Top Information Security Issues Facing Organizations
Thomas C Miele, CISSP, ISSMP
What The Fortifications Are
"Man-Made Fortifications Are Just Monuments To The Stupidity Of Man. If Rivers And Mountain Ranges Can Be Breached, So Can Anything Built By Man"
General George S. Patton, Jr.
Top Issues
• International Information Systems Security Certification Consortium (ISC²) Teamed With Auburn University Researchers To ID & Rank Top Info Sec Issues By Way Of Surveys To Its Certified Security Professionals, Worldwide & USA
• 25 Issues Were ID'd As Most Critical…

NOTE: I Will Not Read All 25!!!!
4 I Found Of Interest
• #1 Top Management Support
• #2 Legal & Regulatory Issues
• #3 Malware/Social Engineering (Viruses, Trojans, Worms)
• #4 Awareness Training & Education
User Awareness
• If The Users Don't Know Or Are Not Aware, Then They Will Get In Trouble & The Company May Suffer
• If Your Company Does Business In All 50 States, Then You Have About 46 Laws To Comply With
• The Laws Say You Must Conduct An Awareness Program!
• SPAM During 2009: 60% Of E-Mail Received!
The Less You Know
• It's Bad When A Laptop Is Lost Containing:
  - Customer Name
  - Social Security Number
  - Credit Card Information
• Raises Good Questions:
  - Should The Data Be On The Notebook?
  - Should It Be Locked Down On A Server In The Data Center?
  - Do We Need To Store All The Information About Our Customers That We Do?
CSI Alert Feb 2007
Trusted Employees
• What About An Inside Job?
• Is The Company At Fault?
• It Depends…
• Deb's Bank Example
Data Not Protected, Privacy Lost
• The Big Story Is That The Boundary That Existed In People's Lives Between The Workplace And The Home Has Broken Down!
• Total Number Of Records Lost Containing Sensitive Personal Information From Security Breaches… 354,140,197
Ben Worthen CIO Mag. Feb 15, 2007
Top Breaches, Month Of April 2010
• AvMed Health Plans – 208,000 Records – Theft Of Laptops
• Blue Cross/Blue Shield Tenn. – 301,628 Records – 57 USB Storage Devices Stolen
• Citigroup – 600,000 Customers Received Their Annual Tax Documents With Their Social Security Numbers On The Outside Of The Envelope!
OK, HOW MANY MORE MUST SUFFER BEFORE WE DO IT THE RIGHT WAY?
Ben Worthen CIO Mag. Feb 15, 2007
Consumer IT Products
• Thumb Drives – USB Port Connected, Can Provide Gigabytes Of Transportable Storage
• Data Leakage!
• Lost IDs
• Spread Of Anything Bad! The Company Is Responsible If An Employee Causes Harm To Others!
Ask Yourself????
• Are The USB Ports Protected?
• If A User Downloads Information To Any Portable Device, Can We Detect It?
• Do Your Policies Cover Storage Of Protected Information On Workstations And/Or Mobile Devices?
• Testing IT Systems With Live Data????
• Is The Data Ever Encrypted?
• Do You Allow Cell Phones In The Office That Can Take Pictures?
Laws, Laws, & More Laws
Safeguarding Information
• How Many States Do You Do Business In?
• I Have 9 States' Laws To Look At Dealing With Privacy & Protection Of Customer Information
• State Of PA – 4 Laws, With New Ones Pending
• What If You Do Business In All 50 States? 44 States Have Laws, Along With Puerto Rico And The Virgin Islands
• What About International?
Before Your Data Goes
• Organizations Need To Understand Their Privacy And Security Compliance Obligations Prior To Sending Data Across Borders
• Nearly 50 Countries Have Some Form Of Data Protection Law, And Many Of Them Conflict Or Require Specific Security Measures
Jody R. Westby Information Security Mag.
Legal Frameworks At Play
• Globally There Are 3 Types Of Legal Frameworks At Play:
  - EU's Regulatory Model
  - U.S.'s Self-Regulatory Approach
  - Asia-Pacific Economic Cooperation (APEC) Forum's Privacy Framework
Jody R. Westby Information Security Mag.
