Bar The Gates: Cyber Threat. Wednesday, August 12, 2015: ISACA Geek Week

Transcription

1 Bar The Gates: Cyber Threat Wednesday, August 12, 2015: ISACA Geek Week

2 Speaker Introductions Kimberley Mobley, CPA, CISA Partner Jill Cleaveland, CISA Senior Manager Greg Daniel, CISA, CRMA Manager 2

3 Planned Topics Breach Examples Baseline of Management and Organization Knowledge Legal Environment Small and Mid-Sized Company Response CISO perspective Training & awareness Limit exposure 3 3

4 4 Breach Examples

5 Baseline of Executive Management and Board Member Knowledge on Cyber Environment What is the level of organizational knowledge? Has training been provided to employees or regular updates provided to Executive Management and Board Members? Do you know your vulnerability or threat risk areas? Mobile? Wireless? at rest, processing, transmission, and deletion? Has Internal Audit adjusted IT general controls reviews to include procedures around Cybersecurity Principles or recovery/ continuity plans? How is security governance managed, budgeted, communicated? What is your incident categorization and protocol? 5 5

6 6 What is PII and Legal Environment

7 Our environment is changing, and our privacy policies and procedures need to keep pace. There is an increasing expectation from consumers, employees, stakeholders and courts that personal data be appropriately protected. 7

8 What is Personally Identifiable Information (PII) Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Stand Alone Social Security Number Drivers License or State ID # Passport # Alien Registration Number Financial Account Number, Credit Card Number Biometric Identifiers Linked or Linkable Medical, Education, and Employment Information Mother s Maiden Name Citizenship or Immigration Status Account Passwords Last 4 digits of SSN Date of Birth Criminal History 8

9 Example Regulations Regulation Gramm-Leach-Bliley Financial Modernization Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) The Health Information Technology for Economic and Clinical Health (HITECH) Act Sarbanes-Oxley Act of 2002 (SOX) Key Points Federal mandate to protect financial information. Required federal financial agencies and state insurance regulators to establish standards for consumer privacy protection by the institutions they oversee. Sets out guidelines for handling data that contains medical information about individuals created by a covered entity. Publicly traded companies must implement and maintain internal controls for the protection of corporate financial information. 9

10 Resulting Standards Standards NAIC/s Standards for Safeguarding Customer Information Model Regulation Key Points Standards insurance entities must meet to comply with GLBA s information security provisions. Insurance licensees must establish a comprehensive, written information security program that includes administrative, technical, and physical safeguards for protection of confidential data appropriate to the size and complexity of the licensee and the nature and scope of its activities. Payment Card Industry (PCI) Security Standards of 2005 NIST Cybersecurity Framework Issued by MasterCard and Visa to protect credit card data. Audit Programs and Guiding Principles 10

11 Cost of a Breach 2014 Cost of Breach Study: United States Ponemon Institute, May 2014 Cost of a data breach have increased: Cost per lost or stolen record = $201 Total average cost paid by organizations = $5.9 million Average rate of customer churn increase by 15% Cause of breaches: - 44% caused by malicious or criminal attack - 31% caused by employee negligence - 25% caused by system glitches Strong data security posture to prevent incident reduced cost by as much as $21 per record. 11

12 Legal Environment Target, TJX, Sony, ebay, Michaels Stores,Home Depot, JP Morgan Chase, Anthem, etc. AvMed Settlement Class Action Lawsuit result of data breach in 2009 two laptops were stolen that held unencrypted personal and health data of more than 1 million AvMed members and their dependents. $3 million settlement Financial redress for people who didn t actually experience identify theft. Separate claims may be filed by people that were victims of identify theft as a result of the breach. 12

13 Small and Mid-sized company response CISO Perspective Training & awareness Reduce Exposure 13

14 In the battle to keep your personal information private, it s not just hackers you have to worry about but lax security and stupidity. Martyn Williams, The 5 biggest data breaches of 2014 (so far) 14

15 15 Weakest links and assets

16 The Human Element People are often the businesses weakest link but are also the best defense against cyber threats. Phishing, social engineering, spear phishing and watering hole attacks are all tactics that cyber criminals use to gain a foothold in your environment. They target people, not systems to gain access. 16

17 Social Engineering Tactic that is used within Phishing and Spear Phishing schemes Expertly crafted context and content that goes far beyond the old spam tactics. Targeted attacks look for public info of targets (social media, press releases, public documents etc.) to craft and exploit human willingness to trust and communicate with others 17

18 Let s go Phishing What are these terms? Phish (verb) To attempt to obtain sensitive or confidential information from an individual via the internet by impersonating a legitimate organization with the intent to exploit that information for financial or personal gain. Phishing operations usually cast a wide net with no specific target in mind. These generally target consumers but some cast a wide net among businesses as well. Examples: Fake telephone bill, IRS communication, BBB complaint 18

19 Spear Phishing Spear Phishing Targeted phishing campaigns that seek information that is held by a company or companies These attacks are much more involved and often perpetrated by crime syndicates or government actors Research done on company and its vendors. Often Vendors are the way in to target companies and government agencies (White House State Dept.) Crafting of messages to look legitimate, from individuals within the company or vendor, with correct context. Often targets are the beach heads to further infiltrate environments. 19

20 Watering Hole attacks These types of attacks, while rare, target specific industries and are on the rise. These attacks compromise a legitimate website to gain access to targeted individuals computers. Often these websites are industry specific but sometimes attackers are opportunistic in their site selection Forbs.com Defense contractors VOHO Fin Serv. And Government 20

