IT Security/Online Loss Prevention - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
IT Security/Online Loss Prevention
  • Bill Finnerty
  • Assistant Director of Information Technology
  • Cumberland County

2
What is your gender?
  1. Female
  2. Male

3
What age group do you fall into?
  1. 25 or less
  2. 26 to 35
  3. 36 to 45
  4. 46 to 55
  5. 56 or more

4
What job classification best fits you?
  1. Elected Office
  2. Human Resources
  3. County Administration
  4. Finance
  5. Criminal Justice
  6. Human Resources
  7. IT
  8. Other

5
I am attending this session because
  1. I am a geek at heart
  2. I am scared out of my mind
  3. There was nothing else that interested me in this
    time slot
  4. I heard there would be free food

6
I am confident in my organization's IT security
  1. Strongly Agree
  2. Agree
  3. Neutral
  4. Disagree
  5. Strongly Disagree

7
Do you have Cyber Liability Insurance?
  1. Yes
  2. No

8
Who is the average hacker?
  • Age: 16 to 19
  • Gender: 90% male
  • Residence: 70% United States
  • Spends an average of 57 hours a week working on a
    computer
  • Knows C, C++, or Perl

9
Who is the hacker?
  1. Albert Gonzalez
  2. Cody Reigle
  3. Stephen Watt
  4. Kevin Mitnick

10
How much would you be willing to pay for a
security assessment?
  1. Less than $10k
  2. $10k to $30k
  3. $30k to $50k
  4. More than $50k

11
Online Fraud
  • 2009
    • Over $560 million lost in online fraud
    • Zeus botnet is able to overwrite online bank
      reports to cover the fraud trail
    • FBI investigates Citibank hack by Russian
      organized crime
  • 2010
    • Zeus botnet adds licensing module and automatic
      notification via IM
  • 2011
    • Zeus, SpyEye, Carberp, Gozi and Patcher
    • Most exploits sold in online black markets for
      $5,000 or less

12
Cumberland County Redevelopment Authority Hack
  • September 22, 2009
  • $479,000 lost
  • Attack mechanism
    • Clampi Virus
    • Replaced banking website with maintenance message
    • Used remote session to access the bank account
    • Used Electronic Fund Transfers to quickly move
      money

13
Hacktivism
  • Motivation: political
  • Groups
    • Anonymous
    • LulzSec
    • AntiSec
  • Tools
    • website defacement
    • distributed denial of service attacks
    • information theft

14
Breach of Personal Information Notification Act
§ 2303. Notification of breach
An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Notice shall be made without unreasonable delay.

15
What can we learn from a 3,000 year old Irish
fort about IT security?
  • Defense in depth
  • The key is to have enough warning and delays to
    be able to react

16
Physical Security
  • Physical access to computers and computer
    equipment is a

17
Perimeter Security
  • Firewall
  • Intrusion Prevention
  • Email gateway
  • Web proxy server

18
Internal Security
  • Anti-virus, Anti-malware, Anti-spam, etc.
  • Desktop firewall
  • Host-based intrusion detection
  • Permissions

19
IT Security Policy
  • Cover what is needed for your environment
    • Email
    • Internet access
    • Social media
    • Hardware
    • Software
    • Anti-virus, Anti-malware, Anti-spam
  • Use plain English; these are not for the legal
    and IT departments

20
Does your organization regularly present IT
security training?
  1. Yes
  2. No

21
Security Training
  • Know your learners
  • Vary the delivery methods
    • Presentations
    • Video
    • Blogs
    • Contests
    • Gotcha training

22
What type of bank(s) does your organization do
business with?
  1. Credit Unions
  2. Regional
  3. National

23
Coordinating with your Business Partners
  • Establish a relationship with your bank's IT
    security staff
  • Service level agreements in contracts related to
    IT security

24
Resources
  • Budget
  • Man hours
  • Internal vs. External

25
Assessing IT Security Readiness
  • Industry standards
    • ISO 27001 and 27002
    • NIST Special Publication 800-53A
    • PCI Security Standard
  • Independent external assessment
  • IT responsibilities
  • Business unit responsibilities
  • Remediation

26
Questions