CYBER SECURITY WORKSHOP, NOVEMBER 2, 2016
Anurag Sharma [CISA, CISSP, CRISC], Principal, Cyber & Information Security Services
VIDEO: CAN IT HAPPEN TO ME?
AGENDA: CYBERSECURITY, WHY SUCH A BIG DEAL?
INFORMATION IS THE NEW OIL!
Companies are collecting and storing large amounts of data on a regular basis. This data may include information about employees, customers, intellectual property/trade secrets and business operations. This data has value to the companies producing/collecting it, to their competitors and to unknown third parties.
BREACH STATISTICS
Source: BreachLevelIndex.com
NEWSWORTHY DATA BREACHES
COST OF BREACHES
Source: BreachLevelIndex.com
SMALL & MEDIUM BUSINESS MYTH
"I am too insignificant to attract the interest of cyber criminals!!"
SMALL & MEDIUM BUSINESS MYTH
It is the data that makes a business attractive, not its size, especially if it is "delicious" data such as lots of customer contact info, credit card data, health data, or valuable intellectual property.
SMB: AN ATTRACTIVE TARGET... WHY?
- Lack of time, budget and expertise
- No dedicated IT security specialist
- Lack of risk awareness
- Lack of employee training
- Failure to keep security defenses up
- Outsourcing security to unqualified contractors
SMB: AN ATTRACTIVE TARGET... WHY?
Automation allows modern cyber criminals to mass-produce attacks with little investment!
It's easier to rob a house than a museum.
IMPACT OF BREACHES - SMB
Direct costs... just the tip of the iceberg!
COSTS HIDDEN UNDERWATER
- Litigation costs
- Costs of investigation
- Rebuild or replacement of network
- Damage to your reputation
- Public relations costs
- Increase in insurance premiums
- Increase in borrowing cost
AGENDA: HOW TO DEAL WITH CYBER RISKS?
FRAMEWORK LANDSCAPE
The different cybersecurity frameworks:
- ISO 27001
- COBIT
- NIST SP 800 series
- PCI DSS
- ITIL & ISO 20000
- ISO 22301 & BS 25999-2
- NFPA 1600
- ISO 27032, etc.
NIST CYBERSECURITY FRAMEWORK
In 2014, the National Institute of Standards and Technology (NIST) released the comprehensive NIST Cybersecurity Framework. This NIST Framework allows organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
FOCUS: 5 FUNCTIONAL AREAS
IDENTIFY: What assets need protection? Cyber risk assessment; systems; data.
PROTECT: What safeguards are available? Security training; access & network security; encryption & backup.
DETECT: What techniques can detect incidents? Monitoring tools; security monitoring services; look for visible signs.
RESPOND: What techniques can contain the impact of incidents? Quarantine; breach response plan; perform forensics.
RECOVER: What techniques can restore capabilities?
IDENTIFY + PROTECT + DETECT + RESPOND + RECOVER = CYBERSECURITY
NIST CYBERSECURITY ASSESSMENT
IDENTIFY (ID), PROTECT (PR), DETECT (DE), RESPOND (RS), RECOVER (RC)
AGENDA: REGULATORY ENVIRONMENT
REGULATIONS: HEALTHCARE SECTOR
HIPAA compliance: HHS clarification on ransomware (2016)
- Ransomware = security incident
- Was ePHI encrypted by the ransomware? Yes! A BREACH HAS OCCURRED, unless you can demonstrate a low probability of compromise
- Follow your incident response & reporting procedures
- Breach notification provisions apply
NY STATE DEPT. OF FINANCIAL SERVICES
23 NYCRR 500
CURRENT STATUS OF THIS REGULATION?
- Proposed regulation as of Sep 28, 2016; 45-day public comment period
- If finalized, effective from Jan 1, 2017, with 180 days from 1/1/17 to comply
- Certification of compliance due Jan 15, 2018
- Limited exemptions: in each of the last 3 years, < 1000 customers & < $5 million in gross revenue & < $10 million in total assets
WAIT & WATCH IS NOT A PRUDENT STRATEGY!!
THANK YOU
Anurag Sharma, Principal
asharma@withum.com
609.945.7985