Skoda Minotti, profile picture
Uploaded bySkoda Minotti
PPTX, PDF411 views

IT Security Essentials

This document provides an overview of IT security essentials and data security best practices. It discusses common data security concerns, including access controls, encryption, APIs, auditing and more. Specific frameworks and standards are also reviewed, such as PCI DSS, NIST and ISO. The document outlines steps for conducting a risk assessment and implementing controls. It emphasizes quick wins can be achieved through controls in areas like access management, encryption, patching and monitoring. Overall the document serves to educate about the threat landscape, compliance obligations and how to establish an effective data security program.

Embed presentation

Downloaded 11 times
- 1 - WELCOME! IT Security Essentials Linkedin.com/company/skoda-minotti Twitter.com/SkodaMinotti Facebook.com/SkodaMinotti
IT Security Essentials Joseph Compton, CISSP, CISA, QSA Gregory Skoda, Jr., CISA November 9, 2015
- 3 - • Threat landscape • Understanding your risks • Implementing a data security program • Testing your data security program AGENDA
- 4 - DATA BREACHES
- 5 - DATA BREACHES
- 6 - DATA BREACHES
- 7 - DATA BREACHES
- 8 - DATA BREACHES
- 9 - DATA BREACHES
- 10 - DATA BREACHES
- 11 - DATA BREACHES
- 12 - DATA SECURITY CONCERNS  Access Controls (both Physical and Logical)  Data Jurisdiction  Data Backup, Recovery and Destruction (Exit Strategy)  eDiscovery and Legal Hold issues  Audit frequency and responsibilities  Co-mingling of data  Insecure interfaces and APIs (application development)  Insufficient due diligence by cloud provider  Shared technology vulnerabilities (Denial of Service attacks)  Data breach response and forensics  Poor or no encryption of sensitive data  Account or service hijacking  Readiness for cloud services - every cloud service is different, each one must be evaluated individually
- 13 - LEGAL CONCERNS COMPLIANCE  Application ownership can be unclear  Regulatory controls for cloud (HITECT, PCI, GLBA, FERPA, HIPAA)  Data return/destruction at the end of contracts  Lack of SLA’s – slow or no service  Lack of recourse for lost data  Jurisdictional issues (data stored across multiple states or countries)  e-Discovery and legal hold issues (data stored across multiple servers)  Breach notification timeframes and forensics in a shared environment  Client vs. Cloud Provider responsibilities  Subcontracting and third parties
- 14 - Source: Verizon 2015 Data Breach Investigation Report THREAT ACTIONS
- 15 - THREAT ACTIONS Source: Verizon 2015 Data Breach Investigation Report
- 16 - BREACH DISCOVERY Source: Verizon 2015 Data Breach Investigation Report
- 17 - DATA BREACHES • SnapChat – 4.5 million compromised names and phone numbers • Kickstarter – 5.6 million victims • Korean Telecom – One of the year’s largest breaches affected 12 million customers • Heartbleed – First of three open-source vulnerabilities in 2014 • eBay – Database of 145 million customers compromised
- 18 - • PF Chang’s • Energetic Bear – Cyber spying operation targeted the energy industry • Cybervor – 1.2 billion compromised credentials • iCloud – Celebrity accounts hacked • Sandword – Attached a Windows vulnerability • Sony Pictures Entertainment – Highest-profile hack of the year • Inception Framework – Cyber-Espionage attached targeted the public sector DATA BREACHES
- 19 - • 75% say their organizations are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. And in the face of a crushing skills shortage, 40% subsist on no more than 5% of the IT budget. • "Managing the complexity of security" reclaimed the No. 1 spot among 10 challenges facing the respondents to our security survey, all from organizations with 100 or more employees INSIDER THREAT Source: InformationWeek 2014 Strategic Security Survey
- 20 - • 58% see an infected personal device connecting to the corporate network as a top endpoint security concern, making it the No. 1 response, ahead of phishing and lost devices • 56% say cyber-criminals pose the greatest threat to their organizations this year, the top answer, ahead of authorized users and employees at 49% • 23% have experienced a security breach or espionage in the past year INSIDER THREAT Source: InformationWeek 2014 Strategic Security Survey
