Information security isn’t about information or security, it’s about people!

Presented by Kevin Orth, VP of Operations, FRSecure LLC
Introduction - Topics
• About FRSecure
• Information Security Explained
• Why are people risky?
• Ingrained sense of trust
• Behaviors, moods, events, experiences, and
  surroundings
• Mistakes and malicious intent
• Twelve types of people
• Questions?
About FRSecure
FRSecure LLC is a full-service information security consulting company. We
are dedicated to providing value to our clients through well-designed,
implemented, and managed information security solutions. Our mission
statement:

– We take the time to understand our client's business and align information
  security initiatives with their goals and objectives. In so doing, our clients
  benefit from solutions that help to drive business and add to the bottom
  line. Information security does not have to be a cost center.

FRSecure works with businesses of all sizes, in all industries. We understand
that our clients are in business to make money, so we design secure solutions
that drive business, protect sensitive information assets, and improve their
bottom line.
What we do
• Information Security Assessments
  An independent and objective assessment of your current information security
  program based on well-established security standards.
  – ISO Assessments
  – Small Business Assessments
  – Compliance Assessments
    • GLBA
    • HIPAA
    • PCI
  – Network Security Assessments
  – Wireless Networking Assessments
  – SAS70/SSAE16 Readiness Assessments
  – Customer Required Assessments

[Diagram: service cycle of Assess, Test, Improve, Manage, Train]

Visit FRSecure.com for more information
What we do
• Information Security Program Development
  A formal, cost-effective and customized information security program that reduces
  risk and improves efficiency.
  – Outsourced information security
  – PCI Compliance
  – Vendor Risk Management
  – Penetration Testing
  – Policy Creation
  – Training & Awareness Programs
  – BC/DR Planning

• Information Security Management
  Leverage years of expertise without the tremendous expense that can accompany it.
  – Outsourced CISO
  – Incident Response

[Diagram: service cycle of Assess, Test, Improve, Manage, Train]

Visit FRSecure.com for more information
Introduction – A Principle

People present the most significant risk to the security of information.

“It’s not the technology that’s to blame for most breaches; it’s the
people behind the technology”
Introduction – A Question




Give an example of a typical way people lose sensitive information.
Introduction – A Definition


What is information security?
Information Security Explained
Fundamentally, information security is:

The application of administrative, physical and technical controls
in an effort to protect the confidentiality, integrity, and availability
of information.

Controls:
Administrative – Policies, procedures, processes
Physical – Locks, cameras, alarm systems
Technical – Firewalls, anti-virus software, permissions

Protect:
Confidentiality – Disclosure only to authorized entities
Integrity – Accuracy and completeness
Availability – Accessible when required and authorized
Why are people risky?

The variables involved in human behavior are numerous and
often unpredictable. People are affected by an ingrained sense of
trust in their fellow humans, and behaviors can be affected by
moods, events, experiences, and surroundings. The risks involved
can range from simple mistakes to malicious intent. Understand that
people present the most significant risks to information assets, and
design controls to account for these risks. If we properly invest in
people through solid training and awareness, we can influence
behaviors and mitigate risk.
Ingrained Sense of Trust

People have a certain amount of trust in other people.
Social engineering example #1
• You receive an urgent email from
  your bank that requires your
  immediate attention.
• Everything appears to be legit, so
  you click and login.
• You’ve been phished!
• Someone else now has your login
  credentials to your online banking
  account.
Social engineering example #2
• You get a call from XYZ Energy
  Company. They are performing account
  maintenance on all accounts in your area.

• The person on the telephone asks you to
  confirm your account information. “Sir,
  we just need to confirm the information on
  your account. As a thank you for your
  time, we will credit $10 to your next
  energy bill.”
Behaviors, Moods, Events, Experiences, and Surroundings

If you catch the right person at the right time, you might be
surprised at what they do to put themselves and their organization at
risk.
Example 1 – It’s been a bad day

• You’re in a bad mood. Your boss comes to you and
  asks you to do some seemingly unimportant task.
• Do you do it?
• Probably, but do you think the quality of the work
  suffers?
• If the quality of the work suffers, details might be
  missed. Some of these details might lead to
  vulnerabilities.
Example 2 – I didn’t know any better
• A member of your team has
  cancer and goes to the hospital
  for chemotherapy.
• You check on them and find out
  that they’re doing well.
• You email the rest of your team
  to let them know that your
  coworker is doing well and that
  the chemo seems to be working.
Example 3 – Desperate times call for desperate measures
• You are a good worker, but you have fallen on hard times. Your
  transmission went out in your car, and one of your children was recently
  sick leaving you with some expensive hospital bills. To add insult to
  injury, your company was recently acquired and you could be out of a job
  in a few months.
• You work in customer service for your company, and you have access to
  sensitive customer information. You wouldn’t normally even consider
  taking the information and using it for financial gain, but these are
  desperate times.
• Desperate times call for desperate measures, right?
Example 4 – The quick stop
• On your way home from work, you decide to make a quick stop at the
  convenience store. You need some bread and milk.
• After you get home, you turn to your back seat to grab your bag. It’s
  gone!
• In your bag was your laptop; the same laptop that you use for work.
• You work in HR and you know that there were spreadsheets containing
  sensitive personal information stored on the laptop hard drive.
• Uh oh! Your company is out thousands (maybe millions) of dollars, and
  you are out of a job. That’s expensive milk!
Twelve types of people

• The disgruntled employee
  In her mind, she’s been done wrong. She’s looking for revenge.

