I
NFORMATIONS
ECURITY FOR YOURA
GENCYPresenter:
Chad Knutson
C
ONTACTI
NFORMATION Dr. Kevin Streff
Professor at Dakota State University Director - National Center for the
Protection of the Financial Infrastructure
Managing Partner at SBS kevin@protectmybank.com
Chad Knutson
Senior Information Security Consultant CISSP, CISA, CRISC
Phone: 605-480-3366
chad@protectmybank.com
D
AKOTA
S
TATE
N
ATIONALLY
R
ECOGNIZED
• National Security Agency
• Department of Homeland Security
• 4,000 universities in the country
• Only 100 named national centers in the past 10 years
D
AKOTA
S
TATE
U
NIVERSITY
S
UMMARY
Dakota State University is the only national
center of excellence focused on the security of banks
S
ECUREB
ANKINGS
OLUTIONS Information Security IT Risk Assessment Policy Development IT Audit Vulnerability Assessments Penetration Testing Social Engineering Financial Institutions www.protectmybank.com Community Banks & Credit Unions
Healthcare
A
GENDA What information security laws and regulations
apply to me?
What security threats exist in todays world that
I should be concerned about?
How can I protect my business?
C
YBERC
RIME– W
HO IS THE TARGET?
Cybercrime will eclipse terrorism – FBI Director …around 85% of cyber attacks are now targeting
small businesses – Whitehouse
70% of small business lack basic security
controls
Who has the data that cybercriminals want? Who are the least expecting targets?
Where might information security be the
weakest?
Where could a cybercriminal break in, where
H
ACKING MADE EASY Default Passwords http://cirt.net/passwords Hacking Tools http://sectools.org/ Caller ID Spoofing http://www.telespoof.com/freecall/agi Social Engineer Toolkit
I
NDUSTRYR
ISKA
SSESSMENT 9Sensitive Data
Size / Locat
ion
Lar ge/Met ro Sm all /RuralBusiness Health Financial
G
RAMM-L
EACH-B
LILEYA
CT(GLBA)
"develop, implement, and maintain a
comprehensive written Information Security Program containing administrative,
technical, and physical safeguards that are
appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue." - Safeguards Rule implement section 501(b) of GLBA (effective on July 1, 2001)
The law covers banks, savings and loans, credit
unions, insurance companies and securities
H
EALTHI
NSURANCEP
ORTABILITY ANDA
CCOUNTABILITYA
CT(HIPAA)
Security Rule requires covered entities to
maintain reasonable and appropriate
administrative, technical, and physical
safeguards for protecting e-PHI.
Specifically, covered entities must:
Ensure the confidentiality, integrity, and
availability of all e-PHI they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated
threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible
uses or disclosures; and
Ensure compliance by their workforce.
O
THERS
TATE& F
EDERALL
AWS Identify Theft Red Flags Rule Fair Credit Reporting Act
Fair & Accurate Credit Transactions (FACT) Act State Data Breach Notification Laws
P
ERSONALLYI
DENTIFIABLEI
NFORMATION Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (NIST 800-122 and Westport
“Personal Data”)
First name and last name or first initial and last name in combination with any one or more of the
following data elements that relate to such resident: (a) Social Security number; (b) driver's license
number or state-issued identification card number; or (c) financial account number, or credit… (Mass
S
ECURITY PROCESSPlan
I
NFORMATIONS
ECURITYP
ROGRAM15
Administrative
I
NFORMATIONS
ECURITYP
ROGRAM 16 Administrative Technical Physical • Malware Protection • Hardware Firewall • Software Firewall • Software Patching • Wireless Security • Unique User Accounts • Limited User Permissions • Data Encryption • Data Backup • Mobile Devices • Physical Security • Security Cameras • Motion Sensors • Receptionist • Secure Areas • Locked DoorsPolicy & Procedures
Agency
Risk
Assessment Response Incident Penetration Test Continuity Business Vulnerability Assessment Awareness Security Engineering Social IT Audit
ISP B
LUEPRINTPolicy & Procedures
Agency
Risk
Assessment Response Incident Penetration Test Continuity Business Vulnerability Assessment Awareness Security Engineering Social IT Audit
ISP B
LUEPRINTQ1
S
MALLB
USINESSI
NFORMATIONS
ECURITY:
T
HEF
UNDAMENTALS October 2009 NIST 7621 was released Assist small business management in
understanding how to provide basic security for their information, systems, and networks.
