Meeting the Information Security Management Challenge in the Cyber-Age
© Copyright 2016. Citadel Information Group. All Rights Reserved.
Stan Stahl, Ph.D., President, Citadel Information Group
President, Secure the Village
September 2016
Michael Sohn
Supervisory Special Agent (SSA)
FBI Los Angeles
Online Financial Fraud: Business Email Compromise Deceives Controller
From: Your Vendor, Stan
Sent: Sunday, December 28, 2014 12:07 PM
To: Bill Hopkins, Controller
Subject: Change of Bank Account
Hi Bill – Just an alert to let you know we’ve changed banks.
Please use the following from now on in wiring our payments.
RTN: 123456789 Account: 0010254742631
I’m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter.
Great thanks.
Cheers - Stan
_________________________
The secret of success is honesty and fair-dealing. If you can fake that, you’ve got it made ... Groucho Marx
Known Los Angeles BEC Losses: $14 Million / Month
Your Money or Your Data: Ransomware Viruses Reach Epidemic Proportions
Hollywood Presbyterian Medical Center paid $17,000 to ransomware hackers
Epidemic of Credit Card Theft … Medical Records Theft … Personnel Records Theft
Data Breach Costs Expensive. Money Down the Drain.
Approximately $150 or More Per Compromised Record
$15 Million Per Event
Investigative Costs
Breach Disclosure Costs
Legal Fees
Identity Theft Monitoring
Lawsuits: Customers, Shareholders
http://www.ponemon.org/index.php
Organizations Attacked for Political and Social Reasons
Why. How. Who. Impact.
http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/
The Value of a Hacked Company
http://searchsecurity.techtarget.com/feature/Targeted-Cyber-Attacks
The thriving malware industry: Cybercrime made easy, IBM Software, https://securityintelligence.com/wp-content/uploads/2015/06/Cybercrime-Ecosystem-Infographic-Final.jpg
Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations
30% of victims have fewer than 250 employees
60% of small-business victims are out of business within 6 months
80% of breaches preventable with basic security
Five Cybersecurity Tactics
Tactic 1: Pay Attention.
If you do not know your enemies nor yourself, you will be imperiled in every single battle.
Tactic 2: Know with Whom You’re Communicating
Email Phishing
Legitimacy
Friend requests
Web-sites
Ads
http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
Is This Email Really From My Bank??
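The slide's link is a lookalike: the hostname starts with "www.citibank.com" but the domain that actually owns it is the last two labels. This added example (not from the presentation) reassembles the slide's URL and shows the check a reader or mail filter can apply: compare the registrable domain to the brand's real domain. It assumes a plain two-label suffix; multi-label public suffixes such as co.uk would need the Public Suffix List.

```python
from urllib.parse import urlsplit

# The deceptive link from the slide, reassembled onto one line.
SLIDE_URL = (
    "http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps."
    "signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact"
    "3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj."
    "4yqvgfy5geuuxeefcoe7.paroquiansdores.org/"
)


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that identifies the owner.

    Assumption: a two-label suffix (example.org). Everything left of it is
    attacker-controlled subdomain text and carries no trust at all.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_lookalike(url: str, brand_domain: str) -> dict:
    """Flag a URL that mentions a brand in its hostname but is not owned by it."""
    host = (urlsplit(url).hostname or "").lower()
    owner = registrable_domain(url)
    brand = brand_domain.lower()
    return {
        "owner": owner,                     # who the link really goes to
        "mentions_brand": brand in host,    # why the victim trusts it
        "is_brand": owner == brand,         # the only test that matters
        "deceptive": brand in host and owner != brand,
    }


if __name__ == "__main__":
    print(brand_lookalike(SLIDE_URL, "citibank.com"))
```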
Tactic 3: Make Yourself Hard to Impersonate
Passwords
Long
Complex
Unique
Bank / Credit Card password = Yahoo password?
2nd-Factor Authentication
Tactic 4: Defend Aggressively
Use anti-malware
Encrypt laptops, smart-devices and external hard drives
Keep programs up-to-date
Religiously Install Updates
The Importance of Keeping Programs Up-to-Date!!!
Verizon 2016 Breach Report: The Vast Majority of Breaches Exploit
Vulnerabilities for Which Updates Have Been Available for Well-Over a Year
Attacks succeed by exploiting vulnerabilities in programs
Developers issue updates to fix vulnerabilities
Keeping updated blocks attacks
FREE Weekend Vulnerability and Patch Report … Delivered to your in-box … Every Sunday Afternoon … Sign-up at Citadel-Information.com
Tactic 5: Be Prepared.
Test Backups
Law Enforcement
Credit Card Monitoring
Credit Freeze
Monitor Medical
Summary: Five Cybersecurity Tactics
Tactic 1: Pay Attention
Tactic 2: Know Who You’re Communicating With
Tactic 3: Make Yourself Hard to Impersonate
Tactic 4: Defend Aggressively
Tactic 5: Be Prepared
Seven Organizational Strategies
Distrust and caution are the parents of security.
Benjamin Franklin
Strategy 1: Put Someone in Charge. Establish Leadership.
Information Security Manager / Chief Information Security Officer
C-Suite and Board Governance
Independent Perspective from CIO or Technology Director
Supported by Cross-Functional Leadership Team
Supported with Subject-Matter Expertise
Information Security Management Objective: Manage Information Risk
Cyber Fraud
Information Theft
Ransomware
Denial of Service Attack
Regulatory / Compliance
Disaster
Loss of Money … Brand Value … Competitive Advantage
Manage Entire Information Security Management Chain
Identify. Protect. Detect. Respond. Recover.
Risk Transfer and Insurance
Legal and Regulatory Framework
Based Upon:
1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014
2. International Standards Organization 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
3. Porter Value Chain: Understanding How Value is Created Within Organizations
Pay Particular Attention to Risk of Online Financial Fraud
Implement Internal Controls Over Payee Change Requests
Assume all email or fax requests from vendors or company President are fraudulent
Use Out-of-Band Confirmation
Use Dedicated On-Line Banking Workstation
Keep Patched
Use Only for On-Line Banking
Work with Bank
Dual Control
Out-Of-Band Confirmation
Strong Controls on Wires
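The controls listed above (assume emailed/faxed requests are fraudulent, confirm out-of-band, dual control) can be enforced as a gate in the accounts-payable workflow. This added example is not the presentation's or Citadel's code; it assumes a vendor master record holding the phone number already on file, and reuses the slide's sample routing and account numbers as the incoming request.

```python
from dataclasses import dataclass, field
from typing import Tuple

# Constructed vendor master record. The phone number on file here, never a
# number taken from the request itself, is the only confirmation channel.
VENDOR_MASTER = {"Your Vendor": {"phone_on_file": "+1-555-0100"}}


@dataclass
class PayeeChangeRequest:
    vendor: str
    new_rtn: str
    new_account: str
    received_via: str                    # "email", "fax", "phone", "portal"
    confirmed_on_file_phone: bool = False
    approvals: set = field(default_factory=set)


def confirm_out_of_band(req: PayeeChangeRequest, vendor_master: dict,
                        number_called: str) -> None:
    """Record confirmation only if AP called the number already on file."""
    rec = vendor_master.get(req.vendor)
    if rec and number_called == rec["phone_on_file"]:
        req.confirmed_on_file_phone = True


def approve(req: PayeeChangeRequest, approver: str) -> None:
    req.approvals.add(approver)          # a set: one person counts once


def may_apply(req: PayeeChangeRequest) -> Tuple[bool, str]:
    """Gate before bank details are changed in the vendor master."""
    if req.received_via in ("email", "fax") and not req.confirmed_on_file_phone:
        return False, "email/fax request treated as fraudulent until confirmed"
    if len(req.approvals) < 2:
        return False, "dual control: two distinct approvers required"
    return True, "ok"


if __name__ == "__main__":
    # The slide's sample request: new RTN and account arriving by email.
    req = PayeeChangeRequest("Your Vendor", "123456789", "0010254742631", "email")
    print(may_apply(req))
```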
See our blog: https://citadel-information.com/2016/02/business-e-mail-compromise-dont-be-a-victim/
Leadership Responsibility: Continuous Improvement
Leadership & Organizational Improvements
Security Management of IT Network
Security Improvements to IT Network
Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs
W. Edwards Deming, 14 Key Principles for Improving Organizational Effectiveness
Strategy 2: Implement Risk-Driven Information Security Policies & Standards
Establish Commitment
Establish Standards and Provide Guidance
Users
Managers
IT
Required for HIPAA and other information security laws / regulations
Aspirational
Strategy 3: Identify, Document and Control Sensitive Information
Online Banking Credentials
Credit cards
Employee Health Information
Salaries
Trade Secrets
Intellectual Property
Customer Information
Servers
Desktops
Cloud
Home PCs
BYOD devices
Access to Sensitive Information Based on Need-to-Know
Strategy 4: Train and Educate Personnel
From: Facebook [mailto:[email protected]]
Sent: Saturday, July 23, 2011 4:32 PM
To: Kathrine Hepburn
Subject: See Your Friends at 20th High School Reunion
Hi Kate
Mark your calendar.
June 18 is the 20th Anniversary of our graduation from Algonquin High.
Visit Our Facebook Page for More Information.
Visit Page
See All Requests
Demonstrate Information Security Mindfulness. Change Culture.
Be the change you want to see.
Strategy 5: Manage Vendor Security
Strategy 6: Manage IT Infrastructure from “Information Security Point of View”
IT Infrastructure Security
Architecture
Device configuration
Network & end-point protection
Vulnerability & patch management
Mobile devices
Cloud security
Web-site
Email Security
Spam Management
Logging & Review
Back ups. Incident Response. Business Continuity
Encryption
Access Management
Documentation
Training & Education
Ensure IT has Aggressive Vulnerability and Patch Management Program.
Verizon 2016 Breach Report: The Vast Majority of Breaches Exploit
Vulnerabilities for Which Updates Have Been Available for Well-Over a Year
Strategy 7: Be Prepared. Incident Response & Business Continuity Planning.
In preparing for battle I have always found that plans are useless, but planning is indispensable.
General Dwight Eisenhower
Failing to Plan is Planning to Fail
Make Sure Critical Information Available in Disaster or Ransomware Attack
Trust … But Verify.
Develop and Practice Recovery Procedures
Be Prepared … Collect, Protect and Analyze Evidence
Ensure IT is logging all potentially-relevant events
Make sure IT staff doesn’t unknowingly destroy valuable evidence
Use trained experts to conduct incident forensics
FBI: Please Talk to Us About That Ransomware Attack
“All the information, all the evidence we need, sits in private hands in the United States and that is a wonderful thing,” FBI Director James Comey
Summary: Seven Key Information Security Management Strategies
Strategy 1: Put Someone in Charge. Establish Leadership.
Strategy 2: Implement Formal Risk-Driven Information Security Policies
and Standards
Strategy 3: Identify, Document and Control Sensitive Information
Strategy 4: Train and Educate Personnel. Change Culture.
Strategy 5: Manage Vendor Security
Strategy 6: Manage IT Infrastructure from “Information Security Point
Of View”
Strategy 7: Be Prepared. Incident Response and Business Continuity
Planning.
A Roadmap for Getting Started
Put Someone in Charge
Review IT Network Management Compliance with Security Standards
Conduct IT Network Vulnerability Scan
Establish Policies & Standards
Train Staff
Develop Strategy. Plan the Work. Work the Plan.
The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.
Major Gen Brett Williams, U.S. Air Force (Ret), This Week with George Stephanopoulos, December 2014
Information Security is Proactively Managed
Information Security Standard of Care
Total Cost of Information Security SM
Information Security Proactively Managed
Commercially Reasonable Information Security Practices
Lower Total Cost of Information Security SM
Citadel Information Group: Who We Are
Stan Stahl, Ph.D., Co-Founder & President
35+ Years Experience. Reagan White House. Nuclear Missile Control.
Kimberly Pease, CISSP, Co-Founder & VP
Former CIO. 15+ Years Information Security Experience.
David Lam, CISSP, CPP, VP Technology Management Services
Former CIO. 20+ Years Information Security Experience.
Citadel Information Group: What We Do
Deliver Information Peace of Mind SM
to Business and the Not-for-Profit Community
Cyber Security Management Services
Information Security Leadership
Information Security Management Consulting & Coaching
Assessments & Reviews … Executive Management …Technical Management
Secure Network Engineering … Secure Software Engineering
Incident Response / Business Continuity Planning
Adverse Termination
For More Information
Stan Stahl [email protected] 323-428-0441 LinkedIn: Stan Stahl Twitter: @StanStahl
Citadel Information Group: www.citadel-information.com
Information Security Resource Library
Free: Cyber Security News of the Week
Free: Weekend Vulnerability and Patch Report
FBI’s Southern California Cyber Fraud Unit: [email protected].