Cybersecurity:HowtoProtectYourBusiness

Presenter:CraigWatanabe,CSCPSr.ComplianceConsultantCoreCompliance&LegalServices,Inc.

Agenda

q Understandhowtomeetregulatoryexpectationsq Learnhowtodevelopanactionablecybersecurity

planq Explorecyberprotectionsthatarepractical,

economicalandeffective

2

Materialsq Cybersecuritycannotbethoroughlycoveredin50

minutessoextensivematerialshavebeenprovidedastakeawaysv Detailedoutlinewithbestpracticesv CybersecurityReadinessAssessmentToolv UserAwarenessTrainingmemov ITVendorDueDiligenceChecklist

3

Cybersecurityisaregulatoryandbusiness riskthataffectsnearlyallfirms.Formanyfirmscybersecurityistheirnumberonerisk.

4

UnderstandHowtoMeetRegulatoryExpectations

5

ExpectationsareArticulatedinRegulatoryGuidance

q SECOCIENationalExamProgramRiskAlert– OCIECybersecurityInitiative(Apr.15,2014)

q SECOCIEExamPrioritiesfor2015(Jan.3,2015)q SECOCIENEPRiskAlert– CybersecurityExamination

SweepSummary(Feb.3,2015)q FINRAReportonCybersecurityPractices(Feb.2015)q SECOCIENEPRiskAlert– OCIE’s2015Cybersecurity

ExaminationInitiative(Sep.15,2015)6

CaseStudyq IntheMatterofR.T.JonesCapitalEquities

Management,Inc.,SECRel.No.4204(Sep.22,2015)v SECstatesthatR.T.Jonesstoredsensitivepersonally

identifiableinformationofclientsonitswebserverwithoutadoptingwrittenpoliciesandproceduresregardingthesecurityandconfidentialityofthatinformationandtheprotectionofthatinformationfromanticipatedthreatsorunauthorizedaccess

v InJuly2013,thefirm’sserverwasattackedbyanunauthorized,unknownintruderwhogainedaccesstothedataontheserver

7

CaseStudyq IntheMatterofR.T.Jones(cont’d)

v Asaresultoftheattack,personallyidentifiableinformationofmorethan100,000individualswasrenderedvulnerabletotheftØ CyberattackhadbeenlaunchedfrommultipleIP

addresses,allofwhichtracedbacktoChinaØ Couldnotdeterminethefullextentofthebreach

becausetheintruderdestroyedthelogfiles

8

CaseStudyq IntheMatterofR.T.Jones(cont’d)

v RemediationeffortsØ ProvidednotificationofbreachtoindividualsØ Appointedaninformationsecuritymanagerto

overseedatasecurityØ AdoptedawritteninformationsecuritypolicyØ EncryptedtheinternalnetworkØ Retainedacybersecurityfirm

FINDINGS:C&D,Censure,CivilPenaltyof$75,000fine

9

LearnHowToDevelopanActionableCybersecurityPlan

10

TheFive-StepPlanningModel

1. Gatherinformationtoassessthecurrentsituation2. Defineandquantifyobjectives3. Performananalysis,consideralternatives,formulate

theplan4. Implementtheplan5. Periodicallyreviewandmakeadjustmentsas

necessary

11

CybersecuritySteps1&2q TheCybersecurityReadinessAssessmentTool

v Thistoolisanalogoustoafinancialplanningdatagatheringchecklist

v 42questionsin6categories

q VulnerabilityAssessmentPerformedbyanIndependentInformationSecurityConsultantv Theassessmentwillidentifyvulnerabilitiesandsuggest

remediation(defineandquantifyobjectives)12

Step3ExploreCyberProtectionsthat

arePractical,EconomicalandEffective

13

TheFortressModelofCybersecurity

q Fourcomponentsofthefortressmodelv Barriersv Entry/exitsv Locksv Keys

14

TheLocks(Encryption)areVeryStrong

q Inmostendeavorstheoffensehastheadvantageoverthedefenseandthisisespeciallytrueincybersecurity

q However,oneareawherethedefensehastheadvantageisencryptionv Encryptionispractical,economicalandeffectivev ThecaseofApplevs.theFBIv EdwardSnowden

