High level overview of what you need to do to ensure you are building a dynamic and robust Information Security Program to protect your company's key assets.

1. PRIMER FOR INFOSEC PROGRAMS
Richard Greenberg, CISSP
ISSA Fellow
President, ISSA Los Angeles, www.issa-la.org
President, OWASP Los Angeles, www.owaspla.org
LinkedIn: http://www.linkedin.com/in/richardagreenberg

2. CURRENT STATE OF AFFAIRS
 Breaches are Occurring Everywhere in Every Industry
 Phishing Attacks are Multiplying and are Now the
Preferred Method of Infiltration
 Ransomware is growing as a targeted attack
 It is Difficult to Secure Application Development
Environments
 Breaches Are Not Discovered for 6-9 Months
• Often Discovered by External Source

3. RECENT BREACHES
 Anthem: 78.8 million records
 Target: 42 million people’s credit or debit information stolen;
banks file class-action lawsuit against Target
 Home Depot: estimated 56 million credit and debit card
numbers
 JPMorgan: 76 million households and 7 million small
businesses
 Carbanak: $1 billion stolen from more than 100 banks in 30
countries
 AdultFriendFinder.com 3.9 million users' personal details and
sexual preferences

4. DATA BREACH COSTS
 Average Cost of a Data Breach in US Averages
$6.5 million, highest in the world
 One estimate of the cost to Home Depot is $10
billion by 2020
 Cost in Health Care Organizations Could be as
much as $363 Per Record

5. THE TIMES THEY ARE A CHANGIN’
 Every Business is Now a Target
 Every Medical Device Could be a Target
 Every Car Could be a Target
 Every Refrigerator Could be a Target
 Every Drone Could be an Attacker

6. AWARENESS OF SECURITY SEEMS TO BE
EVERYWHERE!
 Boardrooms Now Have Security on their Agendas
80% of the Time
 Breaches are a Weekly News Item on Mainstream
Media
 Cousins Call Us for Advice or to Ask What We Think
of the Latest Attack
 Congress is Talking About Security

7. WHAT THE $%#%^%&*?
 Old Vulnerabilities Are Still Everywhere
• SQL Injection (in the OWASP Top 10 in 2007 and still there!)
• 44%of known breaches in 2014 came from vulnerabilities
that were between two and four years old1
 Patching is Still Problematic
 Change Management is not Happening
 Configuration Management is Not Happening
 Our Mission Critical Information is Not Encrypted
1 HP 2015 Cyber Risk Report

8. OUR WORKFORCE HAS GONE
PHISHING!
 Click That Link!
 Open That Attachment!
 Open That Email From the Unknown Sender
 Respond to that “Too Good to be True” Email
Scam!
 Forward that Funny Attachment to Everyone!
 We Love Port 80!!

9. WHAT’S A GOOD SECURITY LEADER TO
DO?!
 Go on Tour
• Security Awareness Training for Everyone
• Address Your Companies Vulnerability Trends
• Gamify Your Training
• Provide Incentives and Prizes
• Please, No Death by PowerPoint
 Speak at Division Meetings
 Speak at General Staff Meetings

10. MEET WITH KEY PLAYERS
Lunch with all Executives
Meet Regularly With:
• CTO or Head of System Admins
• Division Heads
• Legal
• Risk Compliance
Learn to Talk “Businessese”

11. CREATE AND ENFORCE POLICIES,
STANDARDS, AND PROCEDURES
 Ensure Standard Image is Created
• Is Regularly Updated
• Is Regularly Tested
• Deployed Everywhere-Especially on Admin
Systems
 No one Should Be Regularly Logged in with Admin
Privileges
 Have a Plan and Procedures for Securing Portable
Devices and BYOD

12. BAKE SECURITY INTO THE SDLC
 Embrace and Befriend the Head of Application
Development
 Utilize Static/Dynamic Web App Vulnerability
Scanners
 Have All Staff in AppDev Take Secure Coding
Training
 All Project Proposals Must be Reviewed by InfoSec
 Work with the PMO

13. SECURE YOUR PHYSICAL
ENVIRONMENT
 Does Your Facilities Head Purchase Physical Security
Solutions Without InfoSec Involvement or
Knowledge?
 Are Your Physical Security Access Cards Waaay too
Easy to Hack? Most Are!
 Do You Know Who Has Access to Your Data Center?
Are You Sure?
 Can People Leave Your Buildings Carrying Anything
They Want?

14. MONITOR SYSTEMS REGULARLY
 Are You Able to Detect Anomalies on Your
Networks?
 Do You Know if You Have Been Compromised?
Probably Not!
 Would You be able to Detect Strange Outbound
Traffic to, Let’s Say, China or North Korea?
 Monitor Unusual Changes in User Behavior
 Do You Know if 50 Users All Had Their Accounts
Locked After Unsuccessful Login Attempts?

15. CREATE AND REVIEW REPORTS
 Create Remediation Plans After Reviewing Network
Vulnerability Scans
 Compare Reports From Various Tools: Patch
Management, Vulnerability Scanning, Anti-Malware
 Follow-up on Remediation Efforts
 Rescan and Review Reports
 Look for Patterns in Incidents in Your HelpDesk
Database

16. ENFORCE ACCESS MANAGEMENT
STANDARDS
 Work With HR to Establish Provisioning/
Deprovisioning Procedures
 Enforce Process to Approve and Grant Access to
Systems
 Enforce Deprovisioning Procedures
 Periodically Audit Systems Access
 Two Factors Required for all Admin Access to Mission
Critical Systems

17. NETWORK AND COLLABORATE
 Attend Networking Events
 Make New Contacts
 Share War Stories and Solutions
 Join ISSA, OWASP, ISACA, CSA, HTCIA, etc.
 Form New Groups
 Look for Meetups
 Leave Here Today With at Least 5 New Contacts;
Follow-up with them

18. KEEP LEARNING
Webcasts
Classes
Podcasts
Books
LinkedIn and Twitter Links
Blogs
Networking Events and Conferences

19. HELP PREPARE THE NEXT GENERATION
OF SECURITY LEADERS
Hire Students
Train and Mentor Your Staff
Speak at Schools
Support Cyber Competitions
Help Schools With their Curriculum
Teach Security at Schools

20. THANK YOU!
Stay Safe
Stay Hungry for Knowledge
Believe in Yourself
Live Long and Prosper!