Date posted: 18-May-2018
Today we’ll cover
• The ‘so what?’ – The principles of the confidentiality, integrity and availability (CIA) triad as they pertain to financial management systems
• The ‘what matters?’ – The principles of risk-based security assessment, including the elements of criticality, vulnerability and threat
• The ‘what do we do?’ – What data owners and system users can do to help their IT staff better secure their systems
Goals haven’t changed, really
• Security has always had three elements
  • Confidentiality
  • Integrity
  • Availability
Confidentiality
• What it means: Keeping private things private
• What threatens it: Outsiders ‘hacking’ into financial systems, insiders who are not properly handling sensitive data
• What controls promote it: Complex passwords, two-factor authentication, least privilege, encryption and a host of network controls
Confidentiality (Disclosure) - Examples
• 2008 Heartland Payment Systems
  • 34 million credit cards exposed
  • Paid out an estimated $145 million in compensation for fraudulent payments
  • Deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS)
  • Not allowed to process the payments of major credit card providers for five months
Integrity
• What it means: Knowing that nobody has made unauthorized changes
• What threatens it: Malicious outsiders, environment malfunctions (server crashes, corrupted files), malicious insiders
• What controls promote it:
  • Prevention: Network controls, segregation of financial systems, least privilege
  • Response: Backups, disaster recovery drills
Integrity (Corruption) - Examples
• 2014 JP Morgan Chase
  • Hit with an exploit that compromised the data of more than half of all US households
  • 76 million households and 7 million small businesses
  • Names, addresses, phone numbers and email addresses
  • It was reported that attackers gained “root” privileges on more than 90 of the bank’s servers
  • That means they could do almost anything to any file: change balances, transfer funds, close/open accounts
Availability
• What it means: Being able to get to your data when you need to
• What threatens it: Network stability, ‘DDoS’ attacks, ransomware
• What controls promote it:
  • Prevention: Network controls, segregation of financial systems
  • Response: Backups, disaster recovery drills
Availability (Disruption) - Examples
• 2016 HSBC
  • Hit with a denial of service attack that lasted two days
  • Not unusual – denial of service is the most common attack against financial institutions (2015 Verizon Data Breach Investigations Report)
  • Average cost is $40,000 per hour
• 2017 “WannaCry” ransomware hit 150 countries and cost up to $4B
Not everything is (equally) important
• In protecting (pre-event) and recovering (post-event), not all information and systems are handled equally
• The level of protection, frequency of backups and level of access can vary according to the nature of the information and system
Risk tells us what (not) to worry about
• Vulnerability: How well have we protected our financial data and systems, based on the implementation of measures drawn from policies and best practices? More, and more effective, measures mean lower vulnerability to threat actions.
• Criticality: How important is specific information, or a specific system, to the organization? Think of the costs associated with loss: business interruption, fines, recovery costs.
• Threat: How likely are we to have incidents on a particular system? IT can tell us the volume and type of activity against certain systems. Internal controls can tell us about insider-related incidents within the organization.
• Risk is the product of:
  • Vulnerability to threat actions
  • Criticality of the assets
  • Rate/types of threat activities within the system
• If any factor is zero, then risk is zero
Know yourself – understand criticality
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu (545 BC)
• Inventory the systems on which you depend
  • Shared files, financial management systems, SharePoint, email archives, etc.
• Rank them by ‘pain points’
  • If ___________ disappeared/was disclosed, how bad would it hurt?
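The two slides above describe one procedure: score each system on criticality, vulnerability and threat, multiply, and rank. The following Python is an added example, not part of the original slide deck; it applies the deck's "risk is the product of the three factors, zero if any factor is zero" rule to a constructed inventory so that the recovery and 'test' questions can be aimed at the highest-scoring systems. The 0-5 scoring scale, the system names and the scores are assumptions made for illustration.

```python
"""Risk ranking of a system inventory (added example, not the deck's own
method beyond the 'product of three factors' rule it states).

Assumptions: each factor is scored 0..5; names and scores are invented.
"""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed scoring scale: 0 (none) .. 5 (highest)


@dataclass
class SystemRecord:
    name: str
    criticality: int    # pain score: how bad would it hurt if it disappeared / was disclosed?
    vulnerability: int  # how poorly protected: 0 = controls fully in place, 5 = none
    threat: int         # rate of hostile activity IT / internal controls see against it


def risk_score(rec: SystemRecord) -> int:
    """Product of the three factors; zero as soon as any factor is zero."""
    for value in (rec.criticality, rec.vulnerability, rec.threat):
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"{rec.name}: factor {value} outside 0..{SCALE_MAX}")
    return rec.criticality * rec.vulnerability * rec.threat


def rank_inventory(records):
    """Highest risk first; ties keep their input order because sorted() is stable."""
    return sorted(records, key=risk_score, reverse=True)


def focus_list(records, min_score):
    """Names of systems whose risk score reaches min_score, highest first."""
    return [r.name for r in rank_inventory(records) if risk_score(r) >= min_score]


# Constructed inventory for the example; every score here is invented.
INVENTORY = [
    SystemRecord("Financial management system", criticality=5, vulnerability=3, threat=4),
    SystemRecord("Email archive", criticality=3, vulnerability=4, threat=3),
    SystemRecord("SharePoint", criticality=2, vulnerability=2, threat=2),
    # Isolated legacy reporting box: no hostile activity ever reaches it, so threat is 0
    # and the deck's rule makes its risk 0 despite high criticality and vulnerability.
    SystemRecord("Legacy reporting server", criticality=4, vulnerability=5, threat=0),
]

if __name__ == "__main__":
    for rec in rank_inventory(INVENTORY):
        print(f"{risk_score(rec):3d}  {rec.name}")
    print("Ask the recovery/test questions about:", focus_list(INVENTORY, 30))
```

The threshold passed to focus_list is a judgement call for the organization; the point of the ranking is that the questions on the following slides get asked first about the systems at the top of the list, and that a system with a zero factor drops to the bottom even when it scores high elsewhere.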
Ask the right questions – Vulnerability
“Now you know, and knowing is half the battle.” – G.I. Joe (1985)
• Although much of information security is outside financial managers’ control, there is power in knowing the answers to key questions.
• Focus the questions on the systems with high criticality (pain) scores
Recovery questions
The ‘bad thing’ will happen... are they prepared?
1. Is _________ system backed up? (How often?)
2. Is it backed up off-site? (Could a fire burn both?)
3. How long would it take to switch to the backup? (How long to switch back?)
4. How high is __________ on the recovery priority list? (They cannot bring back everything immediately)
‘Test’ questions
“You get what you inspect, not what you expect”
1. Have we ever hired someone external to find security problems? (If they haven’t, assume the problems are there)
2. Have you ever practiced going to the backup site/data? (If they haven’t, assume they can’t)
3. How would we know if our data was compromised? (Failure of security isn’t always obvious; you have to look)
Threat – Not much you can do
• Your information security staff may (should) understand what is being targeted in your organization
• Often, not much of it is useful to the layman
What can you do yourself?
• Question the links you click and how you browse the internet
  • Links are like people – they have to earn trust
  • Links wear disguises
    • http://ameribank.ru/myaccount/
    • https://bit.ly/2Gd6NQ
  • Legitimate sources never ask you to “Verify your information”
  • Go to the source... you already know the URL
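The slide's two disguised links illustrate a check that can be done mechanically: pull the real host out of the link and compare it with the source you already know. The Python below is an added example, not part of the original deck; it uses only the standard library's urlsplit and returns a list of findings for a link. The trusted hosts, the short list of URL-shortening services and the finding names are assumptions for the example; the two URLs tested are the ones printed on the slide.

```python
"""Link inspection against a list of sources you already know (added example).

Assumptions: TRUSTED_HOSTS and KNOWN_SHORTENERS are illustrative, not
authoritative lists; the finding names are invented for this example.
"""
from urllib.parse import urlsplit

# Constructed, deliberately short list of URL-shortening services. A real
# deployment would maintain a fuller list; a shortener hides the true destination.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Hypothetical 'sources you already know' (hosts are assumptions for the example).
TRUSTED_HOSTS = {"www.ameribank.com", "ameribank.com"}


def brand_labels(trusted_hosts):
    """First label of each trusted host minus a leading 'www.', e.g. 'ameribank'."""
    labels = set()
    for host in trusted_hosts:
        host = host[4:] if host.startswith("www.") else host
        labels.add(host.split(".")[0])
    return labels


def inspect_link(url, trusted_hosts=TRUSTED_HOSTS):
    """Return a sorted list of findings; an empty list means the link goes to a
    trusted host over HTTPS with nothing odd in front of the host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = set()
    if not host:
        return ["no_host"]
    # 'user@host' in a link: the text before '@' is not the destination, the host after it is.
    if parts.username is not None:
        findings.add("credentials_in_url")
    if host in trusted_hosts:
        if parts.scheme != "https":
            findings.add("not_https")
        return sorted(findings)
    if host in KNOWN_SHORTENERS:
        findings.add("shortener")  # real destination is hidden; resolve it before trusting it
        return sorted(findings)
    if parts.scheme != "https":
        findings.add("not_https")
    # A trusted brand name inside an untrusted host (ameribank.ru) is the classic disguise.
    if any(brand in host for brand in brand_labels(trusted_hosts)):
        findings.add("lookalike")
    else:
        findings.add("unknown_host")
    return sorted(findings)


if __name__ == "__main__":
    for link in ("http://ameribank.ru/myaccount/",          # from the slide
                 "https://bit.ly/2Gd6NQ",                   # from the slide
                 "https://www.ameribank.com@evil.example/",  # constructed: '@' disguise
                 "https://www.ameribank.com/login"):         # constructed: the known source
        print(f"{link:45s} -> {inspect_link(link) or ['ok']}")
```

The check does not decide whether a site is malicious; it only tells the reader what the link actually points at, which is the slide's advice: when the host is not the one you already know, type the known URL instead of clicking.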
What can you do yourself?
• Avoid all suspicious emails.
  • Compromised systems start here!
• Don’t download anything without a system admin
  • “Click here to install”
• Control your data! Things not to allow:
  • Downloading data onto portable media
  • Downloading/using personal computers for work data
  • Taking unencrypted data out of the office
  • The Department of Veterans Affairs lost data on 26.5 million active and paid $20,000,000
If you don’t have these already... oops!
• Antivirus updated for all work devices (& personal)
• Strong password policy
  • Use ‘passphrases’ - Thi$1SmuchS+ronger
  • Don’t duplicate!
• Use automatic screen lock
• Data/equipment disposal policy
• Work from home/secure connection and BYOD (Bring Your Own Device) policy
Summary
• Know yourself – What is critical and where is it?
• Communicate with your I.T. staff
  • Tell them what’s critical
  • Ask hard questions
• Expect an ‘event’ – plan and practice
• Take reasonable precautions... the threat is out there!