IT Security/Online Loss Prevention Bill Finnerty Assistant Director of Information Technology Cumberland County
What is your gender? 1. Female 2. Male
What age group do you fall into? or less to to to or more
What job classification best fits you? 1. Elected Office 2. Human Resources 3. County Administration 4. Finance 5. Criminal Justice 6. Human Resources 7. IT 8. Other
I am attending this session because 1. I am a geek at heart 2. I am scared out of my mind 3. There was nothing else that interested me in this time slot 4. I heard there would be free food
I am confident in my organization’s IT security 1. Strongly Agree 2. Agree 3. Neutral 4. Disagree 5. Strongly Disagree
Who is the average hacker? Age – 16 to 19 Gender – 90% male Residence – 70% United States Spend an average of 57 hours working on a computer a week Knows c, c++, or perl
1. Albert Gonzalez 2. Cody Reigle 3. Stephen Watt 4. Kevin Mitnick Who is the hacker? 1)2) 3)4)
How much would you be willing to pay for a security assessment? 1. Less than $10k 2. $10k to $30k 3. $30k to $50k 4. More than $50k
Online Fraud 2009 Over $560 million lost in online fraud Zeus botnet is able to over write online bank reports to cover fraud trailbotnet FBI investigates Citibank hack by Russian organized crime 2010 Zeus botnet adds licensing module and automatic notification via IM Most exploits sold in online black markets for $5000 or less
Cumberland County Redevelopment Authority Hack September 22, 2009 $479,000 lost Attack mechanism Clampi Virus Replaced banking website with maintenance message Used remote session to access the bank account Used Electronic Fund Transfers to quickly move money
Breach of Personal Information Notification Act § Notification of breach An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person … notice shall be made without unreasonable delay
What can we learn from a 3,000 year old Irish fort about IT security? Defense in depth The key is to have enough warning and delays to be able to react
Perimeter Security Firewall Intrusion Prevention gateway Web proxy server
Internal Security Anti-virus, Anti-malware, Anti-spam, etc Desktop firewall Host based instruction detection Permissions
IT Security Policy Cover what is needed for your environment Internet access Social media Hardware Software Anti-virus, Anti-malware, Anti-spam Use plain English, these are not for the legal and IT departments
Does your organization regularly present IT security training? 1. Yes 2. No
Security Training Know your learners Vary the delivery methods Presentations Video Blogs Contests Gotcha training
What type of bank(s) does your organization do business with? 1. Credit Unions 2. Regional 3. National
Coordinating with your Business Partners Establish a relationship with your banks IT security staff Service level agreements in contracts related to IT security
Resources Budget Man hours Internal vs. External
Assessing IT Security Readiness Industry standards ISO and NIST Special Publication A PCI Security Standard Independent external assessment IT responsibilities Business unit responsibilities Remediation
Questions