Protecting Financial Information
Managing Risk or Reacting to Compliance
Evan Francen, CISSP CISM
FRSecure President
March 27th, 2014
Topics
Introduction
Evan Francen
FRSecure
Compliance – Reactive
Risk – Proactive
Real World Examples & Guidance
Social Engineering
Introduction
Evan Francen
Aka “The Truth”
Introduction
Evan Francen
Security Guy
Introduction
Evan Francen
Weird - Different
Introduction
Evan Francen
For real…
• 20+ years of information security experience
• Co-founded FRSecure in 2008
• Worked with organizations of all sizes, including Wells Fargo, US Bank, UnitedHealth, ADP, St. Jude, etc.
• Risk Management, Security Program Development, Social Engineering, Mentoring, and the projects nobody else wants to do.
Introduction
FRSecure
• Information Security Management company. It’s all we do.
• Methodology – Develop, use, and share methodologies for a variety of information security projects.
• Project Leaders – All of our project leaders have more than 15 years of information security experience, from Fortune 100 to SMBs.
• Fully Transparent – Empowers our clients to do what we do.
• Product Agnostic – Recommendations stand on their own, with no ulterior motive.
Compliance
What is compliance?
Compliance
What is compliance?
• Is there any such thing as “GLBA Compliant” or “HIPAA Compliant”?
If so, who certifies such things?
• Isn’t “compliance” just doing what the last auditor told you to do?
Is what the last auditor told you to do the right thing for you to do?
Compliance
Are compliance and security the same thing?
• Many people believe so.
• The right answer is NO.
Information security is the use of Administrative, Physical and Technical controls to protect the Confidentiality, Integrity, and Availability of data.
Risk
Are we ever “secure”?
• It depends. Right?
No matter what we do with protection, there will always be a risk associated with unauthorized disclosure, alteration, or destruction of data.
• “Secure” is a relative term.
• Effectively managing security comes down to managing risk.
Risk
Some risks are acceptable and others are not.
• What is risk?
• Risk is not intuitive. (more on this later)
• Risk = the likelihood of something bad happening + the impact if the bad thing happened.
• Risk decisions are management decisions.
Risk
Risk Decisions
• Risk Acceptance
• Risk Avoidance
• Risk Mitigation
• Risk Ignorance
Risk
Risk is Not (always) Intuitive
• Who is at higher risk of an earthquake, San Francisco or Boston?
Turns out that the risk is essentially the same.
In general:
• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can't control.
• People overestimate risks that are being talked about and remain an object of public scrutiny.
Compliance & Risk
Compliance is based on doing what you’re told.
Risk is based on likelihood and impact.
Compliance is reactive.
Managing risk is proactive.
Compliance is more costly.
Managing risk allows cost/benefit analysis.
Compliance is the letter of the law.
Managing risk is the intent of the law.
Real Life Examples
Large Healthcare Organization
Audit conducted in 2012
Told they needed SIEM and DLP
Spent $600,000 on new technology
Compliant!
Greatest (technical) risk was use of unencrypted mobile devices
Cost to mitigate $600,000
Products are not configured or fully utilized
Breach occurs in 2013 – Stolen laptop
Over $3,000,000 in costs
Over $3,600,000 spent. Greatest risk still exists
Real Life Examples
Target
Audited regularly & constantly
Spend millions on compliance
Spend millions on technology
Compliant!
Were any of these a significant risk?
• Vendor risk management
• Information security reporting structure
• Alerting & monitoring processes
• SOC processes and training
• Incident response processes
Millions of dollars spent. Greatest risk? Last quarter profit down 46%.
Estimated costs to exceed $1,000,000,000.
Social Engineering
Social Engineering is the exploitation of the human factor in security: tricking a person into giving you information that benefits you but brings them harm.
Social Engineering is by far the most effective method of gaining unauthorized access to information. We know this, and so do the bad guys.
Social Engineering
Did You Know:
There were more than 74,000 unique phishing campaigns discovered during Q2/2013, leveraging over 110,000 hijacked domains and targeting more than 1,100 brands.
Email Attacks (Phishing)
• Tricking you into going to a website that looks legitimate, and convincing you to log in (or disclose other information).
• Has a 60 – 70% success rate.
• How to Avoid Phishing Scams - http://apwg.org/resources/overview/avoid-phishing-scams
Social Engineering
Did You Know:
A recent study shows that 30 percent of Americans will open emails, even when they know the message is malicious.
Email Attacks (Malicious Attachments)
• Tricking you into opening (or downloading/opening) a file that appears to be legitimate, but is in fact malicious.
• Has a 30 – 40% success rate.
• Don’t have blind trust in your anti-virus software. If you aren’t expecting an attachment, don’t open it. If you’re not sure, call the person who sent it to you and ask.
Social Engineering
Did You Know:
Most social engineering attacks go unreported by the victim.
Telephone Attacks
• Tricking you into divulging sensitive information over the phone.
• People like helping other people, something that an attacker can exploit to receive sensitive information.
• Success rate varies greatly.
• If you receive a social engineering phone call, ask them for their name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold.
Social Engineering
Did You Know:
Physical social engineering attacks can result in physical damage to the facility and safety dangers.
Physical Attacks
• Tricking you into giving physical access to a restricted area.
• Physical social engineering attacks require a bold attacker with a very focused agenda.
• Success rate varies greatly.
• If you can help it, don’t hold the door for others; especially those who you don’t recognize. It’s OK to ask someone you don’t know if you can help them or ask for identification.
Social Engineering
Want a story? Pick One:
• Physical access to Fortune 100 company headquarters.
• Password disclosure almost cost someone their retirement.
• Police help me carry out an attack.
• I don’t really work for NSP.
• 60% of bank’s employees give us their domain usernames and passwords.
Thank you!
Questions?
Evan Francen, CISSP CISM
President – FRSecure
evan@frsecure.com
952-467-6384

Book_ A Project based approach CHAPTER 1 summary.pptxssuser8fd809
 
Best VIP Call Girls Noida Sector 24 Call Me: 8700611579
Best VIP Call Girls Noida Sector 24 Call Me: 8700611579Best VIP Call Girls Noida Sector 24 Call Me: 8700611579
Best VIP Call Girls Noida Sector 24 Call Me: 8700611579diyaspanoida
 
Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848Ifra Zohaib
 
Bhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort serviceBhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort servicemaheshsingh64440
 
CALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
CALL GIRLS 9999288940 women seeking men Locanto No Advance North GoaCALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
CALL GIRLS 9999288940 women seeking men Locanto No Advance North Goadelhincr993
 

Dernier (20)

Guwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book now
Guwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book nowGuwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book now
Guwahati ❣️ Call Girl 97487*63073 Call Girls in Guwahati Escort service book now
 
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
Indore  ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book nowIndore  ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
Indore ❣️Call Girl 97487*63073 Call Girls in Indore Escort service book now
 
Call Girls in B-18 Islamabad || 🔝 03274100048
Call Girls in B-18 Islamabad || 🔝 03274100048Call Girls in B-18 Islamabad || 🔝 03274100048
Call Girls in B-18 Islamabad || 🔝 03274100048
 
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book nowKolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
Kolkata 💋 Call Girl 9748763073 Call Girls in Kolkata Escort service book now
 
BADDI CALL GIRL 92628/71154 BADDI CALL G
BADDI CALL GIRL 92628/71154 BADDI CALL GBADDI CALL GIRL 92628/71154 BADDI CALL G
BADDI CALL GIRL 92628/71154 BADDI CALL G
 
9891550660 Call Girls In Noida Sector 62 Short 1500 Night 6000
9891550660 Call Girls In Noida Sector 62 Short 1500 Night 60009891550660 Call Girls In Noida Sector 62 Short 1500 Night 6000
9891550660 Call Girls In Noida Sector 62 Short 1500 Night 6000
 
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
Call Girls In Lahore || 03274100048 ||Lahore Call Girl Available 24/7
 
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
Call Girl Rohini ❤️7065000506 Pooja@ Rohini Call Girls Near Me ❤️♀️@ Sexy Cal...
 
Indore Call girl service 6289102337 indore escort service
Indore Call girl service 6289102337 indore escort serviceIndore Call girl service 6289102337 indore escort service
Indore Call girl service 6289102337 indore escort service
 
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
Call Now ☎9870417354|| Call Girls in Noida Sector 18 Escort Service Noida N.C.R.
 
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
Low Rate Russian Call Girls In Lajpat Nagar ➡️ 7836950116 Call Girls Service ...
 
VAPI CALL GIRL 92628/71154 VAPI CALL GIR
VAPI CALL GIRL 92628/71154 VAPI CALL GIRVAPI CALL GIRL 92628/71154 VAPI CALL GIR
VAPI CALL GIRL 92628/71154 VAPI CALL GIR
 
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️  Call Girl 97487*63073 Call Girls in Lucknow Escort service book nowLucknow ❣️  Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
 
Varanasi Call Girl 78709*93772 Call Girls in Varanasi Escort service book now
Varanasi  Call Girl 78709*93772 Call Girls in Varanasi Escort service book nowVaranasi  Call Girl 78709*93772 Call Girls in Varanasi Escort service book now
Varanasi Call Girl 78709*93772 Call Girls in Varanasi Escort service book now
 
MYSORE CALL GIRLS ESCORT SER 92628/71154
MYSORE CALL GIRLS ESCORT SER 92628/71154MYSORE CALL GIRLS ESCORT SER 92628/71154
MYSORE CALL GIRLS ESCORT SER 92628/71154
 
Book_ A Project based approach CHAPTER 1 summary.pptx
Book_ A Project based approach CHAPTER 1 summary.pptxBook_ A Project based approach CHAPTER 1 summary.pptx
Book_ A Project based approach CHAPTER 1 summary.pptx
 
Best VIP Call Girls Noida Sector 24 Call Me: 8700611579
Best VIP Call Girls Noida Sector 24 Call Me: 8700611579Best VIP Call Girls Noida Sector 24 Call Me: 8700611579
Best VIP Call Girls Noida Sector 24 Call Me: 8700611579
 
Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848Call Girls in Rawalpindi | 🍆💦 03280288848
Call Girls in Rawalpindi | 🍆💦 03280288848
 
Bhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort serviceBhopal Call girl service 6289102337 bhopal escort service
Bhopal Call girl service 6289102337 bhopal escort service
 
CALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
CALL GIRLS 9999288940 women seeking men Locanto No Advance North GoaCALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
CALL GIRLS 9999288940 women seeking men Locanto No Advance North Goa
 

Managing Risk or Reacting to Compliance

  • 1. Protecting Financial Information – Managing Risk or Reacting to Compliance
    Evan Francen, CISSP CISM
    FRSecure President
    March 27th, 2014
  • 2. Topics
    Introduction: Evan Francen, FRSecure
    Compliance – Reactive
    Risk – Proactive
    Real World Examples & Guidance
    Social Engineering
  • 3. Introduction – Evan Francen, aka “The Truth”
  • 4. Introduction – Evan Francen: Security Guy
  • 5. Introduction – Evan Francen: Weird - Different
  • 6. Introduction – Evan Francen, for real…
    • 20+ years of information security experience
    • Co-founded FRSecure in 2008
    • Worked with organizations of all sizes, including Wells Fargo, US Bank, UnitedHealth, ADP, St. Jude, etc.
    • Risk Management, Security Program Development, Social Engineering, Mentoring, and the projects nobody else wants to do.
  • 7. Introduction – FRSecure
    • Information Security Management company. It’s all we do.
    • Methodology – Develop, use, and share methodologies for a variety of information security projects.
    • Project Leaders – All of our project leaders have more than 15 years of information security experience, from Fortune 100 to SMBs.
    • Fully Transparent – Empowers our clients to do what we do.
    • Product Agnostic – Recommendations stand on their own, with no ulterior motive.
  • 8. Compliance – What is compliance?
  • 9. Compliance – What is compliance?
    • Is there any such thing as “GLBA Compliant” or “HIPAA Compliant”? If so, who certifies such things?
    • Is not “compliance” just doing what the last auditor told you to do? Is what the last auditor told you to do the right thing for you to do?
  • 10. Compliance – Are compliance and security the same thing?
    • Many people believe so.
    • The right answer is NO.
    Information security is the use of Administrative, Physical and Technical controls to protect the Confidentiality, Integrity, and Availability of data.
  • 11. Risk – Are we ever “secure”?
    • It depends. Right? No matter what we do with protection, there will always be a risk associated with unauthorized disclosure, alteration, or destruction of data.
    • “Secure” is a relative term.
    • Effectively managing security comes down to managing risk.
  • 12. Risk – Some risks are acceptable and others are not.
    • What is risk?
    • Risk is not intuitive. (more on this later)
    • Risk = the likelihood of something bad happening + the impact if the bad thing happened.
    • Risk decisions are management decisions.
  • 13. Risk – Risk Decisions
    • Risk Acceptance
    • Risk Avoidance
    • Risk Mitigation
    • Risk Ignorance
  • 14. Risk – Risk is Not (always) Intuitive
    • Who is at higher risk of an earthquake, San Francisco or Boston? Turns out that the risk is essentially the same.
    In general:
    • People exaggerate spectacular but rare risks and downplay common risks.
    • People have trouble estimating risks for anything not exactly like their normal situation.
    • Personified risks are perceived to be greater than anonymous risks.
    • People underestimate risks they willingly take and overestimate risks in situations they can't control.
    • People overestimate risks that are being talked about and remain an object of public scrutiny.
  • 15. Compliance & Risk
    Compliance is based on doing what you’re told. Risk is based on likelihood and impact.
    Compliance is reactive. Managing risk is proactive.
    Compliance is more costly. Managing risk allows cost/benefit analysis.
    Compliance is the letter of the law. Managing risk is the intent of the law.
  • 16. Real Life Examples – Large Healthcare Organization
    Audit conducted in 2012. Told they needed SIEM and DLP. Spent $600,000 on new technology. Compliant!
    Greatest (technical) risk was use of unencrypted mobile devices. Cost to mitigate: $600,000.
    Products are not configured or fully utilized.
    Breach occurs in 2013 – Stolen laptop. Over $3,000,000 in costs.
    Over $3,600,000 spent. Greatest risk still exists.
  • 17. Real Life Examples – Target
    Audited regularly & constantly. Spend millions on compliance. Spend millions on technology. Compliant!
    Were any of these a significant risk?
    • Vendor risk management
    • Information security reporting structure
    • Alerting & monitoring processes
    • SOC processes and training
    • Incident response processes
    Millions of dollars spent. Greatest risk?
    Last quarter profit down 46%. Estimated costs to exceed $1,000,000,000.
  • 18. Social Engineering
    Social Engineering is exploitation of the human factor in security; tricking a person into giving you information that could benefit you, but bring them harm.
    Social Engineering is by far the most effective method of gaining unauthorized access to information. We know this, and so do the bad guys.
  • 19. Social Engineering
    Did You Know: There were more than 74,000 unique phishing campaigns discovered during Q2/2013, leveraging over 110,000 hijacked domains and targeting more than 1,100 brands.
    Email Attacks (Phishing)
    • Tricking you into going to a website that looks legitimate, and convincing you to log in (or disclose other information).
    • Has a 60 – 70% success rate.
    • How to Avoid Phishing Scams - http://apwg.org/resources/overview/avoid-phishing-scams
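Slide 19 describes phishing as luring the reader to a site that only looks legitimate. One mechanical check a mail gateway or awareness tool can run is to compare where a link says it goes with where it actually goes. The following is an added example written for this page, not a tool from the talk or from FRSecure: the e-mail body is constructed, `examplebank.com` is a placeholder brand domain, and the "registrable domain" helper is a deliberate simplification (it takes the last two labels and ignores multi-part public suffixes such as `co.uk`).

```python
"""Flag links in an HTML e-mail whose visible text or host does not match where they go.

Added example; the sample e-mail and the trusted domain are constructed.
Heuristics checked per <a> element:
  1. visible text looks like a URL/domain but points to a different registrable domain
  2. punycode (xn--) labels, the usual sign of an internationalised look-alike host
  3. a trusted brand name embedded in a host that is not the brand's own domain
  4. a bare IP address as the host
"""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; a bare 'www.x.com' is treated as http://www.x.com."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (simplification, ignores suffixes like co.uk)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html: str, trusted_domains: set[str]) -> list[dict]:
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        # 1. text shown to the reader is itself a URL/domain, but the href goes elsewhere
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and registrable(shown) != registrable(target):
                reasons.append(f"text shows {shown} but link goes to {target}")
        # 2. internationalised host (possible homograph of a known brand)
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("internationalised (punycode) host")
        # 3. brand name used inside a host the brand does not own
        for brand in trusted_domains:
            name = brand.split(".")[0]
            if name in target and registrable(target) != brand:
                reasons.append(f"'{name}' appears in untrusted host {target}")
        # 4. raw IP address instead of a name
        if target and target.replace(".", "").isdigit():
            reasons.append("link to bare IP address")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one look-alike host, one bare-IP link, one legitimate link.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank.com.login-verify.example">https://www.examplebank.com/login</a>
<p>Or <a href="http://203.0.113.10/secure">click here</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">Help center</a></p>
"""
TRUSTED_DOMAINS = {"examplebank.com"}  # placeholder brand domain, assumed

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run against the constructed message, the first link is reported twice over (the visible text names the bank's real domain while the href lands on `login-verify.example`, and the bank's name is embedded in a host the bank does not own), the bare-IP link is reported once, and the genuine help-center link is silent. None of these checks replaces the advice on the slide to go to the site by a known route rather than through the mail; they are a filter that catches the cruder campaigns before a person has to decide.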
  • 20. Social Engineering
    Did You Know: A recent study shows that 30 percent of Americans will open emails, even when they know the message is malicious.
    Email Attacks (Malicious Attachments)
    • Tricking you into opening (or downloading/opening) a file that appears to be legitimate, but is in fact malicious.
    • Has a 30 – 40% success rate.
    • Don’t have blind trust in your anti-virus software. If you aren’t expecting an attachment, don’t open it. If you’re not sure, call the person who sent it to you and ask.
  • 21. Social Engineering
    Did You Know: Most social engineering attacks go unreported by the victim.
    Telephone Attacks
    • Tricking you into divulging sensitive information over the phone.
    • People like helping other people, something that an attacker can exploit to receive sensitive information.
    • Success rate varies greatly.
    • If you receive a social engineering phone call, ask them for their name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold.
  • 22. Social Engineering
    Did You Know: Physical social engineering attacks can result in physical damage to the facility and safety dangers.
    Physical Attacks
    • Tricking you into giving physical access to a restricted area.
    • Physical social engineering attacks require a bold attacker with a very focused agenda.
    • Success rate varies greatly.
    • If you can help it, don’t hold the door for others, especially those who you don’t recognize. It’s OK to ask someone you don’t know if you can help them, or to ask for identification.
  • 23. Social Engineering – Want a story? Pick One:
    • Physical access to Fortune 100 company headquarters.
    • Password disclosure almost cost someone their retirement.
    • Police help me carry out an attack.
    • I don’t really work for NSP.
    • 60% of bank’s employees give us their domain usernames and passwords.
  • 24. Thank you! Questions?
    Evan Francen, CISSP CISM
    President – FRSecure
    evan@frsecure.com
    952-467-6384