Information Technology Security - PowerPoint PPT Presentation

1 / 40
About This Presentation
Title:

Information Technology Security

Description:

Information Technology Security Presented by: Mike Russo, PMP , CISSP, CFE, CGEIT State Chief Information Security The Agency for Enterprise Information Technology – PowerPoint PPT presentation

Number of Views:1058
Avg rating:3.0/5.0
Slides: 41
Provided by: Cald5
Category:

less

Transcript and Presenter's Notes

Title: Information Technology Security


1
Information Technology Security
  • Presented by
  • Mike Russo, PMP, CISSP, CFE, CGEIT
  • State Chief Information Security
  • The Agency for Enterprise Information Technology
  • State of Florida

2
Overview
  • What is Information?
  • National Trends and Issues
  • Current Hacks and Security Issues
  • Floridas Response
  • Policies, Rules and Guidelines
  • Partnerships

3
What is Information?Identify Your Risk?
  • Paper
  • Project Plans, Memos, Manuals, Phone Lists,
  • Org Charts, Sensitive and Confidential Documents
  • Electronic Data
  • PCs, Laptops, Mainframes, Servers
  • Palm Pilots, Cell Phones, I Phones, MP3s
  • Diskette, CDs, Tape, Thumb Drives
  • Conversation
  • Discussions should be thoughtful, consider your
    location, surroundings and individuals in your
    midst

4
Social Engineering
Employees
Social Engineering
Surveillance to gain access
Lack of physical security
5
High Tech Vulnerabilities
Peer to Peer Sharing
Network Copy Machines Faxes
Cell Phones, I Phones MP3
Suring the web email
Wireless Router Wireless Network
Thumb drives, CD/DVD Disk
6
National Trends and Issues
  • Malware, worms, and Trojan horses These will
    continue to spread by email, instant messaging,
    malicious websites, and infected non-malicious
    websites. Some websites will automatically
    download the malware without the users knowledge
    or intervention. This is known as a drive-by
    download. Other methods will require the users
    to click on a link or button.
  • Botnets and zombies These threats will continue
    to proliferate as the attack techniques evolve
    and become available to a broader audience, with
    less technical knowledge required to launch
    successful attacks. Botnets designed to steal
    data are improving their encryption capabilities
    and thus becoming more difficult to detect.
  • Scareware fake/rogue security software There
    are millions of different versions of malware,
    with hundreds more being created and used every
    day. This type of scam can be particularly
    profitable for cyber criminals -- as many users
    believe the pop-up warnings telling them their
    system is infected and are lured into downloading
    and paying for the special software to protect
    their system.

7
National Trends and Issues
  • Attacks on client-side software - With users
    keeping their operating systems patched,
    client-side software vulnerabilities are now an
    increasingly popular means of attacking systems.
    Client-side software includes things like
    Internet browsers, media players, PDF readers,
    etc. This software will continue to have
    vulnerabilities and subsequently be targeted by
    various malwares.
  • Ransom attacks occur when a user or company is
    hit by malware that encrypts their hard drives or
    they are hit with a Distributed Denial of Service
    Attack (DDOS) attack. The cyber criminals then
    notify the user or company that if they pay a
    small fee, the DDOS attack will stop or the hard
    drive will be unencrypted. This type of attack
    has existed for a number of years and is now it
    is gaining in popularity.
  • Social Network Attacks Social network attacks
    will be one of the major sources of attacks in
    2010 because of the volume of users and the
    amount of personal information that is posted.
    Users inherent trust in their online friends is
    what makes these networks a prime target. For
    example, users may be prompted to follow a link
    on someone's page, which could bring users to a
    malicious website.

8
National Trends and Issues
  • Cloud Computing Cloud computing is a growing
    trend due to its considerable cost saving
    opportunities for organizations. Cloud computing
    refers to a type of computing that relies on
    sharing computing resources rather than
    maintaining and supporting local servers. The
    growing use of cloud computing will make it a
    prime target for attack.
  • Web Applications There continues to be a large
    number of websites and online applications
    developed with inadequate security controls.
    These security gaps can lead to the compromise of
    the site and potentially to the site's visitors.
  • Budget cuts will be a problem for security
    personnel and a boon to cyber criminals. With
    less money to update software, hire personnel and
    implement security controls enterprises will be
    trying to do more with less. By not having
    up-to-date software, appropriate security
    controls or enough personnel to secure and
    monitor the networks, organizations will be more
    vulnerable.