- 21 - Source: SpectorSoft Insider Threat Survey Report INSIDER THREAT SURVEY 53% of enterprise respondents have discovered that employees use company-issued devices to send company information to personal email and cloud-based file-sharing accounts such as Yahoo! or Gmail and cloud-based file sharing accounts such as Box, DropBox or Hightail (419 enterprise respondents) 23% of end-user employee respondents reported that they transfer corporate information using Box, DropBox or Hightail (200 end-user employee respondents)
- 22 - INSIDER THREAT SURVEY Source: SpectorSoft Insider Threat Survey Report 33% of end-user employee respondents reported that they transfer corporate information via personal Yahoo! and Gmail accounts (200 end-user employee respondents) 49% of enterprise respondents have discovered that employees are copying corporate data to USB flash storage devices (419 enterprise respondents)
- 23 - MANAGER ISSUES CURRENT RISK • 55% of risk managers feel they have not dedicated enough resources to combat the evolution of hacking techniques • 76% of risk managers feel the biggest risk of cloud technology is the loss of confidentiality of information Source: The Hartford Steam Boiler Inspection and Insurance Company (HSB) Cyber Risk Survey
- 24 - SMALL BUSINESSES THREATS TO Small businesses can be forced to close down due to a data breach Four common company weak points: 1. Intrusion detection software 2. Encryption of private data 3. Patch management 4. Vendor mismanagement Source: PropertyCasualty360.com
- 25 - WHERE DO I START?
- 26 - COMPLIANCE LIFE CYCLE
- 27 - RISK ASSESSMENT
- 28 - RISK ASSESSMENT Understand organizational risks Key risk prioritization Identify high risk areas • Gain an understanding of the high risk areas and underlying rationales by conducting interviews with members of Senior Management, Legal and your Trust Advisors • Identify key risks based on the threats and vulnerabilities relevant to the organization and ranked these items based upon on their overall impact (environment, system and technical analysis) and expected likelihood of occurrence. • Identified the top risks to the Company based on inherent risk ranking. Threat Categories A B C D E External attack 2 3 Internal misuse and abuse 6 2 Theft 2 System malfunction 2 1 Service interruption 1 5 Customer 4 Information Risk Ratings: A-Verify High, B-High, C-Medium, D-Low, E-Very Low
- 29 - CONTROL FRAMEWORKS • CSA Star – Cloud Security Alliance • COBIT – Control Objectives for Information and Related Technology • FEDRAMP – Federal Risk and Authorization Management Program • FISMA – Federal Information Security Management Act • HIPAA – Health Insurance Portability and Accountability Act • ISO – International Organization for Standardization • ITIL – Information Technology Infrastructure Library • PCI DSS – Payment Card Industry Data Security Standard • NIST – National Institute of Standards and Technology • SOC 2 (AT 101) – Service Organization Control Reports
- 30 - SECURITY STANDARDS PCI DATA Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications
- 31 - SECURITY STANDARDS PCI DATA Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
- 32 - VALIDATE Independent auditor assessments and attestations • Review of policies and administrative procedures • Inspection of configurations and settings • Testing of manual procedures • Observation of control activities
- 33 - Security Testing • Vulnerability Assessments Internal and external testing • Internal and external penetration testing Network penetration testing Web application testing Social engineering VALIDATE
- 34 - WHAT CAN I DO FIRST? • 40% of the controls determined to be most effective against data breaches fall into the “Quick Win” Category Source: Verizon 2015 Data Breach Investigation Report
- 35 - CONTACT Joe Compton, CISSP, CISA, QSA (440) 605-7252 jcompton@skodaminotti.com Greg Skoda, Jr., CISA (440) 605-7176 gskodajr@skodaminotti.com

More Related Content

PDF
Data Security in Healthcare
byQuick Heal Technologies Ltd.
 
PDF
ICION 2016 - Cyber Security Governance
byCharles Lim
 
PPT
Top 10 Security Challenges
byJorge Sebastiao
 
PPTX
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
PPTX
Cyber Crime Threat Landscape - A Focus on the Financial Industry
byWilliam McBorrough
 
PPTX
Information Security vs IT - Key Roles & Responsibilities
byKroll
 
PPTX
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
PPTX
The Future of Cybersecurity - October 2015
bySecurity Innovation
 
Data Security in Healthcare
byQuick Heal Technologies Ltd.
 
