Download - PMINJ Chapter Symposium - 06 May 2019PMP, PMI-ACP, PMI-RMP, CSM, CSPO, PSM I, CISSP, ITIL, RESILIA, CRISC, MS Eng. Mgmt. GLS Team- Practice Consultant for Agile Scrum and IT Practice,

Transcript
Page 1: PMINJ Chapter Symposium - 06 May 2019PMP, PMI-ACP, PMI-RMP, CSM, CSPO, PSM I, CISSP, ITIL, RESILIA, CRISC, MS Eng. Mgmt. GLS Team- Practice Consultant for Agile Scrum and IT Practice,

Susan Parente

PMP, PMI-ACP, PMI-RMP, CSM, CSPO, PSM I, CISSP, ITIL, RESILIA, CRISC,

MS Eng. Mgmt.

GLS Team- Practice Consultant for Agile Scrum and IT Practice, Senior Instructor

Instructor, University of Virginia: Agile Project Mgmt.

Cybersecurity

Am I at risk…?

PMINJ Chapter

Symposium - 06 May 2019

Page 2:

© International Institute for Learning, Inc. All rights reserved. 2

Susan Parente

• Risk Management and Agile Consultant and Trainer

• Master of Science (MSEM — Focus in Marketing of Technology), George Washington University

• Bachelor’s in Mechanical Engineering (BS ME)

• Certifications:

Project Management Professional (PMP™) — 2006

Project Risk Management Professional (PMI-RMP™) — 2011

Certified Information Systems Security Professional (CISSP) — 2007

RESILIA™ — 2006

CRISC — 2018

ITIL Foundations — 2006

Agile Certified Practitioner (PMI-ACP™) — 2014

Certified Scrum Master (CSM) & CSPO — 2017

Professional Scrum Master I (PSM I) — 2017

May 6, 2019

Page 3:

Am I at Risk…?

What is Cybersecurity?

• Why is IT Security so important?

Information Security

Attacks/ Breaches

Common Threats/ Vulnerabilities

• Examples of threats

What Can I Do?

• Prevent (Risk Assessment, Planning, Training)

• React (Recognizing/ Malware Detection)

• Safe and Secure?: Defense Dept.

Cybersecurity

Page 4:

Cybersecurity: Also known as information technology security

• Includes techniques to protect computers, networks, programs and data from unauthorized access or attacks on one’s computer or systems.

Cyber Attack: An attempt to cause damage or destruction to a computer system or network.

• Targets an individual or enterprise with the intent to disrupt, disable, destroy, or control a computer, its environment, or infrastructure, or to destroy the integrity of data or steal information.

What is Cybersecurity?

Page 5:

Definitions

Attack: Attempt to obtain unauthorized access to information or services, or to harm or damage IT systems.

Breach: An incident resulting from an attack that bypasses the system’s security structure.

Attacks/ Breaches

Page 6:

Attacks/ Breaches

*Verizon, 2015 Data Breach Investigations Report

Page 7:

Phishing:

A fraudulent practice of sending email disguised as coming from a legitimate source, with the purpose of having individuals divulge personal information. Phishing is very commonly used and unfortunately it often works!

Social Engineering:

Deception by fraudulent parties to manipulate someone into sharing personal or confidential information (sensitive data)

Spyware/ Trojan Horse:

This is a malicious program which is packaged in what appears to be legitimate software. It runs in the background and spies on your computer system, or may delete files.

Viruses:

This is hidden in software. It infects one’s computer and attempts to spread to everyone on your contact list.

Common Threats/ Vulnerabilities

Page 8:

Phishing Example:

How do you know?

Take a closer look…

Common Threats/ Vulnerabilities

Page 9:

Phishing Example Identification:

• It looks legitimate

(from HR, your bank, an invoice, shipping confirmation, etc.)

• Hover over the link

If you don’t recognize it don’t click!

• Spelling or grammar errors

• Urgency!! (invoking fear)
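Three of the warning signs above (a link whose visible text names a different domain than its real target, urgency language, and misspellings) can be checked mechanically before anyone clicks. The following is an added Python example, not code from the slides: the sample message, the urgency phrases and the misspelling list are constructed, and the owner-domain helper is a deliberately crude last-two-labels approximation.

```python
import re
from urllib.parse import urlparse

# Constructed indicator lists for this example (not from the slides).
URGENCY = ("urgent", "immediately", "within 24 hours", "act now")
MISSPELLINGS = {"verfy", "acount", "recieve", "confrim", "informations"}
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r'(?:https?://)?([\w.-]+\.[a-z]{2,})', re.I)

def registrable(host):
    """Crude owner domain: last two labels (assumption; real code should use
    the public suffix list, since e.g. example.co.uk needs three labels)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def link_mismatches(html):
    """'Hover over the link': (domain shown to the reader, real href) pairs
    where the visible text names a different domain than the target."""
    hits = []
    for href, text in LINK_RE.findall(html):
        target = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if shown and registrable(shown.group(1)) != target:
            hits.append((shown.group(1), href))
    return hits

def phishing_indicators(msg):
    """Return the slide's warning signs found in a message dict with
    'subject' and 'body' (HTML) keys; an empty dict means none found."""
    found = {}
    mismatches = link_mismatches(msg["body"])
    if mismatches:
        found["link_mismatch"] = mismatches
    text = (msg["subject"] + " " + re.sub(r"<[^>]+>", " ", msg["body"])).lower()
    urgency = [phrase for phrase in URGENCY if phrase in text]
    if urgency:
        found["urgency"] = urgency
    words = dict.fromkeys(re.findall(r"[a-z]+", text))  # unique, in order
    bad = [w for w in words if w in MISSPELLINGS]
    if bad:
        found["misspellings"] = bad
    return found

# Constructed sample message impersonating a bank (not real mail).
SAMPLE = {
    "subject": "URGENT: verify your account within 24 hours",
    "body": ("Dear customer, we could not verfy your acount. Please sign in at "
             '<a href="http://secure-login.example.net/x">'
             "https://www.examplebank.com/login</a> immediately."),
}
```

Running `phishing_indicators(SAMPLE)` reports all three signs for the constructed message; a message with none of them returns an empty dict, so the result can drive a "take a closer look" warning in a mail filter or awareness exercise.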

Common Threats/ Vulnerabilities

Page 10:

Ransomware:

Your computer data is held ‘hostage’ and you are asked for payment to release it and regain access to your computer. (This is another great reason to back up your data!)

Worm:

Once your computer is infected with it, it works on its own and propagates by sending itself to other computers.

DoS (Denial of Service) Attack:

The goal of this is to hit a specific website or server until the volume of hits takes the system down.

Common Threats/ Vulnerabilities

*Axelos Limited, 2017. RESILIA Frontline Overview

Page 11:

Common Threats

*Axelos Limited, 2017. RESILIA Frontline Overview

“You need to really work with your people and embark on conversations with them about the threats that are out there. That’s what we want to change – we want people to talk about security, discuss the risks, but help each other out. The more people talk about security with each other, the better things will become.”

Page 12:

Common Threats

*Axelos Limited, 2017. RESILIA Frontline Overview

“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you’ll do things differently.”

Page 13:

Common Threats

*Axelos Limited, 2017. RESILIA Frontline Overview

“It is important companies remain vigilant, taking steps to proactively and intelligently address cyber security risks. Beyond the technological solutions, we can accomplish even more through better training, awareness and insight on human behaviour. Confidence, after all, is not a measure of technological systems, but of the people entrusted to manage them.”

Page 14:

Prevent attacks

• Risk Assessment, Planning, Awareness

React to attacks

• Recognizing/ Malware Detection

What can I do…?

Page 15:

IT Security Guidelines/ Standards

• Develop and implement these to prevent and manage IT security for the organization.

Password Safety:

• Guidance in the creation and management of high-strength passwords to help stop attackers gaining unauthorized access to the organization’s network.

Remote and Mobile Working:

• Safe use of office devices outside of the organizational environment.

General Prevention

*Axelos Limited, 2017. RESILIA Frontline Overview

Page 16:

Identification of Cybersecurity Risks

Operations Cybersecurity Risks (as per SEI):

• Actions of People, including: unintentional, intentional, lack of action

• Systems and Technology Failures, including: hardware, software, systems

• Failed Internal Processes, including: design of processes, execution of processes, controls for processes, supporting processes

• External Events, including: hazards, legal, business, dependencies of services

Prevent Attacks - Risk Identification

*Reference: SEI (May 2014) “A Taxonomy of Operational Cyber Security Risks Version 2”. Retrieved from https://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_91026.pdf

Page 17:

Enterprise Security Risk Assessment

• Include an assessment of both probability and impact to evaluate the risk exposure

Risk Response Planning

• For those vulnerabilities (risks) which are above the risk tolerance

Prevent Attacks - Risk Awareness

Page 18:

Prevent Attacks - Awareness

*Axelos Limited, 2017. RESILIA Frontline Overview

Page 19:

Prevent Attacks - Awareness

*Axelos Limited, 2017. RESILIA Frontline Overview
