High level overview of what you need to do to ensure you are building a dynamic and robust Information Security Program to protect your company's key assets.
1. PRIMER FOR INFOSEC PROGRAMS
Richard Greenberg, CISSP
ISSA Fellow
President, ISSA Los Angeles, www.issa-la.org
President, OWASP Los Angeles, www.owaspla.org
LinkedIn: http://www.linkedin.com/in/richardagreenberg
2. CURRENT STATE OF AFFAIRS
Breaches are Occurring Everywhere in Every Industry
Phishing Attacks are Multiplying and are Now the Preferred Method of Infiltration
Ransomware is Growing as a Targeted Attack
It is Difficult to Secure Application Development Environments
Breaches Are Not Discovered for 6-9 Months
• Often Discovered by External Source
3. RECENT BREACHES
Anthem: 78.8 million records
Target: 42 million people’s credit or debit information stolen; banks file class-action lawsuit against Target
Home Depot: estimated 56 million credit and debit card numbers
JPMorgan: 76 million households and 7 million small businesses
Carbanak: $1 billion stolen from more than 100 banks in 30 countries
AdultFriendFinder.com: 3.9 million users' personal details and sexual preferences
4. DATA BREACH COSTS
Average Cost of a Data Breach in the US is $6.5 Million, the Highest in the World
One Estimate of the Cost to Home Depot is $10 Billion by 2020
Cost in Health Care Organizations Could be as Much as $363 Per Record
5. THE TIMES THEY ARE A CHANGIN’
Every Business is Now a Target
Every Medical Device Could be a Target
Every Car Could be a Target
Every Refrigerator Could be a Target
Every Drone Could be an Attacker
6. AWARENESS OF SECURITY SEEMS TO BE EVERYWHERE!
Boardrooms Now Have Security on their Agendas 80% of the Time
Breaches are a Weekly News Item on Mainstream Media
Cousins Call Us for Advice or to Ask What We Think of the Latest Attack
Congress is Talking About Security
7. WHAT THE $%#%^%&*?
Old Vulnerabilities Are Still Everywhere
• SQL Injection (in the OWASP Top 10 in 2007 and still there!)
• 44% of known breaches in 2014 came from vulnerabilities that were between two and four years old [1]
Patching is Still Problematic
Change Management is not Happening
Configuration Management is Not Happening
Our Mission Critical Information is Not Encrypted
[1] HP 2015 Cyber Risk Report
8. OUR WORKFORCE HAS GONE PHISHING!
Click That Link!
Open That Attachment!
Open That Email From the Unknown Sender
Respond to that “Too Good to be True” Email Scam!
Forward that Funny Attachment to Everyone!
We Love Port 80!!
9. WHAT’S A GOOD SECURITY LEADER TO DO?!
Go on Tour
• Security Awareness Training for Everyone
• Address Your Company’s Vulnerability Trends
• Gamify Your Training
• Provide Incentives and Prizes
• Please, No Death by PowerPoint
Speak at Division Meetings
Speak at General Staff Meetings
10. MEET WITH KEY PLAYERS
Lunch with all Executives
Meet Regularly With:
• CTO or Head of System Admins
• Division Heads
• Legal
• Risk Compliance
Learn to Talk “Businessese”
11. CREATE AND ENFORCE POLICIES, STANDARDS, AND PROCEDURES
Ensure Standard Image is Created
• Is Regularly Updated
• Is Regularly Tested
• Deployed Everywhere, Especially on Admin Systems
No One Should Be Regularly Logged in with Admin Privileges
Have a Plan and Procedures for Securing Portable Devices and BYOD
12. BAKE SECURITY INTO THE SDLC
Embrace and Befriend the Head of Application Development
Utilize Static/Dynamic Web App Vulnerability Scanners
Have All Staff in AppDev Take Secure Coding Training
All Project Proposals Must be Reviewed by InfoSec
Work with the PMO
13. SECURE YOUR PHYSICAL ENVIRONMENT
Does Your Facilities Head Purchase Physical Security Solutions Without InfoSec Involvement or Knowledge?
Are Your Physical Security Access Cards Waaay too Easy to Hack? Most Are!
Do You Know Who Has Access to Your Data Center? Are You Sure?
Can People Leave Your Buildings Carrying Anything They Want?
14. MONITOR SYSTEMS REGULARLY
Are You Able to Detect Anomalies on Your Networks?
Do You Know if You Have Been Compromised? Probably Not!
Would You be able to Detect Strange Outbound Traffic to, Let’s Say, China or North Korea?
Monitor Unusual Changes in User Behavior
Do You Know if 50 Users All Had Their Accounts Locked After Unsuccessful Login Attempts?
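The two questions above (strange outbound traffic, 50 accounts locked at once) are exactly what a monitoring rule has to answer. As an added example that is not part of the original deck, the Python below runs two such checks over constructed sample data: a sliding window over account-lockout events (Windows Security event ID 4740) that fires when the number of distinct locked-out users within ten minutes reaches 50 and reports the workstation most of them came from, and a baseline check over flow records that flags large transfers from the internal network to external hosts never seen before. The one-line log format, the host names, the flow records and the known-destination baseline are all constructed for the example; a real deployment would read the SIEM or NetFlow export instead, and a GeoIP lookup on the destination would add the country view the slide mentions.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Windows Security log event ID for "A user account was locked out".
LOCKOUT_EVENT_ID = "4740"


def build_sample_auth_log():
    """Constructed sample (not real data) in a simplified one-line-per-event
    format: 50 distinct users locked out within three minutes, all from one
    workstation, plus three scattered lockouts that are normal background noise."""
    lines = [
        "2015-06-01T07:15:02 4740 user=dana src=WS-017",
        "2015-06-01T07:40:40 4740 user=eve src=WS-044",
    ]
    base = datetime(2015, 6, 1, 8, 0, 0)
    for i in range(50):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 4740 user=user{i:02d} src=WS-101")
    lines.append("2015-06-01T09:30:11 4740 user=frank src=WS-203")
    return "\n".join(lines)


def parse_lockouts(text):
    """Return time-sorted (timestamp, user, source_host) tuples for lockout events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != LOCKOUT_EVENT_ID:
            continue
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        src = parts[3].split("=", 1)[1]
        events.append((ts, user, src))
    events.sort()
    return events


def lockout_bursts(events, threshold=50, window=timedelta(minutes=10)):
    """Slide a time window over the sorted events and report every window in
    which the number of DISTINCT locked-out users reaches the threshold. Fifty
    people rarely forget their passwords in the same ten minutes; a burst like
    this usually means automated credential abuse or a misconfigured service
    retrying with stale credentials, and either way it needs a look."""
    bursts = []
    i, n = 0, len(events)
    while i < n:
        j = i
        while j < n and events[j][0] - events[i][0] <= window:
            j += 1
        users = {e[1] for e in events[i:j]}
        if len(users) >= threshold:
            sources = Counter(e[2] for e in events[i:j])
            bursts.append({
                "start": events[i][0],
                "end": events[j - 1][0],
                "distinct_users": len(users),
                "top_source": sources.most_common(1)[0][0],
            })
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts


# Constructed flow records (src, dst, bytes); the external side uses RFC 5737
# documentation addresses. Not real traffic.
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.10", 5_000_000),   # known partner, large but expected
    ("10.1.2.4", "203.0.113.77", 42_000_000),   # never seen before, 42 MB out
    ("10.1.2.5", "203.0.113.9", 2_000),         # new destination, tiny volume
    ("10.1.2.6", "10.9.9.9", 90_000_000),       # internal to internal
]
KNOWN_DESTINATIONS = {"198.51.100.10"}  # constructed baseline of expected external hosts


def unusual_outbound(flows, known_destinations, internal_net="10.0.0.0/8",
                     min_bytes=1_000_000):
    """Flag flows from the internal network to an external destination that is
    absent from the baseline and that moved at least min_bytes."""
    internal = ipaddress.ip_network(internal_net)
    flagged = []
    for src, dst, nbytes in flows:
        if (ipaddress.ip_address(src) in internal
                and ipaddress.ip_address(dst) not in internal
                and dst not in known_destinations
                and nbytes >= min_bytes):
            flagged.append((src, dst, nbytes))
    return flagged


if __name__ == "__main__":
    for b in lockout_bursts(parse_lockouts(build_sample_auth_log())):
        print(f"LOCKOUT BURST {b['start']}..{b['end']}: "
              f"{b['distinct_users']} users, most from {b['top_source']}")
    for src, dst, nbytes in unusual_outbound(SAMPLE_FLOWS, KNOWN_DESTINATIONS):
        print(f"UNUSUAL OUTBOUND {src} -> {dst} ({nbytes} bytes)")
```

The lockout check counts distinct users rather than raw events so that one person retrying a bad password does not trip it, and the top source host is included because a single workstation behind most of the lockouts is the first thing an analyst will want to isolate. The outbound check is deliberately a baseline comparison: "new destination plus large volume" is a cheap signal that works before any threat-intelligence feed is in place.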
15. CREATE AND REVIEW REPORTS
Create Remediation Plans After Reviewing Network Vulnerability Scans
Compare Reports From Various Tools: Patch Management, Vulnerability Scanning, Anti-Malware
Follow-up on Remediation Efforts
Rescan and Review Reports
Look for Patterns in Incidents in Your HelpDesk Database
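Comparing the reports this slide lists is mechanical work, which is a reason to script it so it happens every cycle instead of once. The Python below is an added example, not part of the original deck, that reconciles three constructed CSV exports (patch management, vulnerability scanner, anti-malware console) and sorts every discrepancy into an action bucket: findings the patch system claims are already fixed (verify), findings whose patch is failed, pending or never scheduled (remediate), scanned hosts the patch system does not manage (unmanaged), hosts with a failed or pending patch that the last scan did not cover (rescan), and anti-malware agents that are stopped or stale. The column names, host names, patch ids and finding names are placeholders chosen for the example, not any product's real export format.

```python
import csv
import io
from datetime import date

# Constructed sample exports, not output from any real product. Host names,
# patch ids and finding names are placeholders.
PATCH_REPORT = """host,patch_id,status
srv-01,PATCH-A,installed
srv-02,PATCH-A,failed
srv-03,PATCH-A,installed
srv-03,PATCH-B,pending
"""

SCAN_REPORT = """host,finding,fixed_by
srv-01,Remote code execution in service X (placeholder),PATCH-A
srv-03,Privilege escalation in component Y (placeholder),PATCH-B
srv-04,Remote code execution in service X (placeholder),PATCH-A
"""

AV_REPORT = """host,agent_status,last_update
srv-01,running,2015-06-01
srv-02,running,2015-06-01
srv-03,stopped,2015-04-10
srv-04,running,2015-05-30
"""


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(patch_rows, scan_rows, av_rows, today, max_av_age_days=7):
    """Cross-check the three exports and sort each discrepancy into a bucket:
    verify     - patch console says installed, scanner still sees the hole
                 (reboot pending, wrong package, or a false positive to confirm)
    remediate  - scanner sees the hole and the patch is failed, pending or not scheduled
    unmanaged  - scanner found a host the patch system does not know about
    rescan     - patch failed/pending on a host the last scan did not cover
    av_stale   - anti-malware agent not running or signatures older than the limit
    """
    patch_status = {(r["host"], r["patch_id"]): r["status"] for r in patch_rows}
    managed = {r["host"] for r in patch_rows}
    scanned = {r["host"] for r in scan_rows}
    report = {"verify": [], "remediate": [], "unmanaged": [], "rescan": [], "av_stale": []}

    for f in scan_rows:
        host, patch = f["host"], f["fixed_by"]
        if host not in managed:
            report["unmanaged"].append(host)
            continue
        status = patch_status.get((host, patch), "not scheduled")
        if status == "installed":
            report["verify"].append((host, patch))
        else:
            report["remediate"].append((host, patch, status))

    for (host, patch), status in patch_status.items():
        if status != "installed" and host not in scanned:
            report["rescan"].append(host)

    for r in av_rows:
        age_days = (today - date.fromisoformat(r["last_update"])).days
        if r["agent_status"] != "running" or age_days > max_av_age_days:
            report["av_stale"].append(r["host"])
    return report


def build_report(today=date(2015, 6, 2)):
    """Run the reconciliation over the constructed exports for a fixed date."""
    return reconcile(load(PATCH_REPORT), load(SCAN_REPORT), load(AV_REPORT), today)


if __name__ == "__main__":
    for bucket, items in build_report().items():
        print(f"{bucket}: {items}")
```

Each bucket maps to a different owner: verify goes back to the scanner team, remediate and rescan to the patching team with a due date, unmanaged to asset management, av_stale to the endpoint team. Keeping the output per host and per patch id is what lets the follow-up step on the slide be tracked rather than argued about.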
16. ENFORCE ACCESS MANAGEMENT STANDARDS
Work With HR to Establish Provisioning/Deprovisioning Procedures
Enforce Process to Approve and Grant Access to Systems
Enforce Deprovisioning Procedures
Periodically Audit Systems Access
Two Factors Required for all Admin Access to Mission Critical Systems
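A periodic audit of the points on this slide amounts to joining the HR roster with each system's account list and checking the two-factor rule. The Python below is an added example, not part of the original deck, that does that over constructed sample data and reports enabled accounts belonging to terminated staff (deprovisioning gaps), accounts with no HR record behind them, admin accounts on mission-critical systems without a second factor, and dormant accounts. The field names, the sample people and systems, and the 90-day dormancy threshold are assumptions made for the example.

```python
from datetime import date

# Constructed sample data, not from any real HR system or directory.
HR_ROSTER = [
    {"emp_id": "E100", "status": "active",     "end_date": ""},
    {"emp_id": "E101", "status": "terminated", "end_date": "2015-05-15"},
    {"emp_id": "E102", "status": "active",     "end_date": ""},
]

# One row per account per system; "critical" marks mission-critical systems.
ACCOUNTS = [
    {"system": "erp-prod", "critical": True,  "user": "aexample",   "emp_id": "E100",
     "admin": True,  "mfa": True,  "enabled": True,  "last_login": "2015-06-01"},
    {"system": "erp-prod", "critical": True,  "user": "bexample",   "emp_id": "E101",
     "admin": False, "mfa": False, "enabled": True,  "last_login": "2015-05-14"},
    {"system": "wiki",     "critical": False, "user": "bexample",   "emp_id": "E101",
     "admin": False, "mfa": False, "enabled": False, "last_login": "2015-05-14"},
    {"system": "erp-prod", "critical": True,  "user": "svc_backup", "emp_id": "",
     "admin": True,  "mfa": False, "enabled": True,  "last_login": "2015-06-01"},
    {"system": "wiki",     "critical": False, "user": "cexample",   "emp_id": "E102",
     "admin": False, "mfa": False, "enabled": True,  "last_login": "2015-01-20"},
]


def audit_access(roster, accounts, today, dormant_days=90):
    """Compare every enabled account with the HR roster and the two-factor rule.
    Findings:
      terminated_enabled - HR says the person left, the account still works
      orphaned           - no HR record behind the account (shared/service/unknown)
      admin_without_mfa  - admin on a mission-critical system, no second factor
      dormant            - no login for longer than dormant_days
    Each finding is a (system, user) pair so it can go straight onto a ticket."""
    hr = {r["emp_id"]: r for r in roster}
    findings = {"terminated_enabled": [], "orphaned": [],
                "admin_without_mfa": [], "dormant": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # already deprovisioned, nothing to report
        ref = (a["system"], a["user"])
        rec = hr.get(a["emp_id"])
        if rec is None:
            findings["orphaned"].append(ref)
        elif rec["status"] == "terminated":
            findings["terminated_enabled"].append(ref)
        if a["admin"] and a["critical"] and not a["mfa"]:
            findings["admin_without_mfa"].append(ref)
        if a["last_login"]:
            idle = (today - date.fromisoformat(a["last_login"])).days
            if idle > dormant_days:
                findings["dormant"].append(ref)
    return findings


def run_audit(today=date(2015, 6, 2)):
    """Run the audit over the constructed data for a fixed date."""
    return audit_access(HR_ROSTER, ACCOUNTS, today)


if __name__ == "__main__":
    for kind, refs in run_audit().items():
        for system, user in refs:
            print(f"{kind}: {user} on {system}")
```

The disabled wiki account for the terminated employee produces no finding, which is the point: the audit measures whether the deprovisioning procedure actually ran, system by system, rather than whether HR filed the paperwork. Orphaned admin accounts (service accounts nobody owns) are listed separately because they are the ones that tend to survive every offboarding.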
17. NETWORK AND COLLABORATE
Attend Networking Events
Make New Contacts
Share War Stories and Solutions
Join ISSA, OWASP, ISACA, CSA, HTCIA, etc.
Form New Groups
Look for Meetups
Leave Here Today With at Least 5 New Contacts; Follow-up with them
19. HELP PREPARE THE NEXT GENERATION OF SECURITY LEADERS
Hire Students
Train and Mentor Your Staff
Speak at Schools
Support Cyber Competitions
Help Schools With their Curriculum
Teach Security at Schools