TRANSCRIPT
Self-Assessment »
Find a Consultant »
Links & Resources »
News & Headlines »
Educational & Training Resources »
Steve Peters, President, Community Information and Telecommunications Alliance; Co-Chair, Arizona Cyber Security Alliance
Matt Hymowitz, Partner, GMP Networks; Co-Chair, Arizona Cyber Security Alliance
This Presentation
Intro to the Arizona Cyber Security Alliance
Overview of cyber crimes and security threats
Tips to prevent compromise of your systems and information
Strategies to ensure business continuity and disaster recovery if they are compromised
Arizona Cyber Security Alliance
A project of CITA, Tucson's nonprofit Community Information and Telecommunications Alliance
This statewide security Alliance will help the Arizona community:
understand the rising security threats
develop strategies to reduce personal, customer and business risks
Targeting
Small business and nonprofit executives
IT professionals
Home users
Includes large and small businesses, non-profits, law enforcement, government, and information technology and security professionals
Secure Computer
“The only secure computer is one that is turned off, locked in a safe, and buried twenty feet down in a secret location--and I'm not completely confident of that one, either.”
– BRUCE SCHNEIER, E-MAIL SECURITY: HOW TO KEEP YOUR ELECTRONIC MESSAGES PRIVATE (1995)
Internet crime is the fastest growing crime in the U.S.
Five Key Messages
The frequency and seriousness of threats are growing
Whether you have
• a single computer
• or a corporate network
you are at risk
Securing your system will help secure the Internet
Five Key Messages (2)
Information security is a core business requirement, not just a technology problem.
Don’t rely just on hardware and software solutions. You also need to address:
• security policies and plans
• employee awareness programs
• insurance and legal issues
• business continuity and disaster recovery plans
Hardware and software are essential, but people are the key
What is Vulnerable
Computer Systems
VoIP Phone systems
PDAs and cell phones
Wired and wireless networks
Xbox and TiVo
Internet Relay Chat, peer-to-peer networks, instant messaging
Web based applications and browsers
RFID Tags
Threats
Cyber Threats
Physical Threats
Internal Threats
External Threats
Intentional Threats
Unintentional Threats
Cyber Threats
Wired & Wireless Intrusions
Destructive worms, viruses and trojans
Spam and Spyware (keyboard and event logging)
Phishing, Identity Theft, and Fraud (Websites, URLs, Spoofing, & Redirection)
Your computer as a bot to attack other computers
Applications and OS vulnerabilities
Denial of Service Attacks
Cyber terrorism
Ransomware
Cyber Threats (2)
Cyber attacks
Damage computers and destroy data
Monitor or interrupt communications
Provide access to private information
Monitor your computer and browsing behavior
Make your computer a bot to attack other computers
Deny access to your websites
Steal information and money
Support Cyber terrorism
Recent Trends
Professional cyber criminals, gangs, cyber terrorism
While past attacks were designed to destroy data, today’s attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to their presence.
Use of bot networks
Targeted attacks on Web applications and Web browsers
Targeted phishing attacks
Narrowly focused attacks aimed at specific companies
Growing Regulatory Compliance Requirements
Threats
Physical Threats
Fire, theft, natural disasters
Internal Threats (70% of crimes)
Employee errors and attacks
disgruntled employees
opening attachments
downloading and use of unauthorized software (IM)
unauthorized use of computer systems
cyber loafing
wireless networks (rogue)
theft – systems and data
A Few Stats
Over 112,438 old and new viruses in 2004 - estimated $55 Billion in business damages in 2003
Arizona ranked No. 1 for identity theft in 2003 with 6,832 reported cases
70-80% of attacks are internal
18 million phishing attempts in 2004
An unprotected computer could be compromised in less than 20 minutes after being connected to the Internet
1 in 16 e-mail messages include a virus
Spam: 73% of all e-mail
Question
What will happen to your business or organization if your communications are disrupted or your information is compromised or stolen?
Direct losses
Indirect Losses
Legal and Insurance issues
Will You Be Out of Business?
Why Should You Care?
