Cyber Security for PSNTs John Burger, Colonel, U.S. Army (Retired) VP Strategy and Threat Management, Reliaquest

Agenda
- Overview
- Basic Controls for PSNTs
- Third Party Risk
- Liability Insurance
- Summary

Cyberspace is growing at an exponential rate
- 4.7 Libraries of Congress = 10 terabytes; time to transmit that at the best line speed of the day: 1998 = 16.5 days, 2017 = 0.00008 seconds
- 22 billion connected devices projected by 2020 (3 per person on the planet)
- Facebook launched in 2004 and reached 2 billion users in 2017
(Growth chart with user and device counts for 2000, 2008, 2012 and 2017 not reproduced in the transcription)

Massive Technology Cycle
- Relentless threats: nation state and criminal
- Growing unmanaged risk
- Device proliferation: growing attack surface
- Hybrid infrastructure: bare metal, virtual, cloud
- Dissolution of the perimeter

Threat Actors and Exploits
- Actors: nation states, hacktivists, terrorists, criminal elements, insider threats
- Exploits: supply chain vulnerability, phishing and social engineering, wireless access points, technical exploitation

Humans Are Bad at Judging Risk
- Humans underestimate risk we cannot visualize, and risk in situations where we feel we are in control
- Odds shown on the slide for comparison: 1 in 251,800,000 and 1 in 112,000,000 (the events they belong to are not in the transcription)

Cyberspace Risks
- Financial loss (cyber crime): credit cards, bank accounts, ransom, health care records
- Loss of valuable information (cyber espionage): theft of intellectual property and US technology; theft of trade secrets, international commerce or acquisition plans
- Loss of critical infrastructure, i.e. disrupt, degrade, destroy (cyber warfare): typically perpetrated by nation-state actors in support of economic, political or military objectives
- Loss of the narrative (cyber hacktivism): deny an adversary the use of the Internet or social media; retribution for a political, economic or religious position

Cyber Crime (slide map highlights Russia and Romania)
- In the US, cyber crime surpassed drug-related crime in 2009
- Global cyber crime cost $3 trillion in 2015 and is expected to double to $6 trillion by 2021
- The Russian cyber underground is considered the pioneer
- Current market rates for stolen credentials and identities:
  - Credit cards: $0.50-$20.00 [1] (depending on brand, country of origin, credit score, freshness, volume discounts)
  - Personally Identifiable Information (PII): $1-$8 [2] (date of birth, driver's license, home address, etc.)
  - PII with financial account information: $20-$75 [2] (date of birth, driver's license, etc., plus the account data)
  - Health insurance information: $20.00-$40.00
- Will cyber crime be stopped? Not likely: there are still safe havens and no international approach. In the near term, the risk has to be managed like retail theft, against loss thresholds.
- Good news: most cyber criminals are opportunistic and do not single out a particular organization, so the basic controls in the next section take you out of the easy-target pool.

[1] Underground black market: Thriving trade in stolen data, malware, and attack services, Symantec
[2] Flashpoint Threat Intelligence, Pricing of Goods in the Deep and Dark Web, 5 Oct 2017

Cyber Security Controls for PSNTs

The Infrastructure Basics
- Upgrade to Windows 10 (Windows Server 2016 on servers): many security improvements are built in
- Enable data encryption with BitLocker
- Enable Windows Firewall and Windows Defender; Defender is a full antivirus, so rely on it if you cannot afford a separate endpoint protection product (e.g. Symantec Endpoint Protection, McAfee, Malwarebytes)
- Install an ad blocker (Adblock Plus is free); malicious ads are a common delivery route for malware
- Make sure updates are applied automatically for Windows and for every installed application that supports it
- Do not broadcast your wireless network's SSID, and use WPA2 with AES (CCMP) rather than TKIP or WEP. Hiding the SSID is only a minor obscurity measure (clients still transmit the name in probe requests); WPA2 with a long, unique passphrase does the real work

Data Backups and Recovery
- Most loss of data is not the result of hackers
- Know where your sensitive data is stored and who has access to it
- 3-2-1 is the rule of thumb for enterprise backups: three copies of the data (the working copy on the Windows internal drive plus a USB drive and a cloud backup), on two different media types (internal drive, external drive, cloud storage), with one copy off site (cloud storage)
- Use a cloud backup service for your sensitive data: encryption, unlimited storage, file versioning
- Recovery-as-a-Service vendors are emerging for small/medium businesses (Pax8)
- Keep at least one copy offline or versioned so that ransomware which reaches a mounted backup drive cannot encrypt every copy, and test a restore periodically: a backup that has never been restored is an assumption, not a control
- Your mobile device likely has cloud backups occurring even if you do not know it (or maybe you do, because it keeps telling you the cloud is full!)
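The check a practitioner wants behind the 3-2-1 rule is whether each copy actually matches the source, since a corrupted or incomplete backup only reveals itself on restore day. The following is an added example, not code from the original deck: it hashes every file under a source tree and compares each backup copy against it. The directory names (internal, usb, cloud) and the sample files are constructed here so the script runs offline on a temporary directory.

```python
"""Verify that every backup copy matches the source, file by file.

Added example for the 3-2-1 backup slide; not code from the original
deck. The directory names (internal, usb, cloud) and the sample files
are constructed here so the script runs offline on a temp directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copies(source: Path, copies: dict) -> dict:
    """Compare each backup copy against the source.

    Returns {copy_name: [problem, ...]}; an empty list means the copy is
    a faithful mirror of the source at this moment.
    """
    expected = snapshot(source)
    report = {}
    for name, root in copies.items():
        actual = snapshot(root)
        problems = []
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing: {rel}")
            elif actual[rel] != digest:
                problems.append(f"mismatch: {rel}")
        for rel in sorted(actual.keys() - expected.keys()):
            problems.append(f"extra: {rel}")  # stale file the backup never removed
        report[name] = problems
    return report


def demo() -> dict:
    """Build a constructed source tree plus three copies, damage two, and verify.

    Constructed data: none of these files exist on the reader's system.
    """
    base = Path(tempfile.mkdtemp(prefix="backup321_"))
    try:
        source = base / "source"
        (source / "trust").mkdir(parents=True)
        (source / "trust" / "beneficiaries.csv").write_text("id,name\n1,A\n2,B\n")
        (source / "ledger.txt").write_text("2018-01-01 opening balance 100.00\n")

        copies = {}
        for name in ("internal", "usb", "cloud"):
            copies[name] = base / name
            shutil.copytree(source, copies[name])

        # Silent corruption on the USB drive (bit rot, a partial write, or a
        # ransomware process that also reached the mounted backup).
        (copies["usb"] / "ledger.txt").write_text("2018-01-01 opening balance 1OO.OO\n")
        # A file that never made it to the cloud copy.
        (copies["cloud"] / "trust" / "beneficiaries.csv").unlink()

        return verify_copies(source, copies)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for copy_name, problems in demo().items():
        print(copy_name, "OK" if not problems else problems)
```

Run it on a schedule against the real mount points and alert on any non-empty list; a mismatch on the only off-site copy is exactly the failure that 3-2-1 is supposed to make survivable.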

Passwords and Password Managers
- Bad passwords are easy for an attacker to figure out: they are subject to brute-force and dictionary attacks
- Your pet's or your children's names are not good choices; neither is Fall2017
- Choose a passphrase that ends up 20 characters or longer, mixing upper and lower case, a number and a special character
- Never share passwords between sites and services; wait, that sounds hard!
- A password vault uses one master password to unlock the rest of your passwords (examples: LastPass, KeePass2, Dashlane, Okta)
  - Pros: a separate password for each site; retires sticky-note password management; encrypted repository
  - Cons: vaults have vulnerabilities like any other software; if the master password is compromised, every stored password can be stolen, so make the master password a long passphrase and protect the vault with two-factor authentication (next slide)
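To show why Fall2017 fails and a 20-plus character passphrase holds, here is an added example (not code from the original deck) that scores a password against the two attacks the slide names, brute force over its character set and attacker rule patterns such as season-plus-year or pet-name-plus-digits, and generates a passphrase that meets the slide's policy. The guess rate of 10 billion per second, the pattern list and the 32-word list are assumptions for illustration; a real generator uses a diceware-style list of several thousand words.

```python
"""Score a password against brute-force and dictionary-style attacks.

Added example for the password slide; not code from the original deck.
Assumptions made for illustration: an offline attacker guessing 10 billion
candidates per second against a fast hash, a handful of attacker rule
patterns, and a small constructed word list.
"""
import math
import re
import secrets
import string

ASSUMED_GUESSES_PER_SECOND = 10_000_000_000  # assumption: one offline cracking rig, fast hash

# Shapes an attacker's rule set tries long before exhausting the keyspace:
# season or month + year, a name + digits, the usual suspects.
PREDICTABLE_SHAPES = [
    re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!.]?$", re.I),
    re.compile(r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}[!.]?$", re.I),
    re.compile(r"^(password|welcome|letmein|qwerty|admin)\d*[!.]?$", re.I),
    re.compile(r"^[a-z]{2,12}\d{1,4}[!.]?$", re.I),  # pet or child name + year or birthday
]

# Constructed word list for the generator (32 words = 5 bits per word;
# a 7,776-word diceware list gives about 12.9 bits per word).
WORDS = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "magnet", "needle",
    "orbit", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zipper", "bridge", "copper", "meadow",
    "planet", "silver", "thunder", "willow",
]


def character_classes(pw: str) -> int:
    """How many of lower, upper, digit, punctuation the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def keyspace_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    return size


def assess(pw: str) -> dict:
    """Brute-force cost plus a pattern check; the verdict follows the slide's policy."""
    space = keyspace_size(pw)
    bits = len(pw) * math.log2(space) if space else 0.0
    seconds = (space ** len(pw)) / ASSUMED_GUESSES_PER_SECOND if space else 0.0
    predictable = any(p.match(pw) for p in PREDICTABLE_SHAPES)
    if predictable or bits < 50:
        verdict = "weak"          # a rule attack or a few hours of brute force gets it
    elif len(pw) >= 20 and character_classes(pw) >= 3:
        verdict = "strong"        # the slide's 20+ character mixed passphrase
    else:
        verdict = "moderate"
    return {
        "length": len(pw),
        "classes": character_classes(pw),
        "brute_force_bits": round(bits, 1),
        "brute_force_seconds": seconds,
        "predictable": predictable,
        "verdict": verdict,
    }


def generate_passphrase(n_words: int = 4, wordlist=WORDS) -> str:
    """Random words joined with '-', first letter capitalised, plus a digit and a
    symbol so the result also satisfies mixed-class policies. Uses secrets, not random."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    words[0] = words[0].capitalize()
    return "-".join(words) + str(secrets.randbelow(10)) + "!"


if __name__ == "__main__":
    for candidate in ("Fall2017", "Fluffy2015", "Correct-Horse-Battery-Staple-42", generate_passphrase()):
        print(candidate, assess(candidate))
```

Fall2017 comes out at under 48 bits, roughly six hours of brute force at the assumed rate, and it also matches the season-plus-year rule, so in practice it falls in seconds; the generated phrase is both long enough to make brute force irrelevant and free of the shapes a rule set tries first.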

Enable Two-Factor Authentication
- Uses a second piece of evidence along with your password:
  - A web site or application sends you a one-time code via email or text message (a bank site or application-specific feature). This is the weakest form: an attacker who takes over your email account or your phone number (SIM swap) receives the code too
  - A physical token or hardware device: YubiKey, RSA token. A FIDO/U2F security key also resists phishing, because the browser binds the response to the real site's origin
  - An application on your phone that generates a code that rotates on a time interval: Google Authenticator (free), Twilio Authy (free), Duo, LastPass Authenticator (recent)
- Pair two-factor authentication with your critical accounts: the password vault, email, workstation and office network
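The rotating code produced by Google Authenticator, Authy and Duo is a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226): an HMAC over a 30-second counter, truncated to six digits. The following is an added example, not code from the original deck or from any of those products, showing both sides of the exchange: enrolling a fresh Base32 secret, generating the code, and verifying it with a one-step drift window using a constant-time comparison. The secret "12345678901234567890" and the sample times come from the RFCs' own test vectors; the account and issuer names in the provisioning URI are made up.

```python
"""RFC 6238 time-based one-time passwords, as used by authenticator apps.

Added example for the two-factor slide; not code from the original deck or
from any authenticator product. The test secret and sample times are the
RFC 4226/6238 test vectors; the account label is made up.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float = None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter = Unix time // step."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits, algo)


def verify_totp(key: bytes, code: str, at: float = None, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> bool:
    """Server side: accept the current code or one step either side for clock drift.

    Every candidate is compared with hmac.compare_digest and the loop never
    exits early, so response timing does not reveal which step matched.
    """
    if at is None:
        at = time.time()
    counter = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits, algo), code):
            ok = True
    return ok


def new_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse of new_secret; restores Base32 padding the apps leave off."""
    return base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that enrolment QR codes carry. It contains the raw
    secret, so treat the QR code like a password: show it once, never log it."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # Enrolment: server generates a secret, user scans it into the phone app.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.org", "PSNT"))  # made-up label
    key = decode_secret(secret)
    # Login: the app shows totp(key); the server checks it within the window.
    code = totp(key)
    print(code, verify_totp(key, code))
```

Note what the server must hold: the shared secret, in a store at least as well protected as the password hashes, and a reasonably accurate clock, since a server more than one step adrift rejects every legitimate code. Email and SMS codes skip all of this, which is exactly why they are easier to intercept.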

General Security Awareness
- Be suspicious of any link sent to you in email or posted on social media
- Do not believe any too-good-to-be-true offers or outrageous claims that press for urgency
- Do not open any attachment unless you were expecting it; call the sender to validate if necessary
- Unless a channel is specifically designed for encryption, consider all communications unprotected and subject to monitoring:
  - VPN encryption for network connections
  - Signal or WhatsApp for encrypted calls and texting; plain SMS text messages are not protected
  - Pretty Good Privacy (PGP) for email encryption

Other Must Do s

Third Party Risk Management
- Cyber security third-party risk arises when another entity (supplier, service provider, partner, etc.) meets one or more of the following conditions:
  - Exchanges and/or stores sensitive information essential to your business (cloud providers)
  - Accesses business-essential systems or data within your internal network (service providers)
  - Provides an information service or application essential to your business continuity (cloud apps)
- Step 1: For each risk entity, ask for any independent third-party assessments or compliance certifications: Payment Card Industry (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), HITRUST, SOC 2 Type II
- Step 2: For each risk entity, ask for their internal cyber risk assessment and any security program assessments (CIS Critical Security Controls, formerly the SANS Top 20; NIST Cybersecurity Framework)
- Step 3: Develop your own assessment questionnaire and an update interval, and re-run it on that interval rather than relying on a one-time answer

Cyber Liability Insurance (Hiscox Cyber Readiness Report) [1]
- More than half (57%) have experienced an attack in the past year
- 40% have cyber insurance; 28% intend to purchase in the coming year; 32% have no plans or interest; the US is the biggest market
- Smaller firms are hit the hardest, suffer more significant impacts, and struggle to keep up; 62% of cyber breach victims are small to mid-sized businesses
- Coverage can include: plaintiff lawsuits, public relations, forensic investigations, breach notification mailings, credit monitoring, regulatory defense, penalties and fines, attorney fees, etc.
- Insurance industry cyber risk models are very immature and there are significant differences in underwriting and assessment approaches: shop around, find an experienced cyber liability insurance broker, and beware of exclusions
- Everyone should have (or at least explore) cyber liability insurance

[1] The Hiscox Cyber Readiness Report 2017 is compiled from a survey of more than 3,000 executives, departmental leads, IT managers and other key professionals in the UK, US and Germany

Summary
- The attack surface within the cyber domain is growing at the same exponential rate as the domain itself
- The threats, particularly criminal, will not likely abate
- Basic security controls go a long, long way: implement them
- Don't forget about the security of your third parties; you are only as secure as your weakest partner
- Everyone should have (or at least explore) cyber liability insurance