June 2nd, 2016: Security Awareness. Security is the degree of resistance to, or protection from, harm. If security breaks down, technology breaks down.
Protecting People, Property and Business Assets. Goal for Today: Current Security Landscape; The Impact of Data Breach or Data Loss; Raise everyone's overall awareness; Security risks; Techniques to reduce risk; Changes in Strategy; What we should and can be doing?
Security is a Growing Concern: The AV-TEST Institute registers over 390,000 new malicious programs every day. https://www.av-test.org
Malware has Changed (Organizational Risk: Then vs. Now). Then: Low Business Impact; Less Sophisticated; Targeted PCs. Now: High Business Impact; High Sophistication; Targets Data. Visibility: High (Then), Low (Now).
Security is a Growing Concern: Active malware trends over the last 10 years
The Impact of Data Breach or Data Loss: Organizational ability to recover; Brand damage; Associated Costs
In 2015, the FBI received 2,500 ransomware attack complaints, costing victims $24M. In the first 3 months of 2016, ransomware attacks have cost victims $209M. Source: NBC News
Attackers Evolve, Adapt and Accelerate: Dark markets and services grow; New targets emerge (IoT, cars, etc.); Attacks will drive down the technology stack (Data, Apps, Operating Systems, Firmware, Hardware); Ransomware and CEO email fraud rise
Phishing: 80% of infections stem from massive e-mail attacks; Phishing vs Spear Phishing; Attackers are aware of 3rd party relationships between large targets and smaller service providers
Spear Phishing
Phishing
Phishing 5/12/2016
Services for sale
Need a credit card?
Cyber Criminals Offer Custom Built Ransomware and Hacking Services
Another Scary Fact
Background: Security goes back as far as mankind.
The Traditional Approach to Security: Antivirus, Firewall, Internet
Early Defense in Depth
Defense in Depth Example: Antivirus & Antimalware, Firewall, Antivirus, Antispyware, Intrusion Prevention, Internet
Defense in Depth: The idea behind Defense in Depth is to defend your data and systems against any particular attack, using several independent methods. Perimeter: Firewall, CGSS, IPS. Internal Network: Policies, Access Rights, Monitoring. Endpoint: Antivirus, Anti Malware, Cloud Security.
Why is all this important?
The United States is the most targeted country in the world. (FireEye Cyber Threat Map)
Who are we trying to protect from? Nation States; Insiders; Organized Crime; Other Companies; Thrill Seekers; Notoriety; Political Activists
How do they do it? Poorly configured systems using weak default passwords and settings; Exploiting known vulnerabilities, which are easy to find (Metasploit, CGE (Cisco Global Exploiter)); Password cracking tools to break weak passwords; Social engineering / Email; Planting infection in web sites; Real examples
Tools and Techniques Summary: Train network users to have a healthy level of skepticism; Keep software up to date; Least-privilege access; Encrypt data in transit and on mobile devices; Segment and isolate networks; Documented and tested DR plan; Regular tests/auditing to ensure measures are effective; Data Loss Protection tools
Summary: Seek an optimal balance of Risk/Cost; Understand what we are protecting; Treat security as an ongoing concern, not a "set it and forget it"; Ongoing Security Awareness Training
Will Anyone Out There Take on the Rest of My Risk?
Why Cyber/Privacy Breach Liability Insurance? Both the federal government and each of the 50 states impose certain actions upon persons/entities/businesses/agencies who maintain personal information on systems or computers in the event of a breach or suspected breach. Certain actions could include written notice to all impacted individuals, purchase of individual identification protection for 1 year (Lifelock), credit report monitoring for each impacted individual, and monetary responsibility for financial losses to the impacted individuals. There is NO insurance coverage for any of these items absent a cyber/privacy breach liability policy. The existence of statute and the absence of insurance create an unfunded potential liability.
What Perils Will Cyber/Privacy Breach Insure For? Liability imposed by statute; Regulatory defense and penalties; PCI fines and expenses; Notification of individuals expenses; Legal services/crisis management/public relations services; Cyber extortion. Specific coverage parts can be bought à la carte or are offered as a bundle depending on specific need.
What Perils Will Cyber/Privacy Breach NOT Insure For? Failure to perform professional duties in a satisfactory manner (e.g., systems designs, software build); Loss of digital assets (data); Loss of revenue (unless specifically added to the cyber policy); First party theft of money/securities.
THANK YOU TO OUR SPONSORS!