The Cost Of Preventing Breaches
Tammy L. Clark, CISO, Georgia State University
Adam Dodge, IT Security Officer, Eastern Illinois University
Introducing… Tammy Clark
In the early years of Georgia State University’s Information Security program, Tammy was a very persistent hacker whacker. It was a thankless job, but someone had to do it…
Key Topics For Today’s Discussion
- Today’s Threat Landscape
- Breaches and Root Causes
- What Seems to Be the Problem Here?!
- What Drives Change in Higher Ed?
- Can We Use Technology, Processes, and People Effectively to Assist with Breach Prevention?
- The ‘Nitty-Gritty’ About Our Information Security Programs
- Summary of Key Points
- Join in On the Fun With Questions or Comments
Today’s Threat Landscape
What are the prevalent threats we’re seeing out there that affect our end users?
- Lots of spear phishing
- Infected websites
- Social engineering, scams, organized crime
Our IT orgs are dealing with increasingly sophisticated malware, SSH attacks, and OS/application vulnerabilities. New exploits continue to be developed at a dizzying pace, and our vendors can’t ever seem to keep up!
Introducing… Adam Dodge
Adam maintains the Educational Security Incidents (ESI) site, which serves as a repository for reported information on security incidents that have occurred at institutions of higher education.
Breaches and Root Causes
Educational Security Incidents (ESI) reports that in 2008:
- 173 separate incidents were reported (a 24.5% increase over 2007)
- Primary reasons: unauthorized disclosure - 75; theft - 40; unauthorized access/penetration - 35
Additionally, Privacy Rights Clearinghouse reports that so far in 2009, 38 colleges have reported incidents out of 196 total incidents reported. Of these, 17 were due to theft, 11 to unauthorized access/penetration, and 10 were the result of unauthorized disclosure.
What Seems to Be the Problem Here!?
- Lack of standardization: plans, policies and standards
- Challenges in data classification and risk management
- Incorrectly configured/secured devices, apps and web sites
- Inadequate perimeter protection
- Lack of advanced intrusion detection and analysis skills
- Inadequate endpoint protection
- Lack of encryption
- Open-ended culture
- Security ‘un-aware’ users: no ‘skin in the game’, or circumventing controls
What Drives Change in Higher Ed?
- Let’s face it: data breaches (either our own or a neighboring institution’s)
- Compliance: PCI, FERPA, HIPAA, GLBA, Red Flags, DMCA
- Research grants that require minimum levels of security or compliance with FISMA or ISO 27001/2
- Budget cuts
- Audits
- Emergency management
- Risk management
- University President’s/Provost’s priorities
Can We Use Technology to Assist with Preventing Breaches?
- Network security (intrusion prevention, intrusion detection, firewalls, AV and anti-spam gateways, et al.)
- Endpoint security tools and suites (AV, anti-spyware, anti-malware, host firewalls/IPS, NAC, etc.)
- Encryption
- Vulnerability assessments
- Governance, Risk, and Compliance
- Data Loss Prevention
- Identity and Access Management
- Security Information and Event Management
- The list goes on… and on
Bottom line: $$$$$$$$$$$$$$$$$$$$$$$$$$$$
Is Process Development Important as Well? YES! Why?
- Myriad of compliance requirements
- Standards (ISO, FISMA, COBIT, ITIL) and standardization (yes! in higher ed)
- Get rid of confidential data we don’t need or require!
- Data classification and risk management
- Audits / corrective and preventive measures
- Physical and logical controls to integrate into IT/business processes
- 3rd parties processing or storing our data
- Contracts with customers on campus to manage their critical systems and data with central IT/Security organizations
And What About the People?!
- Authority (must) = Accountability (the Golden Rule)
- Make IT system/data protection everyone’s job!
- Responsible for compliance; in some cases, personal liability
- Data cleanup parties, including non-electronic formats
- Security reviews and mandated controls for systems processing confidential data (require encryption, no P2P apps, etc.)
- Lots and lots of security awareness training!
Higher Ed Information Security Programs: The ‘Nitty-Gritty’
Three stages of program maturity: Reactive, Proactive, Predictive
Reactive
- People: depend on ‘security unaware’ end users and (often) a cheerleader ISO!
- Process: too busy chasing the threats and incidents!
- Technology: protecting either the outside perimeter or workstations/servers (AV, firewalls)
- $$$ investment in breach prevention: Low
- Aftermath of a potential breach: High Impact
- Information Security Program Maturity Index: 1 or 2 on the CMMI
- Largest impacts to information security programs in Reactive mode: lots of unfunded mandates; inadequate resources and funding; threat of penalties/lawsuits due to noncompliance and lack of due diligence; difficulty detecting and responding to security incidents; increased reputational risk; high risk of widespread malware outbreaks and data breaches
Proactive
- People: emphasis on securing adequate resources
- Process: huge investment in process development and awareness training
- Technology: implement a defense-in-depth architecture
- $$$ investment in breach prevention: Very High
- Aftermath of a potential breach: Medium Impact
- Information Security Program Maturity Index: 3 or 4 on the CMMI
- Largest impacts to information security programs in Proactive stage/mode: heavy infrastructure costs and resource-intensive activities; paradigm shifts towards incorporating standards and regulatory guidance; increased standardization, risk management, and attention to building out a fully functional information security program; heavy reliance by the IT org on the Information Security Dept. staff to protect institutional data/IT resources
Predictive
- People: emphasis on integrating information security throughout the IT org and university
- Process: continuing investment; increased emphasis on security awareness education and training
- Technology: emphasis on optimizing technology investment
- $$$ investment in breach prevention: spread and streamline costs as information security integrates throughout the IT org and campus
- Aftermath of a potential breach: Low Impact
- Information Security Program Maturity Index: 4 or 5 on the CMMI
- Largest impacts to information security programs in Predictive stage/mode: no information security silos; information security is integrated into every facet of the institution; data protection is everyone’s responsibility; authority = accountability; dedicated staff focus on core information security duties
Case Study: Infosec @ Georgia State University
- 2000-2003: Reactive mode
- 2004-2009: Proactive mode
- 2010: moving into Predictive mode
Case Study: Eastern Illinois University
Summary of Key Points
- Threats continue to heavily target end users
- Human errors account for over 70% of data breaches that occur
- Information security staffs should not be held accountable for protecting institutional assets and data
- Information security needs to be integrated throughout our IT organizations and campuses
- In order to mature and ensure continuous improvement, information security programs must be adequately funded and ramped up in terms of people, process, and technology
- Effective policies, processes, guidelines, and security training/education must be emphasized and funded in terms of $$ and resources
- Building a solid community of ‘security aware’ users represents both our greatest challenge and our best defense against data breaches!
Questions?
Contact Tammy Clark at tlclark@gsu.edu, 404 413 4509
Contact Adam Dodge at
Copyright Tammy L. Clark, Oct 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
What did you think about this session? Your input is important to us! Click on “Evaluate This Session” on the conference program page.

The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
Editor's Notes

  1. Show movie