Is Your Small Business Online Smart? Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE Director - Senator Leahy Center for Digital Investigation Associate Professor - Digital Forensics | Cyber Security Digital Forensic Examiner - Vermont Internet Crimes Against Children Task Force rajewski@champlain.edu | 802-318-4804 @jtrajewski
Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE
Director - Senator Leahy Center for Digital Investigation
Associate Professor - Digital Forensics | Cyber Security
Digital Forensic Examiner - Vermont Internet Crimes Against Children Task Force
rajewski@champlain.edu | @jtrajewski

Professional Certifications: EnCE, CCE, CISSP, CFE
Professional Associations: Board Member - BTV Ignite; DFCB - Digital Forensic Certified Practitioner "Founder"; CDFS - Consortium of Digital Forensic Specialists; ISFCE - International Society of Forensic Computer Examiners; ACFE - Association of Certified Fraud Examiners; HTCC - High Tech Crime Consortium
Recent Awards/Recognition:
• 2013 C. Bader Brouilette Alumni Leadership Award - Champlain College
• 2014 US Ignite Application Summit Best Public Safety Application
• 2012 Top Digital Forensic Professor - Digital Forensics - Princeton Review
• 2014 Honored by FBI Director James B. Comey
• 2012 Best 300 Professors in the United States - Princeton Review
• 2013 4 under 40 - Hilbert College
• 2011 Digital Forensic Examiner of the Year - Forensic 4cast Awards
"Behind this glass is incredible talent and this country in general and the FBI in particular needs those folks." - FBI Director James Comey
Do you think your data is safe?
What: Personally Identifiable Information; Protected Health Information; Private / Sensitive Information
Where: laptops | tablets; computers; removable devices; servers; cloud
Specifically: databases; email; spreadsheets; documents; pictures; videos
What makes most sense for your organization
Why do we have security & privacy issues with technology? The trade-off: Usability vs. Security.
If you have an IT staff, ask them two questions: When was the last time they experienced a data breach? Are they currently breached?
Who owns Cyber Security in your organization?
Who is accountable for Cyber Security in your organization?
Information Technology | Human Resources | Legal | Employees
Our job is to make it work | Our job is to shift liability | Our job is to avoid trouble | Our job is to do work
Employee behavior is not our problem | Security is a technical problem | Security is both a legal and IT problem | Security is trouble
Effective/Clear/Accountable Policy - shared across Human Resources, Information Technology, Legal and Employees
Baseball is back! Reactive vs. Proactive
So how do we do “proactive security”? We prioritize. We design. We educate. We test. We hunt.
Ask your IT staff the following but be wary of number three
Security Operations Centers (SOC): buzzword central. Can't we just buy "X" and be secure?
Data Breach
Imagine that you just received a phone call that said all of your personal information was posted on pastebin.
300,000 identities were just stolen from your customer database.
75,000 health records were just stolen from your wearable devices.
What Would You Do?
Data Breach
So you're a company that has "big data". Congratulations - you have customers from all 50 states. Someone just stole all of your data.
Unauthorized release of personal data
• SSN
• Taxpayer ID
• Passport number
• Bank numbers
• Credit card numbers
• PIN
• Digital Signature
• Biometric data
• Fingerprints
• Name/Email/Password
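Knowing "what" and "where" (the earlier slide) means actually looking. The following is an added example, not part of the original talk: a small scanner that searches text pulled from spreadsheets, documents, email exports or database dumps for three of the identifier types listed above (SSNs, card numbers, e-mail addresses) and reports where they occur, with the values masked so the report is not itself a new leak. The file names, sample contents and helper names are constructed for illustration; the SSN range rules and Luhn check are the public ones.

```python
"""Added example, not from the original talk: a small PII discovery scanner.

Given text pulled from the places listed above (spreadsheets, documents, email
exports, database dumps), it reports where SSNs, payment card numbers and e-mail
addresses occur, with the values masked so the report itself is not a new leak.
File names and sample contents below are constructed for illustration."""
import re
from collections import Counter
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes (card formats vary)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from part numbers and similar."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; a random digit string
    fails it 9 times out of 10, so it filters most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with '*'; separators are kept."""
    head, tail = value[:-keep], value[-keep:]
    return re.sub(r"\d", "*", head) + tail


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = addr.partition("@")
    return local[0] + "***@" + domain


def scan_text(text: str, source: str) -> list:
    """Return one finding per validated identifier found in `text`."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append({"source": source, "type": "SSN", "value": mask(m.group(0))})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"source": source, "type": "CARD", "value": mask(m.group(0))})
    for m in EMAIL_RE.finditer(text):
        findings.append({"source": source, "type": "EMAIL", "value": mask_email(m.group(0))})
    return findings


def scan_files(files: dict) -> list:
    """`files` maps a path or name to its text content (what a text-extraction
    step would produce for each document)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(text, name))
    return findings


def scan_directory(root: str, suffixes=(".txt", ".csv", ".log", ".md")) -> list:
    """Walk a tree of plain-text files. Office formats (.docx/.xlsx) and PDFs
    need a text-extraction step first, which is not shown here."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                files[str(path)] = path.read_text(errors="replace")
            except OSError:
                continue
    return scan_files(files)


def summarize(findings: list) -> Counter:
    """Counts per (source, type): the inventory needed before deciding what to keep."""
    return Counter((f["source"], f["type"]) for f in findings)


# Constructed sample "files"; the identifiers are test values, not real data.
SAMPLE_FILES = {
    "hr/payroll.csv": (
        "name,ssn,email\n"
        "Ada Lovelace,123-45-6789,ada@example.com\n"
        "Bob Builder,000-12-3456,bob@example.com\n"  # area 000: never issued, ignored
    ),
    "sales/orders.txt": (
        "card 4111 1111 1111 1111 exp 12/26\n"  # passes Luhn: reported
        "card 4111-1111-1111-1112 (typo)\n"     # fails Luhn: ignored
        "callback 802-555-0142\n"               # phone number, not an SSN
    ),
    "notes.txt": "nothing sensitive here\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for (source, kind), n in sorted(summarize(results).items()):
        print(f"{source}: {n} x {kind}")
    for f in results:
        print(f)
```

Run it against the constructed files and it reports one SSN and two e-mail addresses in hr/payroll.csv and one card number in sales/orders.txt; the never-issued SSN, the number that fails Luhn and the phone number are all dropped. Pointing scan_directory at a file share gives the same inventory for real text files; the regexes are deliberately narrow (dashed SSNs only, no health-record formats), so treat a clean result as a starting point, not proof.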
Data Breach Full album & lyrics: http://goo.gl/S6rxCv Music by Renald Francoeur, Drawing by Craighton Berman, Video by Don Markus, Video Editor Brad Taylor.
Aftermath of a data breach (adopted from Sheryl Falk, sfalk@winston.com)
Who may need to be notified: impacted individuals; government authorities; contractual partners; credit reporting agencies; press
Notification obligations: the trigger for notification; who to notify; timing of notification; contents of notice; methods for providing notice
What should breach notices look like?
• Describe the incident
• Categories of information involved
• Consequences of breach / nature of risk
• Protection measures put in place
• Advice about how to protect yourself
Adopted from Sheryl Falk sfalk@winston.com
PR strategy? Have a Breach Communications Plan
• Communicate breach facts accurately and quickly
• Understand and follow breach notification timetables
• Stay focused and concise
• Be prepared to update with new information
What you might offer:
• Information about security freezes and credit monitoring
• Contact information for credit reporting agencies, FTC or state authorities
• Central "ombudsman" for all questions
• Credit monitoring or identity restoration services
• Coupons or gift certificates
Questions to expect:
• What happened?
• When did it happen?
• What information was compromised?
• Was my information compromised?
• How many people's information was impacted?
• Was the information encrypted?
• Was my social security number compromised?
• Did anyone misuse this information?
• What should I do?
• What are you doing to protect me?
• Will this happen again?
• Who should I contact if I have more questions?
Adopted from Sheryl Falk sfalk@winston.com
Some action items to consider
• Understand your Data
• Evaluate your Data Security
• Fully Plan your Data Incident Response
• Identify your Data Security Response Team
• Identify your Response Partners
• Check for Cyberliability Insurance coverage
• Assess your Information Security Representations
Adopted from Sheryl Falk sfalk@winston.com
Case Studies (time permitting)
Recommend
More recommend