OTHER DISCLAIMERS
The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of the author’s employer.
Technology used in this presentation is not endorsed by the author or the author’s employer.
• http://MyChurchSecurity.com/disclaimers/
WHY ME?
Doing security/audit/fraud work for over 20 years, finding malicious hackers, fraudsters and bored insiders, and involved in FBO/Church Security since 1991
13 US patents and a bunch more pending involving fraud, cyber security, and visualization of threats
Significant work on large-scale country-by-country offshoring security risk assessment based on 150 statistic sources for 85 countries
Blogger / Podcaster @ MyChurchSecurity.com
I’m not a sports fan or related to Peyton Manning (who?)
MINIMUM REQUIREMENTS FOR FBO/NGO
Chief Security Officer
Definitions: Security vs. Safety vs. Fraud
Trust / Balance / Priority
Information Inventory: travel itineraries, HIPAA, PCI, counseling notes, donors, strategic discussions, email, suppliers, discussions with governments (EXAMPLES ONLY)
Response Plan
Training & Training
Techie Stuff
THE PROBLEM OF (CYBER) SECURITY FOR FBO / NGO
Trust: Humans’ need for trust
Trust is like air
Is everything untrusted, or is everyone untrusted? “I’m not worried about your driving, I’m worried about everyone else’s driving”
Criminals need trust, but so do businesses and FBOs/NGOs
Balance: Why Church Security – my Secret Service Agent discussion
Priority: Grandma
INVENTORY – “ALL” = “ALL”
ALL / “SECURE” – Not goin’ to happen…
# of Threats
# of Assets
# of vulnerabilities
# of entry points
# of humans
# of suppliers
# of sub(sub-sub-sub-) contractors
# of pieces of software… (refer to Slide 2)
# of trips
# of customers
# of partner customers
# of users
# of websites
# of databases
# of tables
# of user IDs
# of ________
INFORMATION SHARING & RESPONSE PLAN
ISAO – Trusted Networking
Media
Tracking “threats”: fields/columns for domain, IP address, handle
Case Management “system”
(Tested) Incident Response Plan
Get the skill sets available now, or unplug… 5000 cables
TRAINING….TRAINING…TRAINING
Who (touching your info / brand…): the person in the mirror
Staff
Volunteers
Board
Guests
Travelling missionaries
Short Term missions
Vendors/Suppliers
On What: AV, attachments, travel w/ devices
When: before EVERY trip… threats / technology change
WHY PROTECT CYBER STUFF…..
Threats: Foreign countries
Customs / Immigration
Good ol’ fashioned pickpockets
Competitors
Suppliers
Victims
If I get your email… somewhere it is available in cleartext
Who are you connected to, whether you meant to be or not?
6 degrees of separation
Confidentiality, Integrity, Availability
Value of the device vs. value of the info – cable lock, anyone?
Think that Hotel “safe” is “safe”?
You need to think about 100% of the holes, the bad guy only has to find one hole
RANDOM IDEAS
(Trusted Countries / Vendors) “Cloud” Solutions
Have contract on YOUR “paper” that gives you access to (security) logs
Types of things to “Cloud”:
Email (web client only if at all possible), Accounting, Contacts, Shared Documents
Stripped Laptops
AV and Patch Management (repeat this statement 10 times Jim)
Multiple SIM cards
Throw Phones
Backup SD Cards for Cameras
Watch out for EXIF data
Lots of Tools / Apps (e.g. Tor) – It’s a tool; it may not be legal or a good idea
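The "watch out for EXIF data" point above is easy to check mechanically: a camera or phone JPEG carries an APP1 segment with Exif metadata, and the Exif IFD0 may point at a GPS sub-IFD that records where the photo was taken. The script below is an added example, not part of the deck and not the author's code; it uses only the Python standard library, walks the JPEG marker segments, reports whether Exif and a GPS pointer are present, and writes a copy with the Exif segment removed. The sample JPEG header is constructed inline (it assumes a plain baseline JPEG header with no padding bytes between segments); the segment-walking and tag-number logic is the standard JPEG/TIFF layout.

```python
"""Detect and strip Exif (APP1) metadata from a JPEG using only the standard library."""
import struct

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
SOS = 0xDA                 # start of scan: entropy-coded image data follows
APP1 = 0xE1                # application segment used for Exif
EXIF_HEADER = b"Exif\x00\x00"
GPS_INFO_TAG = 0x8825      # IFD0 entry that points at the GPS sub-IFD


def iter_segments(data):
    """Yield (marker, payload) for each header segment up to and including SOS.
    The remaining scan data (up to EOI) is yielded last as (None, rest).
    Assumes a baseline JPEG header with no fill bytes between segments."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            break
    yield None, data[pos:]


def exif_has_gps(exif_payload):
    """True if the Exif TIFF block's IFD0 contains a GPSInfo pointer (tag 0x8825)."""
    if not exif_payload.startswith(EXIF_HEADER):
        return False
    tiff = exif_payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order mark
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]   # offset of first IFD
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):                              # 12-byte directory entries
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break
        if struct.unpack(endian + "H", entry[:2])[0] == GPS_INFO_TAG:
            return True
    return False


def inspect(data):
    """Return {'has_exif': bool, 'has_gps': bool} for a JPEG byte string."""
    info = {"has_exif": False, "has_gps": False}
    for marker, payload in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            info["has_exif"] = True
            info["has_gps"] = info["has_gps"] or exif_has_gps(payload)
    return info


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed; pixels are untouched."""
    out = bytearray(SOI)
    for marker, payload in iter_segments(data):
        if marker is None:
            out += payload
        elif marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        else:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def build_sample_jpeg():
    """Constructed minimal JPEG: JFIF APP0, an Exif APP1 whose IFD0 points at an (empty)
    GPS sub-IFD, a stub SOS segment, two bytes of fake scan data and EOI."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_INFO_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps_ifd = struct.pack("<H", 0) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd   # little-endian TIFF header
    return SOI + seg(0xE0, app0) + seg(APP1, EXIF_HEADER + tiff) + seg(SOS, b"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00") + b"\x12\x34" + EOI


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            raw = f.read()
        print(path, inspect(raw))
        with open(path + ".noexif.jpg", "wb") as f:
            f.write(strip_exif(raw))
```

Run it as `python strip_exif.py photo.jpg` to see whether the file carries Exif and GPS and to get a `photo.jpg.noexif.jpg` copy. The stripping deliberately drops the whole APP1 block rather than editing individual tags, since camera make, serial number and timestamps are just as identifying as the coordinates.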
RANDOM IDEAS
Encrypted Thumb Drives/SD Cards
Log AND monitor all remote access
Change Subject Line: e.g. [EXTERNAL]
One Time Passwords (OTP)
“TSA” approved bag
Basic Office software encryption is good, but not great
Phishing
Facebook, LinkedIn, email, phone
Testing
Brand protection
Social Media
Domains (Private Registration?)
Sometimes it’s about looking normal for where you are
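"Log AND monitor all remote access" is two separate tasks; the logging half is a server setting, the monitoring half needs something that actually reads the log. The script below is an added example, not from the deck and not the author's tooling: it parses OpenSSH-style syslog lines, keeps a sliding window of failed logins per source address, and raises three kinds of alert: a burst of failures, a successful login from an address outside an allowlist, and a success that follows failures from the same address. The log lines, the allowlist and the year (syslog timestamps carry none; 2015 is assumed here) are all constructed for the example.

```python
"""Monitor remote-access (sshd) logs for failure bursts and logins from unexpected addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Accepted ..." / "Failed ..." authentication lines in syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (TEST-NET addresses); 198.51.100.7 guesses passwords, then gets in.
SAMPLE_LOG = """\
Oct 12 08:01:10 vpn1 sshd[2201]: Accepted publickey for jim from 203.0.113.10 port 50122 ssh2
Oct 12 08:02:01 vpn1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct 12 08:02:04 vpn1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Oct 12 08:02:07 vpn1 sshd[2212]: Failed password for root from 198.51.100.7 port 40003 ssh2
Oct 12 08:02:09 vpn1 sshd[2213]: Failed password for root from 198.51.100.7 port 40004 ssh2
Oct 12 08:02:12 vpn1 sshd[2214]: Failed password for jim from 198.51.100.7 port 40005 ssh2
Oct 12 08:03:30 vpn1 sshd[2220]: Accepted password for jim from 198.51.100.7 port 40006 ssh2
Oct 12 09:15:00 vpn1 sshd[2301]: Accepted publickey for treasurer from 203.0.113.11 port 50200 ssh2
Oct 12 09:20:00 vpn1 sshd[2305]: Connection closed by 203.0.113.11 port 50200
"""

# Constructed allowlist: the office and the VPN concentrator's known egress addresses.
ALLOWLIST = {"203.0.113.10", "203.0.113.11"}


def parse_line(line, year=2015):
    """Return a dict for an authentication line, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed; syslog omits it
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}


def analyze(lines, allowlist, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (kind, ip, user, detail) alerts, in the order they were triggered."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    burst_flagged = set()           # one burst alert per address
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]
        if ev["result"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            if len(recent) >= fail_threshold and ip not in burst_flagged:
                burst_flagged.add(ip)
                alerts.append(("failure_burst", ip, user, f"{len(recent)} failures within {window}"))
        else:
            if ip not in allowlist:
                alerts.append(("login_from_unknown_ip", ip, user, ev["method"]))
            if failures[ip]:
                alerts.append(("success_after_failures", ip, user, f"{len(failures[ip])} prior failures"))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, detail in analyze(SAMPLE_LOG.splitlines(), ALLOWLIST):
        print(f"{kind:24} {ip:16} {user:10} {detail}")
```

Pointing this at the real log (`analyze(open('/var/log/auth.log'), ALLOWLIST)`) and paging on `success_after_failures` is the minimum that turns a log file into monitoring; the allowlist is where travelling staff's hotel and airport addresses will show up, which is exactly the case the deck says to plan for before every trip.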
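The "One Time Passwords (OTP)" bullet covers what an authenticator app or hardware token actually computes. The block below is an added example, not the deck's material: a standard-library implementation of HOTP (RFC 4226) and time-based TOTP (RFC 6238), plus the verification step a server runs, with a one-step clock-drift window and a constant-time comparison. The test key is the RFC 6238 reference key, so the codes can be checked against the published vectors; the base32 helper mirrors the secret format shown in enrollment QR codes.

```python
"""HOTP / TOTP one-time passwords (RFC 4226 / RFC 6238) with the Python standard library."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference key (the ASCII digits 1..0 twice); its base32 form is what a QR code carries.
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def key_from_base32(secret):
    """Decode an enrollment secret; tolerates spaces, lowercase and missing '=' padding."""
    s = secret.replace(" ", "").strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, then modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)          # keep leading zeros


def totp(key, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP: HOTP with the counter set to the number of `step`-second periods since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits, digestmod)


def verify_totp(key, candidate, for_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the code for the current period or `window` periods either side,
    comparing in constant time so timing does not leak which digits matched."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + delta, digits), candidate)
    return ok


if __name__ == "__main__":
    key = key_from_base32(RFC_TEST_KEY_B32)
    print("current 6-digit TOTP for the RFC test key:", totp(key))
    print("RFC 6238 vector, T=59, 8 digits:", totp(key, 59, digits=8))
```

Two things the code makes visible that the slide bullet cannot: the shared secret is a symmetric key, so the server's copy needs the same protection as a password database, and the acceptance window means a code stays valid for about 90 seconds, which is why the server should also remember the last accepted counter and refuse replays.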
PERSONAL CONTACT INFORMATION
Jim McConnell
http://MyChurchSecurity.com
@AskJimMcConnell
Meet me outside….
Special OSAC Conference Page
http://MyChurchSecurity.com/OSAC2015
….Thank You For the Honor to Serve You Today….