People are the greatest risk to your information security. This presentation was delivered by FRSecure's President Evan Francen at the CTS Security Seminar on January 9th, 2013. In the presentation Evan gave the audience real-world advice and examples on the following topics:
- FRSecure’s Ten Information Commandments (Truths)
- Truth #4 – People are the biggest risk
- Why defeat the firewall; we’ll just go around it.
- Real Life Stories
- Solutions
- Do this now
- Need Help? – Contact Us!
The presentation was very well received, resulting in high marks in evaluations and new customers for FRSecure.
The Truth - FRSecure's Truth #4
1. The Truth
FRSecure’s Truth #4 – People are the biggest risk
CTS Security Seminar – January 9, 2013
Presented by Evan Francen, President – FRSecure, LLC
http://www.frsecure.com | 952-467-6384
3. Introduction
Thank you for attending!
Thank you to CTS for inviting us!
4. Introduction
Before we get started:
• This is not your typical presentation.
• What you have to say is as important as what I am going to tell you.
• You are encouraged to participate!
I will ask you questions, if you don’t ask me some!
5. Introduction
FRSecure
• Information security consulting company – it’s all we do.
• Established in 2008 by people who have earned their stripes in the field.
• We help small to medium sized organizations solve information security challenges.
We get paid to tell people the truth.
6. Introduction
Speaker – Evan Francen, CISSP CISM CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
7. Introduction
Topics
• FRSecure’s Ten Information Commandments (Truths)
• Truth #4 – People are the biggest risk
• Why defeat the firewall; we’ll just go around it.
• Real Life Stories
• Solutions
• Do this now
• Need Help? – Contact Us!
8. FRSecure Information Security 10 Commandments
#1 – A business is in business to make money.
Information security must align with business objectives.
#2 – Information security is a business issue.
Information security is NOT an IT issue.
#3 – Information security is fun.
Seriously. It is. Stop laughing!
#4 – People are the biggest risk.
Not technology.
#5 – “Compliant” and “secure” are different.
We shouldn’t confuse the two.
9. FRSecure Information Security 10 Commandments
#6 – There is no common sense in information security.
If there were, we would have much better information security.
#7 – “Secure” is relative.
One of many reasons for measurements and comparisons.
#8 – Information security should drive business.
Identify and focus on information security benefits. It shouldn’t just be a cost-center.
#9 – Information security is not one size fits all.
No two organizations are alike.
#10 – There is no “easy button”.
So stop looking for one.
10. Truth #4 – People are your biggest risk
11. Truth #4 – People are your biggest risk
Truths about the truth…
It’s easier to go through your secretary than it is to go through your firewall.
People don’t read your policies.
Social engineering success rates are more than 8x better than technology penetration success rates.
12. Why defeat the firewall; we’ll just go around it
1. Call someone and ask them for their password.
2. Email something interesting.
3. Show up as someone who looks legit.
4. Ask related questions, and infer the rest.
5. People like flash drives.
13. Real Life Stories
Physical access to Fortune 100 company headquarters.
Password disclosure almost cost someone their retirement.
Police help me carry out an attack.
I don’t really work for NSP.
15. Solutions
Training
Don’t worry, you’re probably not overspending on training.
Awareness
Stay top of mind. Be creative. People can tune you out quickly.
Policy
Reference materials, not books.
Culture
Create an information security culture.
16. Do this now
Ask yourself these questions:
• What is my organization’s information security culture? (management sets culture)
• How would I know if someone has been compromised, and what would I do about it?
• If I were a “John or Jane Doe” employee, do I know what I need to know in order to protect the organization?
Ask your employees what they think about information security.
If the answer is something other than what you want it to be, then your culture is not what you want it to be.
17. How we help – Risk Assessments
18. How we help – Management (Build & Manage)
19. Need Help? Contact FRSecure!
Some of our services:
• Information Security Assessments
• Compliance Assessments (i.e. HIPAA, GLBA, etc.)
• Customer Required Assessments
• Internal Network Vulnerability Assessments
• External Network Security Assessments
• Penetration Testing and Social Engineering
• Information Security Program Development
• Security Policies
• Training & Awareness
• BC/DR Plans
• Outsourced Security Resources
Evan Francen, CISSP CISM
President
evan@frsecure.com
952-467-6384 (direct)
www.frsecure.com