SlideShare una empresa de Scribd logo

Managing IT Risk and Assessing Vulnerability

Descargar como PPTX, PDF
AIS Network
AIS Network

Andrew Iwamoto of AIS Network gave a presentation on managing IT risk and assessing vulnerability at the 2016 ACCS conference. He discussed understanding the landscape for data breaches in education, establishing a risk culture, conducting an IT risk assessment and creating a risk management plan. He also covered tools and tactics for assessing and minimizing vulnerability, prioritizing remediation efforts, and improving security through testing and exercises. The presentation outlined key steps for colleges and universities to protect their networks and data from increasing cyber threats.

Tecnología
1 de 30
Managing IT Risk and Assessing Vulnerability 2016 ACCS Conference, “Exploring the Possibilities” Association of Collegiate Computing Services of Virginia March 17, 2016 Portsmouth, VA
Andrew Iwamoto AIS Network (240) 393-2996 Offices in McLean, Richmond & Chicago Presenter AISNSite: www.aisn.net Facebook: www.facebook.com/AISNetwork Twitter: @AIS_Network YouTube: www.youtube.com/user/AISNVideo
• Contracts Contract VA-120416-AISN (Hosting Services) CAI Virginia IT Contingent Labor Contract Statement of Work (App Development) Contract VA-120413-BPI (Web Apps Maintenance/ Operations) Virginia SWaM Small Business #697064 • Founded 1993 • Premier eGov Services Provider to the Commonwealth of Virginia AIS Network
Select Virginia eGov Clients Agencies and Education
• Understanding the Landscape for Data Breach • Steps Toward Managing IT Risk • Establishing a Risk Culture • IT Risk Assessment & Planning • Mitigating Risk • Tools and Tactics for Assessing and Minimizing Vulnerability • Remediation • Respond and Improve • Q & A Outline
Understanding the Landscape for Data Breach
Source: Privacy Rights Clearinghouse & online media reports
Schools Are Vastly Unprepared Education Ranks #3Among Top Sectors Breached • Tinfoil Security tested 557 state universities with a cross-site scripting (XSS) attack. • One quarter of all networks were vulnerable. • Why Education? • Protecting schools is more difficult than protecting corporations, because schools have a BYOD environment. Schools lack strict control over hardware/software used by faculty and students. Symantec Internet Security Threat Report, 2015
Who Tries to Breach U.S. Campuses? FBI Says…. • Hackers looking to make a profit • Foreign and domestic businesses • Individual entrepreneurs • Competing academics • Foreign intelligence services • Terrorist organizations Villain Ernst Stavro Blofeld, SPECTRE, You Only Live Twice, 1967
Why? Universities are HUGE repositories of monetizable data. • Steal technical information, compromising researchers’ ability to get first-to-market with ideas • Access intellectual property developed through university research (e.g., technologies that serve to protect the U.S. militarily, economically or otherwise) • Gather sensitive/classified research (e.g., facilities that handle bio agents or radiation) • Bypass expensive research and development • Recruit individuals for espionage/ terror groups • Spy for animal rights and eco rights terrorism • Exploit the student visa program for improper purposes • Conduct computer intrusions • Collect sensitive personal/ financial information (identity theft, fraud, etc.) • Compromise campus safety and safety of U.S. students studying abroad • Spread false information for political/other reasons
Data Breach Common Causes • Malware • Hacking • Malicious insider/ outsider • Unsolicited emails/phishing • Unintended disclosure • Payment card fraud • Portable device • Stationary device • Physical loss • Insider • Schools don’t have strict control over hardware/software used on campus Graphic courtesy of KirkpatrickPrice
Steps Toward Managing IT Risk Establishing a Risk Culture IT Risk Assessment & Planning
Why Establish a Risk Culture? Risk Culture Demonstrates • You’re not “driving like you can afford the accident” • Consistent role modeling from senior leadership • Clear/ well articulated risk strategy incorporates physical and behavioral characteristics • Transparent/ unified decision making • Rapid escalation of threats Key Drivers • Regulatory compliance with FERPA, HIPAA, PCI, etc. • Institutional reputation • Leadership/ executive tone • Strategy/ decision making • Risk governance structure • Recruitment and competence • Bottom line
Why a Risk Management Plan? Regulatory Requirements • FERPA. HIPAA, PCI and others require institutions to certify that their data is secure from malicious threats. • Protect against fines/penalties, class action lawsuits, reputational damage and income loss Campus Security • The BYOD culture invites risk issues. • Every time an institution adds new hardware, changes network configurations, installs new software or performs major upgrades, it risks exposing its network unknowingly.
Teamwork • Information Technology • Information Security • Risk Management • Legal • Compliance • Privacy • Human Resources • Physical Security/Campus Police • Communications (Public/Gov’t. Relations) • Board of Directors
Conduct Risk Assessment Survey Identify Risks Assess Risk Importance & Risk Likelihood Create Risk Management Action Plan Implement Risk Management Plan Risk Management Process
