Title: Information Technology Security
1Information Technology Security
- Presented by
- Mike Russo, PMP, CISSP, CFE, CGEIT
- State Chief Information Security
- The Agency for Enterprise Information Technology
- State of Florida
2Overview
- What is Information?
- National Trends and Issues
- Current Hacks and Security Issues
- Florida's Response
- Policies, Rules and Guidelines
- Partnerships
3What is Information? Identify Your Risk?
- Paper
- Project Plans, Memos, Manuals, Phone Lists,
- Org Charts, Sensitive and Confidential Documents
- Electronic Data
- PCs, Laptops, Mainframes, Servers
- Palm Pilots, Cell Phones, iPhones, MP3s
- Diskette, CDs, Tape, Thumb Drives
- Conversation
- Discussions should be thoughtful, consider your
location, surroundings and individuals in your
midst
4Social Engineering
Employees
Social Engineering
Surveillance to gain access
Lack of physical security
5High Tech Vulnerabilities
Peer to Peer Sharing
Network Copy Machines, Faxes
Cell Phones, iPhones, MP3
Surfing the web, email
Wireless Router, Wireless Network
Thumb drives, CD/DVD Disk
6National Trends and Issues
- Malware, worms, and Trojan horses: These will
continue to spread by email, instant messaging,
malicious websites, and infected non-malicious
websites. Some websites will automatically
download the malware without the user's knowledge
or intervention. This is known as a drive-by
download. Other methods will require the users
to click on a link or button.
- Botnets and zombies: These threats will continue
to proliferate as the attack techniques evolve
and become available to a broader audience, with
less technical knowledge required to launch
successful attacks. Botnets designed to steal
data are improving their encryption capabilities
and thus becoming more difficult to detect.
- Scareware (fake/rogue security software): There
are millions of different versions of malware,
with hundreds more being created and used every
day. This type of scam can be particularly
profitable for cyber criminals, as many users
believe the pop-up warnings telling them their
system is infected and are lured into downloading
and paying for the special software to protect
their system.
7National Trends and Issues
- Attacks on client-side software: With users
keeping their operating systems patched,
client-side software vulnerabilities are now an
increasingly popular means of attacking systems.
Client-side software includes things like
Internet browsers, media players, PDF readers,
etc. This software will continue to have
vulnerabilities and subsequently be targeted by
various malware.
- Ransom attacks occur when a user or company is
hit by malware that encrypts their hard drives or
they are hit with a Distributed Denial of Service
(DDoS) attack. The cyber criminals then
notify the user or company that if they pay a
small fee, the DDoS attack will stop or the hard
drive will be unencrypted. This type of attack
has existed for a number of years and is now
gaining in popularity.
- Social Network Attacks: Social network attacks
will be one of the major sources of attacks in
2010 because of the volume of users and the
amount of personal information that is posted.
Users' inherent trust in their online friends is
what makes these networks a prime target. For
example, users may be prompted to follow a link
on someone's page, which could bring users to a
malicious website.
8National Trends and Issues
- Cloud Computing: Cloud computing is a growing
trend due to its considerable cost saving
opportunities for organizations. Cloud computing
refers to a type of computing that relies on
sharing computing resources rather than
maintaining and supporting local servers. The
growing use of cloud computing will make it a
prime target for attack.
- Web Applications: There continues to be a large
number of websites and online applications
developed with inadequate security controls.
These security gaps can lead to the compromise of
the site and potentially to the site's visitors.
- Budget cuts will be a problem for security
personnel and a boon to cyber criminals. With
less money to update software, hire personnel and
implement security controls, enterprises will be
trying to do more with less. By not having
up-to-date software, appropriate security
controls or enough personnel to secure and
monitor the networks, organizations will be more
vulnerable.
9National Trends and Issues
- Cybercrime costs American companies a median loss
of $3.8 million a year, according to a study
released by security firm ArcSight and the
Ponemon Institute, a privacy research
organization.
- The study was based on interviews with data
protection and IT practitioners from 45 U.S.
organizations from various sectors, who shared
details about the volume of threats they face
every day. Over a four-week period, these
companies experienced 50 successful attacks per
week. That's more than one successful attack per
organization per week.
