Simplifying Cyber Security and Today's Growing Regulatory Compliance Tuesday, February 13, 2018 Andrew Hay, CTO, LEO Cyber Security +1.415.940.9660 andrew.hay@leocybersecurity.com https:// https://twitter.com/andrewsmhay 1
About Andrew Hay Co-Founder and Chief Technology Officer (CTO) Security @ LEO Cyber Former: CISO @ DataGravity Director of Research @ OpenDNS Chief Evangelist & Director of Research @ CloudPassage Senior Security (Industry) Analyst @ 451 Research Information Security Officer in higher education and financial services Blogger, author, and rugby coach 2
About LEO Cyber Security LEO is a seasoned team of cyber trailblazers and creative practitioners who have the deep experience and operational knowledge to combat the cyber skills gap. Through creative solutions we help our customers build and manage security programs. 3
Agenda Introduction The CU Threat & Compliance Landscape The Incident Response Life Cycle Protecting Both The CU & Members Summary 4
Introduction There is often a disconnect between CU leadership and the IT and security staff in the trenches. Though a CU may not have experienced a damaging breach in the past, the data shows that many CUs would be incapable of effectively mitigating one. So how does a credit union, which is increasingly responsible for the security and privacy of member and employee information, mitigate a serious and perhaps business-ending data breach? 5
How Many Times Have You Heard (or Said) "We've never been breached before" "Nobody cares about attacking our CU" "We have nothing that an attacker would want" "We can't afford to invest in..." 6
The CU Threat Landscape: Verizon DBIR 2017, Financial Services
Frequency: 998 incidents, 471 with confirmed data disclosure
Top 3 patterns: Denial of Service, Web Application Attacks and Payment Card Skimming represent 88% of all security incidents within Financial Services
Threat actors: 94% external, 6% internal, <1% partner (all incidents)
Actor motives: 96% financial, 1% espionage (all incidents)
Data compromised: 71% credentials, 12% payment, 9% personal
Summary: DoS attacks were the most common incident type. Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords, along with ATM skimming operations. 11
The CU Threat Landscape Reported CU breaches: 44 (2005 to present) Total records exposed: ~331,476 Repeat offenders: 3 CUs (source: Privacy Rights Clearinghouse breach database, listed under Further Reading) 12
The CU Compliance Landscape Payment Card Industry Data Security Standard (PCI DSS) Version 1.0 was released on December 15, 2004 (the current version at the time of this talk is 3.2) If a merchant experiences a security breach and is found to be non-compliant with PCI DSS, the card brands and acquiring bank may impose steep fines Depending on the circumstances, merchants might pay anywhere from $5,000 to $100,000 per month until all identified compliance issues are addressed If the issues are not resolved satisfactorily, the merchant's ability to accept cards may be revoked 13
The CU Compliance Landscape New York's Cybersecurity Regulation (23 NYCRR Part 500) Took effect on March 1, 2017 Applies to all individuals and organizations regulated by the New York State Department of Financial Services (NYS DFS), i.e., any individual or organization that operates under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, insurance law, or financial services law Penalties could include: License revoked; a $250,000 fine, OR 1% of the total assets of the banking organization, OR 1% of the total assets of its banking subsidiaries 14
The CU Compliance Landscape European Union's General Data Protection Regulation (GDPR) Applies from May 25, 2018 Fines for non-compliance run up to 20 million Euros (about $24 million USD at early-2018 exchange rates) or up to 4% of the organization's worldwide annual turnover, whichever is higher In terms of breach reporting: a controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33) Keep in mind: notification is not required where the breach is unlikely to result in a risk to individuals, e.g., activity caught and eradicated before any personal data was accessed; the breach must still be documented internally so the regulator can verify that judgement later 15
Understanding Incident Response Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack (also called an IT incident, computer incident, or security incident) The goal is to handle the situation in a way that limits damage and reduces recovery time and cost 17
NIST Incident Response Life Cycle NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide Defines four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity Used to collect, analyze, contain, and document incident-related data and findings, and to determine the appropriate response to each incident https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final 18
Preparation Keeping the number of incidents reasonably low is very important If preventive security controls are insufficient, higher volumes of incidents may occur and overwhelm the incident response team This leads to slow and incomplete responses, which translate into a larger negative business impact, e.g., more extensive damage and longer periods of service and data unavailability 19
Detection & Analysis For many CUs, the most challenging part of the incident response process is accurately detecting and assessing possible incidents: determining whether an incident has occurred and, if so, its type, extent, and magnitude Signs of an incident fall into two categories: precursors and indicators A precursor is a sign that an incident may occur in the future (e.g., web server log entries showing a vulnerability scanner at work, or a newly announced exploit for software the CU runs) An indicator is a sign that an incident may have occurred or may be occurring now (e.g., an IDS or antivirus alert, a DNS query for a known command-and-control domain, a login from an unexpected location) Most attacks do not have any identifiable or detectable precursors from the target's perspective 20
Detection & Analysis If precursors are detected, the CU may have an opportunity to prevent the incident from occurring (e.g., patch or block the source before the exploit lands) Indicators of Compromise (IOCs), such as attacker IP addresses, domains, and file hashes, are used to recognize indicators in logs, DNS, and endpoint telemetry IOCs are derived from: Threat intelligence feeds or sharing groups Past investigations Proprietary/tribal knowledge of analysts 21
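The slides above describe precursors and indicators in prose. The following is an added example, not code from the original deck or from LEO Cyber Security, showing how the two categories look when an analyst runs a small IOC set over logs. The IOC values, log lines, log formats, and the function name `triage` are all constructed for illustration (documentation IP ranges, an example.net domain, and well-known test hashes), not real threat intelligence.

```python
"""Triage constructed log lines against a small IOC set, splitting hits into the
NIST SP 800-61 categories: precursors (an incident may happen) and indicators
(an incident may be happening). Added example; everything here is constructed."""
import re
from collections import defaultdict

# Constructed IOC set in the shape a feed or a past investigation would provide.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges; the hash is sha256("test").
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Precursor heuristics. SP 800-61 lists vulnerability-scanner activity in web server
# logs as a precursor; a scanner User-Agent or one source probing many missing paths
# is the cheapest way to spot it.
SCANNER_UA = re.compile(r"nikto|sqlmap|masscan|nmap", re.IGNORECASE)
PROBE_THRESHOLD = 5  # distinct 404 paths from one source before we call it probing

# Constructed log formats: Apache combined access log, a DNS resolver log, an EDR event.
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
DNS_RE = re.compile(r"^dns client=(?P<src>\S+) query=(?P<domain>\S+)")
EDR_RE = re.compile(r"^edr host=(?P<host>\S+) .*sha256=(?P<sha256>[0-9a-f]{64})")

# Constructed sample input. Line numbers are 1-based in the results below.
LOG_LINES = [
    '192.0.2.10 - - [13/Feb/2018:09:01:02 -0600] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Feb/2018:09:02:11 -0600] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '192.0.2.77 - - [13/Feb/2018:09:05:01 -0600] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [13/Feb/2018:09:05:02 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [13/Feb/2018:09:05:03 -0600] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [13/Feb/2018:09:05:04 -0600] "GET /backup.zip HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [13/Feb/2018:09:05:05 -0600] "GET /.git/config HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    "dns client=10.0.5.21 query=update-check.example.net type=A",
    "edr host=teller-07 event=file_write sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "edr host=teller-07 event=file_write sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


def triage(lines, iocs=IOCS):
    """Return {'indicators': [(line_no, reason)], 'precursors': [(line_no, reason)]}.

    Indicators are exact IOC matches (something known-bad touched us).
    Precursors are reconnaissance signs that precede an intrusion attempt."""
    indicators, precursors = [], []
    probes = defaultdict(dict)  # src ip -> {404 path: last line number}

    for n, line in enumerate(lines, 1):
        m = WEB_RE.match(line)
        if m:
            src, path, status, ua = m.group("src", "path", "status", "ua")
            if src in iocs["ip"]:
                indicators.append((n, f"request from known-bad IP {src}"))
            if SCANNER_UA.search(ua):
                precursors.append((n, f"vulnerability scanner User-Agent from {src}"))
            if status == "404":
                probes[src][path] = n
            continue
        m = DNS_RE.match(line)
        if m:
            if m["domain"] in iocs["domain"]:
                indicators.append((n, f"{m['src']} resolved known-bad domain {m['domain']}"))
            continue
        m = EDR_RE.match(line)
        if m and m["sha256"] in iocs["sha256"]:
            indicators.append((n, f"known-bad file hash written on {m['host']}"))

    # Probing is only visible in aggregate, so it is scored after the pass.
    for src, paths in probes.items():
        if len(paths) >= PROBE_THRESHOLD:
            precursors.append((max(paths.values()), f"{src} probed {len(paths)} non-existent paths"))

    return {"indicators": indicators, "precursors": precursors}


if __name__ == "__main__":
    for category, hits in triage(LOG_LINES).items():
        print(category)
        for line_no, reason in hits:
            print(f"  line {line_no}: {reason}")
```

Run as-is, it reports three indicators (the Nikto request from a listed IP, the DNS lookup of a listed domain, the listed hash on `teller-07`) and two precursors (the scanner User-Agent and the source that probed five missing paths). The point for the IR team is the split: the indicators go straight to Containment, while the precursors are the cases where the CU still has time to block the source or patch before an incident exists.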
Containment, Eradication, and Recovery Containment is important before an incident overwhelms resources or increases damage Most incidents require some measure of containment Containment buys time to develop a tailored remediation strategy Containment strategies vary by incident type: isolating a host from the network, disabling a compromised account, or blocking an attacker's addresses at the perimeter are different answers for different incidents, and each should be decided in advance in the IR plan rather than under pressure 22
Post-Incident Activity Often called the lessons learned phase A study of incident characteristics may reveal systemic security weaknesses and threats, as well as changes in incident trends This data feeds back into the risk assessment process, ultimately leading to the selection and implementation of additional controls 23
The Full Life Cycle (diagram of the NIST SP 800-61 life cycle: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity, with the last phase feeding back into Preparation) 24
Revisiting "How Many Times Have You Heard (or Said)" "We've never been breached before" "Nobody cares about attacking our CU" "We have nothing that an attacker would want" "We can't afford to invest in..." 26
Counterpoints: "We've never been breached before" Do you currently have the visibility or capability to discern this, or has the organization simply been oblivious? Has the CU industry been targeted as of late? Have your partners or supply chain ever suffered a breach? 27
Counterpoints: "Nobody cares about attacking our CU" Upon what assumptions is this statement based? Perhaps the previous slide? If compute resources are connected to the Internet you must always assume that at least ONE person wants to exploit or gain access to them Opportunistic attackers do not choose targets by name; they scan everything, and measured "survival time" for an unpatched system exposed to the Internet is currently around 4 minutes 28
Counterpoints: "We have nothing that an attacker would want" The answer to this is almost always "Yes, we do" Money isn't the only asset an attacker wants Other assets include: Compute resources (a.k.a. bots) Intellectual property Financial and member information Intangibles are tangible in an online world 29
Counterpoints: "We can't afford to invest in..." What is the business tolerance for pain vs. expense? How much do the following cost the business: Bad press Downtime Public breach disclosure Opportunistic attack recovery (e.g., ransomware) 30
Some Unanticipated Costs To Consider
Brand damage: Can your CU brand navigate a highly publicized and damning breach? Will your partners return? Will your members?
Technology: Will a breach cause a knee-jerk purchasing reaction within your CU to prevent the same thing from happening again?
Productivity: How long can you tolerate the disruption to the operational state of your CU?
IP loss: Lost future earnings from having your CU's intellectual property sold or used on the open market by competitors
Innovation: Will innovation suffer because your CU is spending all of its time trying to recover from a breach?
Perception: Will your CU have a permanent black mark in the eyes of potential employees, investors, and partners? 31
Quick Wins So how can you make incremental improvements without... Rocking the boat... Ripping-and-replacing existing tools... Spending a fortune... 32
Quick Wins The easiest way to effect change is by taking small bites Large bites: NIST, ISO, COBIT, ITIL Small bites: CIS, CSA 33
CIS Controls for Effective Cyber Defense The CIS Controls are a set of internationally recognized measures developed, refined, and validated by leading IT security experts from around the world They represent the most important cyber hygiene actions every organization should implement to protect its IT networks The Australian Signals Directorate found that its Top 4 mitigation strategies, which map onto the first five CIS Controls (inventories of hardware and software, secure configuration, continuous vulnerability management, controlled use of administrative privileges), would have prevented roughly 85% of the targeted intrusions it responded to 34
Summary The threat and compliance landscape continues to evolve, as do the capabilities and prevalence of attackers A well documented and well executed incident response program will limit the damage of a breach or cyber incident Your members rely on you to proactively protect their interests And it doesn't have to cost a fortune (or, in some cases, anything!) 40
Further Reading
LEO Cyber Security Blog: http://leocybersecurity.com/blog/
"Yes, EU Data Regs Will Impact Credit Unions" (CU Times): http://www.cutimes.com/2017/05/05/yes-eu-data-regs-will-impact-credit-unions
Cost of Data Breach Study (IBM/Ponemon): https://www.ibm.com/security/data-breach
Verizon 2017 Data Breach Investigations Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
Privacy Rights Clearinghouse: https://www.privacyrights.org
Center for Internet Security: https://www.cisecurity.org 41
Andrew Hay, CTO +1.415.940.9660 andrew.hay@leocybersecurity.com Thank You! https:// https://twitter.com/andrewsmhay Questions? Visit Us At: https:// LEO Cyber Security 1612 Summit Avenue, Suite 415, Ft. Worth, TX 76102 info@leocybersecurity.com @LeoCyberSec 42