• The criminal employee
  Eventually, he’s going to break the law to get what he wants.

• The poorly trained employee
  This person just didn’t know any better.

• The driven employee
  This gal is so busy; she doesn’t have time for rules.

• The overworked employee
  He wants to do the right thing, but he has deadlines to meet.

• The curious/opportunist employee
  What’s this directory; R&D? That might be cool!
Twelve types of people

• The vendor
  Does anybody even know this guy?

• The contractor and/or service provider
  They’re going to need administrator access.

• The customer
  They’re requesting administrative access to one of your systems so that they can run some
  tests.
Twelve types of people

• The outside criminal
  You’ve got something that the criminal wants.

• The outside opportunist
  While browsing your website, the opportunist recognizes something that catches his eye.

• The activist
  As long as everyone agrees with you, you should be okay. See: Operation Payback and
  “Anonymous”.
The thumb drive
The Right Approach
Companies who take a comprehensive, risk-based approach
to information security are able to:
•   Reduce (not eliminate) risks posed by people
•   Provide adequate information security training to their
    employees
•   Leverage new technologies that have potentially high
    people risk
•   Reduce downtime due to mistakes
The Right Approach

The Jigsaw Puzzle Analogy
•   Choose a standard – The Box Cover
•   Information security controls –
    The pieces
•   Build a framework – The edge and corner
    pieces
•   Complete the picture – Refer to the box
    often. Each piece in the right place.
The Right Approach

The Jigsaw Puzzle Rules:
•   Don’t build the puzzle from the inside out.
•   Don’t build the puzzle without the box cover.
•   If you don’t understand where
    a piece fits, don’t buy it.
The Right Approach

Whose data is it? The company’s or the individual’s?


This is why we’re passionate
The Right Approach

Are you an information security
  risk to your company?
Conclusion
• Information Security Program Development
  A formal, cost-effective and customized information security program that
  reduces risk and improves efficiency.
  – Outsourced information security
  – PCI Compliance
  – Vendor Risk Management
  – Penetration Testing
  – Policy Creation
  – Training & Awareness Programs
  – BC/DR Planning

[Diagram: service cycle of Assess, Test, Improve, Manage, Train]
Hopefully you have a better understanding of the reason why we use “People present
the most significant risk” as one of FRSecure’s Ten Principles that Guide our Work.
Exclusive to FRSecure
You made it! – Questions?
About FRSecure
As an information security firm, FRSecure protects sensitive, confidential business
information from unauthorized access, disclosure, distribution and destruction.
We assess existing information security systems and develop, implement and
manage plans tailored to each client’s specific security needs and overall business
interests. These plans spare clients from the irreparable financial and reputational
costs that invariably accompany the breach of sensitive business and personal
information.

FRSecure works with businesses of all sizes, in all industries. We understand that
our clients are in business to make money, so we design secure solutions that drive
business, protect sensitive information assets, and improve their bottom line.

Achievements, experience and continuous referrals separate FRSecure as reliable
information security experts who provide the resources and services that every
business needs, but only FRSecure can deliver.
Contact Information


Kevin Orth
www.FRSecure.com
korth@frsecure.com
952-442-1709 x11

20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 

People are the biggest risk

What we do
• Information Security Program Development
  A formal, cost-effective and customized information security program that reduces risk and improves efficiency.
  – Outsourced information security
  – PCI Compliance
  – Vendor Risk Management
  – Penetration Testing
  – Policy Creation
  – Training & Awareness Programs
  – BC/DR Planning
• Information Security Management
  Leverage years of expertise without the tremendous expense that can accompany it.
  – Outsourced CISO
  – Incident Response
(Diagram: Assess, Improve, Manage, Train, Test cycle)
Visit FRSecure.com for more information

Introduction – A Principle
People present the most significant risk to the security of information.
“It’s not the technology that’s to blame for most breaches; it’s the people behind the technology”

Introduction – A Question
Give an example of a typical way people lose sensitive information.

Introduction – A Definition
What is information security?

Information Security Explained
Fundamentally, information security is the application of administrative, physical and technical controls in an effort to protect the confidentiality, integrity, and availability of information.
Controls:
– Administrative – Policies, procedures, processes
– Physical – Locks, cameras, alarm systems
– Technical – Firewalls, anti-virus software, permissions
Protect:
– Confidentiality – Disclosure only to authorized entities
– Integrity – Accuracy and completeness
– Availability – Accessible when required and authorized

Why are people risky?
The variables involved in human behavior are numerous and often unpredictable. People are affected by an ingrained sense of trust in their fellow humans, and behaviors can be affected by moods, events, experiences, and surroundings. The risks involved can range from simple mistakes to malicious intent. Understand that people present the most significant risks to information assets, and design controls to account for these risks. If we properly invest in people through solid training and awareness, we can influence behaviors and mitigate risk.