9
National Trends and Issues
  • Cybercrime costs American companies a median loss
    of 3.8 million a year, according to a study
    released by security firm ArcSight and the
    Ponemon Institute, a privacy research
    organization.
  • The study was based on interviews with data
    protection and IT practitioners from 45 U.S.
    organizations from various sectors, who shared
    details about the volume of threats they face
    every day. Over a four-week period, these
    companies experienced 50 successful attacks per
    week. That's more than one successful attack per
    organization per week.
  • Losses to cybercrime ranged from 1 million on
    the lower end to as much as 52 million, the
    report said.
  • Cybercriminals are increasingly focussing on
    money, a new report suggests, and improved
    organisation means that toolkits have been
    developed to methodically infect PCs so that
    illegally obtained information can be bought and
    sold.
  • In a survey by security firm AVG, 165 internet
    domains were found to have attacked 12 million
    visitors over the course of two months. More than
    1.2 million computers were subsequently
    infected.

10
Current Hacks and Security Issues
  • Infected USB drive blamed for 08 Military
    cyber breach 8.25.2010
  • Malware spread undetected to both classified
    and unclassified systems, essentially
    establishing a digital beachhead from which
    data could be transferred to servers outside the
    U.S
  • Cameron Diaz is the most dangerous celebrity in
    Cyberspace 8.19.2010 McAfee Most Dangerous
    Celebrities study found movie stars and models
    top the "most dangerous. Cybercriminals often
    use the names of popular celebrities to lure
    people to sites that are actually laden with
    malicious software.
  • A Threat Worse Than 9/11 8.12.2010
  • Warns the nations total dependence on our
    automated infrastructureelectric grid, air
    traffic control, manufacturing, and businessand
    our national defense networks are dangerously
    vulnerable to accelerated and insidious threats.
  • Heartland Payment Systems - 1.20.2009 Largest
    Breach to date
  • A credit card processor with clients in Florida,
    said a massive data breach exposed the personal
    information contained in more than 130 million
    credit and debit card transactions in 2008.
  • Security officials warn of worm spread via USB
    drives - 1.13.2009
  • A worm that took advantage of un-patched
    Microsoft Windows machines last week has sparked
    some security professionals to speculate
    cybercriminals may be preparing for a
    "large-scale attack.

11
Largest Incidents
  • 100,000,000 2009-01-20 Heartland Payment Systems
  • 17,000,000 2008-10-06 T-Mobile, Deutsche
    Telekom
  • National Information Services
  • 11,000,000 2008-09-06 GS Caltex
  • 12,500,000 2008-05-07 Archive Systems Inc, Bank
    of New York Mellon
  • 25,000,000 2007-11-20 HM Revenue and Customs,
    TNT
  • 8,500,000 2007-07-03 Certegy Check Services
    Inc, Fidelity
  • 8,637,405 2007-03-12 Dai Nippon Printing
    Company
  • 94,000,000 2007-01-17 TJX Companies Inc.
  • 26,500,000 2006-05-22 U.S. Department of
    Veterans Affairs
  • 40,000,000 2005-06-19 CardSystems, Visa,
    MasterCard, American Express
  • 145,000 2005-02-15 ChoicePoint
  • 30,000,000 2004-06-24 America Online
  • (http//datalossdb.org)

12
http//www.privacyrights.org/
13
YTD Incidents by sector
Outsider Incidents 52 Insider Incidents
25
September 2010 Data found at http//datalossdb.or
g
To date Over 510,544,441 Million Identities
Compromised
14
Reality Check
  • Survey 81 Percent of U.S. Firms Lost Laptops
    with Sensitive Data in the Past Year
    (Computerworld)
  • Security, like correctness, is not an add-on
    feature." (Andrew S. Tanenbaum)
  • "The user's going to pick dancing pigs over
    security every time. (Bruce Schneier)

15
Floridas Response Security Triad
  • 1998 Floridas Computer Crime Center
    established within FDLE
  • 1999 Technology Office created within DMS
  • 2001 Office of Information Security was created
  • 2002 Legislature established the Florida
    Infrastructure Protection Center (FIPC)
  • 2002 - State of Florida includes Cyber in
    Domestic Security Strategy
  • 2003 - Federal Government includes Cyber in
    Homeland Security Strategy
  • 2007 Legislature established the Agency for
    Enterprise Information Technology

16
The Florida Computer Crime Center
  • The Center has a statewide mission to
    investigate complex computer crimes, assist with
    regional investigations, train investigators,
    disseminate information to the public, and
    proactively work to identify computer criminals
    to prevent future crimes.

17
www.secureflorida.org
  • Secure Florida developed
  • www.secureflorida.org, a website that provides
    citizens and businesses with tools to harden
    their own computer networks and information.
  • Secureflorida.org is truly a one-stop shop for
    computer-related information, news, and security
    for every Floridians home or business.
  • Secureflorida.org is continually updated with the
    latest information on security breaches, viruses,
    worms, and e-mail scams.

