Citadel Information Group - CYBER SECURITY ... › wp-content › uploads › 2010 › ...Meeting...

CYBER SECURITY CHALLENGES AND SOLUTIONS — AN EXECUTIVE BRIEFING

© Copyright 2011. Citadel Information Group, Inc. All Rights Reserved.

Long Beach CalCPA Discussion Group

December 21, 2011

Providing Information Peace of Mind ® to Business and the Not-

for-Profit Community

Stan Stahl, Ph.D. President

Citadel Information Group Phone: 323.428.0441

[email protected] www.Citadel-Information.com

It was the best of times.

It was the worst of times.

Charles Dickens

© Copyright 2011. Citadel Information Group. All Rights Reserved.

Houston ... We Have a Problem


14

Annual Cost of Online Bank Fraud: $1,000,000,000


15

Bloomberg, Aug 4, 2011: http://www.bloomberg.com/news/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.html

Financial Fraud and Identity Theft at Epidemic Levels

542,649,217 Financial Records Reported Breached

January 10, 2005 – December 14, 2011

These count only reported breaches. They count neither (1) discovered but unreported breaches nor

(2) undiscovered breaches.


16

Average Cost of Data Breach: $214 Per Compromised Record; $7.2 Million Per Event


17

State-Sponsored Cyber Espionage and Intellectual Property Theft

© Copyright 2011. ISSA-LA. All Rights Reserved.

18

Cyber Crime “World’s Most Dangerous Criminal Threat”


19

http://www.theage.com.au/technology/security/cyber-crime-is-worlds-most-dangerous-criminal-threat-20100920-15iej.html

Information Risk is Business Risk

Business Information Under Attack

Theft

Financial Fraud & Embezzlement

Stolen Sales Information

Corporate Espionage

Theft of Proprietary Processes, Technologies & Other Intellectual Property

Loss of Protected Information Belonging to Others

Critical Information Unavailable

Systems Used for Illegal Purposes


20

Information Security Odds Are With Cyber Criminal

Cybercriminals Know vulnerabilities

Choose where, when & how of attack

Attacks blend technology with social engineering

Defenders Inadequately aware of threat

Over-emphasis on yesterday’s technology

Lack of specialized knowledge & training

Staff not trained to be mindful


21

Meeting the Challenge of Cyber Crime 22

It is said that if you know your enemies

and know yourself, you will not be

imperiled in a hundred battles,

If you do not know your enemies but do

know yourself, you will win one and lose

one,

If you do not know your enemies nor

yourself, you will be imperiled in every

single battle.

Know Your Enemy


23

Why Would Anyone Break Into Information Systems?

… Because that’s

where the money is!

Willie Sutton


24

Bank fraud

Other network-based fraud

Sell stolen credit cards, SS#, medical identities

Sell stolen intellectual property

Lease botnets for spam, DDOS attacks, storage

The Growing Global Cyber Criminal Market

Organized Cyber Crime Gangs

State-Sponsored

Cyber Crime

Political Hacktivists


25

Cyber Crime Underground

CarderPlanet: Ensuring Honor Among Thieves


26

Wired, January 31, 2007: http://www.wired.com/politics/onlinerights/news/2007/01/72605

Spy Eye: Easy-to-Use Software for the Non-Technical Cyber Criminal


27

And It’s Only Getting Worse


28

Beware the Inside Threat

Crimes include Embezzlement & Financial

Theft

Theft of Intellectual Property

Destruction of Information Assets

Spying on Management & Other Employees

Masquerading as Other Employees

Running Other Businesses

Physical Theft

Resource Misuse


29

Cyber Crime: A Lucrative Business Model


30

Likelihood of

Being Caught Opportunities

to Make

Money

Cost of Entry

How Your Computer Gets Owned


31

We’re Secure. We Have Locks on All the Entrances.


32

Bypassing the Locks: Firewall


33

Firewall blocks activity on unneeded ports

Cyber criminals use email and Internet to go through open ports

Bypassing the Locks: Anti-Virus / Anti-Malware Fails to Block 60% of Zeus Attacks


34

Anti-Virus blocks known malware DNA

Cyber criminals create malware whose DNA changes every time it installs

https://zeustracker.abuse.ch/

Bypassing the Locks: Exploit Flaws in Software


35

Bypassing the Locks: Social Engineering Phishing & Spear-Phishing


36

Before: The Nigerian Scam Now: Targeted Spear-Phishing

http://www.citibank.com.us.welcome.

c.track.bridge.metrics.portal.jps.signo

n.online.sessionid.ssl.secure.gkkvnx

s62qufdtl83ldz.udaql9ime4bn1siact3f

.uwu2e4phxrm31jymlgaz.9rjfkbl26xnj

skxltu5o.aq7tr61oy0cmbi0snacj.4yqv

gfy5geuuxeefcoe7.paroquiansdores.