IT Risk Assessment & Planning • Not reporting lost hardware • Leaving computers unattended • No privacy screen use • Connecting unsecure devices to the work network • Using unencrypted USB drives to store critical files • Traveling with travel devices “fully loaded” Addressing High-Risk Behaviors • Weak passwords • Sharing passwords • Using identical passwords • Using unsecure Internet connections • Failure to purge old files • Manual collection of PII by teachers/assistants • Sloppy vendor practices
Planning Considerations for Action Plan Development • Regulations. The government is not waiting for a breach to inspect your compliance. Use a risk-based perspective when following compliance laws. • Cyber security. Plan to invest in security to prepare to withstand a cyberattack. Also, do you have cyber coverage/ data breach insurance? • Vendors. Vendor risk cannot be outsourced. It must be managed. Are your vendors compliant? If you maintain HIPAA compliance, are vendor BAAs in place? • Privacy/compliance counsel. A privacy/ compliance attorney can guide you on how to work out steps with regard to discovery of an event, forensic investigation/ evaluation of the event, managing the short-term crisis and handling the long-term consequences (identify notification and credit monitoring vendors, call centers, etc.). • Wearable technology and portable devices. Update and enforce your BYOD and secure wearables policies. • The “weakest link.” You’re only as strong as your weakest link. Educate your people and promote healthy security awareness on campus.
IT Risk Management Action Plan Based on Survey Results and Risk Ranking Implement the Plan • Serve as a resource for questions/concerns (e.g., export control matters) • Monitor suspicious incidents closely • Be aware of regional counterintelligence meetings with academics, businesses and US intelligence community personnel • Prepare for continual training/ review Must-Haves • Awareness training for students, researchers, faculty, admin • Specific threat information if available • Brochures or other literature about threats • More robust security procedures if needed • FBI consultation (be prepared to work with them on security concerns)
Mitigating Risk Tools and Tactics for Assessing and Minimizing Vulnerability
Anticipating Attacks: 10 Tips From the FTC 1) Start with security. 2) Control access to data sensibly. 3) Require secure passwords/ authentication. 4) Store sensitive personal info. Securely and protect it during transmission. 5) Segment your network; monitor who is trying to get in/out. 6) Secure remote access to your network. 7) Apply sound security practices when developing new products. 8) Ensure service providers implement reasonable security measures. 9) Put procedures in place to keep your security current and address vulnerabilities that may arise. 10) Secure paper, physical media and devices. “Start With Security: A Guide for Business,” FTC, June 2015.
Security Architecture Mindset Policies Align With Tools Network Infrastructure Understand Identify Protect Monitor/ Detect Respond Improve • Sloppy security days are gone. • Security must be architected now. • Align clear policies against the objectives of the tools that are available. • There’s an amazing array of security innovation today. • Microsoft and VMware are changing the landscape of how applications are built and delivered securely. • Invest and enable.
Assessing Vulnerability Tools to Find, Classify, Verify & Remove Threats • Vulnerability Scanning (External/ Internal) • Penetration Testing • Enterprise Threat Simulation • Continuous Auditing • Data Encryption • DDoS Protection • Event Management • Firewall and VPN Services • Intrusion Detection Services • Malware Protection • Change Management • Two-Factor Authentication • Web Application Firewall • Compliance Management • Log Management • SSL Certificates
IT Checklist Tactics for Minimizing Vulnerability • Keep operating systems up-to-date. • Update a computer program or data regularly with patches. • Patch Management/Maintenance Windows • Standardize the application software. • Block third-party cookies and pop-ups in web browsers. • Delete caches more often. • Use sophisticated passwords. • Monitor sharing. • Encrypt sensitive data. • Manage alerts. • Quantify risks and soft spots.
• Have an “exit policy” for employees/ students who leave the school • Require complex passwords • Maintain clear visibility into access privileges • Manage all privileged accounts IT Checklist Policies for People With Keys to the Kingdom Client Network Components Web Server Application Server/ Backend System Database Server Guest Operating System Hypervisor Host Operating System Shared accounts Individual accounts
Remediation Respond and Improve
In Remediating Vulnerabilities, Prioritize…. • Not all vulnerabilities are equal. • Not all assets are equal. • Encryption is not a panacea. • Remediation actions may be inconvenient to users/ normal operations. • Government policy alone won’t guide you.
Identify Gaps & Improve Apply Your Knowledge to Predict & Prevent • Test environments • Simulations • Tabletop exercises • Threat modeling • Pairing exercises (tester + responder) • Security assessments • Walk through common techniques/ protection mechanisms • Test your communication channels
Q & A
Andrew Iwamoto AIS Network (240) 393-2996 Offices in McLean, Richmond & Chicago Thank You AISNSite: www.aisn.net Facebook: www.facebook.com/AISNetwork Twitter: @AIS_Network YouTube: www.youtube.com/user/AISNVideo

