SlideShare a Scribd company logo

CIA-Triad-Presentation.pdf

B
BabyBoy55

CIA Triad

Technology
1 of 30
Download to read offline
Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting
Clark Schaefer Consulting Serving elite and emerging companies with practical solutions Specializing in project work that is centered around three core competencies: Risk/Control (e.g., Risk Assessment, Internal and IT Audit, Compliance) Technology (e.g., IT Security, System Changes, Disaster Recovery) Accounting & Finance
Introductions Sarah Ackerman, CISSP, CISA Technology practice leader  Responsible for overall engagement quality and oversight of security and IT audit projects  Extensive experience in information security, risk management, IT audit, and other risk/control, IT, and compliance services
Introductions Greg Bernard, CISSP, CISA Manager  IT/internal audit/security projects  Experienced in IT and IT security, including security assessments, IT audits, vulnerability management and risk management Brian Matteson Senior Consultant  Subject matter expert in programmatic IT security review, enterprise risk assessment, insider threat, and APTs
Overview CIA Triad – Confidentiality, Integrity, Availability: The three most important components of security Participants will learn:  Definition of each element  How each element affects your business  Importance of security awareness for the safety of data  Consequences of ignoring the importance of the CIA triad components  Methods used to ensure confidentiality  How to ensure that your information is trustworthy and accurate  How to guarantee the reliable access to information
CIA – Defined  Confidentiality – Taking action to ensure there is no unauthorized access to data – Confidentiality protects access to data – Privacy protects access to a person  Integrity – Safeguarding data from unsolicited modification or deletion  Availability – Ensuring data is available when it is required
CIA Triad
CIA – Risks and Controls CIA Risks Controls Confidentiality • Loss of sensitive data • Unauthorized access • Access administration and security • Use of cryptography Integrity • Loss of completeness and accuracy • Potential fraudulent activity • Change monitoring software • Logging • Quality control Availability • Service interruption • Reputational risk • Opportunity Cost • System backups • Business continuity and disaster recovery planning • Failover testing
Failure to Consider CIA – Consequences  Confidentiality – Data leaks and breaches – Could lead to compromise of sensitive proprietary/customer information  Integrity – Use of unreliable data – Could have negative impact on downstream systems and processes  Availability – Unexpected downtime – May lead to poor system performance and/or customer dissatisfaction
Confidentiality – What you can do  Access Control – Define user IDs, passwords, and specific access levels (e.g., role-based access) • Principle of least privilege – Limit access to the minimum necessary for a user’s job responsibility – Use multi-factor authentication • Something you know – password • Something you have – proximity card • Something you are – fingerprint/retina scans – File/document permissions • Secure individual files/documents
Confidentiality – What you can do  Encryption – Encrypt data at rest • Hard disk encryption – Workstations (desktops and laptops) – Storage mechanisms (servers) – Encrypt data in motion • Secure transmission methods (network and transport layers) – Prevents compromise of data in transit • Use of secure transport protocols (e.g., HTTPS, TLS) – Prevents compromise of data in transit  Segregation of Duties – Prevents users from having excessive access to data which is not relevant to their responsibilities within a business process
Confidentiality – What you can do  3rd Party Vendor Oversight – Ensure that contracts are written to protect • Confidentiality agreements / non-disclosure agreements • Security considerations – SSAE16 reports – Monitor vendor activities • Limit access to only what is necessary to perform job • Request reports of activities performed • Segregate their access
Confidentiality – Real Examples of Loss 2014  Target and Home Depot were hacked resulting in loss of customer credit card information – Demonstrates loss of confidential information – Significant reputational damage  Sony also hacked, resulting in exposure of: – Sensitive information about employees – Leaks of Sony Pictures films, and other data – Attack resulted in loss of intellectual property/ confidential information
Integrity – What you can do  Physical Integrity – Ensure reliability of physical environment where data is stored – For example, the following techniques: • Uninterruptible power supply (UPS) • Redundant array of independent disks (RAID)  Logical Integrity – General controls to help ensure the reliability of data: • Referential integrity – Ensures that a value in one database table references an existing value in another table • Entity Integrity – Ensures that each row of a database table is uniquely identified, so that it can be retrieved separately if necessary
Integrity – What you can do  Logical Integrity – Use file integrity/change monitoring software to monitor data and logs – Required to meet payment card industry (PCI) standards • Sample extract – “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly” – Examples include: • Tripwire • CimTrak (by Cimcor)
