1. Information security isn’t about information or security, it’s about people!
Presented by Kevin Orth, VP of Operations
FRSecure LLC
2. Introduction - Topics
• About FRSecure
• Information Security Explained
• Why are people risky?
• Ingrained sense of trust
• Behaviors, moods, events, experiences, and surroundings
• Mistakes and malicious intent
• Twelve types of people
• Questions?
3. About FRSecure
FRSecure LLC is a full-service information security consulting company. We
are dedicated to providing value to our clients through well designed,
implemented, and managed information security solutions. Our mission
statement:
– We take the time to understand our client's business and align information
security initiatives with their goals and objectives. In so doing, our clients
benefit from solutions that help to drive business and add to the bottom
line. Information security does not have to be a cost center.
FRSecure works with businesses of all sizes, in all industries. We understand
that our clients are in business to make money, so we design secure solutions
that drive business, protect sensitive information assets, and improve their
bottom line.
4. What we do
• Information Security Assessments
An independent and objective assessment of your current information security
program based on well-established security standards.
– ISO Assessments
– Small Business Assessments
– Compliance Assessments
  • GLBA
  • HIPAA
  • PCI
– Network Security Assessments
– Wireless Networking Assessments
– SAS70/SSAE16 Readiness Assessments
– Customer Required Assessments
(Diagram: Assess – Test – Improve – Train – Manage cycle)
Visit FRSecure.com for more information
5. What we do
• Information Security Program Development
A formal, cost-effective, and customized information security program that reduces
risk and improves efficiency.
– Outsourced information security
– PCI Compliance
– Vendor Risk Management
– Penetration Testing
– Policy Creation
– Training & Awareness Programs
– BC/DR Planning
• Information Security Management
Leverage years of expertise without the tremendous expense that can accompany it.
– Outsourced CISO
– Incident Response
(Diagram: Assess – Test – Improve – Train – Manage cycle)
Visit FRSecure.com for more information
6. Introduction – A Principle
People present the most significant risk to the security of information.
“It’s not the technology that’s to blame for most breaches; it’s the
people behind the technology”
7. Introduction – A Question
Give an example of a typical way people lose
sensitive information.
9. Information Security Explained
Fundamentally, Information Security is:
The application of Administrative, Physical and Technical controls
in an effort to protect the Confidentiality, Integrity, and Availability
of Information.
Controls:
Administrative – Policies, procedures, processes
Physical – Locks, cameras, alarm systems
Technical – Firewalls, anti-virus software, permissions
Protect:
Confidentiality – Disclosure only to authorized entities
Integrity – Accuracy and completeness
Availability – Accessible when required and authorized
10. Why are people risky?
The variables involved in human behavior are numerous and
often unpredictable. People are affected by an
ingrained sense of trust in their fellow humans, and behaviors
can be affected by moods, events, experiences, and
surroundings. The risks involved can range from simple
mistakes to malicious intent. Understand that people present
the most significant risks to information assets, and design
controls to account for these risks. If we properly invest in
people through solid training and awareness, we can influence
behaviors and mitigate risk.
11. Ingrained Sense of Trust
People have a certain amount of trust in other people.
12. Social engineering example #1
• You receive an urgent email from
your bank that requires your
immediate attention.
• Everything appears to be legit, so
you click and log in.
• You’ve been phished!
• Someone else now has your login
credentials to your online banking
account.
13. Social engineering example #2
• You get a call from XYZ Energy
Company. They are performing account
maintenance on all accounts in your area.
• The person on the telephone asks you to
confirm your account information. “Sir,
we just need to confirm the information on
your account. As a thank you for your
time, we will credit $10 to your next
energy bill.”
14. Behaviors, Moods, Events, Experiences, and Surroundings
If you catch the right person at the right time, you might be surprised at what they
do to put themselves and their organization at risk.
15. Example 1 – It’s been a bad day
• You’re in a bad mood. Your boss comes to you and
asks you to do some seemingly unimportant task.
• Do you do it?
• Probably, but do you think the quality of the work
suffers?
