TRANSCRIPT
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTINGInvestment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor
©2020 CliftonLarsonAllen LLP
Lee Painter, Principal, HC CyberSecurity and Regulatory Compliance
CyberSecurity – Protect Your Practice
Create Opportunities
About CLA
• A professional services firm with three distinct business lines
– Wealth Advisory
– Outsourcing
– Audit, Tax, and Consulting
• More than 6,100 employees
• 120 offices coast to coast
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC.
Speaker Introduction (Huge Nerd)
Lee Painter, CISSP, CRISC, HCISPP, CCSFP
Principal, HealthCare CyberSecurity and Regulatory Compliance
• 15 years of operational experience (DoD)
– Threat Analysis and Network Defense
– Incident Detection and Response
– Insider Threat Analyst/Lead
– System/Network Administrator
• 5 years of consulting experience
– HIPAA Security Risk Analysis
– HIPAA Privacy and Security GAP Assessments
– Penetration Testing
– Vulnerability Assessments
– GDPR Data Protection Impact Assessments
– Payment Card Industry Compliance Assessments
Financial Impact of Healthcare Breaches
Raise Your Hand If…
When a TV is NOT a TV…
https://www.theverge.com/2019/6/17/18681683/samsung-smart-tv-virus-scan-malware-attack-tweet
The bad guys
“Know Thy Enemy”
• Hackers have “monetized” their activity
– More sophisticated hacking
– More “hands-on” effort
– Smaller organizations targeted
– Cybercrime as an industry
• Everyone is a target…
• Phishing is a root cause behind the majority of cyber fraud and hacking attacks
Cybercrime as an “Industry”
• Black market economy to support cyber fraud
• Hacking is run like a business where people (criminals) specialize in different areas
– Writing malware
– Renting botnets
– Stealing data
– Selling data (collect data from various sources/BIG DATA)
– Etc.
Largest Cyber Fraud Trends - Motivations
• Black market economy to support cyber fraud
– Business models and specialization
• Most common cyber fraud scenarios we see affecting our clients
– Theft of PII and PFI
o W2/Payroll/Benefit info
– Theft of credit card information
– Theft of Credentials and Account take overs
– Ransomware and Interference w/ Operations
Marketplace for Stolen Information
• Attackers buy and sell data on cyber black market
– “The Dark Web” - similar to amazon.com
Cautionary Tales
Ransomware
Malware encrypts everything it can interact with
http://www.engadget.com/2016/02/19/hospital-ransomware-a-chilling-wake-up-call/
Common Ransomware Targets
• Local Disk(s)
• Connected devices (USB)
• Managed network devices
• Other accessible folders
• Vulnerable hosts within the network
Everyone is a target
Should Never Happen
• 37,000 Flash Drives sent to members
How to prevent
• Never trust a flash drive
• Always perform a secure download
• Constantly update AntiVirus software
• Advanced (and maintained) Firewalls
Should Never Happen
• $10,000 Fine
• Patient Information was disclosed in response to a YELP Review (presumably negative)
• Last Name, Health Condition, Treatment Plan, Insurance, Cost Information
• No policies and procedures around PHI – Social Media Policy?
How to prevent
• Policies and Procedures!
• Training and Awareness
• HIPAA Risk Analysis
Ransomware and Cybercrime
The Attacks!
Ransomware
• Attack on the availability of network data
• Easier to do than exfiltration of the data
• Uses strong encryption to render victims' files unreadable
• Payments are often in Bitcoin
• Cyber criminals attempt to delete host and network backups
• User credentials are used for network access
• Many variants and constant evolution
Ransomware Evolution
2004 Misleading Applications
2008 Fake anti-virus
2013 Locks you out of your device (browser, etc.)
2015-2019 Locks you out of your data
• This evolution of ransomware has been greatly influenced by a range of developments in technology, economics, and security.
o Cryptocurrency and anonymization networks have made it difficult to hunt down cyber criminals
Ransomware Types
• CryptoWall, CryptoLocker, etc.
• Encrypt all data, hold it “ransom” for $$
– Data on local machine and on network
• Attackers are putting much more time and effort into these types of attacks over the last year(s)
• Starting to target other operating systems, like Macs, Android, IoT
Ransomware as a Service (RaaS)
• Attackers buy and sell anti-security services on cyber black markets
– “The Dark Web” - similar to amazon.com
Ransomware (One year ago)
Ransomware (Six months ago)
Ransomware
Ransomware (More Recently…)
Image source from NPR
Defensive Strategies
• Defense in depth
• Staff awareness (users that are aware and savvy)
• Current operating systems and up to date/patched software
• Minimized User Access Rights
• Email spam filters
– Setup
– Tested
– Examine spam
• Removal of ads from the network
– Web proxy
Phishing
The Attacks!
What is Phishing?
• Simply put:
– Convince someone to perform an action that will benefit the attacker
• What is that action?
– Visit a malicious website
– Download and open a malicious file
– Provide confidential information (Password, Account Number, etc.)
– Wire money out of the organization
Types of Attacks
• Traditional Attack (Spamming) – Attacker targets a large number of users
• Spear Phishing – A custom message is built for a specific target
• Whaling – “C-level” executives or management are specifically targeted
Phishing Email
You can forge the sender address in a letter
Poor Email Filtering
SMTP Envelope:
Connected to mail.cogentco.com (38.9.X.X).
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted
SMTP Message:
DATA
354 Enter message, ending with "." on a line by itself
FROM: <[email protected]>
TO: <[email protected]>
Subject: Free Tesla Car
Phishing Email
Phishing Email
Ransomware
Phishing Website
Protect Against Email Phishing
• Harden email gateway (spam filter)
– Block potentially malicious file attachments (e.g. ZIP, RAR, HTA, JAR)
– Flag Office documents that contain Macros as suspicious
– Prevent your organization’s domain from being spoofed
◊ Sender Policy Framework (SPF)
◊ Custom rule to evaluate SMTP Letter FROM field
– Flag emails that originate from the Internet
◊ E.g. Modify subject line to say ‘External’
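The “Poor Email Filtering” slide shows why the custom rule above matters: the SMTP envelope MAIL FROM and the message header FROM are independent fields, so a gateway has to compare them itself. The following is an added example, not code from the deck or from CLA, showing both gateway rules on constructed sample data (the domain names practice.example and outside.example are assumptions); publishing an SPF record is the standards-based complement and is not implemented here.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the gateway treats as its own (assumption for this example).
INTERNAL_DOMAINS = {"practice.example"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def evaluate(envelope_mail_from: str, raw_message: str) -> dict:
    """Apply the slide's two gateway rules to one message.

    1. Compare the SMTP envelope sender (MAIL FROM) with the header From
       line; a header From claiming an internal domain while the envelope
       comes from elsewhere is the spoof pattern shown on the slide.
    2. Mark mail that originates outside the organization by prefixing
       '[External]' to the Subject.
    """
    msg = message_from_string(raw_message)
    env_dom = domain_of(envelope_mail_from)
    hdr_dom = domain_of(msg.get("From", ""))
    findings = []
    if hdr_dom in INTERNAL_DOMAINS and env_dom not in INTERNAL_DOMAINS:
        findings.append("header-from-spoofs-internal-domain")
    if env_dom != hdr_dom:
        findings.append("envelope-header-mismatch")
    external = env_dom not in INTERNAL_DOMAINS
    subject = msg.get("Subject", "")
    if external and not subject.startswith("[External]"):
        subject = "[External] " + subject
    return {"external": external, "findings": findings, "subject": subject}


# Constructed sample reproducing the slide's pattern: the envelope sender is
# an outside domain while the header From claims to be the practice itself.
SAMPLE_ENVELOPE = "<sender@outside.example>"
SAMPLE_MESSAGE = """From: Clinic Admin <admin@practice.example>
To: staff@practice.example
Subject: Free Tesla Car

Click the link to claim your car.
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_ENVELOPE, SAMPLE_MESSAGE))
```

On the sample, the spoofed header is flagged and the subject becomes “[External] Free Tesla Car”; mail whose envelope and header both carry the internal domain passes with no findings and no tag.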
Protect Against Email Phishing
• Continue to Train Employees
– Train employees how to spot odd wire requests
– Politely challenge the request and ask if it has been verified through proper channels
– Provide sample policies/guidelines for organizations that don’t have them
– Explain simple controls to implement (limits, two-step/two-factor, etc.)
– Make sure request is not authorized via email
Ransomware Recovery Strategies
None of that worked – Now What?
Data Backup
• Ensure ALL critical systems and data are being backed up
• Practice a full system and data restore to verify your confidence in full system and data restore capabilities
– Understand how long it will take to recover various backup types
• Segment critical backups to prevent deletion
– Attackers will attempt to delete or encrypt all accessible backups
Incident Response
• Playbooks for common incident types
• Ensure employees understand their responsibilities and procedures to follow in the event of an incident
• TEST!
Cyber Insurance
• Average cyber insurance payout:
– Median $150,000
– Mean $700,000
An Ounce of Prevention
Prevent the Breach and/or Limit the Impact
• Evaluate your risks (and be compliant) – Perform a HIPAA Risk Analysis
• Establish policies and procedures
• Train staff to policies and procedures
• Test your security – Penetration Testing, Vulnerability Assessment(s)
• Plan for an incident/disaster
• Practice your plan
• Assess, Adjust, Operate (Repeat)
“You can outsource IT and the responsibility, but you can never outsource the accountability for protecting Patient Health Information…. Choose your vendors carefully.” Lee Painter, Today – and a bunch of times since 2014
Thank you!
CLAconnect.com
Lee Painter
Principal, HC CyberSecurity and Regulatory Compliance