SlideShare una empresa de Scribd logo

The Accidental Insider: Managing Internal Risks at Secure360

Descargar como PPT, PDF
Barry Caplin
Barry Caplin

While insider threat is a reality, more problems are caused by mistakes. Workers are stressed and need to get the job done. These “accidental insiders” may be dealing with unclear process, security controls that aren’t well planned, or are just trying to get something done for the customer. In this session we will discuss: How internal process, policy and technical environment can lead to mistakes; Appropriate levels of access control, and; What we can do proactively to prevent these kinds of problems. Secure360 5-11-11 Capella University webcast 3-18-13

Tecnología
1 de 39
BA RRY CA PLIN TH E A CCID EN TA L IN SID ER W ED . M A Y 13, 2014, 1:30P
WELCOME TO SECURE360 2014 Come see my talk tomorrow! The CISO Guide – How Do You Spell CISO? – Wed. 11A
The Accidental Insider Secure360 Tues. May 13, 2014 bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin Chief Information Security Official Fairview Health Services
http://about.me/barrycaplin securityandcoffee.blogspot.com @bcaplin
Fairview Overview • Not-for-profit established in 1906 • Academic Health System since 1997 partnership with University of Minnesota • >22K employees • >3,300 aligned physicians  Employed, faculty, independent • 7 hospitals/medical centers (>2,500 staffed beds) • 40-plus primary care clinics • 55-plus specialty clinics • 47 senior housing locations • 30-plus retail pharmacies 5 2012 data •5.7 million outpatient encounters •74,649 inpatient admissions •$2.8 billion total assets •$3.2 billion total revenue
Who is Fairview? A partnership of North Memorial and Fairview
In The News
In The News
Agenda • What is it? • How big an issue? • What do we do?
Internal Risk Management v Insider Threat
What is Internal Risk Management? • Malicious Insider = Current or former staff who: – intentionally exceeded/misused authorized access to networks, systems or data, and; – affected security of organizations’ data, systems, or daily operations • Insider’s intentions can be good or evil • Actions can be intentional or accidental • Must consider errors and omissions – Accidents – Not following process (CERT/US Secret Service Insider Threat Study)
CSI/FBI Computer Crime Survey • Not a new issue • 2007 – Insiders #1 reported problem. • 2008 – Insider threat decreased • 2009 – Some attributed 60-100% of losses to accidents • 2010/2011 –  40% attributed some loss to malicious insiders  60% attributed some loss to non-malicious insiders (accidents)
Verizon DBIR (Data Breach Investigations Report) • 2008 & 2009 (based on Verizon-only) – Most = external, most costly = internal; 39% multiple parties – Didn’t consider insiders’ “inaction” • 2010 (included US Secret Service) – Most = external, internal 48% (up 26%) • 2011 • Most external; 17% internal (-31%); 9% multiple parties • Simple; targets of opportunity; avoidable; most found by 3rd party • But doesn’t consider accidents
2012 Verizon Breach Report 2012 report (included US Secret Service) • Most = “external”; “internal” greatly decreased • 79% of victims targets of opportunity • 96% of attacks considered not highly difficult • 96% of victims subject to PCI not compliant • 97% were avoidable through simple or intermediate controls
From: Dark Reading http://darkreading.com/insiderthreat
Types of Internal Risks • Fraud: obtaining property or services through deception or trickery. • Theft of Information: stealing confidential or proprietary information. • IT Sabotage: acting with intent to harm an individual, organization, or organization’s data, systems, operations. • Error/Omission: causing damage to assets or disclosure of information because of an unintentional mistake. – Leaving a system vulnerable (not patching, config error, etc.) – Improper disclosure (database accessible, posting to website, etc.)
Risk Calculation Asset, Threat, Vulnerability, Impact => Risk (probability of event × impact = risk)
Attack Surface Vulnerable Assets => “Attack Surface”
Attack Surface Contributing factors: • Open/listening ports on outward facing servers • Services available on the inside of the firewall • Code that processes input • Interfaces, SQL, web forms • An employee with access to sensitive information is socially engineered The Attack Surface Problem, Stephen Northcutt, SANS, 2007
Attack Surface Are problems in these contributing factors primarily due to mistakes (errors and omissions)?
External Attacks Are external attacks made possible because of internal mistakes (errors and omissions)? Caveats: offense v defense attacker skill level I'm not defending the attacker nor blaming the victim
What do we do?
CERT Good Practices • Risk assessments - insider/partners threats • Document and enforce policies and controls. • Security awareness training • Secure the physical environment. • Password and account management. • Separation of duties and least privilege. • SDLC - Consider insider threats
CERT Good Practices • Consider extra controls for privileged users • Change control • Log, monitor, and audit • Defense in Depth • Secure backup and recovery • Incident response plan http://www.cert.org/insider_threat/
According to Schneier Five basic techniques to deal with trusted people (Schneier): • Limit the number of trusted people. • Ensure that trusted people are also trustworthy. • Limit the amount of trust each person has. • Give people overlapping spheres of trust. • Detect breaches of trust after the fact and issue sanctions.
Good Practices I Like • Practical policies • Awareness • SDLC (SLM) • System Review • Vulnerability Management • Configuration Management • Backup • Response/Recovery Get the simple stuff right.
A Simple Approach • SET briefing –Philosophical direction –Previous focus on external threats –New area of focus –Cross-divisional work – Security, IT, Privacy, Audit, Legal, Compliance –Culture change
Examples • Media/device encryption • Privileged accounts/Local Admin/activity • Improved provisioning • Annual recertification • Security Lifecycle Management • Training via audio/video • Improved server control software /logging • Improved change/config management A Simple Approach
To-Do List • Communication and Awareness • Examine current environment and resources • Scope mitigations • Create implementation plan • Execute!
Where to Learn More… • CMU CyLab - http://www.cylab.cmu.edu/ • CERT - http://www.cert.org/insider_threat/ • Data Breach Blog - http://breach.scmagazineblogs.com/ • OSF DataLossdb - http://datalossdb.org/ • Dark Reading - http://darkreading.com/insiderthreat/ • http://slideshare.net/bcaplin
How Do You Spell CISO? Secure360 Wed. May 14, 2014 bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin Chief Information Security Official Fairview Health Services
The Accidental Insider: Managing Internal Risks at Secure360

