Information security isn't about information or security, it's about people!
Presented by Kevin Orth, VP of Operations, FRSecure LLC
Introduction – Topics
• About FRSecure
• Information Security Explained
• Why are people risky?
• Ingrained sense of trust
• Behaviors, moods, events, experiences, and surroundings
• Mistakes and malicious intent
• Twelve types of people
• Questions?
About FRSecure
FRSecure LLC is a full-service information security consulting company. We are dedicated to providing value to our clients through well designed, implemented, and managed information security solutions. Our mission statement:
– We take the time to understand our clients' business and align information security initiatives with their goals and objectives. In so doing, our clients benefit from solutions that help to drive business and add to the bottom line. Information security does not have to be a cost center.
FRSecure works with businesses of all sizes, in all industries. We understand that our clients are in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve their bottom line.
What we do
• Information Security Assessments: An independent and objective assessment of your current information security program based on well-established security standards.
– ISO Assessments
– Small Business Assessments
– Compliance Assessments
• GLBA
• HIPAA
• PCI
– Network Security Assessments
– Wireless Networking Assessments
– SAS70/SSAE16 Readiness Assessments
– Customer Required Assessments
Visit FRSecure.com for more information
What we do
• Information Security Program Development: A formal, cost-effective and customized information security program that reduces risk and improves efficiency.
– Outsourced information security
– PCI Compliance
– Vendor Risk Management
– Penetration Testing
– Policy Creation
– Training & Awareness Programs
– BC/DR Planning
• Information Security Management: Leverage years of expertise without the tremendous expense that can accompany it.
– Outsourced CISO
– Incident Response
Visit FRSecure.com for more information
Introduction – A Principle
People present the most significant risk to the security of information.
"It's not the technology that's to blame for most breaches; it's the people behind the technology."
Introduction – A Question
Give an example of a typical way people lose sensitive information.
Introduction – A Definition
What is information security?
Information Security Explained
Fundamentally, information security is: the application of administrative, physical and technical controls in an effort to protect the confidentiality, integrity, and availability of information.
Controls:
– Administrative – policies, procedures, processes
– Physical – locks, cameras, alarm systems
– Technical – firewalls, anti-virus software, permissions
Protect:
– Confidentiality – disclosure only to authorized entities
– Integrity – accuracy and completeness
– Availability – accessible when required and authorized
Why are people risky?
The variables involved in human behavior are numerous and often unpredictable. People are affected by an ingrained sense of trust in their fellow humans, and behaviors can be affected by moods, events, experiences, and surroundings. The risks involved can range from simple mistakes to malicious intent. Understand that people present the most significant risks to information assets, and design controls to account for these risks. If we properly invest in people through solid training and awareness, we can influence behaviors and mitigate risk.
Ingrained Sense of Trust
People have a certain amount of trust in other people.
Social engineering example #1
• You receive an urgent email from your bank that requires your immediate attention.
• Everything appears to be legit, so you click and log in.
• You've been phished!
• Someone else now has your login credentials to your online banking account.
Social engineering example #2
• You get a call from XYZ Energy Company. They are performing account maintenance on all accounts in your area.
• The person on the telephone asks you to confirm your account information. "Sir, we just need to confirm the information on your account. As a thank you for your time, we will credit $10 to your next energy bill."
Behaviors, Moods, Events, Experiences, and Surroundings
If you catch the right person at the right time, you might be surprised at what they do to put themselves and their organization at risk.
Example 1 – It's been a bad day
• You're in a bad mood. Your boss comes to you and asks you to do some seemingly unimportant task.
• Do you do it?
• Probably, but do you think the quality of the work suffers?
• If the quality of the work suffers, details might be missed. Some of these details might lead to vulnerabilities.
Example 2 – I didn't know any better
• A member of your team has cancer and goes to the hospital for chemotherapy.
• You check on them and find out that they're doing well.
• You email the rest of your team to let them know that your coworker is doing well and that the chemo seems to be working.
Example 3 – Desperate times call for desperate measures
• You are a good worker, but you have fallen on hard times. The transmission went out in your car, and one of your children was recently sick, leaving you with some expensive hospital bills. To add insult to injury, your company was recently acquired and you could be out of a job in a few months.
• You work in customer service for your company, and you have access to sensitive customer information. You wouldn't normally even consider taking the information and using it for financial gain, but these are desperate times.
• Desperate times call for desperate measures, right?
Example 4 – The quick stop
• On your way home from work, you decide to make a quick stop at the convenience store. You need some bread and milk.
• After you get home, you turn to your back seat to grab your bag. It's gone!
• In your bag was your laptop; the same laptop that you use for work.
• You work in HR and you know that there were spreadsheets containing sensitive personal information stored on the laptop hard drive.
• Uh oh! Your company is out thousands (maybe millions) of dollars, and you are out of a job. That's expensive milk!
Twelve types of people
• The disgruntled employee – In her mind, she's been done wrong. She's looking for revenge.
• The criminal employee – Eventually, he's going to break the law to get what he wants.
• The poorly trained employee – This person just didn't know any better.
• The driven employee – This gal is so busy; she doesn't have time for rules.
• The overworked employee – He wants to do the right thing, but he has deadlines to meet.
• The curious/opportunist employee – What's this directory; R&D? That might be cool!
Twelve types of people
• The vendor – Does anybody even know this guy?
• The contractor and/or service provider – They're going to need administrator access.
• The customer – They're requesting administrative access to one of your systems so that they can run some tests.
Twelve types of people
• The outside criminal – You've got something that the criminal wants.
• The outside opportunist – While browsing your website, the opportunist recognizes something that catches his eye.
• The activist – As long as everyone agrees with you, you should be okay. See: Operation Payback and "Anonymous".
The Right Approach
Companies that take a comprehensive, risk-based approach to information security are able to:
• Reduce (not eliminate) risks posed by people
• Provide adequate information security training to their employees
• Leverage new technologies that carry potentially high people risk
• Reduce downtime due to mistakes
The Right Approach
The Jigsaw Puzzle Analogy
• Choose a standard – the box cover
• Information security controls – the pieces
• Build a framework – the edge and corner pieces
• Complete the picture – refer to the box often; each piece in the right place
The Right Approach
The Jigsaw Puzzle Rules:
• Don't build the puzzle from the inside out.
• Don't build the puzzle without the box cover.
• If you don't understand where a piece fits, don't buy it.
The Right Approach
Whose data is it? The company's or the individual's?
This is why we're passionate.
The Right Approach
Are you an information security risk to your company?
Conclusion
Hopefully you have a better understanding of why we use "People present the most significant risk" as one of FRSecure's Ten Principles that Guide our Work.
You made it! – Questions?
About FRSecure
As an information security firm, FRSecure protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction. We assess existing information security systems and develop, implement and manage plans tailored to each client's specific security needs and overall business interests. These plans spare clients from the irreparable financial and reputational costs that invariably accompany the breach of sensitive business and personal information.
Achievements, experience and continuous referrals separate FRSecure as reliable information security experts who provide the resources and services that every business needs, but only FRSecure can deliver.