Video | What Happened
• Directions to the A/V team: please play from the beginning and cut it at 1:25…
• Video – http://www.youtube.com/watch?v=3FelJwb4NCM
Theresa Payton © 2013 All Rights Reserved
Uber Connected?| What to Watch?
• 6 billion people have mobile phones
• The number of networked devices = the globe's population
• Internet connectivity is ubiquitous!
Uber Connected?| What to Watch?
1 minute just went by…what happened?
• 639,800 GB was transferred
• 204 million emails sent
• 135 botnet infections
• 20 new victims of identity theft
• 100,000 new tweets
• 277,000 Facebook logins
• 20 million photo views
• 30 hours of video uploaded (+1.3M views)
• 100+ LinkedIn accounts added
• 1,300 new mobile users
Source: Intel, What Happens in an Internet Minute? Posted by Krystal Temple, March 13, 2012.
Memory Check| Current State of Affairs
What were you doing 243 days ago?
Current State of Affairs| Incoming!
Something is discovered every 90 seconds. What is it?
Breach Discovery| Bold New Approach Needed
Chart: 37% / 63%
Source: M-Trends 2013, Mandiant
Current State of Affairs| Booming Economy? Where?
• Russia's cyber crime…but it's other places too.
• Latest estimated value of the country's cyber crime market is now $2.3 billion, almost double the prior year's $1.2B.
• $1.8 billion of that is from what? You guessed it…online fraud via banking malware, phishing, and spam.
Source: State and Trends of the Russian Digital Crime Market, released April 2012
Current State of Affairs| Assumptions
For IT risk and security, staffing levels should be between 5% and 12% of your total staff, but many organizations have < 3%.
Chris Byrne, Gartner Security and Risk Summit, 2012
Current State of Affairs| Industry Challenges: What Keeps Me Up At Night?
Businesses in a recent survey indicated:
• 50%+: $/time not justified by the threat.
• 75%: less than 3 hours per year, and almost half offer zero.
• 47%: recovery plans are Dilbert style!
• 6 out of 10: go ahead and talk to strangers (unsecured WiFi).
Source: National Cyber Security Alliance and Visa poll: business' cyber security practices & attitudes
Black Swan | Risk Management
Convincing others to prepare to invest in an event that will "never" happen
• "Zero Risk" does not exist, but "Managed Risk" does
• Making security the business enabler vs. productivity roadblock
Black Swan | Risk Management
"Senior living providers are at particular risk because of the nature of the information they store on residents."
John Atkinson, Managing Partner at The Willis Group Holdings
Black Swan | Risk Management
"Over the weekend of November 17-18, 2012, five laptops were stolen from Riderwood's physical therapy offices."
On the hard drive? Unencrypted patient names, visits, addresses and policy numbers
Lessons Learned:
• Data storage on hard drives
• Encrypting files
Black Swan | Risk Management
January 2013: "…the Hospice of North Idaho became HHS's first facility with fewer than 500 residents to be fined for a patient information data breach, saddling the hospice a whopping $50,000 bill."
Stolen? Laptop (in 2010)
HHS reason for hefty fine? Unencrypted data, did not do regular risk assessments
Lessons Learned:
• Data storage on hard drives
• Delete files you do not need anymore
• Schedule periodic risk assessments
• Encrypting files
Black Swan | Risk Management
HITECH Act requirement: organizations that have personal health information (PHI) must have a plan of action in the event they did experience a security breach.
And…regulated by HIPAA? Breach reports to multiple outlets:
• Department of Health and Human Services
• the media
• affected individuals
Does Spending=Secure?| Invalid Assumptions
Case Study: Target Corp. and Oracle Corp.
• Hacking contest for large companies
• Target spends about 1/2 as much on security annually as Oracle
• Results? Target was more difficult to hack
Sources: Yurcan, Bryan. Panel Discussion: The Role of the Bank CIO. Bank Systems & Technology, October 20, 2011. Kapner, Suzanne. Hackers Press the 'Schmooze' Button. WSJ, October 31, 2011.
Current State of Affairs| Innovation
How A Happy Meal = Better Security!
A case study in innovation.
5 Tech Trends | Enormous Implications
• BYOD
• DATA MAPS
• DIGITAL ASSETS
• SMIT
• SO SOCIAL!
