Meeting the Information Security Management Challenge in the Cyber-Age

© Copyright 2016. Citadel Information Group. All Rights Reserved.

Stan Stahl, Ph.D.President

Citadel Information Group

May 2016

2

The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions

and understand the answers.

Major Gen Brett Williams, U.S. Air Force (Ret)This Week with George Stephanopoulos, December 2014

Online Fraud: Business Email Compromise Deceives Controller

4

From: Your Vendor, Stan Sent: Sunday, December 28, 2014 12:07 PMTo: Bill Hopkins, Controller Subject: Change of Bank Account

Hi Bill – Just an alert to let you know we’ve changed banks.

Please use the following from now on in wiring our payments.

RTN: 123456789 Account: 0010254742631

I’m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter.

Great thanks.

Cheers - Stan_________________________The secret of success is honesty and fair-dealing. If you can fake that, you’ve got it made ... Groucho Marx

Company Loses $46 Million to Online Fraud

5

FBI Reports $2.3 Billion Lost to Business Email Compromise

Your Money or Your Data: Ransomware Viruses Reach Epidemic Proportions

7

Hollywood Presbyterian Medical Center paid $17,000 to ransomware hackers

Epidemic of Credit Card Theft … Medical Records Theft … Personnel Records Theft

8

Data Breach Costs Expensive.Money Down the Drain.

Approximately $150 Per Compromised Record

$15 Million Per Event

Investigative Costs

Breach Disclosure Costs

Legal Fees

Identity Theft Monitoring

Lawsuits Customers

Shareholders

http://www.ponemon.org/index.php

9

Competitor Steals Information. Bankrupts Company.

10

Intellectual Property Theft —Economic Death by a Thousand Cuts

11

Disgruntled Employees Sabotage Systems, Steal Information and Extort Money

12

Organizations Attacked Because Someone Didn’t Like What They Stood For

13

The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity

Customer Information

Credit Cards and PCI Compliance

HIPAA Security Rule

Breach Disclosure Laws

On-Line Bank Fraud & Embezzlement

Theft of Trade Secrets & Other Intellectual Property

Critical Information Made Unavailable

Systems Used for Illegal Purposes

14

Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations

30% of victims have fewer than 250 employees

60% of small-business victims are out of business within 6 months

80% of breaches preventable with basic security

15

Managing Information Risk — Four Key Questions

1. How serious is cybercrime and why should my organization care?

2. How vulnerable are we, really?

3. What do we need to do?

4. How do we do it?

16

Internet not designed to be secure

Computer technology is riddled with security holes

We humans are also imperfect

Why Are We so Vulnerable? Three Inconvenient Truths

17

Cyber Security Need vs. Reality18

http://www.citibank.

com.us.welcome.c.tr

ack.bridge.metrics.po

rtal.jps.signon.online.

sessionid.ssl.secure.

gkkvnxs62qufdtl83ldz

.udaql9ime4bn1siact

3f.uwu2e4phxrm31jy

mlgaz.9rjfkbl26xnjskx

ltu5o.aq7tr61oy0cmbi

0snacj.4yqvgfy5geuu

xeefcoe7.paroquian

sdores.org/

Phishing: Users Unwittingly Open the Door to Cybercrime

19

Vendors an Increasing Information Security Risk

20

Visiting a Website Can Expose You to Cyberattack

21

Clicking an Ad Can Expose You to Cyberattack

22

Cyberattacks Succeed Because ofFlaws — Vulnerabilities — in Programs

23

Technology Solutions Are Inadequate to Challenge

http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/

24

Management Too Often Fails to Set Security Standards for IT Network

Senior Management

IT Head

That’s great

Bob. We’re all

counting on

you.

You’re

keeping us

secure now

aren’t you?

Yes sir.

Everything’s

fine.

Yes sir.

Everything’s

fine.

Hi Bob.

Things

good?

I appreciate

that sir.

Management Too Often Fails to Properly Fund IT Network Security

26

Senior Management

IT Head

I understand.

But you know

how tight

budgets are.

You’re

keeping us

secure now

aren’t you?

Yes sir.

Everything’s

fine.

We need a

BYOD

Solution.

Hi Bob.

Things

good?

I do. Yes sir.

We Make It Way Too Easy: 80% of Breaches are “Low Difficulty”

Inadequate training of people

Inadequate security management of IT networks

Inadequate involvement by senior management

27

Verizon 2015 Data Breach Investigations Report:

http://www.verizonenterprise.com/DBIR/

Securing Your Organization28

Distrust and caution are the parents of security.

