Steve Peters, President - PowerPoint PPT Presentation

About This Presentation
Title:

Steve Peters, President

Description:

Steve Peters, President Community Information and Telecommunications Alliance Co Chair, Arizona Cyber Security Alliance Matt Hymowitz, Partner GMP Networks – PowerPoint PPT presentation

Slides: 31
Provided by: SteveP125

Transcript and Presenter's Notes

Title: Steve Peters, President


1
Steve Peters, President, Community Information and
Telecommunications Alliance; Co-Chair, Arizona
Cyber Security Alliance
Matt Hymowitz, Partner, GMP Networks; Co-Chair, Arizona Cyber
Security Alliance
2
This Presentation
  • Intro to the Arizona Cyber Security Alliance
  • Overview of cyber crimes and security threats
  • Tips to prevent compromise of your systems and
    information
  • Strategies to ensure business continuity and
    disaster recovery if they are compromised

3
Arizona Cyber Security Alliance
  • A project of CITA, Tucson's nonprofit Community
    Information and Telecommunications Alliance
  • This statewide security Alliance will help the
    Arizona community
  • understand the rising security threats
  • develop strategies to reduce personal, customer
    and business risks

4
  • Targeting
  • Small business and nonprofit executives
  • IT professionals
  • Home users
  • Includes large and small businesses, non-profits,
    law enforcement, government, and information
    technology and security professionals

5
Secure Computer
  • The only secure computer is one that is turned
    off, locked in a safe, and buried twenty feet
    down in a secret location--and I'm not completely
    confident of that one, either.
  • BRUCE SCHNEIER, E-MAIL SECURITY: HOW TO KEEP YOUR
    ELECTRONIC MESSAGES PRIVATE (1995)
  • Internet crime is the fastest growing crime in
    the U.S.

6
Five Key Messages
  • The frequency and seriousness of threats are
    growing
  • Whether you have a single computer or a corporate
    network, you are at risk
  • Securing your system will help secure the
    Internet

7
Five Key Messages (2)
  • Information security is a core business
    requirement, not just a technology problem.
  • Don't rely just on hardware and software
    solutions. You also need to address
  • security policies and plans
  • employee awareness programs
  • insurance and legal issues
  • business continuity and disaster recovery plans
  • Hardware and software are essential, but people
    are the key

8
What is Vulnerable
  • Computer Systems
  • VoIP Phone systems
  • PDAs and cell phones
  • Wired and wireless networks
  • Xbox and Tivo
  • Internet Relay Chat, peer-to-peer networks,
    instant messaging
  • Web based applications and browsers
  • RFID Tags

9
Threats
  • Cyber Threats
  • Physical Threats
  • Internal Threats
  • External Threats
  • Intentional Threats
  • Unintentional Threats

10
Cyber Threats
  • Wired and Wireless Intrusions
  • Destructive worms, viruses and trojans
  • Spam and Spyware (keyboard and event logging)
  • Phishing, Identity Theft, and Fraud (Websites,
    URLs, Spoofing, Redirection)
  • Your computer as a bot to attack other computers
  • Applications and OS vulnerabilities
  • Denial of Service Attacks
  • Cyber terrorism
  • Ransomware

11
Cyber Threats (2)
  • Cyber attacks
  • Damage computers and destroy data
  • Monitor or interrupt communications
  • Provide access to private information
  • Monitor your computer and browsing behavior
  • Make your computer a bot to attack other
    computers
  • Deny access to your websites
  • Steal information and money
  • Support Cyber terrorism

12
Recent Trends
  • Professional cyber criminals, gangs, cyber
    terrorism
  • While past attacks were designed to destroy data,
    today's attacks are increasingly designed to
    silently steal data for profit without doing
    noticeable damage that would alert a user to their
    presence.
  • using bot networks
  • targeted attacks on Web applications and Web
    browsers
  • Targeted phishing attacks
  • Narrowly focused attacks aimed at specific
    companies
  • Growing Regulatory Compliance Requirements

13
Threats
  • Physical Threats
  • Fire, theft, natural disasters
  • Internal Threats (70% of crimes)
  • employee errors and attacks
  • disgruntled employees
  • opening attachments
  • downloading and use of unauthorized software
    (IM)
  • unauthorized use of computer systems
  • cyber loafing
  • wireless networks (rogue)
  • theft of systems and data

14
A Few Stats
  • Over 112,438 old and new viruses in 2004 -
    estimated $55 billion in business damages in
    2003
  • Arizona ranked No. 1 for identity theft in 2003
    with 6,832 reported cases
  • 70-80% of attacks are internal
  • 18 million phishing attempts in 2004
  • An unprotected computer could be compromised in
    less than 20 minutes after being connected to
    the Internet
  • E-mail messages that include a virus: 1 in 16
  • Spam: 73% of all e-mail

15
Question
  • What will happen to your business or organization
    if your communications are disrupted or your
    information is compromised or stolen?
  • Direct losses
  • Indirect Losses
  • Legal and Insurance issues
  • Will You Be Out of Business?

