Information Security Management presentation presented to students of MBA class at UAB

1. Information Security Management Joe Vest (CISSP, CISA, CEH) 4/08/2010

9. Real World Examples of Physical Security Failure Why Manage Information Security? Does your security work?

10. Real World Examples of Physical Security Failure Why Manage Information Security? Security should not be confusing

11. Real World Examples of Physical Security Failure Why Manage Information Security? This is just funny 

12. Real World Examples of Physical Security Failure Why Manage Information Security? Computers are everywhere

13. Real World Examples of Physical Security Failure Why Manage Information Security? Security should protect something

14. Real World Examples of Physical Security Failure Why Manage Information Security? Do it yourself boarding pass? Site taken down by Feds in 2006

15. Real World Examples of Physical Security Failure Why Manage Information Security?

16. Real World Examples of Physical Security Failure Why Manage Information Security?

17. Real World Examples of Physical Security Failure Why Manage Information Security?

18. What about these? XSS CSRF Remote Code Injection SQL Injection Man in the Middle Brute Force Password Attack Buffer Overflow Race Condition Clear Text Transmission of Sensitive Information ARP Poisoning Zero Day Attack Remote Code Execution DNS Cache Poisoning Phishing Why Manage Information Security?

31. Top Antivirus vendors miss 10-20% of new threats !!

33. Real World Security

35. Example Business Model of Organized Hackers

36. Credit Cards for sale

37. Money Mules

40. Heartland Payment Systems Hacked Heartland’s Data Breach: What Happened? II. The method used to compromise Heartland’s network was ultimately determined to be SQL injection. Code written eight years ago for a web form allowed access to Heartland’s corporate network. This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland’s systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network. Although the vulnerability existed for several years, SQL injection didn’t occur until late 2007. * Heartland Payment Systems:Lessons Learned from a Data Breach Julia S. Cheney

41. Heartland Payment Systems Hacked Heartland’s Data Breach: Aftermath Albert Gonzalez, sentenced to 20 years for $200 Million Theft Gonzalez pleaded guilty in September to multiple federal charges of conspiracy, computer fraud, access device fraud and identity theft for hacking into TJX, which owns T.J. Maxx, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. He was facing up to 25 years in prison for these charges. Gonzalez also pleaded guilty last year in two other pending hacking cases for which he is scheduled to be sentenced on Friday. He faces up to 20 years in prison for his role in hacking into the network of Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations. As part of a third pending case, Gonzalez faces between 17 and 25 years in prison for hacking into the payment card networks of Heartland, 7-Eleven and Hannaford Bros. supermarket chain to steal more than 130 million credit and debit card numbers. In a plea deal, his sentences will run concurrently to each other. SCMagazine (http://www.scmagazineus.com/hacker-albert-gonzalez-receives-20-years-in-prison/article/166571/)

52. Real examples of spam

53. Questions? Joe Vest, (CISSP, CISA, CEH) [email_address]