
Page 1

16 May 12 Webinar - Christian Brothers Services

Christian Brothers Services 2016 Spring Webinar Series

May 12, 2016

Christian Brothers Information & Technology Services

2016 SPRING WEBINAR SERIES

Cybersecurity

5/13/2016

© 2016 Christian Brothers Services, Romeoville, IL. All Rights Reserved. No part of this presentation may be reproduced, stored in a retrieval system, or transmitted by any means without the written permission of Christian Brothers Services.

Opening Prayer

Creator God, through your world and people that surround us, we pray that we may grow more aware this day of your life giving presence. Open our minds and hearts to apply the knowledge from today’s webinar for the good of all.

We ask these things in Jesus’ Name. Amen

Page 2

2016 SPRING WEBINAR SERIES

Cybersecurity

Tom Drez, Chief Privacy Officer / Chief Information Officer / Chief Security Officer, Christian Brothers Services

Disclaimer 

• For informational purposes only

• Not legal advice

• Not a substitute for your own prudent business practices and due diligence

Our Agenda

1. Your likely day‐to‐day world

2. Your potential cyberrisk exposures

3. The current state of cybersecurity

4. Legislation and privacy & security

5. Cyber liability as a concern

6. A best practice approach to cybersecurity

7. Data breach walk through

Page 3

1. Your Likely Day‐to‐Day World

Your Day‐to‐Day World

• Vision

• Mission

• Strategic Plan

• Strategic Objectives

• Work Plans

• Budgets

Page 4

Information & Technology Services: Priority Focus Areas

• Member Satisfaction

• Delivering Organizational Value

• Risk Management

• Enabling Technologies

• Business Process Management

Information & Technology Services: Organizational Drivers and Enabling Technologies

• Customer Service

• Operational Efficiency

• Overall Effectiveness

• Security

• Cloud

• Applications

• Mobile

• Social

Your Day-to-Day World - SUMMARY

• Your strategic plan is working.

• You are living your mission and charism and ensuring they will live on long after you do.

• Your Catholic, faith-based, 501(c)3, NFP life is very good.

• What could go wrong!

Page 5

2. Your Potential Cyberrisk Exposures

Your Potential Cyberrisk Exposures

• Confidential Information

• Proprietary Information

• Individually Identifiable Information

• Website/Social Media/Blog

• Data Network

• Who are your stakeholders?

• What types of data do you have on them?

• What is your online presence?

Your Potential Cyberrisk Exposures

• Business Loss/ Disruption

• Reputational Harm

• Identity Theft

• Lawsuits

What are your main concerns from these risks?

Page 6

Your Potential Cyberrisk Exposures

Stakeholders: members/staff, donors, customers

Data types held on them:

• PII

• PHI

• NPFI

• PCI

If you don’t need it, don’t collect it and store it.

Your Potential Cyberrisk Exposures

Data Price List

Your Potential Cyberrisk Exposures

• You use people, process and technology to function efficiently and effectively.

• You have at least one pair of wires to the internet.

Page 7

Your Potential Cyberrisk Exposures - SUMMARY

• You have data that others want

• You have an electric fence with front doors, back doors and windows

• You want to protect your organization and stay out of the headlines, and for your CEO and CIO to keep their jobs (& stay out of jail)

3. The State of Cybersecurity

Your Day‐to‐Day World … is now larger

Cyberrisk

Cybersecurity

Cyber liability

Page 8

Based on:

• 100,000+ incidents

• 2,260 confirmed data breaches

Confirmed data breaches:

• ~80% from external actors

• 80% had a financial motive

• 9 incident classification patterns still reign supreme

• 9 main threat actors

Page 9

CBS Security Awareness Education

• C-Level attacks

• $ transfers

• W-2 data

Page 10

CBS Security Awareness Education

Observed every October (National Cyber Security Awareness Month)

Page 11

Top 4 Threats to Data

1. Lost Hardware

2. Network Penetration

3. Insider Threat

4. Physical Access

The New Normal

• Human firewalling will remain ineffective against sophisticated social engineering and phishing attacks

• Application vulnerabilities are an issue

• Online “Dark Markets” are providing cheaper and faster automated tools to hackers

• Cyberattacks are the new battlefield, especially for nation states

Changes in Security Models

• The traditional perimeter defense approach is being replaced with a multi-layered approach, driving toward proactive, intelligence-driven security

• Security intelligence is becoming critical for aggregating and analyzing information

• New models are emerging for identity and trust

• Encrypt, encrypt, encrypt

• Security Awareness Education is now daily, not annual

Page 12

Activities to Manage & Mitigate Cyberrisks

• Complete an IT risk assessment

• Review IT governance model

• Review IT policies, standards, procedures and guidelines

• Review identity management and access controls

• Review operations center monitoring & management tools

• Enhance infrastructure

• Inventory all IT hardware, software and data assets

• Review and update your security awareness program

• Bake security into application acquisition and development

• Conduct 3rd party vendor security assessment

• Repeat for continuous improvement

The State of Cybersecurity - SUMMARY

• There are two kinds of organizations: those that have been hacked, and those that don’t know they’ve been hacked.

• It’s not IF you will have a breach, it’s WHEN.

• You can be right 999 times out of 1,000.  The hacker needs to be right just once.

• There is no silver bullet, but you can and must mitigate your risks.

• You are only as strong as your weakest link!

4. Legislation and Privacy & Security

Page 13

State Data Breach Notification Laws

• 47 states have laws requiring notification in the event of a breach of personal information (not AL, NM, SD)

• The laws vary in terms of what constitutes personal information along with notification timing, etc.

• Examples:  SSN, first & last name, driver’s license #, account number, credit & debit card #, medical information

• Coverage ranges from electronic data only to all forms of records.

Federal Notification Laws

Breach Notification Laws Are Continuously Changing

• California recently passed new laws effective 1/1/16:

  • Very specific wording and font, with required sections:

    • What happened

    • What information was involved

    • What are we doing

    • For more information

  • Post conspicuous notice on website

  • Breached login credentials negate electronic notice

  • Defined encryption

  • Added to definition of personal information

Page 14

Privacy & Security Legislation - SUMMARY

• Laws are continually being passed

• Be aware of those that apply to your organizations

• Be aware of compliance requirements and penalties

• Would be nice if Congress passed one comprehensive law

5. Cyber Liability as a Concern

Cyber Liability as a Concern

Page 15

Cyber Liability as a Concern

Page 16

Cyber Liability as a Concern

Considering Cyber Liability Coverage

Insuring Clauses

• Privacy liability

• Network security liability

• Network extortion

• Internet media liability

• Business policies (commercial general liability, CGL) may not adequately cover cyber-risks

• Review your policy within the context of cyberrisks

• Cyber liability coverage growing rapidly

• Underwriting a mix of customized art and science

Considering Cyber Liability Coverage - SUMMARY

• Cyberrisks exist and may not be covered by your CGL policy

• Data breach costs can be very significant

• Cyber liability policies exist and are growing 

• Review your CGL policy against cyberrisks

• Don’t over OR underinsure

Page 17

6. A Best Practice Approach to Cybersecurity

Security Levels

• Network-level protection

• Computer-level protection

• Data-level protection

Security: Data-Level Protection

• Access to data for staff on an as-needed basis, at varying levels

• Appropriate levels of approval needed to gain access

• Limit access to sensitive data (e.g., SSN, account balances)

Page 18

Security: Computer-Level Protection

• Redundant multi-vendor antivirus software at both desktop and server levels

• Proactive threat protection

• Prohibit staff from loading software

• Force computers to lock after a period of inactivity

• Require “complex” passwords: 12 characters, with upper case, lower case, numeric and symbol characters
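The password rule on this slide (12 characters with upper, lower, numeric and symbol classes) is the kind of requirement that should be enforced by code, not by memo. The following is an added example, not Christian Brothers Services code: a small policy checker whose defaults follow the slide's stated rule. It assumes that "symbol" means any printable ASCII punctuation character, and it reports every rule a candidate fails rather than stopping at the first, so a help desk or self-service page can tell the user exactly what to fix.

```python
"""Password policy checker following the slide's computer-level rule.
Added example; not Christian Brothers Services code."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum requirements. Defaults follow the slide's stated rule.
    Assumption: 'symbol' means any printable ASCII punctuation character."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = string.punctuation


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of requirements the password fails (empty list = compliant).

    Every failed rule is collected, not just the first, so the caller can explain
    a rejection in full instead of sending the user through several retries."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"at least {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("an uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("a lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("a digit")
    if policy.require_symbol and not any(c in policy.symbols for c in password):
        failures.append("a symbol")
    return failures


def is_compliant(password: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when the password meets every rule of the policy."""
    return not check_password(password, policy)


if __name__ == "__main__":
    # Constructed candidates: two that fail different rules and one that passes.
    for candidate in ["Summer2016", "correct-horse-battery", "Tr0ub4dor&3!x"]:
        print(repr(candidate), "->", check_password(candidate) or "compliant")
```

Because the policy is a frozen dataclass, a stricter variant (say, `PasswordPolicy(min_length=16)`) can be passed in where one system warrants it, while the default stays aligned with the slide's baseline.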

Security: Network-Level Protection

• Redundant firewalls control traffic and prevent unwanted inbound access

• An Intrusion Prevention System monitors inbound and outbound traffic and notifies IT of attempted security breaches

• A website activity monitor prevents access to restricted sites and monitors usage

• Security Information and Event Management (SIEM) provides real-time analysis of security alerts generated by our network

• A secure VPN server provides controlled access to internal resources

• Website SSL certificates ensure encryption of traffic between client and web server

Wi-Fi

• Do you know all of your Wi-Fi access points?

• Are they using the latest security?

• Throw away WEP devices

• Use WPA/WPA2 with complex PSKs

• BEWARE OF PINEAPPLES! (rogue access points that impersonate trusted Wi-Fi networks)

• Always use your cell phone or hot spot first before FREE Wi-Fi

• Use computer firewall, VPN and VDI

Page 19

7. A Data Breach Walk Through

Pension Board ABC (PB‐ABC)

• Non‐profit Benefits Organization that provides retirement and health benefits to the ABC Group 

• PB‐ABC provides services to: 

• 100,000 active participants

• 25,000 inactive participants

• 15,000 retirees

Data Breach

• On September 15, 2014, the FBI contacted PB-ABC to inform them that, during a recent investigation, it had discovered that PB-ABC's data had been stolen, sold and used in seven known identity theft incidents

• PB‐ABC was totally surprised by the FBI's discovery and report of data theft. They fully cooperated with law enforcement and launched an immediate internal investigation into the incident 

Page 20

Investigation

• The investigation uncovered that, sometime in June 2014, an attacker utilized a SQL injection vulnerability on the website of the PB‐ABC to deposit malware on the database server

• The malware was not detected by their security software because it had not been updated to the latest release

• Their IT department noticed the malware on Monday morning, June 9, when the security software was updated to the latest release

Investigation

• They used security software to immediately remove the malware from their website

• However, unbeknownst to them, the malware had already successfully propagated to their internal production database server and then went dormant

• One month later, on July 6, the malware was activated, and it dumped the entire contents of their participant database to an external server out on the internet 

• This data included name, address, email address, social security number, date of birth and account balance for 140,000 participants 
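The root cause in this walk-through is a SQL injection flaw in the website. The following is an added example, not the page's or PB-ABC's code: it puts the defect pattern (a request value spliced into the SQL text) beside the parameterized fix and measures the difference on a constructed in-memory table, so the reader can see why the fix works rather than take it on faith. The table, rows, function names and the probe input are all constructed for this example.

```python
"""Vulnerable vs. hardened participant lookup, illustrating the SQL injection
vector in the PB-ABC walk-through. Added example; not the page's or PB-ABC's code.
Schema, rows and function names are constructed for this example."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory participant table standing in for the walk-through's
    database (fake ids, names and balances)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE participants (id TEXT PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO participants VALUES (?, ?, ?)",
        [("P1001", "A. Participant", 52000.0),
         ("P1002", "B. Participant", 13750.5),
         ("P1003", "C. Participant", 99000.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, participant_id: str) -> list[tuple]:
    """The defect: the request value is pasted into the SQL text, so the database
    cannot distinguish data from query syntax. Shown only to contrast with the fix."""
    sql = f"SELECT id, name, balance FROM participants WHERE id = '{participant_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, participant_id: str) -> list[tuple]:
    """The fix: a parameterized query. The value is bound separately from the SQL
    text, so whatever it contains is only ever compared as a literal string."""
    sql = "SELECT id, name, balance FROM participants WHERE id = ?"
    return conn.execute(sql, (participant_id,)).fetchall()


def demo() -> dict[str, int]:
    """Run both lookups with a normal id and with the textbook probe input (a quote
    plus an always-true clause); return row counts so the difference is measurable."""
    conn = build_demo_db()
    normal = "P1002"
    probe = "x' OR '1'='1"   # constructed probe input, not a real request
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_probe": len(lookup_vulnerable(conn, probe)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
        "hardened_probe": len(lookup_hardened(conn, probe)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

The vulnerable lookup returns every row for the probe input, which is exactly the "entire contents of the participant database" outcome the walk-through describes; the parameterized lookup returns none, because the bound value never becomes part of the query grammar. The same binding discipline applies to every database driver, and it is cheaper than any of the post-breach steps on the following slides.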

Investigation

• The internal investigation was completed on September 18, 2014. The Senior Management team gathered and was informed of these details by the Chief Information Officer

Page 21

Data Breach Protocol

• Best practices call for an organization to have a Data Breach Protocol or Plan, just like having a Business Continuity Plan

• If Pension Board ABC had a Data Breach Protocol, it might look like the following:

Data Breach Protocol

CEO: Notifies Pension Board’s Board of Trustees

CFO: Notifies insurance broker of breach; acts as liaison to broker for the claim processing and activities

General Counsel or Legal Consultant: Takes point on ensuring compliance with any applicable breach notification law(s)

COO or Communications Dept. Head: Oversees development of communications plan to affected constituents and media, as required

COO or Customer Service Dept. Head: Coaches Call Center on response protocols for inquiries by participants or media

Page 22

Data Breach Protocol

CIO or Head of Information Technology Dept.:

• Engages external forensics firm to assist in analysis of the breach and its method of elimination

• Reviews all other similar and related systems to make sure any similar vulnerabilities have been addressed

• Reviews procedures, protocols and security tools, and changes any and all of these to ensure a repeated breach doesn’t occur

Additional Note

• If the data breach were personnel-caused rather than a technology breach (e.g., a staff member accidentally emailed a report containing bulk SSNs to an outside entity), technology forensics would be replaced with an internal procedures review and possible Human Resources involvement and remediation with education

Recap

• Your likely day‐to‐day world

• Your potential cyberrisk exposures

• The current state of cybersecurity

• Legislation and privacy & security

• Cyber liability as a concern

• A best practice approach to cybersecurity

• Data breach walk through

Page 23

For questions regarding Cybersecurity, contact:

Tom Drez [email protected]

800.807.0200 x 2930

For the link to the handouts from today’s webinar email:

[email protected]

Page 24

To sign up for any of our spring webinars:

cbservices.org/educationalresources.php
