CCAPPresentationInfoSec6-3-2010.ppt…


Bill Finnerty
Assistant Director of Information Technology
Cumberland County
IT Security/Online Loss
What is your gender?
•   Female
•   Male
What age group do you fall into?
•   25 or less
•   26 to 35
•   36 to 45
•   46 to 55
•   56 or more
What job classification best fits you?
•   Elected Office
•   Human Resources
•   County Administration
•   Finance
•   Criminal Justice
•   Human Resources
•   IT
•   Other
I am attending this session because
•   I am a geek at heart
•   I am scared out of my mind
•   There was nothing else that interested me in this time slot
•   I heard there would be free food
I am confident in my organization’s IT security
•   Strongly Agree
•   Agree
•   Neutral
•   Disagree
•   Strongly Disagree
Who is the average hacker?
•   Age – 16 to 19
•   Gender – 90% male
•   Residence – 70% United States
•   Spends an average of 57 hours a week working on a computer
•   Knows C, C++, or Perl
Who is the hacker?
•   Albert Gonzalez
•   Cody Reigle
•   Stephen Watt
•   Kevin Mitnick

[Slide shows four numbered photographs, 1) to 4)]
How much would you be willing to pay for a security assessment?

•   Less than $10k
•   $10k to $30k
•   $30k to $50k
•   More than $50k
Online Fraud
•   2009
    •   Over $560 million lost in online fraud
    •   Zeus botnet is able to overwrite online bank reports to cover the fraud trail
    •   FBI investigates Citibank hack by Russian organized
•   2010
    •   Zeus botnet adds licensing module and automatic notification via IM
•   Most exploits sold in online black markets for $5,000 or less
Cumberland County Redevelopment Authority Hack
•   September 22, 2009
•   $479,000 lost
•   Attack mechanism
    •   Clampi virus
    •   Replaced banking website with a maintenance message
    •   Used a remote session to access the bank account
    •   Used Electronic Fund Transfers to quickly move
Breach of Personal Information Notification Act
§ 2303. Notification of breach

An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person … notice shall be made without unreasonable delay
What can we learn from a 3,000 year old Irish fort about IT security?
•   Defense in depth
•   The key is to have enough warning and delays to be able to react
Perimeter Security
•   Firewall
•   Intrusion prevention
•   Email gateway
•   Web proxy server
Internal Security
•   Anti-virus, anti-malware, anti-spam, etc.
•   Desktop firewall
•   Host-based intrusion detection
•   Permissions
IT Security Policy
•   Cover what is needed for your environment
    •   Email
    •   Internet access
    •   Social media
    •   Hardware
    •   Software
    •   Anti-virus, anti-malware, anti-spam
•   Use plain English; these are written for staff, not for the legal and IT departments
Does your organization regularly present IT security training?
•   Yes
•   No
Security Training
•   Know your learners
•   Vary the delivery methods
    •   Presentations
    •   Video
    •   Blogs
    •   Contests
•   Gotcha training
What type of bank(s) does your organization do business with?
•   Credit unions
•   Regional
•   National
Coordinating with your Business
•   Establish a relationship with your bank's IT security staff
•   Service level agreements in contracts related to IT security
•   Budget
•   Man hours
•   Internal vs. external
Assessing IT Security Readiness
•   Industry standards
    •   ISO 27001 and 27002
    •   NIST Special Publication 800-53A
    •   PCI Security Standard
•   Independent external assessment
    •   IT responsibilities
    •   Business unit responsibilities
•   Remediation
