Cybersecurity The Evolving Landscape


Presenter: Zach Shelton, CISA, Principal, DHG IT Advisory, Raleigh, NC (Zach.Shelton@DHG.com)
- 14+ years of experience in IT consulting; 11+ years with DHG IT Advisory
- Industry focus: financial institutions, loan sub-servicers, SaaS / technology companies, insurance companies, healthcare providers, manufacturing
- Service focus: Sarbanes-Oxley compliance; SOC 1 (SSAE 18) and SOC 2 attestation; internal audit / IT audit co-sourcing and staff augmentation

Cybersecurity Fatigue

Cybersecurity Fatigue
"I get tired of remembering my usernames and passwords. I never remember the PIN numbers; there are too many things for me to remember. It also bothers me when I have to go through even more security measures to access my things, or get locked out of my account because I accidentally typed in my password incorrectly."
Exhausting, yet very important for maintaining a strong cybersecurity posture.

Data Breach Trends

Breach Methods
- Mistakes, including accidental mis-delivery (data sent to the wrong recipient)
- Physical theft
- Malware
- Malvertising (malicious code delivered through online advertising networks)
- Deliberate cyber attack, including industrial espionage (e.g. Sony Studios)

Laws and Regulations (Recent Updates)

Be Careful With the Word "Breach"
- "Breach" has a legal meaning under breach-notification laws, and using it suggests you may already have legal liability.
- Security teams should use "security incident" until it has been determined that a breach, as the applicable law defines it, has actually occurred.

Federal Laws and National Regulations: GDPR
- General Data Protection Regulation (the EU regulation governing the processing and retention of personal data of people in the EU)
- Applied from May 25, 2018
- Fines of up to 4% of annual global turnover or 20 million euros, whichever is greater
- US impacts? It applies to US organisations that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of where the organisation itself is located.

State Laws: Data Breaches
- The slide cites 48 different state breach-notification laws; with Alabama and South Dakota enacting theirs in 2018, all 50 states now have one.
- They all vary in the timing, method, and extent of the notice required.
- Notification obligations carry timing requirements, so know which deadlines apply to you before an incident happens.

Assessing and Mitigating Risk

Information Security Lifestyle

SOC Report for Cybersecurity Risk Management: how it compares with the other SOC reports

| Report                | Purpose                                                                                   | Use of report | Report detail              | Guidance                                                                  |
| SOC 1                 | Controls at a service organisation relevant to user entities' financial reporting          | Restricted    | Testing detail included    | SSAE 18 (AT-C 320)                                                        |
| SOC 2                 | Controls related to the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) | Restricted | Testing detail included | SSAE 18 (AT-C 205) and TSP section 100 (Trust Services Criteria) |
| SOC 3                 | Same criteria as SOC 2, summarised for a general audience                                  | General users | Testing detail not included | SSAE 18 (AT-C 205) and TSP section 100                                   |
| SOC for Cybersecurity | Controls over the entity-wide cybersecurity risk management program                        | General use   | Testing detail not included | SSAE 18 (AT-C 205), AICPA Description Criteria and Trust Services Criteria |

Note: the original slide listed AT 101 and the "Trust Services Principles" as the SOC 2 / SOC 3 guidance and marked the SOC for Cybersecurity report as restricted. AT 101 was superseded by SSAE 18 for reports dated on or after May 1, 2017, the Principles were renamed the Trust Services Criteria, and the AICPA designates the SOC for Cybersecurity report as general use, which is what makes it suitable for boards and investors.

SOC Report for Cybersecurity Risk Management
- What: new guidance for the examination of, and reporting on, an organisation's cybersecurity risk management program
- Why: the AICPA is responding to requests for an independent, industry-agnostic assessment of how an organisation handles cybersecurity risk
- Who it is for: boards of directors, investors, key stakeholders

SOC Report for Cybersecurity Risk Management: Clarifications
- How does it differ from other SOC reports? It covers the entity-wide cybersecurity risk management program rather than the controls a service organisation operates for its customers, and it is a general-use report.
- Does it replace other frameworks? No; management selects the control framework (for example NIST CSF, ISO 27001/27002 or the Trust Services Criteria) and the examination is performed against it.
- Integration of other compliance requirements?
Structure of the report
- Management's description of the cybersecurity risk management program
- Management's assertion
- Practitioner's opinion
Description criteria: 9 categories addressing key risk areas (nature of business and operations; nature of information at risk; program objectives; factors affecting inherent cybersecurity risk; risk governance structure; risk assessment process; cybersecurity communications and quality of information; monitoring of the program; cybersecurity control processes)

Cybersecurity Threat Environment

Cost of a Breach
- 60% of attacks target small and medium-sized organisations
- In over half of successful breaches, attackers compromise the organisation within minutes
- Average time to identify and contain a breach: more than 266 days (197 days to identify plus 69 days to contain) [1]
- Average total cost of a data breach: $3.86 million (the study's global average; its US average was $7.91 million) [1]
[1] IBM / Ponemon Institute, 2018 Cost of a Data Breach Study

Cost of a Breach: Mega Breaches
- A mega breach is a breach of more than 1 million records
- The number of mega breaches has nearly doubled in the past five years [1]
- Average time to identify and contain a mega breach: more than 365 days [1]
- Estimated cost: about $40 million for a 1-million-record breach and about $350 million for a 50-million-record breach [1]
[1] IBM / Ponemon Institute, 2018 Cost of a Data Breach Study

Costs of a Breach: What's on the Line?
- Forensic investigation
- Brand damage
- Fraudulent transactions
- Vulnerability remediation (capital cost)
- Civil litigation
- Regulatory or industry fines / penalties

Top Vulnerabilities
- Limited monitoring / alerting
- Poorly configured devices
- Missing security patches / anti-malware
- Weak and default passwords
- Poor user awareness
The initial exploit in a security incident or data breach is typically simple and easy to avoid.

Top Vulnerabilities: End-User Awareness
Example: a phishing email impersonating the CIO asks the Controller for the company credit card details.

Top Vulnerabilities: Weak and Default Passwords
Example: the same password in use across accounts on the network (a user's domain password reused for the firewall admin account, or a vendor default that was never changed) means that one compromised credential grants administrative access to the firewalls.
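As an added example (not part of the deck), the audit a practitioner would run for exactly this weakness: given one password already known to an attacker (say, the one harvested by the phishing email above) and a short vendor-default list, find every account on every system that accepts it. The account data, system names, salts and the default list are constructed for the example; the hashing scheme (one salt per account, PBKDF2-HMAC-SHA256) is an assumption about how the credential stores are kept, and the point is that salted hashes do not let you spot reuse by comparing hashes, so the check re-derives each account's hash from the known plaintext.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# production stores should use a higher value (or Argon2/bcrypt).
PBKDF2_ITERATIONS = 60_000

# Assumption: a tiny vendor-default / common password list. A real audit would
# load a much larger list (vendor defaults, leaked-password corpora).
DEFAULT_PASSWORDS = ("admin", "password", "Password1", "cisco", "changeme", "firewall")

MIN_LENGTH = 14


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; one salt per account, as a sane credential store would do."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(system: str, user: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"system": system, "user": user, "salt": salt, "hash": hash_password(password, salt)}


def build_sample_accounts() -> list:
    """Constructed sample: four accounts across the domain and the edge firewall."""
    return [
        make_account("domain", "jsmith", "Spring2018!"),
        make_account("firewall", "admin", "Spring2018!"),  # same password reused on the firewall
        make_account("firewall", "netops", "cisco"),       # vendor default never changed
        make_account("domain", "ckelly", "correct horse battery staple"),
    ]


def find_reuse(accounts: list, known_plaintext: str) -> list:
    """Every account that accepts a password the attacker already knows.

    Per-account salts mean equal passwords do not produce equal hashes, so the
    check re-derives the hash under each account's own salt and compares.
    """
    hits = []
    for acct in accounts:
        candidate = hash_password(known_plaintext, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            hits.append((acct["system"], acct["user"]))
    return hits


def find_defaults(accounts: list) -> list:
    """Accounts still set to a vendor-default or common password."""
    hits = []
    for acct in accounts:
        for pw in DEFAULT_PASSWORDS:
            if hmac.compare_digest(hash_password(pw, acct["salt"]), acct["hash"]):
                hits.append((acct["system"], acct["user"], pw))
                break
    return hits


def check_policy(password: str) -> list:
    """Reasons a proposed password should be rejected at the time it is set."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in {p.lower() for p in DEFAULT_PASSWORDS}:
        reasons.append("on the default/common password list")
    return reasons


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print("accounts accepting jsmith's phished password:", find_reuse(accounts, "Spring2018!"))
    print("default passwords still in place:", find_defaults(accounts))
    print("policy check for 'Spring2018!':", check_policy("Spring2018!"))
```

Run against real credential stores this is a one-off audit, not a monitoring control: you only get to test plaintexts you legitimately hold (the phished user's password, the default list), and each check costs a full PBKDF2 derivation per account, which is the same cost that slows an attacker down.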

Evolving Modes of Attack
- Ransomware
- Social engineering
- IoT (Internet of Things)
- Vendor compromise
- Anti-forensic tools and techniques

Ransomware: the Top Cyber Threat to Businesses
- Simple business model: extortion
- Easy to acquire and deploy
- Multiple variants, difficult to trace and block
- Becoming more sophisticated
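Because variants change faster than signatures, ransomware is usually caught by behaviour rather than by hash. The following added example (not from the deck) runs a simple behavioural detector over a constructed set of file-activity events: it flags a user who, within a 60-second window, writes or renames at least 20 files that either carry a known ransomware extension or whose contents have the near-8-bits-per-byte entropy of encrypted data. Host names, user names, paths, thresholds and the event format are all assumptions for the example.

```python
import math
import os
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: extensions used by well-known families, an entropy
# cut-off (plain documents sit well below 6 bits/byte, ciphertext close to 8), and
# a "burst" of 20 such files within 60 seconds from one user on one host.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry", ".cerber"}
ENTROPY_THRESHOLD = 7.0
WINDOW = timedelta(seconds=60)
MIN_FILES = 20


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 for uniformly random bytes, 0.0 for one repeated byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(event: dict) -> bool:
    ext = os.path.splitext(event["path"])[1].lower()
    return ext in SUSPICIOUS_EXTENSIONS or shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD


def detect_ransomware(events: list, window=WINDOW, min_files=MIN_FILES) -> list:
    """One alert per (host, user) whose write/rename burst looks like mass encryption."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in ("write", "rename") and looks_encrypted(ev):
            by_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this actor's suspicious events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_files:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": evs[start]["ts"].isoformat(),
                    "files": end - start + 1,
                    "example_path": evs[end]["path"],
                })
                break
    return alerts


def build_sample_events() -> list:
    """Constructed sample: alice edits a few reports; bob's workstation encrypts a share."""
    rng = random.Random(7)
    t0 = datetime(2018, 10, 1, 9, 0, 0)
    text = b"Quarterly loan servicing report - draft 3. Figures subject to review.\n" * 40
    events = [
        {"ts": t0 + timedelta(minutes=3 * i), "host": "ws01", "user": "alice", "action": "write",
         "path": f"/shares/finance/report_{i}.docx", "data": text}
        for i in range(5)
    ]
    for i in range(30):
        ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted output
        events.append({"ts": t0 + timedelta(seconds=2 * i), "host": "ws07", "user": "bob",
                       "action": "write", "path": f"/shares/finance/contract_{i}.docx.locked",
                       "data": ciphertext})
    return events


if __name__ == "__main__":
    for alert in detect_ransomware(build_sample_events()):
        print(alert)
```

The two signals are deliberately independent: a family that keeps the original extension is still caught by the entropy of what it writes, and one that writes low-entropy decoy headers is still caught by the extension. Tune the window and count against your own file servers' normal peaks (backup jobs and bulk compressions also produce high-entropy bursts and need to be excluded by host or account).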

Case Studies

Case Study: Social Engineering
- A sophisticated phishing email deceived an authorised finance manager into wiring over $50,000.
- An example of lack of threat awareness among critical personnel.
- It is virtually impossible to recover the lost funds; the only real chance is an immediate recall request through the bank, before the money is moved on.

Case Study: Social Engineering (Data Theft)
- Phishing attempts to steal employee W-2s during tax filing season, typically an email impersonating an executive that asks HR or payroll for all employees' W-2 forms.
- Sophisticated tactics make the attacks appear innocuous.
Source: krebsonsecurity.com
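The two case studies above, and the CIO-impersonation phish under Top Vulnerabilities, share the same mechanics: a display name the recipient trusts, an address that is not the executive's, often a lookalike domain or an external Reply-To, and a request for money or W-2 data. The following added example (not from the deck) implements those checks as mail-gateway triage logic over three constructed messages, one legitimate and two modelled on the case studies. The domain example.com, the executive directory, the keyword list and the message texts are all assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organisation's own mail domain and a directory
# of executives likely to be impersonated (normalised display name -> real address).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com", "tom reyes": "tom.reyes@example.com"}
# Phrases that mark a request for money or employee data.
SENSITIVE_TERMS = ("wire", "w-2", "credit card", "gift card", "bank details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    from_dom = domain_of(from_addr)
    name_key = " ".join(from_name.lower().split())
    flags = []
    # 1. A trusted display name on an address that is not the executive's.
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        flags.append("display_name_impersonation")
    # 2. Sender domain within two edits of our own domain but not equal to it.
    if from_dom and from_dom not in INTERNAL_DOMAINS:
        if any(edit_distance(from_dom, d) <= 2 for d in INTERNAL_DOMAINS):
            flags.append("lookalike_domain")
    # 3. Replies silently redirected to a different domain.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append("reply_to_mismatch")
    # 4. The ask itself: money or employee data.
    if any(term in body for term in SENSITIVE_TERMS):
        flags.append("sensitive_request")

    strong = {"display_name_impersonation", "lookalike_domain"}
    suspicious = bool(strong & set(flags)) or (
        "reply_to_mismatch" in flags and "sensitive_request" in flags)
    return {"from": from_addr, "flags": flags, "verdict": "suspicious" if suspicious else "ok"}


# Constructed sample messages, modelled on the case studies; all addresses are fictitious.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board agenda
Content-Type: text/plain; charset=utf-8

The agenda for Thursday's board meeting is attached.
"""

PHISH_WIRE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.exec.office@webmail-example.net>
To: controller@example.com
Subject: Urgent - vendor payment
Content-Type: text/plain; charset=utf-8

I need a wire of $50,000 to the vendor below sent before noon. I am in meetings, so reply by email only.
"""

PHISH_W2 = """\
From: Tom Reyes <treyes.payroll@gmail.com>
To: hr@example.com
Subject: Employee W-2s
Content-Type: text/plain; charset=utf-8

Please send me the W-2 forms for all employees as a single PDF today.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("wire fraud", PHISH_WIRE), ("W-2 theft", PHISH_W2)):
        print(name, analyze_message(raw))
```

Header checks like these stop the crude cases; the finance-process control that actually closes the gap is an out-of-band callback on a known number for any payment or payroll-data request, regardless of what the email looks like.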

Takeaways

To-do's: Easy Wins
1. Block malware
- Keep Windows patches up to date
- Ensure consistent anti-malware is installed on all systems and kept up to date
2. Use strong passwords
- Change periodically (current NIST SP 800-63B guidance is to force a change on evidence of compromise rather than on a fixed schedule)
- Use long passwords or passphrases with complexity
- Don't reuse passwords
- Use a password manager
4. Consistent system configurations
- Remove administrative privileges from everyday user accounts
- Whitelist authorised applications
5. Encrypt and back up sensitive data
- Especially laptops and removable media
- Know what and where your valuable data is
6. End-user awareness training
- Ongoing training for all users
- Periodic testing (e.g. simulated phishing)
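"Know what and where your valuable data is" is the step most organisations skip, and it is what decides which laptops and shares need the encryption and backups above. As an added example (not from the deck), a minimal data-discovery scan: it searches a set of constructed text files for payment card numbers and US Social Security numbers, validates candidate card numbers with the Luhn check so that order numbers and phone numbers are not reported, and returns only masked values so that the scan output is not itself a new copy of the sensitive data. File names and contents are constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN in 000-00-0000 form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any report the scan produces."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask(m.group().replace("-", ""))))
    return findings


def scan_files(files: dict) -> dict:
    """Map of file name -> findings, for files that contain at least one hit."""
    results = {}
    for name, text in files.items():
        hits = scan_text(text)
        if hits:
            results[name] = hits
    return results


def build_sample_files() -> dict:
    """Constructed sample files: one with real-looking PII, one with look-alike numbers, one clean."""
    return {
        "hr/payroll_2018.txt": "Employee 4471, SSN 123-45-6789, reimbursement card 4111 1111 1111 1111 on file.",
        "sales/notes.txt": "Order 4111111111111112 shipped 2018-10-03; customer callback 555-0100.",
        "it/backup_policy.txt": "Nightly encrypted backups of the finance share, retained 90 days.",
    }


if __name__ == "__main__":
    for name, hits in scan_files(build_sample_files()).items():
        print(name, hits)
```

In practice the same scan runs over file shares, mailboxes and database exports with a much longer pattern set; the two design points that carry over are validation before reporting (Luhn, SSN range rules) and never writing the unmasked match into the findings.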

DHG IT Advisory Cybersecurity Services
- Cybersecurity risk assessments
- Payment Card Industry (PCI) assessments
- SOC 1 and SOC 2 examinations and SOC for Cybersecurity
- Penetration testing and vulnerability scanning
- Security policy development assistance
- Social engineering assessments
- Digital forensics and incident response

Contact: Zach Shelton, CISA, Principal, DHG IT Advisory, zach.shelton@dhg.com, 919.912.9224
