Published by Sharon Parrish. Modified over 9 years ago.
1
IT Security/Online Loss Prevention Bill Finnerty Assistant Director of Information Technology Cumberland County
2
What is your gender? 1. Female 2. Male
3
What age group do you fall into?
1. 25 or less
2. 26 to 35
3. 36 to 45
4. 46 to 55
5. 56 or more
4
What job classification best fits you?
1. Elected Office
2. Human Resources
3. County Administration
4. Finance
5. Criminal Justice
6. Human Resources
7. IT
8. Other
5
I am attending this session because
1. I am a geek at heart
2. I am scared out of my mind
3. There was nothing else that interested me in this time slot
4. I heard there would be free food
6
I am confident in my organization's IT security
1. Strongly Agree
2. Agree
3. Neutral
4. Disagree
5. Strongly Disagree
7
Who is the average hacker?
Age: 16 to 19
Gender: 90% male
Residence: 70% United States
Spends an average of 57 hours a week working on a computer
Knows C, C++, or Perl
8
Who is the hacker? (four photographs)
1. Albert Gonzalez
2. Cody Reigle
3. Stephen Watt
4. Kevin Mitnick
9
How much would you be willing to pay for a security assessment?
1. Less than $10k
2. $10k to $30k
3. $30k to $50k
4. More than $50k
10
Online Fraud
2009
Over $560 million lost in online fraud
Zeus botnet is able to overwrite online bank reports to cover the fraud trail
FBI investigates Citibank hack by Russian organized crime
2010
Zeus botnet adds a licensing module and automatic notification via IM
Most exploits sold in online black markets for $5,000 or less
11
Cumberland County Redevelopment Authority Hack
September 22, 2009
$479,000 lost
Attack mechanism: Clampi virus
Replaced the banking website with a maintenance message
Used a remote session to access the bank account
Used Electronic Fund Transfers to quickly move the money
12
Breach of Personal Information Notification Act
§ 2303. Notification of breach
"An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person … notice shall be made without unreasonable delay"
13
What can we learn from a 3,000 year old Irish fort about IT security?
Defense in depth
The key is to have enough warning and enough delays to be able to react
14
Perimeter Security
Firewall
Intrusion prevention
Email gateway
Web proxy server
15
Internal Security
Anti-virus, anti-malware, anti-spam, etc.
Desktop firewall
Host-based intrusion detection
Permissions
16
IT Security Policy
Cover what is needed for your environment:
Email
Internet access
Social media
Hardware
Software
Anti-virus, anti-malware, anti-spam
Use plain English; these are not written for the legal and IT departments
17
Does your organization regularly present IT security training?
1. Yes
2. No
18
Security Training
Know your learners
Vary the delivery methods:
Presentations
Video
Blogs
Contests
"Gotcha" training
19
What type of bank(s) does your organization do business with?
1. Credit unions
2. Regional
3. National
20
Coordinating with your Business Partners
Establish a relationship with your bank's IT security staff
Put service level agreements related to IT security into contracts
21
Resources
Budget
Man hours
Internal vs. external
22
Assessing IT Security Readiness
Industry standards:
ISO 27001 and 27002
NIST Special Publication 800-53A
PCI Security Standard
Independent external assessment
IT responsibilities
Business unit responsibilities
Remediation
23
Questions
http://www.govloop.com/profiles/blogs/ccap-administration-conference