Protecting Financial Information
Managing Risk or Reacting to Compliance
Evan Francen, CISSP CISM
FRSecure President
March 27th, 2014
Managing Risk or Reacting to Compliance
Topics
Introduction
Evan Francen
FRSecure
Compliance – Reactive
Risk – Proactive
Real World Examples & Guidance
Social Engineering
Introduction
Evan Francen
Aka “The Truth”
Security Guy
Weird - Different
For real…
• 20+ years of information security experience
• Co-founded FRSecure in 2008
• Worked with organizations of all sizes, including Wells Fargo, US Bank,
UnitedHealth, ADP, St. Jude, etc.
• Risk Management, Security Program Development, Social Engineering,
Mentoring, and the projects nobody else wants to do.
Introduction
FRSecure
• Information Security Management company. It’s all we do.
• Methodology - Develop, use, and share methodologies for a variety of
information security projects.
• Project Leaders – All of our project leaders have more than 15 years
of information security experience, from Fortune 100 to SMBs
• Fully Transparent – Empowers our clients to do what we do.
• Product Agnostic – Recommendations stand on their own, with no
ulterior motive.
Compliance
What is compliance?
• Is there any such thing as “GLBA Compliant” or “HIPAA Compliant”?
If so, who certifies such things?
• Isn’t “compliance” just doing what the last auditor told you to do?
Is what the last auditor told you to do the right thing for you to do?
Compliance
Are compliance and security the same thing?
• Many people believe so.
• The right answer is NO.
Information security is the use of Administrative, Physical and
Technical controls to protect the Confidentiality, Integrity, and
Availability of data.
Risk
Are we ever “secure”?
• It depends. Right?
No matter what we do with protection, there will always be a
risk associated with unauthorized disclosure, alteration, or
destruction of data.
• “Secure” is a relative term.
• Effectively managing security comes down to managing risk.
Risk
Some risks are acceptable and others are not.
• What is risk?
• Risk is not intuitive. (more on this later)
• Risk = the likelihood of something bad happening + the impact if the bad thing happened.
• Risk decisions are management decisions.
Risk
Risk Decisions
• Risk Acceptance
• Risk Avoidance
• Risk Mitigation
• Risk Ignorance
Risk
Risk is Not (always) Intuitive
• Who is at higher risk of an earthquake, San Francisco or
Boston?
Turns out that the risk is essentially the same.
In general:
• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can't
control.
• People overestimate risks that are being talked about and remain an object of public scrutiny.
Compliance & Risk
Compliance is based on doing what you’re told.
Risk is based on likelihood and impact.
Compliance is reactive.
Managing risk is proactive.
Compliance is more costly.
Managing risk allows cost/benefit analysis.
Compliance is the letter of the law.
Managing risk is the intent of the law.
Real Life Examples
Large Healthcare Organization
Audit conducted in 2012
Told they needed SIEM and DLP
Spent $600,000 on new technology
Compliant!
Greatest (technical) risk was use of
unencrypted mobile devices
Cost to mitigate $600,000
Products are not configured or fully utilized
Breach occurs in 2013 – Stolen laptop
Over $3,000,000 in costs
Over $3,600,000 spent. Greatest risk still exists.
Real Life Examples
Target
Audited regularly & constantly
Spend millions on compliance
Spend millions on technology
Compliant!
Were any of these a significant risk?
• Vendor risk management
• Information security reporting structure
• Alerting & monitoring processes
• SOC processes and training
• Incident response processes
Millions of dollars spent. Greatest risk? Last quarter profit down 46%.
Estimated costs to exceed $1,000,000,000.
Social Engineering
Social Engineering is exploitation of the human factor in security; tricking a
person into giving you information that could benefit you, but bring them
harm.
Social Engineering is by far the most effective method of gaining
unauthorized access to information. We know this, and so do the bad guys.
Social Engineering
Did You Know:
There were more than 74,000 unique phishing campaigns discovered during Q2/2013, leveraging over 110,000 hijacked domains and targeting more than 1,100 brands.
Email Attacks (Phishing)
• Tricking you into going to a website that looks legitimate, and convincing
you to log in (or disclose other information).
• Has a 60 – 70% success rate.
• How to Avoid Phishing Scams -
http://apwg.org/resources/overview/avoid-phishing-scams
Social Engineering
Did You Know:
A recent study shows that 30 percent of Americans will open emails, even when they know the message is malicious.
Email Attacks (Malicious Attachments)
• Tricking you into opening (or downloading/opening) a file that appears to
be legitimate, but is in fact malicious.
• Has a 30 – 40% success rate.
• Don’t have blind trust in your anti-virus software. If you aren’t
expecting an attachment, don’t open it. If you’re not sure, call
the person who sent it to you and ask.
Social Engineering
Did You Know:
Most social engineering attacks go unreported by the victim.
Telephone Attacks
• Tricking you into divulging sensitive information over the phone.
• People like helping other people, something that an attacker can exploit
to receive sensitive information.
• Success rate varies greatly.
• If you receive a social engineering phone call, ask them for
their name, company and phone number. In almost every case,
the caller will disconnect when asked questions or placed on
hold.
Social Engineering
Did You Know:
Physical social engineering attacks can result in physical damage to the facility and safety dangers.
Physical Attacks
• Tricking you into giving physical access to a restricted area.
• Physical social engineering attacks require a bold attacker with a very
focused agenda.
• Success rate varies greatly.
• If you can help it, don’t hold the door for others; especially
those who you don’t recognize. It’s OK to ask someone you
don’t know if you can help them or ask for identification.
Social Engineering
Want a story? Pick One:
• Physical access to Fortune 100 company headquarters.
• Password disclosure almost cost someone their retirement.
• Police help me carry out an attack.
• I don’t really work for NSP.
• 60% of bank’s employees give us their domain usernames and
passwords.
Thank you!
Questions?
Evan Francen, CISSP CISM
President – FRSecure
evan@frsecure.com
952-467-6384
Keyword Density Evolution: Elevating SEO Excellence, Leading as Top SEO Agenc...Keyword Density Evolution: Elevating SEO Excellence, Leading as Top SEO Agenc...
Keyword Density Evolution: Elevating SEO Excellence, Leading as Top SEO Agenc...
Barrownz.in
 
