PMINJ Chapter Symposium - 06 May 2019 PMP, PMI-ACP, PMI-RMP, CSM, CSPO, PSM I, CISSP, ITIL, RESILIA,...


  • Susan Parente

    PMP, PMI-ACP, PMI-RMP, CSM, CSPO, PSM I, CISSP, ITIL, RESILIA, CRISC,

    MS Eng. Mgmt.

    GLS Team- Practice Consultant for Agile Scrum and IT Practice, Senior Instructor

    Instructor, University of Virginia: Agile Project Mgmt.

    Cybersecurity

    Am I at risk…?

    PMINJ Chapter

    Symposium - 06 May 2019

  • © International Institute for Learning, Inc. All rights reserved. 2

    Susan Parente

    • Risk Management and Agile Consultant and Trainer

    • Master of Science (MSEM, focus in Marketing of Technology), George Washington University

    • Bachelor’s in Mechanical Engineering (BS ME)

    • Certifications:

    Project Management Professional (PMP™) — 2006

    Project Risk Management Professional (PMI-RMP™) — 2011

    Certified Information Systems Security Professional (CISSP) — 2007

    RESILIA™ — 2006

    CRISC — 2018

    ITIL Foundations — 2006

    Agile Certified Practitioner (PMI-ACP™) — 2014

    Certified Scrum Master (CSM) & CSPO — 2017

    Professional Scrum Master I (PSM I) — 2017

    May 6, 2019


    Am I at Risk…?

    What is Cybersecurity?

    • Why is IT Security so important?

    Information Security

    Attacks/ Breaches

    Common Threats/ Vulnerabilities

    • Examples of threats

    What Can I Do?

    • Prevent (Risk Assessment, Planning, Training)

    • React (Recognizing/ Malware Detection)

    • Safe and Secure?: Defense Dept.

    Cybersecurity


    Cybersecurity: Also known as information technology security

    • Includes techniques to protect computers, networks, programs and data from unauthorized access or attacks on one’s computer or systems.

    Cyber Attack: An attempt to cause damage or destruction to a computer system or network.

    • Targets an individual or enterprise with the intent to disrupt, disable, destroy, or control a computer, its environment, or infrastructure, or to destroy the integrity of data or steal information.

    What is Cybersecurity?


    Definitions

    Attack: An attempt to obtain unauthorized access to information or services, or to harm or damage IT systems.

    Breach: An incident in which an attack succeeds, bypassing the system’s security controls and resulting in unauthorized access to, or disclosure of, data or systems.

    Attacks/ Breaches


    Attacks/ Breaches

    *Verizon, 2015 Data Breach Investigations Report


    Phishing:

    A fraudulent practice of sending email disguised as coming from a legitimate source, with the purpose of getting individuals to divulge personal information or credentials. Phishing is very commonly used and unfortunately it often works!

    Social Engineering:

    Deception by fraudulent parties to manipulate someone into sharing personal or confidential information (sensitive data).

    Spyware/ Trojan Horse:

    A malicious program packaged inside what appears to be legitimate software. Once installed it runs in the background, spying on your computer system (spyware), or it may delete or alter files.

    Viruses:

    Malicious code hidden inside other software. Once it infects a computer it attempts to spread, for example by mailing itself to everyone in your contact list.

    Common Threats/ Vulnerabilities


    Phishing Example:

    How do you know?

    Take a closer look…

    Common Threats/ Vulnerabilities


    Phishing Example Identification:

    • It looks legitimate

    (from HR, your bank, an invoice, shipping confirmation, etc.)

    • Hover over the link

    If you don’t recognize it don’t click!

    • Spelling or grammar errors

    • Urgency!! (invoking fear)

    Common Threats/ Vulnerabilities
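    The checklist above can be mechanised. The following is an added example, not code from the slides or from Axelos: it parses an HTML email body with the Python standard library and reports the same indicators the slide asks you to look for by hand (does the visible link text agree with where the href actually goes, is the target a bare IP address, does the wording push urgency). The sample message, the indicator names and the urgency word list are my own constructed assumptions.

```python
"""Heuristic phishing indicators for an HTML e-mail body.

Added example, not from the original slides. It mechanises the slide's
checklist: does each link really go where its text says, is the target
a bare IP address, and does the wording push urgency. The message below
is a constructed sample; indicator names and thresholds are my choice.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that typically signal the "act now or else" pressure the slide warns about.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account", "final notice")

# Constructed sample: the first link's visible text names one site while the
# href points at a look-alike host; the second uses a raw IP address.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, your account has been suspended. Please verify your
account immediately or it will be closed within 24 hours.</p>
<p><a href="http://example-bank.com.login-verify.example/secure">
https://www.example-bank.com/login</a></p>
<p><a href="http://203.0.113.10/update">Update billing details</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs plus all visible body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._current = None  # [href, text] of the <a> being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text.append(data)
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href.strip(), text.strip()))
            self._current = None


def host_of(value):
    """Lower-case host of a URL or bare domain ('' if none)."""
    if not value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Crude organisation-level domain (last two labels). Assumption for the
    demo only; a production checker would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(html):
    """Return a list of (indicator, detail) findings; empty means nothing flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # "Hover over the link": visible text that looks like a URL must agree
        # with where the href actually goes.
        if re.match(r"^(https?://|www\.)", text, re.I):
            if registrable(host_of(text)) != registrable(href_host):
                findings.append(("link text/target mismatch", f"{text} -> {href_host}"))
        # Legitimate senders almost never link to a bare IP address.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(("IP-literal link", href))
    # Collapse whitespace so phrases split across lines still match.
    body = " ".join(" ".join(parser.text).split()).lower()
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        findings.append(("urgency language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_EMAIL):
        print(f"[{indicator}] {detail}")
```

    Running it on the sample flags the mismatched link, the IP-literal link and four urgency phrases, while the genuine "Help centre" link produces nothing. The hostname comparison is deliberately crude (last two labels); real mail filters use the Public Suffix List and reputation data, and none of these heuristics replaces the human habit the slide is teaching.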


    Ransomware:

    Your computer’s data is held ‘hostage’ (encrypted) and you are asked for payment to release it and regain access to your computer. (This is another great reason to back up your data, and to keep a copy that the infected machine cannot reach!)

    Worm:

    Once your computer is infected, a worm works on its own, without any user action, and propagates by sending copies of itself to other computers over the network.

    DoS (Denial of Service) Attack:

    The goal is to flood a specific website or server with traffic until the volume overwhelms it and legitimate users can no longer reach it.

    Common Threats/ Vulnerabilities

    *Axelos Limited, 2017. RESILIA Frontline Overview


    Common Threats

    *Axelos Limited, 2017. RESILIA Frontline Overview

    “You need to really work with your people and embark on conversations with them about the threats that are out there. That’s what we want to change – we want people to talk about security, discuss the risks, but help each other out. The more people talk about security with each other, the better things will become.”


    Common Threats

    *Axelos Limited, 2017. RESILIA Frontline Overview

    “It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you’ll do things differently.”


    Common Threats

    *Axelos Limited, 2017. RESILIA Frontline Overview

    “It is important companies remain vigilant, taking steps to proactively and intelligently address cyber security risks. Beyond the technological solutions, we can accomplish even more through better training, awareness and insight on human behaviour. Confidence, after all, is not a measure of technological systems, but of the people entrusted to manage them.”


    Prevent attacks

    • Risk Assessment, Planning, Awareness

    React to attacks

    • Recognizing/ Malware Detection

    What can I do…?


    IT Security Guidelines/ Standards

    • Develop and implement these to prevent incidents and to manage IT security for the organization.

    Password Safety:

    • Guidance on the creation and management of high-strength passwords, to help stop attackers from gaining unauthorized access to the organization’s network.

    Remote and Mobile Working:

    • Safe use of office devices outside of the organizational environment.

    General Prevention

    *Axelos Limited, 2017. RESILIA Frontline Overview
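    As an added illustration of what “password safety” guidance can look like when enforced rather than just published (this is my example, not code from the slides or Axelos): a small policy checker that follows the direction of NIST SP 800-63B, which favours length and screening against known-compromised passwords over composition rules. The minimum length, the tiny blocklist (a constructed stand-in for a real breached-password corpus) and the repeat/sequence tests are assumptions of the example.

```python
"""Password-policy check in the spirit of the slide's "Password Safety" item.

Added example, not from the slides or Axelos. Policy encoded here:
  * minimum length (the strongest single control),
  * not on a common/breached password list,
  * does not contain the user name,
  * no long character repeats or keyboard-sequence runs.
The blocklist below is a constructed stand-in for a real breached corpus.
"""
import hashlib
import re

MIN_LENGTH = 12  # assumption for the demo; pick the value your policy sets

# Stand-in for a breached/common password list. Stored as SHA-1 digests only
# as a lookup key (the same scheme the Have I Been Pwned range API uses);
# SHA-1 must never be used to *store* user passwords.
_COMMON = ["password", "123456", "qwerty", "letmein", "welcome1", "Password1!"]
BLOCKLIST = {hashlib.sha1(p.encode()).hexdigest() for p in _COMMON}


def in_blocklist(pw):
    """True if the password (exact string) is on the common/breached list."""
    return hashlib.sha1(pw.encode()).hexdigest() in BLOCKLIST


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending
    characters (abcd, 4321), a cheap proxy for keyboard-walk habits."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, username=""):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if in_blocklist(pw):
        problems.append("appears in the common/breached password list")
    if username and len(username) >= 3 and username.lower() in pw.lower():
        problems.append("contains the user name")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("has a character repeated three or more times in a row")
    if has_sequence(pw):
        problems.append("contains a run of sequential characters (abcd, 1234)")
    return problems


if __name__ == "__main__":
    for candidate, user in [("password", ""), ("Password1!", ""),
                            ("Alice-winter-2019!!", "alice"),
                            ("correct horse battery staple", "alice")]:
        result = check_password(candidate, user)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

    Note what the checker does not do: it does not demand an uppercase letter, a digit and a symbol. A long passphrase such as the last candidate passes, while a short "complex" password on the blocklist fails. In production the blocklist lookup would be backed by a real breached-password dataset, and the strongest companion control is multi-factor authentication, which limits the damage when a password is phished anyway.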


    Identification of Cybersecurity Risks

    Operations Cybersecurity Risks (as per SEI):

    • Actions of People- including: unintentional, intentional, lack of action

    • Systems and Technology Failures- including: hardware, software, systems

    • Failed Internal Processes- including: design of processes, execution of processes, controls for processes, supporting processes

    • External Events- including: hazards, legal, business, dependencies of services

    Prevent Attacks- Risk Identification

    *Reference: SEI (May 2014) “A Taxonomy of Operational Cyber Security Risks Version 2”. Retrieved from

    https://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_91026.pdf


    Enterprise Security Risk Assessment

    • Include an assessment of both probability and impact to evaluate the risk exposure

    Risk Response Planning

    • For those vulnerabilities (risks) which are above the risk tolerance

    Prevent Attacks- Risk Awareness
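    A worked version of the two bullets above, added here as an example rather than taken from the slides: a small risk register whose entries are classified with the four SEI operational-risk categories from the previous slide, scored for probability and impact on a 1 to 5 scale, ranked by exposure (probability × impact), and split into those above and below a risk tolerance. The register entries, the scales and the tolerance value are constructed assumptions; your organization sets its own.

```python
"""Enterprise security risk assessment: exposure = probability x impact,
ranked against a risk tolerance.

Added example, not from the slides. Register entries, the 1..5 scales and
the tolerance are constructed assumptions; the category names are the four
classes of the SEI operational cyber security risk taxonomy cited on the
previous slide.
"""
from dataclasses import dataclass

SCALE = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
RISK_TOLERANCE = 8  # assumption: exposure above this needs a planned response

SEI_CATEGORIES = ("Actions of People", "Systems and Technology Failures",
                  "Failed Internal Processes", "External Events")


@dataclass
class Risk:
    id: str
    category: str      # one of SEI_CATEGORIES
    description: str
    probability: int   # 1..5
    impact: int        # 1..5

    @property
    def exposure(self):
        """Risk exposure as used on the slide: probability times impact."""
        return self.probability * self.impact


def validate(risk):
    """Reject entries outside the agreed scales or taxonomy."""
    if risk.probability not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.id}: probability and impact must be 1..5")
    if risk.category not in SEI_CATEGORIES:
        raise ValueError(f"{risk.id}: unknown category {risk.category!r}")


# Constructed sample register.
REGISTER = [
    Risk("R1", "Actions of People",
         "Staff member clicks a phishing link and enters credentials", 4, 4),
    Risk("R2", "Systems and Technology Failures",
         "Unpatched web server exposed to the internet", 3, 5),
    Risk("R3", "Failed Internal Processes",
         "Leaver accounts not disabled on departure", 3, 3),
    Risk("R4", "External Events",
         "Cloud provider regional outage", 2, 4),
    Risk("R5", "Actions of People",
         "Laptop left on a train (no full-disk encryption)", 2, 3),
]


def assess(register, tolerance=RISK_TOLERANCE):
    """Return (all risks ranked by exposure, highest first; those above tolerance)."""
    for risk in register:
        validate(risk)
    ranked = sorted(register, key=lambda r: (-r.exposure, r.id))
    above = [r for r in ranked if r.exposure > tolerance]
    return ranked, above


def heat_map(register):
    """Count risks per (probability, impact) cell, the usual 5x5 chart;
    grid[p-1][i-1] holds the number of risks with probability p, impact i."""
    grid = [[0] * 5 for _ in range(5)]
    for risk in register:
        grid[risk.probability - 1][risk.impact - 1] += 1
    return grid


if __name__ == "__main__":
    ranked, above = assess(REGISTER)
    for r in ranked:
        flag = "RESPONSE REQUIRED" if r in above else "monitor"
        print(f"{r.id} exposure={r.exposure:2d} "
              f"(P={SCALE[r.probability]}, I={SCALE[r.impact]}) "
              f"[{r.category}] {r.description} -> {flag}")
```

    With these assumed scores the phishing, unpatched-server and leaver-account risks (exposures 16, 15 and 9) fall above the tolerance of 8 and get response plans; the outage and lost-laptop entries are monitored. The validation step matters in practice: a register where one team scores on 1 to 3 and another on 1 to 5 cannot be ranked, so the scales are enforced before anything is compared.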


    Prevent Attacks- Awareness

    *Axelos Limited, 2017. RESILIA Frontline Overview