In Europe, Privacy Is Different
• Personal Information Cannot Be Collected Without Consumers' Permission, And They Have The Right To Review The Data And Correct Inaccuracies
• Companies That Process Data Must Register Their Activities With The Government
• Employers Cannot Read Workers' Private E-Mail
• Personal Information Cannot Be Shared By Companies Or Across Borders Without Express Permission From The Data Subject
• Checkout Clerks Cannot Ask For Shoppers' Phone Numbers
Global Complications
• Everyone's Connected
  - 240 Countries And 1.1 Billion People Online
• Fractured Frameworks
  - 51 Countries With Privacy Laws, Including 27 EU Countries
  - 8 U.S. Agencies With Privacy Regulations And Enforcement Authority
  - 34 States With Security Breach Notification Laws
Jody R. Westby Information Security Mag.
Global Complications
• Competing Models
  - EU, U.S., APEC Each Have Overlapping Privacy Mandates
• Multilateral Actions
  - Various Efforts From The EU, G8, APEC, Council Of Europe (CoE)
  - CoE Convention On Data Protection
  - CoE Convention On Cybercrime
  - G8 24/7 High-Tech Crimes Points-Of-Contact Network
• HOW DO YOU KEEP UP????????
Jody R. Westby Information Security Mag.
Privacy Lost?????
• Most Americans Say They Are Concerned About Privacy
  - 60% Feel Their Privacy Is "Slipping Away"
  - Only 7% Change Behaviors To Preserve Privacy
  - Carnegie Mellon Test Shows People Will Give SSN To Get 50-Cents-Off Coupon
  - Don't Lose A Laptop With Personal Information!!!!!!!!!!
  - Veterans Admin, ChoicePoint, LexisNexis, Bank Of America, And Other Firms – Loss Or Theft Of Personal Information!!!! Were On The Receiving End Of Righteous Indignation By Public And Lawmakers.
What's A CEO To Do???
• Companies Want To Contact Their Customers Or Potential Customers
• Customers Want Privacy
• Laws Say We Must Protect Their Privacy/Information
• So, We Have A Balancing Act
• Make Sure You Know How Far You Can Go With Your Customers' Information
Social Engineering
• Attacker Uses Human Interaction (Social Skills) To Obtain Or Compromise Information About An Organization Or Its Computer Network/Systems
• May Seem Unassuming And Respectable
• Claiming To Be A New Employee
• Repair Person
• USB Trick
• Asking Questions – Infiltrate A Network
Good Security Practices: Security First, Then Compliance
• Don't Click On Links Within Pop-Up Windows
• Be Wary Of Free Downloadable Software
• Don't Follow E-mail Links Claiming To Offer Anti-Spyware Software
• Delete E-mails From Senders You Don't Know!!!!!
• Don't Get Complacent! Never Ever Think You Are Done! Always Keep Thinking How Security Can Be Breached.
Defense-in-Depth: 6 Layers To Consider
• Proactive Software Assurance
• Blocking Attacks: Network Based
  - IPS & Detection (IDS)
  - Wireless Intrusion Prevention
  - Network Behavior Analysis
  - Firewalls
  - Secure Web Gateways
• Blocking Attacks: Host Based
  - Endpoint Security
  - Network Access Control
  - System Integrity Checking Tools
• Eliminating Security Vulnerabilities
  - Network Discovery Tools
  - Vulnerability Management
  - Attack & Penetration Testing
  - Patch & Security Configuration Management
• Safely Supporting Authorized Users
  - Identity & Access Management
  - Mobile Data Protection & Encryption
  - Content Monitoring/Data Leak Prevention
• Tools To Manage Security
  - Log Management & Event Management
  - Media Sanitization And Mobile Device Recovery And Erasure
  - Security Awareness Training
  - Forensics Tools
  - Governance, Risk & Compliance Mgt Tools
    * GLBA, SOX, PCI, HIPAA
  - Disaster Recovery And Business Continuity
SANS What Works in Internet Security
Why I Worry About Social Engineering & Spyware
• Loss Of Corporate Information And Data
• Average Cost Per Breach $4.8 Million
• Legal Liability
• If Companies Close Down And/Or Go Out Of Business, Then People Will Not Be Paying Into The Social Security Fund!!!
• We All Pay The Price; However, The CEO Will Pay The Biggest Price!!!
Privacy Resources
• U.S. Safe Harbor Program
  www.export.gov/safeHarbor/sh_overview.html
• U.S. Federal Trade Commission
  www.ftc.gov/privacy/index.html
• EU Data Protection Directive
  http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
• Council of Europe Cybercrime Convention
  http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
Jody R. Westby Information Security Mag.