Integrity – Real Examples of Loss  Recent examples of loss of integrity due to vulnerabilities: – April 2013: The Associated Press Twitter account was hacked • Resulted in false reports of explosions at the White House. • Caused a $136 Billion drop in value on the stock market – October 2013: The Syrian Electronic Army hijacked a link from President Obama’s Twitter account • Redirected to video of terror incidents – January 2015: Twitter accounts for the New York Post and United Press International were hacked • Resulted in publication of erroneous news stories
Availability – What you can do  Define what data exists and prioritize its importance  Understand type of storage/retrieval device or media including both hardware and software  Define and implement the appropriate network bandwidth between devices and network connections of mediums  Consider the processing overhead of affected mechanisms
Availability – What you can do  Implement monitoring of service levels with vendors  Implement effective means of backup to an offsite/disaster recovery location – Data replication – Data mirroring – Frequent periodic backups (e.g., nightly)  Define and document an effective Disaster Recovery/Business Resumption Plan – Defines how to quickly recover data – Recovery Time Objective (RTO) – Recovery Point Objective (RPO)
Availability – Examples of Loss  Recent examples of loss of availability resulting in system downtime: – PayPal: Due to a power outage, PayPal services were unavailable for many customers on October 30, 2015 – Neustar UltraDNS: Due to an internal server issue, Neustar UltraDNS, a web content delivery service, was down on October 15, 2015 • Resulted in 90 minute outage for popular websites, including Netflix and Expedia – CenturyLink: Result of a software glitch that affected the 911 network overseen by CenturyLink • 911 service was down in six western Pennsylvania counties for two hours on October 6, 2015
Security Awareness – Tips for Leadership U.S. Department of Homeland Security tips for industry leadership: 1. Implement a layered defense strategy that includes technical, organizational, and operational controls 2. Establish clear policies and procedures for employee use of organization’s IT systems/data
Security Awareness – Tips for Leadership 3. Coordinate cyber incident response planning with existing disaster recovery and business continuity plans across organization 4. Implement technical defenses – For example, firewalls, intrusion detection systems, and Internet content filtering 5. Update your anti-virus software often
Security Awareness – Tips for Leadership 6. Follow your organization’s guidelines and security regulations 7. Regularly download vendor security patches for all of your software 8. Change the manufacturer’s default passwords on all of your software
Security Awareness – Tips for Leadership 9. Encrypt data and use two-factor authentication where possible 10. If you use a wireless network, make sure that it is secure 11. Monitor, log, and analyze successful and attempted intrusions to your systems and networks
Security Awareness – Tips for Employees U.S. Department of Homeland Security tips for industry employees: 1. Read and abide by your company’s Internet use policy 2. Make your passwords complex. – Combination of numbers, symbols, and letters (uppercase and lowercase)
Security Awareness – Tips for Employees 3. Change your passwords regularly (every 45 to 90 days) 4. Don’t share any of your usernames, passwords, or other computer or website access codes 5. Only open emails or attachments from people you know
Security Awareness – Tips for Employees 6. Never install or connect any personal software or hardware to your organization’s network or hardware without permission from your IT department 7. Make electronic and physical backups or copies of all your most important work 8. Report all suspicious or unusual problems with your computer to your IT department
Training Best Practices:  Modify training program for different departments and/or locations  Offer different programs for managers and staff  Provide training more than once per year  Deliver security awareness training through several different channels  Measure the success of your company’s training program (next slide) Security Awareness – Training
Metric Indicator Increase in reports of attempted email/phone scams Better recognition of suspicious emails/calls Reduction in malware outbreaks Fewer opened malicious emails Vulnerability scans are scheduled to detect high & critical vulnerabilities Decrease in time between detection and remediation Increase in number of personnel completing training Attendance tracking and performance evaluations Increase in comprehension of training material Feedback from personnel; and training assessments Security Awareness – Metrics and Indicators Source: PCI Security Standards Council
Questions? 29
For More Information If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us: Clark Schaefer Consulting, LLC. 120 East Fourth Street, Suite 1100 Cincinnati, Ohio 45202 513-768-7100 www.clarkschaefer.com Email: info@clarkschaefer.com