org/

Bypassing the Locks: Install Malware on Legitimate Web Sites to Infect Visitors

Bypassing the Locks: Public Wi-Fi


38

Bypassing the Locks: Attack Remote Computing Devices


39

Anatomy of an Attack: Phase 1—Take Control of the Workstation


40

Spear-Phishing Email Web Site Drive-By SmartPhone Malicious USB Key 0-Day Exploit Social Engineering

ZeuS / SpyEye Trojan Key Logger File Access Botnet Herder

Phase 2 — Steal Money & Sell Information


41

User IDs and Passwords Credit Card & Bank Numbers Sensitive Information Illegal Computer Use

$$

$$

$

Sensitive In

fo

Co

mp

ute

r

Lowering the Odds: The View From 50,000 Feet


42

Cyber Security Protection


43

Information Security Management

Information Security Management


44

Confidentiality

Laws, Regulations, Contracts & Recommended Practices Establish Standard of Care

US Federal Law Gramm-Leach-Bliley

HIPAA

FTC Rule

US State Laws CA Civil Code 1798.81.5

CA 1386 / SB24 Breach Disclosure

MasterCard and Visa Data Security Standard (PCI)

European & Other Laws

ISO standards ISO 27001

ISO 27002

Government Standards, Guides & Advisories NIST

NSA

US-CERT

Practitioner Standards ISSA

ISACA

(ISC)2

SANS Institute


45

Meeting Standard of Care Requires Top-Level Management & Leadership

Information security requires CEO attention in their

individual companies … Business Roundtable, 2004

46


Fundamental Concept: Defense in Depth


47

Operating Assumption: Cyber criminals will get through any particular defense

Secure from the Bottom Up Manage / Lead from the Top Down


48

Keep Systems

Patched

“Intrusion Detection &

Prevention” Train Staff

Information Security

Governance

Information Security

Policies

Compliance

Management

Classify & Control

Information

IT Security

Management

Physical & Personnel

Security

Plan for Incidents Trust. But Verify. Manage 3rd-Parties

Manage Information Security Like Other Quality Programs

9/29-30/2010 © Copyright 2010. Citadel Information Group. All Rights Reserved.

49

Demonstrate Continuous

Process Improvement

of Organization's

Ability to Secure

Sensitive Information

A5: Security Policy

A6: Organization

A7: Asset Management

A8: Human Resources

A9: Physical /

Environmental

A10: Communication &

Operations Management

A11: Access Control

A12: Acquisition,

Development &

Maintenance

A13: Incident Management

A14: Business Continuity

A15: Compliance

ISO 27001, Annex ISO 27002

Continuous Process Improvement Engine

Information Security Management System

Getting Started: The As-Is


50

If You Don’t Know Where You Are, a Map Won’t Help

Getting Started: The To-Be


51

If you don’t know where you’re going, when you get there you’ll be lost. Yogi Berra

An Ounce of Prevention is Worth a Pound of Cure

Security Prevention Costs • Technology costs • Security management

costs • Executive • IT security

management • Security overhead costs

Security Incident Costs • Cold hard cash • Direct incident recovery

costs • Lost productivity costs • Intellectual property

losses • Breach disclosure costs • Legal & attorney costs,

including investigations and fines

• Loss of brand value • Loss of competitive

advantage


52

The Objective: Information Peace of Mind ®


53

Protect Business

Meet Information Security Standard of Care

Lower Total Cost of Information Security SM

Greatest Challenge: Organizational Leadership

Awareness of Risk Knowledge and Ability to

Act Enthusiasm for Getting

Involved Eagerness to Create a

Culture of Cyber Security Mindfulness

Attitude that “Failure is not an option”

Continually asks “What don’t I know that I don’t know I don’t know”


54

Lowering the Odds: Some Specifics


55

Keep Software Patched and Updated


56

Reduce Risk of On-Line Bank Fraud

Use Stand-Alone Workstation for On-Line Banking Use Only for On-Line Banking

No email

No web browsing

Best to Have Separate Internet Connection

Best if Separate from Corporate Network

Strongly Manage Security of Necessary Connection

Out-Of-Band Confirmation from Bank

Daily Out-of-Band Reconciliation

Train Staff to Limit Information Posted on Social Networks

Control Use of Social Networks from Office

Be Suspicious

It’s Not Paranoia if They are Out to Get You

57


Passwords: Easier Than Ever

Corporate, Banking, eCommerce Long passphrase

Web65mailers$

Lovemyjob$$$3

Different on Different Sites

Registration Passwords qwertyu7

Use Secure Password Manager … Carefully Roboform

Keepass

58


Be Careful with File Transfer Services

Extremely Useful … When Used with Care

Responsibility with User

Know what you’re buying

Having security feature ≠ feature implemented correctly

Train staff on (in)secure use

59


The Cloud: Yes … But Look Before You Leap

Cloud Services Salesforce

Authorize.net

iCloud, Google, Amazon S3

Gmail, Office 365

Private clouds

Desktop as a Service

Security as a Service

Security and Legal Challenges Security & privacy

responsibility

Information availability

Legal compliance

60


Use Encryption to Protect Sensitive Data

Encryption at Rest

Laptops

External & USB drives

Sensitive databases

Encryption in Transit

HTTPS:

