Simplifying Cyber Security and Today's Growing Regulatory Compliance


Tuesday, February 13, 2018
Andrew Hay, CTO, LEO Cyber Security
+1.415.940.9660
andrew.hay@leocybersecurity.com
https://
https://twitter.com/andrewsmhay

About Andrew Hay
Co-Founder and Chief Technology Officer (CTO) @ LEO Cyber Security
Former:
- CISO @ DataGravity
- Director of Research @ OpenDNS
- Chief Evangelist & Director of Research @ CloudPassage
- Senior Security (Industry) Analyst @ 451 Research
- Information Security Officer in higher education and financial services
Blogger, author, and rugby coach

About LEO Cyber Security
LEO is a seasoned team of cyber trailblazers and creative practitioners who have the deep experience and operational knowledge to combat the cyber skills gap. Through creative solutions we help our customers build and manage security programs.

Agenda
- Introduction
- The CU Threat & Compliance Landscape
- The Incident Response Life Cycle
- Protecting Both The CU & Members
- Summary

Introduction
- There is often a disconnect between the CU leadership and the IT and security staff in the trenches
- Though the CU may not have experienced a damaging breach in the past, data shows that many CUs may be incapable of effectively mitigating such an event
- So how does a credit union, which is increasingly responsible for the security and privacy of customer and employee information, mitigate a serious and perhaps business-ending data breach?

How Many Times Have You Heard (or Said)
- "We've never been breached before"
- "Nobody cares about attacking our CU"
- "We have nothing that an attacker would want"
- "We can't afford to invest in"



The CU Threat Landscape: Verizon DBIR 2017, Financial Services
- Frequency: 998 incidents, 471 with confirmed data disclosure
- Top 3 patterns: Denial of Service, Web Application Attacks and Payment Card Skimming represent 88% of all security incidents within Financial Services
- Threat actors: 94% External, 6% Internal, <1% Partner (all incidents)
- Actor motives: 96% Financial, 1% Espionage (all incidents)
- Data compromised: 71% Credentials, 12% Payment, 9% Personal
- Summary: DoS attacks were the most common incident type. Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords, along with ATM skimming operations.

The CU Threat Landscape
- Reported CU breaches: 44 (2005 to present)
- Total records exposed: ~331,476
- Repeat offenders: 3 CUs

The CU Compliance Landscape: Payment Card Industry Data Security Standard (PCI DSS)
- PCI DSS 1.0 was released on December 15, 2004 (current version is 3.2)
- If a merchant experiences a security breach and is found to be non-compliant with PCI rules, they may be subject to steep fines
- Depending on the circumstances, merchants might have to pay anywhere from $5,000 to $100,000 every month until they address all identified compliance issues
- If they don't resolve the problem satisfactorily, they may even have their ability to accept cards revoked

The CU Compliance Landscape: New York's Cybersecurity Regulation (23 NYCRR Part 500)
- Enacted on March 1, 2017
- Applies to all individuals and organizations that are regulated by the New York State Department of Financial Services (NYS DFS)
- Impacts any individual or organization that operates "under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law, or the financial services law"
- Penalties could include:
  - License revoked
  - $250,000 fine, OR 1% of the total assets of such banking organization, OR 1% of the total assets of the banking subsidiaries

The CU Compliance Landscape: European Union's General Data Protection Regulation (GDPR)
- Goes into effect on May 25, 2018
- The fines for not complying with GDPR are up to 20 million Euros (~$22 million USD) per violation or up to 4% of the organization's annual revenue, whichever is higher
- In terms of breach reporting: if a company experiences a data breach, it must report it within 72 hours of the company becoming aware of the incident
- Keep in mind: if breach activity is caught early enough that it can be eradicated before any protected data is compromised, it may not need to be reported at all


Understanding Incident Response
- Incident response is an organized approach to addressing and managing a security breach or cyberattack
- Also known as an IT incident, computer incident, or security incident
- The goal is to handle the situation in a way that limits damage and reduces recovery time and costs

NIST Incident Response Life Cycle
- NIST SP 800-61 - Computer Security Incident Handling Guide
- Used to collect, analyze, contain, and document any incident-related data or findings
- Also used to determine the appropriate response to each incident
- https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Preparation
- Keeping the number of incidents reasonably low is very important
- If security controls are insufficient, higher volumes of incidents may occur, overwhelming the incident response team
- This can lead to slow and incomplete responses, which translate to a larger negative business impact (e.g., more extensive damage, longer periods of service and data unavailability)

Detection & Analysis
- For many CUs, the most challenging part of the incident response process is accurately detecting and assessing possible incidents
- Determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem
- Signs of an incident fall into one of two categories: precursors and indicators
  - A precursor is a sign that an incident may occur in the future
  - An indicator is a sign that an incident may have occurred or may be occurring now
- Most attacks do not have any identifiable or detectable precursors from the target's perspective

Detection & Analysis
- If precursors are detected, the CU may have an opportunity to prevent the incident from occurring
- Indicators of Compromise (IOCs) are often used to identify prevalent precursors
- IOCs are derived from:
  - Threat intelligence feeds or groups
  - Past investigations
  - Proprietary/tribal knowledge of analysts
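As an added example (not part of the presentation or LEO's material), the following Python applies the precursor/indicator split from NIST SP 800-61 to constructed log lines, using a constructed IOC set grouped by the three sources the slide names; every address, hash and user-agent string is a placeholder.

```python
import re

# Constructed IOCs (placeholders, not real indicators), grouped by the three
# sources the slide lists: intel feed, past investigations, analyst knowledge.
IOCS = {"feed": {"203.0.113.45", "198.51.100.7"},   # TEST-NET stand-ins
        "investigation": {"a1b2c3d4e5f6a7b8"},      # placeholder file hash
        "analyst": {"Nikto", "sqlmap"}}             # scanner user-agent fragments
FAILED_LOGIN_THRESHOLD = 5
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def triage(lines):
    """Return (kind, source, detail) tuples; kind is "precursor" (an incident
    may occur) or "indicator" (one may be occurring), as NIST SP 800-61 defines them."""
    findings, failed_by_ip = [], {}
    for line in lines:
        m = IP_RE.search(line)
        ip = m.group(1) if m else None
        # Scanner user agents are reconnaissance: a precursor, not proof of compromise.
        for ua in IOCS["analyst"]:
            if ua in line:
                findings.append(("precursor", "analyst", f"scanner {ua} from {ip}"))
        # A feed-listed address is a precursor while it only probes, but becomes an
        # indicator once the log shows it succeeded (HTTP 200 or an accepted login).
        if ip in IOCS["feed"]:
            kind = "indicator" if " 200 " in line or "Accepted" in line else "precursor"
            findings.append((kind, "feed", f"listed address {ip}"))
        # A hash known from a past investigation means malware is present: indicator.
        for h in IOCS["investigation"]:
            if h in line:
                findings.append(("indicator", "investigation", f"hash {h}"))
        # Count failed logins per source host (an SP 800-61 indicator example).
        if "Failed password" in line and ip:
            failed_by_ip[ip] = failed_by_ip.get(ip, 0) + 1
    for ip, n in failed_by_ip.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("indicator", "heuristic", f"{n} failed logins from {ip}"))
    return findings

def summarize(findings):
    # Precursor count feeds prevention work; indicator count feeds containment.
    return {k: sum(1 for f in findings if f[0] == k) for k in ("precursor", "indicator")}

# Constructed sample log lines: web server access log, endpoint AV, and sshd.
SAMPLE_LOGS = [
    '192.0.2.10 - - [13/Feb/2018:09:00:01 -0800] "GET /login HTTP/1.1" 403 0 "-" "Nikto/2.1"',
    '203.0.113.45 - - [13/Feb/2018:09:02:17 -0800] "GET /admin HTTP/1.1" 403 0 "-" "curl"',
    '198.51.100.7 - - [13/Feb/2018:09:05:44 -0800] "GET /account HTTP/1.1" 200 512 "-" "Mozilla"',
    "host7 av: quarantined invoice.exe sha256=a1b2c3d4e5f6a7b8",
] + [f"sshd[99]: Failed password for admin from 192.0.2.77 port 5{i:04d} ssh2" for i in range(5)]

if __name__ == "__main__":
    for kind, source, detail in triage(SAMPLE_LOGS):
        print(kind.upper(), source, detail)
    print(summarize(triage(SAMPLE_LOGS)))  # {'precursor': 2, 'indicator': 3}
```

The two precursors (a scanner and a listed address that only got 403s) are where prevention still has a chance; the three indicators are what should start containment.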

Containment, Eradication, and Recovery
- Containment is important before an incident overwhelms resources or increases damage
- Most incidents require some measure of containment
- Containment provides time for developing a tailored remediation strategy
- Containment strategies vary based on the type of incident

Post-Incident Activity
- Often called the "lessons learned" portion
- A study of incident characteristics may indicate systemic security weaknesses and threats, as well as changes in incident trends
- This data can be put back into the risk assessment process, ultimately leading to the selection and implementation of additional controls

The Full Life Cycle


Revisiting: How Many Times Have You Heard (or Said)
- "We've never been breached before"
- "Nobody cares about attacking our CU"
- "We have nothing that an attacker would want"
- "We can't afford to invest in"

Counterpoints: "We've never been breached before"
- Do you currently have the visibility or capability to discern this? Or has the organization simply been oblivious?
- Has the CU industry been targeted as of late?
- Have your partners or supply chain ever suffered a breach?

Counterpoints: "Nobody cares about attacking our CU"
- Upon what assumptions are these statements based? Perhaps the previous slide?
- If compute resources are connected to the Internet, you must always assume that at least ONE person wants to exploit or gain access to them
- The survival time is currently around 4 minutes for unpatched systems on the Internet

Counterpoints: "We have nothing that an attacker would want"
- The answer to this is almost always "Yes, we do"
- Money isn't the only asset an attacker would want
- Other assets include:
  - Compute resources (a.k.a. bots)
  - Intellectual property
  - Financial information
- Intangibles are tangible in an online world

Counterpoints: "We can't afford to invest in"
- What is the business tolerance for pain vs. expense?
- How much do the following cost the business?
  - Bad press
  - Downtime
  - Public breach disclosure
  - Opportunistic attack recovery (e.g. ransomware)

Some Unanticipated Costs To Consider
- Brand Damage: Can your CU brand navigate a highly publicized and damning breach? Will your partners return? Will your customers?
- Technology: Will a breach cause a knee-jerk purchasing reaction within your CU to prevent the same thing from happening again?
- Productivity: How long can you tolerate the disruption to the operational state of your CU?
- IP Loss: Lost future earnings by having your CU's intellectual property sold/used on the open market by competitors
- Innovation: Will innovation suffer because your CU is spending all of its time trying to recover from a breach?
- Perception: Will your CU have a permanent black mark in the eyes of potential employees, investors, and partners?

Quick Wins
So how can you make incremental improvements without...
- Rocking the boat...
- Ripping-and-replacing existing tools...
- Spending a fortune...

Quick Wins
- The easiest way to effect change is by taking small bites
- Large bites: NIST, ISO, COBIT, ITIL
- Small bites: CIS, CSA

CIS Controls for Effective Cyber Defense
- The CIS Controls are a set of internationally recognized measures developed, refined, and validated by leading IT security experts from around the world
- They represent the most important cyber hygiene actions every organization should implement to protect their IT networks
- A study by the Australian government indicates that 85% of known vulnerabilities can be stopped by deploying the Top 5 CIS Controls



Summary
- The threat and compliance landscape continues to evolve, as do the capabilities and prevalence of attackers
- A well-documented and executed incident response program will help limit the damage of a breach or cyber incident
- Your members rely on you to proactively protect their interests
- And it doesn't have to cost a fortune (or, in some cases, anything!)

Further Reading
- LEO Cyber Security Blog: http://leocybersecurity.com/blog/
- Yes, EU Data Regs Will Impact Credit Unions: http://www.cutimes.com/2017/05/05/yes-eu-data-regs-will-impact-credit-unions
- Cost of Data Breach Study: https://www.ibm.com/security/data-breach
- Verizon's 2017 Data Breach Investigations Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
- Privacy Rights Clearinghouse: https://www.privacyrights.org
- Center for Internet Security: https://www.cisecurity.org

Thank You! Questions?
Andrew Hay, CTO
+1.415.940.9660
andrew.hay@leocybersecurity.com
https://
https://twitter.com/andrewsmhay
Visit Us At: https://
LEO Cyber Security, 1612 Summit Avenue, Suite 415, Ft. Worth, TX 76102
info@leocybersecurity.com
@LeoCyberSec