SEO For Interior Designers In Delhi.pdf
SEO For Interior  Designers In Delhi.pdfSEO For Interior  Designers In Delhi.pdf
SEO For Interior Designers In Delhi.pdf
SEOServicesinDelhi
 
Solar Panel For Home Price List In india
Solar Panel For Home Price List In indiaSolar Panel For Home Price List In india
Solar Panel For Home Price List In india
janhaviconaxweb
 
Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
gaurisiddhivinayakte
 
USCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdf
USCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdfUSCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdf
USCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdf
Pin-iT Military Uniform Tools
 
DOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce ExcellenceDOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce Excellence
Himanshu
 

Recently uploaded (20)

WORK PERMIT IN NORWAY | WORK VISA SERVICE
WORK  PERMIT  IN  NORWAY | WORK VISA SERVICEWORK  PERMIT  IN  NORWAY | WORK VISA SERVICE
WORK PERMIT IN NORWAY | WORK VISA SERVICE
 
eBrand Promotion Full Service Digital Agency Company Profile
eBrand Promotion Full Service Digital Agency Company ProfileeBrand Promotion Full Service Digital Agency Company Profile
eBrand Promotion Full Service Digital Agency Company Profile
 
Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in RwandaBridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
Bridging the Language Gap The Power of Simultaneous Interpretation in Rwanda
 
All Trophies at Trophy-World Malaysia | Custom Trophies & Plaques Supplier
All Trophies at Trophy-World Malaysia | Custom Trophies & Plaques SupplierAll Trophies at Trophy-World Malaysia | Custom Trophies & Plaques Supplier
All Trophies at Trophy-World Malaysia | Custom Trophies & Plaques Supplier
 
Spanish Marriage Certificate Attestation in Dubai
Spanish Marriage Certificate Attestation in DubaiSpanish Marriage Certificate Attestation in Dubai
Spanish Marriage Certificate Attestation in Dubai
 
Satrya Jaya Mulia - Company Profile - 2024 - CS PROJECT.pptx
Satrya Jaya Mulia - Company Profile - 2024 - CS PROJECT.pptxSatrya Jaya Mulia - Company Profile - 2024 - CS PROJECT.pptx
Satrya Jaya Mulia - Company Profile - 2024 - CS PROJECT.pptx
 
Comprehensive Water Damage Restoration Services
Comprehensive Water Damage Restoration ServicesComprehensive Water Damage Restoration Services
Comprehensive Water Damage Restoration Services
 
x ray baggage scanner manufacturers in India
x ray baggage scanner manufacturers in Indiax ray baggage scanner manufacturers in India
x ray baggage scanner manufacturers in India
 