Benjamin Franklin

The Objective of Information Security Management is to Manage Information Risk

Cyber Fraud

Information Theft

Ransomware

Denial of Service Attack

Regulatory / Compliance

Disaster

Loss of Money … Brand Value … Competitive Advantage

The Four Elements of Information Risk

Confidentiality … Assuring information is only accessible to those authorized to use it

Integrity … Assuring that information is changed in accordance with authorized procedures by authorized people

Availability … Assuring that information and systems are available to users when they need it

Authenticity … Assuring that a received message is really from the purported sender

30

The Information Security Management Chain

31

Identify Detect Respond RecoverProtect

Continuous Security Management Improvement

Risk Transfer and Insurance

Legal and Regulatory Framework

Based Upon: 1. NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 20142. International Standards Organization 27001:2013: Information technology— Security techniques —

Information security management systems — Requirements3. Porter Value Chain: Understanding How Value is Created Within Organizations

Don’t Try to Reinvent Wheel: Use an Accepted Information Security Management Framework

Information Security Policies

Organization of Information Security

Human Resource Security

Asset Management

Access Control

Cryptography

Physical / Environmental Security

Operations Security

Communications Security

System Acquisition, Development & Maintenance

Supplier Relationships

Information Security Incident Management

Information Security Aspects of Business Continuity Management

Compliance

32

Manage Information Security Like Everything Else. Establish Leadership.

33

An organization's ability to learn, and translate

that learning into action rapidly, is the ultimate

competitive advantage.

Jack Welch

Take Specific Action to Protect Against Online Financial Fraud

Implement Internal Controls Over Payee Change Requests

Assume all email or fax requests from vendors or company President are fraudulent

Use Out-of-Band Confirmation

Use Dedicated On-Line Banking Workstation

Keep Patched

Use Only for On-Line Banking

Work with Bank

Dual Control

Out-Of-Band Confirmation

Strong Controls on Wires

34

See our blog:https://citadel-information.com/2016/02/business-e-mail-compromise-dont-be-a-victim/

Know What Information Needs To Be Protected and Where It Is

35

Online Banking CredentialsCredit cardsEmployee Health InformationSalariesTrade SecretsIntellectual PropertyCustomer Information

ServersDesktopsCloudHome PCsBYOD devices

Implement Written Information Security Management Policies and Standards

36

Train Staff to Be Mindful. Provide Phishing Defense Training.

37

Provide Information Security Education. Change Culture.

38

If you do not know your enemies nor yourself, you will be imperiled in every single battle.

Ensure IT has Aggressive Vulnerability and Patch Management Program.

39

Require Vendors to Meet Security Management Standards

Security Management included in Service Level Agreements

Comply with Information Security Standards

Business Associate Agreements (HIPAA)

Information Security Continuing Education

40

Make Sure Critical Information Available in Disaster or Ransomware Attack

41

Trust … But Verify.

Be Prepared: It’s Not “If” But “When”42

Getting Started: Implement Basics. Assess IT Security. Develop Strategy.

43

Put Someone in Charge

Review IT Network

Management Compliance with

Security Standards

Conduct IT Network

Vulnerability Scan

Establish Policies & Standards

Train Staff

Develop Strategy

Create Steering Committee to Manage Ongoing Information Security

44

Leadership & Organizational Improvements

Security Management of IT Network

Security Improvements to IT Network

Improve constantly and forever the system of

production and service, to improve quality and

productivity, and thus constantly decrease costs

W. Edwards Deming 14 Key Principles for Improving

Organizational Effectiveness

Join a Secure The Village Roundtable45

Summary: Manage Security of Information as Rigorously as Operations & Finance

Implement Formal Information Security Management System1. Information Security Manager / Chief Information

Security Officera. Independent C-Suite Accessb. Provide Cross-Functional Supportc. Support with Subject-Matter Expertise

2. Implement Formal Risk-Driven Information Security Policies and Standards

3. Identify, Document and Control Sensitive Information 4. Train and Educate Personnel. Change Culture.5. Manage Vendor Security6. Manage IT Infrastructure from “information security point

of view”

46

Information Security is Proactively Managed

Information Security Standard of Care

Total Cost of Information Security SM

Information Security Proactively Managed

Commercially Reasonable Information Security Practices

Lower Total Cost of Information Security SM

Citadel Information Group: Who We Are

48

Stan Stahl, Ph.DCo-Founder & President

35+ Years ExperienceReagan White House

Nuclear Missile Control

Kimberly Pease, CISSP

Co-Founder & VP

Former CIO15+ Years Information

Security Experience

David Lam, CISSP, CPPVP Technology

Management Services

Former CIO20+ Years Information

Security Experience

Citadel Information Group: What We Do49

Deliver Information Peace of Mind SM

to Business and the Not-for-Profit Community

Cyber Security Management Services

Information Security Leadership

Information Security Management Consulting & Coaching

Assessments & Reviews … Executive Management …Technical Management

Secure Network Engineering … Secure Software Engineering

Incident Response / Business Continuity Planning

Adverse Termination

For More Information

Stan Stahl Stan@citadel-information.com 323-428-0441 LinkedIn: Stan Stahl Twitter: @StanStahl

Citadel Information Group: www.citadel-information.comInformation Security Resource Library

Free: Cyber Security News of the WeekFree: Weekend Vulnerability and Patch Report

50

Meeting the Information Security Management Challenge in the Cyber-Age

© Copyright 2016. Citadel Information Group. All Rights Reserved.

Stan Stahl, Ph.D.President

Citadel Information Group