Staying Safe in Cyber-Space A Business and Personal Guide

Transcription

1 Staying Safe in Cyber-Space A Business and Personal Guide February 2017 Stan Stahl, Ph.D. President, Citadel Information Group President, Secure the Village Copyright Citadel Information Group. All Rights Reserved.

2

3 How Many of Your People Would Click the Link in the Above ? How Strong Are Your Defenses When They Do?

4 4 Online Financial Fraud: Business Compromise Deceives Controller From: Your Vendor, Stan Sent: Sunday, December 28, :07 PM To: Bill Hopkins, Controller Subject: Change of Bank Account Hi Bill Just an alert to let you know we ve changed banks. Please use the following from now on in wiring our payments. RTN: Account: I m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter. Great thanks. Cheers - Stan The secret of success is honesty and fair-dealing. If you can fake that, you ve got it made... Groucho Marx

5 Known Los Angeles BEC Losses: $14 Million / Month

6 6 Your Money or Your Data: Ransomware Viruses Reach Epidemic Proportions Hollywood Presbyterian Medical Center paid $17,000 to ransomware hackers

7 7 Epidemic of Credit Card Theft Medical Records Theft Personnel Records Theft

8 8 Organizations Attacked for Political and Social Reasons

9 9 What It All Means: Brian Krebs s Five Immutable Truths About Data Breaches 1. If you connect it to the Internet, someone will try to hack it. 2. If what you put on the Internet has value, someone will invest time and effort to steal it. 3. Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it. 4. The price he secures for it will almost certainly be a tiny slice of its true worth to the victim. 5. Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.

10 10 Data Breach Costs Expensive. Money Down the Drain. Approximately upwards of $150 Per Compromised Record $4 Million Per Event Investigative Costs Breach Disclosure Costs Legal Fees Identity Theft Monitoring Lawsuits Customers Shareholders

11 11 More than 1/3 of Victims Suffer Revenue Losses of More than 20%

12 12 Cybercrime s Greatest Impact is on Small & Medium Sized Organizations 30% of victims have fewer than 250 employees 60% of smallbusiness victims are out of business within 6 months

13 13 To warn of an evil is justified only if, along with the warning, there is a way of escape. Cicero, On Divination

14 14 What s Next Five Cybersecurity Tactics for Everyone Seven Cybersecurity Strategies for Your Organization Securing The Village Critical Infrastructure Discussion

15 Citadel s Three Defense Truths No matter how much money you spend, you will not be able to 100% protect your assets. 2. Small & mid-market businesses can get significant protection without spending a ton of money. * 3. You get your greatest bang-for-the-buck through formal risk management, leadership, and culture change. * Except when needing to defend themselves against a nation-state attack or from a group specifically targeting that organization

16 16 Verizon Data Breach Report: 80% of Breaches Preventable with Basic Security Analysis of 64,199 incidents and 2,260 breaches

17 17 Five Cybersecurity Tactics Distrust and caution are the parents of security. Benjamin Franklin

18 18 Tactic 1: Pay Attention. FREE Award-Winning Cybersecurity News of the Week. Delivered to your in-box Every Sunday Afternoon Sign-up at Citadel-Information.com If you do not know your enemies nor yourself, you will be imperiled in every single battle.

19 Tactic 2: Know with Whom You re Communicating 19 Phishing Legitimacy Friend requests Web-sites Ads

20 20 Tactic 3: Make Yourself Hard to Impersonate Passwords 2 nd -Factor Authentication Long Complex Unique Different Passwords for Different Accounts Bank / Credit Card password = Yahoo password? Password Manager Roboform Keepass LastPass

21 Tactic 4: Defend Aggressively 21 Use anti-malware Encrypt laptops, smart-devices and external hard drives Keep programs up-todate Diligently Install Updates

22 Verizon Data Breach Report Demonstrates Importance of Patching 80% of breaches preventable with basic security Cybercriminals Exploit Old Vulnerabilities That Users Have Not Patched

23 23 FREE Weekend Vulnerability and Patch Report. Delivered to your in-box Every Sunday Afternoon Sign-up at Citadel- Information.com

24 Tactic 5: Be Prepared. 24 Off-line Backups Test Restore Credit Card Monitoring Credit Freeze Monitor Medical

25 25 IdentityTheft.gov For Identity Theft Victims

26 Summary: Five Cybersecurity Tactics 26 Tactic 1: Pay Attention Tactic 2: Know Who You re Communicating With Tactic 3: Make Yourself Hard to Impersonate Tactic 4: Defend Aggressively Tactic 5: Be Prepared

27 27 Seven Organizational Strategies Distrust and caution are the parents of security. Benjamin Franklin