Ingrained Sense of Trust
People have a certain amount of trust in other people.

Social engineering example #1
• You receive an urgent email from your bank that requires your immediate attention.
• Everything appears to be legit, so you click and log in.
• You’ve been phished!
• Someone else now has the login credentials to your online banking account.

Social engineering example #2
• You get a call from XYZ Energy Company. They are performing account maintenance on all accounts in your area.
• The person on the telephone asks you to confirm your account information. “Sir, we just need to confirm the information on your account. As a thank you for your time, we will credit $10 to your next energy bill.”

Behaviors, Moods, Events, Experiences, and Surroundings
If you catch the right person at the right time, you might be surprised at what they do to put themselves and their organization at risk.

Example 1 – It’s been a bad day
• You’re in a bad mood. Your boss comes to you and asks you to do some seemingly unimportant task.
• Do you do it?
• Probably, but do you think the quality of the work suffers?
• If the quality of the work suffers, details might be missed. Some of these details might lead to vulnerabilities.

Example 2 – I didn’t know any better
• A member of your team has cancer and goes to the hospital for chemotherapy.
• You check on them and find out that they’re doing well.
• You email the rest of your team to let them know that your coworker is doing well and that the chemo seems to be working.

Example 3 – Desperate times call for desperate measures
• You are a good worker, but you have fallen on hard times. The transmission went out in your car, and one of your children was recently sick, leaving you with some expensive hospital bills. To add insult to injury, your company was recently acquired and you could be out of a job in a few months.
• You work in customer service for your company, and you have access to sensitive customer information. You wouldn’t normally even consider taking the information and using it for financial gain, but these are desperate times.
• Desperate times call for desperate measures, right?

Example 4 – The quick stop
• On your way home from work, you decide to make a quick stop at the convenience store. You need some bread and milk.
• After you get home, you turn to your back seat to grab your bag. It’s gone!
• In your bag was your laptop, the same laptop that you use for work.
• You work in HR and you know that there were spreadsheets containing sensitive personal information stored on the laptop hard drive.
• Uh oh! Your company is out thousands (maybe millions) of dollars, and you are out of a job. That’s expensive milk!

Twelve types of people
• The disgruntled employee – In her mind, she’s been done wrong. She’s looking for revenge.
• The criminal employee – Eventually, he’s going to break the law to get what he wants.
• The poorly trained employee – This person just didn’t know any better.
• The driven employee – This gal is so busy, she doesn’t have time for rules.
• The overworked employee – He wants to do the right thing, but he has deadlines to meet.
• The curious/opportunist employee – What’s this directory, R&D? That might be cool!

Twelve types of people
• The vendor – Does anybody even know this guy?
• The contractor and/or service provider – They’re going to need administrator access.
• The customer – They’re requesting administrative access to one of your systems so that they can run some tests.

Twelve types of people
• The outside criminal – You’ve got something that the criminal wants.
• The outside opportunist – While browsing your website, the opportunist recognizes something that catches his eye.
• The activist – As long as everyone agrees with you, you should be okay. See: Operation Payback and “Anonymous”.

The Right Approach
Companies who take a comprehensive, risk-based approach to information security are able to:
• Reduce (not eliminate) risks posed by people
• Provide adequate information security training to their employees
• Leverage new technologies that have potentially high people risk
• Reduce downtime due to mistakes

The Right Approach
The Jigsaw Puzzle Analogy
• Choose a standard – The box cover
• Information security controls – The pieces
• Build a framework – The edge and corner pieces
• Complete the picture – Refer to the box often. Each piece in the right place.

The Right Approach
The Jigsaw Puzzle Rules:
• Don’t build the puzzle from the inside out.
• Don’t build the puzzle without the box cover.
• If you don’t understand where a piece fits, don’t buy it.

The Right Approach
Whose data is it? Company or individual. This is why we’re passionate.

The Right Approach
Are you an information security risk to your company?

Conclusion
• Information Security Program Development
  A formal, cost-effective and customized information security program that reduces risk and improves efficiency.
  – Outsourced information security
  – PCI Compliance
  – Vendor Risk Management
  – Penetration Testing
  – Policy Creation
  – Training & Awareness Programs
  – BC/DR Planning
(Diagram: Assess, Improve, Manage, Train, Test cycle)
Hopefully you have a better understanding of why we use “People present the most significant risk” as one of FRSecure’s Ten Principles that Guide our Work.

You made it! – Questions?
About FRSecure
As an information security firm, FRSecure protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction. We assess existing information security systems and develop, implement and manage plans tailored to each client’s specific security needs and overall business interests. These plans spare clients from the irreparable financial and reputational costs that invariably accompany the breach of sensitive business and personal information. FRSecure works with businesses of all sizes, in all industries. We understand that our clients are in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve their bottom line. Achievements, experience and continuous referrals separate FRSecure as reliable information security experts who provide the resources and services that every business needs, but only FRSecure can deliver.