Recommended

Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best PracticesEvolve IP
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness ProgramBill Gardner
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Mukesh Chinta
 
CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1ShivamSharma909
 
Enterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use CasesEnterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use CasesWSO2
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About ComplianceDinesh O Bareja
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Mukesh Chinta
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 

Recommended

Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best PracticesEvolve IP
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness ProgramBill Gardner
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Mukesh Chinta
 
CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1CompTIA Security+ SY0-601 Domain 1
CompTIA Security+ SY0-601 Domain 1ShivamSharma909
 
Enterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use CasesEnterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use CasesWSO2
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About ComplianceDinesh O Bareja
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Mukesh Chinta
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.pptFaheem Ul Hasan
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber SecurityNikunj Thakkar
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
Information security
Information securityInformation security
Information securitySina Bagherinezhad
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information SecurityKen Holmes
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppWeSecureApp
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Security Awareness & Training
Security Awareness & TrainingSecurity Awareness & Training
Security Awareness & Trainingnovemberchild
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxRSAArcher
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101Donald E. Hester
 
Cyber Security in Society
Cyber Security in SocietyCyber Security in Society
Cyber Security in SocietyRubal Sagwal
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technicalStephen Cobb
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptxselvapriyabiher
 
ISBB_Chapter6.pptx
ISBB_Chapter6.pptxISBB_Chapter6.pptx
ISBB_Chapter6.pptxAmanSoni665879
 

More Related Content

What's hot

Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber SecurityNikunj Thakkar
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information SecurityKen Holmes
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppWeSecureApp
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Security Awareness & Training
Security Awareness & TrainingSecurity Awareness & Training
Security Awareness & Trainingnovemberchild
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxRSAArcher
 
Cyber Security in Society
Cyber Security in SocietyCyber Security in Society
Cyber Security in SocietyRubal Sagwal
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technicalStephen Cobb
 

What's hot (20)

Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.ppt
 
Information security
Information securityInformation security
Information security
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber Security
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Information security
Information securityInformation security
Information security
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information Security
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 
Information security management system
Information security management systemInformation security management system
Information security management system
 
Cybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureAppCybersecurity Awareness E-Book - WeSecureApp
Cybersecurity Awareness E-Book - WeSecureApp
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecurity
 
Security Awareness & Training
Security Awareness & TrainingSecurity Awareness & Training
Security Awareness & Training
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurance
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101
 
Cyber Security in Society
Cyber Security in SocietyCyber Security in Society
Cyber Security in Society
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technical
 

Similar to CIA-Triad-Presentation.pdf

Information Security
Information SecurityInformation Security
Information Securitysonykhan3
 
Cloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceSoumitra Bhattacharyya
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are comingErnest Staats
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hackingDesmond Devendran
 
Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4CrispnCrunch
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!MarketingArrowECS_CZ
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsMohammad Abdul Matin Emon
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteSplunk
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats
 
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...Jon Papp
 

Similar to CIA-Triad-Presentation.pdf (20)

security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptx
 
ISBB_Chapter6.pptx
ISBB_Chapter6.pptxISBB_Chapter6.pptx
ISBB_Chapter6.pptx
 
Information Security
Information SecurityInformation Security
Information Security
 
Cloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform Service
 
Unlock Security Insight from Machine Data
Unlock Security Insight from Machine DataUnlock Security Insight from Machine Data
Unlock Security Insight from Machine Data
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptx
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
 
Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - Deloitte
 
ISS CAPSTONE TEAM
ISS CAPSTONE TEAMISS CAPSTONE TEAM
ISS CAPSTONE TEAM
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
Vulnerability Management V0.1
Vulnerability Management V0.1Vulnerability Management V0.1
Vulnerability Management V0.1
 
Harsha CV
Harsha CVHarsha CV
Harsha CV
 
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
 
Biznet Gio Presentation - Database Security
Biznet Gio Presentation - Database SecurityBiznet Gio Presentation - Database Security
Biznet Gio Presentation - Database Security
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

