Cybersecurity Fundamentals Paul Jones CIO Clerk & Comptroller Palm Beach County CISSP, ITIL Expert, Security+, Project+

Transcription

1 Cybersecurity Fundamentals Paul Jones CIO Clerk & Comptroller Palm Beach County CISSP, ITIL Expert, Security+, Project+

2 NOT SO LONG AGO 1981

3 IS IT FUNNY OR WHAT?

4 THE BALANCING ACT Ease of Use Maintenance Speed to Delivery Cost Cutting Simplicity Get-R-Done Security Projects Quality Availability Functionality Customer Service 4

5 THE UNBALANCED BALANCING ACT 5

6 THE CHALLENGE Day to Day Operations Research/Development Security Project Management Maintenance/Support Installations Communications Life Cycle Management Testing Analysis/Consultation Fire Fighting wwwmypalmbeachclerk.com

7 EMPATHY The Clerk The Directors Security State Initiatives Fiscal Responsibilities Politics Legal Concerns Budgets Finance Operations IT Justice Partners Citizens Security Day to Day Ops Employee Relations Staff Development Process Analysis Budgets Statutes/Rules Communications Customer Service Training Fire Fighting wwwmypalmbeachclerk.com

8 Hackers WHO ARE THE CULPRITS? Hacktivist Insiders (customers or employee) Pranksters Organized crime Competitors Thrill seekers Revenge seekers Anybody/Anywhere 6

9 9 ATTACKS Malware / Viruses Breaches Leakage Insider threats Bots/Botnets Denial of Service Vendor Mistakes Ransomware Social Engineering

10 Data WHY US? WE HAVE WHAT THEY WANT!! Data Data Data Data 10

11 THE VALUE OF STOLEN INFORMATION & THE COST OF A BREACH Record Type Estimated Underground Value pre record (McAfee and World Privacy Forum) Financial Account $14-$25 Credit/Debit Card $4-$5 Medical Account Data $0.03-$2.42 Full Medical Record with $50 supporting documents Record Type Estimated Breach Cost Per Record (Ponemon Institute 2016 Report) Health $355 Education $246 Financial $221 11

12 THE DARK SIDE 12

13 SHOPPING MADE EASY!!! 13

14 SHOPPING MADE EASY!!! 14

15 SHOPPING MADE EASY!!! 15

16 MISCONCEPTION SECURITY IS AN IT THING A new study reveals the more than 8 out of 10 (88%) companies surveyed admit their organization experienced a significant security event in the last twelve months with as many a 73% of the companies indicating that the cause was insiders (The Norris Corporation) Internal disclosures Disgruntled employee Social engineering scams Phishing scams Human errors Human naivety

17 SOCIAL ENGINEERING You could spend a fortune purchasing technology and services and your network infrastructure could still remain vulnerable to old-fashion manipulation. -Kevin Mitnick 17

18 SOCIAL ENGINEERING ATTACKS 1. Pretexting Creating a fake scenario 1. Phishing Send out bait to fool victims into giving away their information 2. Fake Websites Molded to look like the real thing. Log in with real credentials that are now compromised 3. Fake Pop-up Pops up in front of real web site to obtain user credentials 18

19 They sounded so legitimate SOCIAL ENGINEERING Hello John, this is Bill from IT (Microsoft) and I am updating your computer right now but I need your password to install these new much-improved applications for you. You are going to love these new features!!! 11

20 SECURITY AWARENESS Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational assets of that organization. 4

21 CREATING A CULTURE OF SECURITY AWARENESS Annual security awareness training (must have) Monthly security tips Sending social engineering examples Send alerts and attack notifications Test users by going phishing Establish peer groups The See it Say it Program Do reward and recognition 21

22 IT S NOT A MATTER OF IF!! IT S A MATTER OF WHEN!! 1,093 breaches were reported in 2016, a 40% increase from Bloomberg Reports: 80% of the top 100 US Law firms have had a breach Office of Texas Attorney General 6,500,000 records o Access mistakenly given out Washington State Court System - 160,000 records o Hackers exploiting old version of software Phishing attacks targeting W-2 Data hit 41 organizations 22