Recomendados

Role of HR after discovering Fraud
Role of HR after discovering FraudRole of HR after discovering Fraud
Role of HR after discovering FraudNational HRD Network
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Dan Michaluk
 
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemThe Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemEric Vanderburg
 
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesCloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesEric Vanderburg
 
How to manage a data breach
How to manage a data breachHow to manage a data breach
How to manage a data breachDan Michaluk
 
Cyber, secrecy and the public body
Cyber, secrecy and the public bodyCyber, secrecy and the public body
Cyber, secrecy and the public bodyDan Michaluk
 
Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Dan Michaluk
 
Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Dan Michaluk
 

Recomendados

Role of HR after discovering Fraud
Role of HR after discovering FraudRole of HR after discovering Fraud
Role of HR after discovering FraudNational HRD Network
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Dan Michaluk
 
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemThe Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemEric Vanderburg
 
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesCloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesEric Vanderburg
 
How to manage a data breach
How to manage a data breachHow to manage a data breach
How to manage a data breachDan Michaluk
 
Cyber, secrecy and the public body
Cyber, secrecy and the public bodyCyber, secrecy and the public body
Cyber, secrecy and the public bodyDan Michaluk
 
Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Advantage ppt data breaches km approved - final (djm notes)
Advantage ppt data breaches km approved - final (djm notes)Dan Michaluk
 
Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Dan Michaluk
 
CISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusCISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusBarry Caplin
 
Costume and prop ideas media as
Costume and prop ideas media asCostume and prop ideas media as
Costume and prop ideas media asisobelbay
 
Silent Sideline Week
Silent Sideline WeekSilent Sideline Week
Silent Sideline WeekJennifer Jaquith
 
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?Barry Caplin
 
Valley United Soccer Club new coach training
Valley United Soccer Club new coach trainingValley United Soccer Club new coach training
Valley United Soccer Club new coach trainingBarry Caplin
 
Nor'West Soccer LTPD 101
Nor'West Soccer LTPD 101Nor'West Soccer LTPD 101
Nor'West Soccer LTPD 101Jennifer Jaquith
 
Dreaded Embedded sec360 5-17-16
Dreaded Embedded sec360 5-17-16Dreaded Embedded sec360 5-17-16
Dreaded Embedded sec360 5-17-16Barry Caplin
 
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightCBIZ, Inc.
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
Kaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya
 
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Fasoo
 
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...Case IQ
 
Stop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudStop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudWynyard Group
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Lawley Insurance
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk GovernanceDan Michaluk
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessCBIZ, Inc.
 
Counterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxCounterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxZakiAhmed70
 
2012 777 The Seven Blind Spots in Business and How to Prevent Them
2012 777 The Seven Blind Spots in Business and How to Prevent Them2012 777 The Seven Blind Spots in Business and How to Prevent Them
2012 777 The Seven Blind Spots in Business and How to Prevent ThemSmith Family Business Initiative at Cornell
 
Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Barry Caplin
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015Health IT Conference – iHT2
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsNicholas Van Exan
 

Más contenido relacionado

Destacado

CISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusCISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusBarry Caplin
 
Costume and prop ideas media as
Costume and prop ideas media asCostume and prop ideas media as
Costume and prop ideas media asisobelbay
 
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?Barry Caplin
 
Valley United Soccer Club new coach training
Valley United Soccer Club new coach trainingValley United Soccer Club new coach training
Valley United Soccer Club new coach trainingBarry Caplin
 
Dreaded Embedded sec360 5-17-16
Dreaded Embedded sec360 5-17-16Dreaded Embedded sec360 5-17-16
Dreaded Embedded sec360 5-17-16Barry Caplin
 

Destacado (7)

CISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusCISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from Venus
 
Costume and prop ideas media as
Costume and prop ideas media asCostume and prop ideas media as
Costume and prop ideas media as
 
Silent Sideline Week
Silent Sideline WeekSilent Sideline Week
Silent Sideline Week
 
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
 
Valley United Soccer Club new coach training
Valley United Soccer Club new coach trainingValley United Soccer Club new coach training
Valley United Soccer Club new coach training
 
Nor'West Soccer LTPD 101
Nor'West Soccer LTPD 101Nor'West Soccer LTPD 101
Nor'West Soccer LTPD 101
 
Dreaded Embedded sec360 5-17-16
Dreaded Embedded sec360 5-17-16Dreaded Embedded sec360 5-17-16
Dreaded Embedded sec360 5-17-16
 

Similar a The Accidental Insider: Managing Internal Risks at Secure360

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightCBIZ, Inc.
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
Kaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya
 
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Fasoo
 
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...Case IQ
 
Stop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudStop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudWynyard Group
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Lawley Insurance
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk GovernanceDan Michaluk
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessCBIZ, Inc.
 
Counterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxCounterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxZakiAhmed70
 
Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Barry Caplin
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsNicholas Van Exan
 
Clasify information in education field
Clasify information in education fieldClasify information in education field
Clasify information in education fieldNebojsa Stefanovic
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Asad Zaman
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension Inc.
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceEvan Francen
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 

Similar a The Accidental Insider: Managing Internal Risks at Secure360 (20)

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response Plan
 
Kaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya Kaspersky Breaches
Kaseya Kaspersky Breaches
 
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
 
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
 
Stop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudStop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraud
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security Awareness
 
Counterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxCounterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptx
 
2012 777 The Seven Blind Spots in Business and How to Prevent Them
2012 777 The Seven Blind Spots in Business and How to Prevent Them2012 777 The Seven Blind Spots in Business and How to Prevent Them
2012 777 The Seven Blind Spots in Business and How to Prevent Them
 
Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
 
Clasify information in education field
Clasify information in education fieldClasify information in education field
Clasify information in education field
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to Compliance
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 

Más de Barry Caplin

Healing healthcare security
Healing healthcare securityHealing healthcare security
Healing healthcare securityBarry Caplin
 
It’s not If but When 20160503
It’s not If but When 20160503It’s not If but When 20160503
It’s not If but When 20160503Barry Caplin
 
It’s not if but when 20160503
It’s not if but when 20160503It’s not if but when 20160503
It’s not if but when 20160503Barry Caplin
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - PasswordsBarry Caplin
 
The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?Barry Caplin
 
Bullying and Cyberbullying
Bullying and CyberbullyingBullying and Cyberbullying
Bullying and CyberbullyingBarry Caplin
 
3 factors of fail sec360 5-15-13
3 factors of fail sec360 5-15-133 factors of fail sec360 5-15-13
3 factors of fail sec360 5-15-13Barry Caplin
 
Tech smart preschool parent 2 13
Tech smart preschool parent 2 13Tech smart preschool parent 2 13
Tech smart preschool parent 2 13Barry Caplin
 
Embracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG SecurityEmbracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG SecurityBarry Caplin
 
Online Self Defense
Online Self DefenseOnline Self Defense
Online Self DefenseBarry Caplin
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveBarry Caplin
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveBarry Caplin
 
