TRANSCRIPT
IT Security/Online Loss Prevention
Bill Finnerty, Assistant Director of Information Technology, Cumberland County
What is your gender?
1. Female: 38%
2. Male: 62%
What age group do you fall into?
1. 25 or less: 0%
2. 26 to 35: 0%
3. 36 to 45: 14%
4. 46 to 55: 64%
5. 56 or more: 21%
What job classification best fits you?
1. Elected Office: 0%
2. Human Resources: 8%
3. County Administration: 8%
4. Finance: 0%
5. Criminal Justice: 15%
6. Human Resources: 0%
7. IT: 0%
8. Other: 69%
I am attending this session because
1. I am a geek at heart: 42%
2. I am scared out of my mind: 8%
3. There was nothing else that interested me in this time slot: 42%
4. I heard there would be free food: 8%
I am confident in my organization's IT security
1. Strongly Agree: 54%
2. Agree: 31%
3. Neutral: 0%
4. Disagree: 8%
5. Strongly Disagree: 8%
Who is the average hacker?
Age: 16 to 19
Gender: 90% male
Residence: 70% United States
Spends an average of 57 hours a week working on a computer
Knows C, C++, or Perl
Who is the hacker?
1. Albert Gonzalez: 0%
2. Cody Reigle: 33%
3. Stephen Watt: 25%
4. Kevin Mitnick: 42%
How much would you be willing to pay for a security assessment?
1. Less than $10k: 27%
2. $10k to $30k: 9%
3. $30k to $50k: 9%
4. More than $50k: 55%
Online Fraud
2009
Over $560 million lost in online fraud
Zeus botnet is able to overwrite online bank reports to cover the fraud trail
FBI investigates Citibank hack by Russian organized crime
2010
Zeus botnet adds a licensing module and automatic notification via IM
Most exploits sold in online black markets for $5,000 or less

Cumberland County Redevelopment Authority Hack
September 22, 2009
$479,000 lost
Attack mechanism:
Clampi virus
Replaced the banking website with a maintenance message
Used a remote session to access the bank account
Used electronic fund transfers to quickly move the money
Breach of Personal Information Notification Act
§ 2303. Notification of breach
"An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person … notice shall be made without unreasonable delay"
What can we learn from a 3,000-year-old Irish fort about IT security?
Defense in depth
The key is to have enough warning and delay to be able to react.
Perimeter Security
Firewall
Intrusion prevention
Email gateway
Web proxy server
Internal Security
Anti-virus, anti-malware, anti-spam, etc.
Desktop firewall
Host-based intrusion detection
Permissions
IT Security Policy
Cover what is needed for your environment:
Email
Internet access
Social media
Hardware
Software
Anti-virus, anti-malware, anti-spam
Use plain English; these are not for the legal and IT departments.
Does your organization regularly present IT security training?
1. Yes: 64%
2. No: 36%
Security Training
Know your learners
Vary the delivery methods:
Presentations
Video
Blogs
Contests
"Gotcha" training
What type of bank(s) does your organization do business with?
1. Credit Unions: 0%
2. Regional: 0%
3. National: 100%
Coordinating with your Business Partners
Establish a relationship with your bank's IT security staff
Service level agreements in contracts related to IT security
Resources
Budget
Man hours
Internal vs. external
Assessing IT Security Readiness
Industry standards: ISO 27001 and 27002, NIST Special Publication 800-53A, PCI Security Standard
Independent external assessment
IT responsibilities
Business unit responsibilities
Remediation
Questions
http://www.govloop.com/profiles/blogs/ccap-administration-conference