CIA-Triad-Presentation.pdf

  • 1. Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting
  • 2. Clark Schaefer Consulting Serving elite and emerging companies with practical solutions Specializing in project work that is centered around three core competencies: Risk/Control (e.g., Risk Assessment, Internal and IT Audit, Compliance) Technology (e.g., IT Security, System Changes, Disaster Recovery) Accounting & Finance
  • 3. Introductions Sarah Ackerman, CISSP, CISA Technology practice leader  Responsible for overall engagement quality and oversight of security and IT audit projects  Extensive experience in information security, risk management, IT audit, and other risk/control, IT, and compliance services
  • 4. Introductions Greg Bernard, CISSP, CISA Manager  IT/internal audit/security projects  Experienced in IT and IT security, including security assessments, IT audits, vulnerability management and risk management Brian Matteson Senior Consultant  Subject matter expert in programmatic IT security review, enterprise risk assessment, insider threat, and APTs
  • 5. Overview CIA Triad – Confidentiality, Integrity, Availability: The three most important components of security Participants will learn:  Definition of each element  How each element affects your business  Importance of security awareness for the safety of data  Consequences of ignoring the importance of the CIA triad components  Methods used to ensure confidentiality  How to ensure that your information is trustworthy and accurate  How to guarantee the reliable access to information
  • 6. CIA – Defined  Confidentiality – Taking action to ensure there is no unauthorized access to data – Confidentiality protects access to data – Privacy protects access to a person  Integrity – Safeguarding data from unsolicited modification or deletion  Availability – Ensuring data is available when it is required
  • 8. CIA – Risks and Controls CIA Risks Controls Confidentiality • Loss of sensitive data • Unauthorized access • Access administration and security • Use of cryptography Integrity • Loss of completeness and accuracy • Potential fraudulent activity • Change monitoring software • Logging • Quality control Availability • Service interruption • Reputational risk • Opportunity Cost • System backups • Business continuity and disaster recovery planning • Failover testing
  • 9. Failure to Consider CIA – Consequences  Confidentiality – Data leaks and breaches – Could lead to compromise of sensitive proprietary/customer information  Integrity – Use of unreliable data – Could have negative impact on downstream systems and processes  Availability – Unexpected downtime – May lead to poor system performance and/or customer dissatisfaction
  • 10. Confidentiality – What you can do  Access Control – Define user IDs, passwords, and specific access levels (e.g., role-based access) • Principle of least privilege – Limit access to the minimum necessary for a user’s job responsibility – Use multi-factor authentication • Something you know – password • Something you have – proximity card • Something you are – fingerprint/retina scans – File/document permissions • Secure individual files/documents
  • 11. Confidentiality – What you can do  Encryption – Encrypt data at rest • Hard disk encryption – Workstations (desktops and laptops) – Storage mechanisms (servers) – Encrypt data in motion • Secure transmission methods (network and transport layers) – Prevents compromise of data in transit • Use of secure transport protocols (e.g., HTTPS, TLS) – Prevents compromise of data in transit  Segregation of Duties – Prevents users from having excessive access to data which is not relevant to their responsibilities within a business process
  • 12. Confidentiality – What you can do  3rd Party Vendor Oversight – Ensure that contracts are written to protect • Confidentiality agreements / non-disclosure agreements • Security considerations – SSAE16 reports – Monitor vendor activities • Limit access to only what is necessary to perform job • Request reports of activities performed • Segregate their access
  • 13. Confidentiality – Real Examples of Loss 2014  Target and Home Depot were hacked resulting in loss of customer credit card information – Demonstrates loss of confidential information – Significant reputational damage  Sony also hacked, resulting in exposure of: – Sensitive information about employees – Leaks of Sony Pictures films, and other data – Attack resulted in loss of intellectual property/ confidential information
  • 14. Integrity – What you can do  Physical Integrity – Ensure reliability of physical environment where data is stored – For example, the following techniques: • Uninterruptible power supply (UPS) • Redundant array of independent disks (RAID)  Logical Integrity – General controls to help ensure the reliability of data: • Referential integrity – Ensures that a value in one database table references an existing value in another table • Entity Integrity – Ensures that each row of a database table is uniquely identified, so that it can be retrieved separately if necessary
  • 15. Integrity – What you can do  Logical Integrity – Use file integrity/change monitoring software to monitor data and logs – Required to meet payment card industry (PCI) standards • Sample extract – “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly” – Examples include: • Tripwire • CimTrak (by Cimcor)
