
Top Information Security Issues Facing Organizations

Thomas C Miele, CISSP, ISSMP. What The Fortifications Are.





Presentation Transcript


    1. Top Information Security Issues Facing Organizations Thomas C Miele, CISSP, ISSMP

    2. What The Fortifications Are (Thomas C Miele, CISSP, ISSMP)
       “Man-Made Fortifications Are Just Monuments To The Stupidity Of Man. If Rivers And Mountain Ranges Can Be Breached, So Can Anything Built By Man”
       General George S. Patton, Jr.

    3. Top Issues (Thomas C Miele, CISSP, ISSMP)
       - The International Information Systems Security Certification Consortium ((ISC)²) Teamed With Auburn University Researchers To ID & Rank Top Info Sec Issues By Way Of Surveys To Its Certified Security Professionals, World Wide & USA
       - 25 Issues Were ID'd As Most Critical.....
       - NOTE: I Will Not Read All 25 !!!!

    4. 4 I Found Of Interest (Thomas C Miele, CISSP, ISSMP)
       #1 Top Management Support
       #2 Legal & Regulatory Issues
       #3 Malware/Social Engineering (Viruses, Trojans, Worms)
       #4 Awareness Training & Education

    5. User Awareness (Thomas C Miele, CISSP, ISSMP)
       - If The Users Don’t Know Or Are Not Aware, Then They Will Get In Trouble & The Company May Suffer
       - If Your Company Does Business In All 50 States Then You Have About 46 Laws. The Laws Say You Must Conduct An Awareness Program!
       - SPAM During 2009: 60% of E-Mail Received!

    6. The Less You Know (CSI Alert, Feb 2007)
       It’s Bad When A Laptop Is Lost Containing:
       - Customer Name
       - Social Security Number
       - Credit Card Information
       Raises Good Questions:
       - Should The Data Be On The Notebook?
       - Should It Be Locked Down On A Server In The Data Center?
       - Do We Need To Store All The Information About Our Customers That We Do?

    7. Trusted Employees (Thomas C Miele, CISSP, ISSMP)
       - What About An Inside Job?
       - Is the Company At Fault? It Depends......
       - Deb’s Bank Example

    8. Data Not Protected, Privacy Lost (Ben Worthen, CIO Mag., Feb 15, 2007)
       - The Big Story Is That The Boundary That Existed In People’s Lives Between The Workplace And The Home Has Broken Down!
       - Total Number of Records Lost Containing Sensitive Personal Information From Security Breaches......: 354,140,197

    9. Top Breaches, Month of April 2010 (Ben Worthen, CIO Mag., Feb 15, 2007)
       - AvMed Health Plans: 208,000 records, theft of laptops.
       - Blue Cross/Blue Shield Tenn.: 301,628 records, 57 USB Storage Devices Stolen
       - Citigroup: 600,000 customers received their annual tax documents with their Social Security Numbers on the outside of the envelope!
       OK, HOW MANY MORE MUST SUFFER BEFORE WE DO IT THE RIGHT WAY?

    10. Consumer IT Products (Thomas C Miele, CISSP, ISSMP)
        - Thumb Drives: USB Port Connected, Can Provide Gigabytes Of Transportable Storage
        - Data Leakage!
        - Lost ID’s
        - Spread of Any Thing Bad!
        - The Company is Responsible if an Employee Causes Harm To Others!

    11. Ask Yourself ???? (Thomas C Miele, CISSP, ISSMP)
        - Are The USB Ports Protected?
        - If A User Downloads Information To Any Portable Device, Can We Detect It?
        - Do Your Policies Cover Storage Of Protected Information On Workstations And/Or Mobile Devices?
        - Testing IT Systems With Live Data????
        - Is The Data Ever Encrypted?
        - Do You Allow Cell Phones In The Office That Can Take Pictures?
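Slide 11 asks whether a copy of data to a portable device can be detected. The first signal a defender has is the operating system recording that removable storage was attached. The script below is an added example, not part of the presentation or any product it names: it correlates Linux kernel-log lines of the usual dmesg form ("New USB device found, idVendor=...", "USB Mass Storage device detected", "Attached SCSI removable disk") per host and USB port, and reports every removable disk whose vendor/product ID is not on a company allowlist. The log lines, host names and the allowlist entry are constructed for this example.

```python
"""Flag removable-storage attachments in kernel log lines (added example).

Assumptions: syslog-style lines 'Mon DD HH:MM:SS host kernel: msg', and an
allowlist of vendor:product IDs for company-issued encrypted drives.
"""
import re
from dataclasses import dataclass

# Constructed sample log: a finance workstation gets an unknown thumb drive,
# an HR workstation gets a mouse receiver (not storage) and an approved drive.
SAMPLE_LOG = """\
Apr 12 09:14:02 ws-finance-07 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Apr 12 09:14:02 ws-finance-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Apr 12 09:14:03 ws-finance-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Apr 12 09:20:41 ws-finance-07 kernel: usb 1-1: USB disconnect, device number 4
Apr 12 10:02:17 ws-hr-03 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c52b
Apr 12 10:02:17 ws-hr-03 kernel: input: USB Receiver as /devices/pci0000:00/usb2/2-3
Apr 12 11:30:09 ws-hr-03 kernel: usb 2-4: New USB device found, idVendor=1234, idProduct=abcd
Apr 12 11:30:09 ws-hr-03 kernel: usb-storage 2-4:1.0: USB Mass Storage device detected
Apr 12 11:30:10 ws-hr-03 kernel: sd 7:0:0:0: [sdc] Attached SCSI removable disk
"""

# Constructed allowlist: (idVendor, idProduct) of approved encrypted drives.
APPROVED_DEVICES = {("1234", "abcd")}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
DISK_RE = re.compile(r"^sd \S+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")


@dataclass
class RemovableMediaEvent:
    timestamp: str
    host: str
    usb_port: str
    id_vendor: str = ""
    id_product: str = ""
    block_device: str = ""
    approved: bool = False


def parse_events(log_text):
    """Correlate enumeration, mass-storage and disk lines into one event per device."""
    pending = {}       # (host, port) -> (vid, pid) seen at enumeration
    awaiting_disk = {}  # host -> storage event still missing its /dev name
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel line we understand
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        nd = NEW_DEV_RE.match(msg)
        if nd:
            pending[(host, nd.group("port"))] = (nd.group("vid"), nd.group("pid"))
            continue
        st = STORAGE_RE.match(msg)
        if st:
            vid, pid = pending.get((host, st.group("port")), ("", ""))
            ev = RemovableMediaEvent(ts, host, st.group("port"), vid, pid,
                                     approved=(vid, pid) in APPROVED_DEVICES)
            events.append(ev)
            awaiting_disk[host] = ev
            continue
        dk = DISK_RE.match(msg)
        if dk and host in awaiting_disk:
            awaiting_disk.pop(host).block_device = dk.group("dev")
    return events


def findings(log_text):
    """Human-readable findings for removable storage not on the allowlist."""
    return [
        f"{e.timestamp} {e.host}: unapproved removable storage {e.id_vendor}:{e.id_product} "
        f"attached as /dev/{e.block_device or '?'} on usb {e.usb_port}"
        for e in parse_events(log_text) if not e.approved
    ]


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

A hit here answers only the first half of the slide's question (something was plugged in); whether data was written to it needs file-system audit records or a DLP agent, and an allowlist is only meaningful if USB storage is otherwise blocked by policy.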

    12. Laws, Laws, & More Laws: Safeguarding Information (Thomas C Miele, CISSP, ISSMP)
        - How Many States Do You Do Business In?
        - I Have 9 States’ Laws To Look At Dealing With Privacy & Protection Of Customer Information
        - State of PA: 4 Laws, With New Ones Pending
        - What If You Do Business In All 50 States? 44 States Have Laws, Along With Puerto Rico and the Virgin Islands
        - What About International?

    13. Before Your Data Goes (Jody R. Westby, Information Security Mag.)
        - Organizations Need To Understand Their Privacy And Security Compliance Obligations Prior To Sending Data Across Borders
        - Nearly 50 Countries Have Some Form Of Data Protection Law, And Many Of Them Conflict Or Require Specific Security Measures

    14. Legal Frameworks At Play (Jody R. Westby, Information Security Mag.)
        Globally There Are 3 Types Of Legal Frameworks At Play:
        - EU’s Regulatory Model
        - U.S.’s Self-Regulatory Approach
        - Asia-Pacific Economic Cooperation (APEC) Forum’s Privacy Framework

    15. In Europe, Privacy Is Different (Thomas C Miele, CISSP, ISSMP)
        - Personal Information Cannot Be Collected Without Consumers’ Permission, And They Have The Right To Review The Data And Correct Inaccuracies
        - Companies That Process Data Must Register Their Activities With The Government
        - Employers Cannot Read Workers’ Private E-Mail
        - Personal Information Cannot Be Shared By Companies Or Across Borders Without Express Permission From The Data Subject
        - Checkout Clerks Cannot Ask For Shoppers’ Phone Numbers

    16. Global Complications: Everyone’s Connected (Jody R. Westby, Information Security Mag.)
        - 240 Countries And 1.1 Billion People Online
        Fractured Frameworks:
        - 51 Countries With Privacy Laws, Including 27 EU Countries
        - 8 U.S. Agencies With Privacy Regulations And Enforcement Authority
        - 34 States With Security Breach Notification Laws

    17. Global Complications: Competing Models (Jody R. Westby, Information Security Mag.)
        - EU, U.S., APEC Each Have Overlapping Privacy Mandates
        Multilateral Actions:
        - Various Efforts From The EU, G8, APEC, Council Of Europe (CoE)
        - CoE Convention On Data Protection
        - CoE Convention On Cybercrime
        - G8 24/7 High-Tech Crimes Points-Of-Contact Network
        HOW DO YOU KEEP UP????????

    18. Privacy Lost ????? (Thomas C Miele, CISSP, ISSMP)
        - Most Americans Say They Are Concerned About Privacy
        - 60% Feel Their Privacy Is “Slipping Away”
        - Only 7% Change Behaviors To Preserve Privacy
        - Carnegie Mellon Test Shows People Will Give SSN To Get 50-Cents-Off Coupon
        - Don’t Lose A Laptop With Personal Information!!!!!!!!!!
        - Veterans Admin, ChoicePoint, LexisNexis, Bank Of America, And Other Firms: Loss or Theft Of Personal Information !!!!
        - We’re At The End Of Righteous Indignation By Public And Lawmakers..

    19. What’s A CEO To Do??? (Thomas C Miele, CISSP, ISSMP)
        - Companies Want to Contact Their Customers Or Potential Customers
        - Customers Want Privacy
        - Laws Say We Must Protect Their Privacy/Information
        - So, We Have A Balancing Act
        - Make Sure You Know How Far You Can Go With Your Customers’ Information

    20. Social Engineering (Thomas C Miele, CISSP, ISSMP)
        - Attacker Uses Human Interaction (Social Skills) To Obtain Or Compromise Information About An Organization Or Its Computer Network/Systems
        - May Seem Unassuming And Respectable, Claiming To Be A New Employee Or Repair Person
        - USB Trick
        - Asking Questions To Infiltrate A Network

    21. Good Security Practices: Security First, Then Compliance (Thomas C Miele, CISSP, ISSMP)
        - Don’t Click On Links Within Pop-Up Windows
        - Be Wary Of Free Downloadable Software
        - Don’t Follow E-mail Links Claiming To Offer Anti-Spyware Software
        - Delete E-mails From Senders You Don’t Know !!!!!
        - Don’t Get Complacent! Never Ever Think You Are Done! Always Keep Thinking About How Security Can Be Breached.

    22. Defense-in-Depth: 6 Layers To Consider (SANS What Works in Internet Security)
        Proactive Software Assurance
        Blocking Attacks: Network Based
        - IPS & Detection (IDS)
        - Wireless Intrusion Prevention
        - Network Behavior Analysis
        - Firewalls
        - Secure Web Gateways
        Blocking Attacks: Host Based
        - Endpoint Security
        Speaker Notes:
        - Proactive Software Assurance: the single most effective step in stopping attacks is to design applications and code with fewer security flaws.
        - Blocking Attacks: Network Based: although a lot of damaging attacks come from inside, malicious traffic from the outside makes up the vast majority of all recorded attacks.
        - Blocking Attacks: Host Based: if an attack gets through the network defenses, the PCs, workstations, and servers should be prepared to stop it.

    23. Defense-in-Depth: 6 Layers To Consider (SANS What Works in Internet Security)
        Blocking Attacks: Host Based
        - Endpoint Security
        - Network Access Control
        - System Integrity Checking Tools
        Eliminating Security Vulnerabilities
        - Network Discovery Tools
        - Vulnerability Management
        - Attack & Penetration Testing
        - Patch & Security Configuration Management
        Speaker Notes:
        - Eliminating Security Vulnerabilities: vendors sell software & hardware with vulnerabilities baked in. Our programmers make mistakes.

    24. Defense-in-Depth: 6 Layers To Consider (SANS What Works in Internet Security)
        Safely Supporting Authorized Users
        - Identity & Access Management
        - Mobile Data Protection & Encryption
        - Content Monitoring/Data Leak Prevention
        Tools to Manage Security
        - Log Management & Event Management
        - Media Sanitization and Mobile Device Recovery and Erasure
        - Security Awareness Training
        Speaker Notes:
        - Safely Supporting Authorized Users: help to ensure that authorized users are not unduly impacted by security requirements while the bad guys are blocked!
        - Tools to Manage Security: this area focuses on the tools that manage and improve security processes, as well as on tools needed to reduce the damage done in a successful attack.

    25. Defense-in-Depth: 6 Layers To Consider (SANS What Works in Internet Security)
        Tools to Manage Security
        - Security Awareness Training
        - Forensics Tools
        - Governance, Risk & Compliance Mgt Tools (GLBA, SOX, PCI, HIPAA)
        - Disaster Recovery and Business Continuity

    26. Why I Worry About Social Engineering & Spyware (Thomas C Miele, CISSP, ISSMP)
        - Loss Of Corporate Information And Data
        - Average Cost Per Breach: $4.8 Million
        - Legal Liability
        - If Companies Close Down And/Or Go Out Of Business Then People Will Not Be Paying Into The Social Security Fund !!!
        - We All Pay The Price, However, The CEO Will Pay The Biggest Price!!!

    27. Privacy Resources (Jody R. Westby, Information Security Mag.)
        - U.S. Safe Harbor Program: www.export.gov/safeHarbor/sh_overview.html
        - U.S. Federal Trade Commission: www.ftc.gov/privacy/index.html
        - EU Data Protection Directive: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
        - Council of Europe Cybercrime Convention: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
