PMINJ Chapter Symposium - 06 May 2019
TRANSCRIPT
Susan Parente
PMP, PMI-ACP, PMI-RMP, CSM, CSPO, PSM I, CISSP, ITIL, RESILIA, CRISC,
MS Eng. Mgmt.
GLS Team- Practice Consultant for Agile Scrum and IT Practice, Senior Instructor
Instructor, University of Virginia: Agile Project Mgmt.
Cybersecurity
Am I at risk…?
PMINJ Chapter
Symposium - 06 May 2019
© International Institute for Learning, Inc. All rights reserved. 2
Susan Parente
• Risk Management and Agile Consultant and Trainer
• Master of Science (MSEM — Focus in Marketing of Technology), George Washington University
• Bachelor’s in Mechanical Engineering (BS ME)
• Certifications:
Project Management Professional (PMP™) — 2006
Project Risk Management Professional (PMI-RMP™) — 2011
Certified Information Systems Security Professional (CISSP) — 2007
RESILIA™ — 2006
CRISC — 2018
ITIL Foundations — 2006
Agile Certified Practitioner (PMI-ACP™) — 2014
Certified Scrum Master (CSM) & CSPO — 2017
Professional Scrum Master I (PSM I) — 2017
Am I at Risk…?
What is Cybersecurity?
• Why is IT Security so important?
Information Security
Attacks/ Breaches
Common Threats/ Vulnerabilities
• Examples of threats
What Can I Do?
• Prevent (Risk Assessment, Planning, Training)
• React (Recognizing/ Malware Detection)
• Safe and Secure?: Defense Dept.
Cybersecurity
What is Cybersecurity?
Cybersecurity: Also known as information technology security
• Includes the techniques used to protect computers, networks, programs and data from unauthorized access or from attacks on one’s computer or systems.
Cyber Attack: An attempt to cause damage or destruction to a computer system or network.
• Targets an individual or enterprise with the intent to disrupt, disable, destroy, or control a computer, its environment, or infrastructure, or to destroy the integrity of data or steal information.
Attacks/ Breaches
Definitions
Attack: An attempt to obtain unauthorized access to information or services, or to harm or damage IT systems.
Breach: An incident in which an attack succeeds in bypassing the system’s security controls, giving the attacker unauthorized access to data or systems. (The attack is the attempt; the breach is the attempt that succeeded.)
Attacks/ Breaches
*Verizon, 2015 Data Breach Investigations Report
Common Threats/ Vulnerabilities
Phishing:
A fraudulent practice of sending email disguised as coming from a legitimate source, with the purpose of having individuals divulge personal information, open an attachment, or enter their credentials on a look-alike site. Phishing is very commonly used and unfortunately it often works!
Social Engineering:
Deception by fraudulent parties to manipulate someone into sharing personal or confidential information (sensitive data), or into taking an action such as approving a payment or granting access.
Spyware/ Trojan Horse:
A Trojan horse is a malicious program packaged inside what appears to be legitimate software, so the user installs it willingly. Once running it works in the background, typically as spyware that records activity and steals data, or it may delete files.
Viruses:
Malicious code hidden inside a program or file. It infects the computer when that file is opened or run, then spreads by copying itself into other files, commonly including mailing itself to everyone on your contact list.
Phishing Example:
How do you know?
Take a closer look…
Common Threats/ Vulnerabilities
Common Threats/ Vulnerabilities
Phishing Example Identification:
• It looks legitimate
(from HR, your bank, an invoice, shipping confirmation, etc.)
• Check the actual sender address, not just the display name
(a look-alike domain with one character changed is a common trick)
• Hover over the link
If the destination does not match the text shown, or you don’t recognize it, don’t click!
• Spelling or grammar errors
• Urgency!! (invoking fear)
• Unexpected attachments, or a request for credentials or a payment
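The checks on this slide can be automated for first-pass triage. The script below is an added example written for this transcript, not code from the original deck or from Axelos; it runs the slide’s checks (sender domain versus display name, link text versus real destination, urgency wording, a misspelling) over one constructed sample email. The organisation domain `example-corp.com`, the look-alike `examp1e-corp.com`, the `login-verify.net` host and the keyword list are all assumptions made up for the example.

```python
"""Phishing-triage heuristics run over a constructed sample email.

Added example for this deck, not part of the original slides. The email, the
domain names and the keyword list are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-corp.com"   # assumed: the organisation's real domain
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:[/:?#]|$)")

# Constructed sample: the display name says payroll, the sender domain swaps an 'l'
# for a '1', and the link text shows one host while the href goes somewhere else.
SAMPLE_EMAIL = """\
From: "Payroll Department" <hr@examp1e-corp.com>
To: employee@example-corp.com
Subject: URGENT: confirm your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your direct deposit has been suspended. Verify <b>immediatly</b> or your next pay will be delayed.</p>
<p><a href="http://example-corp.com.login-verify.net/hr">https://hr.example-corp.com/payroll</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname if the string looks like a URL or bare host, else '' (so 'Click here' is ignored)."""
    s = s.strip()
    if not URL_LIKE.match(s):
        return ""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels, a crude stand-in for the registrable domain (real code would use the PSL)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse(raw: str) -> dict:
    """Apply the slide's checks and return the findings; the reader decides what to do with them."""
    msg = message_from_string(raw)
    findings = []

    # "It looks legitimate": the display name is trivial to fake, so check the address domain.
    _name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain != TRUSTED_DOMAIN:
        findings.append(f"sender domain {sender_domain!r} is not {TRUSTED_DOMAIN!r}")
        if sender_domain.replace("1", "l").replace("0", "o") == TRUSTED_DOMAIN:
            findings.append("sender domain is a digit-for-letter look-alike")

    # "Hover over the link": compare what the link shows with where it really goes.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        if shown and registrable(real) != registrable(shown):
            findings.append(f"link text shows {shown!r} but points to {real!r}")
        if TRUSTED_DOMAIN in real and registrable(real) != TRUSTED_DOMAIN:
            findings.append(f"trusted name used as a subdomain of {registrable(real)!r}")

    # "Urgency!!" and "spelling or grammar errors".
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(f"urgency language: {hits}")
    if re.search(r"\bimmediatly\b", text):   # one constructed misspelling so the example stays offline
        findings.append("common misspelling present")

    return {"findings": findings, "score": len(findings)}


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL)
    for f in result["findings"]:
        print("-", f)
    print("score:", result["score"], "->", "SUSPICIOUS" if result["score"] >= 3 else "ok")
```

The sample trips all six heuristics. The link check is the one that matters most in practice: the visible text is a genuine-looking `hr.example-corp.com` URL, but the `href` puts the trusted name in front of a completely different registrable domain, which is exactly what a hover reveals and what a quick glance does not.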
Common Threats/ Vulnerabilities
Ransomware:
Your computer data is encrypted and held ‘hostage’, and you are asked for payment to release it and regain access to your computer. (This is another great reason to back up your data! Keep at least one copy offline or otherwise out of reach, because ransomware also encrypts any backup drive or share it can write to, and test that you can actually restore from it.)
Worm:
Once your computer is infected, it works on its own without any user action, and propagates by sending itself to other computers over the network.
DoS (Denial of Service) Attack:
The goal of this is to flood a specific website or server with requests until the volume overwhelms it and legitimate users can no longer get service. (When the traffic comes from many machines at once, typically a botnet, it is a Distributed DoS, or DDoS.)
*Axelos Limited, 2017. RESILIA Frontline Overview
Common Threats
*Axelos Limited, 2017. RESILIA Frontline Overview
“You need to really work with your people and embark on conversations with them about the threats that are out there. That’s what we want to change – we want people to talk about security, discuss the risks, but help each other out. The more people talk about security with each other, the better things will become.”
Common Threats
*Axelos Limited, 2017. RESILIA Frontline Overview
“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you’ll do things differently.”
Common Threats
*Axelos Limited, 2017. RESILIA Frontline Overview
“It is important companies remain vigilant, taking steps to proactively and intelligently address cyber security risks. Beyond the technological solutions, we can accomplish even more through better training, awareness and insight on human behaviour. Confidence, after all, is not a measure of technological systems, but of the people entrusted to manage them.”
What can I do…?
Prevent attacks
• Risk Assessment, Planning, Awareness
React to attacks
• Recognizing/ Malware Detection
General Prevention
IT Security Guidelines/ Standards
• Develop and implement guidelines and standards to prevent incidents and to manage IT security across the organization.
Password Safety:
• Guidance on creating and managing high-strength passwords to help stop attackers gaining unauthorized access to the organization’s network. (Length and a unique password per account matter more than forced complexity rules; a password manager makes both practical, and multi-factor authentication limits the damage when a password is stolen anyway.)
Remote and Mobile Working:
• Safe use of office devices outside of the organizational environment (full-disk encryption, automatic screen lock, a VPN or equivalent on untrusted networks, and caution on public Wi-Fi).
*Axelos Limited, 2017. RESILIA Frontline Overview
Prevent Attacks- Risk Identification
Identification of Cybersecurity Risks
Operational Cybersecurity Risks (as per SEI):
• Actions of People, including: unintentional, intentional, lack of action
• Systems and Technology Failures, including: hardware, software, systems
• Failed Internal Processes, including: design of processes, execution of processes, controls for processes, supporting processes
• External Events, including: hazards, legal, business, dependencies of services
*Reference: SEI (May 2014) “A Taxonomy of Operational Cyber Security Risks Version 2”. Retrieved from https://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_91026.pdf
Prevent Attacks- Risk Awareness
Enterprise Security Risk Assessment
• Include an assessment of both probability and impact to evaluate the risk exposure (exposure = probability × impact), so that risks can be ranked against one another.
Risk Response Planning
• For those vulnerabilities (risks) whose exposure is above the risk tolerance, plan a response (avoid, mitigate, transfer, or accept with monitoring), assign an owner, and confirm that the planned response actually brings the residual exposure within tolerance.
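The two preceding slides (the SEI risk classes and the probability-times-impact assessment against a tolerance) can be exercised together on a small risk register. The code below is an added example for this transcript, not code from the deck, from PMI or from SEI; the register entries, the 1 to 5 scales, the tolerance of 8 and the planned responses are all constructed assumptions. It ranks risks by exposure, shows where the exposure concentrates by SEI class, and then checks each risk above tolerance for a response that brings its residual exposure back under the line, reporting the ones that are missing or insufficient.

```python
"""Risk register worked example: probability x impact, ranked against a tolerance,
with a check that planned responses actually bring residual exposure within it.

Added example for this deck, not code from the slides, PMI or SEI. The register
entries, the 1-5 scales, the tolerance and the planned responses are constructed.
"""
from dataclasses import dataclass

# The four SEI operational cyber security risk classes listed on the slide.
SEI_CLASSES = ("Actions of People", "Systems and Technology Failures",
               "Failed Internal Processes", "External Events")
STRATEGIES = ("avoid", "mitigate", "transfer", "accept")   # standard PMI response strategies


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    sei_class: str
    probability: int   # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int        # 1 = negligible .. 5 = severe (assumed scale)

    def __post_init__(self):
        if self.sei_class not in SEI_CLASSES:
            raise ValueError(f"{self.rid}: unknown SEI class {self.sei_class!r}")
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: probability and impact must be 1..5")

    @property
    def exposure(self) -> int:
        return self.probability * self.impact


@dataclass(frozen=True)
class Response:
    rid: str
    strategy: str
    action: str
    owner: str
    residual_probability: int   # expected values once the action is in place
    residual_impact: int

    def __post_init__(self):
        if self.strategy not in STRATEGIES:
            raise ValueError(f"{self.rid}: unknown strategy {self.strategy!r}")

    @property
    def residual_exposure(self) -> int:
        return self.residual_probability * self.residual_impact


def ranked(register):
    """Highest exposure first; ties broken by impact so severe-but-rare risks surface."""
    return sorted(register, key=lambda r: (r.exposure, r.impact), reverse=True)


def above_tolerance(register, tolerance):
    return [r for r in ranked(register) if r.exposure > tolerance]


def exposure_by_class(register):
    """Where the exposure concentrates, by SEI class (useful when choosing controls)."""
    totals = {c: 0 for c in SEI_CLASSES}
    for r in register:
        totals[r.sei_class] += r.exposure
    return totals


def check_plan(register, responses, tolerance):
    """Verdict per risk above tolerance: 'ok' if a planned response brings residual
    exposure within tolerance, 'insufficient' if it does not, 'missing' if none exists."""
    by_rid = {p.rid: p for p in responses}
    verdict = {}
    for r in above_tolerance(register, tolerance):
        p = by_rid.get(r.rid)
        if p is None:
            verdict[r.rid] = "missing"
        elif p.residual_exposure > tolerance:
            verdict[r.rid] = "insufficient"
        else:
            verdict[r.rid] = "ok"
    return verdict


# Constructed register and responses (assumptions, not data from the deck).
REGISTER = [
    Risk("R1", "Employee enters credentials on a phishing page", "Actions of People", 4, 4),
    Risk("R2", "Internet-facing VPN appliance left unpatched", "Systems and Technology Failures", 3, 5),
    Risk("R3", "Backups never test-restored; recovery fails after ransomware", "Failed Internal Processes", 2, 5),
    Risk("R4", "Cloud provider regional outage", "External Events", 2, 3),
    Risk("R5", "Laptop lost while travelling (disk is encrypted)", "Actions of People", 3, 1),
]
TOLERANCE = 8   # assumed: exposure above 8 on the 1..25 scale needs a planned response
RESPONSES = [
    Response("R1", "mitigate", "awareness training plus MFA on all remote logins", "CISO", 2, 2),
    Response("R2", "mitigate", "patch within 30 days of vendor release", "IT Ops", 2, 5),
    # R3 deliberately has no response, so check_plan reports the gap.
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.rid} exposure={r.exposure:2d} ({r.probability}x{r.impact}) {r.description}")
    print("by class:", exposure_by_class(REGISTER))
    print("plan check:", check_plan(REGISTER, RESPONSES, TOLERANCE))
```

With these constructed values R1, R2 and R3 sit above tolerance. R1’s response is sufficient, R2’s patching window only lowers probability to 2 and leaves a residual of 10, still above the line, and R3 has no response at all; the check surfaces both gaps before the plan is signed off, which is the point of planning responses only for risks above tolerance and then verifying them.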
Prevent Attacks- Awareness
*Axelos Limited, 2017. RESILIA Frontline Overview
Prevent Attacks- Awareness
*Axelos Limited, 2017. RESILIA Frontline Overview