  • 16. Integrity – Real Examples of Loss  Recent examples of loss of integrity due to vulnerabilities: – April 2013: The Associated Press Twitter account was hacked • Resulted in false reports of explosions at the White House. • Caused a $136 Billion drop in value on the stock market – October 2013: The Syrian Electronic Army hijacked a link from President Obama’s Twitter account • Redirected to video of terror incidents – January 2015: Twitter accounts for the New York Post and United Press International were hacked • Resulted in publication of erroneous news stories
  • 17. Availability – What you can do  Define what data exists and prioritize its importance  Understand type of storage/retrieval device or media including both hardware and software  Define and implement the appropriate network bandwidth between devices and network connections of mediums  Consider the processing overhead of affected mechanisms
  • 18. Availability – What you can do  Implement monitoring of service levels with vendors  Implement effective means of backup to an offsite/disaster recovery location – Data replication – Data mirroring – Frequent periodic backups (e.g., nightly)  Define and document an effective Disaster Recovery/Business Resumption Plan – Defines how to quickly recover data – Recovery Time Objective (RTO) – Recovery Point Objective (RPO)
  • 19. Availability – Examples of Loss  Recent examples of loss of availability resulting in system downtime: – PayPal: Due to a power outage, PayPal services were unavailable for many customers on October 30, 2015 – Neustar UltraDNS: Due to an internal server issue, Neustar UltraDNS, a web content delivery service, was down on October 15, 2015 • Resulted in 90 minute outage for popular websites, including Netflix and Expedia – CenturyLink: Result of a software glitch that affected the 911 network overseen by CenturyLink • 911 service was down in six western Pennsylvania counties for two hours on October 6, 2015
  • 20. Security Awareness – Tips for Leadership U.S. Department of Homeland Security tips for industry leadership: 1. Implement a layered defense strategy that includes technical, organizational, and operational controls 2. Establish clear policies and procedures for employee use of organization’s IT systems/data
  • 21. Security Awareness – Tips for Leadership 3. Coordinate cyber incident response planning with existing disaster recovery and business continuity plans across organization 4. Implement technical defenses – For example, firewalls, intrusion detection systems, and Internet content filtering 5. Update your anti-virus software often
  • 22. Security Awareness – Tips for Leadership 6. Follow your organization’s guidelines and security regulations 7. Regularly download vendor security patches for all of your software 8. Change the manufacturer’s default passwords on all of your software
  • 23. Security Awareness – Tips for Leadership 9. Encrypt data and use two-factor authentication where possible 10. If you use a wireless network, make sure that it is secure 11. Monitor, log, and analyze successful and attempted intrusions to your systems and networks
  • 24. Security Awareness – Tips for Employees U.S. Department of Homeland Security tips for industry employees: 1. Read and abide by your company’s Internet use policy 2. Make your passwords complex. – Combination of numbers, symbols, and letters (uppercase and lowercase)
  • 25. Security Awareness – Tips for Employees 3. Change your passwords regularly (every 45 to 90 days) 4. Don’t share any of your usernames, passwords, or other computer or website access codes 5. Only open emails or attachments from people you know
  • 26. Security Awareness – Tips for Employees 6. Never install or connect any personal software or hardware to your organization’s network or hardware without permission from your IT department 7. Make electronic and physical backups or copies of all your most important work 8. Report all suspicious or unusual problems with your computer to your IT department
  • 27. Training Best Practices:  Modify training program for different departments and/or locations  Offer different programs for managers and staff  Provide training more than once per year  Deliver security awareness training through several different channels  Measure the success of your company’s training program (next slide) Security Awareness – Training
  • 28. Metric Indicator Increase in reports of attempted email/phone scams Better recognition of suspicious emails/calls Reduction in malware outbreaks Fewer opened malicious emails Vulnerability scans are scheduled to detect high & critical vulnerabilities Decrease in time between detection and remediation Increase in number of personnel completing training Attendance tracking and performance evaluations Increase in comprehension of training material Feedback from personnel; and training assessments Security Awareness – Metrics and Indicators Source: PCI Security Standards Council
  • 30. For More Information If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us: Clark Schaefer Consulting, LLC. 120 East Fourth Street, Suite 1100 Cincinnati, Ohio 45202 513-768-7100 www.clarkschaefer.com Email: info@clarkschaefer.com