23 IT S NOT A MATTER OF IF!! IT S A MATTER OF WHEN!! Northwest Florida Police Department o Ransomware Hit Leon County s government website o Hacked with a defacement of the site Florida counties that use Nuance o Petya attack causes major redaction issues University of Central Florida o 63,000 records Florida Department of Juvenile Justice o 100,000 records Department of Health, Palm Beach County o 1000 records Pinellas County Board of Commissioners o 1800 records Florida Department of Health o 1076 records Town of Palm Beach o Ransomware hit 23

24 RANSOMWARE BREACHES 24

25 REDUCING LIABILITY THE OFFENSIVE STRATEGY Due Diligence is the act of continually investigating and understanding the risks and vulnerabilities the organization faces. Due Care is implementing security policies, procedures, standards and countermeasures to provide protection from those threats. If an organization does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence (Harris, 2010, p. 110) CYO Cover Your Organization 25

26 THREE Balanced Security TIERS Strategy Plans Policies Processes Procedures Standards Guidelines Administrative Compliance Governance Oversite Due Diligence Due Care Audits Awareness Documentation Response Technical Physical Technical Considerations and Infrastructure 26

27 THE ADMINISTRATIVE TIER Must Haves: Data Classification Risk Assessment, Prioritization & Management Organizational Structure & Governance DEFINES Due Care & Due Diligence Roles, Responsibility & Accountability Audit Processes & Requirements Strategic Plan Policies and Procedures General Security o Organization Governance o Risk Assessment o HW & SW Asset Control o Human Resources o Data Centers o Access (all including 3 rd party) o Data and Resource Ownership o Incident Management o Physical Security Acceptable Use Incident Response Plan 27

28 THE COMPLIANCE / GOVERNANCE TIER Best Practices: Verify, validate, monitor and mitigate Don t just collect data use it If you see something do something If you know, you must act Audit and Respond If it isn t documented it isn t real Ensure legal compliance Implement the policy Defined part of every procedure Patching and updates Direction Prioritization Oversight GOVERNANCE 28

29 THE TECHNICAL / PHYSICAL TIER The basis of any good security program is the technical infrastructure; and clearly, if this tier is not strong the entire security program will be vulnerable. A solid platform for protection, prevention, and reporting must be in place at the core of a three-tiered security program. 29

30 30 ML 0 - Incomplete Practices in a particular domain are not being performed, as measured by responses to the relevant practice questions in the CRR. ML Maturity Level ML 1 Performed ML 2 Planned ML 3 Managed ML 4 Measured ML 5 - Defined All Practices in a particular domain are being performed as measured by responses to the relevant practice questions in the CRR. MIL-1 means that there is sufficient and substantial support for the existence of the practices. ML2 includes ML1 and is established by the organization (i.e., the practice is documented and communicated to all who need to know); All practices are performed, planned and have a basic infrastructure in place to support the process: Governed by the organization (i.e., the practice is supported by policy, and there is appropriate oversight over the performance of the practice); All practices are not only performed, planned, and managed, but are also: Periodically evaluated for effectiveness (i.e., the practice is periodically reviewed to ensure that it is effective and producing intended results); ML-5, a process or practice is: Defined by the organization and tailored by organizational units for their use (i.e., there is an organization-sponsored definition of the practice from which organizational units can derive practices that fit their unique operating circumstances);

31 31 ORGANIZATIONAL BEST PRACTICES Establish strong senior leader buy-in (make security important) Communicate and educate at all levels Create a culture of security awareness Develop robust governance (what you permit you promote) Incorporate change management Integrate all three tiers (technical, Admin, Compliance) Trust but verify (external audits) Be prepared(incident response plan) Demand continual improvement Reward and recognize

32 IT S A NUMBERS GAME If we only have so much time and resources, where and how we focus our efforts is the key!! wwwmypalmbeachclerk.com

33 QUESTIONS? 33