Advertisement
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit
Keynote @ ECMECC School Security Summit

Check these out next

Keynote @ ISC2 Cyber Aware Dallas
Keynote @ ISC2 Cyber Aware Dallas
Evan Francen
WANTED - People Committed to Solving Our Information Security Language Problem
WANTED - People Committed to Solving Our Information Security Language Problem
Evan Francen
How to Catch a Wolf in Sheep's Clothing
How to Catch a Wolf in Sheep's Clothing
ThinAir
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
dianadvo
WANTED – People Committed to Solving our Information Security Language Problem
WANTED – People Committed to Solving our Information Security Language Problem
Evan Francen
How to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security Dollar
Hostway|HOSTING
ISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security culture
Craig McGill
How to Secure America
How to Secure America
SecurityStudio
1 of 50

Keynote @ ECMECC School Security Summit

Dec. 23, 2019
Download to read offline
Education

The title is "Cybersecure Schools, Parents, and Kids. The talk was delivered to ~250 people attending the summit. Tackling information security at school and at home requires us to agree to and apply the fundamentals. The S2Org is helping schools become more secure, and the S2Me is helping at home.

SecurityStudio
SecurityStudio
Advertisement
Advertisement
Advertisement

Recommended

ISSA-OC and Webster University Cybersecurity Seminar Series PresentationISSA-OC and Webster University Cybersecurity Seminar Series Presentation
ISSA-OC and Webster University Cybersecurity Seminar Series PresentationSecurityStudio83 views54 slides
People Committed to Solving our Information Security Language ProblemPeople Committed to Solving our Information Security Language Problem
People Committed to Solving our Information Security Language ProblemSecurityStudio88 views54 slides
Five Mistakes of Incident ResponseFive Mistakes of Incident Response
Five Mistakes of Incident ResponseAnton Chuvakin943 views4 slides
Threat Modeling 101Threat Modeling 101
Threat Modeling 101Atlassian8.9K views105 slides
Business-Critical Backup: Preparing for a DisasterBusiness-Critical Backup: Preparing for a Disaster
Business-Critical Backup: Preparing for a DisasterNetWize525 views29 slides
WANTED – People Committed to Solving our Information Security Language ProblemWANTED – People Committed to Solving our Information Security Language Problem
WANTED – People Committed to Solving our Information Security Language ProblemSecurityStudio177 views50 slides

More Related Content

Similar to Keynote @ ECMECC School Security Summit(20)

Keynote @ ISC2 Cyber Aware DallasKeynote @ ISC2 Cyber Aware Dallas
Keynote @ ISC2 Cyber Aware Dallas
Evan Francen313 views
WANTED - People Committed to Solving Our Information Security Language ProblemWANTED - People Committed to Solving Our Information Security Language Problem
WANTED - People Committed to Solving Our Information Security Language Problem
Evan Francen169 views
How to Catch a Wolf in Sheep's ClothingHow to Catch a Wolf in Sheep's Clothing
How to Catch a Wolf in Sheep's Clothing
ThinAir164 views
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
dianadvo235 views
WANTED – People Committed to Solving our Information Security Language ProblemWANTED – People Committed to Solving our Information Security Language Problem
WANTED – People Committed to Solving our Information Security Language Problem
Evan Francen230 views
How to Spend Your Cloud Security DollarHow to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security Dollar
Hostway|HOSTING1.2K views
ISACA talk - cybersecurity and security cultureISACA talk - cybersecurity and security culture
ISACA talk - cybersecurity and security culture
Craig McGill844 views
How to Secure AmericaHow to Secure America
How to Secure America
SecurityStudio301 views
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Sandra (Sandy) Dunn238 views
sanfranAIG3sanfranAIG3
sanfranAIG3
Ian Murphy 2500+ all connections welcome193 views
TIES 2013 Education Technology ConferenceTIES 2013 Education Technology Conference
TIES 2013 Education Technology Conference
Evan Francen327 views
WANTED – People Committed to Solving our Information Security Language ProblemWANTED – People Committed to Solving our Information Security Language Problem
WANTED – People Committed to Solving our Information Security Language Problem
SecurityStudio95 views
Skype School Session One Making Action SafeSkype School Session One Making Action Safe
Skype School Session One Making Action Safe
mirindabk3.2K views
cybersecurity-series-2019-threat-hunting.pdfcybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdf
CecilSu3 views
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright1.6K views
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocks
Cyphort871 views
The Security EcosystemThe Security Ecosystem
The Security Ecosystem
Anthony Bertuzzi587 views
Group1 PptGroup1 Ppt
Group1 Ppt
jessica mellert216 views
Information Security & ManufacturingInformation Security & Manufacturing
Information Security & Manufacturing
Evan Francen174 views
Watch Out For That Bus! (Personal Disaster Recovery Planning) - BSidesLV 2018Watch Out For That Bus! (Personal Disaster Recovery Planning) - BSidesLV 2018
Watch Out For That Bus! (Personal Disaster Recovery Planning) - BSidesLV 2018
David Minch187 views

