Information Technology Security

1
Information Technology Security

• Presented by
• Mike Russo, PMP, CISSP, CFE, CGEIT
• State Chief Information Security
• The Agency for Enterprise Information Technology
• State of Florida

2
Overview

• What is Information?
• National Trends and Issues
• Current Hacks and Security Issues
• Floridas Response
• Policies, Rules and Guidelines
• Partnerships

3
What is Information?Identify Your Risk?

• Paper
• Project Plans, Memos, Manuals, Phone Lists,
• Org Charts, Sensitive and Confidential Documents
  
• Electronic Data
• PCs, Laptops, Mainframes, Servers
• Palm Pilots, Cell Phones, I Phones, MP3s
• Diskette, CDs, Tape, Thumb Drives
• Conversation
• Discussions should be thoughtful, consider your
  location, surroundings and individuals in your
  midst

4
Social Engineering
Employees
Social Engineering
Surveillance to gain access
Lack of physical security
5
High Tech Vulnerabilities
Peer to Peer Sharing
Network Copy Machines Faxes
Cell Phones, I Phones MP3
Suring the web email
Wireless Router Wireless Network
Thumb drives, CD/DVD Disk
6
National Trends and Issues

• Malware, worms, and Trojan horses These will
  continue to spread by email, instant messaging,
  malicious websites, and infected non-malicious
  websites. Some websites will automatically
  download the malware without the users knowledge
  or intervention. This is known as a drive-by
  download. Other methods will require the users
  to click on a link or button.
• Botnets and zombies These threats will continue
  to proliferate as the attack techniques evolve
  and become available to a broader audience, with
  less technical knowledge required to launch
  successful attacks. Botnets designed to steal
  data are improving their encryption capabilities
  and thus becoming more difficult to detect.
• Scareware fake/rogue security software There
  are millions of different versions of malware,
  with hundreds more being created and used every
  day. This type of scam can be particularly
  profitable for cyber criminals -- as many users
  believe the pop-up warnings telling them their
  system is infected and are lured into downloading
  and paying for the special software to protect
  their system.

7
National Trends and Issues

• Attacks on client-side software - With users
  keeping their operating systems patched,
  client-side software vulnerabilities are now an
  increasingly popular means of attacking systems.
  Client-side software includes things like
  Internet browsers, media players, PDF readers,
  etc. This software will continue to have
  vulnerabilities and subsequently be targeted by
  various malwares.
• Ransom attacks occur when a user or company is
  hit by malware that encrypts their hard drives or
  they are hit with a Distributed Denial of Service
  Attack (DDOS) attack. The cyber criminals then
  notify the user or company that if they pay a
  small fee, the DDOS attack will stop or the hard
  drive will be unencrypted. This type of attack
  has existed for a number of years and is now it
  is gaining in popularity.
• Social Network Attacks Social network attacks
  will be one of the major sources of attacks in
  2010 because of the volume of users and the
  amount of personal information that is posted.
  Users inherent trust in their online friends is
  what makes these networks a prime target. For
  example, users may be prompted to follow a link
  on someone's page, which could bring users to a
  malicious website.

8
National Trends and Issues

• Cloud Computing Cloud computing is a growing
  trend due to its considerable cost saving
  opportunities for organizations. Cloud computing
  refers to a type of computing that relies on
  sharing computing resources rather than
  maintaining and supporting local servers. The
  growing use of cloud computing will make it a
  prime target for attack.
• Web Applications There continues to be a large
  number of websites and online applications
  developed with inadequate security controls.
  These security gaps can lead to the compromise of
  the site and potentially to the site's visitors.
• Budget cuts will be a problem for security
  personnel and a boon to cyber criminals. With
  less money to update software, hire personnel and
  implement security controls enterprises will be
  trying to do more with less. By not having
  up-to-date software, appropriate security
  controls or enough personnel to secure and
  monitor the networks, organizations will be more
  vulnerable.

9
National Trends and Issues

• Cybercrime costs American companies a median loss
  of 3.8 million a year, according to a study
  released by security firm ArcSight and the
  Ponemon Institute, a privacy research
  organization.
• The study was based on interviews with data
  protection and IT practitioners from 45 U.S.
  organizations from various sectors, who shared
  details about the volume of threats they face
  every day. Over a four-week period, these
  companies experienced 50 successful attacks per
  week. That's more than one successful attack per
  organization per week.
• Losses to cybercrime ranged from 1 million on
  the lower end to as much as 52 million, the
  report said.
• Cybercriminals are increasingly focussing on
  money, a new report suggests, and improved
  organisation means that toolkits have been
  developed to methodically infect PCs so that
  illegally obtained information can be bought and
  sold.
• In a survey by security firm AVG, 165 internet
  domains were found to have attacked 12 million
  visitors over the course of two months. More than
  1.2 million computers were subsequently
  infected.

