Top Information Security Issues Facing Organizations

Presentation Transcript
What The Fortifications Are

“Man-Made Fortifications Are Just Monuments To The Stupidity Of Man.

If Rivers And Mountain Ranges Can Be Breached, So Can Anything Built By Man”

General George S. Patton, Jr.

Thomas C Miele, CISSP, ISSMP

Top Issues
  • International Information Systems Security Certification Consortium (ISC²) Teamed Auburn University Researchers To ID & Rank Top Info Sec Issues By Way Of Surveys To Its Certified Security Professionals World Wide & USA
  • 25 Issues Were ID As Most Critical…..
    • NOTE: I Will Not Read All 25 !!!!


4 I Found Of Interest
  • #1 Top Management Support
  • #2 Legal & Regulatory Issues
  • #3 Malware/Social Engineering (Viruses, Trojans, Worms)
  • #4 Awareness Training & Education


User Awareness
  • If The Users Don’t Know Or Are Not Aware, Then They Will Get In Trouble & The Company May Suffer
  • If Your Company Does Business In All 50 States Then You Have About 46 Laws.
  • The Laws Say You Must Conduct An Awareness Program!
  • SPAM During 2009: 60% Of E-Mail Received!


The Less You Know
  • It’s Bad When A Laptop Is Lost Containing:
    • Customer Name
    • Social Security Number
    • Credit Card Information
    • Raises Good Questions:
      • Should The Data Be On The Notebook?
      • Should It Be Locked Down On A Server In The Data Center?
      • Do We Need To Store All The Information About Our Customers That We Do?

CSI Alert Feb 2007

Trusted Employees

What About An Inside Job?

Is the Company At Fault?

It Depends……

Deb’s Bank Example


Data Not Protected Privacy Lost
  • The Big Story Is That The Boundary That Existed In People’s Lives Between The Workplace And The Home Has Broken Down!

Total Number Of Records Lost Containing Sensitive Personal Information From Security Breaches: 354,140,197

Ben Worthen CIO Mag. Feb 15, 2007

Top Breaches Month of April 2010
  • AvMed Health Plans – 208,000 records—theft of laptops.
  • Blue Cross/Blue Shield Tenn. – 301,628 – 57 USB Storage Devices Stolen
  • Citigroup – 600,000 customers received their annual tax documents with their Social Security Numbers on the outside of the envelope!

OK HOW MANY MORE MUST SUFFER BEFORE WE DO IT THE RIGHT WAY?

Ben Worthen CIO Mag. Feb 15, 2007

Consumer IT Products
  • Thumb Drives – USB Port Connected Can Provide Gigabytes Of Transportable Storage
  • Data Leakage!
  • Lost ID’s
  • Spread Of Anything Bad! The Company Is Responsible If An Employee Causes Harm To Others!


Ask Yourself ????
  • Are The USB Ports Protected?
  • If A User Downloads Information To Any Portable Device, Can We Detect It?
  • Do Your Policies Cover Storage Of Protected Information On Workstations And/Or Mobile Devices?
  • Are You Testing IT Systems With Live Data?
  • Is The Data Ever Encrypted?
  • Do You Allow Cell Phones In The Office That Can Take Pictures?

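As an added illustration of the second question above (if a user copies data to a portable device, can we detect it?), here is a small detector written for this page; it is not code from the original presentation. It parses syslog lines in the shape the Linux kernel logs for USB attach events, correlates the several lines belonging to one attachment, and flags mass-storage devices whose serial number is not on an allowlist of company-issued encrypted drives. The log lines, host names, vendor/product IDs, serial numbers and the allowlist are all constructed for the example.

```python
"""Flag USB mass-storage attachments that are not on a device allowlist.

Added example for this page (not from the original presentation): it parses
syslog lines in the shape Linux kernels log for USB attach events and reports
removable storage whose serial is not on a company-issued-drive allowlist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines (hosts, IDs and serials are made up for this example).
SAMPLE_LOG = """\
Apr 12 09:14:02 ws-017 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Apr 12 09:14:02 ws-017 kernel: usb 1-1.2: Product: Ultra Fit
Apr 12 09:14:02 ws-017 kernel: usb 1-1.2: Manufacturer: SanDisk
Apr 12 09:14:02 ws-017 kernel: usb 1-1.2: SerialNumber: 4C530001230525118264
Apr 12 09:14:02 ws-017 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Apr 12 09:14:03 ws-017 kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Apr 12 09:20:41 ws-017 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Apr 12 09:20:41 ws-017 kernel: usb 1-1.3: Product: USB Keyboard
Apr 12 09:20:41 ws-017 kernel: usb 1-1.3: SerialNumber: KB-0001
Apr 12 11:02:17 ws-042 kernel: usb 2-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 2.00
Apr 12 11:02:17 ws-042 kernel: usb 2-1: Product: Secure Corp Drive
Apr 12 11:02:17 ws-042 kernel: usb 2-1: SerialNumber: CORP-ENC-00042
Apr 12 11:02:17 ws-042 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: serials of company-issued, hardware-encrypted drives.
ALLOWED_SERIALS = {"CORP-ENC-00042"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")

# Kernel message shapes. The "usb <path>:" prefix never matches the
# "usb-storage" driver lines, so the regexes keep the two apart.
MSG_PATTERNS = [
    ("storage", re.compile(r"^usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")),
    ("found", re.compile(r"^usb (?P<path>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")),
    ("product", re.compile(r"^usb (?P<path>[\d.-]+): Product: (?P<product>.+)$")),
    ("serial", re.compile(r"^usb (?P<path>[\d.-]+): SerialNumber: (?P<serial>\S+)$")),
]


@dataclass
class UsbDevice:
    host: str
    path: str          # bus path such as "1-1.2"; stable for one attachment
    first_seen: str
    vendor_id: str = ""
    product_id: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> list[UsbDevice]:
    """Correlate the several kernel lines for one attachment into one record."""
    devices: dict[tuple[str, str], UsbDevice] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts", "host", "msg")
        for kind, pattern in MSG_PATTERNS:
            mm = pattern.match(msg)
            if not mm:
                continue
            key = (host, mm.group("path"))
            dev = devices.setdefault(key, UsbDevice(host=host, path=mm.group("path"), first_seen=ts))
            if kind == "found":
                dev.vendor_id, dev.product_id = mm.group("vid"), mm.group("pid")
            elif kind == "product":
                dev.product = mm.group("product")
            elif kind == "serial":
                dev.serial = mm.group("serial")
            else:  # "storage"
                dev.mass_storage = True
            break
    return list(devices.values())


def find_unapproved_storage(devices: list[UsbDevice], allowed_serials: set[str]) -> list[UsbDevice]:
    """Return mass-storage attachments whose serial is missing or not allowlisted.

    A device that reports no serial is treated as unapproved: cheap or
    attacker-prepared drives often present none, and an empty serial must
    never match the allowlist by accident.
    """
    return [d for d in devices if d.mass_storage and (not d.serial or d.serial not in allowed_serials)]


def format_alert(dev: UsbDevice) -> str:
    return (f"{dev.first_seen} {dev.host}: unapproved USB storage at {dev.path} "
            f"{dev.vendor_id}:{dev.product_id} '{dev.product}' serial={dev.serial or '<none>'}")


if __name__ == "__main__":
    for alert in find_unapproved_storage(parse_usb_events(SAMPLE_LOG), ALLOWED_SERIALS):
        print(format_alert(alert))
```

Run against the constructed log, the keyboard on ws-017 and the allowlisted corporate drive on ws-042 are ignored and only the SanDisk drive on ws-017 is reported. This answers "was a removable drive attached?", not "what was copied to it?": file-level visibility needs an endpoint agent from the Content Monitoring/Data Leak Prevention layer listed later in the talk, and the same serial allowlist is what a blocking control (for example, clearing the kernel's per-device `authorized` attribute for anything not on it) would enforce.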

Laws, Laws, & More Laws Safeguarding Information
  • How Many States Do You Do Business In?
  • I Have 9 States’ Laws To Look At Dealing With Privacy & Protection Of Customer Information
  • State of PA – 4 Laws With New Ones Pending
  • What If You Do Business In All 50 States? 44 States Have Laws Along With Puerto Rico and the Virgin Islands
  • What About International?


Before Your Data Goes
  • Organizations Need To Understand Their Privacy And Security Compliance Obligations Prior To Sending Data Across Borders
  • Nearly 50 Countries Have Some Form Of Data Protection Law And Many Of Them Conflict Or Require Specific Security Measures

Jody R. Westby Information Security Mag.

Legal Frameworks At Play
  • Globally There Are 3 Types Of Legal Frameworks At Play:
    • EU’s Regulatory Model
    • U.S.’s Self-Regulatory Approach
    • Asia-Pacific Economic Cooperation (APEC) Forum’s Privacy Framework

Jody R. Westby Information Security Mag.

In Europe, Privacy Is Different
  • Personal Information Cannot Be Collected Without Consumers’ Permission, And They Have The Right To Review The Data And Correct Inaccuracies
  • Companies That Process Data Must Register Their Activities With The Government
  • Employers Cannot Read Workers’ Private E-Mail
  • Personal Information Cannot Be Shared By Companies Or Across Borders Without Express Permission From The Data Subject
  • Checkout Clerks Cannot Ask For Shoppers’ Phone Numbers


Global Complications
  • Everyone’s Connected
    • 240 Countries And 1.1 Billion People Online
  • Fractured Frameworks
    • 51 Countries With Privacy Laws Including 27 EU Countries
    • 8 U.S. Agencies With Privacy Regulations And Enforcement Authority
    • 34 States With Security Breach Notification Laws

Jody R. Westby Information Security Mag.

Global Complications
  • Competing Models
    • EU, U.S., APEC Each Have Overlapping Privacy Mandates
  • Multilateral Actions
    • Various Efforts From The EU, G8, APEC, Council Of Europe (CoE)
    • CoE Convention On Data Protection
    • CoE Convention On Cyber crime
    • G8 24/7 High-Tech Crimes Points-Of-Contact Network.
  • How Do You Keep Up?

Jody R. Westby Information Security Mag.

Privacy Lost?
  • Most Americans Say They Are Concerned About Privacy
  • 60% Feel Their Privacy Is “Slipping Away”
  • Only 7% Change Behaviors To Preserve Privacy
  • Carnegie Mellon Test Shows People Will Give SSN To Get 50-Cents-Off Coupon
  • Don’t Lose A Laptop With Personal Information!
  • Veterans Admin, ChoicePoint, LexisNexis, Bank Of America, And Other Firms: Loss Or Theft Of Personal Information Put Them On The Receiving End Of Righteous Indignation By The Public And Lawmakers.


What’s A CEO To Do???
  • Companies Want to Contact Their Customers Or Potential Customers
  • Customers Want Privacy
  • Laws Say We Must Protect Their Privacy/Information
  • So, We Have A Balancing Act
  • Make Sure You Know How Far You Can Go With Your Customers Information


Social Engineering
  • Attacker Uses Human Interaction (Social Skills) To Obtain Or Compromise Information About An Organization Or Its Computer Network/Systems
  • May Seem Unassuming And Respectable
  • Claiming To Be A New Employee
  • Repair Person
  • USB Trick (Baiting: Planted Drives The Target Plugs In)
  • Asking Questions – Infiltrate A Network


Good Security Practices-Security First, Then Compliance
  • Don’t Click On Links Within Pop-Up Windows
  • Be Wary Of Free Downloadable Software
  • Don’t Follow E-mail Links Claiming To Offer Anti-Spyware Software
  • Delete E-mails From Senders You Don’t Know!
  • Don’t Get Complacent! Never Think You Are Done! Always Keep Thinking About How Security Can Be Breached.


Defense-in-Depth 6 Layers To Consider
  • Proactive Software Assurance
  • Blocking Attacks: Network Based
    • IPS & Detection (IDS)
    • Wireless Intrusion Prevention
    • Network Behavior Analysis
    • Firewalls
    • Secure Web Gateways
  • Blocking Attacks: Host Based
    • Endpoint Security
    • Network Access Control
    • System Integrity Checking Tools
  • Eliminating Security Vulnerabilities
    • Network Discovery Tools
    • Vulnerability Management
    • Attack & Penetration Testing
    • Patch & Security Configuration Management
  • Safely Supporting Authorized Users
    • Identity & Access Management
    • Mobile Data Protection & Encryption
    • Content Monitoring/Data Leak Prevention
  • Tools To Manage Security
    • Log Management & Event Management
    • Media Sanitization And Mobile Device Recovery And Erasure
    • Security Awareness Training
    • Forensics Tools
    • Governance, Risk & Compliance Mgt Tools
      • GLBA, SOX, PCI, HIPAA
    • Disaster Recovery And Business Continuity

SANS What Works in Internet Security

Why I Worry About Social Engineering & Spyware
  • Loss Of Corporate Information And Data
  • Average Cost Per Breach $4.8 Million
  • Legal Liability
  • If Companies Close Down And/Or Go Out Of Business, Then People Will Not Be Paying Into The Social Security Fund!
  • We All Pay The Price; However, The CEO Will Pay The Biggest Price!


Privacy Resources
  • U.S. Safe Harbor Program: www.export.gov/safeHarbor/sh_overview.html
  • U.S. Federal Trade Commission: www.ftc.gov/privacy/index.html
  • EU Data Protection Directive: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
  • Council of Europe Cybercrime Convention: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm

Jody R. Westby Information Security Mag.