Cyber Security for PSNTs John Burger, Colonel, U.S. Army (Retired) VP Strategy and Threat Management, Reliaquest
Agenda
Overview
Basic Controls for PSNTs
Third Party Risk
Liability Insurance
Summary
Cyberspace is Growing at an Exponential Rate
Library of Congress = 10 Terabytes. At best transmission line speed: 1998 = 16.5 days; 2017 = .00008 seconds
22 Billion Connected Devices projected by 2020 (3 per person on the planet)
Facebook launch, 2004; reaches 2 Billion users, 2017
[Chart: world population, Internet users and Facebook users, 2008 / 2012 / current; individual figures not recoverable from the slide]
Massive Technology Cycle
Relentless Threats: Nation State and Criminal
Growing unmanaged risk
Device Proliferation: Growing Attack Surface
Hybrid infrastructure: Bare metal, Virtual, Cloud
Dissolution of the Perimeter
Threat Actors and Exploits
Threat actors: Nation States, Hacktivists, Terrorists, Criminal Elements, Insider Threats
Exploits: Supply Chain Vulnerability, Phishing, Social Engineering, Wireless Access Points, Technical Exploitation
Humans Are Bad at Judging Risk
Humans underestimate risk we cannot visualize and in situations where we feel we are in control
[Slide odds figures: 1 in 251,800,000; 1 in 112,000,000]
Cyberspace Risks
Financial Loss (Cyber Crime): Credit Cards, Bank Accounts, Ransom, Health Care Records
Loss of Valuable Information (Cyber Espionage): Theft of Intellectual Property/US Technology; Theft of Trade Secrets/International Commerce or Acquisition plans
Loss (Disrupt, Degrade, Destroy) of Critical Infrastructure (Cyber Warfare): Typically perpetrated by Nation State actors in support of economic, political, or military objectives
Loss of the Narrative (Cyber Hacktivism): Deny adversary use of the Internet or social media; Retribution for a political, economic, or religious position
Cyber Crime
[Map: Russia, Romania highlighted]
In the US, Cyber Crime surpassed drug related crime in 2009
Global cybercrime was $3 trillion in 2015; it's expected to double to $6 trillion by 2021
The Russian Cyber underground is considered the pioneer
Current Market Rates for stolen credentials/identity:
Credit Cards: $0.50-$20.00 [1] (depending on brand, country of origin, credit score, timeliness, volume discounts)
Personal Identifying Information (PII): $1-$8 [2] (date of birth, driver's license, home address etc.)
Personal Identifying Information with Financial Account information: $20-$75 [2] (date of birth, driver's license, ...)
Health Insurance Information: $20.00-$40.00
Will Cyber Crime be stopped? Not likely. There are still safe havens and no international approach. In the near term, risks will have to be managed just like retail theft, based on loss thresholds.
Good news: Cyber criminals are opportunistic; they typically do not target a specific organization.
[1] Underground black market: Thriving trade in stolen data, malware, and attack services, Symantec
[2] Flashpoint Threat Intelligence, Pricing of Goods in the Deep and Dark Web, 5 Oct 2017
Cyber Security Controls for PSNTs
The Infrastructure Basics
Upgrade to Windows 10 (Windows Server 2016): many security improvements are built in
Enable data encryption with BitLocker
Enable Windows Firewall and Windows Defender if you cannot afford an antivirus or endpoint protection solution (e.g. Symantec Endpoint Protection, McAfee, Malwarebytes)
Implement an ad blocker (Adblock Plus is free)
Make sure all updates are automatically applied for Windows and for any loaded software that allows it
Don't advertise your wireless network SSID, and use Wi-Fi Protected Access version 2 (WPA2)
Data Backups and Recovery
Most loss of data is not the result of hackers
Know where your sensitive data is stored and who has access to it
3-2-1 is the saying for enterprise backups:
Three separate backups (Windows Internal, USB Drive, Cloud Backup)
Two different media types (Internal Drive, External Drive, Cloud Storage)
One off site (Cloud Storage)
Use a cloud backup service for your sensitive data: Encryption, Unlimited storage, File Versioning
Recovery as a Service vendors are emerging for Small/Medium businesses (Pax8)
Your mobile device likely has cloud backups occurring even if you do not know it (or maybe you do, because it keeps telling you the cloud is full!)
