are you cyber secure?
TRANSCRIPT
0 ARE YOU CYBER SECURE? SIMPLE WAYS TO IMPROVE YOUR CYBER HEALTH & WELLNESS MASSACHUSETTS LEAGUE OF COMMUNITY HEALTH CENTERS MAY 3, 2017
Presented by:
Sumit Pal, CISA, CGEIT, CRISC, MBA, Principal and Team Leader, Cyber Secure Services
1 AGENDA
Cybersecurity – Why such a big deal?
Impact of Breaches
Types of Attacks & Safeguards
How to deal with cyber risks and security requirements, and how to leverage a commitment to security practices
Recommendations
2 VIDEO: CAN IT HAPPEN TO ME?
3 AGENDA: CYBERSECURITY – WHY SUCH A BIG DEAL?
4 “INFORMATION IS THE NEW OIL!”
Companies are collecting and storing large amounts of data on a regular basis.
This data may include information about employees, customers, intellectual property/trade secrets and business operations.
This data has value to the companies producing/collecting it, to their competitors and to unknown third parties.
5 BREACH STATISTICS (chart; source: BreachLevelIndex.com)
6 2016: BREACH INCIDENTS BY TYPE (chart; source: BreachLevelIndex.com)
7 2016: BREACHES BY INDUSTRY (chart; source: BreachLevelIndex.com)
8 MEDICAL CENTERS WITH CYBER INCIDENTS
• Great Falls Clinic, MT • Renville County Hospital & Clinics, MN • Brandywine Pediatrics. P.A., DE • Desert Care Family and Sports Medicine,
AZ • 4D Sound Diagnostics, TX • Office of Dr. Melissa D. Selke, MD • Berkshire Medical Center / Ambucor, MA • Wentworth-Douglass Hospital / Ambucor,
NH • HeartCare Consultants, FL • Remedi SeniorCare, MD • Rainbow Children's Clinic, TX • Seven Hills Foundation, MA
• Thomasville Eye Center, GA • Codman Square Health Center, MA • KidsPeace, PA • Athens Orthopedic Clinic, GA • My Pediatrician, PA / Bizmatics, FL • Patterson Dental Surgery, MA • Massachusetts Eye and Ear Infirmary,
Inc., MA • Singh and Arora Oncology
Hematology, PC, MI • You and Your Health Family Care, Inc.,
FL • Saint Agnes Medical Center, CA • Clinton Health Access Initiative, MA
9 2016: BREACHES BY REGION (chart; source: BreachLevelIndex.com)
10 NEWS WORTHY DATA BREACHES (slides 10-15; no text captured)
16 AGENDA: IMPACT OF BREACHES
17 COST OF BREACHES (chart; source: BreachLevelIndex.com)
18 SMALL & MEDIUM BUSINESS MYTH
I am too insignificant to attract the interest of cyber criminals!!
19 SMALL & MEDIUM BUSINESS MYTH
“It is the data that makes a business attractive, not the size… especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property”
20 SMB: AN ATTRACTIVE TARGET. WHY?
Automation lets modern cyber criminals mass-produce attacks with little investment.
“It’s easier to rob a house than a museum…”
“Porous” small-business networks provide easy access.
21 IMPACT OF BREACHES - SMB
Direct costs are just the tip of the iceberg.
22 IMPACT OF BREACHES
23 AGENDA: TYPES OF ATTACKS & SAFEGUARDS
24 1. PASSWORD ATTACKS
The attacker gains access to your systems by cracking a user’s password:
1. Dictionary attacks (trying lists of common words and known passwords, with typical variations)
2. Brute force (trying every possible combination)
3. Rainbow tables (precomputed tables of hashes looked up against stolen password hashes)
25 1. PASSWORD ATTACKS
These attacks work because of weak, short or reused passwords; rainbow tables additionally depend on the system storing password hashes without a per-user salt.
26 CYBER SECURITY TIP# 1
Easy to remember, complex passwords! A password should be:
• Long and complex
• Easy to remember
• Different for each website/application
27 CYBER SECURITY TIP# 1
Pick your favorite song lyric: “I drive your truck, I roll every window down”
Step 1, base password: the first letter of each word: idytirewd (9 characters)
Step 2, add one number and one special character: idytirewd7* (11 characters)
Step 3, add a site-specific prefix, e.g. GM: GMidytirewd7* (13 characters)
Result: a 13-character-long, unique, complex password you can rebuild from memory.
Caveat: only the site-specific part changes between sites, so if one of these passwords leaks in a breach, the pattern and the base are exposed. A password manager that generates a random password per site avoids that; keep this scheme for the few passwords you must type from memory.
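The following is an added example, not code from the presentation: it builds a password with the Tip #1 scheme, then runs a toy dictionary attack (with the mangling rules crackers apply by default) against unsalted SHA-256 hashes to show which passwords fall, and why a per-user salt defeats rainbow tables. The lyric, the "GM" site code, the wordlist and the sample accounts are all constructed for the example.

```python
"""Added example (not from the presentation): builds a password the way Tip #1
describes, then runs a toy dictionary attack against unsalted SHA-256 hashes to
show which passwords fall and why a per-user salt defeats rainbow tables.  The
lyric, the "GM" site code, the wordlist and the user accounts are constructed."""
import hashlib
import os


def lyric_base(lyric: str) -> str:
    """Step 1: the first letter of each word, lower-cased."""
    words = lyric.replace(",", " ").split()
    return "".join(word[0] for word in words).lower()


def derive_password(lyric: str, site_code: str, digit: str = "7", special: str = "*") -> str:
    """Steps 2-3: site-specific prefix + base + one digit + one special character."""
    return f"{site_code}{lyric_base(lyric)}{digit}{special}"


def sha256_hex(password: str, salt: bytes = b"") -> str:
    """Unsalted when salt is empty, which is exactly what rainbow tables exploit."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hashes: dict, wordlist: list) -> dict:
    """target_hashes: {username: unsalted sha256 hex}.  Try every word with a few
    default mangling rules; return {username: recovered password}."""
    by_hash = {}
    for user, digest in target_hashes.items():
        by_hash.setdefault(digest, []).append(user)   # same password -> same hash
    found = {}
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in ("", "1", "123", "!", "2017"):
                guess = base + suffix
                for user in by_hash.get(sha256_hex(guess), []):
                    found[user] = guess   # one crack unlocks every account sharing the hash
    return found


def keyspace_guesses(length: int, charset_size: int) -> int:
    """Worst-case guesses for an exhaustive brute-force search: what 'long and complex' buys."""
    return charset_size ** length


LYRIC = "I drive your truck, I roll every window down"
WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty", "clinic"]
ACCOUNTS = {                                   # constructed sample accounts
    "alice": "Password123",                    # dictionary word + common suffix
    "bob": derive_password(LYRIC, "GM"),       # Tip #1 scheme -> GMidytirewd7*
    "carol": "welcome!",
    "dave": "welcome!",                        # same password as carol
}


def demo() -> dict:
    unsalted = {user: sha256_hex(pw) for user, pw in ACCOUNTS.items()}
    cracked = dictionary_attack(unsalted, WORDLIST)
    # Rainbow tables work because identical passwords hash identically; a random
    # per-user salt makes every stored hash unique even when the password repeats.
    salted = {user: sha256_hex(pw, os.urandom(16)) for user, pw in ACCOUNTS.items()}
    return {
        "cracked": cracked,
        "same_hash_unsalted": unsalted["carol"] == unsalted["dave"],
        "same_hash_salted": salted["carol"] == salted["dave"],
        "brute_force_ratio": keyspace_guesses(13, 95) // keyspace_guesses(9, 26),
    }


if __name__ == "__main__":
    print(demo())
```

Alice and Carol fall to the wordlist in a handful of guesses, and Dave falls with Carol because their unsalted hashes are identical; Bob's 13-character derived password is not in any wordlist and its keyspace is about 10^13 times larger than a 9-letter lowercase one. Real systems should also use a slow password hash (bcrypt, scrypt or Argon2) rather than plain SHA-256, which is used here only to keep the attack visible.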
29 CYBER SECURITY TIP# 2
• What is your mother’s maiden name?
• What was the name of your first pet?
• What was the make of your first car?
Security questions… Thou shalt not answer them correctly! The real answers are often discoverable online; use a made-up answer and store it like a password.
30 2. SOCIAL ENGINEERING ATTACK
31 2. PHISHING
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
32 2. PHISHING: SAMPLE EMAIL (slides 32-34)
Tell-tale signs in the sample e-mails: sender unknown; looks like spam; generic wording rather than addressed to you.
35 CYBER SECURITY TIP# 3
“Think before you click.” Never click a link or open an attachment you did not expect to receive. How many of us wouldn't be swayed to click on at least one of these?
• ADP (payroll processor) themed e-mail
• Voicemail (virtual PBX systems & softphones)
• eFax
• Invoices
• Package delivery (UPS, FedEx, especially during the holiday season)
• Social networking (Facebook, LinkedIn invitation)
• IRS
• Sports (NFL, NBA, baseball, World Cup soccer, etc.)
36 3. SPEAR PHISHING: “CEO FRAUD”
The largest known case of wire fraud from spear phishing to date: $46.7 million. The attacker impersonated the CEO and authorized a wire transfer via e-mail to the Chief Accounting Officer; $46.7 million was wired out of the company's Hong Kong subsidiary. The Chief Accounting Officer resigned. This category of theft is also known as “CEO fraud” or a “business email compromise” (BEC) scam.
38 CYBER SECURITY TIP# 4
Between October 2013 and February 2016: $2.3 billion in losses across 17,642 victims, and a 270% increase in incidents since January 2015 (FBI figures). The average loss per scam is between $25,000 and $75,000.
• Be wary of e-mail-only wire transfer requests and requests involving urgency.
• Pick up the phone and verify with legitimate business partners, using a number you already have rather than one taken from the e-mail.
• Be cautious of mimicked e-mail addresses (look-alike domains, often one character off, or a Reply-To that goes somewhere else).
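As an added example (not part of the presentation), the script below applies the red flags from Tips #3 and #4 to raw e-mails: a sender domain that mimics ours, a Reply-To that goes elsewhere, urgency wording, an e-mail-only wire request, and a link whose visible text names a different host than its href. The trusted domain `example-clinic.org`, the keyword lists and the three sample messages are constructed for the example and are not real correspondence.

```python
"""Added example (not from the presentation): triage raw e-mails for the red
flags in Tips #3 and #4.  The trusted domain, keyword lists and the three
sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-clinic.org"}          # assumption: our own mail domain
URGENCY_WORDS = ("urgent", "immediately", "right away", "today", "confidential")
WIRE_WORDS = ("wire transfer", "wire", "bank details", "account number", "payment")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; spots look-alike domains (example vs examp1e)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def link_mismatches(html: str) -> list:
    """(visible_host, real_host) pairs where the link text shows one host but the href goes elsewhere."""
    out = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r'(?:[a-z0-9-]+\.)+[a-z]{2,}', text, re.I)
        if shown and shown.group(0).lower() != real:
            out.append((shown.group(0).lower(), real))
    return out


def triage(raw_email: str) -> dict:
    """Return the red flags found in one raw message and a recommended action."""
    msg = message_from_string(raw_email)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags = []
    mimicked = is_lookalike(from_domain)
    if mimicked:
        flags.append(f"sender domain {from_domain} mimics a trusted domain")
    elif from_domain not in TRUSTED_DOMAINS:
        flags.append(f"external sender {from_domain}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    urgent = [w for w in URGENCY_WORDS if w in text]
    if urgent:
        flags.append("urgency language: " + ", ".join(urgent))
    wire_request = any(w in text for w in WIRE_WORDS)
    if wire_request:
        flags.append("asks for a payment or wire transfer by e-mail")
    bad_links = link_mismatches(body)
    for shown, real in bad_links:
        flags.append(f"link text shows {shown} but points to {real}")

    if wire_request or mimicked or bad_links:
        action = "do not act on this e-mail; phone the requester on a number you already have"
    else:
        action = "no red flags found" if not flags else "treat with caution"
    return {"from": from_addr, "flags": flags, "action": action}


# Constructed sample messages (not real mail).  198.51.100.7 is a documentation address.
CEO_FRAUD = """\
From: "Dr. Jane Doe" <jane.doe@examp1e-clinic.org>
Reply-To: <jane.doe.ceo@fastmail-example.net>
To: accounting@example-clinic.org
Subject: Urgent and confidential - wire transfer
Content-Type: text/plain

I am in meetings all day. Please process the wire transfer of $46,700
to the new vendor immediately; bank details attached. Handle this
confidentially, I will explain later.
"""

PHISH = """\
From: "ADP Payroll" <notices@adp-payroll-alerts.example.net>
To: staff@example-clinic.org
Subject: Your pay statement is ready
Content-Type: text/html

<p>Your payroll statement is available. Sign in to view it:</p>
<a href="http://198.51.100.7/adp/login">https://www.adp.com/login</a>
"""

LEGIT = """\
From: "Bob Smith" <bob.smith@example-clinic.org>
To: staff@example-clinic.org
Subject: Team lunch Friday
Content-Type: text/plain

The team lunch is at noon on Friday in the main conference room.
"""

if __name__ == "__main__":
    for name, raw in (("CEO fraud", CEO_FRAUD), ("Phishing", PHISH), ("Legit", LEGIT)):
        print(name, triage(raw))
```

The CEO-fraud sample trips four flags at once (look-alike domain, foreign Reply-To, urgency, wire request); the payroll lure trips the link check because the visible `www.adp.com` text points at a raw IP address. Keyword matching of this kind is a training aid and a first filter, not a substitute for the phone call Tip #4 asks for.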
39 4. RANSOMWARE
Ransomware (e.g. CryptoLocker) encrypts the files it can reach, including mapped network shares, and demands payment for the decryption key.
40 CYBER SECURITY TIP# 5
• Perform daily data backups
• Ensure offsite storage of backups (a backup the infected machine can write to gets encrypted along with everything else)
• Test that backups actually restore
• Use reputable anti-malware/anti-virus
• Educate your employees
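The following is an added example, not code from the presentation: a minimal backup-and-restore check for Tip #5. It archives a directory, writes a SHA-256 manifest that should be kept with the offsite copy, and then proves the backup is usable by restoring it into a fresh directory and comparing every file against the manifest. The sample records, the directory names and the simulated ransomware are constructed for the example.

```python
"""Added example (not part of the presentation): a minimal backup-and-restore
check for Tip #5.  The sample records and the simulated ransomware are constructed."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir: Path, dest_dir: Path, label: str):
    """Write <label>.tar.gz and <label>.manifest.json (relative path -> sha256).
    Keep the manifest with the offsite copy: a host that has been encrypted
    must not be able to rewrite the record of what the good data looked like."""
    archive = dest_dir / f"{label}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    (dest_dir / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive, manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore into an empty directory and return every discrepancy against the
    manifest.  An empty list is the only acceptable result of a restore test."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuses unsafe paths (3.12+ and backports)
            except TypeError:
                tar.extractall(restore_dir)                 # older interpreters
    except Exception as exc:  # any failure to read the archive is a failed restore
        return [f"archive unreadable: {exc}"]
    problems = []
    for rel, digest in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(target) != digest:
            problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> dict:
    """Day 1: good backup.  Then ransomware hits and the nightly job dutifully
    backs up the encrypted files.  Only the day-1 archive restores cleanly; the
    day-2 archive fails the check against the day-1 manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, vault = root / "live", root / "vault"
        (live / "notes").mkdir(parents=True)
        vault.mkdir()
        # constructed sample data standing in for clinic records
        (live / "schedule.csv").write_text("date,patient\n2017-05-03,A. Example\n")
        (live / "notes" / "visit-001.txt").write_text("Routine follow-up, no change.\n")
        (live / "notes" / "visit-002.txt").write_text("Prescription renewed.\n")
        day1, manifest = make_backup(live, vault, "day1")

        # simulated ransomware: overwrite every file with junk and rename it
        for path in [p for p in live.rglob("*") if p.is_file()]:
            path.write_bytes(os.urandom(path.stat().st_size + 16))
            path.rename(path.with_name(path.name + ".locked"))
        day2, _ = make_backup(live, vault, "day2")

        return {
            "files_backed_up": len(manifest),
            "day1_problems": verify_restore(day1, manifest, root / "restore1"),
            "day2_problems": verify_restore(day2, manifest, root / "restore2"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the day-2 run is retention: a backup job that faithfully overwrites its only copy with encrypted files is no backup at all, so keep dated archives and their manifests where the live system cannot reach them, and run the restore test on a schedule rather than during an incident.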
41 CYBER SECURITY TIP# 6
Make your laptop/desktop less vulnerable to attack: enable automatic installation of “Important updates” from Microsoft (Windows Update).
42 CYBER SECURITY TIP# 7
If you don’t trust the source, don’t plug in the USB drive. Where removable media is not needed, disable USB storage ports.
43 CYBER SECURITY TIP# 8
EDUCATE YOUR STAFF
Phishing, spear-phishing, social engineering and other human-based attacks are increasingly popular and highly effective attack vectors.
Turn on your “Human Firewall”: poorly trained staff can be your greatest weakness; well-trained staff can be your greatest asset, watching for issues across your network.
Training topics:
• Why employees need to protect your organization
• Password security
• Securely sending and storing data
• Social engineering
• Malware
45 CYBER SECURITY TIP# 9 .. FINALLY
MONITOR YOUR THIRD PARTY RELATIONSHIPS
A business is only as strong as the chain of third parties it works with to run its business. Leaders must recognize and understand the factors that promote strong third-party monitoring. Ensuring that products/services are delivered on time is only a piece of the puzzle.
Third-party monitoring must cover all activities related to your third parties, including risk ranking, screening, data collection, documentation and ongoing monitoring.
Third parties include:
• Consultants / Contractors
• Agents
• Vendors
• Suppliers / Distributors
• Joint Ventures
46 LEVERAGING COMMITMENT TO SECURITY PRACTICES TO ATTRACT NEW CUSTOMERS
• Have a third-party audit conducted:
• Service Organization Control (SOC) 2 Type II audit, covering a selection of one or more of the Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, Privacy
• ISO 27001 certification
47 LEVERAGING COMMITMENT TO SECURITY PRACTICES TO ATTRACT NEW CUSTOMERS
• Such third-party reports can assist with:
• Meeting clauses frequently required by major customers / contractual requirements
• Complying with contractual Service Level Agreements (SLAs)
• Providing a significant competitive advantage in the marketplace vis-à-vis your competitors
48 AGENDA: HOW TO DEAL WITH CYBER RISKS?
49 NIST CYBERSECURITY FRAMEWORK
In February 2014, the National Institute of Standards and Technology (NIST) released version 1.0 of the NIST Cybersecurity Framework (the Framework for Improving Critical Infrastructure Cybersecurity).
The Framework allows organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
50 FOCUS: 5 FUNCTIONAL AREAS OF CYBERSECURITY
IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
51 CYBER SECURE ECO SYSTEM (Cyber Secure Services mapped to the five functions)
IDENTIFY: Do you know your “crown jewels”? • NIST Cybersecurity Assessment • IT Application Controls Assessment • Information Security Assessment • Third Party Provider Risk Assessment
PROTECT: Do you have adequate safeguards in place to protect your assets? • Security Awareness and Training • Outsourced CISO (Chief Information Security Officer) • Information Security Services • Cyber Insurance Services • Business Continuity & Disaster Recovery Plan
DETECT: Would you know if you are being attacked? • Security Monitoring Services (Intrusion Detection Service) • Network Vulnerability Assessment • Ethical Hacking & Penetration Testing Services • Phishing as a Service
RESPOND: Do you have a plan to contain the impact of an attack? • Information Security Services • Digital Forensic Services • Incident Response Plan & Assistance
RECOVER: Do you have a plan to restore capabilities and your reputation? • Digital Forensic Services • Cyber Insurance Services • Litigation Support • Valuation of Damages • Asset Impairment
52 NIST CYBERSECURITY ASSESSMENT: PROFILE EXAMPLE
Current and target profiles are compared across the five functions to expose gaps.
Implementation Tiers: Tier 1: Partial; Tier 2: Risk-Informed; Tier 3: Repeatable; Tier 4: Adaptive
53 NIST CYBERSECURITY ASSESSMENT (chart of scores by function: IDENTIFY (ID), PROTECT (PR), DETECT (DE), RESPOND (RS), RECOVER (RC))
54 AGENDA: RECOMMENDATIONS
55 RECOMMENDATIONS
• Laptops should be encrypted
• Security awareness training
• Change passwords periodically
• Consider a cyber insurance policy
• Network penetration testing
• Backup recovery testing
• Monitor third-party providers
56 QUESTIONS?
Sumit Pal, CISA, CGEIT, CRISC Principal Cyber Secure Team Leader Practice Leader, Risk Advisory 609.514.5595 [email protected]