Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016


Transcription:

Slide 1: Cybersecurity Conference Presentation, North Bay Business Journal, September 27, 2016

Slide 2: PRESENTER
Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA
Partner, Information Security and Infrastructure Practice

Slide 3: THE STATE OF CYBERSECURITY
- Over half a billion personal records were stolen or lost in 2015
- Spear phishing campaigns targeting employees increased 55% in 2015
- Ransomware increased 35% in 2015
- Phone-based impersonation for technical support continues to be an avenue for attack
- IT staff are consumed with the number of ingress points to protect
- Cost of data breaches and cybercrime will top $2 trillion by 2019
Source: The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation, Juniper

Slide 4: RISING INFORMATION SECURITY RISKS: COST INCREASES BY SIZE AND INDUSTRY
- The cost per record varies by industry: average cost = $217/record (U.S. data)
- The total cost of a breach varies with the size of the breach: average cost = $6.53 million (U.S. data)
Source: Research Report, 2015 Cost of Data Breach Study: United States, Ponemon Institute (2015)

Slide 5: WHY CYBER ATTACKS ARE SO INSIDIOUS

Slide 6: WHY NOW?
- Big Data
- Connectivity/Internet of Things (IoT)
- System Complexity
- Interconnectivity with Vendors, Business Partners, and Other Third Parties
- Ability to Steal from Many Quickly and in Many Ways

Slide 7: REGULATORY CONSIDERATIONS BY INDUSTRY GROUPS

Regulation | Industry Group
Health Insurance Portability and Accountability Act of 1996 (HIPAA) | Health Care
Federal Financial Institutions Examination Council (FFIEC); Gramm-Leach-Bliley Act (GLBA) | Financial Institutions
Sarbanes-Oxley (SOX) | Publicly traded companies
Federal Information Security Management Act of 2002 (FISMA); Cybersecurity Act of 2015; Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act; Homeland Security Act 2002 | Federal; Critical infrastructure
Family Educational Rights and Privacy Act (FERPA) | Education
Payment Card Industry Data Security Standards (PCI DSS) | Any organization that processes, transmits, or stores payment card data

Slide 8: STATE CYBER-REGULATIONS
- As of April 2016, 25 states have introduced changes or new cybersecurity regulations
- The District of Columbia, Guam, Puerto Rico, the Virgin Islands, and 47 states have enacted legislation requiring entities to notify individuals of security breaches of information involving personally identifiable information (PII)
- A number of states have expanded their definition of PII to include medical insurance data, biometric data, and online account usernames and passwords

Slide 9: STATE CYBER-REGULATIONS (CONT.)
2015-16 Breach Law Firsts
- Connecticut (2015)
  o Provide free credit monitoring for one year
- Washington (2015)
  o Exemption from notification if the NIST cybersecurity framework is followed
- Tennessee (2016)
  o Notification required even if the information was encrypted

Slide 10: STATE CYBER-REGULATIONS (CONT.)
2015-16 Data Security Law Firsts
- Nevada (2016)
  o Information sent regarding online accounts must be encrypted
- New Jersey (2015)
  o Health insurers must encrypt PI they store electronically

Slide 11: EXAMPLES OF STATE CYBER-REGULATIONS

State | Regulation | Purpose
California | Notice of Security Breach Act, California Assembly Bill 1950 | Any company that owns or maintains personal information of California citizens and has a security breach must disclose the details of the event
Massachusetts | Data Security Law 201 CMR 17.00 | Establishes minimum standards that any person, agency, or entity that owns or licenses personal information of Massachusetts residents must meet to safeguard personal information

Slide 12: TYPES OF ATTACKS
- Attackers are more sophisticated
- Multi-faceted
- Social engineering attacks
  o Spear phishing
  o Phone-based impersonation
- Why hack a system (lower probability) when you can hack people?
- Ransomware
- Mobile devices/IoT

Slide 13: INFRASTRUCTURE SECURITY
- How do we best identify the people threats: education and outside assistance?
- Real security personnel often look down on audit efforts, but they cannot do their job if auditors are not doing theirs.
- Auditors need to ask themselves: What are we actually trying to do? Only compliance?
  o Compliance security audits set the foundation for security teams to build on.
  o Don't ask the security team to build the walls and roof until you've laid the foundation.

Slide 14: INFRASTRUCTURE SECURITY (CONT.)
- The old threat models no longer apply
- Historically, attackers went after big targets because the payday justified their investment, while small targets consumed similar resources for minimal return
- That model has flipped: big targets are often hard targets, while new methods reduce the resource costs for small, soft targets
- "We're too small for anyone to bother with us."

Slide 15: INFRASTRUCTURE SECURITY (CONT.)
Smaller companies often:
  o Use off-the-shelf software with many basic, default settings
  o Do not invest in advanced security technologies
  o Do not have security specialists on staff
  o DO contain highly valuable information, just not in the quantities of a large target
  o Attackers now use a variety of automation techniques to lower the resources necessary to handle large numbers of small hacks
  o Congratulations, you've been monetized

Slide 16: PROTECTING AGAINST INFRASTRUCTURE SECURITY FAILURES
You can't buy security
  o Tools are tools, not solutions
  o You can absolutely do security on the cheap if it is done correctly
  o Security cannot be successful unless it is embedded in a variety of enterprise policies and processes

Slide 17: PROTECTING AGAINST INFRASTRUCTURE SECURITY FAILURES (CONT.)
Design infrastructure security from the outside-in
  o Start with proper perimeter security, including firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS)
  o Ensure that any systems that need to be accessed from the Internet are in a proper demilitarized zone (DMZ), separate from the internal network
  o All external devices should have active monitoring for threat remediation
  o Internal network security should not be overlooked, and should be invested in as funds allow

Slide 18: PROTECTING AGAINST INFRASTRUCTURE SECURITY FAILURES (CONT.)
Design infrastructure security from the outside-in
  o Ensuring that users have only the access they need for their job function is a free yet powerful protection method many companies overlook
  o Internal IPS/IDS sensors to help detect infections from the inside should be deployed if financially possible
  o Proper anti-virus, anti-malware, and e-mail security should always be kept up to date and leveraged throughout the enterprise
  o Understand the impact BYOD (bring your own device) might have on your environment, and ensure that adequate mobile device management is in place
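A worked ruleset for the outside-in design on slides 17 and 18, added here as an example and not part of the original presentation: an nftables forward policy for an edge firewall with assumed interfaces wan0 (Internet), dmz0 (DMZ) and lan0 (internal network) and an assumed DMZ web server at 192.0.2.10 (a documentation address). It admits Internet traffic only to the DMZ web ports, never lets a DMZ host initiate a connection into the internal network, restricts what internal users and DMZ hosts may reach, and logs every drop so the perimeter feeds the active monitoring the slide calls for.

```nftables
# Added example, not from the presentation. Assumed interfaces:
#   wan0 = Internet uplink, dmz0 = DMZ segment, lan0 = internal network
# Assumed DMZ web server: 192.0.2.10 (RFC 5737 documentation address)
table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections permitted below; nothing else by default
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web tier, only its published ports
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # DMZ -> internal: never initiated from the DMZ. Logged because a
        # DMZ host trying this is the signal monitoring must catch.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-blocked: " drop

        # Internal -> DMZ: administration and health checks only
        iifname "lan0" oifname "dmz0" tcp dport { 22, 443 } accept

        # DMZ -> Internet: package updates over HTTPS only
        iifname "dmz0" oifname "wan0" tcp dport 443 accept

        # Internal -> Internet: general egress (tighten further as policy allows)
        iifname "lan0" oifname "wan0" accept

        # Everything else is dropped by the chain policy; record it first
        log prefix "edge-forward-drop: " drop
    }
}
```

Load with `nft -f edge.nft` and forward the kernel log to the monitoring platform; the two log prefixes separate ordinary noise from the DMZ-to-internal attempts that warrant an incident ticket.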

Slide 19: QUESTIONS?