Slides from my information security management talk at a CalCPA Society Meeting. This story-filled non-technical talk provides real-world guidance executives and their boards need to meet the challenge of cybercrime.
- Why Care: Business Implications of Cyber Crime.
- The Critical Four: Key Questions for Managing Information Risk.
- Why Are We So Vulnerable? Three Inconvenient Truths.
- We Have a Firewall and Antivirus. Isn’t This Enough?
- What Are We Supposed to Do: Information Security Management Objectives.
- How Do We Do It: The Six Key Information Security Management Strategies.
- Leadership and Culture: The Final Frontier.
2.
The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.
Major Gen Brett Williams, U.S. Air Force (Ret), This Week with George Stephanopoulos, December 2014
4. Online Fraud: Business Email Compromise Deceives Controller
From: Your Vendor, Stan
Sent: Sunday, December 28, 2014 12:07 PM
To: Bill Hopkins, Controller
Subject: Change of Bank Account
Hi Bill – Just an alert to let you know we’ve changed banks.
Please use the following from now on in wiring our payments.
RTN: 123456789 Account: 0010254742631
I’m still planning to be out your way in February. It will be nice
to get out of the cold Montreal winter.
Great thanks.
Cheers - Stan
_________________________
The secret of success is honesty and fair-dealing.
If you can fake that, you’ve got it made ... Groucho Marx
14. The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity
Customer Information
Credit Cards and PCI Compliance
HIPAA Security Rule
Breach Disclosure Laws
On-Line Bank Fraud & Embezzlement
Theft of Trade Secrets & Other Intellectual Property
Critical Information Made Unavailable
Systems Used for Illegal Purposes
15. Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations
30% of victims have fewer than 250 employees
60% of small-business victims are out of business within 6 months
80% of breaches preventable with basic security
16. Managing Information Risk — Four Key Questions
1. How serious is cybercrime and why should my organization care?
2. How vulnerable are we, really?
3. What do we need to do?
4. How do we do it?
17. Why Are We so Vulnerable? Three Inconvenient Truths
Internet not designed to be secure
Computer technology is riddled with security holes
We humans are also imperfect
24. Technology Solutions Are Inadequate to the Challenge
http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/
25. Management Too Often Fails to Set Security Standards for IT Network
Senior Management: Hi Bob. Things good?
IT Head: Yes sir. Everything’s fine.
Senior Management: You’re keeping us secure now aren’t you?
IT Head: Yes sir. Everything’s fine.
Senior Management: That’s great Bob. We’re all counting on you.
IT Head: I appreciate that sir.
26. Management Too Often Fails to Properly Fund IT Network Security
Senior Management: Hi Bob. Things good?
IT Head: Yes sir. Everything’s fine. We need a BYOD solution.
Senior Management: I understand. But you know how tight budgets are. You’re keeping us secure now aren’t you?
IT Head: I do. Yes sir.
27. We Make It Way Too Easy: 80% of Breaches are “Low Difficulty”
Inadequate training of people
Inadequate security management of IT networks
Inadequate involvement by senior management
Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/
29. The Objective of Information Security Management is to Manage Information Risk
Cyber Fraud
Information Theft
Ransomware
Denial of Service Attack
Regulatory / Compliance Disaster
Loss of Money … Brand Value … Competitive Advantage
30. The Four Elements of Information Risk
Confidentiality … Assuring information is only accessible to those authorized to use it
Integrity … Assuring that information is changed only in accordance with authorized procedures by authorized people
Availability … Assuring that information and systems are available to users when they need them
Authenticity … Assuring that a received message is really from the purported sender
31. The Information Security Management Chain
Identify … Protect … Detect … Respond … Recover
Continuous Security Management Improvement
Risk Transfer and Insurance
Legal and Regulatory Framework
Based Upon:
1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014
2. ISO/IEC 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
3. Porter Value Chain: Understanding How Value is Created Within Organizations
32. Don’t Try to Reinvent the Wheel: Use an Accepted Information Security Management Framework
Information Security Policies
Organization of Information Security
Human Resource Security
Asset Management
Access Control
Cryptography
Physical / Environmental Security
Operations Security
Communications Security
System Acquisition, Development & Maintenance
Supplier Relationships
Information Security Incident Management
Information Security Aspects of Business Continuity Management
Compliance
33. Manage Information Security Like Everything Else. Establish Leadership.
An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage.
Jack Welch
34. Take Specific Action to Protect Against Online Financial Fraud
Implement Internal Controls Over Payee Change Requests
- Assume all email or fax requests from vendors or the company President are fraudulent
- Use Out-of-Band Confirmation
Use Dedicated On-Line Banking Workstation
- Keep Patched
- Use Only for On-Line Banking
Work with Bank
- Dual Control
- Out-Of-Band Confirmation
- Strong Controls on Wires
See our blog: https://citadel-information.com/2016/02/business-e-mail-compromise-dont-be-a-victim/
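The BEC message on slide 4 and the payee-change controls on slide 34 (out-of-band confirmation, dual control, strong controls on wires), worked as an added Python example. This is illustrative code written for this page, not the talk's or Citadel Information Group's; the vendor master record, phone numbers, e-mail text and bank details are constructed, and the ABA routing-number check digit is only a format sanity check, not a fraud detector.

```python
"""Added example: payee-change controls applied to a BEC-style e-mail.
Hypothetical code; vendor data and the message are constructed."""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed vendor master record as an AP system would hold it. The phone
# number was verified at onboarding; it is the ONLY number a callback may use.
VENDOR_MASTER = {
    "stan@vendor.example": {
        "phone_on_file": "+1-514-555-0100",
        "rtn": "123456780",
        "account": "5550001234",
    },
}

# Constructed message modelled on slide 4. The sender address is not the
# address on file and the Reply-To points somewhere else again.
SAMPLE_EMAIL = """\
From: "Your Vendor, Stan" <stan@vendor-billing.example>
Reply-To: stan.accounts@mail-relay.example
To: Bill Hopkins <bill@company.example>
Subject: Change of Bank Account

Hi Bill - Just an alert to let you know we've changed banks.
Please use the following from now on in wiring our payments.
RTN: 123456789 Account: 0010254742631
Cheers - Stan
"""

CHANGE_WORDS = re.compile(r"changed banks?|new (?:bank )?account|\bRTN\b|routing", re.I)
BANK_DETAILS = re.compile(r"RTN:\s*(\d{9})\s+Account:\s*(\d+)")


def aba_checksum_ok(rtn: str) -> bool:
    """ABA routing number check digit: weights 3,7,1 repeating, sum mod 10 == 0."""
    if not re.fullmatch(r"\d{9}", rtn):
        return False
    d = [int(c) for c in rtn]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def triage_email(raw: str) -> dict:
    """What a controller needs before acting: who it claims to be, whether it
    asks for a payee change, and whether that sender is a vendor we know."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg["From"])
    _, reply_to = parseaddr(msg.get("Reply-To", msg["From"]))
    body = msg.get_payload()
    details = BANK_DETAILS.search(body)
    return {
        "sender": sender,
        "reply_to_mismatch": reply_to.split("@")[-1] != sender.split("@")[-1],
        "payee_change": bool(CHANGE_WORDS.search(body)),
        "known_vendor": sender in VENDOR_MASTER,
        "new_rtn": details.group(1) if details else None,
        "new_account": details.group(2) if details else None,
    }


@dataclass
class PayeeChange:
    vendor_key: str
    new_rtn: str
    new_account: str
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)


def callback_confirm(req: PayeeChange, number_dialed: str, vendor_confirmed: bool) -> bool:
    """Out-of-band confirmation counts only if placed to the number already on
    file. A number taken from the request itself proves nothing."""
    on_file = VENDOR_MASTER.get(req.vendor_key, {}).get("phone_on_file")
    if on_file is None or number_dialed != on_file:
        return False
    req.callback_confirmed = vendor_confirmed
    return req.callback_confirmed


def approve(req: PayeeChange, approver: str) -> None:
    req.approvers.add(approver)


def apply_change(req: PayeeChange) -> bool:
    """Dual control: two distinct approvers AND a completed callback; the new
    routing number must at least pass its check digit."""
    if not req.callback_confirmed or len(req.approvers) < 2:
        return False
    if not aba_checksum_ok(req.new_rtn):
        return False
    VENDOR_MASTER[req.vendor_key]["rtn"] = req.new_rtn
    VENDOR_MASTER[req.vendor_key]["account"] = req.new_account
    return True


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))  # payee_change True, known_vendor False: stop and call
```

Run against the constructed message, triage flags a payee change from an address that is not on file, with a Reply-To on a third domain; the right response is a call to the number in the master record, never to anything in the e-mail. The change itself cannot be applied until that callback has happened and two different people have approved it.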
35. Know What Information Needs To Be Protected and Where It Is
What: Online Banking Credentials … Credit cards … Employee Health Information … Salaries … Trade Secrets … Intellectual Property … Customer Information
Where: Servers … Desktops … Cloud … Home PCs … BYOD devices
37. Train Staff to Be Mindful. Provide Phishing Defense Training.
38. Provide Information Security Education. Change Culture.
If you do not know your enemies nor yourself, you will be imperiled in every single battle.
Sun Tzu, The Art of War
39. Ensure IT has an Aggressive Vulnerability and Patch Management Program.
40. Require Vendors to Meet Security Management Standards
Security Management included in Service Level Agreements
Comply with Information Security Standards
Business Associate Agreements (HIPAA)
Information Security Continuing Education
41. Make Sure Critical Information Is Available in a Disaster or Ransomware Attack
Trust … But Verify.
43. Getting Started: Implement Basics. Assess IT Security. Develop Strategy.
Put Someone in Charge
Review IT Network Management Compliance with Security Standards
Conduct IT Network Vulnerability Scan
Establish Policies & Standards
Train Staff
Develop Strategy
44. Create Steering Committee to Manage Ongoing Information Security
Leadership & Organizational Improvements
Security Management of IT Network
Security Improvements to IT Network
Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.
W. Edwards Deming, 14 Key Principles for Improving Organizational Effectiveness
46. Summary: Manage Security of Information as Rigorously as Operations & Finance
Implement a Formal Information Security Management System
1. Information Security Manager / Chief Information Security Officer
a. Independent C-Suite Access
b. Provide Cross-Functional Support
c. Support with Subject-Matter Expertise
2. Implement Formal Risk-Driven Information Security Policies and Standards
3. Identify, Document and Control Sensitive Information
4. Train and Educate Personnel. Change Culture.
5. Manage Vendor Security
6. Manage IT Infrastructure from an “information security point of view”
47. Security is Proactively Managed
Information Security Standard of Care
Information Security Proactively Managed
Commercially Reasonable Information Security Practices
Lower Total Cost of Information Security℠
48. Citadel Information Group: Who We Are
Stan Stahl, Ph.D., Co-Founder & President: 35+ Years Experience; Reagan White House; Nuclear Missile Control
Kimberly Pease, CISSP, Co-Founder & VP: Former CIO; 15+ Years Information Security Experience
David Lam, CISSP, CPP, VP Technology Management Services: Former CIO; 20+ Years Information Security Experience
49. Citadel Information Group: What We Do
Deliver Information Peace of Mind℠ to Business and the Not-for-Profit Community
Cyber Security Management Services
Information Security Leadership
Information Security Management Consulting & Coaching
Assessments & Reviews … Executive Management … Technical Management
Secure Network Engineering … Secure Software Engineering
Incident Response / Business Continuity Planning
Adverse Termination
50. For More Information
Stan Stahl Stan@citadel-information.com 323-428-0441
LinkedIn: Stan Stahl Twitter: @StanStahl
Citadel Information Group: www.citadel-information.com
Information Security Resource Library
Free: Cyber Security News of the Week
Free: Weekend Vulnerability and Patch Report