Transforming Communities:

IT, Civic Engagement, and Economic Development

- IT and the Need for Regulation

October 31, 2009

Deepa SaldanhaCISA, CISSP, QSA

Agenda

• Technology as the Enabler – the Trust DNA

• Threats and Drivers

• Observation from the Frontlines

• Regulatory Trends

• Conclusion

2 Confidential

IT Security

3

Technology as the Enabler

4 Confidential

Can you Trust what you see on your screen?- Phishing

5 Confidential

In addition to being a phishing page and stealing the individual’s identity, the page automatically forces the user to download what looks to be a software package of Adobe Player. If downloaded and executed, the individual’s computer is Trojaned and joined to a botnet for use in one or more illicit actions.

Can you Trust what you see on your screen?-More Phishing

6

Citibank_phishing_czech-republic.bmp – Sophisticated phishing attack on Citibank Business cards. If the long URL (to the Czech Republic) doesn’t give away that it is a phishing site, there is little else that would clue in users to avoid submitting their credentials.

7

New Threats

www.information-security-resources.com

How much is data worth?

8

Breaches as of Today

Major Breaches

10

http://www.privacyrights.org/ar/ChronDataBreaches.htm

How many data breaches have been reported in the month of October?

16

Verizon Data Breach Statistics 2009

11

12

Verizon Data Breach Statistics 2009

1970-1980

1980-1990

1990-2000

2000-

Present

A Brief History of

Regulatory Time

Computer Security Act of 1987

EU Data Protection HIPAA FDA 21CFR Part 11 C6-Canada GLBA

COPPA USA Patriot Act 2001 CAN-SPAM Act FISMA Sarbanes Oxley (SOX) CIPA 2002 Basel II NERC 1200 (2003) CISP State Privacy Laws (i.e.

California SB1386) Payment Card Industry (PCI) FTC Red Flags Rules HITECH CIP

Regulatory Trends

13

What’s your Top Priority?

14

Do we need more regulation?

Questions?

Deepa Saldanha

Coalfire Systems, Inc.

Senior Security Auditor

Deepa.Saldanha@coalfiresystems.com

Phone: 206-335-1063

15