The Role of the CISO
Ron Baklarz CISSP, CISA, CISM, NSA-IAM/IEM
**Warning: sexually graphic content and subject matter**

Agenda
Internal Factors Affecting the CISO Role
◦ Top 10 Coolest Information Security Jobs
◦ What Makes a Good CISO?
◦ Corporate culture
◦ To Whom does the CISO report?
◦ What are budget and staffing levels?
External Factors Affecting the CISO Role
◦ Regulatory aspects
◦ Risk factors of the organization
Personal Experience

The Top 10 of the 20 Coolest Jobs in Information Security
1. Information Security Crime Investigator/Forensic Expert
2. System, Network and/or Web Penetration Tester
3. Forensic Analyst
4. Incident Responder
5. Security Architect
6. Malware Analyst
7. Network Security Engineer
8. Security Analyst
9. Computer Crime Investigator
10. CISO/ISO or Director of Security
Source: www.sans.org

“Key responsibilities of a CSO include asset management, security assessments, development of a security strategy and risk management plan, certification and audit. In a nutshell, the CSO manages risks for the organization and advises senior management about risks to the business and recommends a treatment for the risk.”
Nalneesh Gaur, www.csoonline.com, May 30, 2007

What makes a good CISO?
- The ability to affect change.
- An understanding of how business processes and information interact.
- An understanding of the technologies used in your organization.
- An understanding of legal and compliance issues.
Boaz Gelbord, May 15, 2009

Corporate Cultures
Experience
◦ Military-focused organization
◦ Government
◦ Private Sector
◦ Humanitarian
◦ Healthcare
◦ Transportation

Regulatory Aspects
GLBA
SOX
HIPAA
PCI
FISMA

Reporting & Organizational Structures
Titles: CISO, CSO, CRO, ISSO, Director, Manager
Reports To: CIO, CFO, CRO, CEO, CTO
Never realized convergence of physical and logical security

Wearing the Chief Risk Officer Hat

Chronology of Data Breaches
- Started in 2005 subsequent to the Choicepoint breach
- As of September 25, 2009: 263,674,426 records compromised
Source: www.privacyrights.org

Category                 Number of Breaches   Percentage of Total
Lost/Stolen Computers    341                  30%
Hackers                  210                  18%
On-line Exposures        201                  17%
General Exposures        167                  14%
Lost/Stolen Media        120                  10%
Insiders                 61                   5%
Email Exposures          32                   3%
Fraud                    30                   3%
Source: www.privacyrights.org

Personal Experience - MedStar Health
$3.5 Billion non-profit
Largest healthcare system in the Washington DC-Baltimore area
8 hospitals and over 50 offices and services
25,000 employees
5,000 affiliates

Wearing the Chief Hacking Officer Hat

MedStar Health – 2007 WebInspect
Website                Critical Issues   High Issues   Medium Issues   Low Issues   Totals By Site
medstarhealthvna.org   6                 10            188             365          569
mppdocs.org            13                74            1450            2720         4257
mdcancer.org           82                18            1241            2351         3692
medstardiabetes.org    13                18            123             222          376
medstarresearch.org    0                 3             230             452          685
whcenter.org           446               9             2773            5077         8305
Totals                 560               132           6,005           11,187       17,884

Wearing the Chief Investigative Officer Hat

Personal Experience – MedStar Health
Investigation/Incident Summary Metrics
Subject                          Carryover 2007   Jan 2008   Feb 2008   March 2008   April 2008   2008 Totals   Aggregate Totals
Email Abuse/Issue                96               4          3                                    10            106
Internet Abuse/Issue             30               3          2                                    10            40
HIPAA & Privacy Issues           14               2          2                                    5             19
Lost / Stolen Media/Computers                                                                                   13
HR/Legal/Compliance Support                                                                                     8
Forensic Analysis                8                1          2                                    4             12
Others                           5
TOTALS                           163                                                              38            201
Cell values not placed above, in extraction order: 2 5 4 2 1 2 11 7 3 1 5 6 3 4 1 1 1 10 10

What is DLP?
DLP – Data Loss Prevention

DLP – First 45 minutes

DLP – First 45 minutes & More
Date     File Date   DOW    Start Time   End Time   Duration   # of Images   # CP
March    3/19/2007   Mon    17:08        19:25      2:15       45            45
April    4/11/2007   Wed    18:26        19:48      1:20       205           25
April    4/18/2007   Wed    17:03        18:33      1:30       266           25
April    4/25/2007   Wed    19:55        21:06      1:00       344           75
May      5/1/2007    Tue    19:25        20:13      0:45       182           20
May      5/11/2007   Fri    22:25        22:50      0:25       208           10
May      5/24/2007   Thur   17:36        18:07      0:30       231           5
June     6/4/2007    Mon    8:00         8:17       0:17       113           5
June     6/5/2007    Tue    18:08        19:03      1:00       607           10
June     6/16/2007   Sat    18:55        19:38      0:45       351           10
June     6/21/2007   Thur   17:13        19:11      2:00       368           10
June     6/25/2007   Mon    18:16        18:57      0:40       53            5
July     7/5/2007    Thur   8:00         8:26       0:26       247           15
July     7/16/2007   Mon    18:03        19:19      1:15       514           10
July     7/30/2007   Mon    17:17        18:12      1:00       300           10
August   8/2/2007    Thur   17:40        20:05      2:15       122           0
August   8/17/2007   Fri    20:51        22:36      1:30       580           15
Totals                                                         4736          295

DLP – First 45 minutes & More
Affiliated physician
Coming in through VPN with static IP assignment
Had VPN trail, firewall trail, DLP corroboration
DLP easily assembled cases
FBI/BCPD investigated – confiscated work computer

DLP – “The Officer is not a gentleman”
“Attachments F and G are screenshots from direct access to PC xxx.xxx.xxx.xxx and specifically the “My Pictures/Pics” folder. The details of this folder show that there are 49 subfolders with a total of over 1,300 mostly pornographic images of different women compartmentalized on a by-folder basis.”
Excerpt from investigative report CISO.2007.155 dated October 1, 2007

Q&A
End of Presentation
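The "VPN trail, firewall trail, DLP corroboration" bullets on the "DLP – First 45 minutes & More" slide above describe a log-correlation step: the VPN concentrator says which user held which assigned address and when, and every firewall and DLP record carrying that address inside the session window is then attributable to that user. The Python below is an added example of that step, not code from the presentation or from MedStar Health. Log formats, hostnames, user names, field names and IP addresses (RFC 5737 documentation ranges) are all constructed for the example; a real deployment would parse the vendor's own formats.

```python
"""Assemble a DLP case from VPN, firewall and DLP logs by source IP and time.

Added example: log formats, hostnames, user names and IP addresses below are
constructed (RFC 5737 documentation ranges), not taken from the presentation.
"""
import re
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed VPN concentrator records: who held which assigned address, and when.
VPN_LOG = """\
2007-06-05 18:00:12 vpn01 session-start user=jdoe assigned_ip=192.0.2.57
2007-06-05 18:30:00 vpn01 session-start user=asmith assigned_ip=192.0.2.58
2007-06-05 19:10:40 vpn01 session-end user=jdoe assigned_ip=192.0.2.57
2007-06-05 21:00:00 vpn01 session-end user=asmith assigned_ip=192.0.2.58
"""

# Constructed firewall records keyed by the VPN-assigned source address.
FW_LOG = """\
2007-06-05 18:08:03 fw01 ACCEPT src=192.0.2.57 dst=198.51.100.20 dport=443
2007-06-05 18:09:15 fw01 ACCEPT src=192.0.2.57 dst=198.51.100.21 dport=80
2007-06-05 18:45:00 fw01 ACCEPT src=192.0.2.58 dst=198.51.100.30 dport=443
"""

# Constructed DLP alerts. The 19:40 alert falls outside any VPN session for
# that address, so it must stay unattributed rather than be pinned on jdoe.
DLP_LOG = """\
2007-06-05 18:08:30 dlp01 alert policy=image-content src=192.0.2.57 images=607
2007-06-05 19:40:00 dlp01 alert policy=image-content src=192.0.2.57 images=12
"""


def parse_line(line):
    """Split 'YYYY-mm-dd HH:MM:SS host event k=v ...' into a record dict."""
    parts = line[20:].split(" ", 2)
    record = {"ts": datetime.strptime(line[:19], TS_FORMAT),
              "host": parts[0], "event": parts[1]}
    record.update(KV_RE.findall(parts[2] if len(parts) > 2 else ""))
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def vpn_sessions(records):
    """Pair session-start/session-end events into (user, ip, start, end)."""
    open_sessions, sessions = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["user"], r["assigned_ip"])
        if r["event"] == "session-start":
            open_sessions[key] = r["ts"]
        elif r["event"] == "session-end" and key in open_sessions:
            sessions.append((*key, open_sessions.pop(key), r["ts"]))
    # A session still open at the end of the log has no end time yet.
    sessions.extend((*key, start, None) for key, start in open_sessions.items())
    return sessions


def attribute(sessions, ip, ts):
    """Return the user who held `ip` at `ts`, or None if nobody did."""
    for user, s_ip, start, end in sessions:
        if s_ip == ip and start <= ts and (end is None or ts <= end):
            return user
    return None


def build_case(vpn_text, fw_text, dlp_text):
    """Attribute every firewall and DLP record to a VPN user; keep the rest aside."""
    sessions = vpn_sessions(parse_log(vpn_text))
    case = {"users": {}, "unattributed": []}
    for source, text in (("firewall", fw_text), ("dlp", dlp_text)):
        for r in parse_log(text):
            when = r["ts"].strftime(TS_FORMAT)
            user = attribute(sessions, r["src"], r["ts"])
            if user is None:
                case["unattributed"].append((source, when, r["src"]))
                continue
            entry = case["users"].setdefault(
                user, {"sessions": 0, "timeline": [], "images": 0})
            if source == "firewall":
                entry["timeline"].append((when, "firewall", f"{r['dst']}:{r['dport']}"))
            else:
                entry["timeline"].append((when, "dlp", f"{r['policy']} images={r['images']}"))
                entry["images"] += int(r["images"])
    for user, _ip, _start, _end in sessions:
        if user in case["users"]:
            case["users"][user]["sessions"] += 1
    for entry in case["users"].values():
        entry["timeline"].sort()  # timestamps share one format, so string order is time order
    return case


if __name__ == "__main__":
    case = build_case(VPN_LOG, FW_LOG, DLP_LOG)
    for user, entry in case["users"].items():
        print(f"{user}: {entry['sessions']} session(s), {entry['images']} flagged images")
        for when, source, detail in entry["timeline"]:
            print(f"  {when} {source:8} {detail}")
    print("unattributed:", case["unattributed"])
```

The session-window check is kept even though the slide's case involved a static IP assignment: it is what makes the assembled timeline defensible in an HR, legal or law-enforcement hand-off, because an alert that arrives while nobody holds the address is reported separately instead of being charged to the address's last user.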