“a careless word… a needless sinking” 1943
Slide 1: Does IT Security Matter… Does Information Security Matter?
Poster image: “A careless word… a needless sinking”, Anton Otto Fischer, 1943
Slide 2: IT Security and Privacy
Group 5: Natalia Hardey, Christopher Boyce, Christopher Rodelas, Michael Bruns, Irene Budiono
Slide 3: Agenda
1. Introduction
  ◦ Video
  ◦ IT Security at a Glance
  ◦ Common IT Security Risks & Costs Involved
  ◦ IT Security Technologies
  ◦ Legislation
  ◦ CSO/CISO Roles
2. Case Studies
  ◦ Midwestern University
  ◦ U.S. Army
3. Summary of Best Practices
  ◦ Organizations
  ◦ Individuals
4. Q & A
Slide 4: It’s not just the technology…
Video: http://www.youtube.com/watch?v=dy4VJP-lZpA
Slide 5: Recent IT Breaches
- July 2008, University of Nebraska at Kearney: SSNs unaccounted for on university computers
- January 2009, White House: “Chinese hackers crack White House”
- January 2009, CheckFree Corp.: Five million E-Pay records hacked
- January 2009, Heartland Payment Systems: Malicious software on payment processing network
- January 2009, U.S. Military: soldiers’ SSNs found on a thrift-store USB drive
Slide 6: Information Security Definition
- Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
  ◦ Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
  ◦ Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; and
  ◦ Availability: Ensuring timely and reliable access to and use of information.
Slide 7: Common Security Threats: Vulnerability Issues
- CIA Triad: Confidentiality, Integrity, Availability. Mainly concerned with information.
- Parkerian Hexad: the CIA Triad plus Possession, Authenticity, Utility. Still concerned with information.
Slide 8: Types of Information Security
- Products (Physical Security)
- People (Personal Security)
- Procedures (Organizational Security)
Slide 9: Common Security Threats
- Behavioral
  ◦ Often referred to as ‘Social Engineering’
  ◦ Phishing scams
  ◦ Password cracking
  ◦ Disclosure of financial information
  ◦ Disclosure of personal information
  ◦ Often used in conjunction with malware
- Malicious Software (Malware)
  ◦ Spyware and adware
  ◦ Bots (backdoors)
  ◦ Viruses, worms, and Trojans
Slide 10: Survey chart (n=577)
The security practitioners surveyed ranked cloud computing, mobility, cybercrime and data breach as the major threats to organizations’ confidential and sensitive data.
Slide 11: Mega Trends – IT Security
- Cloud Computing
- Mobile Workforce
- Cybercrime
- Outsourcing
- Data Breach
Slide 12: Costs of IT Security Incidents to Organizations (chart, 2008, n=144)
Although erratic, costs seem to be declining as time progresses.
Slide 13: Costs of IT Security Incidents to Organizations
Source: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf

| Type of Incident | Average Cost per Incident |
|---|---|
| Financial Fraud | $463,100 |
| Bot Computers | $345,600 |
| Loss of Proprietary Information | $241,000 |
| Loss of Confidential Data | $268,000 |
| Virus Incidents | $40,141 |

Contrary to what many people believe, viruses are not the most costly incidents that can affect an organization.
Slide 14: Security Spending and Justification (CSI 2008 Summary)
- 53% of respondents allocate no more than 5% of their IT budget to IT security
- 42% spent less than 1% of their security dollars on awareness programs
- Low spending due to perceived financial benefits of security investments
  ◦ (ROI, NPV, IRR)
- Security insurance
Slide 15: IT Security Technology Used (CSI 2008 Summary)

| Technology | % Use |
|---|---|
| Anti-virus software | 97% |
| Firewalls | 94% |
| Virtual Private Network (VPN) | 85% |
| Anti-spyware software | 80% |
| Encryption of data in transit | 71% |
Slide 16: Reasons for Not Reporting an Incident (CSI 2008 Summary; chart)
On a scale of 1-7, with 1 being least important and 7 being most important.
Slide 17: Legislation – IT Security
- American Recovery and Reinvestment Act
  ◦ President Barack H. Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA)
  ◦ A significant portion of the ARRA's stimulus expenditures and measures are related to health information technology (HIT) and incentives to adopt electronic health record (EHR) systems.
Slide 18: Legislation – IT Security: FERPA
- “The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education” (http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html)
- Outcome:
  ◦ Rights transfer from parents to students once students reach 18 or are no longer in high school.
  ◦ Gives “Eligible Students” privacy of their education results.
  ◦ Rights to inspect, review, and correct their information.
  ◦ Schools must inform parents and eligible students of their rights each year.
Slide 19: Legislation – IT Security: HIPAA
- Health Insurance Portability and Accountability Act of 1996.
- Establishes national standards for the security of electronic health care information.
- Outcome: Protects patients’ privacy in their personal information. Health providers are subject to civil and criminal penalties if they violate patients’ rights under HIPAA:
  ◦ Up to $25,000 for multiple violations of the same standard in a calendar year.
  ◦ Up to $250,000 and/or 10 years in jail for knowing misuse of patients’ information.
Slide 20: Legislation – IT Security: Sarbanes-Oxley Act of 2002
Section 404 of the act addresses testing of general computer controls, such as: data center operating controls, system software controls, access security controls, and application system development and maintenance.
Slide 21: Legislation – IT Security: Federal Information Security Management Act (2002)
1. Inventory and Categorization of Information Systems
2. Security Controls
3. Risk Assessment
4. System Security Plan
5. Certification and Accreditation
6. Continuous Monitoring
Slide 22: Legislation – IT Security: Federal Information Security Management Act (2008)
- Created the Chief Information Security Officer (CISO) role
- Established the CISO Council
- Enhanced the continuous monitoring process
- Required additional reporting from DHS
Slide 23: Why was the CISO role created?
- Enforce security standards and compliance
- Demonstrate to CxOs the positive payback of IT investments for the organization’s goals and strategy
- Control and track IT spending (especially security costs)
- Assist other senior managers in achieving business goals and protecting their information
- Comply with annual audit requirements
Slide 25: Company Overview (Midwestern University)
- University population: 20,000
- FY2009 budget: between $100 and $300 million
- IT department: very centralized; employees: ~60
- IT spend: 7% (higher than average)
- IT security spend: ~5% of total IT spend
- Customers: students, faculty/staff, guests, patients
Slide 26: Organizational Structure (org chart, image only)
Slide 27: Top Threats
- Phishing (#1 threat)
- Security awareness
- Denial of service
- Password sharing
- Malware, spyware, bots, etc.
- Human error, over which there is no control
- Sabotage
Slide 28: Denial of Service (image only)
Slide 29: Gaining the Upper Hand
- Centralization
  ◦ Forces campus-wide policies and procedures
- Network Access Control (NAC) system
  ◦ Authenticates all IP addresses and user names
  ◦ Continuously ensures that your system is up to date
- New threat detection software
  ◦ Allows for immediate response
- Making use of functionality in legacy software that went unused due to lack of staff
  ◦ Legacy: obsolete systems that are still in use
Slide 30: Controls: Student & Faculty

| Type of Control | Student Computers | Faculty Computers |
|---|---|---|
| Connected to the NAC | YES | YES |
| Administrative rights | NO | YES |
| Symantec anti-virus | YES | YES |
| Nightly updates | YES | YES |
| Security alerted to any virus immediately | YES | YES |
| No installs or changes to registry permitted | YES | NO |
| Restart returns machine to “frozen state” | YES | NO |
Slide 31: Network Access Security
- Port locking in place for wired connections
- Wireless access allowed
  ◦ Treated as a hostile network
  ◦ Stores IP and ID information
  ◦ On a different network than the University
- Allows wireless usage to grow while mitigating threats
Slide 32: How a NAC Works (diagram, image only)
Slide 33: Examples of Practices in Place
- Products (Physical Security)
  ◦ Hard drives wiped with GDisk to DOD standards
  ◦ Stolen property reported to CSO, police
  ◦ Machines with student data encrypted
- People (Personal Security)
  ◦ Awareness / education
  ◦ Staff to assist with issues
  ◦ Free anti-virus software for personal machines
- Procedures (Organizational Security)
  ◦ SSN Remediation Project
  ◦ General Usage Agreement
Slide 34: Difficulties and Challenges
- Largest obstacle is human (user) error
- The “Higher Education Culture”
  ◦ Staff often lack anti-spy/spam software
  ◦ Staff generally have more sensitive data
  ◦ Staff have unfettered access
- No real restrictions except file sharing
Slide 35: Recent Developments
- Security awareness is much better
  ◦ Promotion, persuasion, mandates
- Regulatory issues have become high on the priority list
  ◦ HIPAA, FERPA, credit card transactions, RIAA suits
Slide 36: Biggest Costs
- Anti-spam software is the most expensive
- Data discovery and litigation
  ◦ Lawsuits: a new Jan ’08 federal law requires that all data related to lawsuits (like a hiring discrimination lawsuit) must physically be put into secure locations
- Anti-virus software
- Firewall and hardware
- Network Access Control (NAC) software
Slide 37: New Security Technology
- Host-Based Intrusion Prevention System
  ◦ Combats attacks at the device and server level
  ◦ Complements existing investments in network-based IPS without relying on signatures that require near-constant updates
  ◦ Currently very expensive and little used
- Application Firewall
  ◦ Limits which software applications have access and the type of traffic (such as web browser vs. P2P file sharing)
Slide 38: Chilling Encrypted Data
- Princeton computer security researchers discovered that spraying an inverted can of "canned air" on RAM chips can “freeze” the data stored on the chips, with less than 1 percent of the bits decaying after 10 minutes without power.
- When the DRAM chips were cooled to liquid nitrogen temperatures, the Princeton group observed decay rates of 0.17 percent after 60 minutes without power.
Slide 39: Biggest Lessons Learned
- More often than not, it takes a critical situation for security to be taken seriously
- Human error is always the largest threat
- The security is only as good as the people using it
Slide 41: U.S. Army Signal Corps Overview
- Size, U.S. Army:
  ◦ 547,000 Active Duty
  ◦ 358,200 Nat’l Guard
  ◦ 206,000 Army Reserve
  ◦ 65,000 Signal Corps
- Budget, U.S. Army: $140.7 billion (FY09)
Slide 42: Signal Corps Mission Statement
The mission of the Signal Corps is to provide and manage communications and information systems support for the command and control of combined arms forces. Signal support includes Network Operations (information assurance, information dissemination management, and network management) and management of the electromagnetic spectrum. Signal support encompasses all aspects of designing, installing, maintaining, and managing information networks to include communications links, computers, and other components of local and wide area networks. Signal forces plan, install, operate, and maintain voice and data communications networks that employ single and multi-channel satellite, tropospheric scatter, terrestrial microwave, switching, messaging, video-teleconferencing, visual information, and other related systems. They integrate tactical, strategic and sustaining base communications, information processing and management systems into a seamless global information network that supports knowledge dominance for Army, joint and coalition operations.
Slide 43: US Army Signal Corps Chain of Command
NETCOM, the 9th Signal Command, has 17,000 soldiers, civilians, and contractors working for it and the various units under its command.
Slide 44: U.S. Federal and Department of the Army ICT Spending (in billions $)

| Category | Federal | Army |
|---|---|---|
| Data Processing & Telecommunications | $25.4 | $3.1 |
| Communication and Detection Equipment | 15.4 | 6.7 |
| Automatic Data Processing Equipment | 10.4 | 3.7 |
| Contracts for Fiber Optics | 0.12 | 0.03 |
Slide 45: Structure of Security Network: DOD Network Structure
- 3 types of networks:
  1. DOD machines on non-DOD network
  2. DOD machines on DOD network: NIPR Network, SIPR Network
  3. Tactical networks
- Constraints
  ◦ Satellite bandwidth: small units still communicate primarily by radio
  ◦ Physical security of fiber and cable
Slide 46: Structure of Security Network: DOD Network Security
- Software security
  ◦ DOD centrally disseminates security updates for software
  ◦ Activity of all users monitored and logged
- Physical security measures
  ◦ No USB devices allowed on DOD networks
  ◦ Offices are secured
  ◦ Checklists exist for users and administrators
  ◦ Vaulted computers for highly sensitive information
Slide 47: Structure of Security Network: DOD Network Security
- Network security measures
  ◦ Three layers of network security: DOD, Army, Installation level
- Password management
  ◦ Passwords must be changed every 90 days
  ◦ Can’t roll back to previous 6 passwords
- Network breaches
  ◦ Happen rarely; typically a ‘people problem’, not a network problem
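To make the rotation and reuse rules on this slide concrete, here is an added example (not Army code; the deck gives no implementation) that enforces the 90-day maximum age and the six-password history window. Storing each password as a salted PBKDF2-HMAC-SHA256 digest and passing dates as ISO strings are assumptions of the example.

```python
"""Password rotation and reuse checks modelled on the policy on the slide:
a password expires after 90 days and none of the 6 most recent may be reused.
Added example, not Army software. Storage format is an assumption: each
password is kept as (salt, PBKDF2-HMAC-SHA256 digest), never in clear text."""
import hashlib
import hmac
import os
from datetime import date
from typing import List, Optional, Tuple

MAX_AGE_DAYS = 90        # "Passwords must be changed every 90 days"
HISTORY_DEPTH = 6        # "Can't roll back to previous 6 passwords" (the current one counts)
PBKDF2_ROUNDS = 100_000  # work factor; raise it for a production deployment


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordRecord:
    """Per-user state: the hashes of the HISTORY_DEPTH most recent passwords
    (index 0 is the current one) and the date the current one was set."""

    def __init__(self, password: str, changed_on: str) -> None:
        self.changed_on = date.fromisoformat(changed_on)
        self.recent: List[Tuple[bytes, bytes]] = [hash_password(password)]

    def age_days(self, today: str) -> int:
        return (date.fromisoformat(today) - self.changed_on).days

    def is_expired(self, today: str) -> bool:
        """True once the current password has been in use for MAX_AGE_DAYS or more."""
        return self.age_days(today) >= MAX_AGE_DAYS

    def days_until_expiry(self, today: str) -> int:
        return MAX_AGE_DAYS - self.age_days(today)

    def rejected_reason(self, candidate: str) -> Optional[str]:
        """Why the candidate may not be used, or None if it passes the history check."""
        for n, (salt, digest) in enumerate(self.recent):
            if matches(candidate, salt, digest):
                if n == 0:
                    return "same as the current password"
                return f"reused: it was the password {n} change(s) ago"
        return None

    def rotate(self, candidate: str, today: str) -> None:
        """Install a new password, pushing the old one into the history window."""
        reason = self.rejected_reason(candidate)
        if reason is not None:
            raise ValueError(reason)
        self.recent.insert(0, hash_password(candidate))
        del self.recent[HISTORY_DEPTH:]  # forget anything older than the window
        self.changed_on = date.fromisoformat(today)


if __name__ == "__main__":
    # Constructed walk-through: set a password on 1 Jan 2009 and check it on 1 Apr 2009.
    rec = PasswordRecord("Spring2009!", "2009-01-01")
    print("expired on 2009-04-01:", rec.is_expired("2009-04-01"))
    print("reuse of current password rejected:", rec.rejected_reason("Spring2009!"))
```

The window is counted the way Windows-style "enforce password history" settings count it: the current password is one of the six, so a password becomes reusable again only after six further changes.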
Slide 48: DOD Information Security
- Unclassified information
  ◦ Open to all
  ◦ Need to know (not subject to FOIA)
- Classified information
  ◦ All classified information is need to know
  ◦ Secret
  ◦ Top Secret
  ◦ Special Security Information
Slide 49: Largest IT Threats
- What keeps IT pros in the Army up at night?
  ◦ People not following security regulations!
  ◦ People are the weakest link in the information security chain
  ◦ Software security/vulnerabilities aren’t a big concern!
Slide 50: Upcoming Technologies: Static Analysis Tools
- Used to augment software testing
- Look for errors in code that cause security vulnerabilities
- Do not need to run the program
Slide 51: Upcoming Technologies
- Preventing internal theft of information and hardware
  ◦ Design an architecture that runs all processes on a secure server, accepts only mouse and keyboard input from users, and returns compressed streaming video
    - Place limits on video bandwidth and print bandwidth
    - Firewall all servers; allow only trusted programs to run
    - Physically secure the server location
    - Don’t allow any processes to run on user terminals
Slide 52: Upcoming Technologies
- Future Combat Systems
  ◦ Often derided as “Cell Phones for Soldiers”
  ◦ Provide secure communications using a self-organizing network, with radios that act as both transmitter and receiver, and provide voice, text, picture, and limited video communications
  ◦ Biggest challenge: TCP/IP is not a sufficiently capable protocol for FCS wireless ad-hoc or mesh networks. FCS will require a new network structure.
Slide 53: Consolidation of LandWarNet
- Organizational changes
  ◦ NETCOM now has technical authority over all network hardware and software
- People changes
  ◦ No important changes
- Product changes
  ◦ There will be a standardized “enterprise software suite” that will be made available to all Army personnel
  ◦ Hardware will be centralized, capabilities standardized
Slide 56: Best Practices – Organizations
- Centralize
- Standardize (ERP)
- Manage users
- Awareness training
  ◦ Level of security awareness: Education: 9.2%; Government: 22.2%
- Use separate machines to access sensitive information (case #2)
- Using a password manager helps
  ◦ Users store passwords securely on a computer hard drive, mobile device, or online website
  ◦ To encrypt personal files or data sent via email
Slide 57: Awareness Training
- Involve top management
- Set up topics
- Clearly communicate the goals of each training session
- Define and explain each topic to trainees
  ◦ Ensure they receive training on each topic (and its risks) and that they are equipped with prevention methods at the end of the session
- Regular (annual) sessions, and sessions for new staff
Slide 58: Characteristics of Effective Security Governance
- An enterprise-wide issue
- Leaders are accountable
- Viewed as a business requirement
- Risk-based
- Roles, responsibilities, and segregation of duties defined
- Addressed and enforced in policy
- Adequate resources committed
- Staff aware and trained
- A development life cycle requirement
Slide 59: Information Security Policy within an Organization (CSI 2008 Summary; chart, image only)
Slide 60: Techniques Used to Evaluate Security Technology (CSI 2008 Summary; chart)
Organizations are using a variety of methods to evaluate security technologies.
Slide 61: What this means for CISOs
- Information security is IMPORTANT!!
- Business success depends on IT (security)
- Work towards IT centralization
- Awareness training is essential
  ◦ To keep people aware of current and potential information risks and how to keep away from them
- Plan the security strategy
Slide 62: Security Strategy: “Five Principles of Security”
1. Planning
2. Proactive
3. Protection
4. Prevention
5. Pitfalls
Slide 63: What Can I Do?
- Use multiple strong passwords
- Use antivirus and antispyware software and keep it updated
- Use a firewall
- Download Windows security updates
- Stay informed about current email viruses and phishing scams
Slide 64: Example of a SiteKey (image only)
Slide 65: Time to crack *your* password

| Password Length | Character Set: 26 letters | 36 letters and digits | 52 letters and digits with upper and lower case |
|---|---|---|---|
| 3 | 0.18 seconds | 0.47 seconds | 1.41 seconds |
| 4 | 4.57 seconds | 16.8 seconds | 1.22 minutes |
| 5 | 1.98 minutes | 10.1 minutes | 1.06 hours |
| 6 | 51.5 minutes | 6.05 hours | 13.7 days |
| 7 | 22.3 hours | 9.07 days | 3.91 months |
| 8 | 24.2 days | 10.7 months | 17.0 years |
| 9 | 1.72 years | 32.2 years | 8.82 centuries |
| 10 | 44.8 years | 1.16 millennia | 45.8 millennia |
| 11 | 11.6 centuries | 41.7 millennia | 2,384 millennia |
| 12 | 30.3 millennia | 1,503 millennia | 123,946 millennia |
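The table follows from the exhaustive-search formula charset_size^length divided by the guessing rate. This added example (not part of the original deck) regenerates it; the deck does not state its rate or calendar, so 100,000 guesses per second, 365-day years and months of one twelfth of a year are assumed because they reproduce the slide's figures.

```python
"""Regenerate the slide's time-to-crack table from the exhaustive-search formula
    time = charset_size ** length / guesses_per_second
Added example, not from the original deck. The deck does not state its guessing
rate or calendar; 100,000 guesses/s, 365-day years and months of one twelfth of a
year are assumed because they reproduce the slide's figures."""
import math
from typing import Dict

GUESSES_PER_SECOND = 100_000  # assumed rate behind the slide's numbers
SECONDS_PER_YEAR = 365 * 86_400

# Column sizes from the slide. 52 symbols is the upper- and lower-case letters
# only; a set that also contained the ten digits would have 62 symbols.
CHARSETS = {
    "26 letters": 26,
    "36 letters and digits": 36,
    "52 letters, upper and lower case": 52,
}

# For display, the largest unit whose span is not greater than the duration is used.
UNITS = [
    ("seconds", 1),
    ("minutes", 60),
    ("hours", 3_600),
    ("days", 86_400),
    ("months", SECONDS_PER_YEAR / 12),
    ("years", SECONDS_PER_YEAR),
    ("centuries", 100 * SECONDS_PER_YEAR),
    ("millennia", 1_000 * SECONDS_PER_YEAR),
]


def search_space(charset_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must try."""
    return charset_size ** length


def crack_seconds(charset_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guessing rate."""
    return search_space(charset_size, length) / rate


def humanize(seconds: float) -> str:
    """Format a duration the way the slide does: three significant figures
    (two decimals below 1) in the largest fitting unit, thousands separated."""
    unit, span = UNITS[0]
    for name, size in UNITS:
        if seconds >= size:
            unit, span = name, size
    value = seconds / span
    if value < 1:
        text = f"{value:.2f}"
    else:
        decimals = max(0, 2 - math.floor(math.log10(value)))
        text = f"{value:,.{decimals}f}"
    return f"{text} {unit}"


def crack_time(charset_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> str:
    return humanize(crack_seconds(charset_size, length, rate))


def build_table(rate: float = GUESSES_PER_SECOND) -> Dict[int, Dict[str, str]]:
    """Rows for lengths 3..12 with one entry per character set, as on the slide."""
    return {
        length: {label: crack_time(size, length, rate) for label, size in CHARSETS.items()}
        for length in range(3, 13)
    }


if __name__ == "__main__":
    for length, row in build_table().items():
        print(f"{length:>2}", " | ".join(f"{row[label]:>18}" for label in CHARSETS))
```

The 6-character, 52-symbol cell on the slide (13.7 days) is the one entry the formula does not reproduce; it gives 2.29 days. The `rate` parameter is what changes between the slide's era and today, so the same table can be recomputed for any assumed guessing rate.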
Slide 66: Identity Theft
Video: http://www.youtube.com/watch?v=ZIC57kbD_W8
Slide 67: New Future Technology – Fee by Fingerprint
Video: http://www.youtube.com/watch?v=frnYEJK8XMA
Slide 68: Internet Security in a Nutshell

| Threat | How it happens | What it does | How to stop it |
|---|---|---|---|
| Spyware | Downloading files and installing free or unknown software from untrusted sources | Computer can become unstable or unusable; keystroke logging | Use anti-spyware, regular scans, avoid the unknown |
| Viruses, worms, malware, trojans | Opening unsolicited email and attachments, clicking on pop-ups | Files can be destroyed, hackers can gain control, replication and distribution on the network | Install and update anti-virus and firewall software, avoid the unknown |
| Phishing scams and identity theft | Replying to or clicking on links in emails that appear legitimate but aren’t; conducting business on unsecure sites | Can compromise your identity, financial information and security | Encrypted financial transactions; never reply to emails asking for passwords or personal information; cookie notification |
Slide 69: References
- Slide 1: “A careless word… a needless sinking”, Anton Otto Fischer, artist, 1943, Office of War Information
- Slide 4: Heartland Payment Systems: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html ; all others: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009 ; White House: Anonymous (2009), Information Management Journal, Jan/Feb 2009, 43(1), p. 10
- Slides 6 & 8: http://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003542----000-.html
- Slide 7: http://www.zdnetasia.com/techguide/security/0,39044901,62044759,00.htm
- Slide 9: http://www.albany.edu/its/security_threats.htm
- Slides 10 & 11: http://www.lumension.com/viewDocument.jsp?id=148524
- Slides 12-16 & 59-60: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
![Page 70: “A careless word… a needless sinking” 1943](https://reader035.vdocuments.site/reader035/viewer/2022081418/56814916550346895db64dcb/html5/thumbnails/70.jpg)
Slides 17 & 20:
http://www.iasplus.com/dttpubs/0502soxfpi.pdf
http://www.foley.com/publications/pub_detail.aspx?pubid=5726
Slide 18:
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Slide 19:
http://proquest.umi.com/pqdweb?index=11&did=1469228581&SrchMode=1&sid=1&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1240504144&clientId=45249
Gupta, Adarsh K., DO, MS (2008). How to Protect Your Data When You’re on the Web.
Slides 21 & 22:
http://blog.isc2.org/isc2_blog/2008/10/fisma-2008---wh.html
http://www.sec-oig.gov/Reports/AuditsInspections/2008/451final.pdf
Slide 23:
Mechling, J. (2009). What does your CIO really need to know?, Government Finance Review, Feb 2009, 25(1), p. 79. Accessed from ABI/INFORM Global database.
Rau, K. G. (2004). Effective Governance of IT: Design Objectives, Roles, and Relationships, Information Systems Management, Fall 2004, 21(4), p. 35. Accessed from ABI/INFORM Global database.
![Page 71: “A careless word… a needless sinking” 1943](https://reader035.vdocuments.site/reader035/viewer/2022081418/56814916550346895db64dcb/html5/thumbnails/71.jpg)
Slides 25-27, 36-37:
Interview
Slide 28:
http://static.howstuffworks.com/gif/zombie-computer-3d.jpg
Slide 29:
http://www.answers.com/topic/legacy-system
Slide 35:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5_ps10264_Products_Data_Sheet.html
Slide 38:
Swartz, Nikki (2008). Chilling Encrypted Data, Information Management Journal, May/June 2008, 42(3), p. 12.
Slide 41:
http://www.army.mil/aps/08/critical_challenges/critical_challenges.html Accessed 21 Apr 2009.
http://www.gordon.army.mil/Signal/pdf_2009/GoSignal.pdf
Slide 42:
http://www.branchorientation.com/signal/mission.html
![Page 72: “A careless word… a needless sinking” 1943](https://reader035.vdocuments.site/reader035/viewer/2022081418/56814916550346895db64dcb/html5/thumbnails/72.jpg)
Slide 43:
http://www.netcom.army.mil/about/docs/NETCOM_Brochure.pdf
Slide 44:
http://usaspending.gov/
Slide 50:
Anderson, Paul. Improving Software Reliability and Security with Automated Analysis. MILCOM 2008. IEEE database.
Slide 51:
Fisk, Miller, and Kent. Global Virtual Vault: Preventing Unauthorized Physical Disclosure by the Insider. MILCOM 2008. IEEE database.
Slide 52:
Striki, McAuley, and Morera. Modeling Topology Dissemination for Routing in Future Force Networks. MILCOM 2008, 16-19 Nov. 2008. IEEE Xplore database. Accessed 26 Apr 2009. http://ieeexplore.ieee.org/search/searchresult.jsp?queryText=(future+combat+systems+%3Cin%3E+metadata)+%3Cand%3E+(4753027+%3Cin%3E+isnumber)&coll2=ieeecnfs&coll3=ieecnfs&history=yes&reqloc=others&scope=metadata&imageField2.x=0&imageField2.y=0
![Page 73: “A careless word… a needless sinking” 1943](https://reader035.vdocuments.site/reader035/viewer/2022081418/56814916550346895db64dcb/html5/thumbnails/73.jpg)
Slide 52 (continued):
Wang, Hag, Schmidt, and Corsaro. Toward an Adaptive Data Distribution Service for Dynamic Large-Scale Network-Centric Operation and Warfare (NCOW) Systems. MILCOM 2008, 16-19 Nov. 2008. IEEE Xplore database. Accessed 26 Apr 2009. http://ieeexplore.ieee.org/search/searchresult.jsp?queryText=(future+combat+systems+%3Cin%3E+metadata)+%3Cand%3E+(4753027+%3Cin%3E+isnumber)&coll2=ieeecnfs&coll3=ieecnfs&history=yes&reqloc=others&scope=metadata&imageField2.x=0&imageField2.y=0
Slides 45-49, 53:
Personal interview with Lt. Col. Warren Griggs.
Slides 56-57:
http://www.cp-lab.com/
Rotvold, G. (2008). How to Create a Security Culture in Your Organization, Information Management Journal, 42(6), p. 32. Accessed from ABI/INFORM database.
Slide 58:
Allen, J. H. (2007). Governing for Enterprise Security, Carnegie Mellon University, Software Engineering Institute.
Slide 61:
Mechling, J. (2009). What does your CIO really need to know?, Government Finance Review, Feb 2009, 25(1), p. 79. Accessed from ABI/INFORM Global database.
![Page 74: “A careless word… a needless sinking” 1943](https://reader035.vdocuments.site/reader035/viewer/2022081418/56814916550346895db64dcb/html5/thumbnails/74.jpg)
Slide 62:
Pollitt, D. (2005). Energis trains employees and customers in IT security, Human Resource Management International Digest, 13(2), p. 25. Accessed from ABI/INFORM database.
Slide 63:
http://www.btcoinc.com/images/security300x350.jpg
http://www.jisclegal.ac.uk/graphics/esecurity.jpg
Slide 65:
http://www.oit.osu.edu/networking/osunet/Password_Best_Practices.pdf
Slide 66:
http://www.youtube.com/watch?v=ZIC57kbD_W8
Slide 67:
http://www.youtube.com/watch?v=frnYEJK8XMA