Cyber Security Updates and Trends Affecting the Real Estate Industry

Transcription

1 Cyber Security Updates and Trends Affecting the Real Estate Industry

2 What, Why, and How? Agenda Cyber Security Today Changes to Security Standards and Trends Protecting Yourself and Your Organization Takeways 2

3 Introductions David Hendrickson Cyber Security Manager Micah Wenz IT Risk Services Manager 3

4 Cyber Security Today The Why 4

5 5

6 Cyber Attacks Path of Attack Services in the Cloud i Employees Web App Firewall Remote Access Customers / Clients 3 rd Parties 6

7 Cyber Attacks Anatomy of a Breach Discovery Capture Web App Firewall Remote Access Internal Attacks Exfiltration 9

8 Breach Snapshot Malicious Actors in a Breach Organized Criminal Groups 51% Involved Partners Multiple Parties 2% 3% State-Affiliated Actors Internal Actors 18% 25% Outsiders 75% 0% 10% 20% 30% 40% 50% 60% 70% 80% Verizon Enterprise 2017 Data Breach Investigations Report (4/27/2017) 8

9 Breach Snapshot Tactics Used in a Breach Physical Actions Privilege Misuse Errors 8% 14% 14% Social Attacks 43% Stolen/Weak Passwords 81% Malware 51% Hacking 62% 0% 20% 40% 60% 80% 100% Verizon Enterprise 2017 Data Breach Investigations Report (4/27/2017) 9

10 Big 3 Issues Now Security Hygiene Assess Third Parties Operate Design Implement People 10

11 High Profile Breaches from the Big 3 Fraud & Extortion Intelligence Gathering Massively Successful 11

12 And of course. Equifax data breach affects 143 million consumers Handling of breach called a dumpster fire Stock is already down 36% from high Separate breach in March was just disclosed Lawsuits are on the way This will likely be the most costly breach in U.S. history 12

13 Changes to Security Standards and Trends Part of the How 13

14 General Information Discussion: Why this matters to your business Every major standard update is now including: Supply Chain Security Emphasis/Focus on Multi-Factor Authentication Standards changes are migrating from: U.S. Government Critical Infrastructure Highly Regulated All organizations 14

15 Real Estate Concerns and Considerations 15

16 The Real Estate Industry is a Current Target Primary Target: $$ Re-directing payments Fake bills and invoices Theft of Tenant financial information Secondary Targets: Personal Information Sensitive/Confidential Information Control of Systems and Devices Access to Additional Locations 16

17 Example FBI Reports: $19 Million diverted from real estate purchases in 2016 using (phishing) techniques As of Jan 2017, one Memphis real estate company had lost at least $2.2 Million and was targeted on a daily basis for additional fraud. Targets of the Attacks Include: 17 Real Estate Agents Real Estate Companies Closing and Title Companies Tenants

18 Understand Your Current Exposure Assessing Security and Risk 18

19 Risk and Security Assessments Understand the current posture Prepare the environment Consider the following assessments: Enterprise Risk Assessment IT/Cyber Risk Assessment Data Classification Compliance (as needed) Technical Assessments Readiness Assessments 19

20 Understand Our Environment Data Flow Our Environment File Storage Service Provider On Premise Systems Service Provider and Workflow Service Provider Portals & Documents Direct management Third Party Management 33

21 Understand Our Environment Risk 34

22 Design Better Security Resources & Capabilities People Process Technology Assess Drivers & Requirements Confidentiality Integrity Availability Cyber Security Program 35

23 Basic Cybersecurity No need to be a technical guru to be able to implement basic cybersecurity practice. Topics to be knowledgeable on: Phishing s USB practices Internet browsing Password security 23

24 Phishing s 24

25 Phishing s 25

26 USB Good Practice USB devices can be utilized to migrate malware onto the target computer. Do not accept or use USBs from strangers. Disable USB ports on computers. 26

27 Internet Browsing Beware URLs and links that contain typos. HTTP vs HTTPS 27

28 Password Security Do not reuse passwords across websites. Use a combination of letters, symbols, and numbers in your password. The longer the password, the more difficult it is for a hacker to crack it. Don t store passwords in plain text files or on your desk. Encrypted, centralized location for passwords. 28

29 What we can do People Training DON T CLICK! Culture Reporting & Response Technical Controls designed in to the process Internal Controls use your people & processes 29 I may have clicked on something. Use the capabilities included in your technology. Processes designed to support proper controls and approvals.

30 Key Takeaways & Action Items Get Started! Perform initial cyber risk assessment Define what is important and why Define how you want to proceed Design and Build Your Program Perform ongoing assessments to support needs 30

31 Questions? 31

32 Contact Information RubinBrown Denver office David Hendrickson Micah Wenz