ICION 2016 - Cyber Security Governance
byCharles Lim
 
Top 10 Security Challenges
byJorge Sebastiao
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
Cyber Crime Threat Landscape - A Focus on the Financial Industry
byWilliam McBorrough
 
Information Security vs IT - Key Roles & Responsibilities
byKroll
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
The Future of Cybersecurity - October 2015
bySecurity Innovation
 

What's hot

PPTX
See How You Measure Up With MaaS360 Mobile Metrics
byIBM Security
 
PDF
Overview of Information Security & Privacy
byNawanan Theera-Ampornpunt
 
PDF
Key Findings from the 2015 IBM Cyber Security Intelligence Index
byIBM Security
 
PPTX
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
byGovernment Technology and Services Coalition
 
PDF
Final presentation january iia cybersecurity securing your 2016 audit plan
byCameron Forbes Over
 
PPTX
Using Threat Intelligence to Address Your Growing Digital Risk
bySurfWatch Labs
 
PDF
Top Cyber Security Trends for 2016
byImperva
 
PPTX
Information & Cyber Security Risk
byMurray Security Services
 
PPTX
Understanding Your Attack Surface and Detecting & Mitigating External Threats
byUlf Mattsson
 
PPTX
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
PPTX
Cyber Security Landscape: Changes, Threats and Challenges
byBloxx
 
PDF
IT Position of Trust Designation
byMurray Security Services
 
PPT
Cyber Six: Managing Security in Internet
byRichardus Indrajit
 
PPTX
Top 5 Things to Look for in an IPS Solution
byIBM Security
 
DOCX
Target Data Breach Case Study 10242014
byJoseph White MPA CPM
 
PPTX
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
byJohn Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
PDF
Cyber Security and the National Central Banks
byCommunity Protection Forum
 
PDF
Cybersecurity | Risk. Impact. Innovations.
byVertex Holdings
 
PDF
How to Reduce the Attack Surface Created by Your Cyber-Tools
byEnterprise Management Associates
 
PPTX
The Science and Art of Cyber Incident Response (with Case Studies)
byKroll
 
See How You Measure Up With MaaS360 Mobile Metrics
byIBM Security
 
Overview of Information Security & Privacy
byNawanan Theera-Ampornpunt
 
Key Findings from the 2015 IBM Cyber Security Intelligence Index
byIBM Security
 
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
byGovernment Technology and Services Coalition
 
Final presentation january iia cybersecurity securing your 2016 audit plan
byCameron Forbes Over
 
Using Threat Intelligence to Address Your Growing Digital Risk
bySurfWatch Labs
 
Top Cyber Security Trends for 2016
byImperva
 
Information & Cyber Security Risk
byMurray Security Services
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
byUlf Mattsson
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
Cyber Security Landscape: Changes, Threats and Challenges
byBloxx
 
IT Position of Trust Designation
byMurray Security Services
 
Cyber Six: Managing Security in Internet
byRichardus Indrajit
 
Top 5 Things to Look for in an IPS Solution
byIBM Security
 
Target Data Breach Case Study 10242014
byJoseph White MPA CPM
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
byJohn Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
Cyber Security and the National Central Banks
byCommunity Protection Forum
 
Cybersecurity | Risk. Impact. Innovations.
byVertex Holdings
 
How to Reduce the Attack Surface Created by Your Cyber-Tools
byEnterprise Management Associates
 
The Science and Art of Cyber Incident Response (with Case Studies)
byKroll
 

Viewers also liked

PPT
Is it time to remove IT from the boardroom agenda?
byVMwareUK
 
PPTX
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
PPT
Information Security Lesson 3 - Basics - Eric Vanderburg
byEric Vanderburg
 
PPTX
Affordable Care Act Update
bySkoda Minotti
 
PPTX
12 More Great Ideas
bySkoda Minotti
 
PPTX
Ohio Municipal Reform Update
bySkoda Minotti
 
PPTX
12 (More) Great Ideas
bySkoda Minotti
 
PPTX
Preparing for the ACA
bySkoda Minotti
 
PPTX
7 Tips to Help Uncover Hidden Blog Content in Your CPA Firm
bySkoda Minotti
 
PPTX
Income Tax Refund Fraud
bySkoda Minotti
 
PPTX
Post-Election: What You Need to Know for Tax Planning
bySkoda Minotti
 
PPTX
State and Local Tax Issues Facing the Real Estate and Construction Industry
bySkoda Minotti
 