15

DefenseinDepth

q Thisisamilitaryprinciplewhichprescribesmultiplelayersofdefense

q Incybersecurityyoudeploymultiplelayersofencryptionv Firewallv Diskorfileencryption

16

TheKeys(Passwords)aretheWeakestLink

q Althoughencryptionisstrongitcanbedefeatedbystealingthekeys(thepassword)

q Threecontrolstostrengthencontrolstopreventunauthorizedaccessv Strongpasswordpolicyv Utilizepasswordmanagersv Employtwo-factorauthentication

17

StrongPasswordPolicyq Any8characterpasswordcanbecrackedin15

minutesusingreadilyavailablehackertoolsq A10characterpasswordwouldtakeseveralweeksto

crackq Thekeytopasswordstrengthislengthq Teachthetechniqueofpasswordpaddingtocreate

longpasswordsthatareeasytorememberandeasytotype

18

UsePasswordManagersq Passwordmanagersallowuserstosetdifferent

passwordsforeachsiteandtheuserneedonlyrememberthemasterpassword

q Passwordmanagersaddconvenienceq Lastpass andRoboform areexamplesofcommon

passwordmanagers

19

Two-FactorAuthentication(2FA)q A2FAprotocolrequiresasecondformof

authenticationinadditiontothepasswordsuchasabiometric,answertoachallengequestionorenteringasecuritytoken

q Thisisakintorequiringeachlocktobeopenedwithtwokeys

q 2FAispractical,economicalandeffective

20

UserAwarenessTraining

21

TheHumanElementofCybersecurity

q Accordingtothe2015VerizonDataBreachInvestigationsReport,abouttwo-thirdsofallbreachesentailedacompromiseduser

q Userawarenesstrainingisacriticalcomponentofcybersecurity

q Trainingismosteffectivewhendeliveredinthecontextofhomecomputersandpersonaldevices

22

UserAwarenessTraining

q Theprinciplesofeffectivetrainingapplytoteachingcyberhygienev Trainingmustberelevantandengagingv Principlesshouldbereinforcedcontinuallywellafter

thetrainingiscompletedv Livetrainingisthemosteffectivefollowedbywebinar

andself-study

23

WeakControls

24

IntrusionDetectionMonitoring

q Accordingtoa2015studydonebyTrustwave onover600breaches,over80%wereneverdiscoveredbythevictim

q Thevictimwasoftencontactedbythehackerornotifiedbylawenforcement

q Skilledhackersareveryadeptatavoidingdetectionwitheventhebestsystemsavailable

25

VendorDueDiligence

q Asignificantpercentageofbreachesoriginatefromathird-partyvendor

q Vendorduediligenceisrecommendedbutnotveryeffective

q Dealingwithvendorsthatarelargeandwell-respectedreducesthedownsideversusasmallvendor

26

PenetrationTests

q Forsmallfirmsavulnerabilityassessmentismorevaluablethanapenetrationtest

q Vulnerabilityassessmentsaremorecomprehensiveandmorecostlythanpenetrationtests

27

Step4- Don’tProcrastinate!

q Asinfinancialplanning,procrastinationisoneofthebiggestreasonsforfailureincybersecurity

q Developandimplementyourcybersecurityplan!

28

Step5- PeriodicallyReview

q Likefinancialplanning,cybersecurityisnotaone-timeevent,itisanongoingprocess

q Itisabestpracticetoperformannualvulnerabilityassessments

29

Questions?

30

Craig Watanabe, CFP® AIF® CSCPSr. Compliance Consultantcraig.watanabe@corecls.com

Core Compliance & Legal Services, Inc.1350 Columbia Street, Suite 300San Diego, CA 92101Tel: (619) 278-0020www.corecls.com