CYBER SECURITY FOR TRAVELERS / FBO’S



A (NOT “THE”) CYBER SECURITY CHALLENGE


OTHER DISCLAIMERS

The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of the author’s employer.

Technology used in this presentation is not endorsed by the author or the author’s employer.

• http://MyChurchSecurity.com/disclaimers/

WHY ME?

Been doing security/audit/fraud work for over 20 years finding malicious hackers and fraudsters and bored insiders, and involved in FBO/Church Security since 1991

13 US Patents and a bunch more pending involving fraud, cyber security, and visualization of threats

Significant work on large scale country-by-country offshoring security risk assessment based on 150 statistic sources for 85 countries

Blogger / Podcaster @ MyChurchSecurity.com

I’m not a sports fan or related to Peyton Manning (who?)

My Most Important

“cyber” assets…..

….are the records of my

(organization’s)

relationships

MINIMUM REQUIREMENTS FOR FBO/NGO

Chief Security Officer

Definitions Security vs. Safety vs. Fraud

Trust / Balance / Priority

Information Inventory: Travel itineraries, HIPAA, PCI, counseling notes, donors, strategic discussions, email, suppliers, discussions with governments (these are EXAMPLES ONLY)

Response Plan

Training & Training

Techie Stuff

CHIEF SECURITY OFFICER

Accountability vs. Training / Expertise

It may be you….

A mindset vs a human

DEFINITIONS – THESE ARE JUST MINE….

Security

Safety

Safe

Fraud

Compliant

Secure

THE PROBLEM OF (CYBER) SECURITY FOR FBO / NGO

Trust: Humans’ need for Trust

Trust is like air

Is everything untrusted, or is everyone untrusted? “I’m not worried about your driving, I’m worried about everyone else’s driving”

Criminals need trust, but so do businesses and FBOs/NGOs

Balance: Why Church Security – My Secret Service Agent discussion

Priority: Grandma

INVENTORY – “ALL” = “ALL”

ALL / “SECURE” – Not goin’ to happen…

# of Threats

# of Assets

# of vulnerabilities

# of entry points

# of humans

# of suppliers

# of sub(sub-sub-sub-) contractors

# of pieces of software……..Refer to Slide 2…..

# of trips

# of customers

# of partner customers

# of users

# of websites

# of databases

# of tables

# of user IDs

# of ________

INCIDENT RESPONSE

I am a great liar and a terrible liar,

sometimes at the same time.

INFORMATION SHARING & RESPONSE PLAN

ISAO – Trusted Networking

Media

Tracking “threats”

Fields/columns for domain, IP address, handle

Case Management “system”

(Tested) Incident Response Plan

Get the skill sets available now, or unplug…..5000 cables

TRAINING….TRAINING…TRAINING

Who (touching your info / brand….): The person in the mirror

Staff

Volunteers

Board

Guests

Travelling missionaries

Short Term missions

Vendors/Suppliers

On what: AV, attachments, travel w/ devices

When: Before EVERY trip….threats / technology change

WHY PROTECT CYBER STUFF…..

Threats: Foreign countries

Customs / Immigration

Good ol’ fashioned pickpockets

Competitors

Suppliers

Victims

If I get your email……somewhere it is available in cleartext

Who are you connected to, whether you meant to be or not

6 degrees of separation

Confidentiality, Integrity, Availability

Value of the device vs. value of the info

Cable lock, anyone?

Think that Hotel “safe” is “safe”?

You need to think about 100% of the holes, the bad guy only has to find one hole

RANDOM IDEAS

“Cloud” Solutions (trusted countries / vendors)

Have contract on YOUR “paper” that gives you access to (security) logs

Types of things to “Cloud”:

Email (web client only if at all possible), Accounting, Contacts, Shared Documents

Stripped Laptops

AV and Patch Management (repeat this statement 10 times Jim)

Multiple SIM cards

Throw Phones

Backup SD Cards for Cameras

Watch out for EXIF data

Lots of Tools / Apps (e.g. Tor) – It’s a tool, it may not be legal or good idea
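Worked example for the “Watch out for EXIF data” point above. This is added code, not part of the original slides: it reads the raw JPEG marker structure with the Python standard library only, reports whether an Exif block is present and whether that block carries the GPS sub-IFD pointer (the part that leaks where a photo was taken), and strips the Exif segment without touching the pixels. The sample “photo” is a constructed minimal JPEG, not a real image.

```python
"""Inspect and strip Exif metadata from a JPEG before a travel photo is shared.

Added example for this page, not code from the original presentation. Works on
the raw JPEG marker structure, standard library only. The sample image built
below is constructed, not a real photo.
"""
import struct

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
APP1 = 0xE1                # application segment that carries Exif (and XMP)
SOS = 0xDA                 # start of scan: entropy-coded pixel data follows
EXIF_ID = b"Exif\x00\x00"  # every Exif payload starts with this identifier
GPS_IFD_TAG = 0x8825       # IFD0 tag pointing at the GPS sub-IFD (lat/long, altitude)


def iter_segments(data: bytes):
    """Yield (marker, payload, start, end) for each header segment.

    Layout is FF <marker> <2-byte big-endian length incl. the length field>.
    Stops after the SOS header: the scan data after it is not segment-structured.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end
        if marker == SOS:
            break


def has_exif(data: bytes) -> bool:
    return any(m == APP1 and p.startswith(EXIF_ID) for m, p, _, _ in iter_segments(data))


def exif_has_gps_ifd(data: bytes) -> bool:
    """True if Exif IFD0 contains the GPSInfo pointer (tag 0x8825).

    Presence of the GPS sub-IFD is enough to decide "do not post this as-is";
    the coordinates themselves are not decoded here.
    """
    for marker, payload, _, _ in iter_segments(data):
        if marker != APP1 or not payload.startswith(EXIF_ID):
            continue
        tiff = payload[len(EXIF_ID):]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte order
        if endian is None:
            continue
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i                      # each IFD entry is 12 bytes
            (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_TAG:
                return True
    return False


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed, pixels untouched."""
    out = bytearray(SOI)
    tail_start = 2
    for marker, payload, start, end in iter_segments(data):
        tail_start = end
        if marker == APP1 and payload.startswith(EXIF_ID):
            continue                                       # drop the metadata segment
        out += data[start:end]
    out += data[tail_start:]                               # scan data and EOI, verbatim
    return bytes(out)


# --- constructed sample image (not a real photo) -----------------------------

def build_exif_segment(with_gps: bool) -> bytes:
    # Big-endian TIFF header; IFD0 starts right after it at offset 8.
    entries = [struct.pack(">HHII", 0x0110, 2, 4, 0x41424300)]          # Model = "ABC\0"
    if with_gps:
        entries.append(struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 0x1A))   # nominal sub-IFD offset
    ifd0 = struct.pack(">H", len(entries)) + b"".join(entries) + struct.pack(">I", 0)
    payload = EXIF_ID + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0
    return b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(with_exif: bool, with_gps: bool = True) -> bytes:
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff" + bytes([SOS]) + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
    scan = b"\x12\x34\x56"                                 # placeholder entropy-coded data
    parts = [SOI, app0]
    if with_exif:
        parts.append(build_exif_segment(with_gps))
    parts += [sos, scan, EOI]
    return b"".join(parts)


if __name__ == "__main__":
    photo = build_sample_jpeg(with_exif=True)
    print("exif:", has_exif(photo), "gps:", exif_has_gps_ifd(photo))
    clean = strip_exif(photo)
    print("after strip, exif:", has_exif(clean), "bytes removed:", len(photo) - len(clean))
```

Run `strip_exif` on a real file with `open(path, "rb").read()`; a JPEG re-saved by a photo editor may also carry location data in an XMP APP1 segment (identifier `http://ns.adobe.com/xap/1.0/`), which this check deliberately leaves alone, so inspect that too before publishing.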

RANDOM IDEAS

Encrypted Thumb Drives/SD Cards

Log AND monitor all remote access

Change Subject Line: e.g. [EXTERNAL]

One Time Passwords (OTP)

“TSA” approved bag

Basic Office software encryption is good, but not great

Phishing

Facebook, Linkedin, email, phone

Testing

Brand protection

Social Media

Domains (Private Registration?)

Sometimes it’s about looking normal for where you are
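Worked example for “Log AND monitor all remote access” above. This is added code, not part of the original slides. It parses OpenSSH `Accepted`/`Failed` auth-log lines and raises three kinds of alert: a burst of failures from one source, a successful login from a source that just produced such a burst, and a successful login from a source not on your known list. The log lines, hostnames and IP addresses are constructed (RFC 5737 documentation ranges); `KNOWN_SOURCES` is an assumed allowlist you would fill with your own office or VPN egress addresses.

```python
"""Flag suspicious remote logins in sshd auth-log lines.

Added example for this page, not code from the original presentation. The log
lines and addresses below are constructed; the regex matches the OpenSSH
"Accepted ... for ... from ..." / "Failed ... for ... from ..." message format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed allowlist: sources you expect logins from (office egress, VPN concentrator).
KNOWN_SOURCES = {"203.0.113.5"}

# Constructed sample log: a password-guessing burst that eventually succeeds,
# a normal key login from the office, and a key login from an unseen address.
SAMPLE_LOG = """\
Mar 31 08:01:02 gateway sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 31 08:01:05 gateway sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 51030 ssh2
Mar 31 08:01:09 gateway sshd[2205]: Failed password for jim from 198.51.100.7 port 51041 ssh2
Mar 31 08:01:12 gateway sshd[2207]: Failed password for jim from 198.51.100.7 port 51052 ssh2
Mar 31 08:01:16 gateway sshd[2209]: Failed password for jim from 198.51.100.7 port 51060 ssh2
Mar 31 08:02:10 gateway sshd[2211]: Accepted password for jim from 198.51.100.7 port 51090 ssh2
Mar 31 09:15:44 gateway sshd[2300]: Accepted publickey for jim from 203.0.113.5 port 40010 ssh2: ED25519 SHA256:constructedfingerprint
Mar 31 23:40:01 gateway sshd[2410]: Accepted publickey for volunteer1 from 192.0.2.44 port 33010 ssh2
Mar 31 23:41:30 gateway sshd[2412]: Received disconnect from 192.0.2.44 port 33010:11: disconnected by user
""".splitlines()


def parse_line(line: str, year: int = 2018):
    """Return an auth event dict, or None for lines that are not auth results.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def alert(kind: str, ev: dict) -> dict:
    return {"type": kind, "ip": ev["ip"], "user": ev["user"],
            "method": ev["method"], "ts": ev["ts"].isoformat()}


def detect(lines, known_sources, fail_threshold=5, window=timedelta(minutes=10)):
    """Walk the log in order and return alerts worth a human's attention."""
    alerts = []
    failures = defaultdict(deque)              # ip -> timestamps of recent failures
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()                   # forget failures outside the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == fail_threshold:  # fire once per burst, not per attempt
                alerts.append(alert("brute_force", ev))
            continue
        # Accepted login: did guessing just pay off, and do we know this source?
        if len(recent) >= fail_threshold:
            alerts.append(alert("success_after_failures", ev))
        if ev["ip"] not in known_sources:
            alerts.append(alert("new_source", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_SOURCES):
        print(f"{a['ts']} {a['type']:24} {a['user']}@{a['ip']} ({a['method']})")
```

Feed it `tail -F /var/log/auth.log` output (or the journal) and route the alerts to whoever owns the response plan; the “success after failures” case is the one that needs a phone call, not a ticket.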
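Worked example for “One Time Passwords (OTP)” above. This is added code, not part of the original slides and not tied to any OTP product: HOTP (RFC 4226) and TOTP (RFC 6238) generation with the Python standard library, a server-side verifier that tolerates a little clock drift but refuses to accept the same step twice, and the `otpauth://` enrollment URI that authenticator apps scan. `SECRET` is the RFC 6238 reference test secret so the codes can be checked against the published vectors; the account and issuer names are hypothetical.

```python
"""One-time passwords: HOTP/TOTP generation and verification (RFC 4226 / 6238).

Added example for this page, not code from the original presentation. Standard
library only. SECRET is the RFC test-vector secret, not a real key; a shared
secret for a real account must be random and kept private.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

SECRET = b"12345678901234567890"   # RFC 4226/6238 reference test secret (not a real key)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                            # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         t0: int = 0, digestmod=hashlib.sha1) -> str:
    """TOTP = HOTP with counter = floor((T - T0) / step)."""
    return hotp(secret, int((for_time - t0) // step), digits, digestmod)


class TotpVerifier:
    """Server side: accept a code within +/-window steps, but never the same step twice.

    The window tolerates phone clock skew; remembering the last accepted
    counter stops a shoulder-surfed or phished code from being replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.step)
        for off in range(-self.window, self.window + 1):
            c = counter + off
            if c <= self.last_counter:
                continue                               # already used (or older): reject replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):   # constant-time compare
                self.last_counter = c
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the Key URI format authenticator apps enroll from."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    v = TotpVerifier(SECRET)
    print("code:", code, "accepted:", v.verify(code, now), "replayed:", v.verify(code, now))
    # Hypothetical account and issuer names for the enrollment QR code.
    print(provisioning_uri(SECRET, "traveler@example.org", "Example NGO"))
```

Keep the per-account `last_counter` in persistent storage, not in memory, or a service restart re-opens the replay window; and treat the `otpauth://` URI (or its QR code) as the secret itself, since anyone who captures it can generate valid codes.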

My Most Important

assets…..

….are my (organization’s)

relationships

PERSONAL CONTACT INFORMATION

Jim McConnell

http://MyChurchSecurity.com

@AskJimMcConnell

Meet me outside….

Special OSAC Conference Page

http://MyChurchSecurity.com/OSAC2015

….Thank You For the Honor to Serve You Today….