Presentation is loading. Please wait.

Presentation is loading. Please wait.

NYBA 2017 Technology, Compliance &

Published byConstance Manning Modified over 6 years ago

Similar presentations

Presentation on theme: "NYBA 2017 Technology, Compliance &"— Presentation transcript:

1 NYBA 2017 Technology, Compliance &
CIS Top 20 NYBA 2017 Technology, Compliance &  Risk Management Forum 

2 INTRODUCTIONS Derek Boczenowski Nick Hnatiw
Sr. IT Security Analyst for Compass IT Compliance, performing audits and risk assessments for multiple verticals. Prior to Compass, worked for a FI in Massachusetts in the IT department for 15 years. Nick Hnatiw Co-Founder and CEO of Loki Labs Inc., a managed security services provider located in NYC. Loki provides the LokiSOC, a scalable managed SOC platform as well as red team/pentest assessments. Prior to Loki Labs, Nick worked for the US DoD facilitating offensive on-net operations and as a technical director that coordinated research for 10 years.

3 AGENDA How are we doing? Why the CIS Top 20? The Top 20 

4 HOW ARE WE DOING? Cybercrime damage to exceed $6,000,000,000,000 by 2021 68% of funds lost as a result of a cyber attack were declared unrecoverable *Ponemon Institute study 90% of large organisations reported suffering a security breach in 2015 Online banking fraud increases 48% year-on-year

5 HOW ARE WE DOING? 53% - external notification of breaches
47% - internal notifications of breaches Source: Mandient M-Trends 2016

6 WHY THE CIS TOP 20?

7 If you did nothing, you would still be protected.
PRIORITIZED LIST If you did nothing, you would still be protected.

8 RISK BASED “[The CIS Top 20] map directly to the CSF core requirements and provide a realistic and community-driven risk management approach for making sure your security program will be both effective and efficient against real-world threats.” Risk is a function of attack surface, vulnerability of the attack surface, and the impact it will have on business operations.

9 The focus of CIS Top 20 is consistent with other compliance standards:
COMPLIANCE IS NOT AN AFTERTHOUGHT The focus of CIS Top 20 is consistent with other compliance standards:

10 COMMUNITY DRIVEN Community of experts votes on changes Anyone can apply to be a member

11 DYNAMIC Re-ordered so that Controlled Use of Admin Privileges is higher (moved form 12 to 5) Deletion of Control 19 – Secure Network Engineering  New Control: 7 and Web Browser Protections The top 4 controls have not changed: CIS still views these controls as their most important 

12 TOP 20 LIST 1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software  4. Continuous Vulnerability Assessment and Remediation  5. Controlled Use of Administrative Privileges 6. Maintenance, Monitoring, and Analysis of Audit Logs 7. and Web Browser Protections 8. Malware Defenses 9. Limitation and Control of Network Ports 10. Data Recovery Capability

13 TOP 20 LIST 11. Secure Configurations for Network Devices
12. Boundary Defense 13. Data Protection 14. Controlled Access Based on the Need to Know 15. Wireless Access Control 16. Account Monitoring and Control 17. Security Skills Assessment and Appropriate Training to Fill Gaps 18. Application Software Security I9. Incident Response and Management 20. Penetration Tests and Red Team Exercises

14 Admins have the keys to the network – protect the keys.
05 – CONTROLLED USE OF ADMIN PRIVLEDGES Admins have the keys to the network – protect the keys. Technical: Limit User Inventory/Monitor admin accounts

15 Malware is the vehicle of hackers. Technical:
08 – MALWARE DEFENSES Malware is the vehicle of hackers.  Technical: AV/EDR, Firewalls, IPS/IDS

16 Your data is the treasure. Technical: Backup images and data
10 – DATA RECOVERY CAPABILITY Your data is the treasure. Technical: Backup images and data

17 Users are the keys for hackers to get in. Technical:
16 – ACCOUNT MONITORING & CONTROL Users are the keys for hackers to get in. Technical: Review all accounts Disable unknown/unused accounts

18 Prior proper preparedness prevents piss poor performance!
19 – INCIDENT RESPONSE & MANAGEMENT Hope is not a plan. Technical: The seven P’s: Prior proper preparedness prevents piss poor performance!

19 Derek Boczenowski dboczenowski@compassitc.com
Questions? Nick Hnatiw Derek Boczenowski

Download ppt "NYBA 2017 Technology, Compliance &"

Similar presentations

Department of Revenue Lessons for Management by Department of Revenue Internal Audit.

Department of Revenue Lessons for Management by Department of Revenue Internal Audit.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September.

1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September.
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Chapter 3 Ethics, Privacy & Security

Chapter 3 Ethics, Privacy & Security
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.

Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Information Security– SNO International Zanzibar, Tanzania Joe Beaulac, Sr. Manager – Cyber Defense Center & Risk/Vulnerability Management 23 September.

Information Security– SNO International Zanzibar, Tanzania Joe Beaulac, Sr. Manager – Cyber Defense Center & Risk/Vulnerability Management 23 September.
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.

Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
E-Security: 10 Steps to Protect Your School’s Network NEN – the education network.

E-Security: 10 Steps to Protect Your School’s Network NEN – the education network.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
August 1999 Mr. Mike Finley, CISSP Senior Security Engineer Computer Science Corporation.

August Mr. Mike Finley, CISSP Senior Security Engineer Computer Science Corporation.
ISS SiteProtector and Internet Scanner LanAdmin Group Meeting 12/8/2005.

ISS SiteProtector and Internet Scanner LanAdmin Group Meeting 12/8/2005.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.

℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.

Similar presentations

Ads by Google