Barry Caplin: The Accidental Insider. Tues. May 13, 2014, 1:30P
WELCOME TO SECURE360 2014
Come see my talk tomorrow!
The CISO Guide – How Do You
Spell CISO? – Wed. 11A
The Accidental
Insider
Secure360
Tues. May 13, 2014
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
Chief Information Security Official
Fairview Health Services
http://about.me/barrycaplin
securityandcoffee.blogspot.com
@bcaplin
Fairview Overview
• Not-for-profit established in 1906
• Academic Health System since 1997
partnership with University of Minnesota
• >22K employees
• >3,300 aligned physicians
  – Employed, faculty, independent
• 7 hospitals/medical centers
(>2,500 staffed beds)
• 40-plus primary care clinics
• 55-plus specialty clinics
• 47 senior housing locations
• 30-plus retail pharmacies
2012 data
•5.7 million outpatient encounters
•74,649 inpatient admissions
•$2.8 billion total assets
•$3.2 billion total revenue
Who is Fairview?
A partnership of North Memorial and Fairview
In The News
Agenda
• What is it?
• How big an issue?
• What do we do?
Internal Risk Management vs. Insider Threat
What is Internal Risk Management?
• Malicious Insider = Current or former staff who:
– intentionally exceeded/misused authorized access to
networks, systems or data, and;
– affected security of organizations’ data, systems, or daily
operations
• Insider’s intentions can be good or evil
• Actions can be intentional or accidental
• Must consider errors and omissions
– Accidents
– Not following process
(CERT/US Secret Service Insider Threat Study)
CSI/FBI Computer Crime Survey
• Not a new issue
• 2007 – Insiders #1 reported problem.
• 2008 – Insider threat decreased
• 2009 – Some attributed 60-100% of losses to accidents
• 2010/2011 –
  – 40% attributed some loss to malicious insiders
  – 60% attributed some loss to non-malicious insiders (accidents)
Verizon DBIR (Data Breach Investigations
Report)
• 2008 & 2009 (based on Verizon-only)
– Most = external, most costly = internal; 39% multiple
parties
– Didn’t consider insiders’ “inaction”
• 2010 (included US Secret Service)
– Most = external, internal 48% (up 26%)
• 2011
  – Most external; 17% internal (-31%); 9% multiple parties
  – Simple; targets of opportunity; avoidable; most found by 3rd party
  – But doesn't consider accidents
2012 Verizon Breach Report
2012 report (included US Secret Service)
• Most = “external”; “internal” greatly decreased
• 79% of victims targets of opportunity
• 96% of attacks considered not highly difficult
• 96% of victims subject to PCI not compliant
• 97% were avoidable through simple or intermediate
controls
From: Dark Reading http://darkreading.com/insiderthreat
Types of Internal Risks
• Fraud: obtaining property or services through deception or
trickery.
• Theft of Information: stealing confidential or proprietary
information.
• IT Sabotage: acting with intent to harm an individual,
organization, or organization’s data, systems, operations.
• Error/Omission: causing damage to assets or
disclosure of information because of an
unintentional mistake.
– Leaving a system vulnerable (not patching,
config error, etc.)
– Improper disclosure (database accessible,
posting to website, etc.)
Risk Calculation
Asset, Threat, Vulnerability, Impact
=> Risk
(probability of event × impact = risk)
Attack Surface
Vulnerable Assets => "Attack Surface"
Attack Surface
Contributing factors:
• Open/listening ports on outward facing servers
• Services available on the inside of the firewall
• Code that processes input
  – Interfaces, SQL, web forms
• An employee with access to sensitive information is
socially engineered
The Attack Surface Problem, Stephen Northcutt, SANS, 2007
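Added worked example (not from the deck, from Fairview, or from SANS): a check for the first two contributing factors above, and for the "leaving a system vulnerable" and "database accessible" errors listed under Types of Internal Risks. It reads `ss -tlnp` output, ignores listeners bound to loopback only, and flags anything reachable from the network that is not on an allowlist, or whose port is held by an unexpected process. The sample output and the `APPROVED` allowlist are constructed for the example; `audit_this_host` runs the same check live and assumes a Linux host with iproute2.

```python
"""Triage a host's listening sockets for unintended network exposure.

Added illustration (not from the Secure360 deck): reads `ss -tlnp`-style
output and flags listeners reachable from the network that are not on an
approved-services allowlist. The sample output and the allowlist below are
constructed for the example.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1203,fd=6))
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1500,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     [::1]:631            [::]:*             users:(("cupsd",pid=700,fd=8))
"""

# Assumed allowlist for this host: port -> process name expected to own it.
APPROVED = {22: "sshd", 443: "nginx"}

# Pulls the process name out of users:(("name",pid=...,fd=...))
_PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback(self) -> bool:
        # Bound to loopback only: unreachable from the network.
        return self.addr.startswith("127.") or self.addr in ("[::1]", "localhost")


def parse_ss(output: str) -> list[Listener]:
    """Parse the Local Address:Port and Process columns of `ss -tlnp` output."""
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)     # handles [::]:22 and *:443
        m = _PROC_RE.search(line)
        process = m.group(1) if m else "?"
        listeners.append(Listener(addr, int(port), process))
    return listeners


def audit_listeners(output: str, approved: dict[int, str]) -> list[str]:
    """One finding per network-reachable listener that is not approved,
    or whose port is owned by a process other than the approved one."""
    findings = []
    for lst in parse_ss(output):
        if lst.loopback:
            continue                               # local-only: not attack surface
        expected = approved.get(lst.port)
        if expected is None:
            findings.append(f"{lst.addr}:{lst.port} ({lst.process}) is network-reachable but not approved")
        elif expected != lst.process:
            findings.append(f"{lst.addr}:{lst.port} expected {expected}, found {lst.process}")
    return findings


def audit_this_host(approved: dict[int, str]) -> list[str]:
    """Run the same check against the live host (assumes Linux with iproute2)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out, approved)


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT, APPROVED):
        print("FINDING:", finding)
```

On the constructed sample the only finding is the PostgreSQL listener on 0.0.0.0:5432: the Redis instance on 127.0.0.1 is not attack surface, and SSH and nginx are on the allowlist. That is the accidental-insider case the deck is about: nobody meant to expose the database, a configuration change bound it to all interfaces, and a check like this finds it without anyone having to remember to look. Keeping the allowlist under change control makes a new port on an approved server a reviewed change in its own right.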
Attack Surface
Are problems in these contributing factors primarily due to mistakes (errors and omissions)?
External Attacks
Are external attacks made possible because of internal mistakes (errors and omissions)?
Caveats: offense vs. defense; attacker skill level.
I'm not defending the attacker nor blaming the victim.
What do we do?
CERT Good Practices
• Risk assessments - insider/partners threats
• Document and enforce policies and
controls.
• Security awareness training
• Secure the physical environment.
• Password and account management.
• Separation of duties and least privilege.
• SDLC - Consider insider threats
CERT Good Practices
• Consider extra controls for privileged
users
• Change control
• Log, monitor, and audit
• Defense in Depth
• Secure backup and recovery
• Incident response plan
http://www.cert.org/insider_threat/
According to Schneier
Five basic techniques to deal with trusted
people (Schneier):
• Limit the number of trusted people.
• Ensure that trusted people are also
trustworthy.
• Limit the amount of trust each person has.
• Give people overlapping spheres of trust.
• Detect breaches of trust after the fact and
issue sanctions.
Good Practices I Like
• Practical policies
• Awareness
• SDLC (SLM, Security Lifecycle Management)
• System Review
• Vulnerability Management
• Configuration Management
• Backup
• Response/Recovery
Get the simple stuff right.
A Simple Approach
• SET briefing
–Philosophical direction
–Previous focus on external threats
–New area of focus
–Cross-divisional work – Security, IT,
Privacy, Audit, Legal, Compliance
–Culture change
Examples
• Media/device encryption
• Privileged accounts/Local Admin/activity
• Improved provisioning
• Annual recertification
• Security Lifecycle Management
• Training via audio/video
• Improved server control software/logging
• Improved change/config management
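Added worked example (not the deck's or Fairview's own tooling): the account checks behind "Improved provisioning", "Annual recertification" and "Privileged accounts/Local Admin" above, and behind CERT's "password and account management" and "separation of duties and least privilege" practices. It joins an HR roster to a directory export and reports enabled accounts owned by terminated staff (the "former staff" in the CERT definition), accounts with no HR owner, privileged accounts nobody has used in 90 days, and accounts holding both sides of a separation-of-duties pair. The roster, the accounts, the group names, the conflict pair, the review date and the 90-day threshold are all constructed assumptions.

```python
"""Access recertification review over an HR roster and a directory export.

Added illustration, not part of the Secure360 deck: the checks an annual
recertification or an improved provisioning process would run. Every record,
group name and threshold below is a constructed assumption for the example.
"""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (name, employment status)
HR_ROSTER = {
    "E1001": ("Ana Lopez", "active"),
    "E1002": ("Ben Ortiz", "terminated"),
    "E1003": ("Cy Nguyen", "active"),
    "E1004": ("Di Patel", "active"),
}

# Constructed directory export: one dict per account, emp is the join key to HR.
ACCOUNTS = [
    {"user": "alopez",  "emp": "E1001", "enabled": True, "groups": {"Staff"},                  "last_logon": date(2014, 5, 1)},
    {"user": "bortiz",  "emp": "E1002", "enabled": True, "groups": {"Staff", "Local-Admins"},  "last_logon": date(2014, 4, 20)},
    {"user": "cnguyen", "emp": "E1003", "enabled": True, "groups": {"Domain-Admins"},          "last_logon": date(2013, 11, 2)},
    {"user": "dpatel",  "emp": "E1004", "enabled": True, "groups": {"AP-Entry", "AP-Approve"}, "last_logon": date(2014, 5, 9)},
    {"user": "svc-bak", "emp": None,    "enabled": True, "groups": {"Backup-Operators"},       "last_logon": date(2014, 5, 12)},
]

PRIVILEGED_GROUPS = {"Domain-Admins", "Local-Admins", "Backup-Operators"}
# Separation-of-duties pairs: one person must not hold both sides (fraud control).
SOD_CONFLICTS = [({"AP-Entry"}, {"AP-Approve"})]
DORMANT_AFTER = timedelta(days=90)
# Review date is a fixed input, not the clock, so a run is reproducible for audit.
REVIEW_DATE = date(2014, 5, 13)


def review_access(accounts, roster, today):
    """Return (user, issue) findings for one recertification pass."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue                                  # already disabled: nothing to certify
        emp = roster.get(a["emp"]) if a["emp"] else None
        privileged = a["groups"] & PRIVILEGED_GROUPS

        # Former staff with a live account: the clearest internal risk.
        if emp and emp[1] == "terminated":
            findings.append((a["user"], "orphaned: owner terminated but account enabled"))
        # Account with no owner on the roster needs a named custodian.
        elif emp is None:
            findings.append((a["user"], "no HR owner: assign custodian or disable"))

        # Privileged access nobody is using is pure attack surface.
        if privileged and today - a["last_logon"] > DORMANT_AFTER:
            findings.append((a["user"], f"dormant privileged account ({', '.join(sorted(privileged))})"))

        # Flag accounts holding both sides of a conflicting pair.
        for left, right in SOD_CONFLICTS:
            if left <= a["groups"] and right <= a["groups"]:
                findings.append((a["user"], f"separation-of-duties conflict: {'+'.join(sorted(left | right))}"))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{user:10} {issue}")
```

On the constructed data the review produces four findings: bortiz is terminated but still enabled (and a local admin), cnguyen holds Domain-Admins but has not logged on in six months, dpatel can both enter and approve payables, and svc-bak has no HR owner. In practice the export comes from the directory and the roster from HR; the employee id on each account is the join key, and guaranteeing it at provisioning time is what makes the orphan check possible at all.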
A Simple Approach
To-Do List
• Communication and Awareness
• Examine current environment and
resources
• Scope mitigations
• Create implementation plan
• Execute!
Where to Learn More…
• CMU CyLab - http://www.cylab.cmu.edu/
• CERT - http://www.cert.org/insider_threat/
• Data Breach Blog -
http://breach.scmagazineblogs.com/
• OSF DataLossdb - http://datalossdb.org/
• Dark Reading -
http://darkreading.com/insiderthreat/
• http://slideshare.net/bcaplin
How Do You
Spell CISO?
Secure360
Wed. May 14, 2014
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
Chief Information Security Official
Fairview Health Services
The Accidental Insider: Managing Internal Risks at Secure360

Mais conteúdo relacionado

Destaque

CISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusCISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusBarry Caplin
 
Costume and prop ideas media as
Costume and prop ideas media asCostume and prop ideas media as
Costume and prop ideas media asisobelbay
 
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?Barry Caplin
 
Valley United Soccer Club new coach training
Valley United Soccer Club new coach trainingValley United Soccer Club new coach training
Valley United Soccer Club new coach trainingBarry Caplin
 
Dreaded Embedded sec360 5-17-16
Dreaded Embedded   sec360 5-17-16Dreaded Embedded   sec360 5-17-16
Dreaded Embedded sec360 5-17-16Barry Caplin
 

Destaque (7)

CISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from VenusCISOs are from Mars, CIOs are from Venus
CISOs are from Mars, CIOs are from Venus
 
Costume and prop ideas media as
Costume and prop ideas media asCostume and prop ideas media as
Costume and prop ideas media as
 
Silent Sideline Week
Silent Sideline WeekSilent Sideline Week
Silent Sideline Week
 
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?IT Consumerization – iPad’ing the Enterprise or BYO Malware?
IT Consumerization – iPad’ing the Enterprise or BYO Malware?
 
Valley United Soccer Club new coach training
Valley United Soccer Club new coach trainingValley United Soccer Club new coach training
Valley United Soccer Club new coach training
 
Nor'West Soccer LTPD 101
Nor'West Soccer LTPD 101Nor'West Soccer LTPD 101
Nor'West Soccer LTPD 101
 
Dreaded Embedded sec360 5-17-16
Dreaded Embedded   sec360 5-17-16Dreaded Embedded   sec360 5-17-16
Dreaded Embedded sec360 5-17-16
 

Semelhante a The Accidental Insider: Managing Internal Risks at Secure360

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightCBIZ, Inc.
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
Kaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya
 
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Fasoo
 
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...Case IQ
 
Stop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudStop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudWynyard Group
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Lawley Insurance
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk GovernanceDan Michaluk
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessCBIZ, Inc.
 
Counterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxCounterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxZakiAhmed70
 
Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Barry Caplin
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsNicholas Van Exan
 
Clasify information in education field
Clasify information in education fieldClasify information in education field
Clasify information in education fieldNebojsa Stefanovic
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Asad Zaman
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension Inc.
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceEvan Francen
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 

Semelhante a The Accidental Insider: Managing Internal Risks at Secure360 (20)

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response Plan
 
Kaseya Kaspersky Breaches
Kaseya Kaspersky BreachesKaseya Kaspersky Breaches
Kaseya Kaspersky Breaches
 
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
 
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
“New” Misconduct Challenges and Solutions for Investigating as We Move to a ...
 
Stop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraudStop occupational fraud - Three simple steps to help stop fraud
Stop occupational fraud - Three simple steps to help stop fraud
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security Awareness
 
Counterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptxCounterintelligence & The Insider Threat January 2019 (1).pptx
Counterintelligence & The Insider Threat January 2019 (1).pptx
 
2012 777 The Seven Blind Spots in Business and How to Prevent Them
2012 777   The Seven Blind Spots in Business and How to Prevent Them2012 777   The Seven Blind Spots in Business and How to Prevent Them
2012 777 The Seven Blind Spots in Business and How to Prevent Them
 
Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!Wearing Your Heart On Your Sleeve - Literally!
Wearing Your Heart On Your Sleeve - Literally!
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
 
Clasify information in education field
Clasify information in education fieldClasify information in education field
Clasify information in education field
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to Compliance
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 

Mais de Barry Caplin

Healing healthcare security
Healing healthcare securityHealing healthcare security
Healing healthcare securityBarry Caplin
 
It’s not If but When 20160503
It’s not If but When 20160503It’s not If but When 20160503
It’s not If but When 20160503Barry Caplin
 
It’s not if but when 20160503
It’s not if but when 20160503It’s not if but when 20160503
It’s not if but when 20160503Barry Caplin
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - PasswordsBarry Caplin
 
The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?Barry Caplin
 
Bullying and Cyberbullying
Bullying and CyberbullyingBullying and Cyberbullying
Bullying and CyberbullyingBarry Caplin
 
3 factors of fail sec360 5-15-13
3 factors of fail   sec360 5-15-133 factors of fail   sec360 5-15-13
3 factors of fail sec360 5-15-13Barry Caplin
 
Tech smart preschool parent 2 13
Tech smart preschool parent 2 13Tech smart preschool parent 2 13
Tech smart preschool parent 2 13Barry Caplin
 
Embracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG SecurityEmbracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG SecurityBarry Caplin
 
Online Self Defense
Online Self DefenseOnline Self Defense
Online Self DefenseBarry Caplin
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveBarry Caplin
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveBarry Caplin
 
Stuff my ciso says
Stuff my ciso saysStuff my ciso says
Stuff my ciso saysBarry Caplin
 
Toys in the office 11
Toys in the office 11Toys in the office 11
Toys in the office 11Barry Caplin
 
Teens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social NetworksTeens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social NetworksBarry Caplin
 
Laws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refsLaws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refsBarry Caplin
 
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refsLaws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refsBarry Caplin
 
How to be a Tech-Smart Parent
How to be a Tech-Smart ParentHow to be a Tech-Smart Parent
How to be a Tech-Smart ParentBarry Caplin
 
Internet Safety for Families and Children
Internet Safety for Families and ChildrenInternet Safety for Families and Children
Internet Safety for Families and ChildrenBarry Caplin
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle ManagementBarry Caplin
 

Mais de Barry Caplin (20)

Healing healthcare security
Healing healthcare securityHealing healthcare security
Healing healthcare security
 
It’s not If but When 20160503
It’s not If but When 20160503It’s not If but When 20160503
It’s not If but When 20160503
 
It’s not if but when 20160503
It’s not if but when 20160503It’s not if but when 20160503
It’s not if but when 20160503
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - Passwords
 
The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?The CISO Guide – How Do You Spell CISO?
The CISO Guide – How Do You Spell CISO?
 
Bullying and Cyberbullying
Bullying and CyberbullyingBullying and Cyberbullying
Bullying and Cyberbullying
 
3 factors of fail sec360 5-15-13
3 factors of fail   sec360 5-15-133 factors of fail   sec360 5-15-13
3 factors of fail sec360 5-15-13
 
Tech smart preschool parent 2 13
Tech smart preschool parent 2 13Tech smart preschool parent 2 13
Tech smart preschool parent 2 13
 
Embracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG SecurityEmbracing the IT Consumerization Imperative NG Security
Embracing the IT Consumerization Imperative NG Security
 
Online Self Defense
Online Self DefenseOnline Self Defense
Online Self Defense
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization Imperitive
 
Embracing the IT Consumerization Imperitive
Embracing the IT Consumerization ImperitiveEmbracing the IT Consumerization Imperitive
Embracing the IT Consumerization Imperitive
 
Stuff my ciso says
Stuff my ciso saysStuff my ciso says
Stuff my ciso says
 
Toys in the office 11
Toys in the office 11Toys in the office 11
Toys in the office 11
 
Teens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social NetworksTeens 2.0 - Teens and Social Networks
Teens 2.0 - Teens and Social Networks
 
Laws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refsLaws of the Game For Valley United Soccer Club travel soccer refs
Laws of the Game For Valley United Soccer Club travel soccer refs
 
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refsLaws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
Laws of the Game for Valley Athletic Assn (VAA) Community Soccer refs
 
How to be a Tech-Smart Parent
How to be a Tech-Smart ParentHow to be a Tech-Smart Parent
How to be a Tech-Smart Parent
 
Internet Safety for Families and Children
Internet Safety for Families and ChildrenInternet Safety for Families and Children
Internet Safety for Families and Children
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle Management
 

Último

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker

The Accidental Insider: Managing Internal Risks at Secure360

  • 2. WELCOME TO SECURE360 2014 Come see my talk tomorrow! The CISO Guide – How Do You Spell CISO? – Wed. 11A
  • 3. The Accidental Insider Secure360 Tues. May 13, 2014 bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin Chief Information Security Official Fairview Health Services
  • 5. Fairview Overview • Not-for-profit established in 1906 • Academic Health System since 1997 partnership with University of Minnesota • >22K employees • >3,300 aligned physicians – Employed, faculty, independent • 7 hospitals/medical centers (>2,500 staffed beds) • 40-plus primary care clinics • 55-plus specialty clinics • 47 senior housing locations • 30-plus retail pharmacies 2012 data • 5.7 million outpatient encounters • 74,649 inpatient admissions • $2.8 billion total assets • $3.2 billion total revenue
  • 6. Who is Fairview? A partnership of North Memorial and Fairview
  • 12. Agenda • What is it? • How big an issue? • What do we do?
  • 13. Internal Risk Management v Insider Threat
  • 14. What is Internal Risk Management? • Malicious Insider = Current or former staff who: – intentionally exceeded/misused authorized access to networks, systems or data, and; – affected security of organizations’ data, systems, or daily operations • Insider’s intentions can be good or evil • Actions can be intentional or accidental • Must consider errors and omissions – Accidents – Not following process (CERT/US Secret Service Insider Threat Study)
  • 15. CSI/FBI Computer Crime Survey • Not a new issue • 2007 – Insiders #1 reported problem. • 2008 – Insider threat decreased • 2009 – Some attributed 60-100% of losses to accidents • 2010/2011 – 40% attributed some loss to malicious insiders – 60% attributed some loss to non-malicious insiders (accidents)
  • 16. Verizon DBIR (Data Breach Investigations Report) • 2008 & 2009 (based on Verizon-only) – Most = external, most costly = internal; 39% multiple parties – Didn’t consider insiders’ “inaction” • 2010 (included US Secret Service) – Most = external, internal 48% (up 26%) • 2011 • Most external; 17% internal (-31%); 9% multiple parties • Simple; targets of opportunity; avoidable; most found by 3rd party • But doesn’t consider accidents
  • 17. 2012 Verizon Breach Report 2012 report (included US Secret Service) • Most = “external”; “internal” greatly decreased • 79% of victims targets of opportunity • 96% of attacks considered not highly difficult • 96% of victims subject to PCI not compliant • 97% were avoidable through simple or intermediate controls
  • 18. From: Dark Reading http://darkreading.com/insiderthreat
  • 21. Types of Internal Risks • Fraud: obtaining property or services through deception or trickery. • Theft of Information: stealing confidential or proprietary information. • IT Sabotage: acting with intent to harm an individual, organization, or organization’s data, systems, operations. • Error/Omission: causing damage to assets or disclosure of information because of an unintentional mistake. – Leaving a system vulnerable (not patching, config error, etc.) – Improper disclosure (database accessible, posting to website, etc.)
  • 22. Risk Calculation Asset, Threat, Vulnerability, Impact => Risk (probability of event × impact = risk)
  • 23. Attack Surface Vulnerable Assets => “Attack Surface”
  • 24. Attack Surface Contributing factors: • Open/listening ports on outward facing servers • Services available on the inside of the firewall • Code that processes input • Interfaces, SQL, web forms • An employee with access to sensitive information is socially engineered The Attack Surface Problem, Stephen Northcutt, SANS, 2007
  • 25. Attack Surface Are problems in these contributing factors primarily due to mistakes (errors and omissions)?
  • 26. External Attacks Are external attacks made possible because of internal mistakes (errors and omissions)? Caveats: offense v defense attacker skill level I'm not defending the attacker nor blaming the victim
  • 28. What do we do?
  • 29. CERT Good Practices • Risk assessments - insider/partners threats • Document and enforce policies and controls. • Security awareness training • Secure the physical environment. • Password and account management. • Separation of duties and least privilege. • SDLC - Consider insider threats
  • 30. CERT Good Practices • Consider extra controls for privileged users • Change control • Log, monitor, and audit • Defense in Depth • Secure backup and recovery • Incident response plan http://www.cert.org/insider_threat/
  • 31. According to Schneier Five basic techniques to deal with trusted people (Schneier): • Limit the number of trusted people. • Ensure that trusted people are also trustworthy. • Limit the amount of trust each person has. • Give people overlapping spheres of trust. • Detect breaches of trust after the fact and issue sanctions.
  • 32. Good Practices I Like • Practical policies • Awareness • SDLC (SLM) • System Review • Vulnerability Management • Configuration Management • Backup • Response/Recovery Get the simple stuff right.
  • 33. A Simple Approach • SET briefing – Philosophical direction – Previous focus on external threats – New area of focus – Cross-divisional work: Security, IT, Privacy, Audit, Legal, Compliance – Culture change
  • 35. Examples • Media/device encryption • Privileged accounts/Local Admin/activity • Improved provisioning • Annual recertification • Security Lifecycle Management • Training via audio/video • Improved server control software /logging • Improved change/config management A Simple Approach
  • 36. To-Do List • Communication and Awareness • Examine current environment and resources • Scope mitigations • Create implementation plan • Execute!
  • 37. Where to Learn More… • CMU CyLab - http://www.cylab.cmu.edu/ • CERT - http://www.cert.org/insider_threat/ • Data Breach Blog - http://breach.scmagazineblogs.com/ • OSF DataLossdb - http://datalossdb.org/ • Dark Reading - http://darkreading.com/insiderthreat/ • http://slideshare.net/bcaplin
  • 38. How Do You Spell CISO? Secure360 Wed. May 14, 2014 bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin Chief Information Security Official Fairview Health Services
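Slide 24 lists open or listening ports and services inside the firewall as attack-surface contributors, and slide 21 puts an unpatched or misconfigured system in the error/omission category. The script below is an added example, not material from the talk or from Fairview, showing one way a defender turns those two points into a routine check: it parses listening-socket output in the column layout of `ss -tulnH`, separates loopback-only listeners from network-exposed ones, and reports any exposed (protocol, port) pair that is not on an approved baseline. The sample socket lines and the `APPROVED_EXPOSED` baseline are constructed for the example; on a real host you would feed it the actual `ss` output and a baseline taken from the system's documented purpose.

```python
"""Inventory of listening sockets as an attack-surface check.

Added example (not from the talk): a concrete check for the "open/listening
ports" and "config error" points. Sample input and baseline are constructed.
"""
from dataclasses import dataclass

# Constructed sample in the column layout printed by `ss -tulnH`:
# Netid  State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53          0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5900        0.0.0.0:*
"""

# Hypothetical approved baseline for this host: the only (protocol, port)
# pairs that are supposed to be reachable from off the host.
APPROVED_EXPOSED = {("tcp", 22), ("tcp", 80)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def loopback(self) -> bool:
        """True when the socket is bound to a loopback address only."""
        return self.addr.startswith("127.") or self.addr == "::1"

    @property
    def exposed(self) -> bool:
        """Anything not loopback-only (a wildcard or a specific interface
        address) is part of the host's network-facing attack surface."""
        return not self.loopback


def parse_ss_output(text: str) -> list[Listener]:
    """Parse `ss -tulnH` style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":
            continue  # established or closing TCP sockets are not listeners
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # unnumbered port: nothing to inventory
        # Drop IPv6 brackets and a "%iface" scope suffix such as 127.0.0.53%lo.
        addr = addr.strip("[]").split("%")[0]
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def summarize(listeners: list[Listener]) -> dict[str, int]:
    """Counts of all, network-exposed and loopback-only listeners."""
    exposed = sum(1 for item in listeners if item.exposed)
    return {"total": len(listeners), "exposed": exposed,
            "loopback": len(listeners) - exposed}


def unexpected_exposure(listeners, approved=APPROVED_EXPOSED):
    """(proto, port) pairs reachable from the network but absent from the baseline."""
    exposed = {(item.proto, item.port) for item in listeners if item.exposed}
    return sorted(exposed - approved)


if __name__ == "__main__":
    found = parse_ss_output(SAMPLE_SS_OUTPUT)
    print(summarize(found))
    for proto, port in unexpected_exposure(found):
        print(f"not in baseline: {proto}/{port}")
```

In the constructed sample the MySQL and resolver sockets are loopback-only and drop out of the exposed set, while tcp/5900 is exposed and not in the baseline, so it is the one line the check reports. Running the same comparison on a schedule and diffing against the baseline catches the unintentional exposure that slide 21 classifies as an omission rather than an attack.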

Editor's Notes

  1. Check out my about.me, with links to twitter feed and Security and Coffee blog.
  2. April 9, 2009. Bob Quick, Britain's most senior counterterrorism officer, was forced to stand down today after an embarrassing security leak resulted in a major anti-terror operation, designed to foil an alleged al-Qaida plot to bomb Britain, being rushed forward.
  3. Accidents don’t only cause data loss… accidental outages can have highly negative results.
  4. Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well.
  5. datalossdb