8:30 am – 9:30 am HST | 11:30 am – 12:30 pm PST

Learning Objectives
Assess enterprise readiness for attacks such as IoT + DDoS, botnets, ransomware and more, and review options for and how to implement a cybersecurity framework.
Step through the impact of global standards such as GDPR and ISO 27001 on an enterprise cybersecurity program.
Examine a self-assessment cybersecurity checklist to determine the state of an active defense.

Agenda
1. Global State of Cybersecurity 2020
2. Compliance Mandates
3. Cybersecurity Frameworks
4. Getting Started: Key Steps

Post on 27-Mar-2022

TRANSCRIPT

Slide 1: 8:30 am – 9:30 am HST | 11:30 am – 12:30 pm PST
Learning Objectives
Assess enterprise readiness for attacks such as IoT + DDoS, botnets, ransomware and more, and review options for and how to implement a cybersecurity framework.
Step through the impact of global standards such as GDPR and ISO 27001 on an enterprise cybersecurity program.
Examine a self-assessment cybersecurity checklist to determine the state of an active defense.
Agenda
1. Global State of Cybersecurity 2020
2. Compliance Mandates
3. Cybersecurity Frameworks
4. Getting Started: Key Steps
The human body contains far more bacteria than it has body cells. Most of the bacteria are harmless, some are helpful, while others have the potential to make one sick or even kill us. The human body is waging a constant battle against harmful microscopic organisms.
One of the human body’s targeted lines of defense is the immune system. The immune system recognizes and defends against specific pathogens, cancer cells and certain chemicals. The immune system provides a targeted defense because it must always distinguish between its own body cells, referred to as self, and intruders, or non-self. When non-self cells or other intruders are identified, the immune system launches a customized response. Such a response may take longer, but it is long lasting and typically more effective than non-specific defenses.
The immune system has a remarkable memory. It remembers the virus that caused an illness you may have had in the past, such as chicken pox. The next time the human body is exposed to this virus, the body recognizes it and destroys the virus before an illness can be triggered. We can learn much from human defense mechanisms, including our immune system.
Within the digital business, the volume of PII will only increase, and so will attack surfaces. The challenge of defending assets of value that extend across mobile platforms and a diverse cloud ecosystem is not insignificant.
Further, not just sensitive data but also our security controls may be at risk. The security controls themselves must be formally assessed to ensure they have not been compromised.
Human Immune Defense
The immune system recognizes and defends against specific pathogens, cancer cells, and certain chemicals.
The immune system delivers a specific, or targeted, defense.
The immune system is able to distinguish between its own body cells (“self”) and intruders (“non-self”).
When non-self cells or other intruders are identified, the immune system launches a customized response.
While such a response may take longer, it is longer lasting and typically more effective than non-specific defences.
Human Body
Over 100 trillion organisms in our gut.
8,000 different bacteria and viruses.
Bacteria may help prevent or treat some diseases.
Compliance Enforcement
Class Action Lawsuits & Settlements
The world has emerged flatter as we witness COVID-19 disrupt business. Cyber strategy is now defined in two words: cyber resilience.
2020 Client Cyber Assessment
[Chart residue: per-target scan counts, with the labels “Complete” and “Mission” as captured]
IP address #1: 395 / 310
IP address #2: 393 / 295
IP address #3: 393 / 294
Findings by severity: Total 10,432; High 3,394; Medium 5,908; 1,584 (severity label not captured)
Unique vulnerabilities per organization: 1,440
Finding categories (instances):
Allow an attacker to gain unauthorized access to sensitive data [214 instances]
Allow an attacker to perform a Denial of Service attack [169 instances]
Provide an attacker with valuable information [167 instances]
Allow an attacker to gain elevated privileges [99 instances]
Allow an attacker to gain access to sensitive data [76 instances]
Allow an attacker to bypass security restrictions [22 instances]
Allow an attacker to take control of the system [745 instances]
Ransomware and Cryptojacking
Malicious coin mining, or “cryptojacking”, is the act of installing a cryptocurrency miner on a victim’s device, thus enslaving that device to slowly gather coins for the attacker.
A ransomware attack every 14 seconds in past years, and every 11 seconds by 2021.
In recent years, ransomware from phishing emails increased 109 percent.
The global IoT market is forecast to be worth
In recent years, more than 80% of senior executives across industries, on average, say IoT is critical to some or all lines of their business.
127 new IoT devices connect to the internet every second.
segment.
Lack of Transmission Security
Lack of Appropriate Auditing
Inconsistent Patching of Software
Recurring Compliance Issues
The top five ransomware variants targeting U.S. companies and individuals are CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, and Locky.
COVID-19-themed attacks: attackers are using COVID-19 as bait to mislead employees and customers into downloading ransomware disguised as legitimate applications.
SB 327 Information Privacy: Connected Devices (effective January 1, 2020)
SB 327 requires manufacturers of connected devices to equip the device with reasonable security features that are appropriate to the nature and function of the device and to the information it may collect, contain, or transmit, and that are designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
For a device that can be authenticated from outside a local area network, the statute treats either a preprogrammed password unique to each device, or a requirement that the user generate a new means of authentication before first access, as a reasonable security feature.
Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
NIST IR 8228 Internet of Things (IoT) Cybersecurity and Privacy Risks
IoT devices are an outcome of combining the worlds of IT and Operational Technology (OT).
IoT devices interact with the physical world in ways conventional IT devices usually do not.
Availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than for conventional IT devices.
Risk is defined in NIST SP 800-37 Revision 2 as a measure of the extent to which an entity is threatened by a potential circumstance or event.
For cybersecurity, risk is about threats: the exploitation of vulnerabilities by threat actors to compromise device or data confidentiality, integrity, or availability.
For privacy, risk is about problematic data actions: operations that process PII through the information lifecycle to meet the mission or business needs of an organization (“authorized” PII processing) and, as a side effect, cause individuals to experience some type of problem.
Three high-level risk mitigation goals: protect device security, protect data security, and protect individuals’ privacy.
Considerations that affect IoT risk:
Device interactions with the physical world.
Device access, management, and monitoring features.
Cybersecurity and privacy capability availability, efficiency, and effectiveness.
CCPA Key Facts
Grants new enforcement power to the Attorney General.
Exemptions: PII already subject to the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), or the Driver’s Privacy Protection Act (DPPA).
But note: the private right of action for data breach is not subject to these exemptions.
CCPA: Getting Prepared
Update policies.
Engage in a data mapping activity that provides information on who in your organization collects, uses and shares what personal information for what purposes, and that tells you where and how that data is stored and accessed.
Adopt and follow a cybersecurity framework.
Encrypt or redact consumers’ personal information when collected, stored, and transmitted (the private right of action covers nonencrypted and nonredacted personal information).
Update written contracts with service providers and vendors with which you share consumers’ personal information to ensure the requirements of CCPA are addressed.
GDPR Recurring Compliance Issues
Failure to comply with the “accountability principle” (Article 5(2)).
ISO 27002 Compliance
PCI DSS Requirement 12.1 (requirement / testing procedure)
Requirement 12.1: Establish, publish, maintain, & disseminate a security policy that accomplishes the following:
Testing procedure 12.1: Examine the information security policy & verify that the policy is published & disseminated to all relevant personnel (including vendors & business partners).
Requirement 12.1.1: Addresses all PCI DSS requirements.
Testing procedure 12.1.1: Verify that the policy addresses all PCI DSS requirements.
Requirement 12.1.2: Includes an annual process that identifies threats & vulnerabilities, & results in a formal risk assessment (risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 & NIST SP 800-30).
Testing procedure 12.1.2: Verify that an annual risk assessment process is documented that identifies threats, vulnerabilities, & results in a formal risk assessment.
Cybersecurity Maturity Model Certification (CMMC) Key Facts
CMMC is a DoD certification process that measures a company’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. Sources it draws on include:
DFARS 252.204-7012
NIST SP 800-171 rev 1
Draft NIST SP 800-171B
United Kingdom’s Cyber Essentials
CMMC also adds a certification element to verify implementation of cybersecurity requirements.
CMMC Levels
CMMC has five defined levels, each with a set of supporting practices and processes. (CMMC 2.0, announced in November 2021, consolidates the model to three levels.)
To meet a specific CMMC level, an organization must meet the practices and processes within that level and below.
Evidence (Updated?)
Risk Management Plan (addressing risks identified in the Risk Analysis).
Security violation monitoring reports.
Penetration testing policy & procedure.
Results from most recent penetration test (network, application).
List of all user accounts with access to systems which store, transmit, or access PII (for active & terminated employees).
Encryption or equivalent measures implemented on systems.
Employee background checks & confidentiality agreements.
Establishing user access for new & existing employees.
List of authentication methods used to identify users authorized to access PII.
List of individuals & contractors with access to PII, including copies of pertinent business associate agreements.
List of software used to manage & control access to the Internet.
Detecting, reporting, & responding to security incidents.
Physical security.
Mechanisms to ensure integrity of data during transmission, including portable media transmission.
Take periodic backups and encrypt your data using encryption tools; keep at least one backup copy offline or otherwise unreachable from the network, since ransomware encrypts any backup it can reach.
Regularly update your anti-virus/anti-spyware/anti-ransomware definitions.
Do not open email attachments from unknown sources.
The moment you suspect any system is infected, disconnect it from your computer network and shut it down (isolation from the network is the priority; powering off discards volatile memory that forensics and some decryptors rely on, so follow your incident response procedure).
Enable System Restore, an in-built feature of the Microsoft Windows operating system, to assist in restoring files; note that many ransomware families delete Volume Shadow Copies before encrypting, so restore points are not a substitute for offline backups.
Ensure credible endpoint protection.
Use network protection; it can also help prevent the encryption of network shares, which some crypto-ransomware threats attempt.
Use Software Restriction Policies to prevent or restrict the primary attack vectors, i.e. deny execution from locations where users have write/create privileges on business-critical systems.
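As an added example (not code from the slide deck), the following Python script models the last control above: it applies the path rules a default Software Restriction Policy or AppLocker configuration enforces (run only from the Windows and Program Files trees, deny everywhere a standard user can write, including the user-writable sub-trees under C:\Windows that are known bypasses) to a batch of constructed process-creation events and reports what would be blocked. It also handles the ".." traversal edge case, where a path that climbs out of a trusted root would otherwise pass a naive prefix check. The root directories, the exception list, the Office-parent lineage tag and the sample events are assumptions made for illustration, not taken from the page.

```python
"""Path-based allow-list check of the kind a Software Restriction Policy
(SRP) or AppLocker default rule set enforces: executables may run from the
OS and program directories and are denied everywhere a standard user can
write.  The policy roots, the extra user-writable sub-trees and the
process-creation events below are all constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Default SRP "Unrestricted" path rules; everything else is "Disallowed".
ALLOWED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Sub-trees under the trusted roots that standard users can write to
# (well-known SRP/AppLocker bypass locations), so they are denied explicitly.
WRITABLE_EXCEPTIONS = (
    r"C:\Windows\Temp",
    r"C:\Windows\Tasks",
)

# Parents that commonly launch a phishing payload; used to enrich a denial.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed; not real telemetry)."""
    pid: int
    user: str
    image: str          # full path of the executable that was launched
    parent_image: str   # full path of the parent process


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return str(PureWindowsPath(path)).lower().rstrip("\\")


def _under(path: str, root: str) -> bool:
    """True if path equals root or lies inside it (separator-aware)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def evaluate(image: str) -> tuple[str, str]:
    """Return (verdict, reason) for an executable path under the policy.

    Deny wins over allow: a '..' component is rejected before any prefix
    match (otherwise a path that climbs out of Program Files would look
    trusted), and the writable exceptions are checked before the roots.
    """
    if ".." in PureWindowsPath(image).parts:
        return "deny", "relative traversal in image path"
    for exc in WRITABLE_EXCEPTIONS:
        if _under(image, exc):
            return "deny", f"user-writable sub-tree {exc}"
    for root in ALLOWED_ROOTS:
        if _under(image, root):
            return "allow", f"trusted root {root}"
    return "deny", "outside trusted roots (user-writable location)"


def triage(events: list[ProcessEvent]) -> list[tuple[int, str, str, str]]:
    """Apply the policy to a batch of events and return the denials.

    A denied image spawned by an Office application is tagged, since that
    lineage is the phishing-attachment pattern the checklist warns about.
    """
    denied = []
    for ev in events:
        verdict, reason = evaluate(ev.image)
        if verdict != "deny":
            continue
        if PureWindowsPath(ev.parent_image).name.lower() in OFFICE_PARENTS:
            reason += "; launched by Office parent"
        denied.append((ev.pid, ev.user, ev.image, reason))
    return denied


# Constructed sample events (not from the slide deck or any real host).
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"CORP\alice", r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4188, r"CORP\alice",
                 r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcessEvent(4201, r"CORP\bob", r"C:\Windows\Tasks\update.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4230, r"CORP\bob",
                 r"C:\Program Files\..\Users\bob\Downloads\setup.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4250, r"CORP\carol", r"C:\Program Files (x86)\7-Zip\7z.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, user, image, reason in triage(SAMPLE_EVENTS):
        print(f"DENY pid={pid} user={user} image={image} ({reason})")
```

Run it as-is and the three denials (the Temp-dropped invoice.pdf.exe launched by Outlook, the binary in C:\Windows\Tasks, and the traversal path) are listed while notepad.exe and 7z.exe pass. The same evaluation can be pointed at Sysmon Event ID 1 or Windows 4688 exports to audit what an SRP rollout would block before enforcing it.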
Preparation