The State Of Information and Cyber Security in 2016

Date post: 20-Jan-2017
Upload: shannon-glass
2016 Security: Are You Prepared?
Transcript
Page 1: The State Of Information and Cyber Security in 2016

2016 Security: Are You Prepared?

Page 2: The State Of Information and Cyber Security in 2016

Shannon Glass, Practice Director, Information Security and Compliance

Brian Boyce, Senior Leadership, Business Development

Dustin Werden, Practice Director, Project Management Services

Page 3: The State Of Information and Cyber Security in 2016

Agenda

• AfidenceIT Overview
• State Of Security
• Culture Of Awareness
• Why Should You Care?
• Shannon’s Top 10

Page 4: The State Of Information and Cyber Security in 2016

AfidenceIT Services

• STRATEGY
• PROJECT MANAGEMENT
• IT SUPPORT
• SHAREPOINT
• SECURITY/COMPLIANCE NEW!
• CO-SOURCING

Page 5: The State Of Information and Cyber Security in 2016

AfidenceIT Differentiators

• Knowledge Transfer
• People
• No Contracts
• Truly Objective

“To be recognized as the most trusted leader in business and technology.”

Page 6: The State Of Information and Cyber Security in 2016

Shannon Glass, Practice Director, Information Security And Compliance

• Certifications: PCIP, CPISM, MCPM
• BS In Organizational Communication & Management
• MBA 2016
• 15 Years Of IT, Information Security And Compliance
• Security, Compliance, Outsourcing/Right Sourcing, Acquisition Integration, Program Management
• Clients: Healthcare, Financial & Retail

Page 7: The State Of Information and Cyber Security in 2016

Dustin Werden, Practice Director, Project Management Services

• Certifications: MCITP, CISSP, PMP, Security+
• BA In IS & Management
• MBA 2016
• 14 Years Of Enterprise & Large Scale IT Project Management Experience And Technology Deployment And Integration
• Clients: Aerospace, Public Utilities, DoD, Manufacturing, Family Foundations.

Page 8: The State Of Information and Cyber Security in 2016

State Of The Union? No, Just Security.

Page 9: The State Of Information and Cyber Security in 2016

State of the Security Industry

Playing Catch Up

1. Protecting Assets
2. Emerging Technologies
3. Risk Framework

Leveraging Technology

1. Cloud
2. Big Data
3. Internet Of Things

The Human Factor

1. Executive Oversight
2. Security Awareness
3. Increased Budget

http://idgknowledgehub.com/2015/10/23/2016-global-state-of-information-security-survey-research-results/

Page 10: The State Of Information and Cyber Security in 2016

Changing Security Mindset Produces Results

You Get Results

1. 49% Identify Risks
2. 47% Detect And Mitigate Quicker
3. 37% Know Gaps

Threat Intelligence

1. Collaboration
2. Actionable
3. Size Matters

Cultural Changes

1. Executive Sponsorship
2. Culture Awareness
3. Aligning Security, Risk And Business

Page 11: The State Of Information and Cyber Security in 2016

Effects Of Board Participation

[Bar chart, 2014 vs. 2015. Categories: Security Budget, Overall Strategy, Security Policy, Security Technology, Review Risks. Data labels as extracted: 40%, 42%, 36%, 30%, 25%; 46%, 45%, 41%, 37%, 32%.]

Page 12: The State Of Information and Cyber Security in 2016

Dark Web Rising

• Nation States
• The Dark Web
• Hacktivists

Page 13: The State Of Information and Cyber Security in 2016

Creating A Culture Of Awareness

Page 14: The State Of Information and Cyber Security in 2016

Know the Marketplace

1. Security Spending ~ $80 Billion in 2015*

2. 47% Will Hire 1-10 Security Employees in 2016**

3. Security Awareness Training:
   - Must Be Measurable
   - Understand Your Audience
   - Train Based On Risk Tolerance

*Gartner 2015 Report
**www.cio.com December 17, 2015: The hottest security certifications, most in-demand skills.

Page 15: The State Of Information and Cyber Security in 2016

5 Questions Every CEO Should Ask

1. Business Impact Of Security?
2. Plan To Address Risks?
3. Using Industry Best Practices?
4. Velocity And Vectors For Security Incidents & Threats?
5. Do We Have An Incident Response Plan?