Recomendados

Cyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutionsCyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutionsCapri Insurance
 
Security analysis
Security analysisSecurity analysis
Security analysisYulisa Rosliana S.Kom
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecuritySecurity Bootcamp
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyResilient Systems
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataStephen Cobb
 
Information security
Information security Information security
Information security razendar79
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets PersonalNicholas Davis
 

Recomendados

Cyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutionsCyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutionsCapri Insurance
 
Security analysis
Security analysisSecurity analysis
Security analysisYulisa Rosliana S.Kom
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecuritySecurity Bootcamp
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyResilient Systems
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataStephen Cobb
 
Information security
Information security Information security
Information security razendar79
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets PersonalNicholas Davis
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09Tammy Clark
 
Chapter 8 securing information systems MIS
Chapter 8 securing information systems MISChapter 8 securing information systems MIS
Chapter 8 securing information systems MISAmirul Shafiq Ahmad Zuperi
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceJeff Lemmermann
 
2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum 2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum Carolyn Slade, MS-HIM
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9Amanda Case
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...Nicholas Davis
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROLshinydey
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestJay McLaughlin
 
Presentation2 (2)
Presentation2 (2)Presentation2 (2)
Presentation2 (2)ITNet
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and TrainingPriyank Hada
 
Isys20261 lecture 04
Isys20261 lecture 04Isys20261 lecture 04
Isys20261 lecture 04Wiliam Ferraciolli
 
Network security # Lecture 2
Network security # Lecture 2Network security # Lecture 2
Network security # Lecture 2Kabul Education University
 
Cyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickCyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickJacqueline Fick
 
The need for effective information security awareness practices.
The need for effective information security awareness practices.The need for effective information security awareness practices.
The need for effective information security awareness practices.CAS
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
The insider versus external threat
The insider versus external threatThe insider versus external threat
The insider versus external threatzhihaochen
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1misecho
 
Mis
MisMis
Mismisecho
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and HealthcareJonathon Coulter
 
Intro.ppt
Intro.pptIntro.ppt
Intro.pptRamaNingaiah
 

Más contenido relacionado

La actualidad más candente

Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09Tammy Clark
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceJeff Lemmermann
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9Amanda Case
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...Nicholas Davis
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROLshinydey
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestJay McLaughlin
 
Presentation2 (2)
Presentation2 (2)Presentation2 (2)
Presentation2 (2)ITNet
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and TrainingPriyank Hada
 
Cyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickCyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickJacqueline Fick
 