Stuff my ciso says
Stuff my ciso saysStuff my ciso says
Stuff my ciso saysBarry Caplin
 
Toys in the office 11
Toys in the office 11Toys in the office 11
Toys in the office 11Barry Caplin
 
Teens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social NetworksTeens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social NetworksBarry Caplin
 
Laws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refsLaws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refsBarry Caplin
 
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refsLaws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refsBarry Caplin
 
How to be a Tech-Smart Parent
How to be a Tech-Smart ParentHow to be a Tech-Smart Parent
How to be a Tech-Smart ParentBarry Caplin
 
Internet Safety for Families and Children
Internet Safety for Families and ChildrenInternet Safety for Families and Children
Internet Safety for Families and ChildrenBarry Caplin
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle ManagementBarry Caplin
 

Más de Barry Caplin (20)

Healing healthcare security
Healing healthcare securityHealing healthcare security
Healing healthcare security
 
It’s not If but When 20160503
It’s not If but When 20160503It’s not If but When 20160503
It’s not If but When 20160503
 
It’s not if but when 20160503
It’s not if but when 20160503It’s not if but when 20160503
It’s not if but when 20160503
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - Passwords
 
The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?
 
Bullying and Cyberbullying
Bullying and CyberbullyingBullying and Cyberbullying
Bullying and Cyberbullying
 
3 factors of fail sec360 5-15-13
3 factors of fail sec360 5-15-133 factors of fail sec360 5-15-13
3 factors of fail sec360 5-15-13
 
Tech smart preschool parent 2 13
Tech smart preschool parent 2 13Tech smart preschool parent 2 13
Tech smart preschool parent 2 13
 
Embracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG SecurityEmbracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG Security
 
Online Self Defense
Online Self DefenseOnline Self Defense
Online Self Defense
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization Imperitive
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization Imperitive
 
Stuff my ciso says
Stuff my ciso saysStuff my ciso says
Stuff my ciso says
 
Toys in the office 11
Toys in the office 11Toys in the office 11
Toys in the office 11
 
Teens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social NetworksTeens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social Networks
 
Laws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refsLaws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refs
 
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refsLaws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
 
How to be a Tech-Smart Parent
How to be a Tech-Smart ParentHow to be a Tech-Smart Parent
How to be a Tech-Smart Parent
 
Internet Safety for Families and Children
Internet Safety for Families and ChildrenInternet Safety for Families and Children
Internet Safety for Families and Children
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle Management
 

Último

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Último (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

