IT Security/Online Loss Prevention Bill Finnerty Assistant Director of Information Technology Cumberland County


Page 1

IT Security/Online Loss Prevention

Bill Finnerty, Assistant Director of Information Technology, Cumberland County

Page 2

What is your gender?

1. Female
2. Male

Poll results (chart percentages as extracted; which value belongs to which option is not recoverable): 38%, 62%

Page 3

What age group do you fall into?

1. 25 or less
2. 26 to 35
3. 36 to 45
4. 46 to 55
5. 56 or more

Poll results (chart percentages as extracted; option mapping not recoverable): 0%, 0%, 14%, 64%, 21%

Page 4

What job classification best fits you?

1. Elected Office
2. Human Resources
3. County Administration
4. Finance
5. Criminal Justice
6. Human Resources
7. IT
8. Other

Poll results (chart percentages as extracted; option mapping not recoverable): 0%, 8%, 8%, 0%, 15%, 0%, 0%, 69%

Page 5

I am attending this session because

1. I am a geek at heart
2. I am scared out of my mind
3. There was nothing else that interested me in this time slot
4. I heard there would be free food

Poll results (chart percentages as extracted; option mapping not recoverable): 42%, 8%, 42%, 8%

Page 6

I am confident in my organization’s IT security

1. Strongly Agree
2. Agree
3. Neutral
4. Disagree
5. Strongly Disagree

Poll results (chart percentages as extracted; option mapping not recoverable): 54%, 31%, 0%, 8%, 8%

Page 7

Who is the average hacker?

Age – 16 to 19
Gender – 90% male
Residence – 70% United States
Spends an average of 57 hours a week working on a computer
Knows C, C++, or Perl

Page 8

Who is the hacker?

1. Albert Gonzalez
2. Cody Reigle
3. Stephen Watt
4. Kevin Mitnick

Poll results (chart percentages as extracted; option mapping not recoverable): 0%, 33%, 25%, 42%

Page 9

How much would you be willing to pay for a security assessment?

1. Less than $10k
2. $10k to $30k
3. $30k to $50k
4. More than $50k

Poll results (chart percentages as extracted; option mapping not recoverable): 27%, 9%, 9%, 55%

Page 10

Online Fraud

2009
Over $560 million lost in online fraud
Zeus botnet is able to overwrite online bank reports to cover the fraud trail
FBI investigates Citibank hack by Russian organized crime

2010
Zeus botnet adds a licensing module and automatic notification via IM
Most exploits sold in online black markets for $5000 or less

Page 11

Cumberland County Redevelopment Authority Hack

September 22, 2009
$479,000 lost

Attack mechanism
Clampi virus
Replaced the banking website with a maintenance message
Used a remote session to access the bank account
Used Electronic Fund Transfers to quickly move the money

Page 12

Breach of Personal Information Notification Act § 2303. Notification of breach

An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person … notice shall be made without unreasonable delay

Page 13

What can we learn from a 3,000 year old Irish fort about IT security?

Defense in depth

The key is to have enough warning and delays to be able to react
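The "enough warning and delays to react" idea can be made concrete as a time budget: each layer holds an intruder up for a while, some layers also raise a warning when crossed, and the defense only works if the delay remaining after the first warning exceeds the time it takes to react. The following is an added example, not part of the presentation; the layer names, delays and reaction times are constructed assumptions, not measured values.

```python
"""Added illustration (not from the presentation): the "enough warning and
delay to react" principle as a time budget.

Each defensive layer holds an intruder up for some time (delay) and may raise
an alert when it is crossed (warning). The defender can only act once an
alert has fired and the reaction time has elapsed. Defense in depth holds
when the delay remaining after the first alert is longer than the reaction
time. Layer names and all timings below are constructed assumptions."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Layer:
    name: str
    delay_minutes: float  # how long the intruder needs to get past this layer
    alerts: bool          # whether crossing this layer raises a warning


def time_to_first_alert(layers: List[Layer]) -> Optional[float]:
    """Minutes from the start of the intrusion until the first warning fires.

    Returns None when no layer alerts at all (the intruder is never noticed).
    """
    elapsed = 0.0
    for layer in layers:
        elapsed += layer.delay_minutes
        if layer.alerts:
            return elapsed
    return None


def time_to_asset(layers: List[Layer]) -> float:
    """Minutes the intruder needs to get through every layer."""
    return sum(layer.delay_minutes for layer in layers)


def reaction_margin(layers: List[Layer], reaction_minutes: float) -> Optional[float]:
    """Spare minutes left after the defender has reacted; negative means too late.

    None when no warning ever fires, in which case reaction time is irrelevant.
    """
    alert_at = time_to_first_alert(layers)
    if alert_at is None:
        return None
    return time_to_asset(layers) - (alert_at + reaction_minutes)


def defense_holds(layers: List[Layer], reaction_minutes: float) -> bool:
    """True when the defender can act before the intruder reaches the asset."""
    margin = reaction_margin(layers, reaction_minutes)
    return margin is not None and margin > 0


# Constructed scenarios: a single perimeter layer versus several layers.
PERIMETER_ONLY = [Layer("firewall", 30, alerts=True)]

LAYERED = [
    Layer("firewall", 30, alerts=True),
    Layer("intrusion prevention", 10, alerts=True),
    Layer("host anti-malware", 20, alerts=True),
    Layer("least-privilege permissions", 60, alerts=False),
]


if __name__ == "__main__":
    for name, layers in (("perimeter only", PERIMETER_ONLY), ("layered", LAYERED)):
        for reaction in (45, 120):
            print(f"{name:15s} reaction={reaction:4d} min "
                  f"margin={reaction_margin(layers, reaction)} "
                  f"holds={defense_holds(layers, reaction)}")
```

Two things fall out of the model. A single alerting perimeter never holds, whatever the reaction time, because the warning fires at the same moment the asset is reached; it is the layers behind the first alerting one that buy the time to react. And a layer that delays but never alerts (the permissions layer here) only helps if something in front of it raised a warning, which is why the slide pairs warning with delay.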

Page 14

Perimeter Security

Firewall
Intrusion Prevention
Email gateway
Web proxy server

Page 15

Internal Security

Anti-virus, Anti-malware, Anti-spam, etc.
Desktop firewall
Host-based intrusion detection
Permissions

Page 16

IT Security Policy

Cover what is needed for your environment:
Email
Internet access
Social media
Hardware
Software
Anti-virus, Anti-malware, Anti-spam

Use plain English; these policies are written for staff, not for the legal and IT departments

Page 17

Does your organization regularly present IT security training?

1. Yes
2. No

Poll results (chart percentages as extracted; option mapping not recoverable): 64%, 36%

Page 18

Security Training

Know your learners
Vary the delivery methods: presentations, video, blogs, contests
Gotcha training

Page 19

What type of bank(s) does your organization do business with?

1. Credit Unions
2. Regional
3. National

Poll results (chart percentages as extracted; option mapping not recoverable): 0%, 0%, 100%

Page 20

Coordinating with your Business Partners

Establish a relationship with your bank's IT security staff
Service level agreements in contracts related to IT security

Page 21

Resources

Budget
Man hours
Internal vs. External

Page 22

Assessing IT Security Readiness

Industry standards: ISO 27001 and 27002, NIST Special Publication 800-53A, PCI Security Standard
Independent external assessment: IT responsibilities, business unit responsibilities
Remediation

Page 23

Questions

http://www.govloop.com/profiles/blogs/ccap-administration-conference