
Page 1

Meeting the Information Security Management Challenge in the Cyber-Age

© Copyright 2016. Citadel Information Group. All Rights Reserved.

Stan Stahl, Ph.D., President, Citadel Information Group

President, Secure the Village

September 2016

Michael Sohn

Supervisory Special Agent (SSA)

FBI Los Angeles

Page 2

Online Financial Fraud: Business Email Compromise Deceives Controller


From: Your Vendor, Stan
Sent: Sunday, December 28, 2014 12:07 PM
To: Bill Hopkins, Controller
Subject: Change of Bank Account

Hi Bill – Just an alert to let you know we’ve changed banks.

Please use the following from now on in wiring our payments.

RTN: 123456789 Account: 0010254742631

I’m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter.

Great thanks.

Cheers - Stan

_________________________
The secret of success is honesty and fair-dealing. If you can fake that, you’ve got it made ... Groucho Marx

Page 3

Known Los Angeles BEC Losses: $14 Million / Month

Page 4

Your Money or Your Data: Ransomware Viruses Reach Epidemic Proportions


Hollywood Presbyterian Medical Center paid $17,000 to ransomware hackers

Page 5

Epidemic of Credit Card Theft … Medical Records Theft … Personnel Records Theft


Page 6

Data Breach Costs Are Expensive. Money Down the Drain.

Approximately $150 or More Per Compromised Record

$15 Million Per Event

Cost components: Investigative Costs, Breach Disclosure Costs, Legal Fees, Identity Theft Monitoring, Lawsuits (Customers, Shareholders)

http://www.ponemon.org/index.php


Page 7

Organizations Attacked for Political and Social Reasons


Page 8

Why. How. Who. Impact.

Page 9

http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/

The Value of a Hacked Company

Page 10

http://searchsecurity.techtarget.com/feature/Targeted-Cyber-Attacks

Page 11

The thriving malware industry: Cybercrime made easy, IBM Software, https://securityintelligence.com/wp-content/uploads/2015/06/Cybercrime-Ecosystem-Infographic-Final.jpg

Page 12

Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations

30% of victims have fewer than 250 employees

60% of small-business victims are out of business within 6 months

80% of breaches preventable with basic security


Page 13

Five Cybersecurity Tactics

Page 14

Tactic 1: Pay Attention.

If you do not know your enemies nor yourself, you will be imperiled in every single battle.

Sun Tzu, The Art of War

Page 15

Tactic 2: Know with Whom You’re Communicating

Email Phishing

Legitimacy

Friend requests

Web-sites

Ads

Page 16

http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/

Is This Email Really From My Bank??

No. Read the hostname from the right: the registered domain is paroquiansdores.org, and everything to its left, including "www.citibank.com", is a subdomain chosen by whoever controls paroquiansdores.org. A bank's name at the start of a link proves nothing about who owns the site.
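As an added example (not part of the original deck), the following Python check answers the slide's question mechanically: it parses the link, extracts the registrable domain (the part a registrar actually assigned) and reports when a trusted brand name appears anywhere in a hostname that the brand does not own. The deceptive link is the one shown above, reassembled; the comparison URLs, the trusted-domain set (the bank's genuine domain is assumed to be citibank.com for this example) and the short public-suffix table are constructed for illustration. A production check should load the full Public Suffix List instead of the table.

```python
from urllib.parse import urlsplit

# The link shown on the slide, reassembled into one string.
PHISHING_URL = (
    "http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online."
    "sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz."
    "9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/"
)

# Assumption for this example: the bank's genuine domain.
TRUSTED_DOMAINS = {"citibank.com"}

# A handful of multi-label public suffixes, enough for the example. A real
# deployment should use the full Public Suffix List (publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the registrar-assigned part of a hostname, e.g. 'paroquiansdores.org'.

    Everything to the left of it is a subdomain that the owner of that domain
    can set to any text, including another company's name.
    """
    labels = hostname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify_link(url: str, trusted_domains=TRUSTED_DOMAINS) -> dict:
    """Classify a URL as 'trusted' (owned by a trusted domain), 'lookalike'
    (brand text inside a hostname the brand does not own) or 'unrelated'."""
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host) if host else ""
    brand_names = {d.split(".")[0] for d in trusted_domains}
    if owner in trusted_domains:
        verdict = "trusted"
    elif any(brand in host for brand in brand_names):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"host": host, "owner": owner, "verdict": verdict}


if __name__ == "__main__":
    # Constructed comparison links alongside the slide's link.
    for link in (PHISHING_URL,
                 "https://online.citibank.com/signon",
                 "https://citibank.com.secure-login.example/",
                 "https://example.org/"):
        result = classify_link(link)
        print(f"{result['verdict']:10} owner={result['owner']:22} {link[:60]}")
```

The verdict depends only on the registrable domain, which is the one part of the hostname an attacker cannot make up; the brand-name substring check is what turns "not ours" into "pretending to be ours".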

Page 17

Tactic 3: Make Yourself Hard to Impersonate

Passwords

Long

Complex

Unique

Bank / Credit Card password = Yahoo password?

2nd-Factor Authentication


Page 18

Tactic 4: Defend Aggressively

Use anti-malware

Encrypt laptops, smart-devices and external hard drives

Keep programs up-to-date

Religiously Install Updates


Page 19

The Importance of Keeping Programs Up-to-Date!!!


Verizon 2016 Breach Report: The Vast Majority of Breaches Exploit Vulnerabilities for Which Updates Have Been Available for Well Over a Year

Attacks succeed by exploiting vulnerabilities in programs

Developers issue updates to fix vulnerabilities

Keeping updated blocks attacks

Page 20


FREE Weekend Vulnerability and Patch Report …. Delivered to your in-box … Every Sunday Afternoon … Sign-up at Citadel-Information.com

Page 21

Tactic 5: Be Prepared.

Test Backups

Law Enforcement

Credit Card Monitoring

Credit Freeze

Monitor Medical


Page 22

Summary: Five Cybersecurity Tactics

Tactic 1: Pay Attention

Tactic 2: Know Who You’re Communicating With

Tactic 3: Make Yourself Hard to Impersonate

Tactic 4: Defend Aggressively

Tactic 5: Be Prepared

Page 23

Seven Organizational Strategies

Distrust and caution are the parents of security.

Benjamin Franklin

Page 24

Strategy 1: Put Someone in Charge. Establish Leadership.

Information Security Manager / Chief Information Security Officer

C-Suite and Board Governance

Independent Perspective from CIO or Technology Director

Supported by Cross-Functional Leadership Team

Supported with Subject-Matter Expertise


Page 25

Information Security Management Objective: Manage Information Risk

Cyber Fraud

Information Theft

Ransomware

Denial of Service Attack

Regulatory / Compliance

Disaster

Loss of Money … Brand Value … Competitive Advantage

Page 26

Manage Entire Information Security Management Chain


Identify, Protect, Detect, Respond, Recover

Risk Transfer and Insurance

Legal and Regulatory Framework

Based Upon:
1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014
2. ISO/IEC 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
3. Porter Value Chain: Understanding How Value is Created Within Organizations

Page 27

Pay Particular Attention to Risk of Online Financial Fraud

Implement Internal Controls Over Payee Change Requests: assume all email or fax requests from vendors or the company President are fraudulent; use out-of-band confirmation (a call to a number already on file for the vendor, never a number supplied in the request itself)

Use a Dedicated On-Line Banking Workstation: keep it patched; use it only for on-line banking

Work with Your Bank: dual control, out-of-band confirmation, strong controls on wires


See our blog: https://citadel-information.com/2016/02/business-e-mail-compromise-dont-be-a-victim/
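The payee-change control above, as an added example that is not part of the deck or of Citadel's own tooling: a triage routine an accounts-payable mailbox could run on incoming vendor mail. The vendor master record, the addresses and the three messages are constructed for this example (the first is modelled on the e-mail on page 2, and the bank numbers are that slide's own placeholders). Two design choices follow the slide directly: any request to change payment details is held no matter how clean the headers look, and the callback number comes from the vendor master, never from the message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master record. The callback number on file is the only
# number used for out-of-band confirmation; nothing quoted in a message counts.
VENDOR_MASTER = {
    "vendor-example.com": {"name": "Your Vendor, Stan", "callback_phone": "+1-555-0100"},
}

# Words that indicate a request to alter where money is sent.
PAYMENT_CHANGE = re.compile(
    r"\b(rtn|routing|aba|iban|swift|account|wire|wiring|changed\s+banks?)\b", re.I)

# Constructed messages; the first is modelled on the e-mail on page 2.
SAMPLE_BEC = """\
From: "Your Vendor, Stan" <stan@vendor-examp1e.com>
Reply-To: stan.payments@freemail.example
To: "Bill Hopkins, Controller" <bill@company.example>
Subject: Change of Bank Account

Hi Bill - Just an alert to let you know we've changed banks.
Please use the following from now on in wiring our payments.
RTN: 123456789 Account: 0010254742631
"""

SAMPLE_GENUINE_LOOKING = """\
From: "Your Vendor, Stan" <stan@vendor-example.com>
To: "Bill Hopkins, Controller" <bill@company.example>
Subject: New remittance details

Please update our RTN and account for future wires.
"""

SAMPLE_BENIGN = """\
From: "Your Vendor, Stan" <stan@vendor-example.com>
To: "Bill Hopkins, Controller" <bill@company.example>
Subject: February visit

Still planning to be out your way in February.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message: str, master=VENDOR_MASTER) -> dict:
    """Decide how accounts payable should handle an incoming vendor e-mail."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()  # samples are plain text

    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    record = master.get(from_domain)
    if record is None:
        for known in master:
            if levenshtein(from_domain, known) <= 2:
                flags.append("lookalike_sender")
                record = master[known]  # the vendor being impersonated
                break

    if not PAYMENT_CHANGE.search(text):
        return {"decision": "route_normally", "flags": flags, "callback_phone": None}

    # Policy from the slide: treat every e-mailed payee change as fraudulent
    # until confirmed out of band, even when nothing else looks wrong.
    flags.append("payment_change_request")
    return {
        "decision": "HOLD",
        "flags": flags,
        "callback_phone": record["callback_phone"] if record else None,
        "next_steps": [
            "call the vendor at the number on file, not any number in the message",
            "require a second approver before the payee record is changed",
        ],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_GENUINE_LOOKING, SAMPLE_BENIGN):
        print(triage(sample))
```

The second sample is the important one: it comes from the real vendor domain with no mismatch at all, and it is still held, because a compromised vendor mailbox produces exactly that message. The flags only tell the caller how suspicious to be on the phone; they never decide whether the call happens.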

Page 28

Leadership Responsibility: Continuous Improvement


Leadership & Organizational Improvements

Security Management of IT Network

Security Improvements to IT Network

Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.

W. Edwards Deming, 14 Key Principles for Improving Organizational Effectiveness

Page 29

Strategy 2: Implement Risk-Driven Information Security Policies & Standards


Establish Commitment

Establish Standards and Provide Guidance

Users

Managers

IT

Required for HIPAA and other information security laws / regulations

Aspirational

Page 30

Strategy 3: Identify, Document and Control Sensitive Information


Sensitive information: Online Banking Credentials, Credit Cards, Employee Health Information, Salaries, Trade Secrets, Intellectual Property, Customer Information

Where it lives: Servers, Desktops, Cloud, Home PCs, BYOD Devices

Access to Sensitive Information Based on Need-to-Know

Page 31

Strategy 4: Train and Educate Personnel

From: Facebook [mailto:[email protected]]
Sent: Saturday, July 23, 2011 4:32 PM
To: Kathrine Hepburn
Subject: See Your Friends at 20th High School Reunion

Facebook

Hi Kate

Mark your calendar.

June 18 is the 20th Anniversary of our graduation from Algonquin High.

Visit Our Facebook Page for More Information.

Visit Page

See All Requests

Page 32

Demonstrate Information Security Mindfulness. Change Culture.


Be the change you want to see.

Page 33

Strategy 5: Manage Vendor Security

Page 34

Strategy 6: Manage IT Infrastructure from “Information Security Point of View”

IT Infrastructure Security

Architecture

Device configuration

Network & end-point protection

Vulnerability & patch management

Mobile devices

Cloud security

Web-site

Email Security

Spam Management

Logging & Review

Backups. Incident Response. Business Continuity

Encryption

Access Management

Documentation

Training & Education


Page 35

Ensure IT has Aggressive Vulnerability and Patch Management Program.


Verizon 2016 Breach Report: The Vast Majority of Breaches Exploit Vulnerabilities for Which Updates Have Been Available for Well Over a Year

Page 36

Strategy 7: Be Prepared. Incident Response & Business Continuity Planning.


In preparing for battle I have always found that plans are useless, but planning is indispensable.

General Dwight Eisenhower

Failing to Plan is Planning to Fail

Page 37

Make Sure Critical Information Available in Disaster or Ransomware Attack


Trust … But Verify.

Page 38

Develop and Practice Recovery Procedures

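"Test Backups" (Tactic 5), "Trust ... But Verify" and "Develop and Practice Recovery Procedures" come down to one check, given here as an added example that is not from the deck: a backup is unverified until it has actually been restored and every file's hash matches a manifest recorded at backup time. The directory contents are constructed; the two failure cases simulate a backup job that stopped part-way (a truncated archive) and a backup taken after a file had already been overwritten, which is what a post-infection ransomware backup looks like when the manifest predates the incident.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src: Path) -> dict:
    """Hash every file under src. Taken at backup time and kept apart from
    the archive, so a damaged or stale archive cannot vouch for itself."""
    files = {p.relative_to(src).as_posix(): sha256_file(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    return {"root": src.name, "files": files}


def create_backup(src: Path, archive: Path) -> dict:
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    return manifest


def verify_restore(archive: Path, manifest: dict):
    """Restore into a scratch directory and compare against the manifest.
    Returns (ok, problems). Any failure to restore counts as a failed backup."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # Python 3.12+
                except TypeError:
                    tar.extractall(scratch)                 # older Pythons
        except Exception as exc:  # truncated, corrupt or unreadable archive
            return False, [f"archive unreadable: {exc}"]
        restored = Path(scratch) / manifest["root"]
        for rel, digest in manifest["files"].items():
            path = restored / rel
            if not path.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(path) != digest:
                problems.append(f"hash mismatch: {rel}")
        present = {p.relative_to(restored).as_posix()
                   for p in restored.rglob("*") if p.is_file()}
        problems.extend(f"unexpected: {rel}"
                        for rel in sorted(present - set(manifest["files"])))
    return not problems, problems


def run_demo() -> dict:
    """Back up a small constructed tree, then verify an intact, a truncated
    and a post-tampering archive against the original manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "finance"
        (src / "notes").mkdir(parents=True)
        (src / "payables.csv").write_text("vendor,amount\nAcme,1200\n")
        (src / "notes" / "readme.txt").write_text("constructed sample data\n")

        good = Path(work) / "finance.tar.gz"
        manifest = create_backup(src, good)
        intact = verify_restore(good, manifest)

        # Backup job killed mid-run: only the first half of the bytes exist.
        truncated = Path(work) / "finance-truncated.tar.gz"
        data = good.read_bytes()
        truncated.write_bytes(data[: len(data) // 2])
        damaged = verify_restore(truncated, manifest)

        # Backup taken after payables.csv was overwritten (e.g. encrypted):
        # it restores cleanly but does not match the pre-incident manifest.
        (src / "payables.csv").write_bytes(b"\x00ENCRYPTED\x00")
        late = Path(work) / "finance-late.tar.gz"
        create_backup(src, late)
        tampered = verify_restore(late, manifest)

    return {"intact": intact, "truncated": damaged, "tampered": tampered}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10} ok={result[0]} {result[1]}")
```

Run on a schedule against the real backup set, the restore step is the part most shops skip; the manifest comparison is what turns "the job reported success" into "the files we need are actually recoverable".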

Page 39

Be Prepared … Collect, Protect and Analyze Evidence

Ensure IT is logging all potentially-relevant events

Make sure IT staff doesn’t unknowingly destroy valuable evidence

Use trained experts to conduct incident forensics


Page 40

FBI: Please Talk to Us About That Ransomware Attack


“All the information, all the evidence we need, sits in private hands in the United States and that is a wonderful thing,” FBI Director James Comey

Page 41

Summary: Seven Key Information Security Management Strategies


Strategy 1: Put Someone in Charge. Establish Leadership.

Strategy 2: Implement Formal Risk-Driven Information Security Policies and Standards

Strategy 3: Identify, Document and Control Sensitive Information

Strategy 4: Train and Educate Personnel. Change Culture.

Strategy 5: Manage Vendor Security

Strategy 6: Manage IT Infrastructure from “Information Security Point of View”

Strategy 7: Be Prepared. Incident Response and Business Continuity Planning.

Page 42

A Roadmap for Getting Started

Put Someone in Charge

Review IT Network Management Compliance with Security Standards

Conduct IT Network Vulnerability Scan

Establish Policies & Standards

Train Staff

Develop Strategy. Plan the Work. Work the Plan.

Page 43


The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.

Major Gen. Brett Williams, U.S. Air Force (Ret.), This Week with George Stephanopoulos, December 2014

Page 44

Information Security is Proactively Managed

Information Security Standard of Care

Total Cost of Information Security SM


Commercially Reasonable Information Security Practices

Lower Total Cost of Information Security SM

Page 45

Citadel Information Group: Who We Are


Stan Stahl, Ph.D., Co-Founder & President
35+ Years Experience; Reagan White House; Nuclear Missile Control

Kimberly Pease, CISSP, Co-Founder & VP
Former CIO; 15+ Years Information Security Experience

David Lam, CISSP, CPP, VP Technology Management Services
Former CIO; 20+ Years Information Security Experience

Page 46

Citadel Information Group: What We Do

Deliver Information Peace of Mind SM

to Business and the Not-for-Profit Community

Cyber Security Management Services

Information Security Leadership

Information Security Management Consulting & Coaching

Assessments & Reviews … Executive Management …Technical Management

Secure Network Engineering … Secure Software Engineering

Incident Response / Business Continuity Planning

Adverse Termination

Page 47

For More Information

Stan Stahl: [email protected] | 323-428-0441 | LinkedIn: Stan Stahl | Twitter: @StanStahl

Citadel Information Group: www.citadel-information.com
Information Security Resource Library
Free: Cyber Security News of the Week
Free: Weekend Vulnerability and Patch Report

FBI’s Southern California Cyber Fraud Unit: [email protected].


Page 48

Meeting the Information Security Management Challenge in the Cyber-Age

© Copyright 2016. Citadel Information Group. All Rights Reserved.

Stan Stahl, Ph.D., President, Citadel Information Group

President, Secure the Village

Michael Sohn

Supervisory Special Agent (SSA)

FBI Los Angeles