Recently uploaded(20)

POLI GOV_FOR DEMO.pptxPOLI GOV_FOR DEMO.pptx
POLI GOV_FOR DEMO.pptx
MICHAELISIDORO20 views
Translation of English and Chinese Idioms through Cultural Differences.pdfTranslation of English and Chinese Idioms through Cultural Differences.pdf
Translation of English and Chinese Idioms through Cultural Differences.pdf
laotan0 views
4. The cardiac cycle.pptx4. The cardiac cycle.pptx
4. The cardiac cycle.pptx
Upwork.fivver 0 views
Introduction to Computer.pptIntroduction to Computer.ppt
Introduction to Computer.ppt
DurJanAslam0 views
Study of English translations of 4-character-idioms.pdfStudy of English translations of 4-character-idioms.pdf
Study of English translations of 4-character-idioms.pdf
laotan0 views
media based artsmedia based arts
media based arts
aprems400 views
Ikalawang Yugto ng Kolonyalismo at Imperyalismo.pptxIkalawang Yugto ng Kolonyalismo at Imperyalismo.pptx
Ikalawang Yugto ng Kolonyalismo at Imperyalismo.pptx
deped Philippines0 views
Binder1.pptxBinder1.pptx
Binder1.pptx
Binish Raza0 views
Smooth Muscle PPT.pptSmooth Muscle PPT.ppt
Smooth Muscle PPT.ppt
Upwork.fivver 0 views
ALKYL HALIDES NOTES.pdfALKYL HALIDES NOTES.pdf
ALKYL HALIDES NOTES.pdf
RICHADAYARAMANI10 views
3. Cushing's_syndrome.pptx3. Cushing's_syndrome.pptx
3. Cushing's_syndrome.pptx
Lawrenceshamboko0 views
DANCING.pptxDANCING.pptx
DANCING.pptx
KristineTrilles20 views
GROUP5(Title Defense).pptxGROUP5(Title Defense).pptx
GROUP5(Title Defense).pptx
SherwinLapea0 views
Economics Development NCERT Solutions .pdfEconomics Development NCERT Solutions .pdf
Economics Development NCERT Solutions .pdf
manojkumarjain250 views
SCI 8 -PPT ON FAULTS.pptxSCI 8 -PPT ON FAULTS.pptx
SCI 8 -PPT ON FAULTS.pptx
DioscoraSGutierrez0 views
Tetanus.pptTetanus.ppt
Tetanus.ppt
ZainabSiddiqui460 views
好餓好餓的毛毛蟲_數位繪本.pptx好餓好餓的毛毛蟲_數位繪本.pptx
好餓好餓的毛毛蟲_數位繪本.pptx
KaiHuiChuang0 views
Advance Word Processing Skill.pptx.pdfAdvance Word Processing Skill.pptx.pdf
Advance Word Processing Skill.pptx.pdf
RichardArellano130 views
transistoranditsworkingprinciple-160427150207 (1) (1).pdftransistoranditsworkingprinciple-160427150207 (1) (1).pdf
transistoranditsworkingprinciple-160427150207 (1) (1).pdf
rahulreddy7738140 views
Year 8 Unit 1 Lesson 1 Presentation.pptxYear 8 Unit 1 Lesson 1 Presentation.pptx
Year 8 Unit 1 Lesson 1 Presentation.pptx
LindaGray430 views
Advertisement

