Today’s Security Threats: Emerging Issues Keeping CFOs Up at Night

Understanding & Protecting Against Information Security Breaches

Chris Bucolo, PCIP, MBA

4/12/2016

Today’s Speaker

Chris Bucolo
Sr. Manager, Sikich Technology

Chris Bucolo, Senior Manager for Sikich, has over 30 years' experience in the financial technology, payments and security/compliance industries. At Sikich, he is a Senior Manager of Client Relations: Compliance and Security Services.

Prior to Sikich, Bucolo was a Senior Manager of Security Consulting for ControlScan, where he was a key part of building the security consulting group, including QSA assessments and security testing services.

Agenda
» About Us
» How Breaches Happen
» Review of Attack Vectors
    » Emerging: Ransomware, Skimmers
» Risk Mitigation
    » Cyber Security Insurance
    » Incident Response Planning
» The CFO’s Role in IT Security
» Six Questions to Ask Your IT Folks
» 2016 Data Security Outlook
» Top Ten Tips List
» Questions

About Sikich Security & Compliance
» Dedicated to information security and compliance
» Compliance audits
» Security assessments and consulting
» Penetration tests
» Vulnerability management
» Forensic investigations

About Sikich Security & Compliance
» Handle anything having to do with security or protecting data, including:
    » Credit card data (PCI DSS)
    » Patient data (HIPAA/HITECH)
    » Bank account numbers (GLBA)
    » Service provider reviews (SOC 1/2/3)
    » Federal information security standards (NIST/FISMA)
    » Intellectual property

The Latest Breach Data

Source: Verizon 2016 Breach Investigations Report

More Breach Data

Source: Verizon 2016 Breach Investigations Report

Many Impacts
» Forensic investigation to determine the cause and extent of the breach
» Remediation activities including clean up of old databases and possible migration of IT systems to third parties
» Additional IT audit scrutiny in following years
» Navigate state-by-state notification laws (AGs)
» Insurance carriers
» Credit monitoring for victims
» Brand damage repair

Breaches – Not Just for Merchants

Every morning in Africa…

Frequent Attack Vector: Malware
» Malware includes viruses, Trojans, spyware, rootkits and other malicious software
» Often delivered through phishing, “drive-by” downloads or removable media

Malware in Targeted Attacks
» The attacker has a specific organization in mind
» Spearphishing, social media, removable devices
» May include custom malware with no anti-virus signature

Malware in Opportunistic Attacks
» The attacker is trying to infect as many systems as possible
» Broad phishing attacks
» Internet scanning
» Self-propagating viruses
» Malvertising

Malware Command and Control
» The initial infection is a small “gain a foothold” program
» That program calls back to the attacker to download the malware package
    » Keylogging
    » Memory scraping
    » Network scanning and spreading
    » Anti-virus evasion and other tactics to hide its presence
» Once the malware is installed, it initiates a command-and-control channel to the attacker’s systems on the Internet

Frequent Attack Vector: Third-Party Connections

Remote Access Breach Formula

What are the Weaknesses?
» Single-factor authentication
» Weak passwords
» Password re-use
» Malware on home PCs

Frequent Attack Vector: Website Vulnerabilities

Frequent Attack Vector: Social Engineering

Email from the CFO

“Hey I’m travelling, but we need to wire $22,000 to this vendor ASAP or we’re going to lose a discount on the contract.”

» Forged emails are extremely easy to create
    » Compromise of the CFO’s work or home PC, allowing access to inbox
    » Email system security settings that don’t authenticate a sender
    » Use of a similar domain name (for example [email protected])
» Fraudsters monitor and take advantage of out-of-office
» How would your peers or staff respond?
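
Added example (not part of the original slides): a mail-gateway style check for two of the weaknesses listed above, a sender that was not authenticated and a sender domain that is a near miss of your own. The domain example.com, the flag names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def assess_sender(raw, org_domain=ORG_DOMAIN):
    """Return the reasons a payment request needs out-of-band verification."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    # A near-miss domain is registered by the sender, so it can pass SPF/DKIM/DMARC.
    if from_dom != org_domain and edit_distance(from_dom, org_domain) <= 2:
        flags.append("lookalike-domain")
    # Trust only the Authentication-Results header stamped by your own gateway.
    if "dmarc=pass" not in (msg["Authentication-Results"] or "").lower():
        flags.append("sender-not-authenticated")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (not real mail).
BODY = "Subject: Wire needed ASAP\n\nPlease wire $22,000 to this vendor today.\n"
LOOKALIKE = ("From: CFO <cfo@examp1e.com>\n"
             "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n" + BODY)
SPOOFED = ("From: CFO <cfo@example.com>\n"
           "Reply-To: cfo.office@mail.example.net\n"
           "Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n" + BODY)
GENUINE = ("From: CFO <cfo@example.com>\n"
           "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n" + BODY)

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, assess_sender(raw))
```

The lookalike message passes every authentication check because the sender owns that domain, which is why the domain comparison is a separate test.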

Step 1: Focus on Doing the Basics Well
» Anti-virus
» Patch management
» User account management
» Rights management
» Firewall/filtering configuration

A.K.A. “Do a good job configuring and managing the stuff you already own.”

Step 2: Don’t be Afraid of Mature Solutions
» Multi-factor authentication for remote access
» Automated patching
» Vulnerability scanning
» Web filtering
» Password complexity

Step 3: Reinforce the Need for Secure Behaviors
» Employee security awareness training
    » Password practices
    » Information protection
    » Social engineering
» Doing their jobs well

Step 4: Evaluate Your Environment
» Risk assessments
» Audits
» Penetration testing
    » Internal
    » External
    » Physical
    » Social engineering

What threats are you exposed to?

Risk Assessments
» Risk assessments are used to identify, estimate and prioritize risk to an organization’s operations, assets, and individuals resulting from the operation and use of information systems.

Audits
» An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations, typically against an internal or industry baseline or standard.

Penetration Testing
» Penetration testing is the practice of testing a computer system, network or application to find vulnerabilities that an attacker could exploit.

The CFO’s Role in IT Security
» Request regular reports to monitor key IT security metrics
    » Microsoft, Java, and Adobe patch coverage
    » Anti-virus coverage
    » Virus infections
    » External vulnerability scan finding counts

The CFO’s Role in IT Security
» Make certain IT vendor management is sufficient
    » Are all vendors tracked?
    » Do all have a vendor relationship manager assigned?
    » Is someone monitoring the vendor’s financial health?
    » Is someone monitoring adherence to service level agreements?
    » Is someone reviewing the vendor’s third-party audit and security testing reports?
» Educate your IT staff how to interpret a SOC report

The CFO’s Role in IT Security
» Make informed decisions on security spending
    » Did we seek out this solution based on a risk or gap we identified, or did we realize we had the problem after we saw the solution?
    » Don’t be afraid of mature solutions, especially those available from multiple vendors (Next-gen firewalls, multi-factor authentication)
    » Be a bit skeptical of emerging technologies, especially those only available from one vendor
    » Fully understand the initial and ongoing effort required of IT staff to get the full value out of new security solutions

Safe and (financially un)sound

The CFO’s Role in IT Security
» Finance is mature in its application of internal controls to prevent fraud and mistakes
» IT has these same challenges but does not have the same maturity of controls
» Use your experience to teach and promote the adoption of internal controls in IT
    » Separation of duties
    » Generation of audit trails
    » Formal documented approval processes
    » Exception reports
    » Independent reviews

Getting Started
» You don’t need to be technical to oversee that IT is doing its job well
» The following six questions can help you gauge where your IT shop stands.

Question 1
How many of our computers are not running up-to-date anti-virus?

Organizations should have a centralized automated system to deploy and manage anti-virus. No systems should be exempt. Reliable reports of anti-virus coverage levels should be regularly generated and reviewed.

Question 2
How many of our computers are not up to date on Microsoft security patches?

Organizations should have a centralized automated system to deploy Microsoft patches. Reliable reports of patch coverage levels should be regularly generated and reviewed.

Question 3
How many of our computers are running unpatched versions of Java and Adobe software?

Organizations should have a centralized automated system to deploy and manage security patches for third party software, with Java and Adobe being the most important.

Question 4
How do we keep employees from using the same password here and on other Internet sites?

Password rotation, password complexity rules and user awareness training all help reduce password re-use.

Question 5
Can people log into our internal computers or network from the Internet with just a user ID and password?

Remote access services such as VPN, remote desktops and Citrix should be protected with multi-factor authentication.

Question 6
If a virus on an internal computer was talking to a hacker’s server on the Internet, how would we know?

Secure organizations rely on web filtering, intrusion detection systems or threat prevention features of a next-generation firewall. Desktop anti-virus should not be the only protection from malware command-and-control channels.
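
Added example (not part of the original slides): one network-side answer to Question 6 is to look in firewall or web-proxy logs for an internal computer that contacts the same Internet address on a near-fixed timer. The log format, addresses and thresholds below are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(log_lines, min_events=6, max_jitter=0.10):
    """Flag (source, destination) pairs that connect on a near-fixed timer.

    Each line is "<epoch_seconds> <internal_ip> <external_ip>", a constructed
    format standing in for a firewall or web-proxy export.
    """
    seen = defaultdict(list)
    for line in log_lines:
        ts, src, dst = line.split()
        seen[(src, dst)].append(float(ts))
    hits = []
    for (src, dst), stamps in sorted(seen.items()):
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Human browsing is bursty; an automated check-in has gaps that barely vary.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return hits

# Constructed sample: one workstation checks in about every 300 s, another browses.
BEACON = [1000, 1300, 1602, 1899, 2200, 2501, 2800, 3100]
BROWSE = [1010, 1015, 1200, 2500, 2510, 2900, 3050]
SAMPLE_LOG = ([f"{t} 10.0.0.23 203.0.113.50" for t in BEACON]
              + [f"{t} 10.0.0.8 198.51.100.7" for t in BROWSE]
              + ["1500 10.0.0.8 203.0.113.9"])

if __name__ == "__main__":
    for src, dst, every in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: regular connection every ~{every}s")
```

Software updaters and monitoring agents also connect on timers, so each hit is a lead to review against known destinations rather than proof of infection.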

2016 Data Security Outlook

Based on our experience and the trends, we anticipate the top data breach issues and trends of 2016 to include the following:

» Focus on healthcare: very valuable data
» Higher education represents a treasure trove of PII
» Increase in IoT attacks: Mobile
» Smaller orgs: lowest-hanging fruit
» Social engineering/physical threats
» Chip cards will start shift to ecommerce fraud, but not quickly
» Ransom attacks: I have your data
» Hacktivism: I do not like your behavior
» Increased legislative/regulatory focus: State AG offices

Top Ten Tips List
» Start somewhere/Build on what you have
    » Risk assessment is key for PCI, HIPAA/HITECH, etc.
» Need at least 2 trusted outside advisors
    » Consulting, etc.
» Employee education/Executive education
    » Not once and done. Create security aware culture
» Develop more technical security knowledge
    » CISSP, ISA
» Identify and manage 3rd Party Service Providers!
» Develop robust incident response plan: coordinated across departments, cyber security task force
» Mitigate risks via Cyber Insurance/Breach coverage
» Know the basics on state-by-state breach notification laws and AG involvement.
» When in doubt use PCI DSS as a guide for sensitive data: most prescriptive and most often updated, reflects emerging threats
» Become a student of Data Security!

Questions?

Chris Bucolo, PCIP, [email protected]

www.sikich.com
877.403.5227 x265