PPTX
Valuation Issues in Developing and Executing Buy-Sell Agreements
bySkoda Minotti
 
PPTX
Common 401(k) Plan Operational Deficiencies
bySkoda Minotti
 
PPTX
Forensic Autopsies: Inside Real-Life Fraud Investigations
bySkoda Minotti
 
PPTX
Accounting Standards Update
bySkoda Minotti
 
PPTX
International Tax and Transfer Pricing Topics
bySkoda Minotti
 
PPTX
Developing Your Business Through Internal Controls
bySkoda Minotti
 
Is it time to remove IT from the boardroom agenda?
byVMwareUK
 
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Information Security Lesson 3 - Basics - Eric Vanderburg
byEric Vanderburg
 
Affordable Care Act Update
bySkoda Minotti
 
12 More Great Ideas
bySkoda Minotti
 
Ohio Municipal Reform Update
bySkoda Minotti
 
12 (More) Great Ideas
bySkoda Minotti
 
Preparing for the ACA
bySkoda Minotti
 
7 Tips to Help Uncover Hidden Blog Content in Your CPA Firm
bySkoda Minotti
 
Income Tax Refund Fraud
bySkoda Minotti
 
Post-Election: What You Need to Know for Tax Planning
bySkoda Minotti
 
State and Local Tax Issues Facing the Real Estate and Construction Industry
bySkoda Minotti
 
Valuation Issues in Developing and Executing Buy-Sell Agreements
bySkoda Minotti
 
Common 401(k) Plan Operational Deficiencies
bySkoda Minotti
 
Forensic Autopsies: Inside Real-Life Fraud Investigations
bySkoda Minotti
 
Accounting Standards Update
bySkoda Minotti
 
International Tax and Transfer Pricing Topics
bySkoda Minotti
 
Developing Your Business Through Internal Controls
bySkoda Minotti
 

Similar to IT Security Essentials

PPTX
Cyber Attack Survival
bySkoda Minotti
 
PDF
idg_secops-solutions
byJonny Nässlander
 
PPTX
A guide to Sustainable Cyber Security
byErnest Staats
 
PPTX
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
PPTX
SAM05_Barber PW (7-9-15)
byNorm Barber
 
PDF
The State of Data Security
byRazor Technology
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
PPTX
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
byhoang971
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PDF
IDC Best Practices in Private Sector Cyber Security
byinside-BigData.com
 
PDF
Data+Security+Masterclass Presentation.pdf
byckurt9676
 
PPTX
Secure Iowa Oct 2016
byLarry Slobodzian
 
PPTX
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
byAkramAlqadasi1
 
PDF
cybersecurity-careers.pdf
byRakeshKumar442494
 
PPTX
So You Want a Job in Cybersecurity
by2nd Sight Lab
 
PPTX
SoCal HIMSS Privacy Security Webinar
byMarty Miller
 
PDF
Security Industry Overview
byThomvest Ventures
 
PPTX
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
byArgyle Executive Forum
 
PDF
Cybersecurity Challenges - Identifying Key Threats and Trends.pdf
bySeasiaInfotech2
 
Cyber Attack Survival
bySkoda Minotti
 
idg_secops-solutions
byJonny Nässlander
 
A guide to Sustainable Cyber Security
byErnest Staats
 
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
SAM05_Barber PW (7-9-15)
byNorm Barber
 
The State of Data Security
byRazor Technology
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
Add-Structure-and-Credibility-to-Your-Security-Portfolio-with-CIS-Controls-v8...
byhoang971
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
IDC Best Practices in Private Sector Cyber Security
byinside-BigData.com
 
Data+Security+Masterclass Presentation.pdf
byckurt9676
 
Secure Iowa Oct 2016
byLarry Slobodzian
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
byAkramAlqadasi1
 
cybersecurity-careers.pdf
byRakeshKumar442494
 
So You Want a Job in Cybersecurity
by2nd Sight Lab
 
SoCal HIMSS Privacy Security Webinar
byMarty Miller
 
Security Industry Overview
byThomvest Ventures
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
byArgyle Executive Forum
 
