Information Security Jim Cusson, CISSP

Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical Center 1,500, Health Net 80, Universal American Insurance Recent Breaches 130,000, Heartland Payment Systems 94,000, TJX Companies Inc. 90,000, TRW, Sears Roebuck 76,000, National Archives and Records Administration

Cost of a Breach 40,000, CardSystems, Visa, MasterCard, American Express 30,000, America Online 26,500, U.S. Department of Veterans Affairs 25,000, HM Revenue and Customs, TNT 17,000, T-Mobile, Deutsche Telekom 16,000, Canada Revenue Agency Largest Breaches In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the cost per compromised record in 2008 to be $202 per record

Actual Costs Legal, Credit Monitoring, Reputation, Mailings, Stock Price, etc The security breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion Heartland Breach Cost Company $32 Million So Far (August 2009) According to the Ponemon Institute's study, the Heartland breach will likely be more costly than the theft of data from TJX In $6.6 million per incident Costs include the costs of detecting and responding to the loss of data, along with legal and administrative expenses, customer defections and opportunity loss

Identity Theft As of November 24, 2009 the total number of breaches reported by the ITRC (Identity Theft Resource Center) is 444 The taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from the victim’s existing accounts, apply for loans, establish accounts with utility companies, rent an apartment, file bankruptcy or obtain a job using the victim’s name Identity theft is "an absolute epidemic”. Increased in the last four or five years. It is nationwide. Affects everybody You can't detect it until it's probably too late.

Types Of Breaches Document Disposal – Paper documents improperly disposed Stolen Laptops – Laptop stolen and info retrieved from hard drive Virus – Malicious software, key loggers, etc send info off site Web – Vulnerability in web server exploited Lost Disk Drive – Lost/sold hard drive accessed to retrieve data Hack – Password guessed, system hacked Fraud – Social Engineering, people duped into giving bank accounts Lost Backup Tape – Backup tapes lost/stolen, accessed to retrieve data Internal – Trusted employees steal data and sell it

What Is Information Security Information security is the process of protecting information. It protects its confidentiality, integrity and availability. Confidentiality – Ensuring data is accessed only by those who should Integrity – Ensuring data is not modified Availability – Ensuring data is accessible

How To Secure Information Network Design Access Control Firewalls Intrusion Detection/Protection Systems Anti-Virus Backups Disaster Recovery/Business Continuity

Challenges Cost – Protection is expensive Compliance – GLBA, HIPPA, PCI, SOX Proving Effectiveness – How to show they’re getting value

Communication! Communication is huge! Project Teams – Most members don’t know security Management – Often aren’t technical Enforcement – How to tell someone “it’s not secure” Policy – Writing for end users, enforcement