NYBA 2017 Technology, Compliance &
Presentation transcript:

CIS Top 20 - NYBA 2017 Technology, Compliance & Risk Management Forum

INTRODUCTIONS
Derek Boczenowski: Sr. IT Security Analyst for Compass IT Compliance, performing audits and risk assessments for multiple verticals. Prior to Compass, worked for a FI in Massachusetts in the IT department for 15 years.
Nick Hnatiw: Co-Founder and CEO of Loki Labs Inc., a managed security services provider located in NYC. Loki provides the LokiSOC, a scalable managed SOC platform, as well as red team/pentest assessments. Prior to Loki Labs, Nick worked for the US DoD facilitating offensive on-net operations and as a technical director who coordinated research for 10 years.

AGENDA
How are we doing?
Why the CIS Top 20?
The Top 20

HOW ARE WE DOING?
Cybercrime damage to exceed $6,000,000,000,000 by 2021
68% of funds lost as a result of a cyber attack were declared unrecoverable (Ponemon Institute study)
90% of large organisations reported suffering a security breach in 2015
Online banking fraud increases 48% year-on-year

HOW ARE WE DOING?
53% - external notification of breaches
47% - internal notification of breaches
Source: Mandiant M-Trends 2016

WHY THE CIS TOP 20?

PRIORITIZED LIST
If you did nothing, you would still be protected.

RISK BASED
"[The CIS Top 20] map directly to the CSF core requirements and provide a realistic and community-driven risk management approach for making sure your security program will be both effective and efficient against real-world threats."
Risk is a function of attack surface, vulnerability of the attack surface, and the impact it will have on business operations.

COMPLIANCE IS NOT AN AFTERTHOUGHT
The focus of the CIS Top 20 is consistent with other compliance standards.

COMMUNITY DRIVEN
Community of experts votes on changes
Anyone can apply to be a member

DYNAMIC
Re-ordered so that Controlled Use of Admin Privileges is higher (moved from 12 to 5)
Deletion of Control 19 - Secure Network Engineering
New Control 7: Email and Web Browser Protections
The top 4 controls have not changed: CIS still views these controls as the most important

TOP 20 LIST
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports
10. Data Recovery Capability

TOP 20 LIST
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

05 - CONTROLLED USE OF ADMIN PRIVILEGES
Admins have the keys to the network - protect the keys.
Technical: Limit users; inventory/monitor admin accounts

08 - MALWARE DEFENSES
Malware is the vehicle of hackers.
Technical: AV/EDR, firewalls, IPS/IDS

10 - DATA RECOVERY CAPABILITY
Your data is the treasure.
Technical: Back up images and data

16 - ACCOUNT MONITORING & CONTROL
Users are the keys for hackers to get in.
Technical: Review all accounts; disable unknown/unused accounts
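The "inventory/monitor admin accounts" item under Control 5 and the "review all accounts, disable unknown/unused accounts" item under Control 16 are the same periodic review applied to two questions: who holds privilege, and which accounts should no longer exist. The script below is an added illustration, not part of the original presentation or of CIS material: it reads a constructed account export, flags members of privileged groups for the admin inventory, and lists accounts that are either absent from an HR roster (unknown) or have not logged on within an assumed 90-day window (unused) as candidates for disabling. The export format, group names, roster and threshold are all assumptions for this example.

```python
"""Account review helper (added example): privileged-account inventory for
CIS Control 5 and unknown/unused-account review for CIS Control 16.

The CSV layout, group names, HR roster and the 90-day threshold are assumptions
for this example; every record below is constructed, not a real export."""
import csv
import io
from datetime import date, datetime

# Groups treated as privileged (assumption; adapt to your directory's groups)
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_DAYS = 90  # assumed threshold for "unused"

# Constructed sample export: one row per account, groups separated by ';'
ACCOUNT_EXPORT = """\
username,enabled,last_logon,groups
jdoe,true,2017-05-20,Domain Users
svc_backup,true,2017-05-21,Domain Users;Administrators
oldadmin,true,2016-11-02,Domain Users;Domain Admins
contractor7,true,2017-02-01,Domain Users
tmp_test,true,2017-05-25,Domain Users
helpdesk,false,2017-01-10,Domain Users;Administrators
"""

# Constructed HR roster of people who should have accounts; service accounts
# are tracked separately because they never appear in HR data
HR_ROSTER = {"jdoe", "oldadmin", "contractor7", "helpdesk"}
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "enabled": row["enabled"].lower() == "true",
            "last_logon": datetime.strptime(row["last_logon"], "%Y-%m-%d").date(),
            "groups": {g for g in row["groups"].split(";") if g},
        })
    return rows


def review_accounts(rows, today, roster=HR_ROSTER, service=KNOWN_SERVICE_ACCOUNTS):
    """Return findings keyed by category, preserving export order.

    admin   - member of a privileged group (inventoried even if disabled)
    stale   - enabled, but no logon within STALE_DAYS
    unknown - enabled, but in neither the HR roster nor the service list
    """
    findings = {"admin": [], "stale": [], "unknown": []}
    for acct in rows:
        name = acct["username"]
        if acct["groups"] & ADMIN_GROUPS:
            findings["admin"].append(name)
        if not acct["enabled"]:
            continue  # already disabled; nothing further to act on
        if (today - acct["last_logon"]).days > STALE_DAYS:
            findings["stale"].append(name)
        if name not in roster and name not in service:
            findings["unknown"].append(name)
    return findings


def disable_candidates(findings):
    """Accounts to disable: unknown or unused, sorted for a stable report."""
    return sorted(set(findings["stale"]) | set(findings["unknown"]))


def sample_review():
    """Run the review over the constructed export as of a fixed date."""
    return review_accounts(parse_export(ACCOUNT_EXPORT), date(2017, 6, 1))


if __name__ == "__main__":
    f = sample_review()
    print("Privileged accounts to inventory:", f["admin"])
    print("Disable candidates:", disable_candidates(f))
```

Disabled accounts are skipped for the stale/unknown checks but still counted in the admin inventory, since a disabled account that remains in Domain Admins is exactly the kind of thing a privilege review should surface; a real run would replace the constructed export with output from the directory and feed the roster from HR.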

19 - INCIDENT RESPONSE & MANAGEMENT
Hope is not a plan.
Technical: The seven P's: Prior proper preparedness prevents piss poor performance!

QUESTIONS?
Derek Boczenowski dboczenowski@compassitc.com
Nick Hnatiw nick@lokilabs.io