The need for effective information security awareness practices.
The need for effective information security awareness practices.The need for effective information security awareness practices.
The need for effective information security awareness practices.CAS
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
The insider versus external threat
The insider versus external threatThe insider versus external threat
The insider versus external threatzhihaochen
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1misecho
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 

La actualidad más candente (20)

Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
 
Chapter 8 securing information systems MIS
Chapter 8 securing information systems MISChapter 8 securing information systems MIS
Chapter 8 securing information systems MIS
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 Conference
 
2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum 2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROL
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, West
 
Presentation2 (2)
Presentation2 (2)Presentation2 (2)
Presentation2 (2)
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
 
Isys20261 lecture 04
Isys20261 lecture 04Isys20261 lecture 04
Isys20261 lecture 04
 
Network security # Lecture 2
Network security # Lecture 2Network security # Lecture 2
Network security # Lecture 2
 
Cyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickCyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fick
 
The need for effective information security awareness practices.
The need for effective information security awareness practices.The need for effective information security awareness practices.
The need for effective information security awareness practices.
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up Summary
 
The insider versus external threat
The insider versus external threatThe insider versus external threat
The insider versus external threat
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1
 
Mis
MisMis
Mis
 
Information security management
Information security managementInformation security management
Information security management
 

Similar a Managing IT Risk and Assessing Vulnerability

Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and HealthcareJonathon Coulter
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management ProgramTripwire
 
C4I cyber secuirty by Eric Eifert - Keynote 9.pptx
C4I cyber secuirty by Eric Eifert - Keynote 9.pptxC4I cyber secuirty by Eric Eifert - Keynote 9.pptx
C4I cyber secuirty by Eric Eifert - Keynote 9.pptxbakhtinasiriav
 
Kaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power pointbodo-con
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Ernest Staats
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyCyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyJames Mulhern
 
Chapter 13
Chapter 13Chapter 13
Chapter 13bodo-con
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planCameron Forbes Over
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planCameron Forbes Over
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are comingErnest Staats
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchMcKonly & Asbury, LLP
 

Similar a Managing IT Risk and Assessing Vulnerability (20)

Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and Healthcare
 
Intro.ppt
Intro.pptIntro.ppt
Intro.ppt
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program
 
C4I cyber secuirty by Eric Eifert - Keynote 9.pptx
C4I cyber secuirty by Eric Eifert - Keynote 9.pptxC4I cyber secuirty by Eric Eifert - Keynote 9.pptx
C4I cyber secuirty by Eric Eifert - Keynote 9.pptx
 
Cryptography and Network Security # Lecture 2
Cryptography and Network Security # Lecture 2Cryptography and Network Security # Lecture 2
Cryptography and Network Security # Lecture 2
 
Kaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya Kaspersky Breaches
Kaseya Kaspersky Breaches
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power point
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyCyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
 
Chapter 13
Chapter 13Chapter 13
Chapter 13
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Goans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech LibraryGoans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech Library
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Resum
ResumResum
Resum
 

Último

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Último (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Managing IT Risk and Assessing Vulnerability