21 Prevention Employee education is critical to a strong security program. Culture of security from top down is a way to breed engagement by employees. Train once is not an option, consistent training programs are key. Gamification Getting employees to care a breech at the company puts the employee s own personal privacy at risk 76% less is spent on security events when employees are trained yet 54% do not provide security training for new hires 1 21

22 Security Frameworks o ISO/IEC 27001:2013 o COBIT o ITIL o NIST - Cybersecurity Framework o HITRUST CSF o SoGP o COSO 22

23 Process Overview Inventory Training & Education Monitor Classification Guide Classify User Awareness Programs Remediate Assess Security 23

24 Creating awareness Policies and procedures Comprehensive policies and procedures for handling PII Foundational privacy principles and objectives Privacy rules of behavior Proper handling of PII Consequences for failure to comply Awareness, training and education Designed to change behavior or reinforce desired PII practices Focus attention on the protection of PII Use of attention-grabbing techniques New scams breaches Self-remediation User Awareness Programs Training & Education 24

25 Process Overview Inventory Training & Education Monitor Classification Guide Classify User Awareness Programs Remediate Assess Security 25

26 classification guide A risk-based approach to determine what data must be protected Foundation for identification, classification and remediation of PII Defines how data and systems will be addressed at each classification level Example Classification Categories Highly Sensitive Sensitive Internal Public Classification Guide In addition to data confidentiality, the classification can include broader considerations - data integrity and data availability 26

27 Process Overview Inventory Training & Education Monitor Classification Guide Classify User Awareness Programs Remediate Assess Security 27

28 Inventory data 1) Business process walkthroughs Understand types of data accessed, systems and tools used, and controls in place Determine where data is coming from, where it is stored, and where it is processed 2) IT data flow diagrams Identify supporting applications and infrastructure Identify other data locations (e.g., interfaces, data warehouses, shared folders, , cloud providers) 3) discovery tools PII, PHI, PCI, Intellectual property (custom searches) Inventory 28

29 Process Overview Inventory Training & Education Monitor Classification Guide Classify User Awareness Programs Remediate Assess Security 29

30 Classify Classify Risk-rate the data, systems and infrastructure in terms of confidentiality, integrity and availability needs Information system owners review the pre-defined data categories in the Classification Guide to locate matches for all information system data for which they are responsible category is officially recorded for each data type processed or stored by the information system When all data types constituting the information system have been classified, the security categorization of the information system will be determined based on the most sensitive information received by, processed in, stored in, and/or generated by the system under review Once objectively categorized, and appropriate security and control requirements can be applied based on the data categorization 30

31 Process Overview Inventory Training & Education Monitor Classification Guide Classify User Awareness Programs Remediate Assess Security 31

32 Assess Security Assess Security Management Configuration Management Access Controls Authentication User Administration Vendor Management 32

33 Management Assess Security Communicate data classification standards and security procedures User awareness campaign Define life cycle for confidential/highly sensitive data Creation/collection Use Storage/ Retention Delivery Destruction Define data owners and data stewards Make and implement decisions about data 33

34 Access Controls Assess Security Restrict access to sensitive or confidential information through IT systems, copy, and paper distribution Periodic access reviews for sensitive/confidential data Remove system access from personnel that no longer work with the organization or who have changed job roles Restrict vendor access to confidential data Encryption for transmission and storage of sensitive data Limit the number of paper copies of confidential data Store paper copies in locked cabinets Develop and adhere to destruction policy 34

35 User Administration Onboarding/Off-boarding process Assess Security Internal personnel Vendors Contractors Documentation Education Orientation - new hire Basics - security, data sensitivity, transmission Internal policies and procedures 35

36 Configuration management Inventory IT assets Assess Security Define minimum configuration standards Limit access to modify configurations Periodic reviews to ensure compliance Penetration testing 36

37 Vendor Management Assess Security Inventory Vendors Risk Profile Each Vendor Assess Compliance Report & Remediate Identify data involved and the related vendors Assess vendor controls over sensitive data Questionnaires Right to audit Availability of service organization control reports (SOC 1/2) Maintain contract requirements Monitor regulations and update requirements Communicate changes 37

38 Process Overview Inventory Training & Education Monitor Classification Guide Classify User Awareness Programs Remediate Assess Security 38

39 Remediation Remediate PII-specific safeguards: Define a process to safely destroy PII that is no longer relevant and necessary De-identifying information Masking/obscuring portions of the PII De-identified information can be re-identified Anonymizing information De-identified information where the code for re-identification no longer exists Minimize the use, collection, and retention of PII Limit PII collections to the least amount necessary 39

40 Process Overview Inventory Training & Education Monitor Classification Guide Classify User Awareness Programs Remediate Assess Security 40

41 Incident response plan for PII Monitor Preparation Ability to respond quickly is critical (reporting 24/7) Clearly define the information to be reported Insurance Detection and analysis Did the incident involve PII? Containment, eradication, and recovery Was PII accessed? How many records were affected? Post-incident activity Lessons learned / continually update incident response plan Providing individuals with remedial assistance (e.g., credit monitoring) 41

42 Resources NAIC Financial Condition Examiners Handbook requires an IT review as part of regulators examination process and provides guidance to identify information security risks and evaluate the adequacy of controls and applicable risk management practices NAIC Market Regulation Handbook requires a review of computer security procedures to ensure insurance entities have appropriate controls, safeguards and procedures for protecting the integrity of customer information. NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) - provides guidelines for a risk-based approach to protecting the confidentiality of PII. Cybersecurity Nexus, ISACA Cybercrime Audit Assurance Program, 2-12, SIACA Cybersecurity Foundation Training, ISACA 42

43 Questions?

44 Contact Information Kim Mobley Jill Cleaveland Greg Daniel