
Top Information Security Issues Facing Organizations


Presentation Transcript


  1. Top Information Security Issues Facing Organizations Thomas C Miele, CISSP, ISSMP

  2. What The Fortifications Are
     “Man-Made Fortifications Are Just Monuments To The Stupidity Of Man. If Rivers And Mountain Ranges Can Be Breached, So Can Anything Built By Man”
     General George S. Patton, Jr.

  3. Top Issues
     • International Information Systems Security Certification Consortium (ISC²) Teamed With Auburn University Researchers To Identify & Rank Top Info Sec Issues By Way Of Surveys To Its Certified Security Professionals Worldwide & In The USA
     • 25 Issues Were Identified As Most Critical
     • NOTE: I Will Not Read All 25!

  4. 4 I Found Of Interest
     • #1 Top Management Support
     • #2 Legal & Regulatory Issues
     • #3 Malware/Social Engineering (Viruses, Trojans, Worms)
     • #4 Awareness Training & Education

  5. User Awareness
     • If The Users Don’t Know Or Are Not Aware, Then They Will Get In Trouble & The Company May Suffer
     • If Your Company Does Business In All 50 States, Then You Have About 46 Laws.
     • The Laws Say You Must Conduct An Awareness Program!
     • SPAM During 2009: 60% Of E-Mail Received!

  6. The Less You Know
     • It’s Bad When A Laptop Is Lost Containing:
        • Customer Name
        • Social Security Number
        • Credit Card Information
     • Raises Good Questions:
        • Should The Data Be On The Notebook?
        • Should It Be Locked Down On A Server In The Data Center?
        • Do We Need To Store All The Information About Our Customers That We Do?
     CSI Alert, Feb 2007

  7. Trusted Employees
     • What About An Inside Job?
     • Is The Company At Fault? It Depends…
     • Deb’s Bank Example

  8. Data Not Protected, Privacy Lost
     • The Big Story Is That The Boundary That Existed In People’s Lives Between The Workplace And The Home Has Broken Down!
     • Total Number Of Records Lost Containing Sensitive Personal Information From Security Breaches: 354,140,197
     Ben Worthen, CIO Mag., Feb 15, 2007

  9. Top Breaches, Month Of April 2010
     • AvMed Health Plans – 208,000 Records – Theft Of Laptops
     • Blue Cross/Blue Shield Tenn. – 301,628 – 57 USB Storage Devices Stolen
     • Citigroup – 600,000 Customers Received Their Annual Tax Documents With Their Social Security Numbers On The Outside Of The Envelope!
     OK, HOW MANY MORE MUST SUFFER BEFORE WE DO IT THE RIGHT WAY?
     Ben Worthen, CIO Mag., Feb 15, 2007

  10. Consumer IT Products
     • Thumb Drives – USB Port Connected, Can Provide Gigabytes Of Transportable Storage
        • Data Leakage!
        • Lost IDs
        • Spread Of Anything Bad!
     • The Company Is Responsible If An Employee Causes Harm To Others!

  11. Ask Yourself
     • Are The USB Ports Protected?
     • If A User Downloads Information To Any Portable Device, Can We Detect It?
     • Do Your Policies Cover Storage Of Protected Information On Workstations And/Or Mobile Devices?
     • Are You Testing IT Systems With Live Data?
     • Is The Data Ever Encrypted?
     • Do You Allow Cell Phones In The Office That Can Take Pictures?
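Slide 11 asks whether removable-storage use can even be detected. The following is an added example, not from the presentation: it correlates constructed Linux kernel log lines by USB port and flags mass-storage attachments whose vendor:product ID is not on a hypothetical approved-device list. The hostname, device IDs and product strings are made up, and the allowlist is an assumption.

```python
import re

# Constructed sample kernel log lines (not from the presentation); the
# hostname, vendor/product IDs and product strings are made-up placeholders.
SAMPLE_LOG = """\
Apr 12 09:14:02 ws-17 kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666
Apr 12 09:14:02 ws-17 kernel: usb 1-1: Product: DataTraveler 3.0
Apr 12 09:14:03 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Apr 12 09:20:45 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c
Apr 12 09:20:45 ws-17 kernel: usb 1-2: Product: USB Keyboard
Apr 12 10:02:11 ws-17 kernel: usb 1-3: New USB device found, idVendor=1234, idProduct=5678
Apr 12 10:02:11 ws-17 kernel: usb 1-3: Product: Corporate Encrypted Drive
Apr 12 10:02:12 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""
# Hypothetical allowlist: vendor:product IDs of drives the organisation issued.
APPROVED_STORAGE = {"1234:5678"}

TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) ")
NEW_DEVICE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")

def find_removable_storage(log_text, approved=APPROVED_STORAGE):
    """Correlate kernel USB lines by port. Returns one tuple per mass-storage
    attachment: (timestamp, host, port, vendor:product, product name, approved?)."""
    devices = {}   # port -> what earlier lines told us about the device there
    events = []
    for line in log_text.splitlines():
        head = TIMESTAMP.match(line)
        if not head:
            continue                    # not a syslog-shaped line; skip it
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["port"]] = {"id": f"{m['vid']}:{m['pid']}", "name": "?"}
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
            continue
        m = MASS_STORAGE.search(line)   # only storage-class devices matter here
        if m:
            dev = devices.get(m["port"], {"id": "?", "name": "?"})
            events.append((head["ts"], head["host"], m["port"],
                           dev["id"], dev["name"], dev["id"] in approved))
    return events

def unapproved_storage_alerts(log_text, approved=APPROVED_STORAGE):
    """The attachments a device-control policy would block or escalate."""
    return [e for e in find_removable_storage(log_text, approved) if not e[5]]
```

The keyboard on port 1-2 never produces an event because no mass-storage line follows it; only the unapproved drive on port 1-1 ends up in the alert list.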

  12. Laws, Laws, & More Laws: Safeguarding Information
     • How Many States Do You Do Business In?
     • I Have 9 States’ Laws To Look At Dealing With Privacy & Protection Of Customer Information
     • State Of PA – 4 Laws, With New Ones Pending
     • What If You Do Business In All 50 States? 44 States Have Laws, Along With Puerto Rico And The Virgin Islands
     • What About International?

  13. Before Your Data Goes
     • Organizations Need To Understand Their Privacy And Security Compliance Obligations Prior To Sending Data Across Borders
     • Nearly 50 Countries Have Some Form Of Data Protection Law, And Many Of Them Conflict Or Require Specific Security Measures
     Jody R. Westby, Information Security Mag.

  14. Legal Frameworks At Play
     • Globally There Are 3 Types Of Legal Frameworks At Play:
        • EU’s Regulatory Model
        • U.S.’s Self-Regulatory Approach
        • Asia-Pacific Economic Cooperation (APEC) Forum’s Privacy Framework
     Jody R. Westby, Information Security Mag.

  15. In Europe, Privacy Is Different
     • Personal Information Cannot Be Collected Without Consumers’ Permission, And They Have The Right To Review The Data And Correct Inaccuracies
     • Companies That Process Data Must Register Their Activities With The Government
     • Employers Cannot Read Workers’ Private E-Mail
     • Personal Information Cannot Be Shared By Companies Or Across Borders Without Express Permission From The Data Subject
     • Checkout Clerks Cannot Ask For Shoppers’ Phone Numbers

  16. Global Complications
     • Everyone’s Connected
        • 240 Countries And 1.1 Billion People Online
     • Fractured Frameworks
        • 51 Countries With Privacy Laws, Including 27 EU Countries
        • 8 U.S. Agencies With Privacy Regulations And Enforcement Authority
        • 34 States With Security Breach Notification Laws
     Jody R. Westby, Information Security Mag.

  17. Global Complications
     • Competing Models
        • EU, U.S., APEC Each Have Overlapping Privacy Mandates
     • Multilateral Actions
        • Various Efforts From The EU, G8, APEC, Council Of Europe (CoE)
        • CoE Convention On Data Protection
        • CoE Convention On Cybercrime
        • G8 24/7 High-Tech Crimes Points-Of-Contact Network
     • HOW DO YOU KEEP UP?
     Jody R. Westby, Information Security Mag.

  18. Privacy Lost?
     • Most Americans Say They Are Concerned About Privacy
        • 60% Feel Their Privacy Is “Slipping Away”
        • Only 7% Change Behaviors To Preserve Privacy
     • Carnegie Mellon Test Shows People Will Give SSN To Get 50-Cents-Off Coupon
     • Don’t Lose A Laptop With Personal Information!
     • Veterans Admin, ChoicePoint, LexisNexis, Bank Of America, And Other Firms That Lost Or Had Personal Information Stolen Were On The Receiving End Of Righteous Indignation From The Public And Lawmakers.

  19. What’s A CEO To Do?
     • Companies Want To Contact Their Customers Or Potential Customers
     • Customers Want Privacy
     • Laws Say We Must Protect Their Privacy/Information
     • So, We Have A Balancing Act
     • Make Sure You Know How Far You Can Go With Your Customers’ Information

  20. Social Engineering
     • Attacker Uses Human Interaction (Social Skills) To Obtain Or Compromise Information About An Organization Or Its Computer Network/Systems
     • May Seem Unassuming And Respectable:
        • Claiming To Be A New Employee
        • Repair Person
        • USB Trick
        • Asking Questions – Infiltrate A Network

  21. Good Security Practices – Security First, Then Compliance
     • Don’t Click On Links Within Pop-Up Windows
     • Be Wary Of Free Downloadable Software
     • Don’t Follow E-mail Links Claiming To Offer Anti-Spyware Software
     • Delete E-mails From Senders You Don’t Know!
     • Don’t Get Complacent! Never Ever Think You Are Done! Always Keep Thinking About How Security Can Be Breached.

  22. Defense-in-Depth: 6 Layers To Consider
     • Proactive Software Assurance
     • Blocking Attacks: Network Based
        • IPS & Detection (IDS)
        • Wireless Intrusion Prevention
        • Network Behavior Analysis
        • Firewalls
        • Secure Web Gateways
     • Blocking Attacks: Host Based
        • Endpoint Security
     SANS What Works in Internet Security

  23. Defense-in-Depth: 6 Layers To Consider
     • Blocking Attacks: Host Based
        • Endpoint Security
        • Network Access Control
        • System Integrity Checking Tools
     • Eliminating Security Vulnerabilities
        • Network Discovery Tools
        • Vulnerability Management
        • Attack & Penetration Testing
        • Patch & Security Configuration Management
     SANS What Works in Internet Security

  24. Defense-in-Depth: 6 Layers To Consider
     • Safely Supporting Authorized Users
        • Identity & Access Management
        • Mobile Data Protection & Encryption
        • Content Monitoring/Data Leak Prevention
     • Tools To Manage Security
        • Log Management & Event Management
        • Media Sanitization And Mobile Device Recovery And Erasure
        • Security Awareness Training
     SANS What Works in Internet Security

  25. Defense-in-Depth: 6 Layers To Consider
     • Tools To Manage Security
        • Security Awareness Training
        • Forensics Tools
        • Governance, Risk & Compliance Mgt Tools
           • GLBA, SOX, PCI, HIPAA
        • Disaster Recovery And Business Continuity
     SANS What Works in Internet Security

  26. Why I Worry About Social Engineering & Spyware
     • Loss Of Corporate Information And Data
     • Average Cost Per Breach: $4.8 Million
     • Legal Liability
     • If Companies Close Down And/Or Go Out Of Business, Then People Will Not Be Paying Into The Social Security Fund!
     • We All Pay The Price; However, The CEO Will Pay The Biggest Price!

  27. Privacy Resources
     • U.S. Safe Harbor Program: www.export.gov/safeHarbor/sh_overview.html
     • U.S. Federal Trade Commission: www.ftc.gov/privacy/index.html
     • EU Data Protection Directive: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
     • Council of Europe Cybercrime Convention: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
     Jody R. Westby, Information Security Mag.
