People are the biggest risk

Date posted: 21-May-2015

Transcript
Page 1: People are the biggest risk

Presented by Kevin Orth, VP of Operations, FRSecure LLC

Information security isn’t about information or security, it’s about people!

Page 2: Introduction – Topics

• About FRSecure
• Information Security Explained
• Why are people risky?
• Ingrained sense of trust
• Behaviors, moods, events, experiences, and surroundings
• Mistakes and malicious intent
• Twelve types of people
• Questions?

Page 3: About FRSecure

FRSecure LLC is a full-service information security consulting company. We are dedicated to providing value to our clients through well-designed, implemented, and managed information security solutions. Our mission statement:

– We take the time to understand our client's business and align information security initiatives with their goals and objectives. In so doing, our clients benefit from solutions that help to drive business and add to the bottom line. Information security does not have to be a cost center.

FRSecure works with businesses of all sizes, in all industries. We understand that our clients are in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve their bottom line.

Page 4: What we do

• Information Security Assessments
An independent and objective assessment of your current information security program based on well-established security standards.
– ISO Assessments
– Small Business Assessments
– Compliance Assessments
  • GLBA
  • HIPAA
  • PCI
– Network Security Assessments
– Wireless Networking Assessments
– SAS70/SSAE16 Readiness Assessments
– Customer Required Assessments

Visit FRSecure.com for more information

Service cycle graphic: Assess – Improve – Manage – Train – Test

Page 5: What we do (continued)

• Information Security Program Development
A formal, cost-effective and customized information security program that reduces risk and improves efficiency.
– Outsourced information security
– PCI Compliance
– Vendor Risk Management
– Penetration Testing
– Policy Creation
– Training & Awareness Programs
– BC/DR Planning

• Information Security Management
Leverage years of expertise without the tremendous expense that can accompany it.
– Outsourced CISO
– Incident Response

Page 6: Introduction – A Principle

People present the most significant risk to the security of information.

“It’s not the technology that’s to blame for most breaches; it’s the people behind the technology.”

Page 7: Introduction – A Question

Give an example of a typical way people lose sensitive information.

Page 8: Introduction – A Definition

What is information security?

Page 9: Information Security Explained

Fundamentally, information security is:

The application of administrative, physical and technical controls in an effort to protect the confidentiality, integrity, and availability of information.

Controls:
Administrative – Policies, procedures, processes
Physical – Locks, cameras, alarm systems
Technical – Firewalls, anti-virus software, permissions

Protect:
Confidentiality – Disclosure only to authorized entities
Integrity – Accuracy and completeness
Availability – Accessible when required and authorized

Page 10: Why are people risky?

The variables involved in human behavior are numerous and often unpredictable. People are affected by an ingrained sense of trust in their fellow humans, and behaviors can be affected by moods, events, experiences, and surroundings. The risks involved can range from simple mistakes to malicious intent. Understand that people present the most significant risks to information assets, and design controls to account for these risks. If we properly invest in people through solid training and awareness, we can influence behaviors and mitigate risk.

Page 11: Ingrained Sense of Trust

People have a certain amount of trust in other people.

Page 12: Social engineering example #1

• You receive an urgent email from your bank that requires your immediate attention.
• Everything appears to be legit, so you click and log in.
• You’ve been phished!
• Someone else now has your login credentials to your online banking account.
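The email in example #1 "appears to be legit" because everything the reader sees (the display name, the link text, the urgency) is chosen by the attacker, while the parts that give it away (the sending domain, the link target) are not shown. As an added example that is not part of the original deck, the Python below runs those two checks, plus an urgency-keyword check, over a constructed phishing message and a constructed legitimate one; the bank, addresses and domains are hypothetical.

```python
# Added example, not from the FRSecure deck. Both messages below are
# constructed for this example; the bank, addresses and domains are hypothetical.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAIN = "example-bank.com"  # the domain the recipient actually banks with

# Constructed phishing message: display name and link text look like the bank,
# the sending domain and link target do not.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-secure.net>
Subject: URGENT: unusual sign-in on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your account within 24 hours:
<a href="http://example-bank.login-verify.example.net/session">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed legitimate message from the same hypothetical bank.
LEGIT_EMAIL = """\
From: "Example Bank" <statements@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is available at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
</body></html>
"""

URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname ('www.example-bank.com' -> 'example-bank.com').
    Enough for this example; a production check consults the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_email, expected_domain):
    """Return human-readable reasons raw_email is not what it claims to be."""
    msg = message_from_string(raw_email)
    indicators = []

    # 1. The display name is what the reader sees; the address domain is what counts.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if registrable_domain(sender_domain) != expected_domain:
        indicators.append(f"sender domain {sender_domain!r} is not {expected_domain!r} "
                          f"(display name {display_name!r})")

    # 2. The link text is what the reader sees; the href is where the click goes.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != target:
            indicators.append(f"link text shows {shown!r} but points to {target!r}")
        elif target != expected_domain:
            indicators.append(f"link points to {target!r}, not {expected_domain!r}")

    # 3. Urgency is the lever that gets the reader to click before checking 1 and 2.
    subject = msg.get("Subject", "")
    if any(cue in subject.lower() for cue in URGENCY_CUES):
        indicators.append(f"urgency cue in subject: {subject!r}")

    return indicators


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        found = phishing_indicators(raw, BANK_DOMAIN)
        print(f"{name}: {len(found)} indicator(s)")
        for line in found:
            print("  -", line)
```

The constructed phishing message trips all three checks and the legitimate one trips none. The registrable-domain helper keeps only the last two labels, which is enough for these samples but misclassifies hosts under multi-label public suffixes such as co.uk; a real mail filter consults the public suffix list instead.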

Page 13: Social engineering example #2

• You get a call from XYZ Energy Company. They are performing account maintenance on all accounts in your area.
• The person on the telephone asks you to confirm your account information. “Sir, we just need to confirm the information on your account. As a thank you for your time, we will credit $10 to your next energy bill.”

Page 14: Behaviors, Moods, Events, Experiences, and Surroundings

If you catch the right person at the right time, you might be surprised at what they do to put themselves and their organization at risk.

Page 15: Example 1 – It’s been a bad day

• You’re in a bad mood. Your boss comes to you and asks you to do some seemingly unimportant task.
• Do you do it?
• Probably, but do you think the quality of the work suffers?
• If the quality of the work suffers, details might be missed. Some of these details might lead to vulnerabilities.

Page 16: Example 2 – I didn’t know any better

• A member of your team has cancer and goes to the hospital for chemotherapy.
• You check on them and find out that they’re doing well.
• You email the rest of your team to let them know that your coworker is doing well and that the chemo seems to be working.

Page 17: Example 3 – Desperate times call for desperate measures

• You are a good worker, but you have fallen on hard times. Your car’s transmission went out, and one of your children was recently sick, leaving you with some expensive hospital bills. To add insult to injury, your company was recently acquired and you could be out of a job in a few months.
• You work in customer service for your company, and you have access to sensitive customer information. You wouldn’t normally even consider taking the information and using it for financial gain, but these are desperate times.
• Desperate times call for desperate measures, right?

Page 18: Example 4 – The quick stop

• On your way home from work, you decide to make a quick stop at the convenience store. You need some bread and milk.
• After you get home, you turn to your back seat to grab your bag. It’s gone!
• In your bag was your laptop; the same laptop that you use for work.
• You work in HR and you know that there were spreadsheets containing sensitive personal information stored on the laptop hard drive.
• Uh oh! Your company is out thousands (maybe millions) of dollars, and you are out of a job. That’s expensive milk!

Page 19: Twelve types of people (1–6)

• The disgruntled employee – In her mind, she’s been done wrong. She’s looking for revenge.
• The criminal employee – Eventually, he’s going to break the law to get what he wants.
• The poorly trained employee – This person just didn’t know any better.
• The driven employee – She is so busy that she doesn’t have time for rules.
• The overworked employee – He wants to do the right thing, but he has deadlines to meet.
• The curious/opportunist employee – What’s this directory; R&D? That might be cool!

Page 20: Twelve types of people (7–9)

• The vendor – Does anybody even know this guy?
• The contractor and/or service provider – They’re going to need administrator access.
• The customer – They’re requesting administrative access to one of your systems so that they can run some tests.

Page 21: Twelve types of people (10–12)

• The outside criminal – You’ve got something that the criminal wants.
• The outside opportunist – While browsing your website, the opportunist recognizes something that catches his eye.
• The activist – As long as everyone agrees with you, you should be okay. See: Operation Payback and “Anonymous”.

Page 22: The thumb drive

Page 23: The Right Approach

Companies that take a comprehensive, risk-based approach to information security are able to:

• Reduce (not eliminate) risks posed by people
• Provide adequate information security training to their employees
• Leverage new technologies that have potentially high people risk
• Reduce downtime due to mistakes

Page 24: The Right Approach – The Jigsaw Puzzle Analogy

• Choose a standard – The box cover
• Information security controls – The pieces
• Build a framework – The edge and corner pieces
• Complete the picture – Refer to the box often. Each piece in the right place.

Page 25: The Right Approach – The Jigsaw Puzzle Rules

• Don’t build the puzzle from the inside out.
• Don’t build the puzzle without the box cover.
• If you don’t understand where a piece fits, don’t buy it.

Page 26: The Right Approach

Whose data is it? The company’s or the individual’s?

This is why we’re passionate.

Page 27: The Right Approach

Are you an information security risk to your company?

Page 28: Conclusion

Hopefully you have a better understanding of why we use “People present the most significant risk” as one of FRSecure’s Ten Principles that Guide our Work.

Page 29: Exclusive to FRSecure

Page 30: You made it! – Questions?

About FRSecure
As an information security firm, FRSecure protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction. We assess existing information security systems and develop, implement and manage plans tailored to each client’s specific security needs and overall business interests. These plans spare clients from the irreparable financial and reputational costs that invariably accompany the breach of sensitive business and personal information.

Achievements, experience and continuous referrals separate FRSecure as reliable information security experts who provide the resources and services that every business needs, but only FRSecure can deliver.

Page 31: Contact Information

Kevin Orth
[email protected] x11