Cybersecurity Conference Presentation
North Bay Business Journal
September 27, 2016
PRESENTER
Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA
Partner, Information Security and Infrastructure Practice
THE STATE OF CYBERSECURITY
Over half a billion personal records were stolen or lost in 2015
Spear phishing campaigns targeting employees increased 55% in 2015
Ransomware increased 35% in 2015
Phone-based impersonation for technical support continues to be an avenue for attack
IT staff are consumed with the number of ingress points to protect
Cost of data breaches and cybercrime will top $2 trillion by 2019
Source: The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation, Juniper
RISING INFORMATION SECURITY RISKS: COST INCREASES BY SIZE AND INDUSTRY
The cost per record varies by industry: average cost = $217/record (U.S. data)
The total cost of a breach varies by the size of the breach: average cost = $6.53 million (U.S. data)
Source: 2015 Cost of Data Breach Study: United States, Research Report, Ponemon Institute (2015)
WHY CYBER ATTACKS ARE SO INSIDIOUS
WHY NOW?
Big Data
Connectivity/Internet of Things (IoT)
System Complexity
Interconnectivity with Vendors, Business Partners, and Other Third Parties
Ability to Steal from Many Quickly and in Many Ways
REGULATORY CONSIDERATIONS BY INDUSTRY GROUPS
Regulation | Industry Group
Health Insurance Portability and Accountability Act of 1996 (HIPAA) | Health Care
Federal Financial Institutions Examination Council (FFIEC) | Financial Institutions
Gramm-Leach-Bliley Act (GLBA) | Financial Institutions
Sarbanes-Oxley (SOX) | Publicly traded companies
Federal Information Security Management Act of 2002 (FISMA) | Federal
Cybersecurity Act of 2015; Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act; Homeland Security Act 2002 | Critical infrastructure
Family Educational Rights and Privacy Act (FERPA) | Education
Payment Card Industry Data Security Standards (PCI DSS) | Any organization that processes, transmits, or stores payment card data
STATE CYBER-REGULATIONS
As of April 2016, 25 states have introduced changes or new cybersecurity regulations
The District of Columbia, Guam, Puerto Rico, the Virgin Islands, and 47 states have enacted legislation requiring entities to notify individuals of security breaches involving personally identifiable information (PII)
A number of states have expanded their definition of PII to include medical insurance data, biometric data, and online account usernames and passwords
STATE CYBER-REGULATIONS (CONT.)
2015-16 Breach Law Firsts
Connecticut (2015)
o Provide free credit monitoring for one year
Washington (2015)
o Exemption from notification if the NIST cybersecurity framework is followed
Tennessee (2016)
o Notification required even if the information was encrypted
STATE CYBER-REGULATIONS (CONT.)
2015-16 Data Security Law Firsts
Nevada (2016)
o Information sent regarding online accounts must be encrypted
New Jersey (2015)
o Health insurers must encrypt PI they store electronically
EXAMPLES OF STATE CYBER-REGULATIONS
State | Regulation | Purpose
California | Notice of Security Breach Act; California Assembly Bill 1950 | Any company that owns or maintains personal information of California citizens and has a security breach must disclose the details of the event
Massachusetts | Data Security Law 201 CMR 17.00 | Establishes minimum standards that any person, agency, or entity that owns or licenses personal information of Massachusetts residents must meet to safeguard personal information
TYPES OF ATTACKS
Attackers are more sophisticated
Multi-faceted
Social engineering attacks
o Spear phishing
o Phone-based impersonation
Why hack a system (lower probability) when you can hack people?
Ransomware
Mobile devices/IoT
INFRASTRUCTURE SECURITY
How do we best identify the people, threats, education, and outside assistance?
Real security personnel often look down on audit efforts, but they cannot do their job if auditors are not doing their job.
Auditors need to ask themselves: What are we actually trying to do? Only compliance?
o Compliance and security audits set the foundation for security teams to build on.
o Don't ask the security team to build the walls and roof until you've laid the foundation.
INFRASTRUCTURE SECURITY (CONT.)
The old threat models no longer apply
Historically, attackers went after big targets because the payday justified their investment, while small targets consumed similar resources for minimal return
That model has flipped: big targets are often hard targets, while new methods reduce the resource costs for small, soft targets
"We're too small for anyone to bother with us."
INFRASTRUCTURE SECURITY (CONT.)
Smaller companies often:
o Use off-the-shelf software with many basic, default settings
o Do not invest in advanced security technologies
o Do not have security specialists on staff
o DO contain highly valuable information, just not in the quantities of a large target
o Attackers now use a variety of automation techniques to lower the resources necessary to handle large numbers of small hacks
o Congratulations, you've been monetized
PROTECTING AGAINST INFRASTRUCTURE SECURITY FAILURES
You can't buy security
o Tools are tools, not solutions
o You can absolutely do security on the cheap if it is done correctly
o Security cannot be successful unless it is embedded in a variety of enterprise policies and processes
PROTECTING AGAINST INFRASTRUCTURE SECURITY FAILURES (CONT.)
Design infrastructure security from the outside-in
o Start with proper perimeter security, including firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS)
o Ensure that any systems that need to be accessed from the Internet are in a proper demilitarized zone (DMZ), separate from the internal network
o All external devices should have active monitoring for threat remediation
o Internal network security should not be overlooked, and should be invested in as funds allow
PROTECTING AGAINST INFRASTRUCTURE SECURITY FAILURES (CONT.)
Design infrastructure security from the outside-in
o Ensuring that users have only the access they need for their job function is a free yet powerful protection method that many companies overlook
o Internal IPS/IDS scanners to help detect infections from the inside should be deployed if financially possible
o Proper anti-virus, anti-malware, and e-mail security should always be kept up to date and leveraged throughout the enterprise
o Understand the impact BYOD (bring your own device) might have on your environment, and ensure that adequate mobile device management is in place
QUESTIONS?