Slide 1

Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Tighten Up Your Firms Cyber Security Presented by Robert Listerman, CPA, CITRMS Slide 2 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Robert Listerman (Bob) is a licensed Certified Public Accountant, State of Michigan and has over 30 years of experience as a process improvement business consultant. He graduated from Michigan State University and became a CPA while employed at Touche Ross & Co., Detroit, now known as a member firm of Deloitte & Touche USA LLP Bob added the Certified Identity Theft Risk Management Specialist (CITRMS) designation issued by The Institute of Fraud Risk Management in 2007. The designation is in recognition of his knowledge and experience in identity theft risk management. Today Bob focuses his practice on data security compliance. Over 50% of identity theft can be traced back to unlawful or mishandling of non-public data within the workplace. Currently Bob serves his professional community as an active Board Member for the Institute of Management Accountants (IMA), Mid Atlantic Council IMA-MAC. He is currently servicing as President of IMA-MAC (2011-2013). He is a regular seminar presenter for the IMA, Pennsylvania Institute of CPAs (PICPA), and the Michigan Association of CPAs (MACPA). Bob serves on, and is a past chair of the MACPAs Management Information & Business Show committee which enjoys serving over 1000 CPAs in attendance each year. He is Continuing Education Chair of the PICPAs IT Assurance Committee. Bob serves his local community as a member of the Kennett Township, PA Planning Commission, Communications, Business Advisory, and Safety Committees. He is an active board member of the Longwood Rotary Club. He serves his Rotary District 7450 as their Interact Club Chair (Rotary in High School) since 2010. Past professional and civic duties include serving on the Board of Directors for the Michigan Association of Certified Public Accountants (1997-2000), past board member of the Delaware Chapter of the IMA and past Chapter president for the IMA Oakland County, Michigan (1994-1995). www.linkedin.com/in/boblistermanidriskmanager/ Slide 3 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com How Computers (Servers) get Infected Hacked through the Internet Cloud File brought in via a USB (Thumb) Drive Slide 4 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com How Computers (Servers) get Infected Downloaded program, picture, document, Email or from a shared file folder Key logger mimicking what they have learned Slide 5 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com How Computers (Servers) get Infected From employees conduct / behavior Culture at the top Slide 6 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Data security can seem mindboggling Slide 7 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com An Internet service provider (ISP, also called Internet access provider) is a business or organization that offers users access to the Internet and related services. Many ISPs are telephone companies or other telecommunication providers. They provide services such as Internet access, Internet transit, domain name registration and hosting, dial-up access, leased line access and colocation. Internet service providers may be organized in various forms, such as commercial, community- owned, non-profit, or otherwise privately owned. Source: http://en.wikipedia.org/wiki/Internet_service_provider#Access_providershttp://en.wikipedia.org/wiki/Internet_service_provider#Access_providers Definition Slide 8 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com a.k.a: the CLOUD Slide 9 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Slide 10 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com The Internet Web Topography Slide 11 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Prize for first person who raises their hand AND can identify what these numbers are! Slide 12 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com IP Tracer Source: http://www.ip-adress.com/ip_tracer/http://www.ip-adress.com/ip_tracer/ Slide 13 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Slide 14 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Terms Malware/Viruses Key Logger Hacker Hacktivism (Anonymous) Zero Day Attack Botnet Slide 15 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Slide 16 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Zero Day Attack A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability. Slide 17 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com BOTNET The term "botnet" can be used to refer to any group of computers, such as IRC bots, but the term is generally used to refer to a collection of computers (called zombie computers) that have been recruited by running malicious software. It could be used to send spam email or participate in Denial of service attacks. The word botnet stems from the two words robot and network. Slide 18 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Slide 19 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Email Attack on Vendor Set Up Breach at Target* * Source: http://krebsonsecurity.com/ The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware- laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation. Last week, KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Slide 20 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Security is a layered solution Physical Safeguards Administrative Safeguards (Culture of Security) Technical Safeguards FenceCameras Barred Windows Sensitive Data Walls Strong Password Dead BoltsGuards ______________________ Virus Detection VPN Fire Wall 2 nd Verification Intrusion Detection Slide 21 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Physical Safeguards Premise & surroundings Physical access simple key user identifying access (key pad or card) Internal areas, floors, hallways, office doors, files, etc Document flow through the facility and at rest Storage Written procedures Environmental safeguards Computer monitor/screen guards Clean desk policy Slide 22 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Education backed by Policy & Procedures Employee training on handling data from its source through to storage Documented procedures Computer Usage Policy Sensitive Data Handling Policy Data Security Policy including B.Y.O.D. Employee signed acknowledgement of being trained Criminal background check on anyone who handles or has access to data Administrative Safeguards Slide 23 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Technical Safeguards Risk assessment Internal vulnerability assessment Malware/Virus checking software Spam filters Encryption Strong Passwords Intrusion detection Employee education on IT security policy and procedures Slide 24 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Bring Your Own Device (BYOD) Right to access device for forensic and data integrity assessment Remote wipe if lost, stolen, or just not in control of employee anymore Signed written agreement prior to company data access Slide 25 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Securing Data In Motion Secured leased lines Use of VPN connections (Virtual Private Networks) Know if you are on a secure site https:// Send/receive encrypted files (Adobe documents have security options) Use private email clients such as hushmail.com Slide 26 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com SSLSSL S S L SSLSSL VPNVPN V P N Slide 27 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Sample cloud based VPN solution pricing model: Slide 28 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com SaaS: Whats in (not in?) the Cloud? Limited Only By Your Imagination Slide 29 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com IaaS: Your Hardware in the CLOUD? Slide 30 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Case Study* Medium-sized mortgage brokerage firm * Source: Qnectus.com 99.99% uptime Enterprise-level firewall protection Encryption, and virus protection Flexibility across both platforms and devices Managed applications and upgrades Simplified user provisioning 24/7/365 customer service support Saved upwards of 50% over thirty (30) months Slide 31 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com What to look for in a Cloud Service Provider Strong contract regarding breach notifications Systems are monitored 24/7 Maintains user log-in history Require strong passwords with limited life Your data is backed-up & stored locally Segregation of Data (Criminal Investigation of Others) Has Documented Disaster Recovery Plan Annually certified SSAE 16 (formally SAS 70) Slide 32 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Security convenience myth Most security upgrades can be tied to behavior awareness Small changes can deliver large improvements Most secure tools are as easy to use as standard email New direction of technology (i.e. SaaS & IaaS) is wrapped around security Create, train, & administer YOUR policies and procedures Slide 33 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Culture of Security The Federal Trade Commissions PII Guide for employers: Slide 34 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Take this 20 Question Assessment to Score Your Risk Level Slide 35 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com Update your software every time on time Keep operating system up to date Keep malware/virus protection updated Six Take a ways (if this is all you do ) Be aware of todays vulnerabilities Assess your entities Risk Level Score New opportunities when ready to upgrade Slide 36 Data Security Compliance Advisors Certified Identity Theft Risk Management Specialists 873 East Baltimore Pike #501 Kennett Square, PA 19348 610-444-5295 www.BTR-Security.com