• PORSCHE WRAPPER
• MORPH TO THE MAX
• BYOD without CYA creates BYOB
• The new 4 letter word is SMIT
• Who knew cybercriminals were so "socially minded"?
• Malware morphs beyond detection awareness
• Why the Cloud could be your "Father's Oldsmobile", and when will we get Big Data analytics?
Top Digital Assets?| Actions
• Security and Privacy Settings
• BYOD access…hmmm
• Cloud?
• Free Wi-Fi at Your Peril
• What protections do you have for the "POTUS and VP" assets?
Plan of Attack| 5 Step Plan
• Training
• Policies and Procedures
• Practicing Digital Doomsday
• Technology Tuning
• Security in the Supply Chain
80/20 Rule| 2 Steps = Biggest Impact
Chart:
• 58%: Best Practices & Improved Security Policies
• 20%: Informed, Aware & Engaged Employees
• 18%: Technology Improvements
• 4%: Gov't Regulation & Law Enforcement
Source: 2012 Bit9 Cyber Security Research Report
Back at the Office| Actions
Basics:
• Top Digital Assets – who are they?
• Training
• Policies and Procedures
• Patches
• Configurations
• Hardening
• Encryption of PHI emails
• Encryption of data
Back at the Office| Actions
• Timeout feature
• Password protect
4 TIPS TO REMEMBER
• Treat old devices and back up information like gold
• Never loan devices or WiFi
Back at the Office| Actions
Next Phase:
• Incident Management
• Disaster Recovery
• Digital Disaster
• Technology Tuning
• Supply Chain Review
Back at the Office| Actions
• Check the box! DANGER! Trap: focusing on regulatory compliance instead of comprehensive security.
• Looks good but is it safe? A lack of security features consistently built into elderly care and health care systems.
• 411 Breakdown: capability gap for sharing information on cybersecurity and other issues.
• No Measurements: lack of metrics for evaluating cybersecurity.
Next Steps | Let's Get to Work! 5 Things…
• Training – just say NO to CBT only
• Document IT AND End User policies and procedures
• Where will your team get stuck during the digital doomsday exercise?
• 90% of our clients last year had the core technology they needed but…
• You are the weakest link? No!
Next Steps | Practice Makes Perfect
Here's your next staff meeting agenda
Current State Assessment – spend dedicated time discussing:
• What security measures are in place? What do they protect?
• How vulnerable are you? How vulnerable are your clients?
• What client communication and response plans exist?
• Do you test incident management plans using plausible scenarios?
Options Analysis:
• What could be done within the next 90 days to improve security?
• How would your company respond to losing intellectual property, internal emails posted on a public website, or worse?
• How can each security layer be enhanced, at what cost and at what impact to productivity?
Next Steps | Practice Makes Perfect
Staff Meeting - Practice the Disaster
Name Your Worst Digital Nightmare: digital death, what happened?
Go around the room and ask the team to tell you the escalation plan and their list of actions.
• Do you know who to call?
• Do you know what to do?
• How do you stop the bad guys from taking more?
• Do you need outside help?
Time yourself…how long does it take before you create a plan of action?
Next Steps | Practice Makes Perfect
Supply Chain Security – 8 Vendor Checkpoints
• Information Security
• Identity Management
• Endpoint and Server Security
• Gateway and Network Security
• Web and Application Security
• Physical and Personnel Security
• Security Management
• Intellectual Property, Customer Information, and Financial Transaction Security
Next Steps | Practice Makes Perfect
Supply Chain Security – Vendor Must Answer:
• Chain of Custody
• Least Privilege Access
• Separation of Duties
• Tamper Resistance and Evidence
• Persistent Compliance Management
• Code Testing and Verification
• Trusted and Vetted Staff
Next Steps | Cloud in your future?
Draw up the Pre-Nup First!
• When you "break up", what are their sanitization policies so you get your data back and they don't have your digital footprints?
• Need a "Go to guide"? Try NIST: NIST Cloud Computing Reference Architecture, SP 500-292
Questions?
• tp@fortalicesolutions.com
• @FortaliceLLC
• Fortalice-LLC
• fortalicesolutions.blogspot.com