Module 7
Cybersecurity
Rob Clyde: Everyone in an organization owns cyber security. Why? Because we are all
potential targets.
Jagdish Rao: Just as the people who are engaged in protection are becoming better and better,
the same thing is happening for the people who want to penetrate these defenses and take
advantage of them.
Greg Bell: We’re dealing with a changing set of bad actors, a changing set of risks…
Marty Hodgett: Boards of directors don’t always understand the depth and breadth of the
security landscape.
Greg Bell: If an organization is not discussing cyber risk on an annual basis, they are not
performing due care.
Larry Teverbaugh: What new rules do we have to have in place? What new policies do we have to
have in place? How do we prepare our employees, as well as our clients and our suppliers, for the
introduction of this new technology?
The Risk Landscape
Jagdish Rao: The threats that pose the greatest risk not only to our industry but any important
vital player in infrastructure or important industries are the following …
Malware
Jagdish Rao: Malware is bad software which is injected from the outside, whether it's
destructive malware or different kinds of malware which are just interested in stealing
information. The destructive kind of malware is the kind which actually gets deposited
unknowingly and then actually wipes out entire operating systems and causes chaos. The other
kind of malware, which is more traditional, is what comes in unobtrusively and then actually
steals information without you knowing it and takes away your credentials.
Larry Teverbaugh: The way you have to address that is to expect that it is going to happen. It
could be an administrative assistant, a data entry clerk, or the CEO who is doing three things at
once, multi-tasking; someone interrupts them, they're on the phone, an email comes in, and they
inadvertently click on a link in an email that was very targeted to them. And suddenly their
system is compromised, and maybe the network is compromised, based upon what their access
might be.
Rob Clyde: Every employee is a potential target. Attackers can use employees in order to get to
other employees or other systems. That’s one of the reasons why we are all at risk and it takes
vigilance on the part of every single employee within an organization to make it secure.
Human Error
Marty Hodgett: Human errors are definitely going to happen. We will send emails to
people who shouldn't get emails. People will lose their phone. People will lose their computer.
We probably will have partners that share data that they shouldn't share.
John Hotta: One of the big cyber security breaches, at a company that was extremely
secure from the outside, was created by an HR employee who actually downloaded a Facebook
app onto her machine, which created a vulnerability within that one person's computer, which
then affected the whole network, and then that government was able to access the entire
network and entire system. So that's an example of how human error, lack of knowledge, and lack of
training can create a cyber security risk for a company.
Advanced Persistent Threats
Jagdish Rao: This is what the intelligence community deems today as when you have extremely
well-funded organizations, nation states, with huge manpower and technology power behind them,
launching concerted attacks which weaken the defenses of an organization. And once they do
so, then they come in through the back door and install destructive malware to take advantage of
at a later date.
The Insider Threat
John Hotta: Cyber security is not only an external issue, which I think we think about all the
time. There are also lots of threats within the company too: unhappy employees who are
actually behind the firewall, who are accessing data, who are actually creating security risks
within companies.
Jagdish Rao: You can have a very well-fortified perimeter. You can take care of your network.
You can have great resilient infrastructure, but somebody from inside the company exposes you
and actually is the cause for either theft of information or fraud or losses either inadvertently or
deliberately.
Larry Teverbaugh: What policies do you have in place, or what technologies do you have in
place, to be able to deal with those kinds of events? And that goes all the way back to your hiring
practices: what are you doing in terms of your vetting of employees? It goes back to your
practices associated with who has access to this kind of information.
Third Party Threats
Jagdish Rao: Compromise of third-party systems of course is very important because there are a
lot of third parties who actually connect with you. That’s a big threat and a growing threat as
well.
Gail Coury: If you're going out to use a third party service, what kind of supplier security and
privacy commitments are you getting from that particular provider? What are they willing to
sign up for, and is the data that you're sending to that service the appropriate data?
Jagdish Rao: You could be very well fortified, but if the machines of your customers and clients
have got bad software on them or are not protected, that can actually flow through into your
systems.
Gail Coury: You can outsource your operation, but you can't outsource your accountability for
your customer information or the information that you're gathering on your ecommerce
transactions; you are ultimately accountable as the business owner of that information.
Denial of Service Attacks
Jagdish Rao: Denial of service attacks are increasingly being perpetrated all the time.
This is where you have massive activity of people, basically machines, trying to access your
systems and, therefore, they clog down and slow down the system to an extent where genuine
customers can't get in anymore.
Compromised Systems
Jagdish Rao: And finally, compromising of the embedded systems themselves, which take a long
time to get detected. Sophisticated targeted attacks on applications, planting of back doors inside
applications which enable access by people who are unauthorized to access those systems and
applications from the outside. It’s often years before you know that your system got
compromised maybe at the time when it was being developed itself.
Mitigating Risk: The Board’s Role
Larry Teverbaugh: While there's been an increase in boards looking at governance as it relates
to cyber security, there is still a lot that can be done and should be done associated with
managing that type of risk.
Rob Clyde: One of the questions I like is, how do we know that we haven’t been attacked or
infected? What type of assurance and mechanisms do we have in place? And many times the
honest answer is we don't, but here’s how we might find out if we have.
Larry Teverbaugh: Do we have policies in place that basically say that every board meeting
we're going to get a report as it relates back to our risk profile, and on that risk profile, what
metrics are we using to be able to identify that risk profile? Do we have policies in place both
from an insurance standpoint as well as a legal standpoint? Do we have a team of people that are
ready to be able to respond to this?
Rob Clyde: Questions that I would be asking management would be, for example, who do we
have that is in charge of this internally? What's the structure? Do we have, for example, an
information security officer, also often called a CISO, and who does he or she report to? Is
that the CIO? How does that flow up into the CEO?
Greg Bell: When the business need, the technology deployment and the control environment
become out of alignment, that's where risk really starts to get introduced. Any time there is
significant business change, an acquisition or a merger, or we're expanding our services or taking
some big massive change, it's often a good time to say, what does this do to our control
environment?
Gail Coury: So making sure there’s that structure and that there’s regular assessments going on
and that the board is getting reported to at least annually, at a minimum, on the state of security
until the board has a certain amount of confidence that the business has been able to address the
risks and put in the proper controls to prevent these types of incidents.
Larry Teverbaugh: In the event that there is a data breach, is our communications department
prepared to be able to respond to the media, and what is our plan for actually reaching out to the
clients, to our suppliers, to the public at large, or to regulatory agencies? We don't have time to put
together something when it happens; these things have to be prepared in advance and practiced.
Rob Clyde: And ideally have some type of independent verification that in fact attests that
you’re doing things that will, in fact, meet industry norms and do in fact mitigate the risk to a
level that is acceptable.