Greeting powerpoint slide for kids( 4-6 years old)
Greeting powerpoint slide for kids( 4-6 years old)Greeting powerpoint slide for kids( 4-6 years old)
Greeting powerpoint slide for kids( 4-6 years old)
 
The Best Premium IPTV Service Frane.docx
The Best Premium IPTV Service Frane.docxThe Best Premium IPTV Service Frane.docx
The Best Premium IPTV Service Frane.docx
 
Sustainable Solutions for Chemical Waste Disposal by Summerland Environmental...
Sustainable Solutions for Chemical Waste Disposal by Summerland Environmental...Sustainable Solutions for Chemical Waste Disposal by Summerland Environmental...
Sustainable Solutions for Chemical Waste Disposal by Summerland Environmental...
 
Best steel industrial company LLC in UAE
Best steel industrial company LLC in UAEBest steel industrial company LLC in UAE
Best steel industrial company LLC in UAE
 
Discover How Long Do Aluminum Gutters Last?
Discover How Long Do Aluminum Gutters Last?Discover How Long Do Aluminum Gutters Last?
Discover How Long Do Aluminum Gutters Last?
 
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptxTop Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
 
Keyword Density Evolution: Elevating SEO Excellence, Leading as Top SEO Agenc...
Keyword Density Evolution: Elevating SEO Excellence, Leading as Top SEO Agenc...Keyword Density Evolution: Elevating SEO Excellence, Leading as Top SEO Agenc...
Keyword Density Evolution: Elevating SEO Excellence, Leading as Top SEO Agenc...
 
SEO For Interior Designers In Delhi.pdf
SEO For Interior  Designers In Delhi.pdfSEO For Interior  Designers In Delhi.pdf
SEO For Interior Designers In Delhi.pdf
 
Solar Panel For Home Price List In india
Solar Panel For Home Price List In indiaSolar Panel For Home Price List In india
Solar Panel For Home Price List In india
 
Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
 
USCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdf
USCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdfUSCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdf
USCG Quick Guide For Uniform Medals and Ribbons wear and placement.pdf
 
DOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce ExcellenceDOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce Excellence
 

