Information Security
Jim Cusson, CISSP
Recent Breaches
Records      Date        Organization
110,000      2009-11-27  NorthgateArinso, Verity Trustees
6,400        2009-11-25  Aurora St. Luke's Medical Center
1,500,000    2009-11-19  Health Net
80,000       2009-11-18  Universal American Insurance

Largest Breaches
Records      Date        Organization
130,000,000  2009-01-20  Heartland Payment Systems
94,000,000   2007-01-17  TJX Companies Inc.
90,000,000   1984-06-01  TRW, Sears Roebuck
76,000,000   2009-10-05  National Archives and Records Administration
40,000,000   2005-06-19  CardSystems, Visa, MasterCard, American Express
30,000,000   2004-06-24  America Online
26,500,000   2006-05-22  U.S. Department of Veterans Affairs
25,000,000   2007-11-20  HM Revenue and Customs, TNT
17,000,000   2008-10-06  T-Mobile, Deutsche Telekom
16,000,000   1986-11-01  Canada Revenue Agency

Cost of a Breach
In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the cost per compromised record in 2008 to be $202 per record.
Actual Costs
Legal, credit monitoring, reputation, mailings, stock price, etc.
• The security breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion
• The Heartland breach has cost the company $32 million so far (August 2009)
• According to the Ponemon Institute's study, the Heartland breach will likely be more costly than the theft of data from TJX
• In 2008: $6.6 million per incident
• Costs include the costs of detecting and responding to the loss of data, along with legal and administrative expenses, customer defections and opportunity loss
Identity Theft
• As of November 24, 2009 the total number of breaches reported by the ITRC (Identity Theft Resource Center) is 444
• The taking of the victim's identity to obtain credit or credit cards from banks and retailers, steal money from the victim's existing accounts, apply for loans, establish accounts with utility companies, rent an apartment, file bankruptcy or obtain a job using the victim's name
• Identity theft is "an absolute epidemic"
• It has increased in the last four or five years
• It is nationwide
• It affects everybody
• You can't detect it until it's probably too late
Types of Breaches
• Document Disposal – Paper documents improperly disposed of
• Stolen Laptops – Laptop stolen and information retrieved from the hard drive
• Virus – Malicious software, key loggers, etc., send information off site
• Web – Vulnerability in a web server exploited
• Lost Disk Drive – Lost/sold hard drive accessed to retrieve data
• Hack – Password guessed, system hacked
• Fraud – Social engineering, people duped into giving out bank account details
• Lost Backup Tape – Backup tapes lost/stolen, accessed to retrieve data
• Internal – Trusted employees steal data and sell it
What Is Information Security
• Information security is the process of protecting information. It protects its confidentiality, integrity and availability.
• Confidentiality – Ensuring data is accessed only by those who should access it
• Integrity – Ensuring data is not modified
• Availability – Ensuring data is accessible
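As an added illustration of the integrity property above (this is example code written for this page, not material from the presentation), the block below protects a stored record with an HMAC-SHA256 tag and shows that any change to the record, even a single digit, makes verification fail. The record contents and the key are constructed for the example; the key would normally be held in a secrets store rather than generated in the program.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the slides): one customer row as an application might store it.
RECORD = b"customer_id=1042;name=Alice Example;balance=250.00"


def make_tag(key: bytes, data: bytes) -> str:
    """Compute an HMAC-SHA256 tag over data.

    Unlike a plain hash, the tag depends on a secret key, so someone who can
    edit the stored data cannot simply recompute a matching tag.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """Return True only if data is unchanged since the tag was computed.

    compare_digest runs in constant time so the comparison itself does not
    leak how many leading characters of the tag were correct.
    """
    return hmac.compare_digest(make_tag(key, data), tag)


def demo() -> dict:
    """Tag the record, then check both the original and a tampered copy."""
    key = secrets.token_bytes(32)  # constructed key for the example only
    tag = make_tag(key, RECORD)
    tampered = RECORD.replace(b"balance=250.00", b"balance=250000.00")
    return {
        "original_ok": verify(key, RECORD, tag),
        "tampered_ok": verify(key, tampered, tag),
        "wrong_key_ok": verify(secrets.token_bytes(32), RECORD, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Confidentiality is the separate property: an HMAC tag detects modification but does not hide the record contents, so a record that must also stay secret needs encryption (or an authenticated-encryption mode that provides both) in addition to the tag.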
How to Secure Information
• Network Design
• Access Control
• Firewalls
• Intrusion Detection/Prevention Systems
• Anti-Virus
• Backups
• Disaster Recovery/Business Continuity
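To make the "Intrusion Detection" item above concrete, here is an added example (written for this page, not part of the presentation) of the simplest kind of detection rule: it reads sshd-style authentication log lines, counts failed logins per source address inside a sliding time window, and raises an alert when the count reaches a threshold, noting whether a successful login followed the failures. The log lines, hostnames and addresses are constructed for the example, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the slides): syslog-style sshd lines.
SAMPLE_LOG = """\
Nov 24 08:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Nov 24 08:00:02 host sshd[102]: Failed password for root from 203.0.113.5 port 50002 ssh2
Nov 24 08:00:03 host sshd[103]: Failed password for root from 203.0.113.5 port 50003 ssh2
Nov 24 08:00:04 host sshd[104]: Failed password for root from 203.0.113.5 port 50004 ssh2
Nov 24 08:00:05 host sshd[105]: Failed password for root from 203.0.113.5 port 50005 ssh2
Nov 24 08:00:06 host sshd[106]: Accepted password for root from 203.0.113.5 port 50006 ssh2
Nov 24 08:05:00 host sshd[107]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov 24 08:05:30 host sshd[108]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse(log_text, year=2009):
    """Turn log lines into (timestamp, outcome, user, source) tuples; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Assumed year: syslog timestamps omit it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on any source with >= threshold failed logins inside the window.

    Returns {source: {"first", "last", "failures", "success_after"}}.
    success_after records whether the same source later logged in successfully,
    which is the case an analyst would want to look at first.
    """
    recent_failures = defaultdict(list)  # source -> timestamps still inside the window
    alerts = {}
    for ts, outcome, _user, src in events:
        if outcome == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # expire failures older than the window
                q.pop(0)
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"first": q[0], "success_after": False})
                alert["failures"] = len(q)
                alert["last"] = ts
        elif outcome == "Accepted" and src in alerts:
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_guessing(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Two design points carry over to real deployments: the threshold and window are tunable, so they should be set from a baseline of normal failure rates rather than guessed, and a single source address is a weak key, because guessing spread across many sources would stay under the per-source threshold; a second rule keyed on the target account catches that variant.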
Challenges
• Cost – Protection is expensive
• Compliance – GLBA, HIPAA, PCI, SOX
• Proving Effectiveness – How to show they're getting value
Communication!
Communication is huge!
• Project Teams – Most members don't know security
• Management – Often aren't technical
• Enforcement – How to tell someone "it's not secure"
• Policy – Writing for end users, enforcement