Cybersecurity Challenges - Identifying Key Threats and Trends.pdf
bySeasiaInfotech2
 

More from Skoda Minotti

PPTX
Navigating Tomorrow's Tax Landscape - 2020
bySkoda Minotti
 
PPTX
Elevate 2019: Business Leader Slides
bySkoda Minotti
 
PPTX
Elevate 2019: Financial Professional Slides
bySkoda Minotti
 
PDF
Smart Manufacturing Workshop: An Interactive Improv Session
bySkoda Minotti
 
PDF
Managing Risk
bySkoda Minotti
 
PDF
Navigating the Tax and Accounting Implications of Cryptocurrencies
bySkoda Minotti
 
PDF
Performance and Rewards
bySkoda Minotti
 
PPTX
Non-Qualified Deferred Compensation Programs for Private Companies
bySkoda Minotti
 
PDF
ABC Presents: Interviewing Skills
bySkoda Minotti
 
PDF
Valuation Issues in Developing and Executing Buy-Sell Agreements
bySkoda Minotti
 
PDF
ABC Presents: Recruiting and Retaining Top Talent
bySkoda Minotti
 
PDF
State and Local Tax Nexus Issues and the Impact on Mergers and Acquisitions
bySkoda Minotti
 
PDF
Future-Proofing Your Business with Technology
bySkoda Minotti
 
PPTX
Manufacturing in Northeast Ohio: Where We Stand, Where We’re Headed
bySkoda Minotti
 
PPTX
Recruiting and Retaining Top Talent
bySkoda Minotti
 
PPTX
New Ohio Cybersecurity Law Requirements
bySkoda Minotti
 
PPTX
Understanding Medicare
bySkoda Minotti
 
PDF
Five Digital Marketing Trends Your Company Needs to Know in 2019
bySkoda Minotti
 
PPTX
Business Valuation Basics
bySkoda Minotti
 
PPTX
The Importance of State and Local Tax Nexus
bySkoda Minotti
 
Navigating Tomorrow's Tax Landscape - 2020
bySkoda Minotti
 
Elevate 2019: Business Leader Slides
bySkoda Minotti
 
Elevate 2019: Financial Professional Slides
bySkoda Minotti
 
Smart Manufacturing Workshop: An Interactive Improv Session
bySkoda Minotti
 
Managing Risk
bySkoda Minotti
 
Navigating the Tax and Accounting Implications of Cryptocurrencies
bySkoda Minotti
 
Performance and Rewards
bySkoda Minotti
 
Non-Qualified Deferred Compensation Programs for Private Companies
bySkoda Minotti
 
ABC Presents: Interviewing Skills
bySkoda Minotti
 
Valuation Issues in Developing and Executing Buy-Sell Agreements
bySkoda Minotti
 
ABC Presents: Recruiting and Retaining Top Talent
bySkoda Minotti
 
State and Local Tax Nexus Issues and the Impact on Mergers and Acquisitions
bySkoda Minotti
 
Future-Proofing Your Business with Technology
bySkoda Minotti
 
Manufacturing in Northeast Ohio: Where We Stand, Where We’re Headed
bySkoda Minotti
 
Recruiting and Retaining Top Talent
bySkoda Minotti
 
New Ohio Cybersecurity Law Requirements
bySkoda Minotti
 
Understanding Medicare
bySkoda Minotti
 
Five Digital Marketing Trends Your Company Needs to Know in 2019
bySkoda Minotti
 
Business Valuation Basics
bySkoda Minotti
 
The Importance of State and Local Tax Nexus
bySkoda Minotti
 

Recently uploaded

PDF
Laura Sergio - Specializing In Helping Small Businesses
byLaura Sergio
 
PDF
A Brief Introduction About Zaid Alsikafi
byZaid Alsikafi
 
PDF
Contract_Costing_Introduction and Basics
byANEESHA252224
 
PDF
Hryhorii Butovych: Talent Management у PMO: як бути лідером для лідерів (UA)
byLviv Startup Club
 
