Cyber Security: What You Don’t Know Will Hurt You
Paul Jones, CIO, City of West Palm Beach
Presentation Roadmap
A Brief History
The Security Landscape
Social Engineering
The Dark Side
Reducing Liability
Must Haves
Objectives
Provide an overview of the current security landscape
Define challenges from the perspective of the organization and IT
Take a look at the dark side
Define security awareness / social engineering
Review ways to reduce liability
Discuss security must haves and best practices
Not so Long Ago
The Security Challenge
Competing concerns across the Organization and IT: State Initiatives, Fiscal Responsibilities, Politics, Legal Concerns, Budgets, Finance, Processes, Asset Management, Audits, Citizens, Day-to-Day Ops, Innovation, Project Mgmt., Maintenance, Installations, Life Cycle Mgmt., Communications, Customer Service, Testing, Business Analysis, and Security (listed under both the Organization and IT)
The Balancing Act
Ease-of-Use vs. Security
Maintenance vs. Projects
On one side: Speed to Delivery, Cost Cutting, Simplicity, Get-It-Done
On the other: Security, Projects, Quality, Availability, Functionality, Customer Service
Unbalanced
Visible Issues vs. Invisible Successes
Is IT Funny?
Who are the Bad Guys?
Hackers
Hacktivists
Insiders
Vendors
Pranksters
Organized crime
Competitors
Thrill seekers
Revenge seekers
Anybody / Anywhere
Attacks
Malware / Viruses
Breaches
Leakage
Insider Threats
Bots / Botnets
Denial of Service
Vendor Mistakes
Ransomware
Social Engineering
Information Value & Cost

Record Type | Estimated Underground Value per Record (McAfee and World Privacy Forum)
Financial Account | $14.00–$25.00
Credit/Debit Card | $4.00–$5.00
Medical Account Data | $0.03–$2.42
Full Medical Record with supporting documents | $50.00

Record Type | Estimated Breach Cost per Record (Ponemon Institute 2016 Report)
Health | $355.00
Education | $246.00
Financial | $221.00
The Dark Side
Shopping Made Easy
One to Many
Misconception – “Security is an IT thing”
“A new study reveals that more than 8 out of 10 (88%) companies surveyed admit their organization experienced a significant security event in the last twelve months, with as many as 73% of the companies indicating that the cause was insiders.” (The Norris Corporation)
Internal Disclosures
Disgruntled employee
Social engineering scams
Phishing scams
Human errors
Human naivety
Security Awareness Security awareness is the knowledge and attitude that members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.
An Easy Target
Weak passwords
Not changing passwords
Writing passwords down
Opening any and everything
Being gullible to scams
Ignoring good security policies and practices
Thinking IT has it all taken care of
NOT BEING AWARE
Social Engineering
“You could spend a fortune purchasing technology and services…and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” – Kevin Mitnick
Social Engineering
Pretexting – Creating a fake scenario
Phishing – Sending out bait to fool victims into giving away their information
Fake Websites – Molded to look like the real thing; the user logs in with real credentials that are now compromised
Fake Pop-ups – Pop up in front of a real website to obtain user credentials
Deepfakes – Fake audio and video that make a person appear to be saying something they did not say
Social Engineering – “They sounded so legitimate”
“Hello John, this is Bill from IT (Microsoft) and I am updating your computer right now – but I need your password to install these new much-improved applications for you. You are going to love these new features!!!”
A Culture of Awareness
Annual security awareness training
Monthly security tips
Send social engineering examples
Send alerts and attack notifications
Test users by going phishing
Establish peer groups
The “See it, Say it” Program
Do reward and recognition
Reducing Liability – CYO: Cover Your Organization
Due Diligence is the act of continually investigating and understanding the risks and vulnerabilities the organization faces.
Due Care is implementing security policies, procedures, standards, and countermeasures to provide protection from those threats.
“If an organization does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence” (Harris, 2010, p. 110)
The Three Tiers: Administrative, Technical, Physical
Balanced Security: Compliance, Governance, Oversight, Due Diligence, Due Care, Audits, Awareness, Documentation, Response
Strategy: Plans, Policies, Processes, Procedures, Standards, Guidelines, Technical Considerations and Infrastructure
It is not a Matter of IF, It is a Matter of When!!!!!
The Wheel of Misfortune
Riviera Beach – $600,000
Lake City – $460,000
Key Biscayne – $30,000
Jackson County, GA – $400,000
Baltimore – $18,000,000
Atlanta – $17,000,000
Tallahassee – $470,000
Ransomware Breaches
Organization Must Haves
Establish strong senior leadership buy-in (make security important)
Develop robust governance (what you permit, you promote)
Communicate and educate at all levels
Create a culture of security awareness
Incorporate security in change management
Integrate all three tiers (Technical, Administrative, Compliance)
Trust but verify (external audits)
Be prepared (incident response plan)
Demand continual action and improvement
Reward and recognize
It’s about Risk Mitigation
If we only have so much time and resources, where and how we focus our efforts is the key!!
Risk Management Process: Identify Risk, Assess, Control, Review Controls
Questions?