Page 16: The State Of Information and Cyber Security in 2016

Good vs. Bad Passwords

Based on AD Accounts

Length > Complexity

Good Passwords

• WhineyRunawayGiant201
• 42Blue-eyedPrimVictorians
• 910MaternalMatchboxElectrician8
• MyKidsDontLetMeSleep!

Bad Passwords

• password123
• qwerty
• qazxsw8!
• lKjuIo8#

Bad because the keys are consecutive on a keyboard!

Page 17: The State Of Information and Cyber Security in 2016

Hacking By The Numbers

Length Of Time It Takes To Crack A Password (Red = Bad, Green = Good)

[Table. Columns: Password Length; U/L Case, Special, Alpha Numeric; U/L Case, Alpha Numeric; U/L Case Only; Lowercase. Rows: password lengths 6, 7, 8, 10 and 14. Cell values by row, in the order extracted:]

• 6: 1.67 Seconds
• 7: 98 Seconds
• 8: 52 Hours; 93 Minutes; 26 Minutes; 6 Seconds
• 10: 286 days
• 14: 61 Years
• Row not recoverable: 1645 Billion Years; 41 Thousand Years

Page 18: The State Of Information and Cyber Security in 2016

Trending Threat Vectors

• Retail
• Medical
• Ransomware
• Browser Plug Ins
• Bootkits

Page 19: The State Of Information and Cyber Security in 2016

Why You Should Care

Everything Is Vulnerable

Anything Can Be Hacked

Because Security Is Everyone’s Responsibility

Hackers Are Not Going To Stop, So Neither Can We

Page 20: The State Of Information and Cyber Security in 2016

Get Hacked in 10 Easy Steps!

1. Don't Patch Anything
2. Run Unhardened Applications
3. Log On Everywhere As “Domain Admin”
4. Open Lots Of Holes In The Firewall
5. Allow Unrestricted Internal Traffic
6. Allow All Outbound Traffic
7. Don't Harden Servers At All
8. Use Lame Passwords
9. Use Service Accounts In Multiple Places
10. Assume Everything Is OK

Source: Jesper Johansson, 2004

Page 21: The State Of Information and Cyber Security in 2016

Shannon’s Top 10

1. Security Awareness Training
2. Malware Detection
3. Policy And Procedures
4. Patching And Vulnerabilities
5. Securing Cloud Infrastructure
6. Segment Your Network
7. Protect The Perimeter
8. Log, Monitor And Understand
9. Protect Your End Points: IoT
10. Continuous Compliance

Page 22: The State Of Information and Cyber Security in 2016

Best Practice Approach

1. Conduct A Security Assessment
2. Understand The Threat Landscape
3. Test And Scan Network
4. Use A Risk Based Approach
5. Follow A Control Framework
6. Build A Security Program
7. Continuous Compliance

Page 23: The State Of Information and Cyber Security in 2016

Building On A Budget

Page 24: The State Of Information and Cyber Security in 2016

Join The Conversation #LeadWithTrust

Twitter: @Afidence Facebook: /Afidence LinkedIn: /company/Afidence

Page 25: The State Of Information and Cyber Security in 2016

Thank you

(513) 234-5822

www.Afidence.com

[email protected]

Page 26: The State Of Information and Cyber Security in 2016

INFORMATION SECURITY & COMPLIANCE NEW FOR 2016!

Page 27: The State Of Information and Cyber Security in 2016

Resources

1. Global IT Security Risks Survey. (2015). Retrieved December 17, 2015, from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
2. Moore, S. (2014, August 22). Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware. Retrieved December 17, 2015, from http://www.gartner.com/newsroom/id/2828722

• http://www.natlawreview.com/article/2016-data-breach-predictions-hackers-more-active-ever#sthash.jfXPPLZ8.dpuf
• http://www.foxnews.com/tech/2016/01/09/3-biggest-security-threats-2016.html
• http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
• http://searchenterprisedesktop.techtarget.com/news/1002600/Get-your-network-hacked-in-10-easy-steps
• http://www.healthslide.com/simple-security-through-better-password-practices-2/