PPTX
Sewage Treatment Plant Installation in Chennai | Hyderabad | Vijayawada | Ban...
byKemproPumps
 
PDF
Daily-Ads Review: Top Affiliates Are SCARED to Tell You This.pdf
bysimplefreedomwarrior
 
PDF
Havenwatch Foundation for Child Protection Data Handling & Privacy Policy
byhavenwatchfoundation
 
PDF
A good time to buy a diamond company? By James Allan
byJames AH Campbell
 
PDF
PRINCIPLES OF MARKETING 4th quarter lessons.pdf
bysnhsseniorhigh2
 
PDF
How to Buy Verified Cash App Accounts A Step-by-Step Guide.pdf
byUsaservicepoint
 
PDF
Optimizing Buy Old Gmail Accounts Security – Academic & Professional Guide 20...
byBuy iCloud Email Accounts
 
PPTX
Sewage Treatment Plant in Chennai | Best STP Plant Manufacturers in Tamilnad...
byKemproPumps
 
PPTX
OpenAI’s Pitch Deck Analysis: Full Slide Review
byashishupmetrics
 
PDF
Ultra Map Section I Interface Virtual.pdf
byBrij Consulting, LLC
 
PDF
DaVinci Commerce January New Year Edition: Our Big Resolution
byCorina Manea
 
PDF
Decoded: The Mystery of Life and the Begining of Time
byanyebepeter
 
PDF
J Hamilton M&G - 4 Feb 2026 FINAL (1).pdf
byHenry Tapper
 
PDF
How to Buy EDU Email Accounts_ A Comprehensive Guide in 2026.pdf
byonline marketing by pvaisback
 
PPTX
STP Plant Construction in Chennai | Hyderabad | Vijayawada | Bangalore | Myso...
byKemproPumps
 
PPTX
PRELIMS for PES on world businesses.pptx
bySureshGKPESUniversit
 
Laura Sergio - Specializing In Helping Small Businesses
byLaura Sergio
 
A Brief Introduction About Zaid Alsikafi
byZaid Alsikafi
 
Contract_Costing_Introduction and Basics
byANEESHA252224
 
Hryhorii Butovych: Talent Management у PMO: як бути лідером для лідерів (UA)
byLviv Startup Club
 
Sewage Treatment Plant Installation in Chennai | Hyderabad | Vijayawada | Ban...
byKemproPumps
 
Daily-Ads Review: Top Affiliates Are SCARED to Tell You This.pdf
bysimplefreedomwarrior
 
Havenwatch Foundation for Child Protection Data Handling & Privacy Policy
byhavenwatchfoundation
 
A good time to buy a diamond company? By James Allan
byJames AH Campbell
 
PRINCIPLES OF MARKETING 4th quarter lessons.pdf
bysnhsseniorhigh2
 
How to Buy Verified Cash App Accounts A Step-by-Step Guide.pdf
byUsaservicepoint
 
Optimizing Buy Old Gmail Accounts Security – Academic & Professional Guide 20...
byBuy iCloud Email Accounts
 
Sewage Treatment Plant in Chennai | Best STP Plant Manufacturers in Tamilnad...
byKemproPumps
 
OpenAI’s Pitch Deck Analysis: Full Slide Review
byashishupmetrics
 
Ultra Map Section I Interface Virtual.pdf
byBrij Consulting, LLC
 
DaVinci Commerce January New Year Edition: Our Big Resolution
byCorina Manea
 
Decoded: The Mystery of Life and the Begining of Time
byanyebepeter
 
J Hamilton M&G - 4 Feb 2026 FINAL (1).pdf
byHenry Tapper
 
How to Buy EDU Email Accounts_ A Comprehensive Guide in 2026.pdf
byonline marketing by pvaisback
 
STP Plant Construction in Chennai | Hyderabad | Vijayawada | Bangalore | Myso...
byKemproPumps
 
