Insider Threat Assessing & Managing ‘People’ Related Risks to Technology John Rostern, CRISC, QSA Northeast Managing Director September 14, 2011.

Presentation transcript:


Why I love this topic…
"We have met the enemy and he is us…" - Pogo
Social Engineering: because there is no patch for human stupidity!
The potential size of the fraud is directly proportional to the level of access and the degree of trust placed in the individual.

If I were targeting a company…. Evil Plan #626 rev
1. Identify capable IT staff (system admin, network admin, DBA, etc.)
2. Determine how to compel/coerce/suborn them to your cause
3. Select your target company
4. Get these persons hired by the target company
5. Pay them over and above their salary to keep them 'engaged'
6. Wait a period of time while the 'employees' become 'trusted members' of the company
7. Extract insider knowledge to target information or tangible assets
8. Determine your target(s)
9. Time your move
10. Leave the 'trusted employees' to face law enforcement

Insert really boring statistics HERE to scare and impress the audience…

Technology Risk Interdependencies
End users download malware that allows their computer to become part of a botnet
Executives at targeted companies advertise personal information on their Facebook pages
The executives are 'spear-phished' when they open a bogus email crafted from their personal information
Internal, secure systems are infected
Data is exfiltrated
IF the leak is discovered we hold a meeting and wonder how it happened… Must have been China!

The Fraud Triangle
Uncontrolled access to information creates opportunity
Are you creating opportunity?

'Risky People'
Persons with extraordinary access to information assets
C-Level Executives: CEO, President, CFO, Board Members
'Privileged' IT Staff: Systems Administrators, Database Administrators, Programmers
Third Parties: Commercial Software Vendors, Outsourced IT Staff, Offshore Programming Resources
'I know what I'm doing…' 'I need to do my job…' 'Trust us!'

Mitigating Risky People
Do they have more access to information than needed?
Who are they? When were they last background checked?
Do you have background check requirements specific to job responsibilities?
What other compensating controls can be or are in place?
'2 Man System' requirements
Segregation of duties
Continuous monitoring
Ad hoc audits

Who is watching the store?
Consider Security operations vs. oversight roles
Potential conflicts of interest
Who owns RISK for the organization?

Align the CISO with Risk Owners
Align Security Operations with the IT organization
Separate oversight functions under the CISO
Dotted line relationship aligns policies, standards and procedures with risk
The ability to say NO

Traditional IT Configuration

Provide Better Segregation

Controlled Environment Design

Key Takeaways
Who are the Riskiest People in my organization?
How well do I know the people in my organization with access to information assets?
Is my organization engaging in 'Blind Trust' instead of 'Control'?
Consider:
Stricter background check requirements for privileged staff
Recurring and/or ad hoc background checks for certain roles
What is the role of your CISO? Where does he/she report?
How your network, systems and application architecture does or does not support effective segregation of duties
Data Analytics as part of regular audit procedures
The use of Continuous Controls Monitoring
Доверяй, но проверяй
"Trust, but verify…" - Ronald Reagan
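The compensating controls named in "Mitigating Risky People" and the data analytics / continuous controls monitoring called for in the takeaways can be expressed as simple checks. The script below is an added illustration, not part of the presentation; the role assignments, the conflicting-role policy and the privileged change log are all constructed sample data.

```python
"""Segregation-of-duties and '2 man system' checks over constructed audit data.

Assumed toy inputs (not from any real organisation): a user -> roles map,
a policy listing role pairs that must not be held by one person, and a
privileged change log recording who made each change and who approved it.
"""
from collections import defaultdict

# Constructed role assignments.
USER_ROLES = {
    "alice": {"dba", "app_developer"},            # can write code AND touch production data
    "bob": {"sysadmin"},
    "carol": {"security_oversight", "sysadmin"},  # oversight role also runs operations
    "dave": {"app_developer"},
}

# Constructed policy: role pairs the organisation treats as conflicting.
SOD_CONFLICTS = [
    ({"app_developer", "dba"}, "developer with direct production data access"),
    ({"security_oversight", "sysadmin"}, "oversight role also performs operations"),
]

# Constructed privileged change log. approver=None means nobody else looked.
CHANGE_LOG = [
    {"id": 101, "actor": "bob", "approver": "carol", "target": "prod-db-01"},
    {"id": 102, "actor": "bob", "approver": "bob", "target": "prod-db-01"},   # self-approved
    {"id": 103, "actor": "alice", "approver": None, "target": "ecom-web-02"},  # no second person
]


def sod_violations(user_roles, conflicts):
    """Return (user, reason) for every user who holds a conflicting role pair."""
    found = []
    for user, roles in sorted(user_roles.items()):
        for pair, reason in conflicts:
            if pair <= roles:          # user holds every role in the conflicting pair
                found.append((user, reason))
    return found


def two_person_violations(change_log):
    """Return ids of privileged changes lacking an independent second person."""
    return [c["id"] for c in change_log
            if c["approver"] is None or c["approver"] == c["actor"]]


def privileged_activity_by_user(change_log):
    """Count privileged changes per actor: a basic continuous-monitoring metric."""
    counts = defaultdict(int)
    for c in change_log:
        counts[c["actor"]] += 1
    return dict(counts)
```

Run periodically against real entitlement exports and change records, the same three functions become the ad hoc audit and continuous monitoring the slides recommend.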