Self-Assessment and Formulation of a National Cyber Security/CIIP Strategy: Culture of Security

Posted on 31-Dec-2015

DESCRIPTION

Self-Assessment and Formulation of a National Cyber Security/CIIP Strategy: Culture of Security. Presented to the Workshop on Capacity Building for Computer Emergency Readiness Team (CERT) for Africa, November 1-2, 2010, by Joseph Richardson, Senior Fellow, GMU-ICC. PowerPoint presentation.

TRANSCRIPT

Self-Assessment and Formulation of a National Cyber Security/CIIP Strategy: Culture of Security

The Self-Assessment: purpose

Snapshot of where the nation is

Educate participants

Identify strengths and weaknesses

Identify gaps

Allocate responsibilities

Establish priorities

Provide input to a national cyber security strategy

10/19/10

The self-assessment: audience

All participants – the ultimate target

• But to ensure national action, the self-assessment must be addressed to key decision makers in:

Government (executive and legislative)

Business and industry

Other organizations and institutions

Individuals and the general public

Key elements

Key Elements of a National Cybersecurity Strategy

Legal Framework

Culture of Cybersecurity

Incident Management

Collaboration and Information Exchange

The Self-Assessment: key elements

D. Culture of Security:

Develop security awareness programs for and outreach to all participants, for example, children, small business, etc.

Enhance science and technology (S&T) and research and development (R&D)

Other initiatives


Yael Weinman, Counsel for International Consumer Protection

Office of International Affairs, U.S. Federal Trade Commission

September 2010

A Cultural Shift: Cybersecurity Gets Personal

Federal Trade Commission

General jurisdiction consumer protection agency

Enforcement through federal district court and administrative litigation

Small agency

www.ftc.gov

Federal Trade Commission

Three-prong approach:

Individual Culture

Organizational Culture

FTC Enforcement

Components of Cybersecurity:

Privacy and Data Security

Spam

Spyware

Identity Theft

How the FTC Can Help:

Consumer and Business Education

Research and Consultation

International cooperation

Personal Culture

Privacy and Data Security

• It is every individual’s responsibility

• You don’t need computer expertise or to be a member of IT to ensure data privacy and security

Organizational Culture

Privacy and Data Security

• Build in privacy and data security from the ground up

• Privacy Impact Assessments

• Routine use of data security hardware and software

Enforcement

Privacy and Data Security

Personal Culture

Spam and Phishing

Don’t open unknown emails

Never open attachments unless you know the sender

Type URLs into the address bar rather than clicking

Don’t respond with account or personal information

Organizational Culture

Spam and Phishing

Let customers know how you will use their personal information, and stick to it

Know the rules on sending unsolicited commercial email (UCE)

Know how to communicate with your customers

Enforcement

Spam and Phishing

$2.5 Million court-ordered fine for weight loss spam

$413,000 fine under a settlement with an X rated website

Personal Culture

Spyware

Don’t install software from an unknown source on your computer

Be aware that games and other freeware can contain spyware

Maintain virus protection software

Organizational Culture

Spyware

A consumer’s computer belongs to him or her, not software distributors

Full disclosures must be clear and conspicuous

A consumer must be able to uninstall or disable downloaded software

Enforcement

Spyware

Zango: $3 million disgorgement

Seismic Entertainment

ERG Ventures

Identity Theft

Identity Theft Task Force

Strategy – 4 key areas

keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

assisting the victims of identity theft in recovering from the crime; and

deterring identity theft by more aggressive prosecution and punishment of those who commit the crime

Consumer and Business Education

Guidance to Business

Consumer Education

Communicating effectively

OnGuardOnline

En Español

Spam

Spyware

Identity Theft

"Protecting PERSONAL INFORMATION: A Guide for Business"

Five Key Principles

1. Take stock.

2. Scale down.

3. Lock it.

4. Pitch it.

5. Plan ahead.

Additional Resources

National Institute of Standards and Technology (NIST) Computer Security Resource Center. www.csrc.nist.gov

NIST’s Risk Management Guide for Information Technology Systems. www.csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Department of Homeland Security’s National Strategy to Secure Cyberspace. www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf

SANS (SysAdmin, Audit, Network, Security) Institute’s Twenty Most Critical Internet Security Vulnerabilities. www.sans.org/top20

United States Computer Emergency Readiness Team (US-CERT). www.us-cert.gov

Carnegie Mellon Software Engineering Institute’s CERT Coordination Center. http://www.cert.org/certcc.html

Center for Internet Security (CIS). www.cisecurity.org

The Open Web Application Security Project. www.owasp.org

Institute for Security Technology Studies. www.ists.dartmouth.edu

OnGuard Online. www.OnGuardOnline.gov

Thank you

Yael Weinman, Counsel for International Consumer Protection

Office of International Affairs, U.S. Federal Trade Commission

yweinman@ftc.gov

Questions?

Thank You

Joseph Richardson