WPA2 for Wi-Fi

Email

Dropbox

Disk & File Encryption Tools

Windows BitLocker: Hard drive encryption

Truecrypt: Hard drive encryption

Axcrypt: File encryption

WinZip: File encryption

Key Performance Parameters

Encryption algorithm

Key length

Key security

Time to encrypt / decrypt

61


Protect Remote Computing Devices

Laptops and Netbooks Protect like desktops Encrypt hard drives

iPads, Smartphones, Tablets Minimize sensitive

processing Manage Wi-Fi Encrypt when available Password protect Remote find & kill Beware of Android Apps

Use VPN when available

62


When Things Go Wrong

Incident Response

Information Continuity

The Trade-Off Back to work

Evidence Preservation

Be Prepared Network logs

Plans

Tests

Training

63


Meeting the Challenge of Cyber Crime 64

It is said that if you know your enemies

and know yourself, you will not be

imperiled in a hundred battles,

If you do not know your enemies but do

know yourself, you will win one and lose

one,

If you do not know your enemies nor

yourself, you will be imperiled in every

single battle.

Securing the Community


It Takes the Village to Protect the Village

65

ISSA-LA: Creating the Los Angeles Cyber Security Management Learning Village

66

Problems cannot be solved by the same

level of thinking that created them

Albert Einstein


ISSA: 27 Years of Information Security Management Experience

67

Banking, Insurance, Fraud Control:

Data Integrity & Availability

National Security: Confidentiality & Availability

PC and Network Security:

CIA

Internet Security:

CIA, Identity Theft, Bank Fraud, etc 10,000+ members 140 chapters 70 Countries CISSP

ISSA: Providing National Cyber Security Leadership


68

December 22, 2009: ISSA International

Board President Howard Schmidt Takes

New Responsibility as President Obama’s

White House Cyber Security Coordinator.

ISSA-LA: Proactively Driving “Information Systems Security” Thinking in the Community


69

ISSA-LA’s Mission The premier catalyst and information source in the Los Angeles community for improving the

practice of information security.

Education, networking and support to our direct constituents • Information security practitioners

• IT practitioners with information security responsibilities • Information security vendors

Outreach, advocacy and education to the broader Los Angeles

community

It Takes the Village to Secure the Village SM

It Takes the Village to Secure the Village SM


70

ISSA-LA Law

Enforcement

Business

Community

InfoSec

Community IT

Community

Not-for-Profit

Community

Schools &

Education

Government

Families

ISSA-LA Community Outreach Activities

Monthly Lunch Meetings [9 per year]

Quarterly Dinner Meetings

Annual Information Security Summit in Spring

Quarterly CISO Forum

Professional Study Groups

Collaboration with Colleges, Universities, Professional Associations

2012 Initiatives Community-Based Web

Site

Community Outreach Speaker’s Bureau

Quarterly Executive Management Forum

Quarterly CIO Forum

Quarterly IT Security Briefing

Family & Children Cyber Security Program

71


An Information Security Ethical Standard of Behavior


Protect your neighbor's information as you would want your neighbor to

protect yours.

72

For More Information


73

www.citadel-information.com [email protected] 323-428-0441 LinkedIn: http://www.linkedin.com/pub/stan-stahl-phd/0/455/105 ISSA-LA: www.issa-la.org LinkedIn Group Technical: ISSA Los Angeles Chapter Networking LinkedIn Group Community: Friends of ISSA-LA Subscribe to our blogs: Cyber Security News of the Week Weekly Patch and Vulnerability Report Coming soon: CitadelOnSecurity: Citadel’s portal to information security awareness training and education

CYBER SECURITY CHALLENGES AND SOLUTIONS — AN EXECUTIVE BRIEFING

© Copyright 2011. Citadel Information Group, Inc. All Rights Reserved.

Thank You!

Providing Information Peace of Mind ® to Business and the Not-

for-Profit Community

Citadel Information Group - CYBER SECURITY ... › wp-content › uploads › 2010 › ...Meeting...

Documents

Transcript of Citadel Information Group - CYBER SECURITY ... › wp-content › uploads › 2010 › ...Meeting...