Information Technology Security:
Where are Your Problems?
Precision Plus, Inc.
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
LemmermannJ@preplus.com
International Institute of Municipal Clerks
2014 Conference
May 17 - 22, 2014 – Milwaukee, WI
Information Security
Topping The Charts Everywhere!
AICPA 2013 Top 10 Technology Initiatives
1. Managing & retaining data (2)
2. Securing the IT environment (1)
3. Managing IT risk & compliance
4. Ensuring privacy
5. Managing system implementation (6)
6. Preventing & responding to fraud (9)
7. Enabling decision support & managing performance
8. Governing & managing IT investment/spending
9. Leveraging emerging technologies (6)
10. Managing vendors and service providers
Importance of Data Security
• Regulations
  • HIPAA
  • GLBA / SOX 404
  • FACTA
  • Red Flag Rules
  • PCI Standards
• Publicity
“No such thing as bad publicity
…except your own obituary.”
- Brendan Behan, Irish Dramatist
  • Damage to reputation.
  • Loss of consumer confidence.
  • Redirection of resources
SONY: 77 Million User Accounts – 12 Million Unencrypted CC #s; PlayStation Network Taken Down – Costs over $178 M
Fidelity Info Services: $13M Loss – Unauthorized Credit Card Activities
SEGA: 1.3M subscribers: names, birth dates, e-mail addresses, and passwords
UW - Milwaukee: Names and SS #s of 75,000 Students and Staff
Regulation Changes
Changes to the Federal Rules of Civil Procedure, Enacted December 1, 2006
1. Electronic documents are treated the same as physical documents!
2. Requires organizations to know what data you have and in which format it exists.
3. Forensic professionals on many sides of a case:
   1. Recovering lost or unintentionally deleted items
   2. Producing evidence that opponent said was not available
4. Handling of computer evidence
   1. Preserve evidence
   2. Maintain chain of custody
Where Is Your Data?
• The Obvious
  • Network File/Data Servers
  • Laptop Computers
  • Backup Storage Media
• The Obscure
  • Smartphones / Tablets
  • Portable Storage (USB Drives)
  • E-Mail Attachments
• The Forgotten
  • Disposed Equipment – LEASED Equipment!
Proper Disposal Rules
“Disposal practices that are reasonable and appropriate to prevent unauthorized access to, or use of, information in a consumer report.”
• Burn, pulverize, or shred papers so they cannot be reconstructed.
• Destroy or erase electronic files or media so information cannot be read or reconstructed.
• Conduct due diligence and hire a document destruction contractor.
• Due diligence could include:
  • Reviewing the contractor’s independent audit
  • Obtaining information from several references
  • Requiring certification by a recognized trade association
  • Reviewing the contractor’s information security policies or procedures
Hard Drive Data
• Study of 2nd Hand Drives
  • O & O Company:
    • 2004: 88% of Disks from eBay contained recoverable data.
    • 2005: 71%
  • Edith Cowan University – Annual study of 2nd hand hard drives
    • 2006: 48%
    • 2007: 40%
    • 2008: 38%
    • 2009: 39%
    • 2010:
    • 2011:
    • 2012: 47%
• Type of recoverable data:
  • Internal company memos
  • Legal correspondence of governmental agency
  • Credit ratings (Bank owned hard drive)
• File erasing Utilities
  • Eraser (Freeware - up to 35 overwrite passes)
  • Steganos Security Suite (up to 100 passes)
Hard Drive Data Worries
• What About Smartphones?
  • Deleting Apps Might Not Delete Data
  • SD Card Storage
  • Data Stored By Service Providers
• Tablet Computers – Same Issues as Smartphones
• Solid State Drives (SSDs)
  • Traditional Disk Wiping Utilities Do Not Work
  • “Nearly impossible to completely delete data from SSDs”
  • Physical Destruction Highly Recommended
  • Newer SSDs – Deletion Utilities with Drives
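The two slides above (file-erasing utilities such as Eraser, and why wiping does not carry over to SSDs) come down to one mechanism: overwriting a file's blocks in place before unlinking it. The following is an added example, not code from the presentation or from any of the utilities named; it implements that mechanism for a single file in Python and uses a constructed sample file. The pass count, the alternating random/zero pattern and the demo() helper are assumptions for illustration.

```python
"""Multi-pass overwrite of a file before deletion (added example, not from the slides).

This is what Eraser-style utilities do per file on a magnetic disk: overwrite the
file's bytes in place several times, flush each pass to the device, then truncate
and unlink. On SSDs and on journaling or copy-on-write file systems the write may
land on fresh blocks while the old cells survive, which is the reason the slides
recommend physical destruction or the drive vendor's own secure-erase tool there.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024

# Constructed sample content standing in for a sensitive document.
SAMPLE = b"SSN: 123-45-6789 ; payroll memo (constructed sample data)\n" * 50


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite the file at `path` in place `passes` times; return bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                block = min(CHUNK, remaining)
                # Alternate random data and zeros; the last pass for an odd count is random.
                data = secrets.token_bytes(block) if n % 2 == 0 else b"\x00" * block
                fh.write(data)
                remaining -= block
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device, not just the page cache
    return size


def shred_file(path: str, passes: int = 3) -> dict:
    """Overwrite, hide the original length, then unlink. Returns what was done."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)  # directory metadata no longer reveals the original size
    os.remove(path)
    return {"bytes_per_pass": size, "passes": passes, "removed": not os.path.exists(path)}


def demo() -> dict:
    """Write the constructed sample, confirm one pass removes the original bytes,
    then shred it. Returns the observations so they can be checked."""
    fd, path = tempfile.mkstemp(prefix="shred_demo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        after = fh.read()
    result = {
        "size_unchanged": len(after) == len(SAMPLE),
        "original_bytes_gone": b"123-45-6789" not in after and after != SAMPLE,
    }
    result.update(shred_file(path, passes=2))
    return result


if __name__ == "__main__":
    print(demo())
```

Run it on a plain file and the original bytes are gone after the first pass; run it on an SSD, or on a file system that relocates writes, and the same code gives no such guarantee, which is exactly the slide's warning.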
Data Security
How can we keep our data safe?
• Case Study: Open Records
  • How “open” do you mean?
Security Points
Five Key Points of Data Security:
Physical Security
Network Security
Application Security
External Security
Planning & Governance
Physical Security
• Access to Equipment
  • Locked server room, mobile equipment logs
• Theft Prevention Procedures
  • Cameras, user policies on mobile equipment
• Separation of Duties
  • Ordering / Inventory separate from Installers
• Hardware Inventory
  • Serial numbers, internal configurations, assignments
Network Security
• Password Policies
  • Minimum characters, forced changes, complexity
  • No sticky notes!
• Unattended Terminal Protection
  • Password protected screensavers, firm policies
• Network File Structure Security
  • User site of files, annual review process!
• Auditing Logs
  • Activate logging, review logs
• Control of Backup Tapes
  • Physical security, password protection
Password Complexity Demo
• Importance of non-dictionary passwords
  • Dictionaries now include numbers added to words
  • Alternate spelling meth0ds 1nclud3d
• Importance of length
  • Ease of brute-force attacks
  • Flaw in some encryption methods
• Importance of other characters
  • Adds to password possibilities
  • Helps to beat dictionary cracks
Password Recommendations
• Secure Password Techniques:
  • Use modified pass phrases
    • 4score&7yearsago
    • Let’sg0r3d
  • Connect words with modifier in middle
    • Milwaukeejtl07Bucks
    • Aries01thejtlram
  • Stick with constant formulas
• Use secure password database managers
  • PC / PocketPC – KeePass (http://keepass.sourceforge.net)
  • Android – KeePass, LastPass, SplashId
  • iPhone / iPad – DataVault Password Manager (iTunes store)
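The complexity demo and the recommendations above make two separate points: the brute-force search space grows with length and character set, and a dictionary word with digits or "l33t" substitutions is still a dictionary word because crackers' word lists already include those mutations. The following added example (written for this page, not part of the presentation) scores a candidate password on both counts. The six-word list, the substitution table and the guess rate of 10^10 per second are constructed assumptions; real word lists hold millions of entries.

```python
"""Password strength: brute-force keyspace vs. mutated-dictionary hits (added example)."""
import itertools
import math
import string

# Constructed mini word list standing in for a cracker's dictionary.
WORDLIST = ["password", "methods", "milwaukee", "bucks", "welcome", "summer"]
# Common letter-for-symbol substitutions that word-list rules already generate.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# Assumed attacker throughput for a fast, unsalted hash on GPU hardware.
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume, judged from the characters used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_seconds(pw: str) -> float:
    """Worst-case time to enumerate every string of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def mutations(word: str) -> set:
    """The rule-based variants a cracking word list derives from one base word."""
    variants = {word, word.capitalize(), word.upper()}
    # Every subset of substitutable positions: "methods" -> "meth0ds", "m3th0d5", ...
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(1, len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i]]
            variants.add("".join(chars))
    # Appended numbers and years: "Password1", "welcome2014", ...
    for v in list(variants):
        for n in range(100):
            variants.add(f"{v}{n}")
        for year in range(1950, 2030):
            variants.add(f"{v}{year}")
    return variants


def in_mutated_dictionary(pw: str) -> bool:
    return any(pw in mutations(w) for w in WORDLIST)


def assess(pw: str) -> dict:
    """Combine both views: search space for brute force, and dictionary exposure."""
    if not pw:
        raise ValueError("empty password")
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "keyspace_bits": round(math.log2(charset_size(pw) ** len(pw)), 1),
        "brute_force_seconds": brute_force_seconds(pw),
        "dictionary_hit": in_mutated_dictionary(pw),
    }


if __name__ == "__main__":
    for candidate in ["meth0ds", "Password1", "4score&7yearsago", "Milwaukeejtl07Bucks"]:
        print(candidate, assess(candidate))
```

"meth0ds" has a 36-character alphabet and 7 characters (about 36 bits) and also falls to the mutated dictionary, while the slide's pass phrase "4score&7yearsago" is 16 characters over 68 symbols (about 97 bits) and matches no mutation. The keyspace figure is an upper bound on attacker effort, which is why the dictionary check matters more than the bit count for short, word-based passwords.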
Application Security
• Key Application Security
  • Accounting, HR, or other sensitive data applications
  • Follow password standards of network
  • Segregation of duties / Reporting Controls
• Anti-Virus Protection (Symantec, McAfee, etc.)
  • Server based, automatic updates of workstations
  • E-mail protection
• Patch Maintenance
  • Windows Update Services
• Employee Training
  • Dangerous Files, E-Mail Concerns, Web Surfing
• Spyware Protection
Spyware – Detecting & Eliminating
• Signs you have been infected:
  • Random “Security” pop-up windows appear when browsing.
  • Normal home page has been replaced.
  • Drop in computer performance.
  • New search bars have appeared in web browser.
• Removal help:
  • Cleaning Programs: ComboFix, SpyBot Search & Destroy
  • Monitoring & Prevention: SuperAntiSpyware, MS Defender
• Other Tools:
  • Startup Inspector
  • Pop-up Blocker - Google
  • www.processlibrary.com
External Access Security
• Cannot have without other elements!
  • Weakness in other areas can defeat the best external security.
• Access method security (VPN, Citrix, etc.)
• Data Encryption
• User Education
  • Activities to avoid
  • Popular methods of capturing data:
    • Shoulder surfing
    • Key logging / capturing programs
    • Packet sniffing
    • Wireless worries
Wireless Security
• Control Access
  • Change Defaults!
    • Administrator Password
    • Network SSID
  • MAC Filtering
    • List of authorized wireless Ethernet cards
  • Minimize Access Points
    • Scan self for “rogue” access points
      • Heatmapper
      • WiFi Analyzer (Android Tool)
  • Control own equipment’s access
Wireless Security
• Control Data - Encryption
  • WEP – Wired Equivalency Protocol
    • Set to highest level supported
    • WEP has deficiencies:
      • Both 40-bit and 128-bit keys have been hacked
      • Use still will prevent or delay hack attempts
  • WPA – Wi-Fi Protected Access (WPA2)
    • Subset of developing 802.11i Standard
    • Some devices updateable to support standard
• Case Study: Wireless Risks
  • The “Cantenna” T.J. Maxx Breach
Planning & Governance
• Align IT Goals with Business Goals
  • Does the IT Department work for you or run you?
  • Is IT Planning part of the overall strategic planning process?
  • Steering committee: department head involvement!
• Must-Have Plans:
  • Disaster Recovery → Business Continuity
    • Testing!
    • Involvement of all departments – what are their needs?
  • Incident Response Plan
    • Data disclosure events
    • Contact Requirements
Case Study: Incident Response Plans
Starting point: April, 2011
Type: Network Intrusion - External
Records affected: 101.6 million
Estimated costs: $171 million outlay ($1025 Million all considered*)
Affected entities: Sony Pictures, Sony Corporation of America, Sony Online Entertainment, Sony PlayStation Network.
* - lost business, various compensation costs and new investments, assuming that no additional security problems emerge.
Sony – Breach Timeline
• 2009 – “geohot” announces intention to jailbreak PS3
• March, 2010 – Sony removes functionality on PS3 to install another O/S (to block jailbreak effort.)
• January 2, 2011 - Geohot (George Hotz) jailbreaks PS3 and publishes code online
• January 11, 2011 – Sony sues geohot – seeks to stop
• April 2, 2011 – Sony announces settlement
• April 13, 2011 – Anonymous announces attack on Sony
“In the eyes of the law, the case is closed, for Anonymous it is just beginning… prepare for the biggest attack you have ever witnessed, Anonymous style.”
Sony – Breach Timeline
• April 16 – Sony Online Entertainment (SOE)
  • 25 million user details / 23 K credit/debit cards
• April 17 – PlayStation Network
  • 77 million user details
• April 20 – Sony shuts down PlayStation Network
• April 26 – Sony publicly discloses PlayStation breach
• May 1 – Investigators discover SOE breach
• May 2 – Sony publicly discloses SOE breach
“We are trying to fight criminal activities by corporations and governments, not steal credit cards.”
Sony – Lesson 1
• In the public eye - assume you are going to be a target
  • Was Sony right to go after geohot?
  • Doesn’t matter if you are in IT
  • If the effort is coordinated they will get in
• Limit the attack surface
  • Only ask for and store necessary data from users
  • What really needs to be exposed to the Internet?
Sony – Lesson 2
• PR Campaigns Matter
  • Minimize enemy creation
  • Response to hacking incident is critical to retention
  • People hate being lied to!
• Contingency Plan Development
  • DDoS attacks are a form of disaster event
  • Practice recovering from them
Policies & Procedures
• Policies in general:
  • Signature requirements → acknowledgement
  • Redistribution of policy → general availability
  • Centralize & minimize total number
  • Training opportunity on changes!
• Important groupings:
  • Computer Use Policy
    • Internet Use
    • E-Mail Use
  • IT Security Policy
    • Confidentiality statements
    • Data handling and storage
    • Data retention & destruction
Policies & Procedures – Updating
• The importance of reviewing and updating policies:
  • What happens when two worlds collide?
    • Can social media be used for public debate?
    • What rules are in place for posting information by the elected?
    • How can the use of social media be policed?
Sunshine Laws
Data Security
Updating our policies and procedures is a critical part of the circle.
Knowing Our Enemies
Is that all there is to it?
FRAUD: deceit, trickery, sharp practice, or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage.
No functional network is impervious.
Internal Fraud
• Fraud usually comes from within:
  • On average, 6% of an organization’s revenue is lost to internal fraud.
  • Small company loss - $127,500 per incident
  • Large company loss - $97,000 per incident
  • Schemes involving non-cash assets are more costly
  • Men out-steal women $200,000 to $60,000 per incident
  • Education levels:
    • Those with a high school education steal $70,000 per incident
    • Those with a post-graduate degree steal $162,000
    • Those with a bachelor’s degree steal $243,000
  • 45% of companies report unauthorized access of data by insiders!
• Case Study: The City of San Francisco
  • Whose network is it anyway?
  • Terry Childs – Cisco Certified Internetworking Engineer
    • Built & Managed the city-wide network (core of networks)
    • Elevated rights to sole administrator – always on call
Attack Origins
Points of Origin of Network Attacks
• Internal
  • Harder to protect against – productivity vs. security
  • Motivations:
    • Personal Gain
    • Revenge (Missed promotion, about to be fired)
    • Job Security
• External
  • Hard to identify source
  • Motivations:
    • Random Attack
    • Revenge (Former employee, angry client, competitor)
    • Industrial Espionage
A Typical IT Hack
[Diagram: an Unethical Hacker (UH) steals SS’s Information (employee, customer, and vendor records) from the Organization Data Store by cracking the database, wireless sniffing, or social engineering; the UH posts the information; a buyer (HH) buys the information, transfers money, and opens charge accounts.]
Computer Fraud – First Steps
1. Stop using compromised system!
   • Every action changes computer environment
   • Preservation of hard drive and memory contents
   • Isolate System
     • Physically disconnect system from Internet if exposed
     • If intranet threat is possible, isolate from local network
2. Record visual information from PC
   • Running applications
   • Items in system tray
3. Utilize drive duplication tools to create copy of drive
   • Refer to item #1
   • Allows for other tests to be tried without losing original evidence
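The third step above, duplicating the drive so that tests run on a copy rather than the original, only holds up later if the copy is verifiably identical and the custody record shows it. The following added example (written for this page, not from the presentation or any forensic product) images a source file standing in for a drive, hashes source and image before and after, writes a chain-of-custody record, and then shows that tests on a working copy leave the master image verifiable. The file names, the examiner name and the sample contents are constructed; on a real case the source would be a write-blocked device.

```python
"""Evidence imaging with hash verification and a custody log (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source: str, image_path: str, examiner: str, log_path: str) -> dict:
    """Bit-for-bit copy of `source` into `image_path`, verified, with a custody record."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    after_source = sha256_of(source)  # imaging must not have altered the original
    image_hash = sha256_of(image_path)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "source_sha256_before": before,
        "source_sha256_after": after_source,
        "image_sha256": image_hash,
        "verified": before == after_source == image_hash,
    }
    with open(log_path, "a") as log:  # append-only, one JSON record per event
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-check an image against the recorded hash, e.g. before each analysis session."""
    return sha256_of(image_path) == expected_sha256


def demo() -> dict:
    work = tempfile.mkdtemp(prefix="forensic_demo_")
    source = os.path.join(work, "sdb.raw")  # constructed stand-in for a seized drive
    with open(source, "wb") as fh:
        fh.write(b"constructed disk contents: ledger.xls mail.pst deleted.tmp\n" * 2000)
    master = os.path.join(work, "sdb.dd")
    log = os.path.join(work, "custody.jsonl")
    record = image_device(source, master, "J. Examiner (hypothetical)", log)

    # Step 3 on the slide: run tests on a working copy, never on the master image.
    working = os.path.join(work, "sdb-working.dd")
    shutil.copyfile(master, working)
    with open(working, "r+b") as fh:
        fh.write(b"X")  # a tool (or a mistake) changes the working copy
    with open(log) as fh:
        log_lines = sum(1 for _ in fh)
    return {
        "verified": record["verified"],
        "master_intact": verify_image(master, record["image_sha256"]),
        "working_copy_intact": verify_image(working, record["image_sha256"]),
        "log_lines": log_lines,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log pairs each hash with a timestamp and examiner, so a later reviewer can tie the analysed image back to the original drive; the working copy fails verification after the edit, which is the reason the slide sends analysis to a copy and keeps the master untouched.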
Goals of Computer Forensics
• Preservation of Evidence
Adherence to a carefully developed set of procedures that address security, authenticity, and chain-of-custody.
• Analysis of User Activity
Reporting of all user activity on computer and company network including, but not limited to, e-mail, Internet and Intranet files accessed, files created and deleted, and user access times.
• Password Recovery
Accessing and recovering data from password protected files.
Fraud: Preemptive Tools
• Computer audit logs
  • Enable auditing (default is normally not enabled)
  • Ensure size is sufficient (avoid overwriting)
  • Copied to remote storage/permanent media at regular intervals
• Utilize other logging tools:
  • Keystroke Loggers
  • Screenshot Recording
  • Shadowing Capabilities
  • E-Mail and Instant Messaging Archives
• Ethical Considerations
  • Computer Use Policy – notification of right to trace actions
  • Control access to implemented tools
  • Ensure proper and ethical use
Other Threats:
• Phishing
  • Banking Spoofs, eBay Accounts, etc.
  • New Evolution: Pharming
    • “Poisoning” of DNS Record to redirect request
    • Site could be exact duplicate of intended site
• Malware
  • Key-loggers & Screen Capture Programs
  • Browser Hi-jacks
Phishing – How can you tell?
• How can you tell a legitimate email from a phony?
Other Threats:
• URL Shorteners
  • Tinyurl, bit.ly, sn.im
  • Creates a short link from a long internet address
  • Problem if malware site is being hidden
  • Study of URL shorteners:
    • Stage 1 Compliant if it appears to use a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain.
    • Stage 2 Compliant if it uses a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain or malicious full URL hosted on that domain.
Scanning Yourself
• Footprinting
  • Gaining parameters of network
  • Areas of search
    • Google Searches
    • Usenet/Newsgroup Searches
    • ARIN Records – DNS Stuff
• Vulnerability Assessments
  • Finding rabbit holes - weak points in your network
  • Online Tools
  • Nessus (www.nessus.org)
    • Registered vs. Direct Feed
    • Windows & Linux Versions
    • External Use
    • Internal Use
• Penetration Testing
  • How far down does the rabbit hole go?
  • Care in performing exploits – not for amateurs!
  • Metasploit
Understand Your Enemies
• You have to understand their tactics to better stop them.
  • Hacking for Dummies by Kevin Beaver, Stuart McClure
  • Certified Ethical Hacking – Training & Certification
    • Vulnerability Assessments
    • Penetration Testing
  • On-line Resources
  • Print Resources
The Elements of IT Security
Example one: PHISHING
Right click the message and select “VIEW SOURCE”
Actual source of the e-mail in html format:
Example 2: Citibank Phishing
FRAUD ALERT
CitiBank phishing email - "Read Now! Important Message From Citibank"
Date Issued: April 13 2004
Customers of CitiBank are the targets of the latest phishing email scams.
The email claims to be from "Citi Identity Theft Solutions", and directs customers that they must update their ATM/Debit Card PIN. Users are instructed to click on a link within the email and enter their debit card number and ATM PIN in a form on a fake website. The fake website is displayed in a small window, while the real CitiBank website is displayed in the background. This gives the users a false sense of security in entering their personal information.
A copy of the email is displayed below:
The WebSite is shown below:
What to do?
If you receive an e-mail similar to this, do nothing. Do not reply to the e-mail and do not give any personal details to the
sender.
If you do receive similar emails, or any email that you think may be fraudulent, please forward to FraudWatch International
at:
scams@fraudwatchinternational.com
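"View source" is the practical answer to "how can you tell?": in the HTML, the visible link text and the real destination are separate, and the Citibank message above relied on that gap (plus a window covering the real site). The following added example, not from the presentation or from FraudWatch, is a small checker that reads an HTML message with Python's html.parser and flags the indicators the slides describe: link text naming one site while the href goes elsewhere, raw IP hosts, javascript: links, and the URL shorteners named on the "Other Threats" slide, which hide the destination entirely. The sample message and the sender domain citibank.example are constructed; the two-label "registrable domain" rule is a simplification (real code would use the public suffix list).

```python
"""Flag phishing indicators in the HTML source of an e-mail (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly", "sn.im"}  # the services named on the slide

# Constructed sample message modelled on the Citibank alert above (not the real e-mail).
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please confirm your ATM/Debit Card PIN.</p>
<a href="http://203.0.113.5/citi/update">https://www.citibank.example/verify</a><br>
<a href="http://bit.ly/constructed1">Read Now! Important Message From Citibank</a><br>
<a href="https://www.citibank.example/privacy">Privacy policy</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels only: a constructed simplification of the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html: str, claimed_sender_domain: str) -> list:
    """One finding per link: the href, its visible text, and the reasons it looks wrong."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if urlparse(href).scheme.lower() == "javascript":
            reasons.append("javascript: link")
        if is_ip(host):
            reasons.append("raw IP address host")
        if host in SHORTENERS:
            reasons.append("URL shortener hides destination")
        # If the visible text looks like a URL or host name, compare it with the real target.
        looks_like_url = "." in text and " " not in text
        text_host = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
        if text_host and registrable(text_host) != registrable(host):
            reasons.append(f"link text shows {text_host} but points to {host}")
        if host and registrable(host) != registrable(claimed_sender_domain.lower()):
            reasons.append("host outside the claimed sender's domain")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def is_suspicious(html: str, claimed_sender_domain: str) -> bool:
    return any(f["reasons"] for f in analyze_links(html, claimed_sender_domain))


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL, "citibank.example"):
        print(f["href"], "->", f["reasons"] or "no findings")
```

Against the constructed message, the first link is flagged three ways (raw IP, text/href mismatch, outside the sender's domain), the bit.ly link is flagged as a shortener, and the genuine privacy-policy link produces no finding, which is the kind of triage a help desk can run on a forwarded message before anyone clicks anything.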
Reprinted from: http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
Sample Acceptable Use Policy
1.0 Overview
InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary
to <Company Name>'s established culture of openness, trust and integrity. InfoSec is committed to
protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by
individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software,
operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP,
are the property of <Company Name>. These systems are to be used for business purposes in serving the
interests of the company, and of our clients and customers in the course of normal operations. Please
review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every <Company Name>
employee and affiliate who deals with information and/or information systems. It is the responsibility of
every computer user to know these guidelines, and to conduct their activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>.
These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes
<Company Name> to risks including virus attacks, compromise of network systems and services, and legal
issues.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at <Company
Name>, including all personnel affiliated with third parties. This policy applies to all equipment that is
owned or leased by <Company Name>.
4.0 Policy
4.1 General Use and Ownership
1. While <Company Name>'s network administration desires to provide a reasonable level of
privacy, users should be aware that the data they create on the corporate systems remains the
property of <Company Name>. Because of the need to protect <Company Name>'s network,
management cannot guarantee the confidentiality of information stored on any network device
belonging to <Company Name>.
2. Employees are responsible for exercising good judgment regarding the reasonableness of personal
use. Individual departments are responsible for creating guidelines concerning personal use of
Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by
departmental policies on personal use, and if there is any uncertainty, employees should consult
their supervisor or manager.
3. InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted.
For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For
guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within <Company Name>
may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy.
5. <Company Name> reserves the right to audit networks and systems on a periodic basis to ensure
compliance with this policy.
4.2 Security and Proprietary Information
1. The user interface for information contained on Internet/Intranet/Extranet-related systems should
be classified as either confidential or not confidential, as defined by corporate confidentiality
guidelines, details of which can be found in Human Resources policies. Examples of confidential
information include but are not limited to: company private, corporate strategies, competitor
sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all
necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. Authorized users are responsible for the
security of their passwords and accounts. System level passwords should be changed quarterly,
user level passwords should be changed every six months.
3. All PCs, laptops and workstations should be secured with a password-protected screensaver with
the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for
Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy.
5. Because information contained on portable computers is especially vulnerable, special care should
be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
6. Postings by employees from a <Company Name> email address to newsgroups should contain a
disclaimer stating that the opinions expressed are strictly their own and not necessarily those of
<Company Name>, unless posting is in the course of business duties.
7. All hosts used by the employee that are connected to the <Company Name>
Internet/Intranet/Extranet, whether owned by the employee or <Company Name>, shall be
continually executing approved virus-scanning software with a current virus database, unless
overridden by departmental or group policy.
8. Employees must use extreme caution when opening e-mail attachments received from unknown
senders, which may contain viruses, e-mail bombs, or Trojan horse code.
4.3. Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions
during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need
to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of <Company Name> authorized to engage in any activity that is
illegal under local, state, federal or international law while utilizing <Company Name>-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall
into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or
other intellectual property, or similar laws or regulations, including, but not limited to, the
installation or distribution of "pirated" or other software products that are not appropriately
licensed for use by <Company Name>.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and
distribution of photographs from magazines, books or other copyrighted sources, copyrighted
music, and the installation of any copyrighted software for which <Company Name> or the end
user does not have an active license is strictly prohibited.
3. Exporting software, technical information, encryption software or technology, in violation of
international or regional export control laws, is illegal. The appropriate management should be
consulted prior to export of any material that is in question.
4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan
horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This
includes family and other household members when work is being done at home.
6. Using a <Company Name> computing asset to actively engage in procuring or transmitting
material that is in violation of sexual harassment or hostile workplace laws in the user's local
jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any <Company Name>
account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include,
but are not limited to, accessing data of which the employee is not an intended recipient or
logging into a server or account that the employee is not expressly authorized to access, unless
these duties are within the scope of regular duties. For purposes of this section, "disruption"
includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service,
and forged routing information for malicious purposes.
10. Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is
made.
11. Executing any form of network monitoring which will intercept data not intended for the
employee's host, unless this activity is a part of the employee's normal job/duty.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than the employee's host (for example, denial
of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to interfere
with, or disable, a user's terminal session, via any means, locally or via the
Internet/Intranet/Extranet.
15. Providing information about, or lists of, <Company Name> employees to parties outside
<Company Name>.
Email and Communications Activities
1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising
material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or
size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account, with the
intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within <Company Name>'s networks of other
Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by
<Company Name> or connected via <Company Name>'s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups
(newsgroup spam).
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.
6.0 Definitions
Term: Spam
Definition: Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History
Questions & Answers
"The search for static security - in the law and elsewhere -
is misguided. The fact is security can only be achieved
through constant change, adapting old ideas that have
outlived their usefulness to current facts."
- Canadian physician, William Osler
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
Chief Financial Officer / Information Officer
Precision Plus, Inc.
840 Koopman Ln.
Elkhorn, WI 53121
LemmermannJ@preplus.com

Tech Talk: Preventing Data Breaches with Risk-Aware Session ManagementTech Talk: Preventing Data Breaches with Risk-Aware Session Management
Tech Talk: Preventing Data Breaches with Risk-Aware Session Management
 
Mobile Security Attacks: A Glimpse from the Trenches - Yair Amit, Skycure
Mobile Security Attacks: A Glimpse from the Trenches - Yair Amit, SkycureMobile Security Attacks: A Glimpse from the Trenches - Yair Amit, Skycure
Mobile Security Attacks: A Glimpse from the Trenches - Yair Amit, Skycure
 
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
 
sc_can0315_28373
sc_can0315_28373sc_can0315_28373
sc_can0315_28373
 
Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...
Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...
Riding the Seven Waves of Change That Will Power, or Crush, Your Digital Busi...
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
 
Bring Your Own Internet of Things: BYO‐IoT
Bring Your Own Internet of Things: BYO‐IoTBring Your Own Internet of Things: BYO‐IoT
Bring Your Own Internet of Things: BYO‐IoT
 
Security concepts
Security conceptsSecurity concepts
Security concepts
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-na
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
 
Acuent Security
Acuent Security Acuent Security
Acuent Security
 
Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!
 

Similar a IT Security Presentation - IIMC 2014 Conference

CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
mccormicknadine86
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
sleeperharwell
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10
jpmccormack
 
IT Security for the Physical Security Professional
IT Security for the Physical Security ProfessionalIT Security for the Physical Security Professional
IT Security for the Physical Security Professional
ciso_insights
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
Patty Buckley
 
Business ethics ppt
Business ethics pptBusiness ethics ppt
Business ethics ppt
Wulax37
 
SplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud Detection
Splunk
 

Similar a IT Security Presentation - IIMC 2014 Conference (20)

Information Security
Information SecurityInformation Security
Information Security
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
IT Security for the Physical Security Professional
IT Security for the Physical Security ProfessionalIT Security for the Physical Security Professional
IT Security for the Physical Security Professional
 
Guard Era Security Overview Preso (Draft)
Guard Era Security Overview Preso (Draft)Guard Era Security Overview Preso (Draft)
Guard Era Security Overview Preso (Draft)
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
 
IRJET- Data Leak Prevention System: A Survey
IRJET-  	  Data Leak Prevention System: A SurveyIRJET-  	  Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
 
Search Inform DLP
Search Inform DLPSearch Inform DLP
Search Inform DLP
 
Cybersecurity…real world solutions
Cybersecurity…real world solutions Cybersecurity…real world solutions
Cybersecurity…real world solutions
 
Business ethics ppt
Business ethics pptBusiness ethics ppt
Business ethics ppt
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to Infrastructure
 
Kevin Wharram Security Summit
Kevin Wharram Security SummitKevin Wharram Security Summit
Kevin Wharram Security Summit
 
SplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunkLive! Splunk for Insider Threats and Fraud Detection
SplunkLive! Splunk for Insider Threats and Fraud Detection
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 

Último

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

IT Security Presentation - IIMC 2014 Conference

• 3. Where Is Your Data?
 - The Obvious
   - Network File/Data Servers
   - Laptop Computers
   - Backup Storage Media
 - The Obscure
   - Smartphones / Tablets
   - Portable Storage (USB Drives)
   - E-Mail Attachments
 - The Forgotten
   - Disposed Equipment – LEASED Equipment!

Proper Disposal Rules
"Disposal practices that are reasonable and appropriate to prevent unauthorized access to – or use of – information in a consumer report."
 - Burn, pulverize, or shred papers so they cannot be reconstructed.
 - Destroy or erase electronic files or media so information cannot be read or reconstructed.
 - Conduct due diligence and hire a document destruction contractor.
 - Due diligence could include:
   - Reviewing the contractor's independent audit
   - Obtaining information from several references
   - Requiring certification by a recognized trade association
   - Reviewing the contractor's information security policies or procedures

Hard Drive Data
 - Study of 2nd-hand drives
   - O & O Company:
     - 2004: 88% of disks from eBay contained recoverable data.
     - 2005: 71%
   - Edith Cowan University – annual study of 2nd-hand hard drives
     - 2006: 48%
     - 2007: 40%
     - 2008: 38%
     - 2009: 39%
     - 2010:
     - 2011:
     - 2012: 47%
 - Type of recoverable data:
   - Internal company memos
   - Legal correspondence of a governmental agency
   - Credit ratings (bank-owned hard drive)
 - File erasing utilities
   - Eraser (freeware – up to 35 overwrite passes)
   - Steganos Security Suite (up to 100 passes)
• 4. Hard Drive Data Worries
 - What About Smartphones?
   - Deleting apps might not delete data
   - SD card storage
   - Data stored by service providers
 - Tablet Computers – same issues as smartphones
 - Solid State Drives (SSDs)
   - Traditional disk wiping utilities do not work
   - "Nearly impossible to completely delete data from SSDs"
   - Physical destruction highly recommended
   - Newer SSDs – deletion utilities ship with the drives

Data Security
How can we keep our data safe?
 - Case Study: Open Records
   - How "open" do you mean?
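The overwrite-pass utilities listed under Hard Drive Data and the SSD caveat just above, as an added example that is not part of the presentation: a multi-pass file overwrite that first reads the Linux kernel's rotational flag for the backing device and refuses non-rotational media, where overwrite passes do not reliably erase. The function names, the default pass count and the constructed sysfs tree in `self_check` are assumptions.

```python
"""Added example: multi-pass file overwrite with an SSD guard (not part of the presentation)."""
import os
import secrets
import tempfile


def overwrite_file(path, passes=3, chunk=64 * 1024):
    """Overwrite every byte of `path` with random data `passes` times, sync, then unlink.

    Returns the total number of bytes written. This only makes sense on rotating media:
    an SSD or flash controller may map each write to fresh cells, leaving the old ones.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())  # force this pass onto the platter before the next one
    os.remove(path)
    return written


def drive_is_rotational(device, sysfs_root="/sys/block"):
    """Linux sysfs check: True for a spinning disk, False for SSD/flash, None if unknown.

    `device` is a block device name such as "sda"; the kernel exposes the flag at
    <sysfs_root>/<device>/queue/rotational.
    """
    flag = os.path.join(sysfs_root, device, "queue", "rotational")
    try:
        with open(flag) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def wipe_if_safe(path, device, passes=3, sysfs_root="/sys/block"):
    """Overwrite `path` only when the backing device is known to be rotational."""
    rotational = drive_is_rotational(device, sysfs_root)
    if rotational is False:
        raise RuntimeError(f"{device} is non-rotational (SSD/flash): overwrite passes are not "
                           "reliable; use the vendor secure-erase command or physical destruction")
    if rotational is None:
        raise RuntimeError(f"cannot determine media type for {device}; refusing to guess")
    return overwrite_file(path, passes)


def self_check():
    """Exercise the functions against a constructed sysfs tree and a throwaway file.

    Returns a dict of results so the behaviour can be checked without touching real disks.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed sysfs: "hdd0" reports rotational=1, "ssd0" reports rotational=0.
        for name, value in (("hdd0", "1\n"), ("ssd0", "0\n")):
            os.makedirs(os.path.join(root, name, "queue"))
            with open(os.path.join(root, name, "queue", "rotational"), "w") as fh:
                fh.write(value)
        results["hdd_rotational"] = drive_is_rotational("hdd0", root)
        results["ssd_rotational"] = drive_is_rotational("ssd0", root)
        results["missing"] = drive_is_rotational("nvme9", root)

        target = os.path.join(root, "memo.txt")
        with open(target, "wb") as fh:
            fh.write(b"A" * 150_000)
        try:
            wipe_if_safe(target, "ssd0", sysfs_root=root)
            results["ssd_refused"] = False
        except RuntimeError:
            results["ssd_refused"] = True
        results["still_exists_after_refusal"] = os.path.exists(target)

        results["bytes_written"] = wipe_if_safe(target, "hdd0", passes=2, sysfs_root=root)
        results["exists_after_wipe"] = os.path.exists(target)
    return results


if __name__ == "__main__":
    print(self_check())
```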
• 5. Security Points
Five Key Points of Data Security:
 - Physical Security
 - Network Security
 - Application Security
 - External Security
 - Planning & Governance

Physical Security
 - Access to Equipment
   - Locked server room, mobile equipment logs
 - Theft Prevention Procedures
   - Cameras, user policies on mobile equipment
 - Separation of Duties
   - Ordering / Inventory separate from Installers
 - Hardware Inventory
   - Serial numbers, internal configurations, assignments

Network Security
 - Password Policies
   - Minimum characters, forced changes, complexity
   - No sticky notes!
 - Unattended Terminal Protection
   - Password-protected screensavers, firm policies
 - Network File Structure Security
   - User site of files, annual review process!
 - Auditing Logs
   - Activate logging, review logs
 - Control of Backup Tapes
   - Physical security, password protection
• 6. Password Complexity Demo
 - Importance of non-dictionary passwords
   - Dictionaries now include numbers added to words
   - Alternate spelling meth0ds 1nclud3d
 - Importance of length
   - Ease of brute-force attacks
   - Flaw in some encryption methods
 - Importance of other characters
   - Adds to password possibilities
   - Helps to beat dictionary cracks

Password Recommendations
 - Secure Password Techniques:
   - Use modified pass phrases
     - 4score&7yearsago
     - Let'sg0r3d
   - Connect words with a modifier in the middle
     - Milwaukeejtl07Bucks
     - Aries01thejtlram
   - Stick with constant formulas
 - Use secure password database managers
   - PC / PocketPC – KeePass (http://keepass.sourceforge.net)
   - Android – KeePass, LastPass, SplashId
   - iPhone / iPad – DataVault Password Manager (iTunes store)

Application Security
 - Key Application Security
   - Accounting, HR, or other sensitive data applications
   - Follow password standards of the network
   - Segregation of duties / Reporting Controls
 - Anti-Virus Protection (Symantec, McAfee, etc.)
   - Server based, automatic updates of workstations
   - E-mail protection
 - Patch Maintenance
   - Windows Update Services
 - Employee Training
   - Dangerous Files, E-Mail Concerns, Web Surfing
 - Spyware Protection
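The three points of the Password Complexity Demo (dictionary words with digits or leet spelling, length, extra character classes), as an added policy check that is not part of the presentation: it undoes the substitutions cracking dictionaries already include, then sizes the brute-force search space. The wordlist, the leet table and the thresholds in `assess` are assumptions; the sample passwords are the ones on the slide.

```python
"""Added example: check a candidate password against the three points of the slide."""
import math
import re
import string

# Constructed mini wordlist; a real check uses a full dictionary plus leaked-password lists.
WORDLIST = {
    "password", "welcome", "letmein", "summer", "milwaukee", "bucks",
    "method", "methods", "include", "included", "packers", "clerk",
}

# Substitutions cracking dictionaries already know about (the slide's "meth0ds 1nclud3d").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(pw):
    """Forms a cracker would try: lower-cased, digits trimmed from the ends, leet undone."""
    low = pw.lower()
    trimmed = re.sub(r"^\d+|\d+$", "", low)
    return {low, trimmed, low.translate(LEET), trimmed.translate(LEET)}


def dictionary_hit(pw):
    """True when any candidate form is a plain dictionary word."""
    return any(c in WORDLIST for c in candidates(pw))


def charset_size(pw):
    """Size of the alphabet an attacker must assume from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_bits(pw):
    """log2 of the search space for this length and alphabet; each extra character adds ~5-6 bits."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def assess(pw, min_len=10, min_bits=60):
    """Return the list of policy failures (empty list = acceptable). Thresholds are assumptions."""
    problems = []
    if dictionary_hit(pw):
        problems.append("dictionary word (digit suffix / leet spelling do not help)")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if brute_force_bits(pw) < min_bits:
        problems.append(f"brute-force space below {min_bits} bits")
    return problems


if __name__ == "__main__":
    for sample in ("Password1", "meth0ds", "Let'sg0r3d", "Milwaukeejtl07Bucks"):
        print(f"{sample!r}: {assess(sample) or 'OK'}")
```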
• 7. Spyware – Detecting & Eliminating
 - Signs you have been infected:
   - Random "Security" pop-up windows appear when browsing.
   - Normal home page has been replaced.
   - Drop in computer performance.
   - New search bars have appeared in the web browser.
 - Removal help:
   - Cleaning Programs: ComboFix, SpyBot Search & Destroy
   - Monitoring & Prevention: SuperAntiSpyware, MS Defender
 - Other Tools:
   - Startup Inspector
   - Pop-up Blocker - Google
   - www.processlibrary.com

External Access Security
 - Cannot have without the other elements!
   - Weakness in other areas can defeat the best external security.
 - Access method security (VPN, Citrix, etc.)
 - Data Encryption
 - User Education
   - Activities to avoid
   - Popular methods of capturing data:
     - Shoulder surfing
     - Key logging / capturing programs
     - Packet sniffing
     - Wireless worries

Wireless Security
 - Control Access
   - Change Defaults!
     - Administrator Password
     - Network SSID
   - MAC Filtering
     - List of authorized wireless Ethernet cards
   - Minimize Access Points
     - Scan yourself for "rogue" access points
       - Heatmapper
       - WiFi Analyzer (Android tool)
   - Control your own equipment's access
• 8. Wireless Security
 - Control Data - Encryption
   - WEP – Wired Equivalency Protocol
     - Set to the highest level supported
     - WEP has deficiencies:
       - Both 40-bit and 128-bit keys have been hacked
       - Use will still prevent or delay hack attempts
   - WPA – Wi-Fi Protected Access (WPA2)
     - Subset of the developing 802.11i Standard
     - Some devices updateable to support the standard
 - Case Study: Wireless Risks
   - The "Cantenna"
   - T.J. Maxx Breach

Planning & Governance
 - Align IT Goals with Business Goals
   - Does the IT Department work for you or run you?
   - Is IT Planning part of the overall strategic planning process?
   - Steering committee: department head involvement!
 - Must-Have Plans:
   - Disaster Recovery / Business Continuity
     - Testing!
     - Involvement of all departments – what are their needs?
   - Incident Response Plan
     - Data disclosure events
     - Contact Requirements
• 9. Case Study: Incident Response Plans
 - Starting point: April, 2011
 - Type: Network Intrusion - External
 - Records affected: 101.6 million
 - Estimated costs: $171 million outlay ($1025 Million all considered*)
 - Affected entities: Sony Pictures, Sony Corporation of America, Sony Online Entertainment, Sony PlayStation Network.
 * - lost business, various compensation costs and new investments, assuming that no additional security problems emerge.

Sony – Breach Timeline
 - 2009 – "geohot" announces intention to jailbreak the PS3
 - March, 2010 – Sony removes the PS3 functionality to install another O/S (to block the jailbreak effort)
 - January 2, 2011 – geohot (George Hotz) jailbreaks the PS3 and publishes the code online
 - January 11, 2011 – Sony sues geohot – seeks to stop him
 - April 2, 2011 – Sony announces settlement
 - April 13, 2011 – Anonymous announces attack on Sony
   "In the eyes of the law, the case is closed, for Anonymous it is just beginning… prepare for the biggest attack you have ever witnessed, Anonymous style."

Sony – Breach Timeline
 - April 16 – Sony Online Entertainment (SOE)
   - 25 million user details / 23 K credit/debit cards
 - April 17 – PlayStation Network
   - 77 million user details
 - April 20 – Sony shuts down PlayStation Network
 - April 26 – Sony publicly discloses the PlayStation breach
 - May 1 – Investigators discover the SOE breach
 - May 2 – Sony publicly discloses the SOE breach
   "We are trying to fight criminal activities by corporations and governments, not steal credit cards."
• 10. Sony – Lesson 1
 - In the public eye - assume you are going to be a target
   - Was Sony right to go after geohot?
   - Doesn't matter if you are in IT
 - If the effort is coordinated they will get in
   - Limit the attack surface
   - Only ask for and store necessary data from users
   - What really needs to be exposed to the Internet?

Sony – Lesson 2
 - PR Campaigns Matter
   - Minimize enemy creation
   - Response to a hacking incident is critical to retention
   - People hate being lied to!
 - Contingency Plan Development
   - DDoS attacks are a form of disaster event
   - Practice recovering from them

Policies & Procedures
 - Policies in general:
   - Signature requirements / acknowledgement
   - Redistribution of policy / general availability
   - Centralize & minimize the total number
   - Training opportunity on changes!
 - Important groupings:
   - Computer Use Policy
     - Internet Use
     - E-Mail Use
   - IT Security Policy
     - Confidentiality statements
     - Data handling and storage
     - Data retention & destruction
• 11. Policies & Procedures – Updating
 - The importance of reviewing and updating policies:
   - What happens when two worlds collide?
     - Can social media be used for public debate?
     - What rules are in place for posting information by the elected?
     - How can the use of social media be policed?
 - Sunshine Laws / Data Security
 - Updating our policies and procedures is a critical part of the circle.

Knowing Our Enemies
 - Is that all there is to it?
 - FRAUD: deceit, trickery, sharp practice, or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage.
 - No functional network is impervious.
• 12. Internal Fraud
 - Fraud usually comes from within:
   - On average, 6% of an organization's revenue is lost to internal fraud.
   - Small company loss - $127,500 per incident
   - Large company loss - $97,000 per incident
   - Schemes involving non-cash assets are more costly
   - Men out-steal women, $200,000 to $60,000 per incident
   - Education levels:
     - Those with a high school education steal $70,000 per incident
     - Those with a post-graduate degree steal $162,000
     - Those with a bachelor's degree steal $243,000
   - 45% of companies report unauthorized access of data by insiders!
 - Case Study: The City of San Francisco
   - Whose network is it anyway?
   - Terry Childs – Cisco Certified Internetworking Engineer
   - Built & managed the city-wide network (core of networks)
   - Elevated rights to sole administrator – always on call

Attack Origins
Points of Origin of Network Attacks
 - Internal
   - Harder to protect against – productivity vs. security
   - Motivations:
     - Personal Gain
     - Revenge (missed promotion, about to be fired)
     - Job Security
 - External
   - Hard to identify the source
   - Motivations:
     - Random Attack
     - Revenge (former employee, angry client, competitor)
     - Industrial Espionage
• 13. A Typical IT Hack
[Diagram: flow between the Organization Data Store, the Unethical Hacker (UH), the Employee / Customer / Vendor, and a buyer (HH). Labels on the diagram: UH Steals Information (Cracks Database, Wireless Sniff, Social Engineering); UH Posts Information; HH Buys Information; Transfers Money; Opens Charge Account; "SS's Information" on the data flows.]

Computer Fraud – First Steps
 1. Stop using the compromised system!
   - Every action changes the computer environment
   - Preservation of hard drive and memory contents
   - Isolate the system
     - Physically disconnect the system from the Internet if exposed
     - If an intranet threat is possible, isolate from the local network
 2. Record visual information from the PC
   - Running applications
   - Items in the system tray
 3. Utilize drive duplication tools to create a copy of the drive
   - Refer to item #1
   - Allows other tests to be tried without losing the original evidence

Goals of Computer Forensics
 - Preservation of Evidence
   Adherence to a carefully developed set of procedures that address security, authenticity, and chain-of-custody.
 - Analysis of User Activity
   Reporting of all user activity on the computer and company network including, but not limited to, e-mail, Internet and Intranet files accessed, files created and deleted, and user access times.
 - Password Recovery
   Accessing and recovering data from password-protected files.
• 14. Fraud: Preemptive Tools
 - Computer audit logs
   - Enable auditing (default is normally not enabled)
   - Ensure size is sufficient (avoid overwriting)
   - Copied to remote storage / permanent media at regular intervals
 - Utilize other logging tools:
   - Keystroke Loggers
   - Screenshot Recording
   - Shadowing Capabilities
   - E-Mail and Instant Messaging Archives
 - Ethical Considerations
   - Computer Use Policy – notification of the right to trace actions
   - Control access to implemented tools
   - Ensure proper and ethical use

Other Threats:
 - Phishing
   - Banking spoofs, eBay accounts, etc.
   - New evolution: Pharming
     - "Poisoning" of a DNS record to redirect the request
     - Site could be an exact duplicate of the intended site
 - Malware
   - Key-loggers & screen capture programs
   - Browser hi-jacks

Phishing – How can you tell?
 - How can you tell a legitimate email from a phony?
• 15. Other Threats:
 - URL Shorteners
   - TinyURL, bit.ly, sn.im
   - Creates a short link from a long Internet address
   - Problem if a malware site is being hidden
   - Study of URL shorteners:
     - Stage 1 Compliant if it appears to use a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain.
     - Stage 2 Compliant if it uses a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain or malicious full URL hosted on that domain.

Scanning Yourself
 - Footprinting
   - Gaining the parameters of the network
   - Areas of search
     - Google Searches
     - Usenet/Newsgroup Searches
     - ARIN Records – DNS Stuff
 - Vulnerability Assessments
   - Finding rabbit holes - weak points in your network
   - Online Tools
   - Nessus (www.nessus.org)
     - Registered vs. Direct Feed
     - Windows & Linux Versions
     - External Use
     - Internal Use
 - Penetration Testing
   - How far down does the rabbit hole go?
   - Care in performing exploits – not for amateurs!
   - Metasploit

Understand Your Enemies
 - You have to understand their tactics to better stop them.
 - Hacking for Dummies by Kevin Beaver, Stuart McClure
 - Certified Ethical Hacking – Training & Certification
   - Vulnerability Assessments
   - Penetration Testing
 - On-line Resources
 - Print Resources
• 16. The Elements of IT Security
Example one: PHISHING
Right-click the message and select "VIEW SOURCE".
• 17. The Elements of IT Security
Actual source of the e-mail in HTML format:
• 18. The Elements of IT Security
Example 2: Citibank Phishing
FRAUD ALERT: CitiBank phishing email - "Read Now! Important Message From Citibank"
Date Issued: April 13 2004
Customers of CitiBank are the targets of the latest phishing email scams. The email claims to be from "Citi Identity Theft Solutions", and directs customers that they must update their ATM/Debit Card PIN. Users are instructed to click on a link within the email and enter their debit card number and ATM PIN in a form on a fake website. The fake website is displayed in a small window, while the real CitiBank website is displayed in the background. This gives users a false sense of security in entering their personal information.
A copy of the email is displayed below:
• 19. The website is shown below:
What to do?
If you receive an e-mail similar to this, do nothing. Do not reply to the e-mail and do not give any personal details to the sender. If you do receive similar emails, or any email that you think may be fraudulent, please forward them to FraudWatch International at: scams@fraudwatchinternational.com
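The "View Source" step from Example one and the Citibank case above, as an added example that is not part of the presentation: it pulls every link out of a message's HTML source and flags the tell-tales a clerk can check by hand (a link to a bare IP address, a link host outside the claimed sender's domain, visible link text that shows one URL while the href goes elsewhere). The sample message is constructed to mirror the Citibank case, and the `registrable` helper is a deliberate simplification.

```python
"""Added example: pull the links out of an e-mail's HTML source and flag phishing tell-tales."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the Citibank case: the visible text shows the bank's URL,
# while the href points at a bare IP address (203.0.113.7 is a reserved documentation range).
SAMPLE_HTML = """<html><body>
<p>Read Now! Important Message From Citibank</p>
<p>You must update your ATM/Debit Card PIN at
<a href="http://203.0.113.7/citi/update.php">https://www.citibank.com/secure/update</a></p>
<p>Questions? <a href="https://www.citibank.com/help">Help center</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (enough here; real code uses the public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_links(html_source):
    parser = LinkCollector()
    parser.feed(html_source)
    return parser.links


def analyze(html_source, sender_domain):
    """Return findings about the message; an empty list means no tell-tale was seen.

    `sender_domain` is the domain the e-mail claims to come from (the From: header's domain).
    """
    findings = []
    for href, text in extract_links(html_source):
        host = urlparse(href).hostname or ""
        if is_ip_literal(host):
            findings.append(f"link points at a bare IP address: {href}")
        elif host and registrable(host) != registrable(sender_domain):
            findings.append(f"link host {host} is not under {sender_domain}")
        # Visible text that looks like a URL but differs from where the href really goes
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"visible URL {shown.group(1)} hides real target {host}")
    if findings and re.search(r"\b(pin|password|card number)\b", html_source, re.I):
        findings.append("message asks for PIN/password/card data and carries suspicious links")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_HTML, "citibank.com"):
        print("-", finding)
```

The small-window-over-the-real-site trick in the Citibank case lives in the landing page's script, not in the e-mail, so this check covers only what "View Source" on the message itself shows.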
  • 20. Reprinted from: http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
  Sample Acceptable Use Policy
  1.0 Overview
  InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to <Company Name>'s established culture of openness, trust and integrity. InfoSec is committed to protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
  Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of <Company Name>. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.
  Effective security is a team effort involving the participation and support of every <Company Name> employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
  2.0 Purpose
  The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>. These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes <Company Name> to risks including virus attacks, compromise of network systems and services, and legal issues.
  3.0 Scope
  This policy applies to employees, contractors, consultants, temporaries, and other workers at <Company Name>, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by <Company Name>.
  4.0 Policy
  4.1 General Use and Ownership
  1. While <Company Name>'s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of <Company Name>. Because of the need to protect <Company Name>'s network, management cannot guarantee the confidentiality of information stored on any network device belonging to <Company Name>.
  2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
  3. InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative.
  4. For security and network maintenance purposes, authorized individuals within <Company Name> may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy.
  5. <Company Name> reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
  4.2 Security and Proprietary Information
  1. The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.
  2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.
  3. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the host will be unattended.
  4. Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy.
  5. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
  6. Postings by employees from a <Company Name> email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of <Company Name>, unless posting is in the course of business duties.
  7. All hosts used by the employee that are connected to the <Company Name> Internet/Intranet/Extranet, whether owned by the employee or <Company Name>, shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy.
  8. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
  4.3. Unacceptable Use
  The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
  Under no circumstances is an employee of <Company Name> authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing <Company Name>-owned resources.
  The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
  System and Network Activities
  The following activities are strictly prohibited, with no exceptions:
  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by <Company Name>.
  2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which <Company Name> or the end user does not have an active license is strictly prohibited.
  3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
  4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  6. Using a <Company Name> computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
  7. Making fraudulent offers of products, items, or services originating from any <Company Name> account.
  8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
  • 22. 9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  10. Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is made.
  11. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
  12. Circumventing user authentication or security of any host, network or account.
  13. Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
  14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
  15. Providing information about, or lists of, <Company Name> employees to parties outside <Company Name>.
  Email and Communications Activities
  1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
  3. Unauthorized use, or forging, of email header information.
  4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
  5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
  6. Use of unsolicited email originating from within <Company Name>'s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by <Company Name> or connected via <Company Name>'s network.
  7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
  5.0 Enforcement
  Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
  6.0 Definitions
  Term: Spam. Definition: Unauthorized and/or unsolicited electronic mass mailings.
  7.0 Revision History
  • 23. Questions & Answers
  "The search for static security - in the law and elsewhere - is misguided. The fact is security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts." - William Osler, Canadian physician
  Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
  Chief Financial Officer / Information Officer
  Precision Plus, Inc.
  840 Koopman Ln., Elkhorn, WI 53121
  LemmermannJ@preplus.com