Business Security Insights




Earl.Chen@BankofAmerica.com   Lawrence.Godfrey@e-hps.com   JHenbest@ptcllc.com   Alberto@SureTech.com
What do I need to protect?


o Credit Card Data / Personal Info
 (Identities)
o Files
o Business Data



2012 Verizon Breach Report – Targeted Data


For SMBs, payment card data and authentication data are the data most targeted.




2012 Verizon Breach Report – Target Organization


The preferred target now seems to be SMBs (small and medium businesses):
  570 of the 855 investigations, over 66% of the total.




Outside Threats
Outside/External threats responsible for
98% of data breaches investigated in
2011




                          2012 Verizon Breach Report


Security Stories




     Examples




Hacking 30 Years Ago




Hacking Today




Source: www.fbi.gov
http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud/?searchterm=cyber%20theft




2012 Verizon Breach Report – How do they get in?

   Much as it has in the past, the most common malware infection
   vector continues to be installation or injection by a remote
   attacker.

   This covers scenarios in which an attacker breaches a system
   VIA REMOTE ACCESS and then deploys malware or injects code
   via web application vulnerabilities.




Security Experiences




       Examples




Inside Threats
o Data Corruption / Loss (Hardware, Operator
 or Programmatic failures)
o Remote Access Tools / Trusted Vendor
 Security Holes
o BYOD – Bring your own device
o Human error / Training
o Sabotage

Other Inside Threats


The other internal threats that need to be considered are:
   – Hard Drive Crash
   – Water or fire damage to POS
   – No backups or lack of testing backup procedures




Preparedness, Costs & Risks
How to think of Return on Investment: Is
security a bottom line cost or a profit center?
o What are the financial risks/costs?
  Prevention
  Remediation
o PCI / HIPAA / FINRA / SEC compliance and
 liabilities

PCI-DSS: Why Care? – Protecting your income

 Breach consequences for a Tier 4 merchant

 Actual Mid-West Steakhouse example:


Fines and Costs Breakdown           Steakhouse
Visa Fines                             $ 5,000
MasterCard Fines                      $ 30,000
Forensic Investigation Costs          $ 10,322
Visa card compromise program          $ 60,000
Chargebacks                          $ 202,223
Total Direct Breach Costs            $ 307,545
Please Note: Breached merchant must now adhere to Level/Tier 1 Requirements




Preparedness, Costs and Risks

Disaster Recovery vs. Business Continuity
o Backup
o Component Redundancy
o Enterprise Redundancy




Technical Security Layers
Physical
  o Checkpoints, locks, and surveillance
  o Logging
  o Force majeure (fire, earthquakes, etc.)

Network Equipment location/locks
  o Intrusion prevention
  o Intrusion detection
  o Access Management and ease of use

EndPoint
  o FireWall
  o AntiVirus: how did AntiVirus lose the war? Where is the battle
    now?
  o OS Updates / Security Patches


Basic Elements of Physical Security

Questions to consider…

Can a visitor to your business pick up a notebook computer and slip out the
door easily? What about a cell phone with email records?

Is the door to the server room always locked?

Are employees trained to ensure guests do not wander?

Are employees appropriately limited on where they can go?




                                                             www.ptcllc.com
Basic Elements of Physical Security
             o Deterrence
             o Access Control
             o Detection
             o Identification




Basic Elements of Network Security:
                  o Secure Passwords
                  o Perimeter Firewalls
                  o Intrusion Prevention

What to watch:
                 o Intrusion Detection
                 o Logging
                 o Alerting

Monitor, monitor, monitor…

Always look to improve and enhance as new threats are discovered…




Effective network segmentation - PCI DSS requires it to minimize the scope
of review…




POS Network   Wireless Network   Office Network


Intrusion Prevention




Basic Elements of Endpoint Security:
                  o Secure Passwords
                  o OS and Security Patches
                  o Antimalware Protection
                  o Client Firewalls
                  o Mobile Devices




Recent study by Imperva (data security firm in California) and Technion-Israel
Institute of Technology found success rate of the top 40+ antivirus products to be…


                                     Less than 5%
Symantec – Not called Antivirus software any longer…. Now Norton Internet
Security and Symantec Endpoint Protection

Trend Micro, McAfee, and others are doing the same.

They are losing the war and they know it.


        Source: NY Times, Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt – 12/31/2012


Operator Security Layers
Operational Controls:
  o People: non-business use, using default passwords, etc.
  o The Myth of Secure Passwords
  o Reset Password holes (questions, email)
  o Password manager
  o Backup
  o Training
  o Auditing
  o Data Integrity Tools
  o Policies, Training, Enforcement
     User Training
     Data Silos (Credit Cards, Financial, Customer, Operations)

Insurance
   o What can insurance do for me?



What is next for my business?
            o Security is
              complex, multilayered and
              ever changing.
            o Being aware of the issues that
              relate to your business is the
              first step.
            o Any solution will require
              trusted partners and an eye to
              integration of multiple
              solutions.

Thank you for attending.




Earl.Chen@BankofAmerica.com   Lawrence.Godfrey@e-hps.com   JHenbest@ptcllc.com   Alberto@SureTech.com






2013 PMA Business Security Insights


Editor's Notes

  1. Earl: International indictments of a Romanian hacker ring which targeted small retail businesses to steal credit card data. They stole payment card data from over hundreds of retailers by leveraging remote access software and caused over $40MM in losses. This would be a good place to share the story from Mark C.
  2. "We got an order for 6 cases of Dom Perignon 1999. Value was between $5-10k. Customer called in using a service for the hearing-impaired, where presumably he was typing something to the service and they were doing the talking for him...then they’d type our answer back to him. Net effect was that caller ID showed the service’s number, not his. He wanted to pay with a credit card...but not until the product was ready for pick-up. He wanted to pick it up with his own service (thus no delivery address). Finally, he asked that when we run the card, we put $200 in cash on it to tip the driver."
  3. 30 years ago the threat was a teenage kid in their parents' basement. The vast majority weren’t as smart as Matthew Broderick's character in War Games, David Lightman.
  4. Organized crime
     Professional software development organizations
     Multinational crime syndicates located offshore
     Larry: Michaels / Barnes & Noble PIN attacks: In response to these attacks, Michaels disabled the customer-facing signature pads and Barnes and Noble completely removed their customer-facing PIN pads.
  5. Earl: Recent NBC website and iPhone developer site attacks that targeted visitors' machines and downloaded malware. This would be a good place to share the remote security camera story and/or Carly’s story. Not sure which would be best because I don’t remember seeing details about Carly’s example.
  6. Earl: Recent NBC website and iPhone developer site attacks that targeted visitors' machines and downloaded malware.
     Earl: International indictments of a Romanian hacker ring which targeted small retail businesses to steal credit card data. They stole payment card data from over hundreds of retailers by leveraging remote access software and caused over $40MM in losses.
     Jack: Hack attempt through insecure remote access to cameras.
  7. Deterrence - fence, warning signs, window stickers, lighting, hedges, trenches
     Access Control - gates, doors, locks
     Detection - alarms, motion sensors, glass breakage detectors
     Identification - check-in/check-out, video surveillance, badges