PRELIMS for PES on world businesses.pptx
bySureshGKPESUniversit
 

IT Security Essentials

  • 1.
    - 1 - WELCOME! ITSecurity Essentials Linkedin.com/company/skoda-minotti Twitter.com/SkodaMinotti Facebook.com/SkodaMinotti
  • 2.
    IT Security Essentials JosephCompton, CISSP, CISA, QSA Gregory Skoda, Jr., CISA November 9, 2015
  • 3.
    - 3 - •Threat landscape • Understanding your risks • Implementing a data security program • Testing your data security program AGENDA
  • 4.
    - 4 - DATABREACHES
  • 5.
    - 5 - DATABREACHES
  • 6.
    - 6 - DATABREACHES
  • 7.
    - 7 - DATABREACHES
  • 8.
    - 8 - DATABREACHES
  • 9.
    - 9 - DATABREACHES
  • 10.
    - 10 - DATABREACHES
  • 11.
    - 11 - DATABREACHES
  • 12.
    - 12 - DATASECURITY CONCERNS  Access Controls (both Physical and Logical)  Data Jurisdiction  Data Backup, Recovery and Destruction (Exit Strategy)  eDiscovery and Legal Hold issues  Audit frequency and responsibilities  Co-mingling of data  Insecure interfaces and APIs (application development)  Insufficient due diligence by cloud provider  Shared technology vulnerabilities (Denial of Service attacks)  Data breach response and forensics  Poor or no encryption of sensitive data  Account or service hijacking  Readiness for cloud services - every cloud service is different, each one must be evaluated individually
  • 13.
    - 13 - LEGALCONCERNS COMPLIANCE  Application ownership can be unclear  Regulatory controls for cloud (HITECT, PCI, GLBA, FERPA, HIPAA)  Data return/destruction at the end of contracts  Lack of SLA’s – slow or no service  Lack of recourse for lost data  Jurisdictional issues (data stored across multiple states or countries)  e-Discovery and legal hold issues (data stored across multiple servers)  Breach notification timeframes and forensics in a shared environment  Client vs. Cloud Provider responsibilities  Subcontracting and third parties
  • 14.
    - 14 - Source:Verizon 2015 Data Breach Investigation Report THREAT ACTIONS
  • 15.
    - 15 - THREATACTIONS Source: Verizon 2015 Data Breach Investigation Report
  • 16.
    - 16 - BREACHDISCOVERY Source: Verizon 2015 Data Breach Investigation Report
  • 17.
    - 17 - DATABREACHES • SnapChat – 4.5 million compromised names and phone numbers • Kickstarter – 5.6 million victims • Korean Telecom – One of the year’s largest breaches affected 12 million customers • Heartbleed – First of three open-source vulnerabilities in 2014 • eBay – Database of 145 million customers compromised
  • 18.
    - 18 - •PF Chang’s • Energetic Bear – Cyber spying operation targeted the energy industry • Cybervor – 1.2 billion compromised credentials • iCloud – Celebrity accounts hacked • Sandword – Attached a Windows vulnerability • Sony Pictures Entertainment – Highest-profile hack of the year • Inception Framework – Cyber-Espionage attached targeted the public sector DATA BREACHES
  • 19.
    - 19 - •75% say their organizations are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. And in the face of a crushing skills shortage, 40% subsist on no more than 5% of the IT budget. • "Managing the complexity of security" reclaimed the No. 1 spot among 10 challenges facing the respondents to our security survey, all from organizations with 100 or more employees INSIDER THREAT Source: InformationWeek 2014 Strategic Security Survey
  • 20.
    - 20 - •58% see an infected personal device connecting to the corporate network as a top endpoint security concern, making it the No. 1 response, ahead of phishing and lost devices • 56% say cyber-criminals pose the greatest threat to their organizations this year, the top answer, ahead of authorized users and employees at 49% • 23% have experienced a security breach or espionage in the past year INSIDER THREAT Source: InformationWeek 2014 Strategic Security Survey
  • 21.
    - 21 - Source:SpectorSoft Insider Threat Survey Report INSIDER THREAT SURVEY 53% of enterprise respondents have discovered that employees use company-issued devices to send company information to personal email and cloud-based file-sharing accounts such as Yahoo! or Gmail and cloud-based file sharing accounts such as Box, DropBox or Hightail (419 enterprise respondents) 23% of end-user employee respondents reported that they transfer corporate information using Box, DropBox or Hightail (200 end-user employee respondents)
  • 22.
