infosec-for-c-level-introductory-calcpa-orange-county-fall...


Page 1: infosec-for-c-level-introductory-calcpa-orange-county-fall ...avalonadvisorsinc.com/files/infosec-for-c-level-introductory-calcpa... · Page 11 Average Cost of Data Breach $194 Per

Page 1

CYBER SECURITY CHALLENGES AND SOLUTIONS — AN EXECUTIVE BRIEFING

© Copyright 2012. Citadel Information Group, Inc. All Rights Reserved.

CalCPA

Orange County/Long Beach Chapter

Fall Seminar Series

September 18, 2011

Stan Stahl, Ph.D.

President

Citadel Information Group

Phone: 323.428.0441

[email protected]

www.Citadel-Information.com

Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

It was the best of times.

It was the worst of times.

Charles Dickens


Information Security — The CliffsNotes

• Cyber Criminals Want Our Information & Our Computers
• We Are Under Attack
• Our Defenses Are Inadequate
• We Must Do Better
  • In our offices
  • In our homes
  • In our community




Page 7

CyberCrime Step 1: Set the Trap—Install Malware on Poorly-Secured Web Site


CyberCrime Step 2: Set the Bait—Get the User to Visit the Website

http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/


CyberCrime Step 3: Spring the Trap—Exploit Flaws to Install Malware on User’s PC/Mac



Page 8

Annual Cost of Online Bank Fraud:

$1,000,000,000


Bloomberg, Aug 4, 2011: http://www.bloomberg.com/news/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.html

August 2009: Cyber Criminal Gangs in Eastern Europe Stealing Millions in On-Line Bank Fraud


Washington Post, http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html


October 2009: On-Line Bank Theft is Cyber Crime Growth Industry


Washington Post, October 26, 2009: http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html



Page 9

November 2010: Known US Commercial Cyber Threat Victims


Source: http://krebsonsecurity.com/2010/11/charting-the-carnage-from-ebanking-fraud-ii/


Thursday, July 12, 2012

http://krebsonsecurity.com/2012/07/eu-to-banks-assume-all-pcs-are-infected/

Adding Insult to Injury: Loss Responsibility Often Falls to Victim



Page 10

Financial Fraud and Identity Theft Up 19% in 2011


563,201,803 Financial Records Reported Breached

January 10, 2005 – July 31, 2012

These count only reported breaches. They count neither (1) discovered but unreported breaches nor (2) undiscovered breaches.

Breach Disclosures at Record Highs


A Few More Expensive Breach Disclosures



Page 11

Average Cost of Data Breach

• $194 Per Compromised Record
• $5.5 Million Per Event
• California Civil Code Section 56.36
  • $1,000 nominal damages for disclosure of medical information


State-Sponsored Intellectual Property Theft: Death by a Thousand Cuts


Bloomberg: Cyber Cold War



Page 12

Operation Aurora: the China Connection


State-Sponsored Cyber Attacks Provide Criminals with Advanced Methods


August 2009: IBM Warns “Trust No One”



Page 13

September 2010: Interpol Calls Cyber Crime “World’s Most Dangerous Criminal Threat”


http://www.theage.com.au/technology/security/cyber-crime-is-worlds-most-dangerous-criminal-threat-20100920-15iej.html

September 2011: Cyber Crime Bigger Than Drug Trade?


Cyber crime now bigger than the drugs trade
Says cyber security firm
By Brid-Aine Parnell, 7th September 2011 14:17 GMT

The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine, which is estimated at $388bn, a new headline-grabbing study reported.

• US Annual Losses at $114B

• One million victims of cybercrime every day


September 2012: Under Increasing Attack



Page 14

Connecting the Dots: Information Risk is Business Risk

Business Information Under Attack

Theft

Financial Fraud & Embezzlement

Stolen Sales Information

Corporate Espionage

Theft of Proprietary Processes, Technologies & Other Intellectual Property

Loss of Protected Information Belonging to Others

Critical Information Unavailable

Systems Used for Illegal Purposes


Connecting the Dots: Cyber Crime Costs Real Money

Embezzlement and Fraud

Direct Incident Recovery Costs

Lost Productivity Costs

Intellectual Property Losses

Breach Disclosure Costs

Legal & Attorney Costs, including Investigations & Fines

Loss of Brand Value

Loss of Competitive Advantage


Right Now: The Enemies are Winning


[Diagram] Opportunities to Make Money and Cause Harm; Cost of Entry; Likelihood of Being Caught


Page 15

Meeting the Challenge of Cyber Crime


It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.


Know Your Enemy


Why Would Anyone Break Into Information Systems?

… Because that’s where the money is!

Willie Sutton


• Bank fraud
• Other network-based fraud
• Sell stolen credit cards, SS#, medical identities
• Sell stolen intellectual property
• Lease botnets for spam, DDOS attacks, storage



Page 16

Why Would Anyone Break Into Information Systems?

… Because that’s where the competitive advantage is!


Why Would Anyone Break Into Information Systems?

… To mess with our way of life!

… To achieve political objectives!

… Because they can!


CarderPlanet: Ensuring Honor Among Thieves


Wired, January 31, 2007: http://www.wired.com/politics/onlinerights/news/2007/01/72605



Page 17

profsoyuz.biz: Reshipping Turns Hot Cards into Hot Stuff

http://krebsonsecurity.com/2011/10/turning-hot-credit-cards-into-hot-stuff/


Spy Eye: Easy-to-Use Software for the Non-Technical Cyber Criminal


And It’s Only Getting Worse



Page 18

Cyber Crime: A Lucrative Business Model


[Diagram] Likelihood of Being Caught; Opportunities to Make Money; Cost of Entry


Insider Abuse: Still a Problem

• Crimes include
  • Embezzlement & Financial Theft
  • Theft of Intellectual Property
  • Destruction of Information Assets
  • Spying on Management & Other Employees
  • Masquerading as Other Employees
  • Running Other Businesses
  • Physical Theft
  • Resource Misuse


Network-Based Fraud: Underneath the Accounting System; Below the Controls



Page 19

How Cyber Criminals Get On Your Computer


Between the Bars


Between the Bars: Install Malware on Poorly Protected Web Sites



Page 20

Between the Bars: Use Celebrities as Bait


Between the Bars: Exploit Flaws on PCs, Macs, Tablets & Smartphones


Between the Bars: Go Through the Firewall as Ordinary Traffic


Firewall blocks activity on unneeded ports

Cyber criminals use email and Internet to go through open ports



Page 21

Between the Bars: Anti-Virus & Anti-Malware Increasingly Ineffective


Anti-Virus blocks known malware DNA

Cyber criminals create malware whose DNA changes every time it installs


Between the Bars: 30 Days in June


http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/

Between the Bars: Zeus More Powerful than Anti-Virus


https://zeustracker.abuse.ch/



Page 22

Between the Bars: Take Advantage of Human Weakness


Before: The Nigerian Scam

Now: Targeted Spear-Phishing

http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
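The lookalike link above (and the same link under "Set the Bait") works because the eye stops at "citibank.com" while the browser connects to the last two labels. As an added example, not part of the original briefing, the Python below pulls out the registrable domain of the slide's URL and compares it with the brand names and reassuring words stuffed into the subdomain labels; it also handles a brand embedded inside a single hyphenated label, which goes beyond the slide's case. The public-suffix and brand lists are small constructed subsets, not the full Mozilla Public Suffix List.

```python
"""Lookalike-hostname check for the spear-phishing URL shown on the slide.

Added example, not part of the original briefing. The suffix and brand
lists below are constructed subsets used only to make the example run.
"""
from urllib.parse import urlsplit

# The URL as it appears on the slide (page content, not a constructed value).
SLIDE_URL = ("http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal"
             ".jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz"
             ".udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o"
             ".aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/")

# Constructed subset of two-label public suffixes; a real deployment would
# load the Mozilla Public Suffix List instead of this hand-picked set.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.br", "co.jp"}

# Constructed list of brands whose names tend to be planted in subdomains.
PROTECTED_BRANDS = {"citibank", "paypal", "chase", "wellsfargo"}

# Labels chosen to look reassuring ("secure", "ssl", "signon") to a reader.
LURE_LABELS = {"secure", "ssl", "signon", "sessionid"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that is actually registered and
    trusted by the browser: the name directly under the public suffix,
    e.g. 'paroquiansdores.org' or 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_url(url: str) -> dict:
    """Compare what a reader sees at the front of the hostname with the
    domain the connection really goes to, and report the mismatch."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    real = registrable_domain(host)
    labels = host.lower().split(".")
    # Everything left of the registrable domain is attacker-controlled text.
    sub_labels = labels[: len(labels) - len(real.split("."))]
    # A protected brand that appears only in the subdomain part is spoofed.
    spoofed = sorted(
        brand for brand in PROTECTED_BRANDS
        if any(brand in label for label in sub_labels) and brand not in real
    )
    lures = sorted(word for word in LURE_LABELS if word in sub_labels)
    return {
        "host": host,
        "registrable_domain": real,
        "subdomain_labels": len(sub_labels),
        "spoofed_brands": spoofed,
        "lure_words": lures,
        "plain_http": parts.scheme == "http",
        # Flag a brand in the wrong place, or an implausibly deep hostname.
        "suspicious": bool(spoofed) or len(sub_labels) > 4,
    }


if __name__ == "__main__":
    report = analyse_url(SLIDE_URL)
    print(f"reader sees   : {report['host'][:40]}...")
    print(f"browser trusts: {report['registrable_domain']}")
    print(f"spoofed brands: {report['spoofed_brands']}")
    print(f"lure labels   : {report['lure_words']}")
    print(f"suspicious    : {report['suspicious']}")
```

The same check is the logic a mail gateway or proxy applies before a user ever sees the link: the decision rests on the registrable domain, never on the labels in front of it.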


Between the Bars: Shift Attacks from Servers to End-User Devices


Between the Bars: Compromise Physical Media



Page 23

Between the Bars: Take Advantage of Insecure Public Wi-Fi


Between the Bars: Attack Remote Computing Devices


Between the Bars: Attack Password Weaknesses



Page 24

Between the Bars: Attack Encryption Weaknesses


34,000,000 Stolen Credit Cards
• $24 million to Banks
• $40.9 million FTC agreement to pay issuers
• $9.7 million settlement to 41 state Attorneys General
• $107 million set-aside in 2007

Between the Bars: Attack Weaknesses in 2nd-Factor Authentication


September 2009

Anatomy of an Attack: Phase 1—Take Control of the Workstation


Spear-Phishing Email

Web Site Drive-By

SmartPhone

Malicious USB Key

0-Day Exploit

Social Engineering

ZeuS / SpyEye Trojan

Key Logger

File Access

Botnet Herder



Page 25

Phase 2 — Steal Money & Sell Information


[Diagram] User IDs and Passwords; Credit Card & Bank Numbers; Sensitive Information; Illegal Computer Use


Know the Enemy … Know Thyself


It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.


… Imperiled in Every Single Battle

• Cybercriminals
  • Know vulnerabilities
  • Choose where, when & how of attack
  • Attacks blend technology with social engineering
• Defenders
  • Inadequately aware of threats
  • Overly optimistic about defenses
  • Inadequate management / leadership
  • Over-emphasis on yesterday’s technology
  • Lack of specialized knowledge & training
  • Staff not trained to be mindful



Page 26

Cyber Security Management—Three Key Strategies


Strategy 1: Proactively Manage Information Risk Across Three “Business Domains”


[Diagram] Information Security Management

Strategy 2: Implement a Risk-Driven Layered Approach to Achieve Defense in Depth


Operating Assumption: Cyber criminals will get through any particular defense

The Citadel. Halifax, Nova Scotia.


Page 27

Strategy 3: Learn About Cyber Security. Train Your People.

• Management & Board
  • Laws, regulations, etc
  • Governance / Management principles
• Staff
  • In the office
  • At home
  • On the road
• IT Staff / Vendors
  • Secure IT management
  • Secure configuration
• Suppliers and Trading Partners


What Don’t You Know That You Don’t Know You Don’t Know?

Strategy 3a: Learn About Cyber Security. Train Your Family.


Cyber Security Management — Managing Information Risk



Page 28

Meet Information Security Laws, Regulations, Contracts & Appropriate Practices

• US Federal Law
  • HIPAA HITECH
  • Gramm-Leach-Bliley
  • FTC Rule
• US State Laws
  • CA Breach Disclosure
  • Other Breach Disclosure
  • CA Civil Code 1798.81.5
• MasterCard and Visa Data Security Standard (PCI)
• European & Other Laws
• ISO standards
  • ISO 27001
  • ISO 27002
• Government Standards, Guides & Advisories
  • NIST
  • NSA
  • US-CERT
• Practitioner Standards
  • ISSA
  • ISACA
  • (ISC)2
  • SANS Institute


Implement Information Security Policies and Standards

• Security Management Policies
• 3rd-Party Security Standards
• Security Reviews
• Classification and Control Standards
• Standards for Information Users
• Staffing & Personnel Standards
• Physical Security Standards
• IT Infrastructure Standards
  • IT Security Management
  • Vendor Selection and Management
  • Securing the IT Infrastructure
  • Application Security, including Websites
  • Change Control
  • Logging and Review
  • Back-up, Incident Response, etc
  • Access Control Management
  • Encryption
• Training & Education


Citadel: Seven Requirements for Successfully Implementing Information Security Policies

Develop Information Inventory

• Information of Others
  • Names, Address, PII
  • Social security numbers
  • Credit card numbers
  • Health information
• Information of Firm
  • Online bank credentials
  • Pricing information
  • Sales histories
  • Inventories
  • R&D
  • Trade Secrets
• Classify Information
  • Public
  • Internal Use Only
  • Restricted
• Assign Owners to sensitive information
  • Identify access restrictions
  • Identify servers and workstations where stored



Page 29

Provide Top-Level Management & Leadership

Information security requires CEO attention in their individual companies … Business Roundtable, 2004


Secure from the Bottom Up

Manage / Lead from the Top Down


[Diagram] Keep Systems Patched; “Intrusion Detection & Prevention”; Train Staff; Information Security Governance; Information Security Policies; Compliance Management; Classify & Control Information; IT Security Management; Physical & Personnel Security; Plan for Incidents; Trust. But Verify.; Manage 3rd-Parties


Manage Information Security Like Other Quality Programs


Demonstrate Continuous Process Improvement of Organization's Ability to Secure Sensitive Information

A5: Security Policy

A6: Organization

A7: Asset Management

A8: Human Resources

A9: Physical / Environmental

A10: Communication & Operations Management

A11: Access Control

A12: Acquisition, Development & Maintenance

A13: Incident Management

A14: Business Continuity

A15: Compliance

ISO 27001, Annex

ISO 27002

Continuous Process Improvement Engine

Information Security Management System



Page 30

Getting Started: The To-Be


If you don’t know where you’re going, when you get there you’ll be lost.

Yogi Berra


What Security Do You Need?

Getting Started: The As-Is


If You Don’t Know Where You Are, a Map Won’t Help


What is Your Current Security Posture?

Implementing the Information Security Management System



Page 31

An Ounce of Prevention is Worth a Pound of Cure

Security Prevention Costs
• Technology costs
• Security management costs
  • Executive
  • IT security management
• Security overhead costs

Security Incident Costs
• Cold hard cash
• Direct incident recovery costs
• Lost productivity costs
• Intellectual property losses
• Breach disclosure costs
• Legal & attorney costs, including investigations and fines
• Loss of brand value
• Loss of competitive advantage


Greatest Challenge: Organizational Leadership

• Awareness of Risk
• Knowledge and Ability to Act
• Enthusiasm for Getting Involved
• Eager to Create a Culture of Cyber Security Mindfulness
• Attitude that “Failure is not an option”
• Continually asks “What don’t I know that I don’t know I don’t know”


Cyber Security Management — Tactics



Page 32

Protect Against Online Bank Fraud

• Use Stand-Alone Workstation for On-Line Banking
  • Use Only for On-Line Banking
    • No email
    • No web browsing
  • Best to Have Separate Internet Connection
  • Best if Separate from Corporate Network
  • Strongly Manage Security of Necessary Connection
• Out-Of-Band Confirmation from Bank
• Daily Reconciliation
• Manage Authorization
• Positive Pay


Keep Computers Patched and Updated


Report Available: Citadel. ISSA-LA. LinkedIn. Facebook. RSS. Twitter. FBI InfraGard. eMail.

Set Computers to Have “Limited” Authority


Windows is Designed to Block Standard Accounts From Installing Programs and Making Security-Relevant Changes


Page 33

Be Wary of eMail and Links on Internet & Social Media Sites

Be Very Cautious on Social Media Networks


Install a Full-Featured Anti-Malware Product and Keep it Updated



Page 34

Use Strong Passwords as a Basic Line of Defense

• Corporate, Banking, eCommerce
  • Long passphrase: 12+
  • Lovemyjob$$$3
  • Different on Different Sites
• Registration Passwords
  • qwertyu7
• Use Secure Password Manager
  • RoboForm
  • Keepass
  • Carefully … 20+ Passphrase


Use Encryption to Protect Sensitive Data

• Encryption at Rest
  • Laptops
  • External & USB drives
  • Sensitive databases
• Encryption in Transit
  • HTTPS:
  • WPA2 for Wi-Fi
  • Email
• Disk & File Encryption Tools
  • Windows BitLocker: Hard drive encryption
  • Truecrypt: Hard drive encryption
  • Axcrypt: File encryption
  • WinZip: File encryption
• Key Performance Parameters
  • Encryption algorithm
  • Key length
  • Key security
  • Time to encrypt / decrypt


Use Wi-Fi Safely

• SOHO
  • Hide SSID
  • WPA2 Encryption
  • Long Passphrase
  • Turn Off WPS (Wi-Fi Protected Setup)
    • Buy different router
• On the Road
  • Avoid Free Wi-Fi
  • Don’t Automatically Connect
  • Connect Only When Needed
  • “Forget” When Done



Page 35

Be Careful with File Transfer Services

• Extremely Useful … When Used with Care
• Responsibility with User
  • Know what you’re buying
  • Having security feature ≠ feature implemented correctly
  • Train staff on (in)secure use


Protect Remote Computing Devices

• Laptops and Netbooks
  • Protect like desktops
  • Encrypt hard drives
• iPads, Smartphones, Tablets
  • Password protect
  • Minimize sensitive information / processing
  • Manage Wi-Fi
  • Encrypt when available
  • Remote find & kill
  • Use VPN when available


Avoid P2P File Sharing Networks

• Used to illegally share movies and music
• Opens a dangerous hole on your computer



Page 36

The Cloud: Yes … But Look Before You Leap

• Understand Differences in Cloud Services
  • Salesforce.com
  • Authorize.net
  • Dropbox
  • iCloud, Google, Amazon S3
  • Google Docs
  • Gmail, Office 365
  • Private clouds
  • Desktop as a Service
  • Security as a Service
• Security - Legal - Insurance
  • Security & privacy responsibility
  • Information availability
  • Legal compliance
  • Insurability


http://www.citadel-information.com/2012/03/eight-security-concerns-before-jumping-into-the-cloud/

Be Prepared: Not a Matter of If, But When

• Incident Response
• Disaster Recovery
• Information Continuity
• Issues
  • Back to Work
  • Evidence Preservation
  • Crisis Management
• Be Prepared
  • Management Plans
  • Information
  • Network Logs
  • Tests
  • Training


In preparing for battle I have always found that plans are useless, but planning is indispensable.

Dwight D. Eisenhower

Conduct Independent Risk and Vulnerability Review


What Don’t You Know That You Don’t Know You Don’t Know?


Page 37

Protect Organization

Meet Information Security Standard of Care

Lower Total Cost of Information Security SM


Join the Cyber Security Team

• Keep Home Computers Patched
• Be Cyber-Aware Consumer
  • Citadel: Personal Guide to Staying Safe Online
  • Stop. Think. Connect.
  • It’s Not Paranoia if They are Out to Get You
• Train Spouse & Children
• Be a Leader at Work



Page 38

Require Technical Staff and IT Vendors to Get Specialized Information Security Training


Communication

Collaboration

Cooperation

ISSA-LA

Open Source Web Application Security Project (OWASP-LA)

Cloud Security Alliance (CSA-LA)

(ISC)2

Help Our Nonprofits

Security Needs High. Resources Low.


Cyber Security Legislation: Three Things We Need From Washington

• Mandatory Minimum Standards
• Information Sharing
• Privacy Protection



Page 39

For More Information


Stan [email protected]

323-428-0441 LinkedIn: Stan Stahl Twitter: @StanStahl

Citadel Information Group: www.citadel-information.com

Citadel Guides

Information Security Resource Library

Cyber Security News

Weekly Patch and Vulnerability Report

ISSA-LA: www.issa-la.org Technical Meetings: 3rd Wednesday of Month

5th Annual Information Security Summit: May 21, 2013

Coming Soon: CitadelOnSecurity—Awareness Training and Education


The Final Words


Problems cannot be solved by the same level of thinking that created them

Albert Einstein

Information Risk = Threats ∗ (Vulnerabilities / Countermeasures)



Page 40

Protect your neighbor's information as you would want your neighbor to protect yours


CYBER SECURITY CHALLENGES AND SOLUTIONS — AN EXECUTIVE BRIEFING


Thank You!

Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community