Helping Businesses Grow & Succeed

Transcription

1 Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018 BYTE-SIZE: The Small Business Cybersecurity Program of the FSBDC Network

2 This presentation is a companion to the publication entitled The Florida SBDC Network Byte-Size Program: Cybersecurity Basics for Small Business. For more information, visit floridasbdc.org/cybersecurity NOTE: These materials are intended to provide information to assist small businesses consider key cybersecurity concepts, to share ideas for reducing cyber risk, and to identify helpful resources from multiple public and private organizations. However, no single technology or program can eliminate all cyber risk nor can they guarantee protection from constantly evolving digital attacks. It is always best to consult IT security and legal professionals to understand your responsibilities and to manage the specific cyber risks associated with your business.

3 Lee V. Mangold Co-Founder & CEO GoldSky Security Co-Founder & Vice President Florida Cyber Alliance President Information Systems Security Association (CFL Chapter) Board Director Security BSides Orlando Adjunct Professor University of Central (CISSP, CEH, GLSC, ITIL...)

4 Section 1 CYBERSECURITY BASICS

5 Trends ( )

6 Who are the attackers? Organized Crime Organizations Large syndicates of attackers Hierarchical organizations; Mafia State-Sponsored Attackers Government organizations Russia, China, Iran, North Korea, etc... Script Kiddies Use downloaded tools and scripts Motivated by fame Other Professionals Usually experimenting, learning, or shaming Hacktivists All-the-above Motivated by a social cause

7 Top Threats & Targets Top Threats Malware Specifically Ransomware Social Engineering Phishing s Extortion attempts 3 rd Party Data Theft Stolen Credentials 3 rd Party breaches Top Targets Medical Industry Compromising PHI Compromising PHI Potentially more... Legal Industry Compromising PII Compromising PHI Financial & Administrative Services Compromising PII Fraud and monetary theft Retail Monetary theft (PCI)

8

9

10 Three Foundational Cybersecurity Principles What Know what your critical data/assets are Where Know where your critical data/assets are How Know how they are protected

11 CLOUD!! IaaS PaaS SaaS

12

13 Types of Attacks

14 MALWARE Malicious software Steal credentials or other information Steal money Ransomware Botnets Sabotage Denial of service

15 PHISHING designed to lure you in to doing something ill-advised Execute an attachment Click on a link Unwittingly give away sensitive information Some are really good at exploiting human gullibility

16

17 INTERNET OF THINGS (IoT) Increasingly, tech devices are being targeted Eavesdropping Steal data Botnet agents DDoS attacks

18 APPLICATION ATTACKS Maliciously manipulate application software Steal data from database server Run attack scripts on other users PCs Steal user credentials

19 Remediation Activities

20 Employee Education Technology is great, but your most important assets are your employees First line of defense Train them on the tools you use Encourage them to report strange computer activity

21 Passwords & MFA Use Strong Passwords or Passphrases NEVER share your passwords Don t re-use passwords Enable Multi-Factor Authentication where possible!

22 PROTECTIONS Policies and policy management Software updates Configurations Security products Application software controls

23 DETECTION MEASURES Event monitoring Intrusion detection and prevention systems Threat monitoring User reports

24 RESPONSES Incident response Advocates for the business Reduce the losses Get back in businesses as quickly as possible Support investigations Decision support during incident Crisis communications

25 INSURANCE Is cybersecurity insurance right for you? It depends Policies exist Read the fine print and comply with their requirements Answer their questions candidly Understand what is and is not covered

26 Bundled Electronic Data Processing (EDP) Stand-Alone Stop-Loss (DIC) INSURANCE 101 Key questions: Bundled vs. Stand alone? What are the policy exclusions? How much coverage should I purchase? Bundled cyber policies often offer limited coverage, not broad protection Have gaps and more exclusions. Usually are an endorse- ment to other liability policies. Can result in greater exposure EDP policies are not cyber coverage. They usually cover: Data processing equipment. Hardware replacement. Property coverage. Stand alone cyber policies offer the most protection. Normally cover: Third party liability. Breach Response. Notification. Restoration. Business interruption. Reputation risk. DIC plans are for larger organizations with greater risk profiles. They provide: Catastrophic backstop Covers gaps Meant for large Losses when underlying coverage is exhausted. Who is the breach response firm? Danger Zone Safe(r) Zone

27 Section 2 CASE STUDIES IN CYBERSECURITY

28 Breach Case Studies Insurance Company COO s Account Credentials Phished Account Data stolen from & Storage Data exfiltrated to unknown destinations in Russia Had to notify individuals, pay for credit monitoring, etc... Healthcare Practice Hard Drive Stolen during A/C Maintenance Owners extorted, police involved Had to notify 37,000+ individuals CPA & Patent Firm User sent a fake Docusign link, logged in, downloaded malware Forwarded the to colleagues Data exfiltrated to unknown destinations in Russia