  • 1. Managing IT Risk and Assessing Vulnerability 2016 ACCS Conference, “Exploring the Possibilities” Association of Collegiate Computing Services of Virginia March 17, 2016 Portsmouth, VA
  • 2. Andrew Iwamoto AIS Network (240) 393-2996 Offices in McLean, Richmond & Chicago Presenter AISNSite: www.aisn.net Facebook: www.facebook.com/AISNetwork Twitter: @AIS_Network YouTube: www.youtube.com/user/AISNVideo
  • 3. • Contracts Contract VA-120416-AISN (Hosting Services) CAI Virginia IT Contingent Labor Contract Statement of Work (App Development) Contract VA-120413-BPI (Web Apps Maintenance/ Operations) Virginia SWaM Small Business #697064 • Founded 1993 • Premier eGov Services Provider to the Commonwealth of Virginia AIS Network
  • 4. Select Virginia eGov Clients Agencies and Education
  • 5. • Understanding the Landscape for Data Breach • Steps Toward Managing IT Risk • Establishing a Risk Culture • IT Risk Assessment & Planning • Mitigating Risk • Tools and Tactics for Assessing and Minimizing Vulnerability • Remediation • Respond and Improve • Q & A Outline
  • 7. Source: Privacy Rights Clearinghouse & online media reports
  • 8. Schools Are Vastly Unprepared Education Ranks #3Among Top Sectors Breached • Tinfoil Security tested 557 state universities with a cross-site scripting (XSS) attack. • One quarter of all networks were vulnerable. • Why Education? • Protecting schools is more difficult than protecting corporations, because schools have a BYOD environment. Schools lack strict control over hardware/software used by faculty and students. Symantec Internet Security Threat Report, 2015
  • 9. Who Tries to Breach U.S. Campuses? FBI Says…. • Hackers looking to make a profit • Foreign and domestic businesses • Individual entrepreneurs • Competing academics • Foreign intelligence services • Terrorist organizations Villain Ernst Stavro Blofeld, SPECTRE, You Only Live Twice, 1967
  • 10. Why? Universities are HUGE repositories of monetizable data. • Steal technical information, compromising researchers’ ability to get first-to-market with ideas • Access intellectual property developed through university research (e.g., technologies that serve to protect the U.S. militarily, economically or otherwise) • Gather sensitive/classified research (e.g., facilities that handle bio agents or radiation) • Bypass expensive research and development • Recruit individuals for espionage/ terror groups • Spy for animal rights and eco rights terrorism • Exploit the student visa program for improper purposes • Conduct computer intrusions • Collect sensitive personal/ financial information (identity theft, fraud, etc.) • Compromise campus safety and safety of U.S. students studying abroad • Spread false information for political/other reasons
  • 11. Data Breach Common Causes • Malware • Hacking • Malicious insider/ outsider • Unsolicited emails/phishing • Unintended disclosure • Payment card fraud • Portable device • Stationary device • Physical loss • Insider • Schools don’t have strict control over hardware/software used on campus Graphic courtesy of KirkpatrickPrice
  • 12. Steps Toward Managing IT Risk Establishing a Risk Culture IT Risk Assessment & Planning
  • 13. Why Establish a Risk Culture? Risk Culture Demonstrates • You’re not “driving like you can afford the accident” • Consistent role modeling from senior leadership • Clear/ well articulated risk strategy incorporates physical and behavioral characteristics • Transparent/ unified decision making • Rapid escalation of threats Key Drivers • Regulatory compliance with FERPA, HIPAA, PCI, etc. • Institutional reputation • Leadership/ executive tone • Strategy/ decision making • Risk governance structure • Recruitment and competence • Bottom line
  • 14. Why a Risk Management Plan? Regulatory Requirements • FERPA. HIPAA, PCI and others require institutions to certify that their data is secure from malicious threats. • Protect against fines/penalties, class action lawsuits, reputational damage and income loss Campus Security • The BYOD culture invites risk issues. • Every time an institution adds new hardware, changes network configurations, installs new software or performs major upgrades, it risks exposing its network unknowingly.
  • 15. Teamwork • Information Technology • Information Security • Risk Management • Legal • Compliance • Privacy • Human Resources • Physical Security/Campus Police • Communications (Public/Gov’t. Relations) • Board of Directors
  • 16. Conduct Risk Assessment Survey Identify Risks Assess Risk Importance & Risk Likelihood Create Risk Management Action Plan Implement Risk Management Plan Risk Management Process
  • 17. IT Risk Assessment & Planning • Not reporting lost hardware • Leaving computers unattended • No privacy screen use • Connecting unsecure devices to the work network • Using unencrypted USB drives to store critical files • Traveling with travel devices “fully loaded” Addressing High-Risk Behaviors • Weak passwords • Sharing passwords • Using identical passwords • Using unsecure Internet connections • Failure to purge old files • Manual collection of PII by teachers/assistants • Sloppy vendor practices