Keynote @ ECMECC School Security Summit

  1. Cybersecure Schools, Parents, and Kids Evan Francen, CEO, SecurityStudio
  2. Agenda - Format Cybersecure Schools, Parents, and Kids
  3. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio I do a lot of security stuff… • Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me • 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s) • Worked as CISO and vCISO for hundreds of companies. • Developed the FRSecure Mentor Program; six students in 2010/500+ in 2018 • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.) Cybersecure Schools, Parents, and Kids AKA: The “Truth” AKA: The “Preacher”
  4. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry? Published January, 2019 Cybersecure Schools, Parents, and Kids
  5. IMPORTANT! Before I get started… • The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds. • 5 percent of adults (18 or older) experience a mental illness in any one year • In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime. • In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services. • https://www.mentalhealthhackers.org/resources-and-links/
  6. A simple CTF challenge in Robby’s Memory. qr fbir ygdblcg yafr erodkganc hbd oneqrde oe yb ygr zrcannanc bh ygr kbefbe. oe qr kgoncrj pwonre qoayanc hbd yafr yb kbfr onj cby bhh ygae powr zwlr jby hbd o kbefak zwans bh on rmr, qr kolcgy o cwafper bh ebfryganc jrrprd / fbdr fronanchlw ygon oneqrde; pldr zrolym: glfonaym. qgawr eyaww kopyaioyrj onj rnygdowwrj zm ygae jaekbirdm, qr zoes an bld lybpao, ydmanc yb fosr ygance hoad onj rtlow, eb ah qr qrdr yb jrpody onj cry zoks bn zbodj bld oadpwonr onj yafr hanowwm kofr yb cry le, qr qblwj goir frfbdare zwaeehlw rnblcg yb woey le lnyaw bld nrvy oddaiow onj cair ygrf yb ygr hlyldr, hbd ydlwm mbl snbq grd, zly ah nby, a oeeldr mbl, egr oweb goe o zrolyahlw eblw. -dbzzm onjdrq qowwrnzrdc zdocc mbld hwoc ae drfrfzrdancwbeygoksrde One way to get a free book. Solve this and email me; efrancen@securitystudio.com.
  7. The #Truth 1. Information security isn’t about information or security as much as it is about people. 2. You cannot separate information security, privacy, and safety. 3. Everybody has something that somebody wants. 4. We are all in this together. Security people and “normal” people.
  8. You know we have an language problem in our industry, right? Our Industry AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT Cybersecurity BCDR Malware Trojan Spoofing UTM Phishing Vishing DDoS Worm Botnet ML Vulnerability Zero-Day Layered Exploit Threat Actor Attribution Kali OSCP CISSP NIST CSF How many of you are security people (my tribe)?
  9. You know we have an language problem in our industry, right? Normal People See Us Like AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT Cybersecurity BCDR Malware Trojan Spoofing UTM Phishing Vishing DDoS Worm Botnet ML Vulnerability Zero-Day Layered Exploit Threat Actor Attribution Kali OSCP CISSP NIST CSF
  10. Why? Because we don’t agree on a language Their Language FIX: Fundamentals and simplification. Translation/Communication Let’s test this…
  11. Information Security is
  12. Managing RiskInformation Security is
  13. Eliminating RiskInformation Security is NOT
  14. ComplianceInformation Security is NOT
  15. Managing RiskInformation Security is of what?
  16. Managing RiskInformation Security is unauthorized disclosure, alteration, and/or destruction of information. of
  17. Managing RiskInformation Security is in what? unauthorized disclosure, alteration, and/or destruction of information. of
  18. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is unauthorized disclosure, alteration, and/or destruction of information. of in
  19. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is Easier to go through your secretary than your firewall Firewall doesn’t help when someone steals your server YAY! IT stuff unauthorized disclosure, alteration, and/or destruction of information. of in
  20. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is What’s risk? unauthorized disclosure, alteration, and/or destruction of information. of in
  21. Managing Risk Likelihood Impact Administrative Controls Physical Controls Technical Controls Information Security is Of something bad happening. If it did. unauthorized disclosure, alteration, and/or destruction of information. of in
  22. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is in unauthorized disclosure, alteration, and/or destruction of information. of Likelihood Impact How do you figure out likelihood and impact?
  23. Managing Risk Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Start with vulnerabilities. Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of
  24. Managing Risk Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Start with vulnerabilities. • Vulnerabilities are weaknesses. • A fully implemented and functional control has no weakness. • Think CMMI, 1 – Initial to 5 – Optimizing. in unauthorized disclosure, alteration, and/or destruction of information. of Likelihood Impact
  25. Managing Risk Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is OK, but there’s no risk in a weakness by itself, right? Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of
  26. Managing Risk Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is OK, but there’s no risk in a weakness by itself, right? That’s right! We need threats too. in unauthorized disclosure, alteration, and/or destruction of information. of Likelihood Impact
  27. Managing Risk Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of
  28. Managing Risk Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of There is NO risk • For vulnerabilities without a threat. • For threats without a vulnerability.
  29. Managing Risk Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of There is NO risk • For vulnerabilities without a threat. • For threats without a vulnerability. So, what is information security?
