Cybersecurity for Retailers
Presented by: Carly Devlin
TODAY’S PRESENTER
Carly Devlin, Managing Director, Columbus Office
Agenda
• Understanding Cyber Risk
• Cyber Threats
• Case Studies
• Managing Cyber Risk
• Cybersecurity Tools
• Questions
Understanding Cyber Risk
What is Cyber Risk?
Any risk of financial loss, disruption, or damage to the reputation of an organization from a failure of its information technology systems.
Source: The Institute of Risk Management
▪ Failure to mitigate this risk may cause:
- Disruption of systems/business processes
- Loss of confidential data
- Financial loss
- Fraudulent reporting and metrics
- Damage to reputation
Cybersecurity Industry Facts
▪ Cyber crime damage: $6 trillion annually by 2021
▪ Cybersecurity spending: will exceed $124 billion in 2019
▪ Unfilled cybersecurity jobs: 3.5 million by 2021
▪ Human attack surface: 6 billion people by 2022
▪ Global ransomware damage costs: will reach $11.5 billion in 2019
Source: CSO
Cybersecurity Definitions
Threat:
Circumstance or event with the potential to adversely impact organizational operations, organizational assets, and/or individuals, through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat actors and their typical motives:

| Threat Actor | Actor Motive |
|---|---|
| National governments | Cyber warfare/espionage |
| Terrorist groups | Spread terror |
| Organized crime | Financial gain |
| Hacktivists | Political agenda |
| Hackers | Notoriety/financial gain |
| Insider threats | Revenge/financial gain |
Cyber Threats
Security Incident Survey
2018 Verizon Data Breach Investigations Report (DBIR): Retail

| Measure | Finding |
|---|---|
| Frequency | 317 incidents, 169 with confirmed data disclosure |
| Top 3 patterns | Denial of Service, Web Applications, and Payment Card Skimmers represent 75% of incidents |
| Threat actors | 93% external, 7% internal (all incidents) |
| Actor motives | 96% financial, 1% fun, 1% convenience (all incidents) |
| Data compromised | Payment (73%), Personal (16%), Credentials (8%) |
Our Clients: Most Common Cyber Threats
Phishing
Ransomware
Human Error
Software Vulnerabilities
Internet of Things (IoT)
Threat Horizon and Industry Outlook
▪ E-commerce applications are a critical asset for retailers. Defenses against availability as well as integrity and confidentiality losses must be implemented, tested, and refined.
▪ Retailers have traditionally used loss prevention controls (cameras, security guards, etc.) to rein in shoplifting. Extend that mentality to identify tampering of any card processing device (gas pumps in particular).
▪ Embrace technologies that make it harder for criminals to conduct card-present fraud, such as chip-and-PIN and contactless-enabled POS terminals, and force the adversary to shift tactics.
Case Studies
Attack #1 – Under Armour
Attack victim: Under Armour
Attack date: March 2018
Description: An unauthorized third party gained access to personal information from users of the company’s MyFitnessPal app.
Number of affected customers: 150 million
Attack #2 – Lord & Taylor
Attack victim: Lord & Taylor
Attack date: April 2018
Description: Malware running on certain point-of-sale systems at possibly all locations in North America exposed customer payment information. Customers of the sister companies Lord & Taylor, Saks Fifth Avenue, and Saks Off 5th were affected.
Number of affected customers: 5 million
Attack #3 – Marriott International
Attack victim: Marriott International
Attack date: November 2018
Description: An unauthorized third party had been accessing its Starwood network since 2014. The attacker had access to the Starwood guest reservation database, which contains sensitive information.
Number of affected customers: 500 million
Attack #4 – Orbitz
Attack victim: Orbitz
Attack date: March 2018
Description: The incident involved an older travel booking platform on which information may have been accessed between October and December 2017.
Number of affected customers: 880,000
Managing Cyber Risk
Managing Cyber Risk
Mitigation vs. Elimination of Risk
(Slide diagram: Inherent Risk for Risk 1, Risk 2 and Risk 3 is reduced by Controls to a lower Residual Risk; controls mitigate risk rather than eliminate it.)
Use of a Security Framework
A series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.
Security Frameworks
ISO
NIST
ISO/IEC 27001:2013
▪ Established by:
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
▪ Designed to:
Provide requirements for an information security management system (ISMS)
▪ Overview:
Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements are intended to be applicable to all organizations, regardless of type, size, or nature.
NIST Cybersecurity Framework
▪ Established by:
The National Institute of Standards and Technology (NIST)
▪ Designed to:
Be a voluntary cybersecurity framework, developed by NIST at the direction of a US Executive Order (EO 13636, Improving Critical Infrastructure Cybersecurity)
▪ Overview:
A structure for the nation’s financial, energy, healthcare, and other critical systems to better protect their information and physical assets from cyber attack. NIST provides a common language with which to address and manage cyber risk in a cost-effective way based on business needs, without additional regulatory requirements.
NIST Cybersecurity Framework (CSF)
▪ Three Parts:
– Framework Core
– Framework Implementation Tiers
– Framework Profiles
Allows organizations to:
▪ Describe current cybersecurity posture
▪ Describe target state for cybersecurity
▪ Identify and prioritize opportunities for improvement
▪ Assess progress towards target state
▪ Communicate about cybersecurity risk using a common language among internal and external stakeholders
CSF Core
(Slide graphic: the Core is organized into five Functions, Identify, Protect, Detect, Respond and Recover, each broken down into Categories and Subcategories with Informative References to standards such as ISO/IEC 27001 and NIST SP 800-53.)
CSF Tiers/Profiles
▪ Tiers
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
▪ Profiles
– Current profile (“as is”)
– Target profile (“to be”)
CSF – Applying the Framework
1. Prioritize & scope
2. Orient
3. Create a current profile
4. Conduct a risk assessment
5. Create a target profile
6. Determine, analyze & prioritize gaps
7. Implement action plans
(The seven steps form a repeatable cycle.)
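Steps 3, 5 and 6 above (create a current profile, create a target profile, determine and prioritize gaps) are the part of the process that lends itself to a simple tool. The following is an added example, not the presenter's or NIST's code: the subcategory IDs are real CSF v1.1 identifiers, but the per-subcategory tier scores, the business-priority weights and the "gap times weight" ranking rule are constructed assumptions for illustration (the CSF itself applies Tiers to the organization as a whole, not to individual outcomes).

```python
"""NIST CSF profile gap analysis (added example, not NIST's or the
presenter's code). Subcategory IDs are CSF v1.1 identifiers; tier scores,
weights and the gap * weight ranking rule are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean

# Implementation Tiers from the deck, used here as a 1-4 maturity score
# per subcategory (an assumption made for this example).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTION_ORDER = {"ID": 0, "PR": 1, "DE": 2, "RS": 3, "RC": 4}


@dataclass(frozen=True)
class Outcome:
    """One CSF subcategory with its current ("as is") and target ("to be") tier."""
    subcategory: str  # e.g. "PR.AC-1"
    current: int      # current profile tier, 1-4
    target: int       # target profile tier, 1-4
    weight: int       # business priority from step 1 (assumed scale 1-3)

    def gap(self) -> int:
        # A target below the current tier (a de-scoped outcome) is not a gap.
        return max(self.target - self.current, 0)

    def score(self) -> int:
        # Constructed ranking rule: larger gaps on higher-priority outcomes first.
        return self.gap() * self.weight


def validate(outcome: Outcome) -> Outcome:
    """Reject malformed entries before they skew the gap list."""
    func = outcome.subcategory.split(".")[0]
    if func not in FUNCTION_ORDER:
        raise ValueError(f"unknown CSF Function in {outcome.subcategory}")
    for name, tier in (("current", outcome.current), ("target", outcome.target)):
        if tier not in TIERS:
            raise ValueError(f"{outcome.subcategory}: {name} tier {tier} not in 1-4")
    if not 1 <= outcome.weight <= 3:
        raise ValueError(f"{outcome.subcategory}: weight {outcome.weight} not in 1-3")
    return outcome


def prioritize_gaps(profile):
    """Step 6: outcomes with a gap, highest weighted gap first; ties are
    broken by Function order (ID, PR, DE, RS, RC), then by subcategory ID."""
    gaps = [validate(o) for o in profile if o.gap() > 0]
    return sorted(gaps, key=lambda o: (-o.score(),
                                       FUNCTION_ORDER[o.subcategory[:2]],
                                       o.subcategory))


def function_summary(profile):
    """Average current and target tier per Function, for the 'describe current
    posture / describe target state' conversation with stakeholders."""
    by_func = {}
    for o in profile:
        by_func.setdefault(validate(o).subcategory[:2], []).append(o)
    return {f: (mean(o.current for o in outs), mean(o.target for o in outs))
            for f, outs in by_func.items()}


# Constructed sample profile for a small retailer (illustrative values only).
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", 2, 3, 2),  # physical devices inventoried (POS, servers)
    Outcome("PR.AC-1", 1, 3, 3),  # identities and credentials managed
    Outcome("PR.DS-1", 2, 3, 3),  # data at rest protected (cardholder data)
    Outcome("DE.CM-1", 1, 3, 3),  # network monitored for events
    Outcome("RS.RP-1", 1, 2, 2),  # response plan executed during an incident
    Outcome("RC.RP-1", 2, 2, 1),  # recovery plan executed; already at target
]

if __name__ == "__main__":
    for o in prioritize_gaps(SAMPLE_PROFILE):
        print(f"{o.subcategory}: {TIERS[o.current]} -> {TIERS[o.target]} "
              f"(score {o.score()})")
    for f, (cur, tgt) in function_summary(SAMPLE_PROFILE).items():
        print(f"{f}: current {cur:.1f}, target {tgt:.1f}")
```

Run as a script it prints the ranked gap list (access control and network monitoring come out on top for the sample profile, because both are two tiers short on high-priority outcomes) followed by the per-Function averages. Replace `SAMPLE_PROFILE` with the organization's own current and target tiers and weights from step 1 to get a first-cut action plan for step 7.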
CSF – Benefits and Challenges
▪ Benefits:
– Voluntary
– Expose new risks
– Sharing, collaboration
– Layered approach
▪ Challenges:
– Not “set it and forget it”
– Requires “buy-in”
– Communicating risks
– Large, complex organizations
– Lack of quantifiable metrics
Other Cybersecurity Tools
NIST SP 800-53 (Rev. 4)
▪ Security and Privacy Controls for Federal Information Systems and Organizations
▪ 18 security control families, grouped as:
– Management/enterprise
– Operational
– Technical
▪ 8 privacy control families
NIST 800-53: Example Control
NIST 800-53: Benefits and Challenges
▪ Benefits:
– Comprehensive
– Supplemental guidance useful
– Baselines allow risk-based approach
– Supported by SP 800-53A, which provides the corresponding assessment procedures
– Cross references throughout and to other NIST SPs
▪ Challenges:
– Comprehensive! (Complex)
– Focus on Federal systems
• Private entities? State/Local government?
– Focus on information systems
• IoT devices, industrial control systems, weapons systems
NIST 800-61: Computer Security Incident Handling Guide
▪ Organizing a Computer Security Incident Response Capability
– Understanding Events and Incidents
– Incident Response Policy, Plan, Procedures
– Incident Response Team Structure
▪ Handling an Incident
– Preparation
– Detection and Analysis
– Containment, Eradication, and Recovery
– Post-Incident Activity
NIST 800-61: Benefits and Challenges
▪ Benefits:
– Easy to understand for detecting, analyzing, prioritizing, and handling incidents
– Provides checklists, scenarios, examples, recommendations
▪ Challenges:
– Less focus on establishing an incident response program
– Doesn’t provide a specific template for an Incident Response Policy or Plan
1800 Series: Cybersecurity Practice Guides
| Guide | Date | Title |
|---|---|---|
| SP 1800-1 | July 2015 | Securing Electronic Health Records on Mobile Devices |
| SP 1800-2 | August 2015 | Identity and Access Management for Electric Utilities |
| SP 1800-3 | September 2015 | Attribute Based Access Control |
| SP 1800-4 | November 2015 | Mobile Device Security: Cloud and Hybrid Builds |
| SP 1800-5 | October 2015 | IT Asset Management: Financial Services |
| SP 1800-6 | November 2016 | Domain Name Systems-Based Electronic Mail Security |
| SP 1800-7 | February 2017 | Situational Awareness for Electric Utilities |
| SP 1800-8 | May 2017 | Securing Wireless Infusion Pumps in Healthcare Delivery Organizations |
| SP 1800-9 | August 2017 | Access Rights Management for the Financial Services Sector |
| SP 1800-10 | Not yet released | Identity and Access Management |
| SP 1800-11 | September 2017 | Data Integrity: Recovering from Ransomware and Other Destructive Events |
| SP 1800-12 | September 2017 | Derived Personal Identity Verification (PIV) Credentials |