TRANSCRIPT
Kyle Kuchera, VP - Sales, Zog Inc.
www.zoginc.com
You’ve Worked Hard to Gain the Trust of Your Clients and Donors,
Don’t Be Careless In How You Protect Them
Today We’re Going To Cover
• The Evolving Cyber Security Landscape
• Regulatory Environment / Your Obligations
• Recent Events Affecting Non-Profits
• Economic Impacts of Cybercrime
• Why the Non-Profit Industry is a Target
• What Non-Profits can do to Protect Themselves
• What to do when an Attack Occurs
How To Avoid Being A Sitting Duck To Cybercriminals And Protect Everything
You’ve Worked So Hard To Achieve
Ultimately We’re Going To Cover…
The Biggest Danger Is Complacency
“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.” - Andrew Grove, former CEO of Intel
A Quick Overview Of The Sophistication And Proliferation Of The Cybercrime Business
The Digital Underground’s Thriving Black Market
• Credit card details: $2 to $90
• iTunes accounts: $8
• Physical credit cards: $190
• Card cloners: $200-$300
• Fake ATMs: $35,000
• Anyone can easily buy training, tools and services for committing fraud, hacking systems, buying stolen credit cards, setting up fake websites, etc.
Ransomware
How Ransomware Works
[Diagram: two infection paths]
• EMAIL-BASED INFECTION: Email w/ Malicious Attachment → Ransomware Payload → Encryption Key / C2 Infrastructure → Files Inaccessible
• WEB-BASED INFECTION: User Clicks a Link or Malvertising → Malicious Infrastructure → Ransomware Payload → Encryption Key / C2 Infrastructure → Files Inaccessible
Emails are still popular and are getting better
TACTIC: Trick SMB into opening link or attachment
Malvertising Using Hijacked Images to Target SMBs
Your Files Are Encrypted
Malware & Dropper
Increasingly Common Step: Dropper (increasingly common option for ransomware)
1. Bad actor gets a piece of malware on your computer
2. Malware sits quietly and just phones home; not the flashy/noisy malware
3. Bad actor sells or rents ability to infect computer
   • Malware phones home
   • Installs main payload: Ransomware, Keylogger, Spambot
4. If contract ends or more capacity, install more malware
TACTIC: Malware that installs other malware
The AV-TEST Institute registers over 350,000 new malicious programs every day.
Source: https://www.av-test.org/en/statistics/malware/
Why Isn’t My Antivirus Catching This?
Getting around signatures: Crypters
Can bypass 35 AVs in under 3 minutes
Regulatory Concerns & Your Obligations
HIPAA
• HIPAA - The Health Insurance Portability and Accountability Act (HIPAA) mandates that health care organizations protect the privacy of patients’ personal information.
• Maintaining HIPAA compliance requires several key cyber security measures.
PCI / DSS
• PCI / DSS stands for “Payment Card Industry Data Security Standard.”
• This means that the Payment Card Industry has put in place certain standards which ensure any company who handles cardholder data maintains a secure environment.
• Cardholder data is defined as any sensitive data associated with the credit card account.
• This includes the primary account number, cardholder names, expiration date, and service code.
NIST
• The NIST CSF is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level.
• NIST wrote the CSF at the behest of President Obama in 2014. As cyberattacks become more complex, repelling them becomes more difficult, especially without a single cohesive strategy.
• The CSF aims to standardize practices to ensure uniform protection of all US cyber assets.
• The CSF affects anyone who makes decisions about cybersecurity in their organization, and those responsible for implementing new IT policies.
GDPR
• The European Union General Data Protection Regulation (GDPR) is a set of rules about how companies should process the personal data of data subjects.
• GDPR lays out responsibilities for organizations to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases where an organization is not complying with GDPR requirements.
• California’s CCPA has similar requirements.
Recent Events
Arc of Erie County
• 3751 records compromised
• $200,000 HIPAA Fine
• “The Arc of Erie County’s work serves our most vulnerable New Yorkers and that comes with the responsibility to protect them and their sensitive personal information,” New York Attorney General Barbara Underwood said in a news release. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”
Delaware Guidance Services
• Delaware Guidance Services Ransomware Attack Impacts 50,000
• Ransomware locked the mental health service provider out of its data servers and officials say they paid the ransom to unlock the encrypted files.
Columbia Surgical Specialists of Spokane
• Reported they paid the hackers about $14,000 during a ransomware attack so they could “immediately begin proceed unlocking the data.”
• Officials said they were concerned for patient care, as there were surgeries planned just hours after the attack.
What is the potential impact to YOUR Non-Profit?
• HIPAA Fines
– 2018 was a record year - $28.7mm in fines
• Reputation often can’t be recovered
• Costly Downtime
• Website down = Loss of Donations / Data
“But We’re Small... Nobody Would Bother To Hack Us, Right?”
Wrong!
• One in five small organizations falls victim to cybercrime each year and that number is GROWING. (Source: National Cyber Security Alliance)
• Small organizations are low-hanging fruit because they don’t believe they are a target, and therefore have very loose or no security systems and protocols in place.
• Half of all cyber-attacks are aimed at SMBs and non profit organizations. (Source: Forbes Article, “5 Ways Small Businesses Can Protect Against Cybercrime”)
Why the Non-Profit segment has been and remains a target
• Tons of Personal Data
– Credit Card Records
– EMR / EHR
• Free software / inexpensive hosting
• Limited IT expertise
• Frequent use of volunteers
• Limited budget for security
So How Do Non-Profits Protect Themselves?
Reducing Security Risks
Security is About Managing Risk Through Layers
[Diagram: layered defenses, covering both on-network and off-network/roaming devices]
• Email security
• Endpoint antivirus
• Firewall
• Filtering Services
• Training and policy
Recommendations
• Employee Education
• Anti-Virus
• Filtering (Email, Content, Spam, DNS)
• Firewall
• SIEM Tools
• Vulnerability Testing
• Patching
• Backup and Recovery
• Local Drive Encryption
• Mobile device policy & security policies
• Multi-Factor Authentication
• Password Policies
• Device Lockout Policies
• Onboarding / Offboarding Policies
3 Steps To Protecting Your Organization:
Step 1: Threat Assessment
What’s lacking in your security right now? How are employees using your company-owned devices? What third-party cloud apps are you using? Are your systems truly backed up? Where are you exposed to risk? Whose job is it to make sure your network is protected, and how do you know if they’re doing their job?
Step 2: Action Plan
Based on what’s discovered, what do we need to do to ensure our systems, data and operations are secure from theft, compromise, corruption, etc.?
Step 3: Ongoing Maintenance
You definitely don’t want to take a “set-it-and-forget-it” approach to security – your attackers won’t!
What to do in the event of an attack?
• Disconnect affected device from network
• Implement your Incident Response Plan
• Notify your security officer
• Assess the damage and severity