Direct Losses
Operational and customer information
Network, computer and communications systems
Money
Indirect Losses
interrupted communications
reduced productivity and damage to operations
loss of potential sales & disrupted revenue flow
reduced customer confidence and negative branding impact
loss of competitive advantage
loss of goodwill
continuity and recovery expenses
Legal Exposure and Insurance
Failure to meet business obligations
Compromised confidential client information
Illegal user activity
Director liability
Losses not covered by insurance
Lack of business continuity and disaster recovery coverage
Regulatory Compliance
• HIPAA, GLBA, SARBOX
Due diligence is the key
Security Technologies
Virus Protection
Hardware and Software Firewalls
Back-up Solutions
Managed Services - Outsourcing
Intrusion Detection Systems
Spyware protection programs
Encryption and Virtual Private Networks
Applications and OS patches
Content Filtering: Inbound / Outbound
Security Checklist
Are You Protected?
Current antivirus protection updated daily
Firewalls (hardware/software) or Intrusion Detection Systems
Security patches for your software & OS
Anti-spyware protection (2-3 programs)
Do not open unexpected e-mail attachments from strangers or acquaintances
Daily backups
Security Checklist (2)
Business assessment - can your business survive a security disaster?
Outside Security Assessments
Avoid legal liabilities for failure to exercise due diligence, to protect confidential information, or if you cannot fulfill business obligations
• California’s Data Breach Law SB 1386 and Privacy Laws
• Gramm-Leach Bliley Act
• USA Patriot Act and the Banking Secrecy Act
• HIPAA and Sarbanes-Oxley Act
• CAN-SPAM Act
Security Checklist (3)
Ensure that your insurance coverage will cover business continuity, disaster recovery and legal costs
Physically secure your machines and backups from theft, fire and natural disasters
Designate an employee or a trusted vendor to be responsible for your Cyber Security, including updates
Know what normal computer, network and Internet behavior looks like so that you can tell what's abnormal
Control access to your systems & information
Security Checklist (4)
Use complex passwords (8-10 characters, e.g. ~mY*sEcrE1T) and change them regularly
Don’t share passwords or post them on your computer
Log off when your computer is not being used
Disconnect from the Internet when you do not need to be online
Perform reference checks on new employees, and background checks for IT staff. Have employees sign a non-disclosure agreement
Turn OFF the Outlook "Preview Pane"
Security Checklist (5)
Cleanup old machines before you dispose of them
Develop written plans and policies
• Internet use
• cyber and physical security
• business continuity and disaster recovery
Provide regular security training and awareness programs for your employees
• security strategies
• employee responsibilities
New Laws
The Gramm-Leach-Bliley Act
• Provides for criminal and civil liability for businesses who do not adequately protect personal and financial information. Applies to any financial institution that provides financial products or services to consumers
Sarbanes-Oxley Act of 2002
• Prevents destruction of documents relevant to audits of companies that report their financial information to the SEC
• Regulation S-X requires accountants to retain certain records for a period of seven years after an audit or review of financial statements
New Laws (2)
Health Insurance Portability and Accountability Act
• A covered entity may not use or disclose an individual’s protected health information (PHI) to any person including a business associate, except as permitted or required by the privacy rules.
• A covered entity MUST secure individually identifiable information
USA Patriot Act Title III (applies to financial institutions)
• Amended the Bank Secrecy Act regarding strict customer identification, retention of records for 5 years after close of account, and checking terrorist lists every 2 weeks
California’s Data Breach Law SB 1386
• Requires companies to notify California residents of any actual or suspected breach of the security of the system that contains personal information - applies to any online business with California customers, even if the company is not based in California
California SB 27 - “Shine the Light Bill”
• Gives consumers the right to ask what information an organization has about them and where it has been shared
California AB 68 - “Online Privacy Protection Act”
• Commercial websites or online services that collect personal information on California residents must post and comply with a privacy policy
If you have an incident
Call a professional!
Keep all records
• Logs
• Dates, times, etc.
Freeze the machine(s)
Bottom Line
Protect Your Systems and Your Data
Advise Your Clients To Protect Their Systems and Your Data
1, 2, 3, 4
1. Whether you have a single computer or a corporate network, you are at risk
2. Provide technology solutions - virus protection, firewalls, security patches, spyware programs
3. Develop written plans and policies
4. Provide regular security training and awareness programs for your employees
Contact Info
Steve Peters, Community Information and Telecommunications Alliance
520-321-1309
Matt Hymowitz, Partner, GMP Networks
520-577-3891 x11