10
Current Hacks and Security Issues

• Infected USB drive blamed for 08 Military
  cyber breach 8.25.2010
• Malware spread undetected to both classified
  and unclassified systems, essentially
  establishing a digital beachhead from which
  data could be transferred to servers outside the
  U.S
• Cameron Diaz is the most dangerous celebrity in
  Cyberspace 8.19.2010 McAfee Most Dangerous
  Celebrities study found movie stars and models
  top the "most dangerous. Cybercriminals often
  use the names of popular celebrities to lure
  people to sites that are actually laden with
  malicious software.
• A Threat Worse Than 9/11 8.12.2010
• Warns the nations total dependence on our
  automated infrastructureelectric grid, air
  traffic control, manufacturing, and businessand
  our national defense networks are dangerously
  vulnerable to accelerated and insidious threats.
• Heartland Payment Systems - 1.20.2009 Largest
  Breach to date
• A credit card processor with clients in Florida,
  said a massive data breach exposed the personal
  information contained in more than 130 million
  credit and debit card transactions in 2008.
• Security officials warn of worm spread via USB
  drives - 1.13.2009
• A worm that took advantage of un-patched
  Microsoft Windows machines last week has sparked
  some security professionals to speculate
  cybercriminals may be preparing for a
  "large-scale attack.

11
Largest Incidents

• 100,000,000 2009-01-20 Heartland Payment Systems
  
• 17,000,000 2008-10-06 T-Mobile, Deutsche
  Telekom
• National Information Services
• 11,000,000 2008-09-06 GS Caltex
• 12,500,000 2008-05-07 Archive Systems Inc, Bank
  of New York Mellon
• 25,000,000 2007-11-20 HM Revenue and Customs,
  TNT
• 8,500,000 2007-07-03 Certegy Check Services
  Inc, Fidelity
• 8,637,405 2007-03-12 Dai Nippon Printing
  Company
• 94,000,000 2007-01-17 TJX Companies Inc.
• 26,500,000 2006-05-22 U.S. Department of
  Veterans Affairs
• 40,000,000 2005-06-19 CardSystems, Visa,
  MasterCard, American Express
• 145,000 2005-02-15 ChoicePoint
• 30,000,000 2004-06-24 America Online
• (http//datalossdb.org)

12
http//www.privacyrights.org/
13
YTD Incidents by sector
Outsider Incidents 52 Insider Incidents
25
September 2010 Data found at http//datalossdb.or
g
To date Over 510,544,441 Million Identities
Compromised
14
Reality Check

• Survey 81 Percent of U.S. Firms Lost Laptops
  with Sensitive Data in the Past Year
  (Computerworld)
• Security, like correctness, is not an add-on
  feature." (Andrew S. Tanenbaum)
• "The user's going to pick dancing pigs over
  security every time. (Bruce Schneier)

15
Floridas Response Security Triad

• 1998 Floridas Computer Crime Center
  established within FDLE
• 1999 Technology Office created within DMS
• 2001 Office of Information Security was created
• 2002 Legislature established the Florida
  Infrastructure Protection Center (FIPC)
• 2002 - State of Florida includes Cyber in
  Domestic Security Strategy
• 2003 - Federal Government includes Cyber in
  Homeland Security Strategy
• 2007 Legislature established the Agency for
  Enterprise Information Technology

16
The Florida Computer Crime Center

• The Center has a statewide mission to
  investigate complex computer crimes, assist with
  regional investigations, train investigators,
  disseminate information to the public, and
  proactively work to identify computer criminals
  to prevent future crimes.

17
www.secureflorida.org

• Secure Florida developed
• www.secureflorida.org, a website that provides
  citizens and businesses with tools to harden
  their own computer networks and information.
• Secureflorida.org is truly a one-stop shop for
  computer-related information, news, and security
  for every Floridians home or business.
• Secureflorida.org is continually updated with the
  latest information on security breaches, viruses,
  worms, and e-mail scams.

