infosec-for-c-level-introductory-calcpa-orange-county-fall...
TRANSCRIPT
Page 1
CYBER SECURITY CHALLENGES AND
SOLUTIONS — AN EXECUTIVE BRIEFING
© Copyright 2012. Citadel Information Group, Inc. All Rights Reserved.
CalCPA
Orange County/Long Beach Chapter
Fall Seminar Series
September 18, 2011
Stan Stahl, Ph.D.
President
Citadel Information Group
Phone: 323.428.0441
www.Citadel-Information.com
Delivering Information Peace of Mind ®
to Business and the Not-for-Profit
Community
It was the best of times.
It was the worst of times.
Charles Dickens
Information Security — The CliffsNotes
• Cyber Criminals Want Our Information & Our Computers
• We Are Under Attack
• Our Defenses Are Inadequate
• We Must Do Better
   • In our offices
   • In our homes
   • In our community
Page 6
Page 7
CyberCrime Step 1: Set the Trap—Install Malware on Poorly-Secured Web Site
CyberCrime Step 2: Set the Bait—Get the User to Visit the Website
http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
CyberCrime Step 3: Spring the Trap—Exploit Flaws to Install Malware on User’s PC/Mac
Page 8
Annual Cost of Online Bank Fraud:
$1,000,000,000
Bloomberg, Aug 4, 2011: http://www.bloomberg.com/news/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.html
August 2009: Cyber Criminal Gangs in Eastern
Europe Stealing Millions in On-Line Bank Fraud
Washington Post, http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html
October 2009: On-Line Bank Theft is Cyber
Crime Growth Industry
Washington Post, October 26, 2009: http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
Page 9
November 2010: Known US Commercial Cyber
Threat Victims
Source: http://krebsonsecurity.com/2010/11/charting-the-carnage-from-ebanking-fraud-ii/
Thursday, July 12, 2012
http://krebsonsecurity.com/2012/07/eu-to-banks-assume-all-pcs-are-infected/
Adding Insult to Injury: Loss Responsibility
Often Falls to Victim
Page 10
Financial Fraud and Identity Theft Up 19% in
2011
563,201,803 Financial Records Reported Breached
January 10, 2005 – July 31, 2012
These count only reported breaches. They count neither
(1) discovered but unreported breaches nor
(2) undiscovered breaches.
Breach Disclosures at Record Highs
A Few More Expensive Breach Disclosures
Page 11
Average Cost of Data Breach
• $194 Per Compromised Record
• $5.5 Million Per Event
• California Civil Code Section 56.36
   • $1,000 nominal damages for disclosure of medical information
State-Sponsored Intellectual Property Theft:
Death by a Thousand Cuts
Bloomberg: Cyber Cold War
Page 12
Operation Aurora: the China Connection
State-Sponsored Cyber Attacks Provide
Criminals with Advanced Methods
August 2009: IBM Warns “Trust No One”
Page 13
September 2010: Interpol Calls Cyber Crime
“World’s Most Dangerous Criminal Threat”
http://www.theage.com.au/technology/security/cyber-crime-is-worlds-most-dangerous-criminal-threat-20100920-15iej.html
September 2011: Cyber Crime Bigger Than
Drug Trade?
Cyber crime now bigger than the drugs trade
Says cyber security firm
By Brid-Aine Parnell, 7th September 2011 14:17 GMT
The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine, which is estimated at $388bn, a new headline-grabbing study reported.
• US Annual Losses at $114B
• One million victims of cybercrime every day
September 2012: Under Increasing Attack
Page 14
Connecting the Dots: Information Risk is
Business Risk
Business Information Under Attack
Theft
Financial Fraud & Embezzlement
Stolen Sales Information
Corporate Espionage
Theft of Proprietary Processes, Technologies
& Other Intellectual Property
Loss of Protected Information Belonging to
Others
Critical Information Unavailable
Systems Used for Illegal Purposes
Connecting the Dots: Cyber Crime Costs Real
Money
Embezzlement and Fraud
Direct Incident Recovery Costs
Lost Productivity Costs
Intellectual Property Losses
Breach Disclosure Costs
Legal & Attorney Costs, including
Investigations & Fines
Loss of Brand Value
Loss of Competitive Advantage
Right Now: The Enemies are Winning
Opportunities to Make Money and Cause Harm
Cost of Entry
Likelihood of Being Caught
Page 15
Meeting the Challenge of Cyber Crime
It is said that if you know your enemies
and know yourself, you will not be
imperiled in a hundred battles,
If you do not know your enemies but do
know yourself, you will win one and lose
one,
If you do not know your enemies nor
yourself, you will be imperiled in every
single battle.
Know Your Enemy
Why Would Anyone Break Into Information
Systems?
… Because that’s where the money is!
Willie Sutton
• Bank fraud
• Other network-based fraud
• Sell stolen credit cards, SS#, medical identities
• Sell stolen intellectual property
• Lease botnets for spam, DDOS attacks, storage
Page 16
Why Would Anyone Break Into Information
Systems?
… Because that’s where the competitive advantage is!
Why Would Anyone Break Into Information
Systems?
… To mess with our way of life!
… To achieve political objectives!
… Because they can!
CarderPlanet: Ensuring Honor Among Thieves
Wired, January 31, 2007: http://www.wired.com/politics/onlinerights/news/2007/01/72605
Page 17
profsoyuz.biz: Reshipping Turns Hot Cards into
Hot Stuff
http://krebsonsecurity.com/2011/10/turning-hot-credit-cards-into-hot-stuff/
Spy Eye: Easy-to-Use Software for the Non-
Technical Cyber Criminal
And It’s Only Getting Worse
Page 18
Cyber Crime: A Lucrative Business Model
Likelihood of Being Caught
Opportunities to Make Money
Cost of Entry
Insider Abuse: Still a Problem
• Crimes include
   • Embezzlement & Financial Theft
   • Theft of Intellectual Property
   • Destruction of Information Assets
   • Spying on Management & Other Employees
   • Masquerading as Other Employees
   • Running Other Businesses
   • Physical Theft
   • Resource Misuse
Network-Based Fraud: Underneath the
Accounting System; Below the Controls
Page 19
How Cyber Criminals Get On Your Computer
Between the Bars
Between the Bars: Install Malware on Poorly
Protected Web Sites
Page 20
Between the Bars: Use Celebrities as Bait
Between the Bars: Exploit Flaws on PCs, Macs,
Tablets & Smartphones
Between the Bars: Go Through the Firewall as
Ordinary Traffic
Firewall blocks activity on unneeded ports
Cyber criminals use email and Internet to go
through open ports
Page 21
Between the Bars: Anti-Virus & Anti-Malware
Increasingly Ineffective
Anti-Virus blocks known malware DNA
Cyber criminals create malware whose DNA
changes every time it installs
Between the Bars: 30 Days in June
http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/
Between the Bars: Zeus More Powerful than
Anti-Virus
https://zeustracker.abuse.ch/
Page 22
Between the Bars: Take Advantage of Human
Weakness
Before: The Nigerian Scam
Now: Targeted Spear-Phishing
http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
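The spear-phishing link shown above is deceptive because the bank's name appears only as leading labels of a host that actually belongs to paroquiansdores.org. The following Python check is added here as an illustration and is not part of the original briefing: it extracts the registrable domain, reports trusted brand names embedded earlier in the host, and counts lure words. The trusted-brand list, lure-word list and depth threshold are assumptions for the example; the only page-specific input is the slide's URL.

```python
"""Added example: why the spoofed Citibank link on the slide is deceptive.

Not part of the original briefing. The only page-specific input is the
slide's URL; TRUSTED_BRANDS, LURE_WORDS and MAX_LABELS are assumptions.
"""
from urllib.parse import urlsplit

# The link shown on the slide (split across lines only for readability).
SLIDE_URL = (
    "http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps."
    "signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz."
    "udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o."
    "aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/"
)

# Assumed inputs for this example: an organization's own "banks we use" list,
# words that lend a fake link an air of legitimacy, and a host-depth limit.
TRUSTED_BRANDS = {"citibank.com"}
LURE_WORDS = {"secure", "ssl", "signon", "online", "sessionid"}
MAX_LABELS = 6


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'paroquiansdores.org'.

    Simplification: assumes a one-label public suffix (.com, .org). Hosts
    under multi-label suffixes such as .co.uk need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def embedded_brands(labels: list[str]) -> list[str]:
    """Trusted brands that appear as a run of labels *before* the real owner.

    'www.citibank.com.<...>.paroquiansdores.org' contains the run
    ['citibank', 'com'] at position 1, so 'citibank.com' is reported."""
    found = []
    for brand in sorted(TRUSTED_BRANDS):
        parts = brand.split(".")
        n = len(parts)
        # Stop before the final position: a run ending at the last label IS the owner.
        if any(labels[i:i + n] == parts for i in range(len(labels) - n)):
            found.append(brand)
    return found


def classify(url: str) -> dict:
    """Describe a link from a defender's point of view."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lower-cased
    labels = host.split(".")
    owner = registrable_domain(host)
    brands = embedded_brands(labels)
    lures = sorted(label for label in labels if label in LURE_WORDS)
    if owner in TRUSTED_BRANDS:
        verdict = "trusted-domain"
    elif brands:
        verdict = "brand-impersonation"
    elif len(labels) > MAX_LABELS or lures:
        verdict = "suspicious"
    else:
        verdict = "unknown-domain"
    return {
        "host": host,
        "registrable_domain": owner,
        "label_count": len(labels),
        "embedded_brands": brands,
        "lure_labels": lures,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for link in (SLIDE_URL, "https://online.citibank.com/signon", "https://www.example.org/"):
        info = classify(link)
        print(f"{info['verdict']:20} owner={info['registrable_domain']} "
              f"labels={info['label_count']} brands={info['embedded_brands']}")
```

Run against the slide's link, the check reports the true owner as paroquiansdores.org with citibank.com embedded and five lure labels, whereas a genuine host such as online.citibank.com has the bank as its registrable domain.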
Between the Bars: Shift Attacks from Servers
to End-User Devices
Between the Bars: Compromise Physical Media
Page 23
Between the Bars: Take Advantage of Insecure
Public Wi-Fi
Between the Bars: Attack Remote Computing
Devices
Between the Bars: Attack Password
Weaknesses
Page 24
Between the Bars: Attack Encryption
Weaknesses
34,000,000 Stolen Credit Cards
• $24 million to Banks
• $40.9 million FTC agreement to pay issuers
• $9.7 million settlement to 41 state Attorneys General
• $107 million set-aside in 2007
Between the Bars: Attack Weaknesses in 2nd-
Factor Authentication
September 2009
Anatomy of an Attack: Phase 1—Take Control
of the Workstation
Spear-Phishing Email
Web Site Drive-By
SmartPhone
Malicious USB Key
0-Day Exploit
Social Engineering
ZeuS / SpyEye Trojan
Key Logger
File Access
Botnet Herder
Page 25
Phase 2 — Steal Money & Sell Information
User IDs and Passwords
Credit Card & Bank Numbers
Sensitive Information
Illegal Computer Use
(Diagram labels: $$, Sensitive Info, Computer)
Know the Enemy … Know Thyself
… Imperiled in Every Single Battle
• Cybercriminals
   • Know vulnerabilities
   • Choose where, when & how of attack
   • Attacks blend technology with social engineering
• Defenders
   • Inadequately aware of threats
   • Overly optimistic about defenses
   • Inadequate management / leadership
   • Over-emphasis on yesterday’s technology
   • Lack of specialized knowledge & training
   • Staff not trained to be mindful
Page 26
Cyber Security Management—Three Key Strategies
Strategy 1: Proactively Manage Information
Risk Across Three “Business Domains”
Information Security
Management
Strategy 2: Implement a Risk-Driven Layered
Approach to Achieve Defense in Depth
Operating Assumption: Cyber criminals will get through any particular defense
The Citadel. Halifax, Nova Scotia.
Page 27
Strategy 3: Learn About Cyber Security. Train
Your People.
• Management & Board
   • Laws, regulations, etc
   • Governance / Management principles
• Staff
   • In the office
   • At home
   • On the road
• IT Staff / Vendors
   • Secure IT management
   • Secure configuration
• Suppliers and Trading Partners
What Don’t You Know
That You Don’t Know
You Don’t Know?
Strategy 3a: Learn About Cyber Security. Train
Your Family.
Cyber Security Management — Managing Information Risk
Page 28
Meet Information Security Laws, Regulations,
Contracts & Appropriate Practices
• US Federal Law
   • HIPAA HITECH
   • Gramm-Leach-Bliley
   • FTC Rule
• US State Laws
   • CA Breach Disclosure
   • Other Breach Disclosure
   • CA Civil Code 1798.81.5
• MasterCard and Visa Data Security Standard (PCI)
• European & Other Laws
• ISO standards
   • ISO 27001
   • ISO 27002
• Government Standards, Guides & Advisories
   • NIST
   • NSA
   • US-CERT
• Practitioner Standards
   • ISSA
   • ISACA
   • (ISC)2
   • SANS Institute
Implement Information Security Policies and
Standards
• Security Management Policies
• 3rd-Party Security Standards
• Security Reviews
• Classification and Control Standards
• Standards for Information Users
• Staffing & Personnel Standards
• Physical Security Standards
• IT Infrastructure Standards
• IT Security Management
• Vendor Selection and Management
• Securing the IT Infrastructure
• Application Security, including Websites
• Change Control
• Logging and Review
• Back-up, Incident Response, etc
• Access Control Management
• Encryption
• Training & Education
Citadel: Seven Requirements for Successfully Implementing Information Security Policies
Develop Information Inventory
• Information of Others
   • Names, Address, PII
   • Social security numbers
   • Credit card numbers
   • Health information
• Information of Firm
   • Online bank credentials
   • Pricing information
   • Sales histories
   • Inventories
   • R&D
   • Trade Secrets
• Classify Information
   • Public
   • Internal Use Only
   • Restricted
• Assign Owners to sensitive information
   • Identify access restrictions
   • Identify servers and workstations where stored
Page 29
Provide Top-Level Management & Leadership
Information security requires CEO attention in their individual companies … Business Roundtable, 2004
Secure from the Bottom Up
Manage / Lead from the Top Down
Keep Systems Patched
“Intrusion Detection & Prevention”
Train Staff
Information Security Governance
Information Security Policies
Compliance Management
Classify & Control Information
IT Security Management
Physical & Personnel Security
Plan for Incidents
Trust. But Verify.
Manage 3rd-Parties
Manage Information Security Like Other
Quality Programs
Demonstrate Continuous Process Improvement of Organization's Ability to Secure Sensitive Information
ISO 27001 Annex / ISO 27002 control areas:
A5: Security Policy
A6: Organization
A7: Asset Management
A8: Human Resources
A9: Physical / Environmental
A10: Communication & Operations Management
A11: Access Control
A12: Acquisition, Development & Maintenance
A13: Incident Management
A14: Business Continuity
A15: Compliance
Continuous Process Improvement Engine
Information Security Management System
Page 30
Getting Started: The To-Be
If you don’t know where you’re going, when you get there you’ll be lost.
Yogi Berra
What Security Do You Need?
Getting Started: The As-Is
If You Don’t Know Where You Are, a Map Won’t Help
What is Your Current Security Posture?
Implementing the Information Security
Management System
Page 31
An Ounce of Prevention is Worth a Pound of
Cure
Security Prevention Costs
• Technology costs
• Security management costs
   • Executive
   • IT security management
• Security overhead costs
Security Incident Costs
• Cold hard cash
• Direct incident recovery costs
• Lost productivity costs
• Intellectual property losses
• Breach disclosure costs
• Legal & attorney costs, including investigations and fines
• Loss of brand value
• Loss of competitive advantage
Greatest Challenge: Organizational Leadership
• Awareness of Risk
• Knowledge and Ability to Act
• Enthusiasm for Getting Involved
• Eager to Create a Culture of Cyber Security Mindfulness
• Attitude that “Failure is not an option”
• Continually asks “What don’t I know that I don’t know I don’t know”
Cyber Security Management — Tactics
Page 32
Protect Against Online Bank Fraud
• Use Stand-Alone Workstation for On-Line Banking
   • Use Only for On-Line Banking
      • No email
      • No web browsing
   • Best to Have Separate Internet Connection
   • Best if Separate from Corporate Network
   • Strongly Manage Security of Necessary Connection
• Out-Of-Band
• Confirmation from Bank
• Daily Reconciliation
• Manage Authorization
• Positive Pay
Keep Computers Patched and Updated
Report Available: Citadel. ISSA-LA. LinkedIn. Facebook. RSS. Twitter. FBI InfraGard. eMail.
Set Computers to Have “Limited” Authority
Windows is Designed to Block Standard Accounts From Installing
Programs and Making Security-Relevant Changes
Page 33
Be Wary of eMail and Links on Internet & Social Media Sites
Be Very Cautious on Social Media Networks
Install a Full-Featured Anti-Malware Product
and Keep it Updated
Page 34
Use Strong Passwords as a Basic Line of
Defense
• Corporate, Banking, eCommerce
   • Long passphrase: 12+
      • Lovemyjob$$$3
   • Different on Different Sites
• Registration Passwords
   • qwertyu7
• Use Secure Password Manager
   • RoboForm
   • Keepass
   • Carefully … 20+ Passphrase
Use Encryption to Protect Sensitive Data
• Encryption at Rest
   • Laptops
   • External & USB drives
   • Sensitive databases
• Encryption in Transit
   • HTTPS:
   • WPA2 for Wi-Fi
• Disk & File Encryption Tools
   • Windows BitLocker: Hard drive encryption
   • Truecrypt: Hard drive encryption
   • Axcrypt: File encryption
   • WinZip: File encryption
• Key Performance Parameters
   • Encryption algorithm
   • Key length
   • Key security
   • Time to encrypt / decrypt
Use Wi-Fi Safely
• SOHO
   • Hide SSID
   • WPA2 Encryption
   • Long Passphrase
   • Turn Off WPS (Wi-Fi Protected Setup)
      • Buy different router
• On the Road
   • Avoid Free Wi-Fi
   • Don’t Automatically Connect
   • Connect Only When Needed
   • “Forget” When Done
Page 35
Be Careful with File Transfer Services
• Extremely Useful … When Used with Care
• Responsibility with User
   • Know what you’re buying
   • Having security feature ≠ feature implemented correctly
   • Train staff on (in)secure use
Protect Remote Computing Devices
• Laptops and Netbooks
   • Protect like desktops
   • Encrypt hard drives
• iPads, Smartphones, Tablets
   • Password protect
   • Minimize sensitive information / processing
   • Manage Wi-Fi
   • Encrypt when available
   • Remote find & kill
   • Use VPN when available
Avoid P2P File Sharing Networks
• Used to illegally share movies and music
• Opens a dangerous hole on your computer
Page 36
The Cloud: Yes … But Look Before You Leap
• Understand Differences in Cloud Services
   • Salesforce.com
   • Authorize.net
   • Dropbox
   • iCloud, Google, Amazon S3
   • Google Docs
   • Gmail, Office 365
   • Private clouds
   • Desktop as a Service
   • Security as a Service
• Security - Legal - Insurance
   • Security & privacy responsibility
   • Information availability
   • Legal compliance
   • Insurability
http://www.citadel-information.com/2012/03/eight-security-concerns-before-jumping-into-the-cloud/
Be Prepared: Not a Matter of If, But When
• Incident Response
• Disaster Recovery
• Information Continuity
• Issues
   • Back to Work
   • Evidence Preservation
   • Crisis Management
• Be Prepared
   • Management Plans
   • Information
   • Network Logs
   • Tests
   • Training
In preparing for battle I have always found that plans are useless, but planning is indispensable.
Dwight D. Eisenhower
Conduct Independent Risk and Vulnerability
Review
What Don’t You Know That You Don’t Know You Don’t Know?
Page 37
Protect Organization
Meet Information Security Standard of Care
Lower Total Cost of Information Security SM
Join the Cyber Security Team
• Keep Home Computers Patched
• Be Cyber-Aware Consumer
   • Citadel: Personal Guide to Staying Safe Online
   • Stop. Think. Connect.
• It’s Not Paranoia if They are Out to Get You
• Train Spouse & Children
• Be a Leader at Work
Page 38
Require Technical Staff and IT Vendors to Get
Specialized Information Security Training
Communication
Collaboration
Cooperation
ISSA-LA
Open Source Web Application
Security Project (OWASP-LA)
Cloud Security Alliance (CSA-LA)
(ISC)2
Help Our Nonprofits
Security Needs High. Resources Low.
Cyber Security Legislation: Three Things We
Need From Washington
• Mandatory Minimum Standards
• Information Sharing
• Privacy Protection
Page 39
For More Information
Stan [email protected]
323-428-0441
LinkedIn: Stan Stahl
Twitter: @StanStahl
Citadel Information Group: www.citadel-information.com
Citadel Guides
Information Security Resource Library
Cyber Security News
Weekly Patch and Vulnerability Report
ISSA-LA: www.issa-la.org Technical Meetings: 3rd Wednesday of Month
5th Annual Information Security Summit: May 21, 2013
Coming Soon: CitadelOnSecurity—Awareness Training and Education
The Final Words
Problems cannot be solved by the same level of thinking that created them
Albert Einstein
Information Risk = Threats × (Vulnerabilities / Countermeasures)
Page 40
Protect your neighbor's information as you would want your neighbor to protect yours
CYBER SECURITY CHALLENGES AND
SOLUTIONS — AN EXECUTIVE BRIEFING
Thank You!