Cyber Security: One of the Most Critical Risk Mitigation Efforts to Bridge the Gap Between Compliance and Ethics
Charly Shugg, Brigadier General, USAF, Retired
Partner / Chief Operating Officer, Sylint Group, Incorporated

The Question of the Day
How did we come up with the company name Sylint and what does it mean?
Sylint (si-lent): from the Greek variant Syl-, meaning "together", and the suffix -int, from the variant meaning information, usually secret information regarding the enemy or about hostile activities, or intelligence.

Sylint Group, Inc
- Incident Response, Cyber Security, Digital Data Forensics (SRQ 1999)
- Clients: Fortune 500, Gov't, Public, Private, Regional, LEO
- 1 of 15 companies accredited by the National Security Agency (NSA) and NSCAP for Cyber Incident Response Assistance (CIRA)
- 1 of 13 companies authorized to investigate card breaches (PCI) in the USA for VISA, MasterCard, AMEX: PCI Forensic Investigators (PFI)
- Criminal / Civil Cases: Expert Witnesses, Special Master of the Court
- NSA, DoD/Air Force Intelligence-Centric Methodologies
Unique Traits of Compliance & Ethics Officers
- Holistic view of the organization's enterprise risks
- Safeguarding the organization's most valuable asset: Reputation
- Brings hidden conflicts of interest to light
- Ability to influence organizational culture & behavior
- Access to Senior Executives and Board of Directors
- Solid grounding in public relations tactics
Compliance & Ethics Officer's Domain
- Prevent harm and protect all stakeholders (Board of Directors, Senior Executives, Employees and Shareholders)
- Assist in managing risks to the organization
- Reduce cyber security disruption risks and potential costs

Cyber Security Breach (Cost of Failure)*
- Home Depot: $10B (Forbes Magazine's estimate)
- Sony: $1.25B (Mizuho Investors estimate)
- Target: $252M+ (Mintz Levin estimate)
- Anthem: $100M+
- Average organizational cost in U.S.: $7.35M (Ponemon Institute)
*Cost includes recurring expenses for investigation, remediation, notification, identity theft and credit monitoring, disruption of normal business operations, lost business and lawsuits.
Organization's Breach Costs
Cost of Direct Damages
- Incident Response Services, Forensics and Notification
- Hardware/Software/Network Repair & Remediation
- Potential Down Time / Loss of Productivity
Cost of Resultant Damages
- Direct Financial Loss
- Regulatory Compliance Fines
- Litigation Cost and Potential Penalties
Cost to Organization's Reputation
- Intangible Customer Cost
- Public Relations ($ Expenses)
- Brand Reputation

Results from Ponemon and Centrify Study
- 66% of IT practitioners think brand protection is not their responsibility
- 45% of IT practitioners and 42% of CMOs believe brand protection is not taken seriously by the C-Suite
- 71% of CMOs believe the biggest cost of a cyber security incident is the loss of brand value
- 31% of consumers will discontinue a relationship due to a data breach
- 65% of consumers will lose trust in the company
More Perspective on Cost
[News headlines]
Is Your Organization a Potential Target? "Not Us!"
Current Cyber Security Environment
- Nearly 50% of organizations have been hit by ransomware
- 95% of phishing attacks led to a breach followed by installation of software
- 60% of SMB companies go out of business within 6 months of a cyber attack
- Humans have moved ahead of machines as the top target for cyber criminals
- 27% of breaches discovered by 3rd parties
(2017 Verizon DBIR)

Current Cyber Security Environment (Continued)
- Yearly victim count: 18 victims per second
- More than 232.4 million identities exposed (326 million people in USA)
- More than 600,000 Facebook accounts compromised every day
- 59% of ex-employees admitted to stealing company data when leaving their previous job
- 80% of hacking-related breaches leveraged stolen/weak passwords
- Of organizations that suffered a cyber attack in 2016: only 31% are making changes to their security; 52% expect their security budget to remain the same or decrease
(2017 Verizon DBIR)

Understanding the Full Range of Cyber Security Disruptive Risk
Just as Compliance is not Ethics, Compliance is not Security.
Compliance Requirement for Protection: Network Firewall
Compliance Requirement for Securing Assets: Encrypting Data
Compliance Requirement for Monitoring Critical Assets: Collect and Analyze Network Security Logs
Ask the Right Questions
- Who is responsible for cyber security risk?
- What are cyber security's reportable Key Performance Indicators (KPIs)?
- How is cyber risk posture communicated to senior executives and the board of directors?
- Risk vs Resources
- "Magic Box" / product-centric approach vs fundamentals approach
Organization Reality Check
Holistic View of Cybersecurity (Realist, Rapid, Resilient): Protection --- Detection & Response --- Remediation & Recovery

Cyber Protection Issues
- Optimal focus & use of current security assets/resources
- Awareness regarding the organization's Crown Jewels
- Segregation
- Access Control
- Encryption
- Endpoint Awareness
Cyber Detection & Response Issues
- Normal Baseline Network Activity
- Basic Abnormal Activity Alerts**
- Security Device Log Capture, Storage or Analysis
- Data Backups / Backup Systems Validated / Backup Systems Air Gapped
- Comprehensive Incident Response Plan*
*Have you seen it? Does everyone know where it is? Are you part of the plan?
Examples of Abnormal Activity Criteria
Focus on detection of threats within an organization's network:
- Queries on systems that may exceed authorized roles or do not correlate with normal operations
- Unusual search patterns that demonstrate a lack of familiarity with data or files that an authentic user would not typically need
- Transfer of extremely large amounts of data or files
- Unwarranted change to authentic information or data
- Modification of a system's audit or log files
- Network access during unusual or non-business days/hours
- Remote access from atypical geographic locations such as foreign countries
- Multiple log-on sessions with simultaneous activities occurring

Additional Focus Areas (FBI list of Suspicious Activity Indications)
- Remote access to the network while the user is on vacation, sick or at odd times
- Network access during odd hours without prior permission or authorization
- Unnecessarily copying materials, especially proprietary or sensitive information
- Displaying interest in matters outside the scope of their duties, access or authorization

Bottom Line: Increased Monitoring Attention Around the Organization's Crown Jewels

Cyber Remediation & Recovery Issues
- Legal, compliance and ethical issues/options adequately addressed with Senior Executives and Board of Directors prior to an event
- Difficult issues must be addressed: Cyber insurance deductible vs potential cost; Communications plan (customers vs employees vs law enforcement); Conflicts between legal and/or regulatory interpretation and ethics
- Consider wargaming / tabletop exercises at the senior level
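The abnormal-activity criteria above (and the "Basic Abnormal Activity Alerts" on the Detection & Response slide) written out as rule checks over a handful of constructed VPN and file-access events; this is an added example, not material from the original deck, and the business-hours window, home country, bulk-transfer threshold, audit-log paths and leave calendar are all assumptions.

```python
"""Rule checks for the slide's abnormal-activity criteria over constructed sample events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): (timestamp, user, source country, action, bytes, target)
EVENTS = [
    ("2017-06-12 09:15", "alice", "US", "login",    0,             "vpn"),
    ("2017-06-12 09:20", "alice", "US", "read",     120_000,       "/finance/q2.xlsx"),
    ("2017-06-12 09:21", "alice", "RO", "login",    0,             "vpn"),        # 2nd session, foreign country
    ("2017-06-14 02:40", "bob",   "US", "login",    0,             "vpn"),        # off-hours
    ("2017-06-14 02:55", "bob",   "US", "download", 3_500_000_000, "/rnd/designs.zip"),  # bulk transfer
    ("2017-06-14 03:05", "bob",   "US", "write",    0,             "/var/log/audit/audit.log"),  # log tampering
    ("2017-06-16 14:00", "carol", "US", "login",    0,             "vpn"),        # user is on leave
]

# Assumed organizational baseline (tune per organization)
HOME_COUNTRY = "US"
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59, Monday to Friday
ON_LEAVE = {"carol": ("2017-06-15", "2017-06-20")}   # assumed HR leave calendar
BULK_BYTES = 1_000_000_000             # "extremely large" transfer threshold
AUDIT_PATHS = ("/var/log/audit", "/var/log/secure")
SESSION_WINDOW_MIN = 30                # a new login within this window counts as concurrent


def flag_events(events):
    """Return (user, rule, timestamp) alerts for every event matching one of the slide's criteria."""
    alerts = []
    logins = defaultdict(list)         # user -> timestamps of earlier logins
    for ts_str, user, country, action, nbytes, target in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            alerts.append((user, "off_hours_access", ts_str))
        if country != HOME_COUNTRY:
            alerts.append((user, "atypical_geography", ts_str))
        leave = ON_LEAVE.get(user)
        if leave and leave[0] <= ts_str[:10] <= leave[1]:
            alerts.append((user, "access_while_on_leave", ts_str))
        if nbytes >= BULK_BYTES:
            alerts.append((user, "bulk_transfer", ts_str))
        if action == "write" and target.startswith(AUDIT_PATHS):
            alerts.append((user, "audit_log_modified", ts_str))
        if action == "login":
            if any((ts - t).total_seconds() <= SESSION_WINDOW_MIN * 60 for t in logins[user]):
                alerts.append((user, "concurrent_sessions", ts_str))
            logins[user].append(ts)
    return alerts


if __name__ == "__main__":
    for user, rule, when in flag_events(EVENTS):
        print(f"{when}  {user:<6} {rule}")
```

Each rule is a single baseline comparison, which is the point: most of these criteria need only the logs the compliance requirement already says to collect, plus an agreed definition of "normal".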
Assessing Information Compromise
Compromise Categories:
- Confidentiality: privacy issue and/or loss of competitive advantage
- Integrity: loss of trust and high liability
- Accessibility: shutdown of operations

Proactive & Forward Thinking
Measure potential cyber security reputational risk scenarios:
- Loss of data confidentiality & public exposure of sensitive email communication from senior executives
- Organization's network assets used by criminals or terrorists (botnet or proxy)
- Loss of data confidentiality of employee Personal Healthcare Information (PHI) and/or Personal Identity Information (PII)
- Loss of data confidentiality of customer credit card information
- Loss of data confidentiality of the organization's Intellectual Property (IP)
- Denied access to the organization's data / ransomware
- Unauthorized modification of the organization's data

Points to Ponder
- Goal of Compliance & Ethics Officers: making employees proud & their companies great
- Get involved in your organization's cyber security risk assessment to assist Senior Executives and the Board of Directors
- Better understand your cyber security posture and the way ahead
Questions and Comments