- Losses to cybercrime ranged from $1 million on
the lower end to as much as $52 million, the
report said.
- Cybercriminals are increasingly focussing on
money, a new report suggests, and improved
organisation means that toolkits have been
developed to methodically infect PCs so that
illegally obtained information can be bought and
sold.
- In a survey by security firm AVG, 165 internet
domains were found to have attacked 12 million
visitors over the course of two months. More than
1.2 million computers were subsequently
infected.
10Current Hacks and Security Issues
- Infected USB drive blamed for '08 Military
cyber breach - 8.25.2010
- Malware spread undetected to both classified
and unclassified systems, essentially
establishing a digital beachhead from which
data could be transferred to servers outside the
U.S.
- Cameron Diaz is the most dangerous celebrity in
Cyberspace - 8.19.2010
- McAfee Most Dangerous
Celebrities study found movie stars and models
top the "most dangerous." Cybercriminals often
use the names of popular celebrities to lure
people to sites that are actually laden with
malicious software.
- A Threat Worse Than 9/11 - 8.12.2010
- Warns the nation's total dependence on our
automated infrastructure (electric grid, air
traffic control, manufacturing, and business) and
our national defense networks are dangerously
vulnerable to accelerated and insidious threats.
- Heartland Payment Systems - 1.20.2009 Largest
Breach to date
- A credit card processor with clients in Florida
said a massive data breach exposed the personal
information contained in more than 130 million
credit and debit card transactions in 2008.
- Security officials warn of worm spread via USB
drives - 1.13.2009
- A worm that took advantage of un-patched
Microsoft Windows machines last week has sparked
some security professionals to speculate
cybercriminals may be preparing for a
"large-scale attack."
11Largest Incidents
- 100,000,000 2009-01-20 Heartland Payment Systems
- 17,000,000 2008-10-06 T-Mobile, Deutsche
Telekom
- National Information Services
- 11,000,000 2008-09-06 GS Caltex
- 12,500,000 2008-05-07 Archive Systems Inc, Bank
of New York Mellon
- 25,000,000 2007-11-20 HM Revenue and Customs,
TNT
- 8,500,000 2007-07-03 Certegy Check Services
Inc, Fidelity
- 8,637,405 2007-03-12 Dai Nippon Printing
Company
- 94,000,000 2007-01-17 TJX Companies Inc.
- 26,500,000 2006-05-22 U.S. Department of
Veterans Affairs
- 40,000,000 2005-06-19 CardSystems, Visa,
MasterCard, American Express
- 145,000 2005-02-15 ChoicePoint
- 30,000,000 2004-06-24 America Online
- (http://datalossdb.org)
12http://www.privacyrights.org/
13YTD Incidents by sector
- Outsider Incidents 52
- Insider Incidents 25
- September 2010 Data found at http://datalossdb.org
- To date: Over 510,544,441 Million Identities Compromised
14Reality Check
- Survey: 81 Percent of U.S. Firms Lost Laptops
with Sensitive Data in the Past Year
(Computerworld)
- "Security, like correctness, is not an add-on
feature." (Andrew S. Tanenbaum)
- "The user's going to pick dancing pigs over
security every time." (Bruce Schneier)
15Florida's Response Security Triad
- 1998 - Florida's Computer Crime Center
established within FDLE
- 1999 - Technology Office created within DMS
- 2001 - Office of Information Security was created
- 2002 - Legislature established the Florida
Infrastructure Protection Center (FIPC)
- 2002 - State of Florida includes Cyber in
Domestic Security Strategy
- 2003 - Federal Government includes Cyber in
Homeland Security Strategy
- 2007 - Legislature established the Agency for
Enterprise Information Technology
16The Florida Computer Crime Center
- The Center has a statewide mission to
investigate complex computer crimes, assist with
regional investigations, train investigators,
disseminate information to the public, and
proactively work to identify computer criminals
to prevent future crimes.
17www.secureflorida.org
- Secure Florida developed
www.secureflorida.org, a website that provides
citizens and businesses with tools to harden
their own computer networks and information.
- Secureflorida.org is truly a one-stop shop for
computer-related information, news, and security
for every Floridian's home or business.
