240 likes | 355 Views
IT Security/Online Loss Prevention. Bill Finnerty Assistant Director of Information Technology Cumberland County. What is your gender?. Female Male. What age group do you fall into?. 25 or less 26 to 35 36 to 45 46 to 55 56 or more. I am confident in my organization’s IT security.
E N D
IT Security/Online Loss Prevention Bill Finnerty Assistant Director of Information Technology Cumberland County
What is your gender? • Female • Male
What age group do you fall into? • 25 or less • 26 to 35 • 36 to 45 • 46 to 55 • 56 or more
I am confident in my organization’s IT security • Strongly Agree • Agree • Neutral • Disagree • Strongly Disagree
Do you have Cyber Liability Insurance? • Yes • No
Who is the average hacker? • Age – 16 to 19 • Gender – 90% male • Residence – 70% United States • Spend an average of 57 hours working on a computer a week • Knows c, c++, or perl
Who is the hacker? • Albert Gonzalez • Cody Reigle • Stephen Watt • Kevin Mitnick 1) 2) 3) 4)
How much would you be willing to pay for a security assessment? • Less than $10k • $10k to $30k • $30k to $50k • More than $50k
Online Fraud • 2009 • Over $560 million lost in online fraud • Zeus botnet is able to over write online bank reports to cover fraud trail • FBI investigates Citibank hack by Russian organized crime • 2010 • Zeus botnet adds licensing module and automatic notification via IM • 2011 • Zeus, SpyEye, Carberp, Gozi and Patcher • Most exploits sold in online black markets for $5000 or less
Cumberland County Redevelopment Authority Hack • September 22, 2009 • $479,000 lost • Attack mechanism • Clampi Virus • Replaced banking website with maintenance message • Used remote session to access the bank account • Used Electronic Fund Transfers to quickly move money
Hacktivism • Motivation – political • Groups • Anonymous • LulzSec • AntiSec • Tools • website defacement • distributed denial of service attacks • information theft
Breach of Personal Information Notification Act § 2303. Notification of breach An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person … notice shall be made without unreasonable delay
What can we learn from a 3,000 year old Irish fort about IT security? • Defense in depth • The key is to have enough warning and delays to be able to react
Physical Security • Physical access to computers and computer equipment is a
Perimeter Security • Firewall • Intrusion Prevention • Email gateway • Web proxy server
Internal Security • Anti-virus, Anti-malware, Anti-spam, etc • Desktop firewall • Host based instruction detection • Permissions
IT Security Policy • Cover what is needed for your environment • Email • Internet access • Social media • Hardware • Software • Anti-virus, Anti-malware, Anti-spam • Use plain English, these are not for the legal and IT departments
Does your organization regularly present IT security training? • Yes • No
Security Training • Know your learners • Vary the delivery methods • Presentations • Video • Blogs • Contests • Gotcha training
What type of bank(s) does your organization do business with? • Credit Unions • Regional • National
Coordinating with your Business Partners • Establish a relationship with your banks IT security staff • Service level agreements in contracts related to IT security
Resources • Budget • Man hours • Internal vs. External
Assessing IT Security Readiness • Industry standards • ISO 27001 and 27002 • NIST Special Publication 800-53A • PCI Security Standard • Independent external assessment • IT responsibilities • Business unit responsibilities • Remediation