Passwords and Password Managers
Bad passwords are easy for an attacker to figure out: they are subject to brute force and dictionary attacks
Your pet's or your children's names are not good choices; neither is Fall2017
Choose a passphrase that ends up being 20 characters or longer (Upper/Lower Case, Number, Special Character)
Never share passwords between sites and services; wait, that sounds hard!
A password vault uses a master password to access the rest of your passwords (examples are LastPass, KeePass2, Dashlane, Okta etc.)
Pros: Separate passwords for each site; Mitigates sticky note password management; Encrypted repository
Cons: Have vulnerabilities like other software; If the master password is compromised, all passwords can be stolen
Enable Two-Factor Authentication
Uses another piece of information along with your password:
A web site or application sends you a one-time code via email or text (a bank site or application specific feature)
A physical token or hardware device (YubiKey; RSA Token)
An application on your phone that generates a code that rotates on a time interval (Google Authenticator (free), Twilio Authy (free), Duo, LastPass (recent))
Pair two-factor authentication with critical accounts such as your password vault, email, workstation or office network
General Security Awareness
Be suspicious of any link sent to you in email or posted on social media
Do not believe any too-good-to-be-true offers or outrageous claims that press for urgency
Do not open any attachment unless you were expecting it; call the sender to validate if necessary
Unless specifically designed for encryption, consider all communications unprotected and subject to monitoring
VPN encryption for network connections; use Signal or WhatsApp for phone and texting encryption (no, SMS text messages are not protected); Pretty Good Privacy (PGP) for email encryption
Other Must Do's
Third Party Risk Management
Cyber Security Third Party Risk arises when another entity (supplier, service provider, partner etc.) meets one or more of the following conditions:
Exchanges and/or stores sensitive information essential to your business (cloud providers)
Accesses business essential systems or data within your internal network (service providers)
Provides an information service or application essential to your business continuity (cloud apps)
Step 1: For each risk entity, ask for any independent third party assessments or compliance certifications (Payment Card Industry (PCI); Health Insurance Portability and Accountability Act (HIPAA); The Health Information Trust Alliance (HITRUST); Service Organization Controls 2 Type 2 (SOC 2, Type 2))
Step 2: For each risk entity, ask for their internal cyber risk assessment and any security program assessments (SANS Top 20; NIST Cyber Security Framework)
Step 3: Develop your own assessment questionnaire and update interval
Cyber Liability Insurance (Hiscox Insurance Co Cyber Readiness Report) [1]
More than half (57%) have experienced an attack in the past year
40% have cyber insurance; 28% intend to purchase in the coming year; 32% have no plans or interest; the US is the biggest market
Smaller firms are hit the hardest, have more significant impacts, and struggle to keep up; 62% of cyber breach victims are small to mid-sized businesses
Coverage can include: plaintiff lawsuits, Public Relations, forensics investigations, breach notification mailings, credit monitoring, regulatory defense, penalties and fines, attorney fees etc.
Insurance industry cyber risk models are very immature and there are significant differences in underwriting and assessment approaches: shop around, find an experienced cyber liability insurance broker, and beware of exclusions
Everyone should have (or at least explore) Cyber Liability Insurance
[1] The Hiscox Cyber Readiness Report 2017 is compiled from a survey of more than 3,000 executives, departmental leads, IT managers and other key professionals in the UK, US and Germany
Summary
The attack surface within the cyber domain is growing at the same exponential rate as the domain itself
The threats, particularly criminal, will not likely abate
Basic Security Controls go a long, long way: implement them
Don't forget about the security of your third parties; you are only as secure as your weakest partner
Everyone should have (or at least explore) Cyber Liability Insurance