  • 18. Planning Considerations for Action Plan Development • Regulations. The government is not waiting for a breach to inspect your compliance. Use a risk-based perspective when following compliance laws. • Cyber security. Plan to invest in security to prepare to withstand a cyberattack. Also, do you have cyber coverage/ data breach insurance? • Vendors. Vendor risk cannot be outsourced. It must be managed. Are your vendors compliant? If you maintain HIPAA compliance, are vendor BAAs in place? • Privacy/compliance counsel. A privacy/ compliance attorney can guide you on how to work out steps with regard to discovery of an event, forensic investigation/ evaluation of the event, managing the short-term crisis and handling the long-term consequences (identify notification and credit monitoring vendors, call centers, etc.). • Wearable technology and portable devices. Update and enforce your BYOD and secure wearables policies. • The “weakest link.” You’re only as strong as your weakest link. Educate your people and promote healthy security awareness on campus.
  • 19. IT Risk Management Action Plan Based on Survey Results and Risk Ranking Implement the Plan • Serve as a resource for questions/concerns (e.g., export control matters) • Monitor suspicious incidents closely • Be aware of regional counterintelligence meetings with academics, businesses and US intelligence community personnel • Prepare for continual training/ review Must-Haves • Awareness training for students, researchers, faculty, admin • Specific threat information if available • Brochures or other literature about threats • More robust security procedures if needed • FBI consultation (be prepared to work with them on security concerns)
  • 20. Mitigating Risk Tools and Tactics for Assessing and Minimizing Vulnerability
  • 21. Anticipating Attacks: 10 Tips From the FTC 1) Start with security. 2) Control access to data sensibly. 3) Require secure passwords/ authentication. 4) Store sensitive personal info. Securely and protect it during transmission. 5) Segment your network; monitor who is trying to get in/out. 6) Secure remote access to your network. 7) Apply sound security practices when developing new products. 8) Ensure service providers implement reasonable security measures. 9) Put procedures in place to keep your security current and address vulnerabilities that may arise. 10) Secure paper, physical media and devices. “Start With Security: A Guide for Business,” FTC, June 2015.
  • 22. Security Architecture Mindset Policies Align With Tools Network Infrastructure Understand Identify Protect Monitor/ Detect Respond Improve • Sloppy security days are gone. • Security must be architected now. • Align clear policies against the objectives of the tools that are available. • There’s an amazing array of security innovation today. • Microsoft and VMware are changing the landscape of how applications are built and delivered securely. • Invest and enable.
  • 23. Assessing Vulnerability Tools to Find, Classify, Verify & Remove Threats • Vulnerability Scanning (External/ Internal) • Penetration Testing • Enterprise Threat Simulation • Continuous Auditing • Data Encryption • DDoS Protection • Event Management • Firewall and VPN Services • Intrusion Detection Services • Malware Protection • Change Management • Two-Factor Authentication • Web Application Firewall • Compliance Management • Log Management • SSL Certificates
  • 24. IT Checklist Tactics for Minimizing Vulnerability • Keep operating systems up-to-date. • Update a computer program or data regularly with patches. • Patch Management/Maintenance Windows • Standardize the application software. • Block third-party cookies and pop-ups in web browsers. • Delete caches more often. • Use sophisticated passwords. • Monitor sharing. • Encrypt sensitive data. • Manage alerts. • Quantify risks and soft spots.
  • 25. • Have an “exit policy” for employees/ students who leave the school • Require complex passwords • Maintain clear visibility into access privileges • Manage all privileged accounts IT Checklist Policies for People With Keys to the Kingdom Client Network Components Web Server Application Server/ Backend System Database Server Guest Operating System Hypervisor Host Operating System Shared accounts Individual accounts
  • 27. In Remediating Vulnerabilities, Prioritize…. • Not all vulnerabilities are equal. • Not all assets are equal. • Encryption is not a panacea. • Remediation actions may be inconvenient to users/ normal operations. • Government policy alone won’t guide you.
  • 28. Identify Gaps & Improve Apply Your Knowledge to Predict & Prevent • Test environments • Simulations • Tabletop exercises • Threat modeling • Pairing exercises (tester + responder) • Security assessments • Walk through common techniques/ protection mechanisms • Test your communication channels
  • 29. Q & A
  • 30. Andrew Iwamoto AIS Network (240) 393-2996 Offices in McLean, Richmond & Chicago Thank You AISNSite: www.aisn.net Facebook: www.facebook.com/AISNetwork Twitter: @AIS_Network YouTube: www.youtube.com/user/AISNVideo