Cybersecurity: How to Protect Your Business
Source: southfloridafpa.org/wp...how-to...presentation.pdf
TRANSCRIPT

Presenter: Craig Watanabe, CSCP, Sr. Compliance Consultant, Core Compliance & Legal Services, Inc.

Agenda
- Understand how to meet regulatory expectations
- Learn how to develop an actionable cybersecurity plan
- Explore cyber protections that are practical, economical and effective

Materials
- Cybersecurity cannot be thoroughly covered in 50 minutes, so extensive materials have been provided as takeaways:
  - Detailed outline with best practices
  - Cybersecurity Readiness Assessment Tool
  - User Awareness Training memo
  - IT Vendor Due Diligence Checklist

Cybersecurity is a regulatory and business risk that affects nearly all firms. For many firms cybersecurity is their number one risk.

Understand How to Meet Regulatory Expectations
Expectations are Articulated in Regulatory Guidance
- SEC OCIE National Exam Program Risk Alert – OCIE Cybersecurity Initiative (Apr. 15, 2014)
- SEC OCIE Exam Priorities for 2015 (Jan. 3, 2015)
- SEC OCIE NEP Risk Alert – Cybersecurity Examination Sweep Summary (Feb. 3, 2015)
- FINRA Report on Cybersecurity Practices (Feb. 2015)
- SEC OCIE NEP Risk Alert – OCIE's 2015 Cybersecurity Examination Initiative (Sep. 15, 2015)

Case Study
- In the Matter of R.T. Jones Capital Equities Management, Inc., SEC Rel. No. 4204 (Sep. 22, 2015)
  - SEC states that R.T. Jones stored sensitive personally identifiable information of clients on its web server without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access
  - In July 2013, the firm's server was attacked by an unauthorized, unknown intruder who gained access to the data on the server

Case Study
- In the Matter of R.T. Jones (cont'd)
  - As a result of the attack, personally identifiable information of more than 100,000 individuals was rendered vulnerable to theft
    - Cyberattack had been launched from multiple IP addresses, all of which traced back to China
    - Could not determine the full extent of the breach because the intruder destroyed the log files
Case Study
- In the Matter of R.T. Jones (cont'd)
  - Remediation efforts
    - Provided notification of breach to individuals
    - Appointed an information security manager to oversee data security
    - Adopted a written information security policy
    - Encrypted the internal network
    - Retained a cybersecurity firm

FINDINGS: C&D, Censure, Civil Penalty of $75,000
Learn How To Develop an Actionable Cybersecurity Plan

The Five-Step Planning Model
1. Gather information to assess the current situation
2. Define and quantify objectives
3. Perform an analysis, consider alternatives, formulate the plan
4. Implement the plan
5. Periodically review and make adjustments as necessary

Cybersecurity Steps 1 & 2
- The Cybersecurity Readiness Assessment Tool
  - This tool is analogous to a financial planning data gathering checklist
  - 42 questions in 6 categories
- Vulnerability Assessment Performed by an Independent Information Security Consultant
  - The assessment will identify vulnerabilities and suggest remediation (define and quantify objectives)

Step 3: Explore Cyber Protections that are Practical, Economical and Effective

The Fortress Model of Cybersecurity
- Four components of the fortress model
  - Barriers
  - Entry/exits
  - Locks
  - Keys
The Locks (Encryption) are Very Strong
- In most endeavors the offense has the advantage over the defense, and this is especially true in cybersecurity
- However, one area where the defense has the advantage is encryption
  - Encryption is practical, economical and effective
  - The case of Apple vs. the FBI
  - Edward Snowden

Defense in Depth
- This is a military principle which prescribes multiple layers of defense
- In cybersecurity you deploy multiple layers of encryption
  - Firewall
  - Disk or file encryption
The Keys (Passwords) are the Weakest Link
- Although encryption is strong, it can be defeated by stealing the keys (the password)
- Three controls to prevent unauthorized access
  - Strong password policy
  - Utilize password managers
  - Employ two-factor authentication
Strong Password Policy
- Any 8 character password can be cracked in 15 minutes using readily available hacker tools
- A 10 character password would take several weeks to crack
- The key to password strength is length
- Teach the technique of password padding to create long passwords that are easy to remember and easy to type
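An added example, not from the presentation, that puts numbers behind the "length is the key" point above: it estimates the worst-case brute-force time for a password from its length and the character classes it uses, and shows how padding a short memorable core extends the search space. The guess rate and the sample passwords are constructed assumptions; real attackers try dictionaries and patterns before exhaustive search, so these figures are an upper bound, not a guarantee.

```python
# Password length versus brute-force effort (added example, not from the slides).
# Assumption (constructed): an offline attacker testing 10 billion guesses per
# second against a fast, unsalted hash. Slow hashes (bcrypt, scrypt, Argon2)
# cut this rate by orders of magnitude; dictionary and pattern attacks find
# weak passwords far faster than this worst-case exhaustive search.
GUESSES_PER_SECOND = 10**10


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover once they learn which classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26  # a-z
    if any(c.isupper() for c in password):
        size += 26  # A-Z
    if any(c.isdigit() for c in password):
        size += 10  # 0-9
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols and space
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Candidate passwords of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to search the full keyspace of this password's shape."""
    return keyspace(len(password), alphabet_size(password)) / rate


def human_time(seconds: float) -> str:
    """Express a duration in its largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def pad_password(core: str, pad_char: str = "!", total_length: int = 20) -> str:
    """Password padding: extend a memorable core with a repeated, easy-to-type
    symbol so the result is long; the attacker must still search the full length."""
    if len(pad_char) != 1:
        raise ValueError("pad_char must be a single character")
    return core + pad_char * max(0, total_length - len(core))


if __name__ == "__main__":
    # Constructed samples: an 8-char password, a 10-char one, and the 8-char core padded to 20
    for pw in ("Tr0ub4d!", "Tr0ub4d!3x", pad_password("Tr0ub4d!")):
        print(f"{pw:22} {len(pw):2d} chars  {human_time(seconds_to_exhaust(pw))}")
```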
Use Password Managers
- Password managers allow users to set different passwords for each site, and the user need only remember the master password
- Password managers add convenience
- LastPass and RoboForm are examples of common password managers
Two-Factor Authentication (2FA)
- A 2FA protocol requires a second form of authentication in addition to the password, such as a biometric, an answer to a challenge question or entering a security token
- This is akin to requiring each lock to be opened with two keys
- 2FA is practical, economical and effective

User Awareness Training

The Human Element of Cybersecurity
- According to the 2015 Verizon Data Breach Investigations Report, about two-thirds of all breaches entailed a compromised user
- User awareness training is a critical component of cybersecurity
- Training is most effective when delivered in the context of home computers and personal devices

User Awareness Training
- The principles of effective training apply to teaching cyber hygiene
  - Training must be relevant and engaging
  - Principles should be reinforced continually, well after the training is completed
  - Live training is the most effective, followed by webinar and self-study
Weak Controls

Intrusion Detection Monitoring
- According to a 2015 study done by Trustwave on over 600 breaches, over 80% were never discovered by the victim
- The victim was often contacted by the hacker or notified by law enforcement
- Skilled hackers are very adept at avoiding detection with even the best systems available

Vendor Due Diligence
- A significant percentage of breaches originate from a third-party vendor
- Vendor due diligence is recommended but not very effective
- Dealing with vendors that are large and well-respected reduces the downside versus a small vendor

Penetration Tests
- For small firms a vulnerability assessment is more valuable than a penetration test
- Vulnerability assessments are more comprehensive and more costly than penetration tests

Step 4 - Don't Procrastinate!
- As in financial planning, procrastination is one of the biggest reasons for failure in cybersecurity
- Develop and implement your cybersecurity plan!
Step 5 - Periodically Review
- Like financial planning, cybersecurity is not a one-time event; it is an ongoing process
- It is a best practice to perform annual vulnerability assessments
Questions?

Craig Watanabe, CFP® AIF® CSCP
Sr. Compliance Consultant
[email protected]
Core Compliance & Legal Services, Inc.
1350 Columbia Street, Suite 300
San Diego, CA 92101
Tel: (619) 278-0020
www.corecls.com