Self-Assessment » Find a Consultant » Links & Resources » News & Headlines » Educational & Training Resources » Steve Peters, President, Community Information and Telecommunications Alliance, Co Chair, Arizona Cyber Security Alliance; Matt Hymowitz, Partner, GMP Networks, Co Chair, Arizona Cyber Security Alliance

Upload: bonnie-caldwell

Post on 25-Dec-2015


TRANSCRIPT

Self-Assessment »

Find a Consultant »

Links & Resources »

News & Headlines »

Educational & Training Resources »

Steve Peters, President

Community Information and Telecommunications Alliance

Co Chair, Arizona Cyber Security Alliance

Matt Hymowitz, Partner

GMP Networks

Co Chair, Arizona Cyber Security Alliance


This Presentation

Intro to the Arizona Cyber Security Alliance

Overview of cyber crimes and security threats

Tips to prevent compromise of your systems and information

Strategies to ensure business continuity and disaster recovery if they are compromised


Arizona Cyber Security Alliance

A project of CITA, Tucson's nonprofit Community Information and Telecommunications Alliance

This statewide security Alliance will help the Arizona community:

understand the rising security threats

develop strategies to reduce personal, customer and business risks


Targeting

Small business and nonprofit executives

IT professionals

Home users

Includes large and small businesses, non-profits, law enforcement, government, and information technology and security professionals


Secure Computer

“The only secure computer is one that is turned off, locked in a safe, and buried twenty feet down in a secret location--and I'm not completely confident of that one, either.”

– BRUCE SCHNEIER, E-MAIL SECURITY: HOW TO KEEP YOUR ELECTRONIC MESSAGES PRIVATE (1995)

Internet crime is the fastest growing crime in the U.S.


Five Key Messages

The frequency and seriousness of threats are growing

Whether you have

• a single computer

• or a corporate network

• you are at risk

Securing your system will help secure the Internet


Five Key Messages (2)

Information security is a core business requirement, not just a technology problem.

Don’t rely just on hardware and software solutions. You also need to address:

• security policies and plans

• employee awareness programs

• insurance and legal issues

• business continuity and disaster recovery plans

Hardware and software are essential, but people are the key


What is Vulnerable

Computer Systems

VoIP Phone systems

PDAs and cell phones

Wired and wireless networks

Xbox and Tivo

Internet Relay Chat, peer-to-peer networks, instant messaging

Web based applications and browsers

RFID Tags


Threats

Cyber Threats

Physical Threats

Internal Threats

External Threats

Intentional Threats

Unintentional Threats


Cyber Threats

Wired & Wireless Intrusions

Destructive worms, viruses and trojans

Spam and Spyware (keyboard and event logging)

Phishing, Identity Theft, and Fraud (Websites, URLs, Spoofing, & Redirection)

Your computer as a bot to attack other computers

Applications and OS vulnerabilities

Denial of Service Attacks

Cyber terrorism

Ransomware


Cyber Threats (2)

Cyber attacks

Damage computers and destroy data

Monitor or interrupt communications

Provide access to private information

Monitor your computer and browsing behavior

Make your computer a bot to attack other computers

Deny access to your websites

Steal information and money

Support Cyber terrorism


Recent Trends

Professional cyber criminals, gangs, cyber terrorism

While past attacks were designed to destroy data, today’s attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence.

using bot networks

targeted attacks on Web applications and Web browsers

Targeted phishing attacks

Narrowly focused attacks aiming at specific companies

Growing Regulatory Compliance Requirements


Threats

Physical Threats: fire, theft, natural disasters

Internal Threats (70% of crimes): employee errors and attacks

disgruntled employees

opening attachments

downloading and use of unauthorized software (IM)

unauthorized use of computer systems

cyber loafing

wireless networks (rogue)

theft – systems and data


A Few Stats

Over 112,438 old and new viruses in 2004 - estimated $55 billion in business damages in 2003

Arizona ranked No. 1 for identity theft in 2003 with 6,832 reported cases

70-80% of attacks are internal

18 million phishing attempts in 2004

An unprotected computer could be compromised in less than 20 minutes after being connected to the Internet

1 in 16 e-mail messages includes a virus

Spam: 73% of all e-mail


Question

What will happen to your business or organization if your communications are disrupted or your information is compromised or stolen?

Direct losses

Indirect Losses

Legal and Insurance issues

Will You Be Out of Business?


Why Should You Care?

Direct Losses

Operational and customer information

Network, computer and communications systems

Money


Indirect Losses

interrupted communications

reduced productivity and damage to operations

loss of potential sales & disrupted revenue flow

reduced customer confidence and negative branding impact

loss of competitive advantage

loss of goodwill

continuity and recovery expenses


Legal Exposure and Insurance

Failure to meet business obligations

Compromised confidential client information

Illegal user activity

Director liability

Losses not covered by insurance

Lack of business continuity and disaster recovery coverage

Regulatory Compliance

• HIPAA, GLBA, SARBOX

Due diligence is the key


Security Technologies

Virus Protection

Hardware and Software Firewalls

Back-up Solutions

Managed Services - Outsourcing

Intrusion Detection Systems

Spyware protection programs

Encryption and Virtual Private Networks

Applications and OS patches

Content Filtering: Inbound / Outbound


Security Checklist

Are You Protected?

Current antivirus protection updated daily

Firewalls (hardware/software) or Intrusion Detection Systems

Security patches for your software & OS

Spyware protection (2-3 programs)

Do not open unexpected e-mail attachments from strangers or acquaintances

Daily backups


Security Checklist (2)

Business assessment: can your business survive a security disaster?

Outside Security Assessments

Avoid legal liabilities for failure to exercise due diligence, to protect confidential information, or if you cannot fulfill business obligations

• California’s Data Breach Law SB 1386 and Privacy Laws

• Gramm-Leach Bliley Act

• USA Patriot Act and the Banking Secrecy Act

• HIPAA and Sarbanes-Oxley Act

• CAN-SPAM Act


Security Checklist (3)

Ensure that your insurance coverage will cover business continuity, disaster recovery and legal costs

Physically secure your machines and backups from theft, fire and natural disasters

Designate an employee or a trusted vendor to be responsible for your Cyber Security, including updates

Know what normal computer, network and Internet behavior looks like so that you can tell what's abnormal

Control access to your systems & information
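The checklist item on knowing what normal computer and network behaviour looks like can be made concrete with a simple baseline check. The Python script below is an added example written for this page, not material from the presentation or from the Alliance. It works on constructed daily summaries of outbound traffic per host (the hostnames, byte counts and ports embedded in the script are invented), builds a per-host baseline of typical volume and destination ports from a quiet week, and then flags a later day whose volume exceeds the baseline by more than three standard deviations or that contacts a port never seen before.

```python
import statistics
from collections import defaultdict

# Constructed sample summaries (not from the original page), one line per host per day:
# "<date> <host> <outbound_bytes> <comma-separated destination ports>"
BASELINE_LOG = """\
2015-12-14 pc-front-desk 12000 80,443
2015-12-15 pc-front-desk 11500 80,443
2015-12-16 pc-front-desk 13200 80,443
2015-12-17 pc-front-desk 12800 80,443
2015-12-18 pc-front-desk 11900 80,443
2015-12-14 fileserver 5000 445
2015-12-15 fileserver 5200 445
2015-12-16 fileserver 4900 445
2015-12-17 fileserver 5100 445
2015-12-18 fileserver 5050 445
"""

# The day under review: the file server suddenly sends far more data and talks to a new port.
TODAY_LOG = """\
2015-12-21 pc-front-desk 12300 80,443
2015-12-21 fileserver 410000 445,6667
"""


def parse(log_text):
    """Turn the four-column summary lines into records; blank lines are skipped."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, host, nbytes, ports = line.split()
        records.append({"date": date, "host": host, "bytes": int(nbytes),
                        "ports": set(ports.split(","))})
    return records


def build_baseline(records):
    """Per host: mean and population std-dev of daily bytes, plus every port seen."""
    per_host_bytes = defaultdict(list)
    per_host_ports = defaultdict(set)
    for r in records:
        per_host_bytes[r["host"]].append(r["bytes"])
        per_host_ports[r["host"]] |= r["ports"]
    baseline = {}
    for host, values in per_host_bytes.items():
        baseline[host] = {"mean": statistics.mean(values),
                          "stdev": statistics.pstdev(values),
                          "ports": per_host_ports[host]}
    return baseline


def find_anomalies(baseline, records, sigma=3.0):
    """Return (host, reason) pairs for records that deviate from the host's baseline."""
    findings = []
    for r in records:
        b = baseline.get(r["host"])
        if b is None:
            findings.append((r["host"], "host not seen in baseline"))
            continue
        threshold = b["mean"] + sigma * b["stdev"]
        if r["bytes"] > threshold:
            findings.append((r["host"],
                             f"outbound bytes {r['bytes']} exceed baseline threshold {threshold:.0f}"))
        new_ports = r["ports"] - b["ports"]
        if new_ports:
            findings.append((r["host"], f"new destination ports {sorted(new_ports)}"))
    return findings


def run():
    """Build the baseline from the quiet week and review the later day against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(baseline, parse(TODAY_LOG))


if __name__ == "__main__":
    for host, reason in run():
        print(f"{host}: {reason}")
```

With the constructed data the front-desk PC stays within its baseline and produces nothing, while the file server is reported twice: once for the jump in volume and once for the new port. A week of samples gives only a rough standard deviation, so in practice the baseline window should be longer and the sigma threshold tuned to the environment; the point of the exercise is that nothing can be called abnormal until normal has been measured.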


Security Checklist (4)

Use complex passwords (8-10 characters) and change them regularly (e.g. ~mY*sEcrE1T)

Don’t share passwords or post them on your computer

Log off when your computer is not being used

Disconnect from the Internet when you do not need to be online

Perform reference checks on new employees, and background checks for IT staff. Have employees sign a non-disclosure agreement

Turn OFF the Outlook "Preview Pane"
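The password item in this checklist states a policy (length, complexity, regular change) without showing how an organisation would enforce it. The following Python is an added example, not code from the presentation or the Alliance: it checks a candidate password against the slide's minimum length of 8, against a requirement for several character classes (the class names, the three-class threshold, the triple-repeat rule and the small deny-list are assumptions made for this example), and separately checks whether a password is overdue for rotation against an assumed 90-day maximum age. The slide's own sample password ~mY*sEcrE1T is used as the passing case.

```python
import re
import string
from datetime import date

# Policy values taken from the checklist item (minimum 8 characters); the class
# count, repeat rule, deny-list and 90-day rotation period are assumptions for this example.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE_DAYS = 90

# Constructed sample deny-list; a real deployment would load a breached-password list.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def character_classes(password):
    """Return the set of character classes (lower, upper, digit, symbol) present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password deny-list")
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated three or more times in a row")
    return problems


def needs_rotation(last_changed_iso, today_iso, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the allowed age (dates as YYYY-MM-DD)."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return age > max_age_days


if __name__ == "__main__":
    for candidate in ("~mY*sEcrE1T", "password", "Aaa1!"):
        result = check_password(candidate)
        print(candidate, "OK" if not result else "; ".join(result))
    print("rotation due:", needs_rotation("2015-09-01", "2015-12-25"))
```

Reporting every violation at once, rather than stopping at the first, gives the user a single actionable message; the deny-list check matters because a password can satisfy every complexity rule and still be one attackers try first.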


Security Checklist (5)

Cleanup old machines before you dispose of them

Develop written plans and policies

• Internet use

• cyber and physical security

• business continuity and disaster recovery

Provide regular security training and awareness programs for your employees

• security strategies

• employee responsibilities


New Laws

The Gramm-Leach-Bliley Act

• Provides for criminal and civil liability for businesses that do not adequately protect personal and financial information. Applies to any financial institution that provides financial products or services to consumers

Sarbanes-Oxley Act of 2002

• Prevents destruction of documents relevant to audits of companies that report their financial information to the SEC

• Regulation S-X requires accountants to retain certain records for a period of seven years after an audit or review of financial statements


New Laws (2)

Health Insurance Portability and Accountability Act

• A covered entity may not use or disclose an individual’s protected health information (PHI) to any person including a business associate, except as permitted or required by the privacy rules.

• A covered entity MUST secure individually identifiable information

USA Patriot Act Title III (applies to financial institutions)

• Amended the Bank Secrecy Act regarding strict customer identification, retention of records for 5 years after close of account, and checking terrorist lists every 2 weeks


California’s Data Breach Law SB 1386

• Requires companies to notify California residents of any actual or suspected breach of the security of the system that contains personal information - applies to any online business with California customers, even if the company is not based in California

California SB 27 - “Shine the Light Bill”

• Gives consumers the right to ask what information an organization has about them and where it has been shared

California AB 68 - “Online Privacy Protection Act”

• Commercial websites or online services that collect personal information on California residents must post and comply with a privacy policy


If you have an incident

Call a professional!

Keep all records

• Logs

• Dates, times, etc.

Freeze the machine(s)

Bottom Line: Protect Your Systems and Your Data

Advise Your Clients To Protect Their Systems and Your Data
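Keeping records after an incident is only useful if those records can later be shown to be unaltered. The Python below is an added example, not part of the presentation or the Alliance's material: it records, for each evidence file, its size, modification time and SHA-256 digest together with the collection time and the name of the person collecting, writes that as a JSON manifest, and can re-verify the files later. The demonstration creates a constructed log file in a temporary directory, verifies it, then appends to it to show the manifest detecting the change; the file name, log line and collector name are invented.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Digest a file in chunks so large logs or disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collected_by):
    """Record size, mtime and digest for each evidence file, plus who collected it and when."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    return {"collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collected_by,
            "files": entries}


def verify_manifest(manifest):
    """Return the paths whose current digest no longer matches the manifest (or are missing)."""
    mismatches = []
    for e in manifest["files"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            mismatches.append(e["path"])
    return mismatches


def demo():
    """Collect a constructed log, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")  # constructed evidence file
        with open(log, "w") as f:
            f.write("2015-12-24 02:13:07 login failed for user admin from 10.0.0.7\n")  # constructed line
        manifest = build_manifest([log], collected_by="on-call administrator")  # assumed collector name
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        before = verify_manifest(manifest)
        with open(log, "a") as f:
            f.write("tampered\n")  # any later change, accidental or not, must be detectable
        after = verify_manifest(manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

The manifest should be stored separately from the evidence it describes (and ideally signed or printed and dated), since a digest kept next to the file it protects can be regenerated by whoever alters the file. Freezing the machine before collection, as the slide says, is what keeps the recorded mtimes and digests meaningful.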


1, 2, 3, 4

Whether you have a single computer or a corporate network, you are at risk

Provide technology solutions: virus protection, firewalls, security patches, spyware programs

Develop written plans and policies

Provide regular security training and awareness programs for your employees


Contact Info

Steve Peters

Community Information and Telecommunications Alliance

520-321-1309

[email protected]

Matt Hymowitz, Partner, GMP Networks

520-577-3891 x11

[email protected]