Managing Risk or Reacting to Compliance

  • 1. Protecting Financial Information – Managing Risk or Reacting to Compliance. Evan Francen, CISSP CISM, FRSecure President. March 27th, 2014
  • 2. Topics
    • Introduction: Evan Francen, FRSecure
    • Compliance – Reactive
    • Risk – Proactive
    • Real World Examples & Guidance
    • Social Engineering
  • 3. Introduction – Evan Francen: aka “The Truth”
  • 4. Introduction – Evan Francen: Security Guy
  • 5. Introduction – Evan Francen: Weird – Different
  • 6. Introduction – Evan Francen: For real…
    • 20+ years of information security experience
    • Co-founded FRSecure in 2008
    • Worked with organizations of all sizes, including Wells Fargo, US Bank, UnitedHealth, ADP, St. Jude, etc.
    • Risk Management, Security Program Development, Social Engineering, Mentoring, and the projects nobody else wants to do.
  • 7. Introduction – FRSecure
    • Information Security Management company. It’s all we do.
    • Methodology – Develop, use, and share methodologies for a variety of information security projects.
    • Project Leaders – All of our project leaders have more than 15 years of information security experience, from Fortune 100 to SMBs.
    • Fully Transparent – Empowers our clients to do what we do.
    • Product Agnostic – Recommendations stand on their own, with no ulterior motive.
  • 8. Compliance – What is compliance?
  • 9. Compliance – What is compliance?
    • Is there any such thing as “GLBA Compliant” or “HIPAA Compliant”? If so, who certifies such things?
    • Isn’t “compliance” just doing what the last auditor told you to do? Is what the last auditor told you to do the right thing for you to do?
  • 10. Compliance – Are compliance and security the same thing?
    • Many people believe so.
    • The right answer is NO.
    • Information security is the use of Administrative, Physical and Technical controls to protect the Confidentiality, Integrity, and Availability of data.
  • 11. Risk – Are we ever “secure”?
    • It depends. Right? No matter what we do with protection, there will always be a risk associated with unauthorized disclosure, alteration, or destruction of data.
    • “Secure” is a relative term.
    • Effectively managing security comes down to managing risk.
  • 12. Risk – Some risks are acceptable and others are not.
    • What is risk?
    • Risk is not intuitive. (more on this later)
    • Risk = the likelihood of something bad happening + the impact if the bad thing happened.
    • Risk decisions are management decisions.
  • 13. Risk – Risk Decisions
    • Risk Acceptance
    • Risk Avoidance
    • Risk Mitigation
    • Risk Ignorance
  • 14. Risk – Risk is Not (always) Intuitive
    • Who is at higher risk of an earthquake, San Francisco or Boston? Turns out that the risk is essentially the same.
    • In general:
    • People exaggerate spectacular but rare risks and downplay common risks.
    • People have trouble estimating risks for anything not exactly like their normal situation.
    • Personified risks are perceived to be greater than anonymous risks.
    • People underestimate risks they willingly take and overestimate risks in situations they can’t control.
    • People overestimate risks that are being talked about and remain an object of public scrutiny.
  • 15. Compliance & Risk
    • Compliance is based on doing what you’re told. Risk is based on likelihood and impact.
    • Compliance is reactive. Managing risk is proactive.
    • Compliance is more costly. Managing risk allows cost/benefit analysis.
    • Compliance is the letter of the law. Managing risk is the intent of the law.
  • 16. Real Life Examples – Large Healthcare Organization
    • Audit conducted in 2012. Told they needed SIEM and DLP. Spent $600,000 on new technology. Compliant!
    • Greatest (technical) risk was use of unencrypted mobile devices. Cost to mitigate: $600,000.
    • Products are not configured or fully utilized. Breach occurs in 2013 – stolen laptop. Over $3,000,000 in costs.
    • Over $3,600,000 spent. Greatest risk still exists.
  • 17. Real Life Examples – Target
    • Audited regularly & constantly. Spend millions on compliance. Spend millions on technology. Compliant!
    • Were any of these a significant risk?
    • Vendor risk management
    • Information security reporting structure
    • Alerting & monitoring processes
    • SOC processes and training
    • Incident response processes
    • Millions of dollars spent. Greatest risk? Last quarter profit down 46%. Estimated costs to exceed $1,000,000,000.
  • 18. Social Engineering
    • Social Engineering is exploitation of the human factor in security; tricking a person into giving you information that could benefit you, but bring them harm.
    • Social Engineering is by far the most effective method of gaining unauthorized access to information. We know this, and so do the bad guys.
  • 19. Social Engineering – Email Attacks (Phishing)
    • Did You Know: There were more than 74,000 unique phishing campaigns discovered during Q2/2013, leveraging over 110,000 hijacked domains and targeting more than 1,100 brands.
    • Tricking you into going to a website that looks legitimate, and convincing you to log in (or disclose other information).
    • Has a 60 – 70% success rate.
    • How to Avoid Phishing Scams – http://apwg.org/resources/overview/avoid-phishing-scams
  • 20. Social Engineering – Email Attacks (Malicious Attachments)
    • Did You Know: A recent study shows that 30 percent of Americans will open emails, even when they know the message is malicious.
    • Tricking you into opening (or downloading/opening) a file that appears to be legitimate, but is in fact malicious.
    • Has a 30 – 40% success rate.
    • Don’t have blind trust in your anti-virus software. If you aren’t expecting an attachment, don’t open it. If you’re not sure, call the person who sent it to you and ask.
  • 21. Social Engineering – Telephone Attacks
    • Did You Know: Most social engineering attacks go unreported by the victim.
    • Tricking you into divulging sensitive information over the phone.
    • People like helping other people, something that an attacker can exploit to receive sensitive information.
    • Success rate varies greatly.
    • If you receive a social engineering phone call, ask them for their name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold.
  • 22. Social Engineering – Physical Attacks
    • Did You Know: Physical social engineering attacks can result in physical damage to the facility and safety dangers.
    • Tricking you into giving physical access to a restricted area.
    • Physical social engineering attacks require a bold attacker with a very focused agenda.
    • Success rate varies greatly.
    • If you can help it, don’t hold the door for others, especially those you don’t recognize. It’s OK to ask someone you don’t know if you can help them, or to ask for identification.
  • 23. Social Engineering – Want a story? Pick one:
    • Physical access to Fortune 100 company headquarters.
    • Password disclosure almost cost someone their retirement.
    • Police help me carry out an attack.
    • I don’t really work for NSP.
    • 60% of a bank’s employees give us their domain usernames and passwords.
  • 24. Thank you! Questions? Evan Francen, CISSP CISM, President – FRSecure. evan@frsecure.com, 952-467-6384