The Accidental Insider: Managing Internal Risks at Secure360

  • 2. WELCOME TO SECURE360 2014 Come see my talk tomorrow! The CISO Guide – How Do You Spell CISO? – Wed. 11A
  • 3. The Accidental Insider Secure360 Tues. May 13, 2014 bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin Chief Information Security Official Fairview Health Services
  • 5. Fairview Overview • Not-for-profit established in 1906 • Academic Health System since 1997 partnership with University of Minnesota • >22K employees • >3,300 aligned physicians  Employed, faculty, independent • 7 hospitals/medical centers (>2,500 staffed beds) • 40-plus primary care clinics • 55-plus specialty clinics • 47 senior housing locations • 30-plus retail pharmacies 5 2012 data •5.7 million outpatient encounters •74,649 inpatient admissions •$2.8 billion total assets •$3.2 billion total revenue
  • 6. Who is Fairview? A partnership of North Memorial and Fairview
  • 9.
  • 10.
  • 11.
  • 12. Agenda • What is it? • How big an issue? • What do we do?
  • 13. Internal Risk Management v Insider Threat
  • 14. What is Internal Risk Management? • Malicious Insider = Current or former staff who: – intentionally exceeded/misused authorized access to networks, systems or data, and; – affected security of organizations’ data, systems, or daily operations • Insider’s intentions can be good or evil • Actions can be intentional or accidental • Must consider errors and omissions – Accidents – Not following process (CERT/US Secret Service Insider Threat Study)
  • 15. CSI/FBI Computer Crime Survey • Not a new issue • 2007 – Insiders #1 reported problem. • 2008 – Insider threat decreased • 2009 – Some attributed 60-100% of losses to accidents • 2010/2011 –  40% attributed some loss to malicious insiders  60% attributed some loss to non-malicious insiders (accidents)
  • 16. Verizon DBIR (Data Breach Investigations Report) • 2008 & 2009 (based on Verizon-only) – Most = external, most costly = internal; 39% multiple parties – Didn’t consider insiders’ “inaction” • 2010 (included US Secret Service) – Most = external, internal 48% (up 26%) • 2011 • Most external; 17% internal (-31%); 9% multiple parties • Simple; targets of opportunity; avoidable; most found by 3rd party • But doesn’t consider accidents
  • 17. 2012 Verizon Breach Report 2012 report (included US Secret Service) • Most = “external”; “internal” greatly decreased • 79% of victims targets of opportunity • 96% of attacks considered not highly difficult • 96% of victims subject to PCI not compliant • 97% were avoidable through simple or intermediate controls
  • 18. From: Dark Reading http://darkreading.com/insiderthreat
  • 19.
  • 20.
  • 21. Types of Internal Risks • Fraud: obtaining property or services through deception or trickery. • Theft of Information: stealing confidential or proprietary information. • IT Sabotage: acting with intent to harm an individual, organization, or organization’s data, systems, operations. • Error/Omission: causing damage to assets or disclosure of information because of an unintentional mistake. – Leaving a system vulnerable (not patching, config error, etc.) – Improper disclosure (database accessible, posting to website, etc.)
  • 22. Risk Calculation Asset, Threat, Vulnerability, Impact => Risk (probability of event × impact = risk)
  • 23. Attack Surface Vulnerable Assets => “Attack Surface”
  • 24. Attack Surface Contributing factors: • Open/listening ports on outward facing servers • Services available on the inside of the firewall • Code that processes input • Interfaces, SQL, web forms • An employee with access to sensitive information is socially engineered The Attack Surface Problem, Stephen Northcutt, SANS, 2007
  • 25. Attack Surface Are problems in these contributing factors primarily due to mistakes (errors and omissions)?
  • 26. External Attacks Are external attacks made possible because of internal mistakes (errors and omissions)? Caveats: offense v defense attacker skill level I'm not defending the attacker nor blaming the victim
  • 27.
  • 28. What do we do?
  • 29. CERT Good Practices • Risk assessments - insider/partners threats • Document and enforce policies and controls. • Security awareness training • Secure the physical environment. • Password and account management. • Separation of duties and least privilege. • SDLC - Consider insider threats
  • 30. CERT Good Practices • Consider extra controls for privileged users • Change control • Log, monitor, and audit • Defense in Depth • Secure backup and recovery • Incident response plan http://www.cert.org/insider_threat/
  • 31. According to Schneier Five basic techniques to deal with trusted people (Schneier): • Limit the number of trusted people. • Ensure that trusted people are also trustworthy. • Limit the amount of trust each person has. • Give people overlapping spheres of trust. • Detect breaches of trust after the fact and issue sanctions.
  • 32. Good Practices I Like • Practical policies • Awareness • SDLC (SLM) • System Review • Vulnerability Management • Configuration Management • Backup • Response/Recovery Get the simple stuff right.
  • 33. A Simple Approach • SET briefing –Philosophical direction –Previous focus on external threats –New area of focus –Cross-divisional work – Security, IT, Privacy, Audit, Legal, Compliance –Culture change
  • 34.
  • 35. Examples • Media/device encryption • Privileged accounts/Local Admin/activity • Improved provisioning • Annual recertification • Security Lifecycle Management • Training via audio/video • Improved server control software /logging • Improved change/config management A Simple Approach
  • 36. To-Do List • Communication and Awareness • Examine current environment and resources • Scope mitigations • Create implementation plan • Execute!
  • 37. Where to Learn More… • CMU CyLab - http://www.cylab.cmu.edu/ • CERT - http://www.cert.org/insider_threat/ • Data Breach Blog - http://breach.scmagazineblogs.com/ • OSF DataLossdb - http://datalossdb.org/ • Dark Reading - http://darkreading.com/insiderthreat/ • http://slideshare.net/bcaplin
  • 38. How Do You Spell CISO? Secure360 Wed. May 14, 2014 bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin Chief Information Security Official Fairview Health Services

Notas del editor

  1. Check out my about.me, with links to twitter feed and Security and Coffee blog.
  2. April 9, 2009. Bob Quick, Britain's most senior counterterrorism officer, was forced to stand down today after an embarrassing security leak resulted in a major anti-terror operation, designed to foil an alleged al-Qaida plot to bomb Britain, being rushed forward.
  3. Accidents don’t only cause data loss… accidental outages can have highly negative results.
  4. Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well.
  5. datalossdb