
IT Security/Online Loss Prevention


Presentation Transcript


  1. IT Security/Online Loss Prevention Bill Finnerty Assistant Director of Information Technology Cumberland County

  2. What is your gender? • Female • Male

  3. What age group do you fall into? • 25 or less • 26 to 35 • 36 to 45 • 46 to 55 • 56 or more

  4. I am confident in my organization’s IT security • Strongly Agree • Agree • Neutral • Disagree • Strongly Disagree

  5. Do you have Cyber Liability Insurance? • Yes • No

  6. Who is the average hacker? • Age – 16 to 19 • Gender – 90% male • Residence – 70% United States • Spend an average of 57 hours working on a computer a week • Knows C, C++, or Perl

  7. Who is the hacker? • Albert Gonzalez • Cody Reigle • Stephen Watt • Kevin Mitnick 1) 2) 3) 4)

  8. How much would you be willing to pay for a security assessment? • Less than $10k • $10k to $30k • $30k to $50k • More than $50k

  9. Online Fraud • 2009 • Over $560 million lost in online fraud • Zeus botnet is able to overwrite online bank reports to cover fraud trail • FBI investigates Citibank hack by Russian organized crime • 2010 • Zeus botnet adds licensing module and automatic notification via IM • 2011 • Zeus, SpyEye, Carberp, Gozi and Patcher • Most exploits sold in online black markets for $5000 or less

  10. Cumberland County Redevelopment Authority Hack • September 22, 2009 • $479,000 lost • Attack mechanism • Clampi Virus • Replaced banking website with maintenance message • Used remote session to access the bank account • Used Electronic Fund Transfers to quickly move money

  11. Hacktivism • Motivation – political • Groups • Anonymous • LulzSec • AntiSec • Tools • website defacement • distributed denial of service attacks • information theft

  12. Breach of Personal Information Notification Act § 2303. Notification of breach An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person … notice shall be made without unreasonable delay

  13. What can we learn from a 3,000 year old Irish fort about IT security? • Defense in depth • The key is to have enough warning and delays to be able to react

  14. Physical Security • Physical access to computers and computer equipment is a

  15. Perimeter Security • Firewall • Intrusion Prevention • Email gateway • Web proxy server

  16. Internal Security • Anti-virus, Anti-malware, Anti-spam, etc. • Desktop firewall • Host-based intrusion detection • Permissions

  17. IT Security Policy • Cover what is needed for your environment • Email • Internet access • Social media • Hardware • Software • Anti-virus, Anti-malware, Anti-spam • Use plain English; these are not written for the legal and IT departments

  18. Does your organization regularly present IT security training? • Yes • No

  19. Security Training • Know your learners • Vary the delivery methods • Presentations • Video • Blogs • Contests • Gotcha training

  20. What type of bank(s) does your organization do business with? • Credit Unions • Regional • National

  21. Coordinating with your Business Partners • Establish a relationship with your bank's IT security staff • Service level agreements in contracts related to IT security

  22. Resources • Budget • Man hours • Internal vs. External

  23. Assessing IT Security Readiness • Industry standards • ISO 27001 and 27002 • NIST Special Publication 800-53A • PCI Security Standard • Independent external assessment • IT responsibilities • Business unit responsibilities • Remediation

  24. Questions
