IT Security Update on Practical Risk Mitigation Strategies


IT Security Update on Practical Risk Mitigation Strategies
Bonnie Bastow, CIA, CISA, CISM, Director
May 2016

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Learning Objectives/Knowledge Gained
- IT security update on 2016 threats
  - McAfee Labs 2016 Threat Predictions
  - PwC 2016 forecast
  - Cybersecurity events: what they have in common
- Practical risk mitigation strategies
  - Increased knowledge of cybersecurity risk assessment processes and tools
  - IT controls to mitigate risks

McAfee Labs 2016 Threat Predictions (threat: comments)
- Hardware: operating-system-level attacks
- Ransomware: offered as a service hosted on the Tor network; financial and government sectors are targets; targeting cloud services and mobile devices
- Vulnerabilities: Adobe Flash, Unix
- Payment Systems: credential stealing and attacks on payment card devices (skimmers, etc.)

McAfee Labs 2016 Threat Predictions, continued (threat: comments)
- Attacks through Employee Systems: increase expected in attacks via Android devices; securing home networks used for employees' remote access
- Cloud Services: users have little insight into the provider's security measures
- Integrity: compromise of the integrity of systems and data; stealthy, selective attacks that appear to be operational problems, accounting errors, or simple mistakes

PwC Survey - Top 3 Challenges - Financial Services 2016
1. Assessing the security capabilities of third-party vendors. Financial services respondents ranked this as the top challenge to their information security efforts. More than half said they would increase spending to better monitor third-party security in the coming 12 months. Average information security spending is up 15%.
2. Rapidly evolving, sophisticated, and complex technologies.
3. Increased use of mobile technologies by customers.

Cyber Security Events: What They Have in Common
Social Engineering

Social Engineering Defined
Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Common Data Breaches/Threats
- Phishing is a form of social engineering
- Phishing is the most common threat
- Usually accomplished through email or phone-call schemes
- Our employees are our weakest link
- Continuous/annual employee training is a must in this area to assist with prevention

Spear Phishing
- Unlike traditional spam, spear phishing is by no means random; it is a highly targeted operation
- The sender impersonates a friend or colleague of the potential victims in order to trick them into opening malware-ridden files, visiting malicious websites, or taking some other action for the phisher's benefit
- Has a high success rate

Spear Phishing Example: https://www.youtube.com/watch?v=bjyhmx_ouqQ&feature=youtu.be&t=2m13s (local copy: ..\The Edit.mp4)

Common Data Breaches/Threats: Malware
Malware is software designed to infiltrate, damage or obtain information from a computer system without the owner's consent (as defined by ISACA).
- Spyware/keylogger (records users' keystrokes; can obtain user names and passwords): 75% of cases
- Backdoor (e.g. malware creates backdoor access for the cyber criminal): 66%
- Captured stored data (e.g. ransomware): 55%
Source: http://us.norton.com/yoursecurityresource/detail.jsp?aid=rise_in_ransomware

Keylogger Example: "Hacker builds wireless Microsoft keyboard keylogger disguised as USB wall charger"

Risk Mitigation Strategies
1 - IT General Controls
2 - Cyber Security Assessments
3 - Training (Employee and IT Specific)
4 - Risk Assessments and Information Sharing

1 - IT General Controls
Security Administration: user provisioning; user removal; user access reviews (with SoD); physical
Logical Security: password controls; privileged user review; security monitoring; segregation of duties
Change Management: authorization and approval; user testing; access to production
Operations: backups; restore test; vendor management; job monitoring
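The security administration and logical security controls listed above (user removal, privileged user review, access reviews with segregation of duties) can be checked mechanically. The following is an added illustration, not the presenter's material; the HR roster, entitlements, approved privileged-user list and SoD rules are all constructed sample data.

```python
"""Access-review checks for three of the IT general controls on the slide:
user removal, privileged user review, and access review with SoD.
Added illustration; all data below is constructed, not from a real system."""

# Constructed: HR roster keyed by user id with current employment status.
HR_ROSTER = {
    "jsmith": "active",
    "mlee": "terminated",
    "rpatel": "active",
    "admin_svc": "active",
}

# Constructed: entitlements currently provisioned in an application.
ACCOUNTS = {
    "jsmith": {"vendor_create", "payment_approve"},
    "mlee": {"report_view"},          # terminated but still provisioned
    "rpatel": {"payment_approve"},
    "admin_svc": {"sysadmin"},
    "ghost": {"report_view"},         # no HR record at all
}

# Constructed: which entitlements count as privileged, and who may hold them.
PRIVILEGED = {"sysadmin"}
APPROVED_PRIVILEGED_USERS = {"rpatel"}   # admin_svc is not on the approved list

# Constructed: pairs of entitlements one person should never hold together.
SOD_RULES = [("vendor_create", "payment_approve")]


def review_access(roster, accounts, privileged, approved, sod_rules):
    """Return findings grouped by control: 'removal', 'privileged', 'sod'."""
    findings = {"removal": [], "privileged": [], "sod": []}
    for user, rights in accounts.items():
        # User-removal control: any account whose HR status is not active
        # (terminated or unknown to HR) should have been deprovisioned.
        if roster.get(user) != "active":
            findings["removal"].append(user)
        # Privileged user review: privileged rights only for approved holders.
        if rights & privileged and user not in approved:
            findings["privileged"].append(user)
        # Segregation of duties: flag conflicting entitlement pairs.
        for a, b in sod_rules:
            if a in rights and b in rights:
                findings["sod"].append((user, a, b))
    return findings


if __name__ == "__main__":
    for control, items in review_access(HR_ROSTER, ACCOUNTS, PRIVILEGED,
                                        APPROVED_PRIVILEGED_USERS, SOD_RULES).items():
        print(f"{control}: {items}")
```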

2 - Cyber Security Assessments
- Internal network vulnerability scans (patching is the largest category; system configuration)
- External network vulnerability scans
- External penetration testing
- Wireless scans
- Social engineering assessments
- Social engineering training

2 - Cyber Security Assessments: Reporting Categories (category: resulting from)
- Patch Management: failure to apply patches provided by vendors to address security weaknesses. Software/firmware patches are primarily an administrative detail.
- System Configuration: identified configuration settings on devices that may not be set in an optimal manner from a security standpoint.
- Trust: identification of insecure authentication methods or configurations on workstations/servers.
- Application Vulnerabilities: discovery of applications with known vulnerabilities found on the network. Examples include the discovery of software such as Dropbox, Skype, and Coupons Printer.
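To produce a report in these four categories, raw scanner output has to be rolled up. The following is an added illustration, not the presenter's tool; the scanner export and the keyword rules are constructed sample data, and the rule order is a simplifying assumption.

```python
"""Roll constructed vulnerability-scan findings up into the slide's four
reporting categories and summarize counts, high-severity counts and hosts.
Added illustration; the export and keyword rules are constructed."""
import csv
import io

# Constructed: a minimal scanner export with host, severity and finding title.
SCAN_EXPORT = """host,severity,title
10.0.0.5,high,Missing security update for Windows SMB
10.0.0.5,medium,SSL certificate uses weak signature algorithm
10.0.0.7,high,Outdated Adobe Flash Player installed
10.0.0.7,low,Dropbox client detected
10.0.0.9,medium,Telnet service enabled
10.0.0.9,high,NTLMv1 authentication permitted
10.0.0.9,medium,Unpatched OpenSSH version
"""

# Constructed keyword rules; the first matching category wins, in this order.
RULES = [
    ("Patch Management", ("missing security update", "outdated", "unpatched")),
    ("Trust", ("authentication", "ntlm", "anonymous")),
    ("Application Vulnerabilities", ("dropbox", "skype", "coupons printer")),
    ("System Configuration", ("enabled", "weak", "default")),
]


def categorize(title):
    """Map one finding title to a reporting category ('Uncategorized' if none)."""
    lowered = title.lower()
    for category, keywords in RULES:
        if any(k in lowered for k in keywords):
            return category
    return "Uncategorized"


def summarize(export_text):
    """Return {category: {'count': n, 'high': n, 'hosts': [sorted hosts]}}."""
    summary = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = summary.setdefault(categorize(row["title"]),
                                   {"count": 0, "high": 0, "hosts": set()})
        entry["count"] += 1
        entry["high"] += row["severity"] == "high"   # bool adds as 0/1
        entry["hosts"].add(row["host"])
    for entry in summary.values():
        entry["hosts"] = sorted(entry["hosts"])
    return summary


def largest_category(summary):
    """The category with the most findings (the slide notes this is patching)."""
    return max(summary, key=lambda c: summary[c]["count"])
```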

3 - Training: Employee and IT Specific
- Training, training, training (employees as well as clients/customers)
- Technical training for key employees and management
- Set the appropriate tone at the top: make security a priority and not just an IT initiative

Training Aids
Cisco (OpenDNS) launched an online quiz to show how easy it is to get people hooked by a social engineering phishing email: https://www.opendns.com/phishing-quiz/
Can you pass the quiz? (It can also be used for training purposes.)

4 - Information Sharing
FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.


4 - Risk Assessment Reduction Solutions
FFIEC Nov. 3, 2014 press release: https://www.ffiec.gov/press/pr110314.htm
The FFIEC released observations from its recent cybersecurity assessment, which included more than 500 community banks, and recommended that regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC): https://www.fsisac.com/

4 - Risk Assessment Reduction Solutions
FFIEC Cybersecurity Assessment General Observations (Summer 2014): https://www.ffiec.gov/press/pdf/ffiec_cybersecurity_assessment_observations.pdf
This document presents general observations from the Cybersecurity Assessment about the range of inherent risks and the varied risk management practices among financial institutions, and suggests questions for chief executive officers and boards of directors to consider when assessing their financial institutions' cybersecurity and preparedness.

McAfee Labs 2016 Threat Predictions (threat: risk mitigation strategy)
- Hardware: patching, vulnerability scans
- Ransomware: risk assessment/vendor management and cyber insurance
- Vulnerabilities: patching programs
- Payment Systems: physical controls, scans, basic controls
- Attacks through Employee Systems: social engineering training, remote access controls
- Cloud Services: risk assessments, vendor management
- Integrity: monitoring controls, social engineering training
Overall: basic IT general controls and assessments

PwC Survey - Top Challenges - Financial Services 2016 (challenge: risk mitigation)
- Third-party security: deeper vendor management practices
- Rapidly evolving, sophisticated and complex technologies: more thorough risk assessments and vendor due diligence
- Increased use of mobile technologies by customers: cyber insurance

PwC - The State of Security 2016 Survey: PwC proposed risk mitigation approaches
1. Risk-based frameworks: 91% adoption rate for a cybersecurity framework. Frameworks provide for better identification and prioritization of security risks. Examples: ISO 27001, NIST, SANS Critical Controls, COBIT.
2. Cloud-based security: 69% use cloud-based cybersecurity services; real-time monitoring.

PwC - The State of Security 2016 Survey, continued
3. The impact of big data: trending, looking for patterns.
4. Threat intelligence sharing: 65% of respondents collaborate to improve security and reduce cyber risks (up from 50% in the previous year); Information Sharing and Analysis Centers (ISACs).
5. Executive involvement: 45% of respondents stated their boards now participate in the overall security strategy, which resulted in a 24% boost in security spending.
Source: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/key-findings.html

Did you know? The biggest violators of IT security are the senior members of the IT/IS team (via controls override), the very team responsible for securing the enterprise, along with CEOs/Presidents.

Questions

Bonnie Bastow, CIA, CISA, CISM
Email: bonnie.bastow@elliottdavis.com
Phone: 704.808.5275
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across six states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.