With the new interconnected age comes new risks for cyber attacks and other fraudulent activity. Do you know what you need to keep your end users protected? Digital Insight discusses security and compliance in the interconnected age.
3. Introduction
Alan Akahoshi is a lead security product manager at Digital Insight. With 22 years of network communication, applications and security experience, Alan has safeguarded systems for the nation's leading technology companies. His previous roles include program manager for Microsoft's hosted services group, and product manager for Symantec's consumer business unit.
4. Agenda
• The Internet of Everything (IoE)
– Ecosystem
• FFIEC Guidelines for your customer digital channel
– Coverage
• A security model for protecting your Customer
– Closing the gap
5. Poll Question 1: Current Events
Have you ever received an email from your refrigerator or television set?
a. Yes
b. No
c. Is that possible?!
6. >750K malicious emails sent by botnet. It's enough to give you chills.
"In this case, hackers broke into more than 100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centers, televisions, and at least one refrigerator, Proofpoint says. They then used those objects to send more than 750,000 malicious emails to enterprises and individuals worldwide."
8. IoE = User x (Devices x Networks x Services)
The connected state or the "Internet of Everything":
– Devices
– Networks (Places)
– Services (Transactions/Interactions)
(Diagram: "Data" labelled on each link between the user, devices, networks and services.)
10. Cyber Security is the biggest concern
Source: http://www.businessinsider.com/the-internet-of-everything-2014-slide-deck-sai-2014-2?op=1
11. • "Six degrees or less," you are connected to a vulnerable element in the IoE ecosystem.
For Financial Institutions, Security must extend beyond your purview.
(Diagram: the chain of connections from "you" to online banking (OLB), ending in "Gotcha!")
12. And the effects may be devastating
• The Heartbleed bug is a vulnerability in the OpenSSL cryptographic software library that had existed since 2012 and was not uncovered until April 2014.
Reputation takes years to build, and only moments to lose.
In IoE, controlling borders and layering security isn't enough. You need to dramatically change your security strategy.
14. In a highly regulated industry, how do you respond to IoE?
• Federal rules and regulations
– Federal Reserve Board
• Regulation E (Electronic Fund Transfers, 12 CFR 205)
– Uniform Commercial Code
• Article 4A, Funds Transfer (2012)
– Dodd-Frank Wall Street Reform and Consumer Protection Act
• The FFIEC prescribes recommendations for federal examinations of financial institutions.
– E-Banking
– Information Security
– Supplement in 2011
15. FFIEC Internet Banking Guidelines (2011)
• 2001: Electronic Banking
• 2005, 2011: Internet Banking
• What does it protect?
– Customer data (privacy)
– Fund movement (anti-fraud)
• How does it protect?
– Periodic risk assessments
– Multi-factor authentication
– Layered security controls
• Access controls (limits)
• Monitoring
– Customer awareness
17. Financial Institution Best Practices
How do you provide an effective and secure digital banking experience?
18. Please select the best statement that applies to your institution:
a. The security of my solution is most important.
b. The security of my solution is important, but it should minimally impact my customer user experience.
c. My customer user experience is most important.
Poll Question 2 : Security vs. Ease of Use
19. • Includes Prevention
• Includes Monitoring
• Includes Remediation
• Is multi-faceted, multi-layered to provide maximum protection – a system of redundancy
An effective security program framework
(Diagram: Prevention, Monitoring, Remediation)
20. • In order to secure the online and mobile banking ecosystem, you need to consider the multiple layers and what it is you are protecting.
• Adopt solutions using the “lenses” of your security program – Prevention, monitoring and remediation
User protection
• User credentials
• User devices
• User applications
• User assets ($)
• Malware detection/removal
Network protection
• Network providers (public, private, mobile)
• Data exchange (privacy encryption)
Service protection
• Online banking applications
• Mobile banking applications
• Data handling and storage (privacy)
• Service availability
Business protection
• Employees
• Business assets ($)
• Data governance
Protection layers in order to manage risk
21. • Identity Verification (Account Origination)
– Required by Section 326 of the USA Patriot Act (FFIEC 2005)
– Reduce the risk of
• Identity theft
• Fraudulent account applications (international money laundering and terrorist financing)
• Unenforceable account agreements or transactions
• User Verification (Authentication, Authorization and Access Control)
– Layered “what you can see” & “what you can do”
– Reduce the risk of
• Unauthorized account access (privacy; protecting data)
• Account takeover
• Fraudulent activity
Prove you are who you say you are
(Diagram: P / M / R across the User, Network, Service and Business layers)
22. • User verification methods
– Something the user knows
• “Shared secret”, password, PIN
– Something the user has
• ATM card, smart card, scratch card
• Mobile device, FOB token, USB token
– Something the user is
• Biometric hardware (fingerprint, face, voice, retinal/iris, etc.)
– Other factors that complement authentication
• User device identification
• User location / network
• User internet protocol address
Authentication, Authorization and Access Control
23. • Layered Security Controls
– Measure the level of risk and match protection methods
• Consumer Banking
– Accessing banking account information
– Accessing personal account information
– Money movement activity
• Bill payment
• Intrabank funds transfers
• Interbank funds/wire transfers
• Business Banking
– Frequent, higher-dollar money movement activity
• ACH file origination
• Frequent interbank wire transfers
Not all online activity or actions are equal
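The two slides above describe the factor categories (know / have / is, plus device, location and IP as complementary signals) and the idea that protection should scale with the risk of the action. The block below is an added example, not code from the Digital Insight deck or any vendor product: it implements the "something the user has" factor as an RFC 6238 time-based one-time code, then maps activities to constructed risk tiers and uses the complementary signals to raise the tier and demand step-up authentication. The tier numbers, the activity names, the `SessionContext` fields and the policy table are all assumptions chosen for illustration.

```python
"""Layered authentication: factor categories (know / have / is) and activity
risk tiers combined into a step-up policy.

Added example, not code from the Digital Insight deck. Tier names, thresholds,
the policy table and the session contexts are constructed for illustration.
The one-time-code arithmetic follows RFC 4226 (HOTP) and RFC 6238 (TOTP)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# --- "Something the user has": a time-based one-time code -------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) = HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps (clock
    drift); constant-time comparison avoids leaking which digits matched."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * 30), submitted)
        for k in range(-window, window + 1)
    )

# --- Activity risk tiers: not all online actions are equal ------------------

# Constructed mapping; a real institution sets these from its risk assessment.
ACTIVITY_TIER: Dict[str, int] = {
    "view_balance": 1, "view_profile": 1,
    "bill_pay": 2, "intrabank_transfer": 2,
    "interbank_wire": 3, "ach_file_origination": 3,
}

KNOW, HAVE, IS = "know", "have", "is"   # factor categories

# Constructed policy: which factor categories each tier must present.
TIER_REQUIREMENTS: Dict[int, FrozenSet[str]] = {
    1: frozenset({KNOW}),
    2: frozenset({KNOW, HAVE}),
    3: frozenset({KNOW, HAVE, IS}),
}

@dataclass(frozen=True)
class SessionContext:
    factors_presented: FrozenSet[str]   # categories already satisfied this session
    device_known: bool                  # device identification matched an enrolled device
    country: str                        # geo-location / network of the request
    home_country: str                   # country on file for the customer
    ip_on_deny_list: bool               # IP address reputation hit

def risk_tier(activity: str, ctx: SessionContext) -> int:
    """Base tier from the activity, raised one step per complementary-signal mismatch."""
    tier = ACTIVITY_TIER[activity]
    if not ctx.device_known:
        tier += 1
    if ctx.country != ctx.home_country:
        tier += 1
    return min(tier, 3)

def authorize(activity: str, ctx: SessionContext) -> Tuple[str, FrozenSet[str]]:
    """Return ("allow" | "step_up" | "deny", factor categories still missing)."""
    if ctx.ip_on_deny_list:
        return "deny", frozenset()
    missing = TIER_REQUIREMENTS[risk_tier(activity, ctx)] - ctx.factors_presented
    return ("allow" if not missing else "step_up"), missing
```

A password-only session can view a balance but is told to step up (present a "have" factor such as a TOTP code) before paying a bill; the same bill payment from an unrecognised device is raised to the wire tier and asks for a biometric as well. Learning from a deny-listed IP is deliberately short-circuited before any factor is evaluated.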
25. What is your greatest mobile security concern? (Select one)
a. Application security
b. Device data leakage
c. Device loss or theft
d. Malware attack
Poll Question 3 : Mobile Risk
26. • Mobile devices, the networks they connect to, the services they access, and the data shared…
– 63% of smartphone users access their bank or credit union institution
– 61% of smartphone owners who don’t use mobile banking cite “security” issues
• Mobile Apps vs Mobile Web
• Secure communication channel (data privacy)
• Complex device identification, geo-location and reputation
– Assurance to tie this to a user
– Monitoring
Mobile is personal, an extension of You
Source: Deloitte, May 2014, Mobile Financial Services: Raising The Bar on Customer Engagement
27. • It’s never a question of ‘if’ I get hacked, but ‘when’ I get hacked…
– Hackers are continuously finding and exploiting the weakest link
• Effective monitoring is key to detecting fraud and preventing attacks
• Complex analytics of user, device and system data, and behavioral modeling provide intelligent detection
• Mitigation processes
Hackers hack and they will continue to hack
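The slide above names the ingredients of monitoring (user, device and system data plus a behavioral baseline) without showing what a detection looks like. The block below is an added example, not code from the Digital Insight deck: it runs four simple behavioral rules (unrecognised device, change of country, transfer amount far above the user's baseline, and burst velocity of money-movement actions) over a constructed online-banking event log. The log format, user names, the placeholder country code "ZZ", and the thresholds are all constructed for illustration.

```python
"""Behavioral transaction monitoring over a constructed event log.

Added example, not code from the Digital Insight deck. The log format, rule
thresholds, user names and country codes are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set

MONEY_MOVEMENT = {"bill_pay", "intrabank_transfer", "interbank_wire", "ach_file_origination"}
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3          # money-movement actions within the window
AMOUNT_MULTIPLIER = 5.0     # flag amounts this many times the user's baseline mean

# Constructed sample log (not real customer data); "ZZ" is a placeholder country code.
SAMPLE_EVENTS = [
    "2014-06-02T09:00:00 user=alice device=dev-A ip_country=US action=login amount=0",
    "2014-06-02T09:01:10 user=alice device=dev-A ip_country=US action=bill_pay amount=120",
    "2014-06-02T10:00:00 user=bob device=dev-B ip_country=US action=login amount=0",
    "2014-06-02T10:02:00 user=bob device=dev-B ip_country=US action=intrabank_transfer amount=50",
    "2014-06-03T09:05:00 user=alice device=dev-A ip_country=US action=intrabank_transfer amount=300",
    "2014-06-04T02:14:00 user=alice device=dev-Z ip_country=ZZ action=login amount=0",
    "2014-06-04T02:15:30 user=alice device=dev-Z ip_country=ZZ action=interbank_wire amount=9500",
    "2014-06-04T02:16:00 user=alice device=dev-Z ip_country=ZZ action=interbank_wire amount=9400",
    "2014-06-04T02:17:00 user=alice device=dev-Z ip_country=ZZ action=interbank_wire amount=9300",
]

@dataclass
class Event:
    ts: datetime
    user: str
    device: str
    country: str
    action: str
    amount: float

@dataclass
class Profile:
    """Per-user baseline learned only from events that raised no alert."""
    trusted_devices: Set[str] = field(default_factory=set)
    trusted_countries: Set[str] = field(default_factory=set)
    amounts: List[float] = field(default_factory=list)
    recent_moves: Deque[datetime] = field(default_factory=deque)

@dataclass
class Alert:
    ts: datetime
    user: str
    action: str
    reasons: List[str]

def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), kv["user"], kv["device"],
                 kv["ip_country"], kv["action"], float(kv["amount"]))

def evaluate(ev: Event, p: Profile) -> List[str]:
    """Return the rule names the event trips against the user's profile."""
    reasons: List[str] = []
    if p.trusted_devices:   # a user's very first sighting is treated as enrollment
        if ev.device not in p.trusted_devices:
            reasons.append("new_device")
        if ev.country not in p.trusted_countries:
            reasons.append("geo_change")
    if ev.action in MONEY_MOVEMENT:
        if p.amounts and ev.amount > AMOUNT_MULTIPLIER * (sum(p.amounts) / len(p.amounts)):
            reasons.append("amount_anomaly")
        p.recent_moves.append(ev.ts)
        while p.recent_moves and ev.ts - p.recent_moves[0] > VELOCITY_WINDOW:
            p.recent_moves.popleft()
        if len(p.recent_moves) >= VELOCITY_LIMIT:
            reasons.append("velocity")
    return reasons

def run_monitor(lines: Iterable[str]) -> List[Alert]:
    """Replay the log in time order, alerting on anomalies and learning from clean events."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    alerts: List[Alert] = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: (e.ts, e.user)):
        p = profiles[ev.user]
        reasons = evaluate(ev, p)
        if reasons:
            alerts.append(Alert(ev.ts, ev.user, ev.action, reasons))
        else:
            # Learn only from clean events so a suspicious session cannot poison the baseline.
            p.trusted_devices.add(ev.device)
            p.trusted_countries.add(ev.country)
            if ev.action in MONEY_MOVEMENT:
                p.amounts.append(ev.amount)
    return alerts

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_EVENTS):
        print(a.ts.isoformat(), a.user, a.action, ",".join(a.reasons))
```

On the constructed log, bob's activity and alice's first three days stay quiet; the login from an unenrolled device in a new country is the first alert, each of the three wires adds an amount anomaly against her baseline of small transfers, and the third wire within ten minutes also trips the velocity rule. Keeping the baseline untouched while an event is under alert is the design choice that matters: it is what keeps the "new device" signal alive across the whole suspicious session.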
28. How do you provide customers/members with tools and tips to safeguard their online and/or mobile banking experience? (select all that apply)
a. Online Banking Application
b. Mobile Banking Application
c. Email
d. Text/SMS
e. In-Branch
f. Other
g. We do not provide any tools or tips
Poll Question 4 : Education Programs
29. • Customer Awareness & Education
– DOs and DON’Ts
– Alerts and Notifications
• Attacks, risks etc.
• Internal Training
Secure people, not just the technology
1. Be vigilant.
2. Protect your devices.
3. Protect your passwords.
• Create password groups.
4. Do not share your passwords.
5. Use trusted applications from known and trusted sources.
6. Access trusted websites.
7. Be careful of email content, even if it’s from a known person.
* Feb 1st – National Change Your Password Day
30. What you can do . . .
• Effective security strategy – elements for prevention, monitoring and remediation
• Multi-factor authentication
• Layered security controls
• Transaction monitoring
• Marketing programs for customer awareness and education
• Annual risk assessment
Security and Compliance Checklist