Protecting Financial Information
Managing Risk or Reacting to Compliance
Evan Francen, CISSP CISM
FRSecure President
March 27th, 2014
Topics
Introduction
Evan Francen
FRSecure
Compliance – Reactive
Risk – Proactive
Real World Examples & Guidance
Social Engineering
Introduction
Evan Francen
• Aka “The Truth”
• Security Guy
• Weird - Different
For real…
• 20+ years of information security experience
• Co-founded FRSecure in 2008
• Worked with organizations of all sizes, including Wells Fargo, US Bank,
UnitedHealth, ADP, St. Jude, etc.
• Risk Management, Security Program Development, Social Engineering,
Mentoring, and the projects nobody else wants to do.
Introduction
FRSecure
• Information Security Management company. It’s all we do.
• Methodology - Develop, use, and share methodologies for a variety of
information security projects.
• Project Leaders – All of our project leaders have more than 15 years
of information security experience, from Fortune 100 to SMBs.
• Fully Transparent – Empowers our clients to do what we do.
• Product Agnostic – Recommendations stand on their own, with no
ulterior motive.
Compliance
What is compliance?
• Is there any such thing as “GLBA Compliant” or “HIPAA Compliant”?
  If so, who certifies such things?
• Isn’t “compliance” just doing what the last auditor told you to do?
  Is what the last auditor told you to do the right thing for you to do?
Compliance
Are compliance and security the same thing?
• Many people believe so.
• The right answer is NO.
Information security is the use of Administrative, Physical and
Technical controls to protect the Confidentiality, Integrity, and
Availability of data.
Risk
Are we ever “secure”?
• It depends. Right?
No matter what we do with protection, there will always be a
risk associated with unauthorized disclosure, alteration, or
destruction of data.
• “Secure” is a relative term.
• Effectively managing security comes down to managing risk.
Risk
Some risks are acceptable and others are not.
• What is risk?
• Risk is not intuitive. (more on this later)
• Risk = the likelihood of something bad happening + the
impact if the bad thing happened.
• Risk decisions are management decisions.
Risk
Risk Decisions
• Risk Acceptance
• Risk Avoidance
• Risk Mitigation
• Risk Ignorance
Risk
Risk is Not (always) Intuitive
• Who is at higher risk of an earthquake, San Francisco or
Boston?
Turns out that the risk is essentially the same.
In general:
• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can't
control.
• People overestimate risks that are being talked about and remain an object of public scrutiny.
Compliance & Risk
Compliance is based on doing what you’re told.
Risk is based on likelihood and impact.
Compliance is reactive.
Managing risk is proactive.
Compliance is more costly.
Managing risk allows cost/benefit analysis.
Compliance is the letter of the law.
Managing risk is the intent of the law.
Real Life Examples
Large Healthcare Organization
Audit conducted in 2012
Told they needed SIEM and DLP
Spent $600,000 on new technology
Compliant!
Greatest (technical) risk was use of
unencrypted mobile devices
Cost to mitigate $600,000
Products are not configured or fully utilized
Breach occurs in 2013 – Stolen laptop
Over $3,000,000 in costs
Over $3,600,000 spent. Greatest risk still exists
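The deck's definition of risk (likelihood + impact), its four risk decisions, and its point that managing risk allows a cost/benefit analysis while compliance does not, worked through as an added Python example. This is not FRSecure's method or code. The 1 to 5 ordinal scales, the mapping from a likelihood rating to an annual probability, the risk appetite, and every dollar figure except the two quoted from the healthcare slide ($600,000 to mitigate, over $3,000,000 in breach costs) are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed mapping from a 1..5 likelihood rating to an annual probability.
# Only the cost/benefit step uses it; the ranking uses the deck's additive score.
ANNUAL_PROBABILITY = {1: 0.02, 2: 0.10, 3: 0.25, 4: 0.50, 5: 0.90}


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (expected this year), constructed scale
    impact: int                # 1 (negligible) .. 5 (severe), constructed scale
    loss_if_realized: float    # dollars if the bad thing happens
    mitigation_cost: float     # dollars to put the control in place
    mitigation_effect: float   # fraction of the loss the control removes, 0..1

    def score(self) -> int:
        """The deck's definition: risk = likelihood + impact."""
        return self.likelihood + self.impact

    def expected_loss(self) -> float:
        """Annualized loss if nothing is done (constructed probability mapping)."""
        return ANNUAL_PROBABILITY[self.likelihood] * self.loss_if_realized

    def net_benefit(self) -> float:
        """Loss avoided by the control minus what the control costs."""
        return self.expected_loss() * self.mitigation_effect - self.mitigation_cost


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest score first; expected loss breaks ties between equal scores."""
    return sorted(risks, key=lambda r: (r.score(), r.expected_loss()), reverse=True)


def decide(risk: Risk, appetite: int) -> str:
    """One of the deck's decisions. The fourth, 'ignorance', is what you get
    when no decision is recorded at all, so it is never returned here."""
    if risk.net_benefit() > 0:
        return "mitigate"              # the control pays for itself
    if risk.score() <= appetite:
        return "accept"                # within appetite, control not worth its cost
    return "avoid"                     # too risky to accept, too costly to fix: stop the activity


def sample_register() -> List[Risk]:
    """Constructed register. The first entry uses the two figures from the healthcare
    slide; the SIEM/DLP entry reuses the $600,000 spend; the rest is made up."""
    return [
        Risk("unencrypted mobile devices", 4, 5, 3_000_000, 600_000, 0.9),
        Risk("no SIEM/DLP", 2, 3, 500_000, 600_000, 0.5),
        Risk("tailgating into the server room", 3, 2, 50_000, 5_000, 0.6),
    ]


def decisions(risks: List[Risk], appetite: int = 5) -> Dict[str, str]:
    """Management's decision for each risk, in ranked order."""
    return {r.name: decide(r, appetite) for r in rank(risks)}


if __name__ == "__main__":
    for risk in rank(sample_register()):
        print(f"{risk.score()}  ${risk.expected_loss():>12,.0f}  "
              f"${risk.net_benefit():>12,.0f}  {decide(risk, 5):8}  {risk.name}")
```

With these inputs the register ranks the unencrypted devices first (score 9, a positive net benefit of $750,000 for the $600,000 encryption spend) and shows the $600,000 SIEM/DLP purchase as a control whose cost exceeds the loss it would avoid: the compliant answer and the risk-managed answer come apart on the numbers, which is the deck's point.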
Real Life Examples
Target
Audited regularly & constantly
Spend millions on compliance
Spend millions on technology
Compliant!
Were any of these a significant risk?
• Vendor risk management
• Information security reporting structure
• Alerting & monitoring processes
• SOC processes and training
• Incident response processes
Millions of dollars spent. Greatest risk? Last quarter profit down 46%.
Estimated costs to exceed $1,000,000,000.
Social Engineering
Social Engineering is the exploitation of the human factor in security: tricking a
person into giving you information that benefits you but harms them.
Social Engineering is by far the most effective method of gaining
unauthorized access to information. We know this, and so do the bad guys.
Social Engineering
Did You Know:
There were more than 74,000 unique phishing campaigns discovered during
Q2 2013, leveraging over 110,000 hijacked domains and targeting more than
1,100 brands.
Email Attacks (Phishing)
• Tricking you into going to a website that looks legitimate, and convincing
you to log in (or disclose other information).
• Has a 60 – 70% success rate.
• How to Avoid Phishing Scams -
http://apwg.org/resources/overview/avoid-phishing-scams
Social Engineering
Did You Know:
A recent study shows that 30 percent of
Americans will open emails, even when
they know the message is malicious.
Email Attacks (Malicious Attachments)
• Tricking you into opening (or downloading/opening) a file that appears to
be legitimate, but is in fact malicious.
• Has a 30 – 40% success rate.
• Don’t have blind trust in your anti-virus software. If you aren’t
expecting an attachment, don’t open it. If you’re not sure, call
the person who sent it to you and ask.
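The phishing slide describes a site that looks legitimate and the attachment slide a file that appears legitimate. As an added example, not code from the deck or from FRSecure, here is the kind of mail-gateway triage a defender runs over both signals before a message reaches a person: trusted-domain matching after folding look-alike characters, edit distance to catch typosquats, a brand name buried in a subdomain, and attachment names that execute or hide a double extension. The trusted-domain allowlist, the confusable-character table, the extension lists and the four sample messages are constructed; `registrable_domain` takes the last two host labels, an assumption that production code replaces with the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains the organization actually sends people to.
TRUSTED_DOMAINS = {"example-bank.com", "apwg.org"}
# Digits and symbols swapped in for letters so a name reads right at a glance (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s", "@": "a"})
# Extensions that run code when opened, whatever icon the file shows (constructed, not exhaustive).
RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar", "lnk", "iso", "docm", "xlsm"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a trusted name one or two edits away is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption for this example; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """'trusted', 'lookalike', 'unknown' or 'invalid' for a link the message asks the reader to follow."""
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = domain.translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted:                    # examp1e-bank.com reads as example-bank.com
            return "lookalike"
        if trusted in host:                      # example-bank.com.verify-login.net: brand in a subdomain
            return "lookalike"
        if levenshtein(domain, trusted) <= 2:    # example-bank.co: one keystroke away
            return "lookalike"
    return "unknown"


def classify_attachment(filename: str) -> str:
    """Judge an attachment by name only: a first filter, not a substitute for scanning its content."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        return "executable"
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
        return "double extension"                # statement.pdf.zip: the document name is the lure
    return "document" if ext in DOCUMENT_EXT else "other"


def triage_message(message: dict) -> str:
    """'block', 'review' or 'deliver', from the worst signal found in the message."""
    urls = [classify_url(u) for u in message.get("urls", [])]
    attachments = [classify_attachment(a) for a in message.get("attachments", [])]
    if "lookalike" in urls or "executable" in attachments:
        return "block"
    if "unknown" in urls or "invalid" in urls or "double extension" in attachments:
        return "review"
    return "deliver"


# Constructed sample messages: one legitimate, three matching the lures the slides describe.
SAMPLE_MESSAGES = [
    {"subject": "Your statement is ready", "urls": ["https://secure.example-bank.com/login"],
     "attachments": ["statement.pdf"]},
    {"subject": "Verify your account", "urls": ["http://examp1e-bank.com/login"], "attachments": []},
    {"subject": "Invoice attached", "urls": [], "attachments": ["invoice.pdf.exe"]},
    {"subject": "Unlock your account", "urls": ["http://example-bank.com.verify-login.net/"],
     "attachments": ["statement.pdf.zip"]},
]


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    """Verdict per message, in order."""
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{verdict:8} {message['subject']}")
```

The filter is deliberately conservative in the other direction too: a link to a domain the organization has never vouched for is sent for review rather than blocked, and a double extension on an archive is a review item because legitimate senders occasionally produce them. The gateway check complements the slide's advice to the reader; it does not replace it.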
Social Engineering
Did You Know:
Most social engineering attacks go unreported by the victim.
Telephone Attacks
• Tricking you into divulging sensitive information over the phone.
• People like helping other people, something that an attacker can exploit
to receive sensitive information.
• Success rate varies greatly.
• If you receive a social engineering phone call, ask them for
their name, company and phone number. In almost every case,
the caller will disconnect when asked questions or placed on
hold.
Social Engineering
Did You Know:
Physical social engineering attacks can
result in physical damage to the facility
and safety dangers.
Physical Attacks
• Tricking you into giving physical access to a restricted area.
• Physical social engineering attacks require a bold attacker with a very
focused agenda.
• Success rate varies greatly.
• If you can help it, don’t hold the door for others; especially
those who you don’t recognize. It’s OK to ask someone you
don’t know if you can help them or ask for identification.
Social Engineering
Want a story? Pick One:
• Physical access to Fortune 100 company headquarters.
• Password disclosure almost cost someone their retirement.
• Police help me carry out an attack.
• I don’t really work for NSP.
• 60% of bank’s employees give us their domain usernames and
passwords.
Thank you!
Questions?
Evan Francen, CISSP CISM
President – FRSecure
evan@frsecure.com
952-467-6384
