Presentation is loading. Please wait.

Presentation is loading. Please wait.

Insider Threat Assessing & Managing ‘People’ Related Risks to Technology John Rostern, CRISC, QSA Northeast Managing Director September 14, 2011.

Published byMartha Summers Modified over 9 years ago

Similar presentations

Presentation on theme: "Insider Threat Assessing & Managing ‘People’ Related Risks to Technology John Rostern, CRISC, QSA Northeast Managing Director September 14, 2011."— Presentation transcript:

1 Insider Threat Assessing & Managing ‘People’ Related Risks to Technology John Rostern, CRISC, QSA Northeast Managing Director September 14, 2011

2 Why I love this topic… We have met the enemy and he is us… - Pogo Social Engineering; because there is no patch for human stupidity! The potential size of the fraud is directly proportional to the level of access and the degree of trust placed in the individual.

3 If I were targeting a company…. Evil Plan #626 rev 0.9 1.Identify capable IT staff (system admin, network admin, DBA, etc) 2.Determine how to compel/coerce/suborn them to your cause 3.Select your target company 4.Get these persons hired by the target company 5.Pay them over and above their salary to keep them ‘engaged’ 6.Wait a period of time while the ‘employees’ become ‘trusted members’ of the company 7.Extract insider knowledge to target information or tangible assets 8.Determine your target(s) 9.Time your move 10.Leave the ‘trusted employees’ to face law enforcement

4 Insert really boring statistics HERE to scare and impress the audience…

5 Technology Risk Interdependencies End Users download Malware that allows their computer to become part of a BotNet Executives at targeted companies advertise personal information on their Facebook pages The Executives are ‘spear-phished’ when they open a bogus email crafted based on their personal information Internal, secure, systems are infected Data is exfiltrated IF the leak is discovered we hold a meeting and wonder how it happened… Must have been China!

6 The Fraud Triangle Uncontrolled access to information creates opportunity Are you creating opportunity?

7 ‘Risky People’ Persons with extraordinary access to information assets C-Level Executives CEO President CFO Board Members ‘Privileged’ IT Staff Systems Administrators Database Administrators Programmers Third Parties Commercial Software Vendors Outsourced IT Staff Offshore Programming Resources ‘I know what I’m doing…’ ‘I need to do my job… ‘Trust us!’

8 Mitigating Risky People Do they have more access to information than needed? Who are they? When were they last background checked? Do you have background check requirements specific to job responsibilities? What other compensating controls can be or are in place? ‘2 Man System’ requirements Segregation of duties Continuous monitoring Ad hoc audits

9 Who is watching the store? Consider Security operations vs. oversight roles Potential conflicts of interest Who owns RISK for the organization?

10 Align the CISO with Risk Owners Align Security Operations with the IT organization Separate oversight functions under the CISO Dotted line relationship aligns policies, standards and procedures with risk The ability to say NO

11 Traditional IT Configuration

12 Provide Better Segregation

13 Controlled Environment Design

14 Key Takeaways Ecommerce Servers Who are the Riskiest People in my organization? How well do I know the people in my organization with access to information assets? Is my organization engaging in ‘Blind Trust’ instead of ‘Control’? Consider Stricter background check requirements for privileged staff Recurring and/or ad hoc background checks for certain roles What is the role of your CISO? Where does he/she report? How your network, systems and application architecture does or does not support effective segregation of duties Data Analytics as part of regular audit procedures The use of Continuous Controls Monitoring Доверяй, но проверяй Trust, but verify… - Ronald Reagan

Download ppt "Insider Threat Assessing & Managing ‘People’ Related Risks to Technology John Rostern, CRISC, QSA Northeast Managing Director September 14, 2011."

Similar presentations

BOARD EFFICIENCY: The Agenda Setting Role and Information Needs of the Supervisory Board Holly J. Gregory Weil, Gotshal & Manges LLP.

BOARD EFFICIENCY: The Agenda Setting Role and Information Needs of the Supervisory Board Holly J. Gregory Weil, Gotshal & Manges LLP.
© Pearson Prentice Hall 2009

© Pearson Prentice Hall 2009
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Koen Maris – The Human Factor in Information technology – Copyright 2005 – The Human Factor in Information Technology.

Koen Maris – The Human Factor in Information technology – Copyright 2005 – The Human Factor in Information Technology.
Strategy 2022: A Holistic View Tony Hayes International President ISACA 2013-2014 © 2012, ISACA. All rights reserved.

Strategy 2022: A Holistic View Tony Hayes International President ISACA © 2012, ISACA. All rights reserved.
How JCPenney is Managing Corporate Risk

How JCPenney is Managing Corporate Risk
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Appendix B: Designing Policies for Managing Networks.

Appendix B: Designing Policies for Managing Networks.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Security Management Practices Keith A. Watson, CISSP CERIAS.

Security Management Practices Keith A. Watson, CISSP CERIAS.
Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.

Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.
High-Level Assessment Month Year

High-Level Assessment Month Year
Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.

Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.
Best in Class Controls for AP The Institute of Financial Operations Indiana – Southern Illinois Chapter June 15, 2011 Sherry DePew.

Best in Class Controls for AP The Institute of Financial Operations Indiana – Southern Illinois Chapter June 15, 2011 Sherry DePew.
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.

MnSCU Audit Reports Presentation to the MnSCU Audit Committee Office of the Legislative Auditor September 21, 2004.
The Board’s Fiduciary Role Presenter Insert Name Insert Organization.

The Board’s Fiduciary Role Presenter Insert Name Insert Organization.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.

Similar presentations

Ads by Google