18
(No Transcript)
19
Florida Infrastructure Protection Center (FIPC)

• The FIPC has three components
• Analysis and Warning Point
• Computer Incident Response Team and (CIRT) and
  Computer Security Incident Response Teams
  (CSIRTS)
• Secure Florida

20
(No Transcript)
21
Floridas Domestic Security Strategy Goals

• Prevention, preempt and deter acts of terrorism
• Prepare for terrorism response mission
• Protect Floridas citizens, visitors and critical
  infrastructure
• Respond in an immediate, effective, and
  coordinated manner, focused on the victims of an
  attack
• Recover quickly and restore our way of life
  following a terrorist act

22
Office of Information Security
23

• Templates Links to our partners via our website

http//aeit.myflorida.com
24
Office of Information Security

• 2010 Information Security Strategic Focus Areas
• Policies, Procedures and Rules
• Training for Information Security
  Managers/Officers
• Domestic Security Coordination and Outreach
• Risk Assessments and Security Audits
• Incident Response
• Survivability Planning

25
Office of Information Security

• Policy/Rule
• Florida Law - F.S. 282.318
• Information Security Policies
• Information Security Guidelines
• Security Rule

26
Office of Information Security

• Risk Management/Audit
• Baseline Audit
• Risk Assessment NIST 800-30
• HIPAA Security Rule/PCI Compliance
• Security Tools
• CSIRT Coordination
• FISMA/FIPS/NIST

27
Enterprise Risk Management

• 1999 SAIC IT Audit
• 2002 Tru-Secure Assessment
• 2005 Comprehensive Risk Assessment
• 2008 Agency Managed Risk Assessment
• Goal - Protect the organization and its ability
  to perform its mission. Focus is Mission, not IT
  assets. Therefore, the risk management is an
  essential management function of the
  organization.

28
Common Findings

• Poor Security Awareness Training
• Poor Access Control to Network and Information
• Poor Patch Management
• Poor Server Hardening
• Absence of COOP/ITDRP
• Absence of Event Log Management Monitoring
• Poor Contractual Requirements
• Poor Background Check Process
• Risk Mitigation
• Senior management and functional and business
  managers ensure that the most appropriate
  controls are implemented to enable required
  mission capability

29
Office of Information Security

• Training/Consulting
• CSIRT Training
• Advanced Incident Training
• CISSP Certification
• Basic/Advanced Ethical Hacking
• Cyber Defense Prevention and Response
• Wireless LAN Design and Deployment
• Cyber Security Webcast
• CISA Certification
• ISM Monthly Training
• Cyber Academy

30
Office of Information Security

• Domestic Security Coordination
• Domestic Security Law Enforcement Terrorism
  Prevention Committee State CISO
• Domestic Security Oversight Council
• Executive Committee MS-ISAC Council
• Cyber Center - Equipment
• Risk Assessments All Agencies
• Tools
• Physical Security
• Homeland Security Portal Florida ISAC

31
Security Guidelines

• Information Security Policy Guidelines
• 11 Core guides
• Guidelines for Risk Management in Florida
• CSIRT Agency Guidelines and Template
• Information Technology Disaster Recovery Plan
  Guidelines and Checklist
• Information Security Managers Handbook

32
Office of Information Security

• Incident Response and Survivability
• CSIRT Lead
• ITDRP Minimum Standards
• IT Disaster Recovery Template
• IT Disaster Recovery Checklist
• Based on Industry Standards
• COOP
• COG

33
Partnerships

• Department of Homeland Security
• Floridas Domestic Security Task Forces
• CIO Council
• FDLEs Computer Crimes Center
• InfraGard
• Multi-State ISAC
• US-CERT
• Florida ISAC
• Private Industry
• Small Businesses

34
(No Transcript)
35
(No Transcript)
36
http//www.fdle.state.fl.us/bsafe/
37
Local Government Guides

• Internet Acceptable Use Policy Template
• Erasing Information and Disposal of Electronic
  Media
• Beginners Guide to Firewalls
• Cyber Security Getting Started

38
Office of Information Security

• Pamphlets

39
Floridas Future

• Improvements in
• Executive level Education
• Training
• Security Awareness
• CSIRT development
• Risk Assessments
• Notification and Mitigation
• Room to improve
• Data Classification
• Application and Website Security
• Certification and Accreditation of data systems

40
(No Transcript)