  30. Managing Risk Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of
  31. Some more #truth about information security It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy. The better you know yourself, the better you can protect yourself.
  32. Some truth about information security It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy. You cannot build any effective security program or strategy in a school or at home without an assessment.
  33. Some truth about information security It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy. You cannot build any effective security program or strategy in a school or at home without an assessment. As many as 90% of schools fail to do fundamental information security risk assessments. WHY? Reason #1: Complexity
  34. Managing Risk Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of Fine for our tribe, but what about the others?
  35. Managing Risk Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Likelihood Impact in unauthorized disclosure, alteration, and/or destruction of information. of What if we made a simple score to represent this?
  36. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is We call it the S²Score. We did.
  37. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is The S²Score is a simple and effective language to communicate information security to everyone (parents, students, school boards, other security people, administration, regulators, etc.).
  38. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is As many as 90% of schools fail to do fundamental information security risk assessments. Reason #2: Cost
  39. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s FREE! The assessment that creates the S²Score is available at no cost. No budget, no problem.
  40. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s FREE! The assessment that creates the S²Score is available at no cost. No budget, no problem. There’s no catch.
  41. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s FREE! The assessment that creates the S²Score is available at no cost. No budget, no problem. There’s no catch. For those who like our snazzy standards and acronyms, the S2Org is derived from and mapped to: • NIST CSF • NIST SP 800-53 • NIST SP 800-171 • ISO 27002 • COBIT • Others…
  42. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s FREE! The assessment that creates the S2Score is available at no cost to anyone. There’s no catch. For those who like our snazzy standards and acronyms, the S2Org is derived from and mapped to: • NIST CSF • NIST SP 800-53 • NIST SP 800-171 • ISO 27002 • COBIT • Others…
  43. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s FREE! The assessment that creates the S2Score is available at no cost to anyone. There’s no catch. For those who like our snazzy standards and acronyms, the S2Org is derived from and mapped to: • NIST CSF • NIST SP 800-53 • NIST SP 800-171 • ISO 27002 • COBIT • Others… That’s for schools… S2Org is free. https://securitystudio.com. ECMECC is a trusted partner helping schools.
  44. What about parents and kids? (security is security, which is good) People are creatures of habit. We can’t address issues that we don’t know about. The same people at home are the same people at work and school. This also requires an assessment. The better you know yourself, the better you can protect yourself.
  45. What about parents and kids? (security is security, which is good) Motivation will come from understanding. In information security, ignorance isn’t bliss! If data security doesn’t motivate… Surely safety will! The default is risk ignorance. DANGER! It’s breach. Maybe privacy will. If privacy doesn’t motivate…
  46. S2Me is also free. Always will be. https://s2me.io. What about parents and kids? Here’s what we’ll do…
  47. S2Me is also free. Always will be. https://s2me.io. What about parents and kids? Here’s what we’ll do… Eventually (maybe soon), we create an S2Teen too.
  48. What to do NOW! By speaking a common language we can work on what really matters (our most significant risks). What we’re going to do: • Keep preaching. • Work politically. • Keep improving (by listening). What you need to do: • Get your S2Org Assessment and do it! • Help us preach. • Get your free S2Me Assessment. • Get your family, friends, and parents to do one too. • Help us improve (by talking). What’s the point?
  49. What to do NOW! By speaking a common language we can work on what really matters (our most significant risks). What we’re going to do: • Keep preaching. • Work politically. • Keep improving (by listening). What you need to do: • Get your S2Org Assessment and do it! • Help us preach. • Get your free S2Me Assessment. • Get your family, friends, and parents to do one too. • Help us improve (by talking). What’s the point? People are the point! Information security is not about information or security as much as it is about people. People within our industry and people who work with us are confused and we’re wasting valuable resources.
  50. What to do NOW! By speaking a common language we can work on what really matters (our most significant risks). What we’re going to do: • Keep preaching. • Work politically. • Keep improving (by listening). What you need to do: • Get your S2Org Assessment and do it! • Help us preach. • Get your free S2Me Assessment. • Get your family, friends, and parents to do one too. • Help us improve (by talking). What’s the point? People are the point! Information security is not about information or security as much as it is about people. People within our industry and people who work with us are confused and we’re wasting valuable resources. ECMECC is a trusted partner! Ask them for help or more information. Follow me/us on Twitter: @evanfrancen @StudioSecurity Thank you!
Advertisement