2. Managing Risk or Reacting to Compliance
Topics
Introduction
Evan Francen
FRSecure
Compliance – Reactive
Risk – Proactive
Real World Examples & Guidance
Social Engineering
3. Managing Risk or Reacting to Compliance
Introduction
Evan Francen
Aka “The Truth”
4. Managing Risk or Reacting to Compliance
Introduction
Evan Francen
Security Guy
5. Managing Risk or Reacting to Compliance
Introduction
Evan Francen
Weird - Different
6. Managing Risk or Reacting to Compliance
Introduction
Evan Francen
For real…
• 20+ years of information security experience
• Co-founded FRSecure in 2008
• Worked with organizations of all sizes, including Wells Fargo, US Bank, UnitedHealth, ADP, St. Jude, etc.
• Risk Management, Security Program Development, Social Engineering, Mentoring, and the projects nobody else wants to do.
7. Managing Risk or Reacting to Compliance
Introduction
FRSecure
• Information Security Management company. It’s all we do.
• Methodology – Develop, use, and share methodologies for a variety of information security projects.
• Project Leaders – All of our project leaders have more than 15 years of information security experience, from Fortune 100 to SMBs.
• Fully Transparent – Empowers our clients to do what we do.
• Product Agnostic – Recommendations stand on their own, with no ulterior motive.
8. Managing Risk or Reacting to Compliance
Compliance
What is compliance?
9. Managing Risk or Reacting to Compliance
Compliance
What is compliance?
• Is there any such thing as “GLBA Compliant” or “HIPAA Compliant”? If so, who certifies such things?
• Isn’t “compliance” just doing what the last auditor told you to do? Is what the last auditor told you to do the right thing for you to do?
10. Managing Risk or Reacting to Compliance
Compliance
Are compliance and security the same thing?
• Many people believe so.
• The right answer is NO.
Information security is the use of Administrative, Physical and Technical controls to protect the Confidentiality, Integrity, and Availability of data.
11. Managing Risk or Reacting to Compliance
Risk
Are we ever “secure”?
• It depends. Right? No matter what we do with protection, there will always be a risk associated with unauthorized disclosure, alteration, or destruction of data.
• “Secure” is a relative term.
• Effectively managing security comes down to managing risk.
12. Managing Risk or Reacting to Compliance
Risk
Some risks are acceptable and others are not.
• What is risk?
• Risk is not intuitive. (more on this later)
• Risk = the likelihood of something bad happening + the impact if the bad thing happened.
• Risk decisions are management decisions.
14. Managing Risk or Reacting to Compliance
Risk
Risk is Not (always) Intuitive
• Who is at higher risk of an earthquake, San Francisco or Boston? Turns out that the risk is essentially the same.
In general:
• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can’t control.
• People overestimate risks that are being talked about and remain an object of public scrutiny.
15. Managing Risk or Reacting to Compliance
Compliance & Risk
Compliance is based on doing what you’re told.
Risk is based on likelihood and impact.
Compliance is reactive.
Managing risk is proactive.
Compliance is more costly.
Managing risk allows cost/benefit analysis.
Compliance is the letter of the law.
Managing risk is the intent of the law.
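As an added example that is not part of the talk or FRSecure’s material: a small risk register scored with the deck’s own definition (risk = likelihood + impact), then used two ways, once ranked by risk with management’s acceptance threshold and a budget, and once funding only what the last audit asked for. The 1–5 scales, the threshold, the dollar figures and the register entries are constructed to mirror the slides’ contrast between risk-driven and audit-driven spending; they are not data from the talk.

```python
"""Risk register scored with the deck's definition: risk = likelihood + impact.

Added example, not from the original talk or FRSecure. The 1-5 scales, the
acceptance threshold, the budget and the sample entries are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain) -- assumed scale
    impact: int              # 1 (negligible) .. 5 (severe)   -- assumed scale
    mitigation_cost: int     # one-off cost in dollars to treat the risk -- constructed
    required_by_audit: bool  # whether the last audit asked for this control

    @property
    def score(self) -> int:
        # The deck's definition: likelihood of the bad thing + impact if it happens.
        return self.likelihood + self.impact


def validate(risk: Risk) -> None:
    """Reject entries that are off the agreed scale; bad inputs make bad rankings."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: likelihood and impact must be on the 1-5 scale")


def rank_by_risk(register: list[Risk]) -> list[Risk]:
    """Highest risk first; ties broken by the cheaper mitigation."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: (-r.score, r.mitigation_cost))


def unacceptable(register: list[Risk], threshold: int) -> list[Risk]:
    """Risks management has decided it will not accept (score >= threshold)."""
    return [r for r in rank_by_risk(register) if r.score >= threshold]


def spend_plan(register: list[Risk], threshold: int, budget: int) -> list[str]:
    """Risk-driven plan: fund the largest unacceptable risks until the budget runs out."""
    funded, remaining = [], budget
    for r in unacceptable(register, threshold):
        if r.mitigation_cost <= remaining:
            funded.append(r.name)
            remaining -= r.mitigation_cost
    return funded


def compliance_plan(register: list[Risk]) -> list[str]:
    """Audit-driven plan: fund whatever the last auditor said, regardless of score."""
    return [r.name for r in register if r.required_by_audit]


# Constructed register, loosely following the deck's healthcare story.
REGISTER = [
    Risk("Unencrypted laptops and phones", likelihood=4, impact=5,
         mitigation_cost=150_000, required_by_audit=False),
    Risk("No central log review (SIEM)", likelihood=2, impact=3,
         mitigation_cost=400_000, required_by_audit=True),
    Risk("No data loss prevention (DLP)", likelihood=2, impact=2,
         mitigation_cost=200_000, required_by_audit=True),
    Risk("Shared admin passwords", likelihood=3, impact=4,
         mitigation_cost=20_000, required_by_audit=False),
]

if __name__ == "__main__":
    for r in rank_by_risk(REGISTER):
        print(f"{r.score:2d}  {r.name}")
    print("risk-driven spend:  ", spend_plan(REGISTER, threshold=7, budget=600_000))
    print("audit-driven spend: ", compliance_plan(REGISTER))
```

With these constructed numbers the audit-driven plan spends the whole $600,000 on the two controls the auditor named while the two highest-scoring risks stay untreated; the risk-driven plan treats both for $170,000 and leaves the remainder for cost/benefit decisions, which is the point slide 15 makes about intent versus letter.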
16. Managing Risk or Reacting to Compliance
Real Life Examples
Large Healthcare Organization
• Audit conducted in 2012
• Told they needed SIEM and DLP
• Spent $600,000 on new technology
• Compliant!
• Greatest (technical) risk was use of unencrypted mobile devices
• Cost to mitigate $600,000
• Products are not configured or fully utilized
• Breach occurs in 2013 – Stolen laptop
• Over $3,000,000 in costs
• Over $3,600,000 spent. Greatest risk still exists.
17. Managing Risk or Reacting to Compliance
Real Life Examples
Target
• Audited regularly & constantly
• Spend millions on compliance
• Spend millions on technology
• Compliant!
Were any of these a significant risk?
• Vendor risk management
• Information security reporting structure
• Alerting & monitoring processes
• SOC processes and training
• Incident response processes
Millions of dollars spent. Greatest risk? Last quarter profit down 46%.
Estimated costs to exceed $1,000,000,000.
18. Managing Risk or Reacting to Compliance
Social Engineering
Social Engineering is exploitation of the human factor in security; tricking a person into giving you information that could benefit you, but bring them harm.
Social Engineering is by far the most effective method of gaining unauthorized access to information. We know this, and so do the bad guys.
19. Managing Risk or Reacting to Compliance
Social Engineering
Did You Know: There were more than 74,000 unique phishing campaigns discovered during Q2/2013, leveraging over 110,000 hijacked domains and targeting more than 1,100 brands.
Email Attacks (Phishing)
• Tricking you into going to a website that looks legitimate, and convincing you to log in (or disclose other information).
• Has a 60 – 70% success rate.
• How to Avoid Phishing Scams – http://apwg.org/resources/overview/avoid-phishing-scams
20. Managing Risk or Reacting to Compliance
Social Engineering
Did You Know: A recent study shows that 30 percent of Americans will open emails, even when they know the message is malicious.
Email Attacks (Malicious Attachments)
• Tricking you into opening (or downloading/opening) a file that appears to be legitimate, but is in fact malicious.
• Has a 30 – 40% success rate.
• Don’t have blind trust in your anti-virus software. If you aren’t expecting an attachment, don’t open it. If you’re not sure, call the person who sent it to you and ask.
21. Managing Risk or Reacting to Compliance
Social Engineering
Did You Know: Most social engineering attacks go unreported by the victim.
Telephone Attacks
• Tricking you into divulging sensitive information over the phone.
• People like helping other people, something that an attacker can exploit to receive sensitive information.
• Success rate varies greatly.
• If you receive a social engineering phone call, ask them for their name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold.
22. Managing Risk or Reacting to Compliance
Social Engineering
Did You Know: Physical social engineering attacks can result in physical damage to the facility and safety dangers.
Physical Attacks
• Tricking you into giving physical access to a restricted area.
• Physical social engineering attacks require a bold attacker with a very focused agenda.
• Success rate varies greatly.
• If you can help it, don’t hold the door for others, especially those who you don’t recognize. It’s OK to ask someone you don’t know if you can help them, or to ask for identification.
23. Managing Risk or Reacting to Compliance
Social Engineering
Want a story? Pick One:
• Physical access to Fortune 100 company headquarters.
• Password disclosure almost cost someone their retirement.
• Police help me carry out an attack.
• I don’t really work for NSP.
• 60% of a bank’s employees give us their domain usernames and passwords.
24. Managing Risk or Reacting to Compliance
Thank you!
Questions?
Evan Francen, CISSP CISM
President – FRSecure
evan@frsecure.com
952-467-6384