INFO 644: Public Policy Assignment
Presidential Initiatives
Group #2: Tamara Clark, Gustave R. DeCoursey, Deepa Devadas, Megan Dougherty, Chrystal Edwards

Top five issues for the current administration
- Cyber-Terrorism
- Insider Threats
- Risk Mitigation
- Information Security/Corporate Governance
- Working in the Cloud
CYBER-TERRORISM
Cyber Terrorism
- The threat will increase as terrorists become more high-tech and computer savvy.
- "A cyber attack could have the same impact as a well-placed bomb" – Robert Mueller III, Director of the FBI
- Terrorists look for and take advantage of vulnerabilities, in particular security weaknesses in network infrastructure.

Cyber Terrorism: What is Cyber Terrorism?
"Cyber Terrorism is a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services, where the intended purpose is to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda" – Keith Lourdeau, Deputy Assistant Director of the FBI's Cyber Division

Cyber Terrorism: Two Types of Cyber Terrorism Attacks
- Effects based: disruptive enough to generate the same fear within individuals as traditional types of terrorism
- Intent based: creates severe economic harm, or intimidates the government and individuals into supporting the terrorists' political objectives

Cyber Terrorism: What terrorists have done
- Email bombs
- Publication of threatening material and content
- Denial-of-service
- Defaced websites
What is possible?
- Massive blackouts
- Destruction of financial systems, transportation systems, defense infrastructure and national security infrastructure

Cyber Terrorism: Evidence of acquiring computer skills to use for cyber attacks
- Documents left behind by Al-Qaeda fighters after a U.S. attack contained information about Al-Qaeda operatives and their level of computer systems proficiency.
- Imam Samudra, the convicted Bali nightclub bomber, has written a book urging Muslim youth to learn computer hacking skills in order to obtain credit card information and funds from U.S. companies.

Cyber Terrorism: Recent incidents
- The Iranian Cyber Army defaced Congress' website after President Obama's State of the Union speech.
- Google's network infrastructure in China was hacked to reach the Gmail accounts of Chinese human rights activists.
- A U.S. Department of Defense computer network was attacked and malware was installed on the network.
Cyber Terrorism: Internet freedom
- Secretary of State Hillary Clinton is pushing for internet freedom for all: governments should not prevent people from connecting to the internet, to web sites and to each other.
- The current administration will work with academia, the private sector and foreign governments to provide people with new tools so they may exercise freedom of speech and expression toward their governments.
- Internet freedom will also open the door to possible cyber terrorism attacks.
Insider Threats
Insider Threats
- Businesses are most at risk from former and current employees.
- Insiders are motivated by work situations, opportunities or other personal factors.
- The resulting actions are computer abuse, fraud and theft, falsification, planting of malicious code, or sale of personal information.

Insider Threats: Real World Example
- Donald Burleson, a computer programmer, designed a virus after being scolded for storing personal letters on his company computer.
- The virus was designed to erase portions of the mainframe.
- After being fired, Burleson was able to use an unauthorized backdoor password to execute the virus.

Insider Threats: Simpler Real World Example
- Two credit union employees had legitimate access to alter credit reports based on updated information received.
- They intentionally misused this authorization to alter credit reports in exchange for money.

Insider Threats: Insider Threat Study
The U.S. Secret Service National Threat Assessment Center and the CERT Coordination Center of Carnegie Mellon University's Software Engineering Institute completed an Insider Threat Study and found:
- Most insider events were triggered by a negative event in the workplace.
- Most were motivated by financial gain.
- Perpetrators did not share a common profile.
- Most perpetrators planned their actions in advance.
- Only seventeen percent of incidents involved individuals with administrator access.
- Eighty-seven percent of the attacks used very simple user commands that did not require any advanced knowledge.
- Most attacks were committed at the workplace and during normal work hours.

Insider Threats: Businesses neglect the insider
- Businesses tend to concentrate on preventing outside intrusion and neglect insider threats.
- 62% of large businesses have dealt with a security incident caused by a current or former employee.
- The Deloitte 2007 Global Security Survey found that 91% of respondents were concerned about employees and 79% cited the human factor as the root cause of information security failures.
- The same survey showed that 22% of respondents had provided no employee security training over the past year, and fewer than 33% said their staff was skilled enough to respond to security needs.

Insider Threats: Companies need more requirements for
- Clear and concise policies
- Training
- Background checks
- Disciplinary actions
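The Burleson case above turns on a failure of offboarding: a fired employee still had a working credential. The study findings point the same way (most incidents used ordinary user commands, not administrator access, so the control is account hygiene rather than privileged-access tooling). The following is an added example, not part of the original presentation or of any real organisation's tooling: it reconciles a constructed HR roster against a constructed directory export to find accounts that are still enabled after their owner's termination date (and enabled accounts with no HR owner at all), then scans constructed authentication log lines for any use of those accounts after termination. All names, employee ids, dates and log formats are hypothetical.

```python
"""Offboarding reconciliation check (added example, constructed data).

Two checks a practitioner would run after an insider incident like the
Burleson case:
  1. stale_accounts: directory accounts still enabled whose HR owner is
     terminated, plus enabled accounts with no HR owner (orphans).
  2. post_termination_logins: authentication events by such accounts
     after the owner's termination date, successful or not.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: employee id -> (display name, termination date or None)
HR_ROSTER = {
    "e1001": ("J. Doe", date(2010, 3, 1)),    # terminated 1 March
    "e1002": ("A. Smith", None),              # still employed
    "e1003": ("B. Lee", date(2010, 2, 15)),   # terminated 15 February
}

# Constructed directory export: account name -> (employee id or None, enabled?)
DIRECTORY = {
    "jdoe": ("e1001", True),        # terminated but still enabled: the gap
    "asmith": ("e1002", True),      # active employee, fine
    "blee": ("e1003", False),       # terminated and disabled: correct state
    "svc_backup": (None, True),     # service account with no HR owner
}

# Constructed auth log in a simple key=value line format
AUTH_LOG = """\
2010-03-03T22:14:07 host=mainframe1 user=jdoe result=success src=10.0.5.21
2010-03-03T09:02:11 host=hr-app user=asmith result=success src=10.0.1.14
2010-02-20T18:40:50 host=mainframe1 user=blee result=failure src=10.0.5.40
2010-03-04T01:10:00 host=mainframe1 user=svc_backup result=success src=10.0.5.2
"""


@dataclass
class Finding:
    account: str
    kind: str
    detail: str


def stale_accounts(roster, directory):
    """Enabled accounts owned by terminated staff, and enabled orphans."""
    findings = []
    for account, (emp_id, enabled) in directory.items():
        if not enabled:
            continue  # disabled accounts are the desired end state
        if emp_id is None:
            findings.append(Finding(account, "orphan",
                                    "enabled account with no HR owner"))
            continue
        _, term = roster.get(emp_id, (None, None))
        if term is not None:
            findings.append(Finding(account, "stale",
                                    f"owner {emp_id} terminated {term}"))
    return findings


def parse_auth_line(line):
    """Parse '<iso timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def post_termination_logins(roster, directory, log_text):
    """Auth events by an account after its HR owner's termination date.

    Successful logins are the incident; failed ones are still worth an
    alert, since they show the credential is being tried."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_auth_line(line)
        emp_id, _ = directory.get(ev["user"], (None, None))
        if emp_id is None:
            continue  # orphans are reported by stale_accounts instead
        _, term = roster.get(emp_id, (None, None))
        if term is None or ev["ts"].date() <= term:
            continue
        kind = ("post_termination_login" if ev["result"] == "success"
                else "post_termination_attempt")
        hits.append(Finding(ev["user"], kind,
                            f"{ev['ts'].isoformat()} on {ev['host']} from {ev['src']}"))
    return hits


if __name__ == "__main__":
    for f in (stale_accounts(HR_ROSTER, DIRECTORY)
              + post_termination_logins(HR_ROSTER, DIRECTORY, AUTH_LOG)):
        print(f"[{f.kind}] {f.account}: {f.detail}")
```

On the constructed data the check reports jdoe as stale, svc_backup as an orphan, a successful post-termination login by jdoe and a failed attempt by blee. In practice the roster and directory export would come from the HR system and the directory service, and the account-to-owner mapping is the piece most organisations lack; the orphan finding is there to surface exactly that gap.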
Risk Mitigation
Risk Mitigation
- The most commonly chosen risk management strategy (the alternatives being to accept, avoid or transfer the risk).
- It involves fixing the flaw, or providing a compensating control that reduces the likelihood or the impact associated with the flaw.
- "Risk mitigation involves the process of prioritizing, evaluating and implementing appropriate controls."

Risk Mitigation: Purpose
- Communicates how specific risks will be dealt with and the action steps required to carry that out.
- Gives project team members a clear sense of the actions they are expected to take.
- Gives management an understanding of what actions are being taken on their behalf to reduce project risk.

Risk Mitigation: Issues/Threats
- Care should be taken while assessing and prioritizing risks: time spent dealing with risks that are unlikely to occur is wasted, and diverts resources that could have been used more profitably.
- If the risk management process is given too high a priority, it can keep an organization from ever completing a project, or even getting started.
- Another very important consideration in risk mitigation is to avoid conflicts of interest.

Why should Risk Mitigation be considered important? If it is ignored, the result is:
- Failure to develop a strong organizational culture
- Inefficient communication of information between levels of management
- Insufficient risk assessment
- Ineffective auditing and monitoring programs

Risk Mitigation: Opportunities
- Gives project members a chance to discuss improvements, including explicit discussion of risk mitigation strategies and approaches and the probable impact of different mitigation measures.
- These communications among organizational members offer opportunities to challenge assumptions, identify errors and voice issues, and for dispersed organizational members to grow and learn together.
- Provides opportunities for clarification, sense making and organizational growth.
Information Security/ Corporate governance
Corporate Irresponsibility
- WorldCom and Enron: no ownership of liabilities, difficult to prosecute
- Legislative action: HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act

Governance
- A top-down methodology for ownership of corporate processes.
- Information governance is a subset of corporate governance.
- It deals with all aspects of information, electronic, written and printed, across creation, transport and destruction.

Security Governance
- Security roles and responsibilities: provide strategic direction, ensure objectives are met, manage risk.
- Security policies: address the roles of individuals and the standards of implementation.
- Continual evaluation of the security program.

Management's Involvement
- Understand the risks when governance is nonexistent: reputation damage, loss of revenue, litigation.
- Implementation works better with top-level involvement.

Deliverables
- Security plan design, plan implementation, and monitoring the plan for the desired outcomes.
- Ongoing education: awareness of goals and initiatives, and security education maintained at the highest levels.
Cloud computing
Cloud Computing – Definition
Internet-based computing, which allows shared resources such as software and information to be provided to computers and other devices on demand. Typical cloud computing providers deliver common business applications online, accessed from another web service or piece of software.

Cloud Computing – Service models
- Software as a Service (SaaS): applications are provided in the cloud.
- Platform as a Service (PaaS): the provider lets users create or run applications using languages and tools it supports, while it delivers the underlying infrastructure such as servers, operating systems and storage.
- Infrastructure as a Service (IaaS): the customer deploys a computing infrastructure similar to a virtualized environment.

Clouds – Pros
- Reduced costs
- Resource sharing is more efficient
- Management moves to the cloud provider
- Consumption-based cost
- Faster time to roll out new services
- Dynamic resource availability for crunch periods
Clouds – Cons
- Compliance/regulatory laws may mandate on-site ownership of data
- Security and privacy
- Latency and bandwidth guarantees
- Absence of robust SLAs
- Availability and reliability

Federal Cloud
- Because of the growing popularity of cloud computing, the federal government is moving more quickly than the private sector in both its interest in and potential adoption of what has been referred to as the federal cloud.
- The Obama administration has made cloud computing a high priority, calling for a "fundamental re-examination of investments in the technology infrastructure."
- The overall objective is to create a more agile federal enterprise, where services can be provisioned and reused on demand to meet business needs.

Security issues with the cloud
- Privileged user access: sensitive data processed outside the enterprise brings a level of risk, since the provider's administrators can reach it.
- Regulatory compliance: customers are ultimately held responsible for the security and integrity of their own data, even when it is held by a service provider.
- Data location: when using a cloud, you may not know where your data is stored, or which jurisdiction's laws apply to it.
- Data segregation: data in the cloud sits in a shared environment, alongside data from other customers.
- Recovery: even if you do not know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster.
- Investigative support: investigating inappropriate or illegal activity may be impossible in cloud computing if the provider cannot supply logs and access records.
- Long-term viability: ideally your cloud provider will never go broke or be acquired by a larger company; if this happens, you must be sure your data will remain available even after such an event.

Cloud – Summary
Client-plus-cloud computing offers enhanced choice, flexibility, operational efficiency and cost savings for governments, businesses and individual consumers. To take full advantage of these benefits, reliable assurances regarding the privacy and security of online data must be provided. In addition, a number of regulatory, jurisdictional and public policy issues remain to be solved in order for online computing to thrive.
Gp2 Public Policy Assign8 644 Sp10

  • 1. INFO 644: Public Policy AssignmentPresidential Initiatives Group #2: Tamara Clark Gustave R DeCoursey Deepa Devadas Megan Dougherty Chrystal Edwards
  • 2. Top five issues for the current administration Cyber-Terrorism Insider Threats Risk Mitigation Information Security/Corporate Governance Working in the Cloud
  • 4. Cyber Terrorism Threat will increase as terrorists become more high tech and computer savvy. “A cyber attack could have the same impact as a well-placed bomb” – Robert Mueller, III, Director of FBI Terrorists look for and take advantage of vulnerabilities – network infrastructure security vulnerabilities
  • 5. Cyber Terrorism What is Cyber Terrorism? “Cyber Terrorism is a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services, where the intended purpose is to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda” - Keith Lourdeau, Deputy Asst Director of FBI’s Cyber Division
  • 6. Cyber Terrorism Two Types of Cyber Terrorism Attacks Effects based - Disruptive enough to generate the same fear within individuals as traditional types of terrorism Intent based - Create severe economic harm or intimidate the government and individuals into supporting the terrorists’ political objectives
  • 7. Cyber Terrorism What terrorists have done: Email bombs Publication of threatening material and content Denial-of-service Defaced websites What is possible? Massive blackouts Destruction of Financial systems Transportation systems Defense infrastructure National Security infrastructure
  • 8. Cyber Terrorism Evidence of acquiring computer skills to use for cyber attacks: Al-Qaeda fighters left behind documents that contained information about Al-Qaeda operatives and their level of computer systems proficiency during an attack by the U.S ImanSundra, the convicted Bali nightclub bomber, has written a book to influence Muslim youth to learn computer hacking skills in order to obtain credit card information and funds from U.S. companies.
  • 9. Cyber Terrorism Iranian Cyber Army defaced Congress’ website after President Obama’s State of the Union speech Google’s network infrastructure in China hacked for Gmail accounts of Chinese human rights activists U.S. Department of Defense computer network attacked and malware installed on the network
  • 11. Cyber Terrorism Secretary of State, Hillary Clinton, is pushing for internet freedom for all. Governments should not prevent people from connecting to the internet, web sites and each other. Current administration will work with academia, the private sector, and foreign governments to provide new tools to the people so they may exercise their freedom of speech and expression towards their governments Internet freedom will open the door to possible cyber terrorism attacks
  • 13. Insider Threats Businesses are most at risk from former and current employees Motivated by work situations, opportunities or other personal factors Resultant action is computer abuse, fraud and theft, falsification, planting of malicious code, or sale of personal information
  • 14. Insider Threats Real World Example: Donald Burleson, a computer programmer Designed a virus after being scolded for sotring personal letters on his company computer Virus was designed to erase portions of the mainframe After being fired, Burleson was able to employ an unauthorized backdoor password to execute the virus
  • 15. Insider Threats Simpler Real World Example: Two credit union employees had access to alter credit reports based on updated information received Intentionally misused this authorization to alter credit reports in exchange for money
  • 16. Insider Threats U.S. Secret Service National Threat Assessment Center and the CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute completed an Insider Threat Study and found: Most insider events were triggered by a negative event in the workplace Most were motivated by financial gain Perpetrators did not share a common profile
  • 17. Insider Threats Insider Threat Study (continued): Most perpetrators planned their actions in advance Only seventeen percent involved individuals with administrator access Eighty-seven percent of the attacks used very simple user commands that didn't require any advanced knowledge Most attacks were committed while at the workplace and during normal work hours
  • 18. Insider Threats Businesses tend to concentrate on preventing outside intrusion and neglect insider threats. 62% of large businesses have dealt with a security incident caused by a current or former employee. The Deloitte 2007 Global Security Survey found that 91% of respondents were concerned about employees and 79% cited the human factor as the root cause of information security failures. The same survey showed that 22% of respondents had provided no employee security training over the past year, and fewer than a third said their staff was skilled enough to respond to security needs.
  • 19. Insider Threats Companies need stronger requirements for: clear and concise policies; training; background checks; disciplinary actions; and timely removal of access when an employee leaves or changes role.
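The Burleson case (slide 14) and the study findings (slides 16 and 17) point at one control that is cheap to automate: reconciling authentication logs against the HR roster so that activity by terminated employees, by accounts HR has never heard of, or outside normal working hours is surfaced. The script below is an added example written for this page, not code from the slides or the cited studies. The log format, the roster, the usernames and the business-hours window are all constructed for illustration.

```python
"""Reconcile authentication events against an HR roster to surface the
insider-threat patterns the slides describe: credentials or a backdoor
account that still work after termination, and activity outside the workday.
Added example; log format, roster, usernames and hours are constructed."""
from dataclasses import dataclass
from datetime import datetime, date, time

# Constructed HR roster: username -> (display name, termination date or None).
ROSTER = {
    "jdoe": ("Jane Doe", None),
    "dburleson": ("D. Burleson", date(2010, 3, 15)),  # terminated (constructed date)
    "mkhan": ("M. Khan", None),
}

# Assumed business-hours window; tune to the organisation's real schedule.
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed key=value auth lines in a syslog-like layout.
SAMPLE_LOG = """\
2010-03-12T09:14:02 host=mainframe user=dburleson action=login result=success src=10.1.4.22
2010-03-16T22:41:55 host=mainframe user=dburleson action=login result=success src=10.1.4.22
2010-03-16T22:43:10 host=mainframe user=dburleson action=exec cmd=payroll_purge result=success src=10.1.4.22
2010-03-17T10:02:30 host=mainframe user=jdoe action=login result=success src=10.1.4.31
2010-03-17T03:15:00 host=mainframe user=svc_backdoor action=login result=success src=10.1.4.22
2010-03-17T11:30:00 host=mainframe user=mkhan action=login result=failure src=10.1.4.40
"""


@dataclass
class Finding:
    timestamp: datetime
    user: str
    reason: str


def parse_line(line):
    """Split 'ISO-timestamp k=v k=v ...' into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    event = {"timestamp": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def check_event(event, roster=ROSTER, hours=BUSINESS_HOURS):
    """Return the list of reasons a successful event deserves review.

    Failed attempts are a separate signal (brute force) and are skipped here.
    Only successes matter for 'access that should no longer exist'.
    """
    reasons = []
    if event.get("result") != "success":
        return reasons
    user = event["user"]
    ts = event["timestamp"]
    if user not in roster:
        # Nobody in HR owns this account: a backdoor or forgotten service account.
        reasons.append("account not in HR roster (possible backdoor account)")
    else:
        _, terminated = roster[user]
        # Offboarding is assumed to be same-day, so the termination date itself counts.
        if terminated is not None and ts.date() >= terminated:
            reasons.append(f"activity after termination on {terminated}")
    if not (hours[0] <= ts.time() < hours[1]):
        reasons.append("outside business hours")
    return reasons


def audit(log_text, roster=ROSTER):
    """Run every log line through check_event and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for reason in check_event(event, roster):
            findings.append(Finding(event["timestamp"], event["user"], reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} {f.user}: {f.reason}")
```

Two design points follow from the study. The check deliberately does not depend on the command being run or on the account being privileged: eighty-seven percent of the studied attacks used ordinary user commands and only seventeen percent involved administrator access, so a filter keyed on "admin did something unusual" would miss most of them. The roster reconciliation also catches the Burleson pattern directly, since a backdoor password is by definition a credential that no offboarding checklist will ever revoke.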
  • 21. Risk Mitigation The most commonly considered risk management strategy. It involves fixing the flaw, or providing a compensating control that reduces the likelihood or the impact associated with the flaw. “Risk mitigation involves the process of prioritizing, evaluating and implementing appropriate controls.”
  • 22. Risk Mitigation - Purpose Helps in communicating how specific risks will be dealt with and the action steps that are required to carry them out. Provides a clear sense of the actions that the project team members are expected to take Provides management with an understanding of what actions are being taken on their behalf to ameliorate project risk.
  • 23. Risk Mitigation Issues/Threats Care should be taken when assessing and prioritizing risks, since effort can otherwise be wasted on risks that are unlikely to occur. Time spent assessing and managing unlikely risks diverts resources that could have been used more profitably. If the risk management process is given too high a priority, it can keep an organization from ever completing, or even starting, a project. Another very important consideration in risk mitigation is to avoid conflicts of interest, for example letting the team that built a control also be the only one that rates the risk it addresses.
  • 24. Why should Risk Mitigation be considered important? If it is ignored, the result is: failure to develop a strong organizational culture; inefficient communication of information between levels of management; insufficient risk assessment; ineffective auditing and monitoring programs.
  • 25. Risk Mitigation – Opportunities Provide opportunities for the project members to discuss improvements, including explicit discussion of risk mitigation strategies and approaches, as well as what the probable impact of different risk mitigation measures might be These communications among organizational members offer opportunities to challenge assumptions, identify errors and voice issues. There are also opportunities for dispersed organizational members to grow and learn together. Provides opportunities for clarification, for sense making, for organizational growth, and opportunities for people to discuss improvements to the organization and the impacts of different risk mitigation strategies
  • 27. Corporate Irresponsibility WorldCom & Enron: no ownership of liabilities; difficult to prosecute. Legislative Action: HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act. (Sarbanes-Oxley, passed in 2002, was the direct response to those scandals; HIPAA (1996) and Gramm-Leach-Bliley (1999) predate them but impose comparable governance obligations on health and financial data.)
  • 28. Governance A top-down methodology for ownership of corporate processes. Information governance is a subset of corporate governance and deals with all aspects of information, whether electronic, written or printed, from creation through transport to destruction.
  • 29. Security Governance Security roles and responsibilities: provide strategic direction; ensure objectives are met; manage risk. Security policies: address the role of each individual; address standards of implementation. Continual evaluation of the security program.
  • 30. [Chart: flow of information among the departments involved in the design, implementation and ongoing maintenance of the security program; see editor's note 2.]
  • 31. Management’s Involvement Understand the risks when governance is nonexistent: reputation damage; loss of revenue; litigation. Implementation works better with involvement from the top.
  • 32. Deliverables Security plan design; plan implementation; monitoring of the plan for desired outcomes. Ongoing education: awareness of goals and initiatives; maintain security education at the highest levels.
  • 34. Cloud Computing – Definition Internet-based computing, in which shared resources such as software and information are provided to computers and other devices on demand. Typical cloud computing providers deliver common business applications online, accessed from a web browser or another web service or piece of software.
  • 35. Cloud Computing – Service models Software as a Service (SaaS), through which applications are provided in the cloud; Platform as a Service (PaaS), through which a cloud provider permits users to create or run applications using languages and tools supported by the provider while the provider delivers the underlying infrastructure such as servers, operating systems, or storage; and Infrastructure as a Service (IaaS), through which a customer can deploy a computing infrastructure similar to a virtualized environment.
  • 36. Clouds Pros: reduced costs; more efficient resource sharing; management moves to the cloud provider; consumption-based cost; faster time to roll out new services; dynamic resource availability for crunch periods. Cons: compliance/regulatory laws that mandate on-site ownership of data; security and privacy; latency & bandwidth guarantees; absence of robust SLAs; availability & reliability.
  • 37. Federal Cloud Due to the growing popularity of cloud computing, the federal government is moving more quickly than the private sector in both its interest in and its potential adoption of what has been referred to as the federal cloud. The Obama administration has made cloud computing a high priority, calling for a "fundamental re-examination of investments in the technology infrastructure." The overall objective is to create a more agile federal enterprise, where services can be provisioned and reused on demand to meet business needs.
  • 38. Security issues with the cloud Privileged user access: sensitive data processed outside the enterprise is outside the physical, logical and personnel controls the enterprise applies internally, and the provider's own administrators can reach it. Regulatory compliance: customers are ultimately held responsible for the security and integrity of their own data, even when it is held by a service provider. Data location: when using a cloud, you may have no idea in which country or data center your data is stored. Data segregation: data in the cloud is in a shared environment, alongside data from other customers.
  • 39. Security issues with the cloud Recovery: even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. Investigative support: investigating inappropriate or illegal activity may be impossible in cloud computing, because logs and data from many customers are co-located and the customer cannot image the provider's systems. Long-term viability: ideally, your cloud computing provider will never go broke or get acquired by a larger company; if this happens, you must be sure your data will remain available, and retrievable in a usable format, even after such an event.
  • 40. Cloud – summary Client-plus-cloud computing offers enhanced choice, flexibility, operational efficiency, and cost savings for governments, businesses, and individual consumers. To take full advantage of these benefits, reliable assurances regarding the privacy and security of online data must be provided. In addition, a number of regulatory, jurisdictional, and public policy issues remain to be solved in order for online computing to thrive.

Editor's notes

  1. Much of the current set of industry standards in today’s computing environment comes out of these. Corporate irresponsibility created legislation to govern what should already have been governed by the integrity of the individuals at the top.
  2. The flow of information within the chart depicts a possible path for all departments involved in the process of design, implementation and ongoing maintenance and management. The involvement of multiple levels of participants helps to make sure that all security needs are accounted for.
  3. Security staff and management need to be constantly vigilant about the information they are trying to protect. No plan implemented today will be sufficient in six months. New technology and applications are constantly bombarding the market. Corporations that want to maintain their leading edge over the competition will ensure that security governance is a mission of the enterprise.