- Secureflorida.org is continually updated with the
latest information on security breaches, viruses,
worms, and e-mail scams.
19Florida Infrastructure Protection Center (FIPC)
- The FIPC has three components
- Analysis and Warning Point
- Computer Incident Response Team (CIRT) and
Computer Security Incident Response Teams
(CSIRTs)
- Secure Florida
21Florida's Domestic Security Strategy Goals
- Prevent, preempt and deter acts of terrorism
- Prepare for terrorism response mission
- Protect Florida's citizens, visitors and critical
infrastructure
- Respond in an immediate, effective, and
coordinated manner, focused on the victims of an
attack
- Recover quickly and restore our way of life
following a terrorist act
22Office of Information Security
23- Templates Links to our partners via our website
http://aeit.myflorida.com
24Office of Information Security
- 2010 Information Security Strategic Focus Areas
- Policies, Procedures and Rules
- Training for Information Security
Managers/Officers
- Domestic Security Coordination and Outreach
- Risk Assessments and Security Audits
- Incident Response
- Survivability Planning
25Office of Information Security
- Policy/Rule
- Florida Law - F.S. 282.318
- Information Security Policies
- Information Security Guidelines
- Security Rule
26Office of Information Security
- Risk Management/Audit
- Baseline Audit
- Risk Assessment NIST 800-30
- HIPAA Security Rule/PCI Compliance
- Security Tools
- CSIRT Coordination
- FISMA/FIPS/NIST
27Enterprise Risk Management
- 1999 SAIC IT Audit
- 2002 Tru-Secure Assessment
- 2005 Comprehensive Risk Assessment
- 2008 Agency Managed Risk Assessment
- Goal - Protect the organization and its ability
to perform its mission. Focus is Mission, not IT
assets. Therefore, risk management is an
essential management function of the
organization.
28Common Findings
- Poor Security Awareness Training
- Poor Access Control to Network and Information
- Poor Patch Management
- Poor Server Hardening
- Absence of COOP/ITDRP
- Absence of Event Log Management and Monitoring
- Poor Contractual Requirements
- Poor Background Check Process
- Risk Mitigation
- Senior management and functional and business
managers ensure that the most appropriate
controls are implemented to enable required
mission capability
29Office of Information Security
- Training/Consulting
- CSIRT Training
- Advanced Incident Training
- CISSP Certification
- Basic/Advanced Ethical Hacking
- Cyber Defense Prevention and Response
- Wireless LAN Design and Deployment
- Cyber Security Webcast
- CISA Certification
- ISM Monthly Training
- Cyber Academy
30Office of Information Security
- Domestic Security Coordination
- Domestic Security Law Enforcement Terrorism
Prevention Committee State CISO
- Domestic Security Oversight Council
- Executive Committee MS-ISAC Council
- Cyber Center - Equipment
- Risk Assessments All Agencies
- Tools
- Physical Security
- Homeland Security Portal Florida ISAC
31Security Guidelines
- Information Security Policy Guidelines
- 11 Core guides
- Guidelines for Risk Management in Florida
- CSIRT Agency Guidelines and Template
- Information Technology Disaster Recovery Plan
Guidelines and Checklist
- Information Security Managers Handbook
32Office of Information Security
- Incident Response and Survivability
- CSIRT Lead
- ITDRP Minimum Standards
- IT Disaster Recovery Template
- IT Disaster Recovery Checklist
- Based on Industry Standards
- COOP
- COG
33Partnerships
- Department of Homeland Security
- Florida's Domestic Security Task Forces
- CIO Council
- FDLE's Computer Crimes Center
- InfraGard
- Multi-State ISAC
- US-CERT
- Florida ISAC
- Private Industry
- Small Businesses
36http://www.fdle.state.fl.us/bsafe/
37Local Government Guides
- Internet Acceptable Use Policy Template
- Erasing Information and Disposal of Electronic
Media
- Beginner's Guide to Firewalls
- Cyber Security Getting Started
38Office of Information Security
39Florida's Future
- Improvements in
- Executive level Education
- Training
- Security Awareness
- CSIRT development
- Risk Assessments
- Notification and Mitigation
- Room to improve
- Data Classification
- Application and Website Security
- Certification and Accreditation of data systems