AGA webinar (agacgfm.org)

Cyber Security for the Lay Person

March 28, 2018

Caleb Jones, Alion Science & Technology, Manager – Risk Assessment Programs

Today we'll cover
• The 'so what?' – the principles of the confidentiality, integrity and availability (CIA) triad as they pertain to financial management systems
• The 'what matters?' – the principles of risk-based security assessment, including the elements of criticality, vulnerability and threat
• The 'what do we do?' – what data owners and system users can do to help their IT staff better secure their systems

The setting…security always mattered
• The users' level of control has changed

Goals haven't changed, really
• Security has always had three elements
  • Confidentiality
  • Integrity
  • Availability

Confidentiality
• What it means: keeping private things private
• What threatens it: outsiders 'hacking' into financial systems; insiders who do not handle sensitive data properly
• What controls promote it: complex passwords, two-factor authentication, least privilege, encryption and a host of network controls

Confidentiality (Disclosure) – Examples
• 2008 Heartland Payment Systems
  • 34 million credit cards exposed
  • Paid out an estimated $145 million in compensation for fraudulent payments
  • Deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS)
  • Not allowed to process the payments of major credit card providers for five months

Integrity
• What it means: knowing that nobody has made unauthorized changes
• What threatens it: malicious outsiders, environment malfunctions (server crashes, corrupted files), malicious insiders
• What controls promote it:
  • Prevention: network controls, segregation of financial systems, least privilege
  • Response: backups, disaster recovery drills

Integrity (Corruption) – Examples
• 2014 JP Morgan Chase
  • Hit with an exploit that compromised the data of more than half of all US households
  • 76 million households and 7 million small businesses
  • Names, addresses, phone numbers and email addresses
  • It was reported that attackers gained "root" privileges on more than 90 of the bank's servers
  • That means they could do almost anything to any file: change balances, transfer funds, close/open accounts

Availability
• What it means: being able to get to your data when you need it
• What threatens it: network stability, 'DDoS' attacks, ransomware
• What controls promote it:
  • Prevention: network controls, segregation of financial systems
  • Response: backups, disaster recovery drills

Availability (Disruption) – Examples
• 2016 HSBC
  • Hit with a denial of service attack that lasted two days
  • Not unusual – denial of service is the most common attack against financial institutions (2015 Verizon Data Breach Investigations Report)
  • Average cost is $40,000 per hour
• 2017 "WannaCry" ransomware hit 150 countries and cost up to $4B

Not everything is (equally) important
• In protecting (pre-event) and recovering (post-event), not all information and systems are handled equally
• The level of protection, frequency of backups and level of access can vary according to the nature of the information and system

Risk tells us what (not) to worry about

Vulnerability
• How well have we protected our financial data and systems, based on implementation of measures drawn from policies and best practices?
• More (and more effective) measures mean lower vulnerability to threat actions

Criticality
• How important is specific information, or a specific system, to the organization?
• Think of the costs associated with loss: business interruption, fines, recovery costs

Threat
• How likely are we to have incidents on a particular system?
• IT can tell us the volume and type of activity against certain systems
• Internal controls can tell us about insider-related incidents within the organization

Risk
• Is the product of:
  • Vulnerability to threat actions
  • Criticality of the assets
  • Rate/types of threat activities within the system
• If any factor is zero, then risk is zero

What can we do to help?

Know yourself – understand criticality
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." – Sun Tzu (545 BC)
• Inventory the systems on which you depend
  • Shared files, financial management systems, SharePoint, email archives, etc.
• Rank them by 'pain points'
  • If ___________ disappeared/was disclosed, how bad would it hurt?
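The two ideas above, risk as the product of vulnerability, criticality and threat, and the inventory ranked by 'pain points', can be put into a few lines of code. The following is an added example written for this transcript, not the presenter's own material: the inventory, its 0–5 scores and the criticality threshold are constructed for illustration. It shows the zero-factor property of the product and, separately, why the recovery and test questions are keyed on criticality rather than on the risk score.

```python
# Added example (not from the presenter's deck): scoring an inventory of
# systems with the three factors the slides use (criticality, vulnerability,
# threat) and ranking them.  The systems and their 0-5 scores are constructed
# for illustration; the threshold value is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    criticality: int    # 0-5: how badly it would hurt if this disappeared or was disclosed
    vulnerability: int  # 0-5: how weakly it is protected (more effective controls = lower)
    threat: int         # 0-5: rate of hostile activity observed against it


def _check_scale(value: int, label: str) -> int:
    """Reject scores outside the 0-5 scale so a typo cannot skew the ranking."""
    if not 0 <= value <= 5:
        raise ValueError(f"{label} must be 0-5, got {value}")
    return value


def risk_score(s: System) -> int:
    """Risk as the deck defines it: the product of the three factors.

    Because it is a product, a zero in any one factor makes the risk zero.
    """
    return (_check_scale(s.criticality, "criticality")
            * _check_scale(s.vulnerability, "vulnerability")
            * _check_scale(s.threat, "threat"))


def rank_by_risk(systems: list[System]) -> list[tuple[str, int]]:
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(((s.name, risk_score(s)) for s in systems),
                  key=lambda pair: (-pair[1], pair[0]))


def systems_to_question(systems: list[System], min_criticality: int = 4) -> list[str]:
    """The 'pain point' list: where to focus the recovery and test questions.

    Keyed on criticality alone, not on risk, so a critical system with no
    observed threat activity (risk score 0) still gets the backup questions.
    """
    return [s.name for s in systems if s.criticality >= min_criticality]


# Constructed inventory along the lines of the slide's list.
INVENTORY = [
    System("Financial management system", criticality=5, vulnerability=3, threat=4),
    System("Shared files", criticality=3, vulnerability=4, threat=3),
    System("SharePoint", criticality=2, vulnerability=2, threat=2),
    System("Email archive", criticality=4, vulnerability=2, threat=0),
]

if __name__ == "__main__":
    for name, score in rank_by_risk(INVENTORY):
        print(f"{score:4d}  {name}")
    print("Ask recovery/test questions about:", systems_to_question(INVENTORY))
```

The email archive scores zero risk in this constructed inventory because no threat activity has been observed against it, yet it still appears on the list of systems to ask about, because the deck's "how bad would it hurt?" question is about criticality, not about what IT happens to have seen so far.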

Ask the right questions – vulnerability
"Now you know, and knowing is half the battle." – G.I. Joe (1985)
• Although much of information security is outside a financial manager's control, there is power in knowing the answers to key questions
• Focus the questions on the systems with high criticality (pain) scores

Recovery questions
The 'bad thing' will happen…are they prepared?
1. Is _________ system backed up? (How often?)
2. Is it backed up off-site? (Could one fire burn both?)
3. How long would it take to switch to the backup? (How long to switch back?)
4. How high is __________ on the recovery priority list? (They cannot bring back everything immediately)

'Test' questions
"You get what you inspect, not what you expect"
1. Have we ever hired someone external to find security problems? (If they haven't, assume the problems are there)
2. Have you ever practiced going to the backup site/data? (If they haven't, assume they can't)
3. How would we know if our data was compromised? (Failure of security isn't always obvious…you have to look)

Threat – not much you can do
• Your information security staff may (should) understand what is being targeted in your organization
• Often, not much of it is useful to the layman

What can you do yourself?
• Question the links you click and how you browse the internet
  • Links are like people – they have to earn trust
  • Links wear disguises:
    • http://ameribank.ru/myaccount/
    • https://bit.ly/2Gd6NQ
  • Legitimate sources never ask you to "Verify your information"
  • Go to the source…you already know the URL
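The two disguised links on the slide (a look-alike domain and a link shortener) can be caught mechanically before anyone clicks. The following is an added example written for this transcript, not the presenter's material: the expected bank host (`www.ameribank.com`, matching the slide's made-up bank) and the short list of shorteners are assumptions, and the third test URL is constructed to show the "user@host" disguise, which the slide does not list.

```python
# Added example (not from the presenter's deck): a few mechanical checks for
# the "links wear disguises" point.  The expected bank host and the shortener
# list are assumptions made for this example; the URLs are the two from the
# slide plus constructed ones.
from urllib.parse import urlsplit

# Popular link shorteners (partial list, assumed for the example): the visible
# link says nothing about where it really goes.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

REASONS = {
    "no-https": "not HTTPS: the page and anything you type are not protected",
    "shortener": "link shortener: the real destination is hidden",
    "lookalike": "host uses the bank's name but is not the bank's domain",
    "wrong-host": "host is not the site you expect",
    "userinfo": "text before '@' is not the host; the real host comes after it",
    "no-host": "no host in the link",
}


def registered_domain(host: str) -> str:
    """Last two labels of a host name (ameribank.ru, bit.ly).

    Simplification: country-code second-level domains such as co.uk need the
    public suffix list; good enough for the example.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def link_warnings(url: str, expected_host: str = "www.ameribank.com") -> list[str]:
    """Return warning codes for a link a user is about to click (empty = looks fine)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # hostname drops any user@ prefix and port
    warnings: list[str] = []
    if parts.scheme != "https":
        warnings.append("no-https")
    if "@" in parts.netloc:
        warnings.append("userinfo")         # e.g. https://www.ameribank.com@evil.example/
    if not host:
        warnings.append("no-host")
        return warnings
    if registered_domain(host) in SHORTENERS:
        warnings.append("shortener")        # cannot judge the destination from the link
        return warnings
    expected = registered_domain(expected_host)
    actual = registered_domain(host)
    if actual != expected:
        bank_name = expected.split(".")[0]
        warnings.append("lookalike" if bank_name in host else "wrong-host")
    return warnings


if __name__ == "__main__":
    for link in ("http://ameribank.ru/myaccount/",
                 "https://bit.ly/2Gd6NQ",
                 "https://www.ameribank.com@evil.example/verify",
                 "https://www.ameribank.com/myaccount/"):
        codes = link_warnings(link)
        print(link, "->", "; ".join(REASONS[c] for c in codes) or "no warnings")
```

The check is deliberately conservative: it reports a shortener without trying to resolve it, because following the link to find out where it goes is exactly the click the slide warns against. A real deployment would replace the two-label domain rule with the public suffix list and the hard-coded shortener set with a maintained one.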

What can you do yourself?
• Avoid all suspicious emails
  • Compromised systems start here!
• Don't download anything without a system admin
  • "Click here to install"
• Control your data! Things not to allow:
  • Downloading data onto portable media
  • Downloading work data onto, or using, personal computers
  • Taking unencrypted data out of the office
  • The Department of Veterans Affairs lost data on 26.5 million veterans and active-duty personnel (2006) and paid $20,000,000 in settlement

If you don't have these already…oops!
• Antivirus updated on all work devices (& personal ones)
• Strong password policy
  • Use 'passphrases' – Thi$1SmuchS+ronger
  • Don't duplicate passwords across systems!
• Use automatic screen lock
• Data/equipment disposal policy
• Work-from-home/secure connection and BYOD (Bring Your Own Device) policy

Summary
• Know yourself – what is critical and where is it?
• Communicate with your I.T. staff
  • Tell them what's critical
  • Ask hard questions
• Expect an 'event' – plan and practice
• Take reasonable precautions…the threat is out there!

Questions?