28 28 Strategy 1: Put Someone in Charge. Establish Leadership. Information Security Manager / Chief Information Security Officer C-Suite and Board Governance Independent Perspective from CIO or Technology Director Supported by Cross- FunctionalSteering Committee; Leadership Team Supported with Subject- Matter Expertise Compliance is asking you to put a lock on the door. Security is making sure you lock it every day. Bob Russo, PCI Security Standards Council

29 Manage to an Established Framework 29 Framework for Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology Version 1.0 February 2014 Version 1.1 [Draft] January 2017

30 30 Strategy 2: Implement Risk-Driven Information Security Policies & Standards Establish Commitment Establish Standards and Provide Guidance Users Managers IT Staff Required for HIPAA and other information security laws / regulations Aspirational Perfection is not attainable, but if we chase perfection we can catch excellence. Vince Lombardi

31 31 Strategy 3: Identify, Document and Control Sensitive Information Online Banking Credentials Credit cards Employee Health Information Salaries Trade Secrets Intellectual Property Customer Information Access to Sensitive Information Based on Need-to-Know Servers Desktops Cloud Home PCs BYOD devices

32 Strategy 4: Train and Educate Personnel 32 From: Facebook Sent: Saturday, July 23, :32 PM To: Kathrine Hepburn Subject: See Your Friends at 20 th High School Reunion Facebook Hi Kate Mark your calendar. June 18 is the 20th Anniversary of our graduation from Algonquin High. Visit Our Facebook Page for More Information. Visit Page See All Requests

33 33 Strategy 5: Manage Vendor Security

34 34 Strategy 6: Manage IT Infrastructure from Information Security Point of View IT Infrastructure Security Architecture Device configuration Network & end-point protection Vulnerability & patch management Mobile devices Cloud security Web-site Security Spam Management Logging & Review Back ups. Incident Response. Business Continuity Encryption Access Management Documentation Training & Education

35 35 Strategy 7: Be Prepared. Incident Response & Business Continuity Planning. In preparing for battle I have always found that plans are useless, but planning is indispensable. General Dwight Eisenhower Failing to Plan is Planning to Fail

36 36 Summary: Seven Key Information Security Management Strategies Strategy 1: Put Someone in Charge. Establish Leadership. Strategy 2: Implement Formal Risk-Driven Information Security Policies and Standards Strategy 3: Identify, Document and Control Sensitive Information Strategy 4: Train and Educate Personnel. Change Culture. Strategy 5: Manage Vendor Security Strategy 6: Manage IT Infrastructure from Information Security Point Of View Strategy 7: Be Prepared. Incident Response and Business Continuity Planning.

37 37 Getting Started It is always your next move. Napoleon Hill

38 A Roadmap for Getting Started 38 Put Someone in Charge Establish Policies & Standards Train Staff Review IT Network Management Compliance with Security Standards Conduct IT Network Vulnerability Scan Develop Strategy. Plan the Work. Work the Plan.

39 Protecting Critical Infrastructure Securing the Village Critical infrastructure is defined as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Water and Wastewater Systems Sector

40 40 October 21, 2016 The Day the Internet Disappeared

41 41 December 2016 Electrical Power Outage in Ukraine

42 Cyberattack of Water Treatment Plant Management believed there was no evidence of unauthorized access Verizon Security Solutions Findings Hackers had infiltrated plant and changed chemical levels four times Internet-facing payments system directly connected to SCADA systems Several outdated systems, known critical vulnerabilities, and missing patches Administrative passwords in cleartext IT team had seen unexplained pattern of valve and duct movements over the previous 60 days which they did not act on

43 43 February 2017 SCADA Security Woes Linger On

44 44 Learn from the mistakes of others. You can never live long enough to make them all yourself Groucho Marx

45 The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

46 46 InfraGard: The FBI s Public/Private Partnership

47 47 Water ISAC: Information Sharing and Analysis Center

48 48 SecureTheVillage: Providing Executives and Boards with Needed Knowledge and Relationships

49 49 In Conclusion

50 50 The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It s not good enough to go to your CIO and say are we good to go. You ve got to be able to ask questions and understand the answers. Major Gen Brett Williams, U.S. Air Force (Ret) This Week with George Stephanopoulos, December 2014

51 Information Security Proactively Managed Commercially Reasonable Information Security Practices Security is Lower Proactively Total Managed Cost of Information Security SM ation Security Standard Support of Care Public Interest

52 The pessimist complains about the wind. The optimist expects it to change. The realist adjusts the sails. William Arthur Ward

53 For More Information 53 Stan Stahl LinkedIn: Stan Stahl Citadel Information Group: citadel-information.com Information Security Resource Library Free: Cyber Security News of the Week Free: Weekend Vulnerability and Patch Report SecureTheVillage: SecureTheVillage.org Information Security Resource Library Join the Community Attend a Cybersecurity Roundtable

54 Staying Safe in Cyber-Space A Business and Personal Guide Stan Stahl, Ph.D. President, Citadel Information Group President, Secure the Village Copyright Citadel Information Group. All Rights Reserved.