16
Why Should You Care?
  • Direct Losses
  • Operational and customer information
  • Network, computer and communications systems
  • Money

17
Indirect Losses
  • interrupted communications
  • reduced productivity and damage to operations
  • loss of potential sales, disrupted revenue flow
  • reduced customer confidence and negative branding
    impact
  • loss of competitive advantage
  • loss of goodwill
  • continuity and recovery expenses

18
Legal Exposure and Insurance
  • Failure to meet business obligations
  • Compromised confidential client information
  • Illegal user activity
  • Director liability
  • Losses not covered by insurance
  • Lack of business continuity and disaster recovery
    coverage
  • Regulatory Compliance
  • HIPAA, GLBA, SARBOX
  • Due diligence is the key

19
Security Technologies
  • Virus Protection
  • Hardware and Software Firewalls
  • Back-up Solutions
  • Managed Services - Outsourcing
  • Intrusion Detection Systems
  • Spyware protection programs
  • Encryption and Virtual Private Networks
  • Applications and OS patches
  • Content Filtering Inbound / Outbound

20
Security Checklist
  • Are You Protected?
  • Current antivirus protection updated daily
  • Firewalls (hardware/software) or Intrusion
    Detection Systems
  • Security patches for your software and OS
  • Spyware (2-3 programs)
  • Do not open unexpected e-mail attachments from
    strangers or acquaintances
  • Daily backups

21
Security Checklist (2)
  • Business assessment - can your business survive a
    security disaster?
  • Outside Security Assessments
  • Avoid legal liabilities for failure to exercise
    due diligence, to protect confidential
    information, or if you cannot fulfill business
    obligations
  • California's Data Breach Law SB 1386 and Privacy
    Laws
  • Gramm-Leach-Bliley Act
  • USA Patriot Act and the Bank Secrecy Act
  • HIPAA and Sarbanes-Oxley Act
  • CAN-SPAM Act

22
Security Checklist (3)
  • Ensure that your insurance coverage will cover
    business continuity, disaster recovery and legal
    costs
  • Physically secure your machines and backups from
    theft, fire and natural disasters
  • Designate an employee or a trusted vendor to be
    responsible for your Cyber Security, including
    updates
  • Know what normal computer, network and Internet
    behavior looks like so that you can tell what's
    abnormal
  • Control access to your systems and information

23
Security Checklist (4)
  • Use complex passwords (8-10 characters) and
    change them regularly (mYsEcrE1T)
  • Don't share passwords or post them on your
    computer
  • Log off when your computer is not being used
  • Disconnect from the Internet when you do not need
    to be online
  • Perform reference checks on new employees, and
    background checks for IT staff. Have employees
    sign a non-disclosure agreement
  • Turn OFF the Outlook "Preview Pane"

24
Security Checklist (5)
  • Clean up old machines before you dispose of them
  • Develop written plans and policies
  • Internet use
  • cyber and physical security
  • business continuity and disaster recovery
  • Provide regular security training and awareness
    programs for your employees
  • security strategies
  • employee responsibilities?

25
New Laws
  • The Gramm-Leach-Bliley Act
  • Provides for criminal and civil liability for
    businesses who do not adequately protect personal
    and financial information. Applies to any
    financial institution that provides financial
    products or services to consumers
  • Sarbanes-Oxley Act of 2002
  • Prevents destruction of documents relevant to
    audits of companies that report their financial
    information to the SEC
  • Regulation S-X requires accountants to retain
    certain records for a period of seven years after
    an audit or review of financial statements

26
New Laws (2)
  • Health Insurance Portability and Accountability
    Act
  • A covered entity may not use or disclose an
    individual's protected health information (PHI)
    to any person, including a business associate,
    except as permitted or required by the privacy
    rules.
  • A covered entity MUST secure individually
    identifiable information
  • USA Patriot Act Title III - Applies to Financial
    Institutions
  • Amended the Bank Secrecy Act regarding strict
    customer identification, retention of records for
    5 years after close of account, and checking
    terrorist lists every 2 weeks

27
  • California's Data Breach Law SB 1386
  • Requires companies to notify California residents
    of any actual or suspected breach of the security
    of the system that contains personal information
    - applies to any online business with California
    customers, even if the company is not based in
    California
  • California SB 27 - Shine the Light Bill
  • Gives consumers the right to ask what
    information an organization has about them and
    where it has been shared
  • California AB 68 - Online Privacy Protection
    Act
  • Commercial websites or online services that
    collect personal information on California
    residents must post and comply with a privacy
    policy

28
If you have an incident
Bottom Line
  • Protect Your Systems and Your Data
  • Advise Your Clients To Protect Their Systems and
    Your Data
  • Call a professional!
  • Keep all records
  • Logs
  • Dates, times, etc.
  • Freeze the machine(s Protect

29
1, 2, 3, 4
  • Whether you have a single computer or a corporate
    network you are at risk
  • Provide technology solutions - virus protection,
    firewalls, security patches, spyware programs
  • Develop written plans and policies
  • Provide regular security training and awareness
    programs for your employees

30
Contact Info
Steve Peters, Community Information and
Telecommunications Alliance, 520-321-1309,
stevepeters_at_tucsonlink.org
Matt Hymowitz, Partner, GMP Networks, 520-577-3891
x11, mhymowit_at_gmpnet.net