Provides commercially reasonable security
measures which will reduce the likeliness of a security incident.
Three basic areas which may reduce likeliness:
Absolutely Necessary (todays focus)
Highly Recommended Other Considerations
http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
1) M
ALWARE- V
IRUS, T
ROJANS, S
PYWARE If your networks access the internet, then you
2) H
ARDWAREF
IREWALL Most small businesses have a broadband (high
speed) internet connection which is always “on”. This leaves the network susceptible to network
attacks on a 24/7 basis from anywhere in the world.
3) S
OFTWAREF
IREWALL In addition to hardware firewalls, software
firewalls should be used on all workstations, mobile devices, and servers.
Software firewalls protect systems from each
other.
4) S
OFTWAREP
ATCHING All operating systems such as Microsoft
Windows, Apple OSX, and all distributions of UNIX/Linux have patches that need to be
installed on a regular basis.
Most software products require patches,
including Microsoft Office, Adobe, Java, QuickTime, Firefox.
These patches fix compatibility issues and
known security vulnerabilities, not applying them leaves you vulnerable.
5) B
ACKUPD
ATA Backing up your data protects it from numerous
threats:
Hackers destroying your computer Malware corrupting your data
Fire and other natural disaster destroying your
systems
Many other threats
Include all your critical data, backup often. Store a copy offsite.
Test your backup process to know you can
6)
PHYSICAL ACCESSS
ECURITY Secure each entrance point
Monitor areas for unauthorized people Escort visitors around the building
Secure documents, computers, servers from theft
25
Secure ?
7) W
IRELESSS
ECURITY Do not use wireless unless required for business Securely configure all wireless devices and
access points.
Most users implement with default settings
Default passwords - http://cirt.net/passwords
WEP encryption can be hacked in hours (WPA2) Security vulnerabilities in wireless technology
www.us-cert.gov/cas/techalerts/TA12-006A.html
Update wireless software and firmware
Users connect wireless devices to unsecured
8) S
ECURITYA
WARENESST
RAINING Employees should read security policies Employees should sign Acceptable Use
Agreement
Employees should receive training on security
threats: Malware Phishing Social Engineering Unauthorized Access 27 Phishing 15% Other Spam 74% Legitimate Email 11%
9) U
NIQUEU
SERA
CCOUNTS Users should have a unique login to all computers,
programs, and websites.
Users should not be administrators on their local
machine. If users can install software, then malware can install itself to the computer when clicked.
Complex passwords - the password Spring08 can be
cracked with on a normal computer in 24 seconds.
Secure Passwords - 73% of users share the passwords
which they use for online banking, with at least one
nonfinancial website.
If its easy to remember, its easy to guess. Try mnemonics
“Proud to be an American” + birth year = PtbaA0&91 0&91 where the & has been substituted for 8 and 0891 is backwards for 1980.
10) L
IMITA
CCESS TOD
ATA For all employees, provide access to only those
systems and only to the specific information that they need to do their jobs.
Do not allow a single individual to both initiate
and approve a transaction (financial or otherwise).
Limited access reduces the exposure of data to
malware and hackers. Also reduces the impacts of malicious insiders.
11) E
NCRYPTP
ERSONALLYI
DENTIFIABLEI
NFORMATION Identify where in your institution you have
personally identifiable information.
When that information leaves your institution,
assess whether or not you have encrypted that data during transmission or storage.
Common systems needing encryption are:
Company Website Email
Offsite backup tapes Laptops
Mobile phones / Tablets / iPads
12) D
OCUMENTEDI
NFORMATIONS
ECURITYP
OLICY Document the process of how risks to personally
identifiable information will be assessed.
Document specific controls implemented to
protect this information.
Document auditing and testing procedures used
to validate your security policy.
Document acceptable use of information and
technology by employees.
Document how you will identify, contain, and
respond to a security incident; including
communication with third parties, regulators, authorities, and customers.
Document how you will recover from a disaster.
R
ESOURCES HIPAA Security Rule
33
Presenter:
Chad Knutson, Secure Banking Solutions chad@protectmybank.com
C
ONTACTI
NFORMATION Dr. Kevin Streff
Professor at Dakota State University Director - National Center for the
Protection of the Financial Infrastructure
Managing Partner at SBS kevin@protectmybank.com
Chad Knutson
Senior Information Security Consultant CISSP, CISA, CRISC
Phone: 605-480-3366
chad.knutson@protectmybank.com
