2009 cpe by the sea presentation objectives - …conferences.tscpa.org/cpefamily/materials/rick...
Rick Murray
Executive Vice President & Chief Financial Officer
Commerce Union Bank
2009 CPE By The Sea
© 2009 William R. Murray, MBA, CPA, CISA, CITP, AAP

Presentation Objectives
- To educate you about emerging information technologies and their related risks, and how they are impacting accountants
- To provide you with the latest available information about IT Security threats and risks
- To help you develop a strategy for implementing and managing IT security and risk assessment processes within your firm or company
- To help you recognize and address new threats before they endanger your company
- To empower you to bolster overall security efforts through proactive risk management strategies
IT 2009 – What’s New?
Continuing IT Security Threat
- Many companies are spending as much as 10-20% of their IT budgets on security – lost resources
- Overall intrusion activities (hacking/cracking/viruses) resulted in $1 trillion in losses during 2008
- Internet fraud loss exceeded $265 million in 2008
- More than 285 million records compromised during 2008 – 4 times 2007 levels – January 2009 Heartland data breach (potentially 40 million debit/credit cards)
- Long term damage to business and consumer confidence may exceed direct dollar losses
- Electronic transaction and payments systems are complicating the situation
Sources: CNET, Yahoo
IT Security Threats Continue
[Chart: Growing Internet Security Threat, 1995–2010; series plotted: Company Ability To Respond, E-Mail Virus, Denial of Service, Hostile Remote Control, E-Mail Server Assault, Application Layer Assault]
Are you caught in the gap?
Continuing Compliance Pressure
- Despite 2009 recession concerns, government emphasis upon compliance continues to grow
  - Privacy
  - Confidentiality
  - Homeland Security
  - Money Laundering
  - Identity Theft – continued emphasis in 2009
- Federal, State and private regulatory agencies are contributing to the compliance workload
  - FFIEC – Federal Financial Institution Examination Council – FRB, FDIC, OCC, OTS and NCUA
  - FRB – Federal Reserve Board Reg. E, CC, D
Continuing Compliance Pressure
- Federal, State and private regulatory agencies are contributing to the compliance workload
  - 31 CFR 203 (taxes), 210 (Fed payments), 370 (ACH and Fed Securities)
  - UCC Articles 3 (Commercial Paper), 4 (Items), 4A (EFT)
  - GLB - Gramm-Leach-Bliley Act
  - Fair Credit Reporting Act
  - Check 21
  - FACTA
  - SOX
  - BSA
  - USA Patriot Act
  - NACHA Operating Rules
- What will the current Administration and Congress mandate next?
Emerging Technologies 2009…
Long Live the Universal Device!
Emerging Technologies 2009 – AICPA Top Ten Technologies List
- Information Security Management
- Privacy Management
- Secure Data Storage, Transmission & Exchange
- Business Process Improvement – Workflow and Process Exception Alerts
- Mobile and Remote Computing
- Training and Competency
- Identity & Access Management
- Improved Application and Data Integration
- Document, Content and Knowledge Management
- Electronic Data Retention Strategy
Honorable Mention 2009 – AICPA Top Ten Technologies List
- Business Continuity Management and Disaster Recovery Planning
- Conformance with Assurance and Compliance Standards
- Collaboration and Information Portals
- Business Intelligence
- Customer Relationship Management (CRM)
As usual, the lists are long on generalities and short on details…
How Will These Technologies Impact You?
Remote Deposit/Capture
What is it?
- Remote Deposit/Capture (RDC) moves check processing out to customer offices
What’s cool…
- Reduces processing costs for FIs
- Reduces costs for merchants
- Improves funds availability
- Facilitates paperless operations
What’s not…
- Risk of duplicate item scans
- Privacy concerns
- Heightened regulatory scrutiny (FFIEC January 2009)
Fidelity, Fiserv, ProfitStars, Goldleaf
Online Cash Management
What is it?
- Online Cash Management permits businesses to control their treasury management activities in house
What’s cool…
- Multiple services – ACH, wires, positive pay, stop payments, etc.
- Reduces costs for FIs and merchants
- Improves funds availability
- Improves disbursement control
What’s not…
- ACH origination management
- Potential reduction in internal controls
- Compliance concerns
Fidelity, Fiserv, Jack Henry
Universal Device (Smart Phone)
What is it?
- One mobile device to manage multiple work and personal functions
What’s cool…
- Single device – single interface
- Multiple functions out of the box (e.g. phone, media player, e-mail)
- Unlimited expansion (e.g. iPhone and RIM application stores)
- Facilitates mobile payments
What’s not…
- Risk of theft/loss
- Learning curve
- Carrier interoperability
Apple, RIM, Google, Verizon, AT&T
Mobile Broadband
What is it?
- Enables wireless broadband access anywhere, anytime
What’s cool…
- High speed Internet access similar to a typical LAN environment
- Works with a variety of devices, including laptops, netbooks, PDAs
- No need for WIFI access points
What’s not…
- Recurring monthly costs for data
- Limited range (although improving)
- Encryption concerns
- Carrier interoperability
Verizon, AT&T, Sprint, T-Mobile
Digital Television (HDTV)
What is it?
- High definition video and audio television presentation (up to 1080P)
What’s cool…
- High resolution facilitates digital conversion
- 16 x 9 format good for data displays
- Truly usable teleconferencing
- Rapidly falling costs
What’s not…
- Digital conversion – June 12, 2009
- Technology confusion (decreasing)
- Set up and support issues
- Content provider/support issues
Sony, Samsung, Vizio, DirecTV, Comcast
Virtualization
What is it?
- Operating multiple servers, storage units or applications within a virtual hardware environment
What’s cool…
- Reduced IT costs - large reduction in server hardware and software licenses
- Increasingly accepted by application providers
- Hardware independence
- Facilitates rapid BCP/DR responses
What’s not…
- Can provide false sense of security
- Requires complex BCP/DR planning
IBM, Cisco, VMware, Dell, Microsoft, Red Hat
Evolving Storage Technology
What is it?
- Continued growth in high capacity, high speed data storage devices
What’s cool…
- Solid state disk drives (SSDD) are becoming mainstream in 2009
- Cheap, reliable hard disk drives
- Flash memory standardization
- Blu-ray standardization
- Online storage/archival
What’s not…
- Online storage/archival costs
- Security concerns (online)
- Inconsistent data retention standards
Toshiba, Amazon, IBM, Seagate, Dell, Intel
Web 2.0 and Social Networking
Although initially designed for and targeted at younger people, Web 2.0 and Social Networking technologies are changing the way we do business
- Text messaging (SMS)
- Social sites (Facebook, My Space)
- Professional sites (LinkedIn)
- Instant Messaging (AOL, MSN)
- Video (YouTube)
- Web logs or Blogs (WordPress)
- Podcasts
- Chat technologies (technical support)
- Information feeds - RSS, Digg
Social Networking
What is it?
- Social networking sites are changing interaction and information sharing
What’s cool…
- Real-time interaction and sharing
- Global reach – multiple media sources
- Cross-generational communications
- Growing business uses - Facebook
- Professional uses - LinkedIn
What’s not…
- “Loose lips sink ships… or careers”
- Wasted productivity
- Privacy – fraudulent applications
- Heightened exposure to malware
Facebook, MySpace, LinkedIn, Flickr
Twitter
What is it?
- Twitter is a form of social network site that works through short messages
What’s cool…
- Real-time interaction via “Tweets”
- Global reach
- Easy to use “What are you doing?”
- Well suited for mobile devices (SMS)
What’s not…
- “Loose lips sink ships… or careers”
- Wasted productivity
- Privacy
- Can facilitate false rumors (swine flu)
- Few defined business uses – yet…
Google Applications
What is it?
- Google has evolved far beyond its world class search engine
What’s cool…
- Google is offering an increasing array of web apps, e.g. Picasa, G-Mail, Google Earth, Google Checkout, Alerts
- Google apps are browser independent
- Android phone OS
- Google Labs – watch the future unfold
- Most apps are free
What’s not…
- Privacy concerns (Checkout, Profiles)
- Web dependence
Microsoft Vista
What is it?
- Microsoft’s current desktop operating system (32-bit and 64-bit variants)
What’s cool…
- Enhanced graphics – Aero interface
- Improved security features (UAC)
- Enhanced RAM access
- Improved multitasking capabilities
What’s not…
- Resource hog – although partially mitigated by 64-bit version
- 64-bit Vista incompatible with many applications/devices (e.g. banks)
- Poor performance (mitigated by new hardware)
Microsoft Windows 7
What is it?
- Microsoft’s next desktop operating system – likely late 09/early 10 release
What’s cool…
- Best Vista features that work
- Improved security features (UAC)
- Enhanced, Mac-like interface
- Will run existing Vista HW/SW as is
- Windows XP emulation mode
- Enhanced built-in apps
- Customizable system tray
What’s not…
- No direct Windows XP to Win 7 path
- Business reluctance after Vista
Netbook Computers
What is it?
- Ultra small notebook computers designed for mobile web use
What’s cool…
- Lightweight, capable PCs (Intel Atom)
- Enhanced power management
- Windows XP, Linux (Win 7 coming)
- Many offer SSDDs – some HDDs
- Inexpensive ($200 and up)
What’s not…
- No optical drives, limited RAM
- Restricted expansion capability
- Small screens, smaller keyboards
- Low cost laptops - “bang for the buck”
Dell, Acer, HP, Lenovo
Internet Explorer 8
What is it?
- Microsoft’s latest web browser
What’s cool…
- Faster and more stable than IE 7
- More secure (better malware defense)
- InPrivate browsing
- Accelerators permit faster data access
- IE 7 compatibility mode
- Web Slices will automate data updates
- Crash recovery – recover open sites
What’s not…
- Sporadic upgrade issues (Vista Ultimate)
- Competitive browsers (e.g. Firefox)
- InPrivate business issues
Coming Attractions
- Microsoft - Office 2010, Exchange 2010
- Subscription-based Applications
- USB 3.0 (5 Gbps)
- Broadband Bluetooth
- Wireless 802.11N (up to 300 Mbps)
- Dual screen notebooks (e.g. Lenovo W700)
- Secure flash drives (IronKey)
- Electronic paper
- Network access control (SSO on steroids)
- Practical encryption
- New web portals (e.g. BillShrink, Knowx)
Where Do We Go From Here?
Time For A Reality Check…
- Do you know how personnel are using the Internet (time spent, sites visited, social networking, etc.)?
- Are you taking steps to deter Identity Theft?
- How dependent are you upon the Internet?
- Are employees alert for Phishing/SE scams?
- Is your web site secure (e.g. URL obfuscation)?
- Are your remote access processes secure?
- Is your network secured (patched) and monitored?
- Are your IT policies and procedures up-to-date?
- Have you conducted a recent business impact analysis and risk assessment?
Time For A Reality Check…
- Is your BCP/DR plan current? Has it been tested?
- Do you have an incident response strategy?
- Are confidential company and customer records secure (e.g. GLB, SOX, various privacy acts)?
- Is your company e-mail secure (e.g. encrypted)?
- Are your Malware/Spyware defenses up-to-date?
- Are you prepared to deal with the risks presented by high capacity portable computing devices (e.g. flash memory drives, iPods, iPhones)?
- Are your external trading partners secure (e.g. payment systems, payroll providers)?
- Have you evaluated the risks posed by emerging information technologies?
Security Issues And Risks 2009
- Malware
- Spyware
- Scareware
- Identity Theft
- Phishing
- Spam
- Disaster Preparedness and Business Continuity Planning
Malicious Code (Malware)
- Viruses
- Trojans
- Worms
- Spyware
- Browser Hijackers
- Denial of Service
- Hacking tools
- Pop-Ups
Is your firm NEXT?
Malware – How Do We Get It?
- Web browsing – particularly social networking sites – e.g. Facebook (over 200 million users), MySpace (over 150 million users)
- Remote access
- Online file sharing (Peer-to-Peer networks – e.g. BitTorrent) – Note: litigation has reduced (but not eliminated) this problem
- Media (e.g. disks, CD/DVD-ROMs, Flash keys)
- E-mail (attachments)
- Adware and Spyware programs
- Instant Messenger/chat programs
Spyware
- Software that captures information and transmits it to unauthorized (and usually unknown) external parties (including confidential Internet Banking and online account credentials) – increased risk of Identity Theft (robots, zombies)
- Some Spyware applications take control of Internet browsers (e.g. Browser Hijackers)
- Spyware applications cause significant degradation in performance
- Recent examples – Conficker worm set to activate 4/1/09
Scareware
- One of the latest malware variants is commonly known as “Scareware”
- Scareware tricks users into downloading software onto their computers by telling them that “a virus has been detected”
- Typical forms – fake A/V programs, registry cleaners
- Examples of fraudulent software – Spyware Cleaner, Registry Cleaner XP, WinFixer, WinAntivirus, DriveCleaner, ErrorSafe
- Examples of dangerous scareware - SpySheriff
Identity Theft
- Identity Theft is a fast rising crime
- FACTA (26 “Red Flag” Rules)
- Identity Theft occurs from a variety of sources
  - User Manipulation (“Social Engineering”)
  - Interception of discarded equipment and trash (“Dumpster Diving”)
  - Network Attacks (e.g. data stolen from file servers)
  - Media Loss/Theft (e.g. backup tapes, disk)
  - Internet Attacks
- Risk rising due to Universal devices/Smartphones
Phishing
- Phishing – attempts to obtain confidential information from users by tricking them into responding to bogus requests - of particular concern to e-commerce vendors (Passwords, PINs)
  - Regions Bank, Bank of America, SunTrust, Capital One – requests updated customer account information due to security threat
  - eBay/PayPal scams – requests updated credit card information due to account having been compromised
  - “Republic of the Congo” or Nigerian 411 scams – requests money to be wired to assist in a get rich money-laundering scheme
- Some scams are easy to spot (misspellings, inaccurate information, moronic subject matters), but “Phishers” are getting more sophisticated (e.g. recent bank scams)

Phishing
Phishing scams are growing in complexity – the loss potential is enormous – approximately 40% increase during 2008
Phishing uses several techniques, including:
  Mass e-mails
  Targeted e-mails ("Spear Phishing")
  Disguised web pages
  Pop-Ups or Page Concealment techniques
  URL confusion (address bar URL differs from address shown at bottom of browser)
  Hacking – e.g. using hidden scripts on web pages to force page redirection and/or to capture information
  Pharming identifies potential lists that can be targeted for subsequent phishing attempts
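The "URL confusion" technique listed above (a link whose displayed address differs from where it really points) can be screened for mechanically before a message reaches a user. The following Python script is an added example written for this page, not code from the presentation or its author. It assumes a constructed HTML e-mail body using reserved `.example` domain names, and it flags every link whose visible text looks like a web address but names a different host than the link's `href`.

```python
"""Added example: flag links in an HTML e-mail whose visible address differs from the real link target.

This checks the "URL confusion" phishing technique from the defender's side: the
visible link text claims one host while the href points somewhere else.
"""
from html.parser import HTMLParser
import re

# A string that "looks like" a web address: optional scheme, optional www., a
# dotted host name with an alphabetic top-level label, optional path/query.
# Bare IP addresses are deliberately not matched; they are treated as "no host".
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?#]\S*)?$",
    re.IGNORECASE,
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the normalised host named by a URL-looking string, or '' if it names none."""
    match = URL_LIKE.match(text.strip())
    return match.group(1).lower() if match else ""


def find_url_confusion(html):
    """Return one finding per link whose shown host and actual host disagree."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, shown_text in collector.anchors:
        shown, actual = host_of(shown_text), host_of(href)
        # Plain wording such as "verify" names no host, so it is not a mismatch by itself.
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample message (not a real e-mail); the .example domains are reserved names.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://203-0-113-5.evil-host.example/login">verify</a> your account.</p>
<p>Or visit <a href="http://regionsbank.example.evil-host.example/update">www.regionsbank.example</a> today.</p>
<p>Manage preferences at <a href="https://www.regionsbank.example/prefs">https://www.regionsbank.example/prefs</a>.</p>
"""

if __name__ == "__main__":
    for f in find_url_confusion(SAMPLE_EMAIL):
        print(f"link text shows {f['shown']} but points to {f['actual']} ({f['href']})")
```

Only links whose text itself looks like an address are compared; a link labelled "verify" is not flagged here, so this check complements, rather than replaces, user education about hovering over links before clicking.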

Phishing – Password - 2009 (chart; Source: Anti-Phishing Working Group 2009)

Phishing Reports – Late 2008 (chart; Source: Anti-Phishing Working Group 2009)

Phishing – Most Targeted - 2009 (chart; Source: Anti-Phishing Working Group 2009)
Note the shift toward payment services!

Phishing – Rise of "Scareware" (chart; Source: Anti-Phishing Working Group 2009)

Spam
Spam involves sending/receiving unsolicited e-mail
Excessive receipt of spam messages can cripple company e-mail systems
  Heavy message volume robs server and telecom resources (similar to junk faxes, only worse)
  Traveling users with dial-up access are particularly inconvenienced due to bandwidth clogging
  Important messages may be ignored and/or deleted in overused inboxes (potential regulatory/legal issues)
  Users may become desensitized to opening messages, thereby opening the door for malicious code assaults
  Potential legal risks (e.g. sexual harassment)
Companies who send out Spam can be blacklisted by Internet Service Providers

Continuity Planning
Recent experiences with local and regional disasters have challenged company continuity plans (e.g. March 2009 Middle Tennessee tornados, Texas hurricane impacts)
Along with the potential loss of facilities and equipment, companies must be prepared to deal with data loss/ID theft problems that could rapidly escalate to disaster level (e.g. debit card breaches)
Statistics repeatedly show that most companies who experience a major data disaster go out of business within 24 months
Can you recover your client records in the event of fire, weather or intentional destruction?

IT Risk Management Solutions

IT Risk Management Solutions
Risk Management Planning
  Business Impact Analysis
  Risk Assessment
  Business Continuity Planning
  Policies and Procedures
Policies and Procedures
Authentication
Perimeter Defense
Vulnerability Assessment
Malicious Code
Identity Theft
Internal Control Solutions

IT Risk Management Process
Security planning is a methodical process which repeatedly recycles throughout the firm's life cycle (cycle diagram):
  Security Policy
  Risk Assessment
  Select Security Measures
  Plan Deployment
  Training
  Implement Security Measures
  Operate/Maintain Security Measures
  Audit Security (Internal, External)
  Evaluate Effectiveness
  Incorporate Enhancements
It must be driven by management and board of directors

IT Risk Management Process
Risk management process should be balanced – protection weighed against information availability, integrity and confidentiality
(Diagram: IT Security balanced among Availability, Integrity and Confidentiality)

IT Risk Management Steps
Adopt an IT Governance model
Conduct a Business Impact Analysis/Risk Assessment
Develop IT Security Policies, Standards and Procedures
Develop a Business Continuity Plan
Training
Test and Audit
Repeat the process

BIA/RA Factors To Consider
Loss of critical records
Added external expenses
Added internal personnel expenses during the incident and recovery periods (e.g. absenteeism during a pandemic)
Loss of revenue (cash flow) due to damaged/closed facilities
Reduction in customer service levels (potential lost customers)
Facilities repair and/or replacement costs
Repair/replacement costs
Loss of reputation
Impact upon employees – the "Human Element"
Insurance liability claims - subsequent increase in premiums or loss of coverage
Training costs for personnel
Advertising and PR costs (e.g. damage control)
Legal or regulatory fines and penalties
Integration with external payment systems

Business Continuity Plan
Threat identification and analysis – internal, external
Systems ranking by mission criticality
IT policies and procedures
Alternate operating arrangements and sites (e.g. hot sites)
System documentation
Identification of critical non-IT processes and functions
Physical security (e.g. locks, fire suppression, power conditioning)
Contact information (e.g. company personnel, vendors, utilities, etc.)
Hardware/software failure
Damaged or destroyed files
Facilities evacuation
Attack response procedures
Archival/backup systems
System inventory
System topology map
IP addressing scheme
Telecom configurations (e.g. routers)
User account and password procedures
External vendor integration
Plan test/review process
Pandemic planning (04/09)

Testing the Plan
Tabletop tests vs. "Full-blown" BCP tests
IT recovery tests
  Hardware
  Software
  Data/databases
  Telecommunications
Operational testing
  Resource intensive
  Resource allocation (e.g. What will employees do while waiting for recovery?)
Have your plan externally reviewed!

Policies and Procedures
Roles and Responsibilities
IT Audit and Review
Systems Monitoring
Business Impact Analysis/Risk Assessment
Business Continuity Planning
Data Ownership and Security (e.g. Queries)
Software Management/Change Control
Network Management (including portable devices)
User Authentication and Password Management
IT Outsourcing/Procurement
Incident Response
Acceptable Internet/e-Mail Usage
Virus/Malware
Backup/Archival
Patch Management
Wireless/Remote Access
Physical Security
Privacy and Confidentiality
Windows Security Standards
IT Training
HR – including new hire screening, background check procedures

Authentication
Traditional authentication systems have been built upon a single factor "what you know" model – e.g. the user "knows" both the user ID and password
Single factor or password user authentication systems are highly vulnerable
  Weak or non-existent passwords
  Infrequent password rotation (if any)
  Passwords written down or known by other users
  Default accounts (e.g. anonymous, guest) active
  Too many passwords for many users
Growing trend toward Multi-Factor authentication systems – e.g. what you know, what you have, who you are

Multi-Factor Authentication
"What You Know"
  User IDs/Passwords
  PIN codes – e.g. ATM/Debit cards
  Tax ID or SSN numbers
  Personal information - e.g. "mother's maiden name"
  Knowledge of specific transactions – e.g. "what did you buy on August 24, 2008 at Best Buy"
"What You Have"
  Tokens
  Smart Cards
  One Time Pads
  Encryption keys
  Digital Certificates

Multi-Factor Authentication
"Who You Are" - Biometrics
  Voice pattern recognition
  Hand geometry
  Finger print analysis – e.g. thumb print scanners
  Facial recognition
  Ocular recognition – e.g. retina/iris scans
  Handwriting/signature recognition
Other authentication methods
  IP fingerprinting
  Anti-phishing images
  GPS location authentication (e.g. cellular phones, Universal devices)
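The preceding slides list tokens under "what you have" and passwords under "what you know". To show how a token-generated one-time code is combined with a password into a two-factor check, here is an added Python example written for this page; it is not code from the presentation, its author, or any vendor. It implements the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238) that hardware and phone tokens commonly use, with a constructed user record; the secret `12345678901234567890` is the published RFC test secret, used only so the codes are checkable, and the user name, password and PBKDF2 round count are assumptions.

```python
"""Added example: two-factor check = password ("what you know") + time-based one-time code ("what you have")."""
import hashlib
import hmac
import os
import struct

TIME_STEP = 30         # seconds per one-time code (RFC 6238 default)
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code of the current step or of `window` neighbouring steps (token clock drift).

    Every step in the window is compared in constant time, so timing does not reveal which one matched.
    """
    counter = unix_time // TIME_STEP
    matched = False
    for delta in range(-window, window + 1):
        matched = matched | hmac.compare_digest(hotp(secret, counter + delta), candidate)
    return matched


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash plus the token's shared secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def two_factor_login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated, so the outcome does not reveal which one failed."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS),
        user["pw_hash"],
    )
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    import time
    # RFC 6238 test secret (assumption for the demo); a real deployment generates a random secret per token.
    user = make_user("correct-horse-battery-staple", b"12345678901234567890")
    now = int(time.time())
    current = totp(user["totp_secret"], now)
    print("current code:", current)
    print("login ok:", two_factor_login(user, "correct-horse-battery-staple", current, now))
```

The acceptance window of one step either side covers ordinary clock drift between the token and the server; widening it makes a guessed or intercepted code valid for longer, so it should stay small.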

Vulnerability Assessment
IT risk assessment should include an analysis of network exposure via penetration or intrusion testing
Penetration testing requires specialized expertise
Penetration testing poses risks to information systems
  False alarms from intrusion detection software
  Downtime resulting from system exploitation
  Loss of programs and data
  Compromised security information
  Alienation of internal IT personnel
Have written test plan and scope before testing
Make sure that the BCP is in place prior to testing
Make sure social engineering defense is tested
Have verified system backups available

Simple Secure Topology
(Network diagram with the following elements: External User, Internet, Router, External Firewall, Untrusted Network, Web Server, Virus Wall, IDS, Internal Firewall, Trusted Network, Internal Information Systems)

Malware Defense
User education – including policies, procedures, scams
Install/update antivirus software (e.g. Symantec, Trend)
Use Anti-Spyware software (e.g. Microsoft Defender, Ad-Aware)
Use multiple software scans (from different vendors) whenever possible
Use Pop-Up blocking software (e.g. Google Toolbar)
Use Anti-Spam technology (e.g. TrustWave, Postini, Barracuda)
Use protected document formats (e.g. PDF)
Employ patch management (e.g. WSUS)

Identity Theft Defense
Defense against Identity Theft (e.g. Phishing schemes) involves vigilance on the part of companies and consumers
  Employee Security Programs – employees must be trained to spot schemes before they fall victim
  Customer Awareness Programs – customers and consumers should be made aware of current schemes (e.g. web site notices, statement stuffers)
  Document Destruction – e.g. use of "cross-cut" shredders or secure document disposal companies (e.g. Shred-it)
  Proper Equipment/Media Disposal – e.g. destruction of hard drives, backup tapes
  Multi-Factor Authentication – e.g. Bank of America Site Key
  Vulnerability Assessment – e.g. penetration testing

IT/Internal Control Solutions
Implement improved internal audit process with added risk-based focus on information technology issues
Implement software licensing and accounting procedures
Perform extensive background checks on all employees who work with sensitive data
Review external audit requirements and processes – make sure that auditor is proficient in reviewing Internet-based IT systems
Regularly review all 3rd party processing agreements (e.g. ACH/Merchant Capture origination agreements)

IT/Internal Control Solutions
Review trading partner contingency plans
Employ access control systems with user names and strong passwords
  Passwords should be regularly rotated (30 to 90 days)
  Passwords should be complex (8 or more characters, including upper/lower case, numbers, special symbols)
  Passwords should not be reused (at least for 12 changes)
Employ data encryption technologies on remote access mechanisms (e.g. 128-bit SSL, PKI)
Develop secure alternative communications links to key data sources – Particularly important as applications shift to the web
Disable 3rd party vendor accounts when not in use – log all activity when active
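As an added example (not the presentation's or its author's code), the following Python module enforces the three password rules on this slide: complexity of 8 or more characters across the four character classes, an age check against the 90-day upper end of the rotation window, and a salted-hash history that refuses any of the last 12 passwords without ever storing the passwords themselves. The account record layout, the salt handling and the PBKDF2 round count are assumptions made for illustration.

```python
"""Added example: enforce the password rules from the slide (complexity, rotation, no reuse for 12 changes)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 8
MAX_AGE_DAYS = 90          # upper end of the 30 to 90 day rotation window
HISTORY_DEPTH = 12         # passwords remembered, so a password cannot return within 12 changes
PBKDF2_ROUNDS = 20_000     # kept low for the example; raise for production use

# Each required character class, with a readable name for the rejection message.
CHARACTER_CLASSES = (
    (re.compile(r"[A-Z]"), "upper-case letter"),
    (re.compile(r"[a-z]"), "lower-case letter"),
    (re.compile(r"[0-9]"), "number"),
    (re.compile(r"[^A-Za-z0-9]"), "special symbol"),
)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: float        # unix time the password was set


@dataclass
class Account:
    """Assumed account record: the current password plus the remembered history (oldest first)."""
    current: Optional[PasswordRecord] = None
    history: List[PasswordRecord] = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_problems(password: str) -> List[str]:
    """Return every way the password falls short of the complexity rule (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, name in CHARACTER_CLASSES:
        if not pattern.search(password):
            problems.append(f"missing {name}")
    return problems


def is_expired(account: Account, now: float, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation limit (or was never set)."""
    if account.current is None:
        return True
    return now - account.current.set_at > max_age_days * 86400


def was_used_recently(account: Account, password: str) -> bool:
    """Hash the candidate under each remembered salt; only digests are stored, never passwords."""
    return any(
        hmac.compare_digest(_digest(password, rec.salt), rec.digest)
        for rec in account.history[-HISTORY_DEPTH:]
    )


def change_password(account: Account, new_password: str, now: float) -> List[str]:
    """Apply the change if it passes every rule; return the list of reasons it was refused."""
    reasons = complexity_problems(new_password)
    if was_used_recently(account, new_password):
        reasons.append(f"reused within the last {HISTORY_DEPTH} changes")
    if reasons:
        return reasons
    salt = os.urandom(16)
    record = PasswordRecord(salt, _digest(new_password, salt), now)
    account.history = (account.history + [record])[-HISTORY_DEPTH:]
    account.current = record
    return []


if __name__ == "__main__":
    acct = Account()
    print(change_password(acct, "weak", now=0))            # complexity failures listed
    print(change_password(acct, "Str0ng!Pass", now=0))     # [] means accepted
    print(change_password(acct, "Str0ng!Pass", now=10))    # refused: reused
    print(is_expired(acct, now=91 * 86400))                # True: older than 90 days
```

Because each remembered entry keeps its own salt, checking a candidate against the history costs one hash per entry; that is the price of never storing old passwords in a reversible form.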

Questions And Answers