Information Security
Jim Cusson, CISSP
Recent Breaches
Records    Date        Organization
110,000    2009-11-27  NorthgateArinso, Verity Trustees
6,400      2009-11-25  Aurora St. Luke's Medical Center
1,500,000  2009-11-19  Health Net
80,000     2009-11-18  Universal American Insurance
Largest Breaches
Records      Date        Organization
130,000,000  2009-01-20  Heartland Payment Systems
94,000,000   2007-01-17  TJX Companies Inc.
90,000,000   1984-06-01  TRW, Sears Roebuck
76,000,000   2009-10-05  National Archives and Records Administration
40,000,000   2005-06-19  CardSystems, Visa, MasterCard, American Express
30,000,000   2004-06-24  America Online
26,500,000   2006-05-22  U.S. Department of Veterans Affairs
25,000,000   2007-11-20  HM Revenue and Customs, TNT
17,000,000   2008-10-06  T-Mobile, Deutsche Telekom
16,000,000   1986-11-01  Canada Revenue Agency
Cost of a Breach
• In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the cost per compromised record in 2008 to be $202
• Actual Costs – Legal, Credit Monitoring, Reputation, Mailings, Stock Price, etc.
• The security breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion
• Heartland Breach Cost Company $32 Million So Far (August 2009)
• According to the Ponemon Institute's study, the Heartland breach will likely be more costly than the theft of data from TJX
• In 2008 – $6.6 million per incident
• Costs include the costs of detecting and responding to the loss of data, along with legal and administrative expenses, customer defections and opportunity loss
Identity Theft
• As of November 24, 2009 the total number of breaches reported by the ITRC (Identity Theft Resource Center) is 444
• The taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from the victim’s existing accounts, apply for loans, establish accounts with utility companies, rent an apartment, file bankruptcy or obtain a job using the victim’s name
• Identity theft is "an absolute epidemic"
• Increased in the last four or five years
• It is nationwide
• Affects everybody
• You can't detect it until it's probably too late
Types Of Breaches
• Document Disposal – Paper documents improperly disposed
• Stolen Laptops – Laptop stolen and info retrieved from hard drive
• Virus – Malicious software, key loggers, etc. send info off site
• Web – Vulnerability in web server exploited
• Lost Disk Drive – Lost/sold hard drive accessed to retrieve data
• Hack – Password guessed, system hacked
• Fraud – Social Engineering, people duped into giving up bank account details
• Lost Backup Tape – Backup tapes lost/stolen, accessed to retrieve data
• Internal – Trusted employees steal data and sell it
What Is Information Security
• Information security is the process of protecting information. It protects its confidentiality, integrity and availability.
• Confidentiality – Ensuring data is accessed only by those who should
• Integrity – Ensuring data is not modified
• Availability – Ensuring data is accessible
How To Secure Information
• Network Design
• Access Control
• Firewalls
• Intrusion Detection/Protection Systems
• Anti-Virus
• Backups
• Disaster Recovery/Business Continuity
Challenges
• Cost – Protection is expensive
• Compliance – GLBA, HIPAA, PCI, SOX
• Proving Effectiveness – How to show they’re getting value
Communication!
Communication is huge!
• Project Teams – Most members don’t know security
• Management – Often aren’t technical
• Enforcement – How to tell someone “it’s not secure”
• Policy – Writing for end users, enforcement