29 Breach Case Studies TerraCom and YourTel America (2014) Failed to protect PII of customers 300,000 identities at risk Settled with FCC for $3.5M Verizon (2017) Failed to protect PII of customers 3 rd party IT contractor left data unprotected in AWS Undisclosed Carrier Hackers gained unauthorized access to SIP trunks Hundreds of thousands in fraudulent charges billed to customers Company had no idea how to track or prevent the attacks

30 Case Study: Mossack Fonseca

31 Case Study: Mossack Fonseca Drupal Web Portal Outdated; Several Critical Vulnerabilities Exploited Get Data! Get Mail! Log In Exploited Passwords Passwords WordPress Website Plugin: Revolution Slider Plugin: WP-SMTP plugin Plugin: ALO EasyMail Server

32 Misconfiguration Configuration Management Are all your systems provisioned to a baseline standard? Are all your systems audited REGULARLY? Could you audit your systems if you had to? Who has access to what data and how is it protected?

33 3 rd Party Problems How do you know your 3 rd parties are secure? What data do you share with them? Do you know? How often have you (or can you) audit 3 rd parties? Have THEY been breached already?

34 Mismanagement Have you formed a security team or a formal security effort? Do you have procedures in place to help prevent breaches? What do you do when you HAVE a breach? Would you know? Are you practicing risk management in IT and Security?

35 Seek out best practices! Begin practicing security risk management Work across IT (and all domains) to identify the what, where, how Establish baseline security standards Have a plan and seek help where you need it!

36 Section 3 CYBERSECURITY COMPLIANCE (AND RISK MANAGEMENT)

37 Cybersecurity Management IS Risk Management

38 NIST Cyber Security Framework NOT A STEP-BY-STEP PROCESS

39 Cyber Risk Management Objectives What are my BIGGEST areas of risk? What are my potential mitigation strategies? What is the cost-benefit of implementing various mitigation strategies? What is the cost of doing nothing?

40 NIST Security Risk Assessment

41 Security - vs - Compliance Security Protecting what s important Following the rules Compliance Confidentiality Data Integrity Availability HIPAA FIPA and other PII regs PCI GLBA, etc...

42 Three Foundational Cybersecurity Principles What Know what your critical data/assets are Where Know where your critical data/assets are How Know how they are protected

43 Legal Frameworks (Federal) Government Contractors Compliance (and more...) Healthcare Health Insurance Portability and Accountability Act (HIPAA) Financial Institutions Gramm-Leach-Bliley Act (GLBA) Credit Unions Various FFIEC / NCUA Regulations Federal Agencies Homeland Security Act (FISMA) Public Companies Sarbanes-Oxley Act (SOX, Section 302 & 404) International General Data Protection Regulation (GDPR) EU-PrivacyShield

44 Florida Information Protection Act Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information. A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state What is PII First & Last Name and one of: SSN Financial Account Number Government ID number Health Information or Insurance ID Username or Address, including password or security questions Encrypted passwords are not considered PII!

45 Other States 48 States with Data Breach and/or Data Privacy Laws Excludes Alabama and South Dakota District of Columbia Puerto Rico US Virgin Islands Guam

46 NIST SP Compliance Describes information protection requirements for: Non-Federal Organizations holding Controlled Unclassified Information (CUI) 22 Categories of CUI Data

47 Agriculture Controlled Technical Info Critical Infrastructure Emergency Management Export Control Research Financial Data Geodetic Information Immigration Information Systems Vulns Intelligence Data or Records International Agreements Compulsory Tax Information What is CUI? 22 Categories of Controlled CUI Law Enforcement Data Legal Data Natural and Cultural Resources NATO-Related Data Nuclear Data Patent Information Privacy Information Procurement and Acquisition Proprietary Business Data SAFETY Act Information Statistical/Census Data Some Transportation Data

48 Controlled Technical Info Research and engineering data Engineering drawings and associated lists Specifications, standards, process sheets Manuals Technical reports Technical orders Data sets Studies and analyses and related information Computer software executable code and source code etc...

49 Requirements 14 Families of Controls Access Control Media Protection Awareness and Training Personnel Security Audit and Accountability Physical Protection Configuration Management Risk Assessment Identification and Authentication Security Assessment Incident Response System and Communications Protection Maintenance System Information Integrity

50 Control Example From NIST SP

51 Control Example From NIST SP

52 Next Steps... Download & Read NIST SP ons/nist.sp pdf Plan for Implementation of Controls Assess for applicability and impact Implement controls like a project Continually assess your security!

53 Section 4 CYBERSECURITY RESOURCES

54 RESOURCES AND PLANNING Information: Florida Small Business Development Center Network: US Chamber of Commerce Threat Reporting & Alerts: FBI IC3: Secure Florida: Planning Materials: SBA Learning Center US Small Business Administration (SBA): at: National Institutes for Standards & Technology (NIST): 21r1.pdf Note: Additional resources may be found in the Florida SBDC Network s Byte-Size program publication: Cybersecurity Basics For Small Business

55 RELATED TIPS Get to know your law enforcement Who are they, what resources do they have? Meet them in person (prior to needing to) Consider FBI s Infragard