18
(No Transcript)
19
Florida Infrastructure Protection Center (FIPC)
  • The FIPC has three components
  • Analysis and Warning Point
  • Computer Incident Response Team and (CIRT) and
    Computer Security Incident Response Teams
    (CSIRTS)
  • Secure Florida

20
(No Transcript)
21
Floridas Domestic Security Strategy Goals
  • Prevention, preempt and deter acts of terrorism
  • Prepare for terrorism response mission
  • Protect Floridas citizens, visitors and critical
    infrastructure
  • Respond in an immediate, effective, and
    coordinated manner, focused on the victims of an
    attack
  • Recover quickly and restore our way of life
    following a terrorist act

22
Office of Information Security
23
  • Templates Links to our partners via our website

http//aeit.myflorida.com
24
Office of Information Security
  • 2010 Information Security Strategic Focus Areas
  • Policies, Procedures and Rules
  • Training for Information Security
    Managers/Officers
  • Domestic Security Coordination and Outreach
  • Risk Assessments and Security Audits
  • Incident Response
  • Survivability Planning

25
Office of Information Security
  • Policy/Rule
  • Florida Law - F.S. 282.318
  • Information Security Policies
  • Information Security Guidelines
  • Security Rule

26
Office of Information Security
  • Risk Management/Audit
  • Baseline Audit
  • Risk Assessment NIST 800-30
  • HIPAA Security Rule/PCI Compliance
  • Security Tools
  • CSIRT Coordination
  • FISMA/FIPS/NIST

27
Enterprise Risk Management
  • 1999 SAIC IT Audit
  • 2002 Tru-Secure Assessment
  • 2005 Comprehensive Risk Assessment
  • 2008 Agency Managed Risk Assessment
  • Goal - Protect the organization and its ability
    to perform its mission. Focus is Mission, not IT
    assets. Therefore, the risk management is an
    essential management function of the
    organization.

28
Common Findings
  • Poor Security Awareness Training
  • Poor Access Control to Network and Information
  • Poor Patch Management
  • Poor Server Hardening
  • Absence of COOP/ITDRP
  • Absence of Event Log Management Monitoring
  • Poor Contractual Requirements
  • Poor Background Check Process
  • Risk Mitigation
  • Senior management and functional and business
    managers ensure that the most appropriate
    controls are implemented to enable required
    mission capability

29
Office of Information Security
  • Training/Consulting
  • CSIRT Training
  • Advanced Incident Training
  • CISSP Certification
  • Basic/Advanced Ethical Hacking
  • Cyber Defense Prevention and Response
  • Wireless LAN Design and Deployment
  • Cyber Security Webcast
  • CISA Certification
  • ISM Monthly Training
  • Cyber Academy

30
Office of Information Security
  • Domestic Security Coordination
  • Domestic Security Law Enforcement Terrorism
    Prevention Committee State CISO
  • Domestic Security Oversight Council
  • Executive Committee MS-ISAC Council
  • Cyber Center - Equipment
  • Risk Assessments All Agencies
  • Tools
  • Physical Security
  • Homeland Security Portal Florida ISAC

31
Security Guidelines
  • Information Security Policy Guidelines
  • 11 Core guides
  • Guidelines for Risk Management in Florida
  • CSIRT Agency Guidelines and Template
  • Information Technology Disaster Recovery Plan
    Guidelines and Checklist
  • Information Security Managers Handbook

32
Office of Information Security
  • Incident Response and Survivability
  • CSIRT Lead
  • ITDRP Minimum Standards
  • IT Disaster Recovery Template
  • IT Disaster Recovery Checklist
  • Based on Industry Standards
  • COOP
  • COG

33
Partnerships
  • Department of Homeland Security
  • Floridas Domestic Security Task Forces
  • CIO Council
  • FDLEs Computer Crimes Center
  • InfraGard
  • Multi-State ISAC
  • US-CERT
  • Florida ISAC
  • Private Industry
  • Small Businesses

34
(No Transcript)
35
(No Transcript)
36
http//www.fdle.state.fl.us/bsafe/
37
Local Government Guides
  • Internet Acceptable Use Policy Template
  • Erasing Information and Disposal of Electronic
    Media
  • Beginners Guide to Firewalls
  • Cyber Security Getting Started

38
Office of Information Security
  • Pamphlets

39
Floridas Future
  • Improvements in
  • Executive level Education
  • Training
  • Security Awareness
  • CSIRT development
  • Risk Assessments
  • Notification and Mitigation
  • Room to improve
  • Data Classification
  • Application and Website Security
  • Certification and Accreditation of data systems

40
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com