• If the quality of the work suffers, details might be
missed. Some of these details might lead to
vulnerabilities.
16. Example 2 – I didn’t know any better
• A member of your team has
cancer and goes to the hospital
for chemotherapy.
• You check on them and find out
that they’re doing well.
• You email the rest of your team
to let them know that your
coworker is doing well and that
the chemo seems to be working.
17. Example 3 – Desperate times call for desperate measures
• You are a good worker, but you have fallen on hard times. Your
transmission went out in your car, and one of your children was recently
sick, leaving you with some expensive hospital bills. To add insult to
injury, your company was recently acquired and you could be out of a job
in a few months.
• You work in customer service for your company, and you have access to
sensitive customer information. You wouldn’t normally even consider
taking the information and using it for financial gain, but these are
desperate times.
• Desperate times call for desperate measures, right?
18. Example 4 – The quick stop
• On your way home from work, you decide to make a quick stop at the
convenience store. You need some bread and milk.
• After you get home, you turn to your back seat to grab your bag. It’s
gone!
• In your bag was your laptop; the same laptop that you use for work.
• You work in HR and you know that there were spreadsheets containing
sensitive personal information stored on the laptop hard drive.
• Uh oh! Your company is out thousands (maybe millions) of dollars, and
you are out of a job. That’s expensive milk!
19. Twelve types of people
• The disgruntled employee
In her mind, she’s been done wrong. She’s looking for revenge.
• The criminal employee
Eventually, he’s going to break the law to get what he wants.
• The poorly trained employee
This person just didn’t know any better.
• The driven employee
This gal is so busy that she doesn’t have time for rules.
• The overworked employee
He wants to do the right thing, but he has deadlines to meet.
• The curious/opportunist employee
What’s this directory, R&D? That might be cool!
20. Twelve types of people
• The vendor
Does anybody even know this guy?
• The contractor and/or service provider
They’re going to need administrator access.
• The customer
They’re requesting administrative access to one of your systems so that they can run some
tests.
21. Twelve types of people
• The outside criminal
You’ve got something that the criminal wants.
• The outside opportunist
While browsing your website, the opportunist recognizes something that catches his eye.
• The activist
As long as everyone agrees with you, you should be okay. See: Operation Payback and
“Anonymous”.
23. The Right Approach
Companies that take a comprehensive, risk-based approach
to information security are able to:
• Reduce (not eliminate) risks posed by people
• Provide adequate information security training to their
employees
• Leverage new technologies that have potentially high
people risk
• Reduce downtime due to mistakes
24. The Right Approach
The Jigsaw Puzzle Analogy
• Choose a standard – The box cover
• Information security controls – The pieces
• Build a framework – The edge and corner pieces
• Complete the picture – Refer to the box often. Each piece in the right place.
25. The Right Approach
The Jigsaw Puzzle Rules:
• Don’t build the puzzle from the inside out.
• Don’t build the puzzle without the box cover.
• If you don’t understand where a piece fits, don’t buy it.
28. Conclusion
• Information Security Program Development
A formal, cost-effective, and customized information security program that
reduces risk and improves efficiency.
– Outsourced information security
– PCI Compliance
– Vendor Risk Management
– Penetration Testing
– Policy Creation
– Training & Awareness Programs
– BC/DR Planning
(Diagram: Assess – Test – Improve – Train – Manage cycle)
Hopefully you now have a better understanding of why we use “People present
the most significant risk” as one of FRSecure’s Ten Principles that Guide our Work.
30. You made it! – Questions?
About FRSecure
As an information security firm, FRSecure protects sensitive, confidential business
information from unauthorized access, disclosure, distribution and destruction.
We assess existing information security systems and develop, implement and
manage plans tailored to each client’s specific security needs and overall business
interests. These plans spare clients from the irreparable financial and reputational
costs that invariably accompany the breach of sensitive business and personal
information.
Achievements, experience and continuous referrals separate FRSecure as reliable
information security experts who provide the resources and services that every
business needs, but only FRSecure can deliver.