LA’s Mission: The premier catalyst and information source in the Los Angeles community for improving the practice of information security.
Education, networking and support to our direct constituents
• Information security practitioners
• IT practitioners with information security responsibilities
• Information security vendors
Outreach, advocacy and education to the broader Los Angeles community
It Takes the Village to Secure the Village SM
ISSA-LA: Law Enforcement, Business Community, InfoSec Community, IT Community, Not-for-Profit Community, Schools & Education, Government, Families
ISSA-LA Community Outreach Activities
Monthly Lunch Meetings [9 per year]
Quarterly Dinner Meetings
Annual Information Security Summit in Spring
Quarterly CISO Forum
Professional Study Groups
Collaboration with Colleges, Universities, Professional Associations
2012 Initiatives
Community-Based Web Site
Community Outreach Speaker’s Bureau
Quarterly Executive Management Forum
Quarterly CIO Forum
Quarterly IT Security Briefing
Family & Children Cyber Security Program
An Information Security Ethical Standard of Behavior
Protect your neighbor's information as you would want your neighbor to protect yours.
For More Information
www.citadel-information.com
[email protected]
323-428-0441
LinkedIn: http://www.linkedin.com/pub/stan-stahl-phd/0/455/105
ISSA-LA: www.issa-la.org
LinkedIn Group Technical: ISSA Los Angeles Chapter Networking
LinkedIn Group Community: Friends of ISSA-LA
Subscribe to our blogs: Cyber Security News of the Week; Weekly Patch and Vulnerability Report
Coming soon: CitadelOnSecurity: Citadel’s portal to information security awareness training and education
Thank You!
Providing Information Peace of Mind ® to Business and the Not-for-Profit Community