1. Top Information Security Issues Facing Organizations
Thomas C Miele, CISSP, ISSMP
2. What The Fortifications Are
Man-Made Fortifications Are Just Monuments To The Stupidity Of Man.
If Rivers And Mountain Ranges Can Be Breached, So Can Anything Built By Man.
General George S. Patton, Jr.
3. Top Issues
International Information Systems Security Certification Consortium (ISC²) Teamed With Auburn University Researchers To ID & Rank Top Info Sec Issues By Way Of Surveys To Its Certified Security Professionals Worldwide & In The USA
25 Issues Were ID'd As Most Critical
NOTE: I Will Not Read All 25 !!!!
4. 4 I Found Of Interest
#1 Top Management Support
#2 Legal & Regulatory Issues
#3 Malware/Social Engineering (Viruses, Trojans, Worms)
#4 Awareness Training & Education
5. User Awareness
If The Users Don't Know Or Are Not Aware, Then They Will Get In Trouble & The Company May Suffer
If Your Company Does Business In All 50 States, Then You Have About 46 Laws.
The Laws Say You Must Conduct An Awareness Program!
SPAM During 2009: 60% Of E-Mail Received!
6. The Less You Know (Source: CSI Alert, Feb 2007)
It's Bad When A Laptop Is Lost Containing:
Customer Name
Social Security Number
Credit Card Information
Raises Good Questions:
Should The Data Be On The Notebook?
Should It Be Locked Down On A Server In The Data Center?
Do We Need To Store All The Information About Our Customers That We Do?
7. Trusted Employees
What About An Inside Job?
Is The Company At Fault?
It Depends
Debs Bank Example
8. Data Not Protected, Privacy Lost (Source: Ben Worthen, CIO Mag., Feb 15, 2007)
The Big Story Is That The Boundary That Existed In People's Lives Between The Workplace And The Home Has Broken Down!
Total Number Of Records Lost Containing Sensitive Personal Information From Security Breaches: 354,140,197
9. Top Breaches, Month Of April 2010 (Source: Ben Worthen, CIO Mag., Feb 15, 2007)
AvMed Health Plans: 208,000 Records, Theft Of Laptops
Blue Cross/Blue Shield Tenn.: 301,628 Records, 57 USB Storage Devices Stolen
Citigroup: 600,000 Customers Received Their Annual Tax Documents With Their Social Security Numbers On The Outside Of The Envelope!
OK, HOW MANY MORE MUST SUFFER BEFORE WE DO IT THE RIGHT WAY?
10. Consumer IT Products
Thumb Drives, Connected Through A USB Port, Can Provide Gigabytes Of Transportable Storage
Data Leakage!
Lost IDs
Spread Of Anything Bad! The Company Is Responsible If An Employee Causes Harm To Others!
11. Ask Yourself ????
Are The USB Ports Protected?
If A User Downloads Information To Any Portable Device, Can We Detect It?
Do Your Policies Cover Storage Of Protected Information On Workstations And/Or Mobile Devices?
Are IT Systems Tested With Live Data????
Is The Data Ever Encrypted?
Do You Allow Cell Phones In The Office That Can Take Pictures?
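The "can we detect it?" question above has a concrete, if partial, answer on any host that keeps its kernel log: the operating system records when a USB mass storage device is attached. The following is an added example, not part of the slide deck, that parses Linux syslog-style kernel messages for USB attachments, flags the ones that are mass storage, and compares the device serial against an approved list. The log lines, host name, vendor/product IDs and serial numbers are constructed for the example and do not come from any real system.

```python
"""Detect removable USB storage attachments from Linux kernel log lines.

Added example (not from the slide deck). It covers one signal for the
question "if a user copies data to a portable device, can we detect it?":
the kernel messages written when a USB mass storage device is attached.
"""
import re
from dataclasses import dataclass

# Constructed sample log, in syslog format, mimicking Linux kernel messages.
# Host name, IDs and serial numbers are placeholders, not real devices.
SAMPLE_LOG = """\
Apr 12 09:14:02 ws-017 kernel: usb 1-3: new high-speed USB device number 5 using xhci_hcd
Apr 12 09:14:02 ws-017 kernel: usb 1-3: New USB device found, idVendor=0000, idProduct=0001, bcdDevice= 1.00
Apr 12 09:14:02 ws-017 kernel: usb 1-3: SerialNumber: EXAMPLE-SERIAL-0001
Apr 12 09:14:02 ws-017 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Apr 12 09:14:03 ws-017 kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Apr 12 09:20:45 ws-017 kernel: usb 1-4: new full-speed USB device number 6 using xhci_hcd
Apr 12 09:20:45 ws-017 kernel: usb 1-4: New USB device found, idVendor=0000, idProduct=0002, bcdDevice= 2.10
Apr 12 09:20:45 ws-017 kernel: input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/input/input9
"""


@dataclass
class UsbDevice:
    """One USB device, keyed by host and the port path the kernel assigned."""
    host: str
    first_seen: str
    port: str
    vendor_id: str = ""
    product_id: str = ""
    serial: str = ""
    mass_storage: bool = False


# syslog prefix: timestamp, host, then the kernel message body
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
# the three kernel messages this detector cares about
FOUND_RE = re.compile(r"^usb (?P<port>\d+-[\d.]+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"^usb (?P<port>\d+-[\d.]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text: str) -> list[UsbDevice]:
    """Group kernel messages per (host, port) into UsbDevice records."""
    devices: dict[tuple[str, str], UsbDevice] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts", "host", "msg")
        for rx in (FOUND_RE, SERIAL_RE, STORAGE_RE):
            mm = rx.match(msg)
            if mm:
                break
        else:
            continue  # not a message we track (e.g. the "new device" or "input:" lines)
        key = (host, mm.group("port"))
        dev = devices.setdefault(key, UsbDevice(host=host, first_seen=ts, port=mm.group("port")))
        if rx is FOUND_RE:
            dev.vendor_id, dev.product_id = mm.group("vid"), mm.group("pid")
        elif rx is SERIAL_RE:
            dev.serial = mm.group("serial")
        else:
            dev.mass_storage = True
    return list(devices.values())


def removable_storage_alerts(log_text: str, approved_serials: set[str]) -> list[str]:
    """One alert line per mass storage attachment; unapproved serials are marked."""
    alerts = []
    for dev in parse_usb_events(log_text):
        if not dev.mass_storage:
            continue  # keyboards, mice, webcams and so on are not a data-leakage path here
        status = "approved" if dev.serial in approved_serials else "UNAPPROVED"
        alerts.append(f"{dev.first_seen} {dev.host} port {dev.port}: mass storage "
                      f"{dev.vendor_id}:{dev.product_id} serial={dev.serial or '?'} [{status}]")
    return alerts


if __name__ == "__main__":
    # Hypothetical approved list; in practice this comes from asset inventory.
    for alert in removable_storage_alerts(SAMPLE_LOG, {"CORP-ISSUED-0042"}):
        print(alert)
```

The caveat a practitioner would add: this tells you that a storage device was attached, not which files were written to it. Answering the slide's full question (what was copied) needs an endpoint agent or content monitoring on the host, and on Windows the equivalent attachment record lives in the event logs rather than a kernel syslog stream. Still, a detector like this is cheap, runs on logs most hosts already produce, and gives the audit trail the "Are The USB Ports Protected?" question assumes.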
12. Laws, Laws, & More Laws: Safeguarding Information
How Many States Do You Do Business In?
I Have 9 States' Laws To Look At Dealing With Privacy & Protection Of Customer Information
State Of PA: 4 Laws, With New Ones Pending
What If You Do Business In All 50 States? 44 States Have Laws, Along With Puerto Rico And The Virgin Islands
What About International?
13. Before Your Data Goes (Source: Jody R. Westby, Information Security Mag.)
Organizations Need To Understand Their Privacy And Security Compliance Obligations Prior To Sending Data Across Borders
Nearly 50 Countries Have Some Form Of Data Protection Law, And Many Of Them Conflict Or Require Specific Security Measures
14. Legal Frameworks At Play (Source: Jody R. Westby, Information Security Mag.)
Globally There Are 3 Types Of Legal Frameworks At Play:
EU's Regulatory Model
U.S.'s Self-Regulatory Approach
Asia-Pacific Economic Cooperation (APEC) Forum's Privacy Framework
15. In Europe, Privacy Is Different
Personal Information Cannot Be Collected Without Consumers' Permission, And They Have The Right To Review The Data And Correct Inaccuracies
Companies That Process Data Must Register Their Activities With The Government
Employers Cannot Read Workers' Private E-Mail
Personal Information Cannot Be Shared By Companies Or Across Borders Without Express Permission From The Data Subject
Checkout Clerks Cannot Ask For Shoppers' Phone Numbers
16. Global Complications (Source: Jody R. Westby, Information Security Mag.)
Everyone's Connected: 240 Countries And 1.1 Billion People Online
Fractured Frameworks:
51 Countries With Privacy Laws, Including 27 EU Countries
8 U.S. Agencies With Privacy Regulations And Enforcement Authority
34 States With Security Breach Notification Laws
17. Global Complications (Source: Jody R. Westby, Information Security Mag.)
Competing Models: EU, U.S., And APEC Each Have Overlapping Privacy Mandates
Multilateral Actions: Various Efforts From The EU, G8, APEC, And Council Of Europe (CoE)
CoE Convention On Data Protection
CoE Convention On Cybercrime
G8 24/7 High-Tech Crimes Points-Of-Contact Network
HOW DO YOU KEEP UP????????
18. Privacy Lost ?????
Most Americans Say They Are Concerned About Privacy
60% Feel Their Privacy Is Slipping Away
Only 7% Change Behaviors To Preserve Privacy
Carnegie Mellon Test Shows People Will Give Their SSN To Get A 50-Cents-Off Coupon
Don't Lose A Laptop With Personal Information!!!!!!!!!!
Veterans Admin, ChoicePoint, LexisNexis, Bank Of America, And Other Firms: Loss Or Theft Of Personal Information !!!! We're At The End Of Righteous Indignation By The Public And Lawmakers.
19. What's A CEO To Do???
Companies Want To Contact Their Customers Or Potential Customers
Customers Want Privacy
Laws Say We Must Protect Their Privacy/Information
So, We Have A Balancing Act
Make Sure You Know How Far You Can Go With Your Customers' Information
20. Social Engineering
Attacker Uses Human Interaction (Social Skills) To Obtain Or Compromise Information About An Organization Or Its Computer Network/Systems
May Seem Unassuming And Respectable
Claiming To Be A New Employee
Repair Person
USB Trick
Asking Questions To Infiltrate A Network
21. Good Security Practices: Security First, Then Compliance
Don't Click On Links Within Pop-Up Windows
Be Wary Of Free Downloadable Software
Don't Follow E-mail Links Claiming To Offer Anti-Spyware Software
Delete E-mails From Senders You Don't Know !!!!!
Don't Get Complacent! Never Ever Think You Are Done! Always Keep Thinking About How Security Can Be Breached.
22. Defense-in-Depth: 6 Layers To Consider
Proactive Software Assurance
Blocking Attacks: Network Based
IPS & Detection (IDS)
Wireless Intrusion Prevention
Network Behavior Analysis
Firewalls
Secure Web Gateways
Blocking Attacks: Host Based
Endpoint Security
(Source: SANS What Works in Internet Security)
Proactive Software Assurance: The single most effective step in stopping attacks is to design applications and code with fewer security flaws.
Blocking Attacks, Network Based: A lot of damaging attacks will come from inside, but malicious traffic from the outside makes up the vast majority of all recorded attacks.
Blocking Attacks, Host Based: If an attack gets through the network defenses, the PCs, workstations, and servers should be prepared to stop it.
23. Defense-in-Depth: 6 Layers To Consider
Blocking Attacks: Host Based
Endpoint Security
Network Access Control
System Integrity Checking Tools
Eliminating Security Vulnerabilities
Network Discovery Tools
Vulnerability Management
Attack & Penetration Testing
Patch & Security Configuration Management
(Source: SANS What Works in Internet Security)
Eliminating Security Vulnerabilities: Vendors sell software & hardware with vulnerabilities baked in. Our programmers make mistakes.
24. Defense-in-Depth: 6 Layers To Consider
Safely Supporting Authorized Users
Identity & Access Management
Mobile Data Protection & Encryption
Content Monitoring/Data Leak Prevention
Tools To Manage Security
Log Management & Event Management
Media Sanitization And Mobile Device Recovery And Erasure
Security Awareness Training
(Source: SANS What Works in Internet Security)
Safely Supporting Authorized Users: Help to ensure that authorized users are not unduly impacted by security requirements while the bad guys are blocked!
Tools To Manage Security: This area focuses on the tools that manage and improve security processes, as well as on tools needed to reduce the damage done in a successful attack.
25. Defense-in-Depth: 6 Layers To Consider
Tools To Manage Security
Security Awareness Training
Forensics Tools
Governance, Risk & Compliance Mgt Tools (GLBA, SOX, PCI, HIPAA)
Disaster Recovery And Business Continuity
(Source: SANS What Works in Internet Security)
26. Why I Worry About Social Engineering & Spyware
Loss Of Corporate Information And Data
Average Cost Per Breach: $4.8 Million
Legal Liability
If Companies Close Down And/Or Go Out Of Business, Then People Will Not Be Paying Into The Social Security Fund !!!
We All Pay The Price; However, The CEO Will Pay The Biggest Price!!!
27. Privacy Resources (Source: Jody R. Westby, Information Security Mag.)
U.S. Safe Harbor Program
www.export.gov/safeHarbor/sh_overview.html
U.S. Federal Trade Commission
www.ftc.gov/privacy/index.html
EU Data Protection Directive
http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
Council of Europe Cybercrime Convention
http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm