CYBER SECURITY WORKSHOP NOVEMBER 2, Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services

Transcription

1 0 CYBER SECURITY WORKSHOP NOVEMBER 2, 2016 Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services

2 VIDEO: CAN IT HAPPEN TO ME? 1

3 2 AGENDA CYBERSECURITY WHY SUCH A BIG DEAL?

4 INFORMATION IS THE NEW OIL! 3 Companies are collecting and storing large amounts of data on a regular basis. This data may include information about employees, customers, intellectual property/trade secrets and business operations. This data has value to the companies producing/collecting it, to their competitors and to unknown third parties.

5 BREACH STATISTICS 4

6 BREACH STATISTICS 5 Source: BreachLevelIndex.com Source: BreachLevelIndex.com

7 NEWS WORTHY DATA BREACHES 6

8 NEWS WORTHY DATA BREACHES 7

9 NEWS WORTHY DATA BREACHES 8

10 NEWS WORTHY DATA BREACHES 9

11 NEWS WORTHY DATA BREACHES 10

12 COST OF BREACHES 11 Source: BreachLevelIndex.com

13 SMALL & MEDIUM BUSINESS MYTH 12 I am too insignificant to attract the interest of cyber criminals!!

14 SMALL & MEDIUM BUSINESS MYTH 13 It is the data that makes a business attractive, not the size especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property

15 SMB AN ATTRACTIVE TARGET.. WHY? 14 Lack of time, budget and expertise No dedicated IT security specialist Lack of risk awareness Lack of employee training Failure to keep security defenses up Outsourcing security to unqualified contractors

16 SMB AN ATTRACTIVE TARGET.. WHY? 15 Automation allows modern cyber criminals to mass produce attacks with little investment! It s easier to rob a house than a museum

17 IMPACT OF BREACHES - SMB 16 Direct costs.. Just the tip of the Iceberg!

18 COSTS HIDDEN UNDERWATER 17 Litigation Costs Costs of investigation Rebuild or replacement of Network Damage to your reputation Public relations costs Increase in Insurance premiums Increase in borrowing cost

19 18 AGENDA HOW TO DEAL WITH CYBER RISKS?

20 FRAMEWORK LANDSCAPE 19 The different Cybersecurity Frameworks ISO COBIT NIST SP 800 Series PCI DSS ITIL & ISO ISO & BS NFPA 1600 ISO 27032, etc.

21 NIST CYBERSECURITY FRAMEWORK In 2014, the National Institute of Standards and Technology (NIST) released the comprehensive NIST Cybersecurity Framework. This NIST Framework: Allows organizations regardless of size, degree of cyber risk or cybersecurity sophistication to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.

22 FOCUS: 5 FUNCTIONAL AREAS 21 WHAT ASSETS NEED PROTECTION? IDENTIFY Cyber Risk Assessment Systems Data

23 FOCUS: 5 FUNCTIONAL AREAS 22 WHAT SAFEGUARDS ARE AVAILABLE? IDENTIFY PROTECT Security Training Access & Network Security Encryption & Backup

24 FOCUS: 5 FUNCTIONAL AREAS 23 WHAT TECHNIQUES CAN DETECT INCIDENTS? Monitoring tools IDENTIFY PROTECT DETECT Security Monitoring services Look for visible signs

25 FOCUS: 5 FUNCTIONAL AREAS 24 WHAT TECHNIQUES CAN CONTAIN IMPACT OF INCIDENTS? IDENTIFY PROTECT DETECT RESPOND Quarantine Breach Response Plan Perform Forensic

26 FOCUS: 5 FUNCTIONAL AREAS WHAT TECHNIQUES CAN RESTORE CAPABILITIES? 25 IDENTIFY PROTECT DETECT RESPOND RECOVER

27 FOCUS: 5 FUNCTIONAL AREAS 26 IDENTIFY PROTECT DETECT RESPOND RECOVER CYBERSECURITY

28 NIST CYBERSECURITY ASSESSMENT 27 INDENTIFY (ID) RECOVER (RC) PROTECT (PR) RESPOND (RS) DETECT (DE)

29 28 AGENDA REGULATORY ENVIRONMENT

30 REGULATIONS HEALTHCARE SECTOR 29 HIPAA Compliance HHS Clarification on Ransomware Ransomware Security Incidence Demonstrate low probability of compromise Was ephi encrypted by ransomware? Yes! BREACH HAS OCCURED Incidence Response & Reporting Proc. BREACH notification provisions

31 NY STATE DEPT. OF FINANCIAL SERVICES NYCRR 500

32 CURRENT STATUS OF THIS REGULATION? 31 Proposed Regulation as of Sep 28, day public comment period. In each of the last 3 years: < 1000 Customers & < $5 million in gross revenue & < $10 million in total assets If finalized, effective from Jan 1, days from 1/1/17 to comply. Certification of Compliance Jan 15, 2018 Limited exemptions WAIT & WATCH NOT A PRUDENT STRATEGY!!

33 THANK YOU 32 PRINCIPAL