    - 22 - INSIDERTHREAT SURVEY Source: SpectorSoft Insider Threat Survey Report 33% of end-user employee respondents reported that they transfer corporate information via personal Yahoo! and Gmail accounts (200 end-user employee respondents) 49% of enterprise respondents have discovered that employees are copying corporate data to USB flash storage devices (419 enterprise respondents)
  • 23.
    - 23 - MANAGERISSUES CURRENT RISK • 55% of risk managers feel they have not dedicated enough resources to combat the evolution of hacking techniques • 76% of risk managers feel the biggest risk of cloud technology is the loss of confidentiality of information Source: The Hartford Steam Boiler Inspection and Insurance Company (HSB) Cyber Risk Survey
  • 24.
    - 24 - SMALLBUSINESSES THREATS TO Small businesses can be forced to close down due to a data breach Four common company weak points: 1. Intrusion detection software 2. Encryption of private data 3. Patch management 4. Vendor mismanagement Source: PropertyCasualty360.com
  • 25.
    - 25 - WHEREDO I START?
  • 26.
  • 27.
    - 27 - RISKASSESSMENT
  • 28.
    - 28 - RISKASSESSMENT Understand organizational risks Key risk prioritization Identify high risk areas • Gain an understanding of the high risk areas and underlying rationales by conducting interviews with members of Senior Management, Legal and your Trust Advisors • Identify key risks based on the threats and vulnerabilities relevant to the organization and ranked these items based upon on their overall impact (environment, system and technical analysis) and expected likelihood of occurrence. • Identified the top risks to the Company based on inherent risk ranking. Threat Categories A B C D E External attack 2 3 Internal misuse and abuse 6 2 Theft 2 System malfunction 2 1 Service interruption 1 5 Customer 4 Information Risk Ratings: A-Verify High, B-High, C-Medium, D-Low, E-Very Low
  • 29.
    - 29 - CONTROLFRAMEWORKS • CSA Star – Cloud Security Alliance • COBIT – Control Objectives for Information and Related Technology • FEDRAMP – Federal Risk and Authorization Management Program • FISMA – Federal Information Security Management Act • HIPAA – Health Insurance Portability and Accountability Act • ISO – International Organization for Standardization • ITIL – Information Technology Infrastructure Library • PCI DSS – Payment Card Industry Data Security Standard • NIST – National Institute of Standards and Technology • SOC 2 (AT 101) – Service Organization Control Reports
  • 30.
    - 30 - SECURITYSTANDARDS PCI DATA Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications
  • 31.
    - 31 - SECURITYSTANDARDS PCI DATA Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
  • 32.
    - 32 - VALIDATE Independentauditor assessments and attestations • Review of policies and administrative procedures • Inspection of configurations and settings • Testing of manual procedures • Observation of control activities
  • 33.
    - 33 - SecurityTesting • Vulnerability Assessments Internal and external testing • Internal and external penetration testing Network penetration testing Web application testing Social engineering VALIDATE
  • 34.
    - 34 - WHATCAN I DO FIRST? • 40% of the controls determined to be most effective against data breaches fall into the “Quick Win” Category Source: Verizon 2015 Data Breach Investigation Report
  • 35.
    - 35 - CONTACT JoeCompton, CISSP, CISA, QSA (440) 605-7252 jcompton@skodaminotti.com Greg Skoda, Jr., CISA (440) 605-7176 gskodajr@skodaminotti.com

Editor's Notes

  • #4 Thank you for coming out
  • #20 [With the mass proliferation of technology and the Internet of Things, this should be no surprise and will not be trending downward any time soon.]
  • #21 [This is reason number one to implement a REAL BYOD program.] [The big breaches reported this year all involved outsiders taking advantage of insiders. I’d really recommend company’s reconsider what technology employees actually need as opposed to want for starters.] [Additional data suggests that only about 33% of all breaches are even reported to law enforcement. It’s safe to assume that of all entities out there, 67% are unaware, negligent, incompetent and or willful; take your pick!]
  • #22 53% of 419 enterprise respondents report employees using Dropbox, Google Drive, or some other file sharing scheme 23% of 200 end user respondents report the same What does all this mean? Ask audience for their thoughts.
  • #23 49% report employees using USB flash storage Out of 200 end-user employee respondents 33% transfer corporate data using personal email accounts i.e.