Cybersecurity: The Evolving Landscape
Presenter
Zach Shelton, CISA
Principal, DHG IT Advisory
Zach.Shelton@DHG.com
Raleigh, NC
14+ years of experience in IT Consulting
11+ years of experience with DHG IT Advisory
Industry Focuses:
+ Financial Institutions
+ Loan Sub-Servicers
+ SaaS / Technology companies
+ Insurance Companies
+ Healthcare Providers
+ Manufacturing
Service Focus:
+ Sarbanes-Oxley compliance
+ SOC 1 (SSAE 18) and SOC 2 attestation
+ Internal Audit / IT Audit Co-Sourcing & Staff Augmentation
Cybersecurity Fatigue
Cybersecurity Fatigue
I get tired of remembering my usernames and passwords. I never remember the PIN numbers; there are too many things for me to remember. It also bothers me when I have to go through even more security measures to access my things, or get locked out of my account because I accidentally typed in my password incorrectly.
Exhausting, yet VERY important to maintain a strong cybersecurity posture.
Data Breach Trends
Breach Methods
Mistakes
+ Accidental mis-delivery
Physical theft
Malware
+ Malvertising (malicious advertising)
Deliberate cyber attack
+ Industrial espionage (Sony Studios)
Laws and Regulations (Recent Updates)
Careful With the Word "Breach"
"Breach" has a legal meaning
Using it suggests you may have legal liability
Security teams should say "Security Incident" until it's determined that a breach has occurred
Federal Laws and National Regulations
GDPR
+ General Data Protection Regulation
+ Use and retention of EU personal information
+ May 25, 2018 deadline
+ Fines of up to 4% of global annual revenue or 20 million euros, whichever is higher
US Impacts?
State Laws
Data Breaches
48 different state laws
+ All vary in timing, method, and extent of notice required
Notification Obligation(s)
+ There are timing requirements
Assessing and Mitigating Risk
Information Security Lifestyle
SOC Report for Cybersecurity Risk Management
SOC 1
+ Purpose: Report on controls relevant to financial reporting
+ Use of report: Restricted
+ Report detail: Testing detail included
+ Guidance: SSAE 18
SOC 2
+ Purpose: Report on controls related to the Trust Services Principles (TSP)
+ Use of report: Restricted
+ Report detail: Testing detail included
+ Guidance: AT 101, Trust Services Principles
SOC 3
+ Purpose: Report on controls related to compliance and operations
+ Use of report: General users
+ Report detail: Testing detail not included
+ Guidance: AT 101, Trust Services Principles
SOC for CRMF (Cybersecurity Risk Management Framework)
+ Purpose: Report on controls related to enterprise cyber risk management
+ Use of report: Restricted
+ Report detail: Testing detail not included
+ Guidance: SSAE 18, Description criteria
SOC Report for Cybersecurity Risk Management
WHAT: New guidance for the examination of, and reporting on, an organization's cybersecurity risk management program
WHY: The AICPA is responding to requests for independent, industry-agnostic assessments of how an organization handles cybersecurity risk
WHO:
+ Boards of directors
+ Investors
+ Key stakeholders
SOC Report for Cybersecurity Risk Management
Clarifications
+ How does it differ from other SOC reports?
+ Does it replace other frameworks?
+ Integration of other compliance requirements?
Structure
+ Description
+ Assertion
+ Opinion
Description Criteria
+ 9 control categories addressing key risk areas
Cybersecurity Threat Environment
Cost of a Breach
60% of attacks target small and medium-sized organizations
In over half of successful breaches, attackers can compromise an organization within minutes
Average time to discover a breach: > 266 days (1)
Average cost of a data breach: $3.86 million (1)
(1) IBM 2018 Cost of Data Breach Study - United States
Cost of a Breach: Mega Breaches (1)
Breaches of more than 1 million records
The number of these breaches has doubled in the past 5 years (1)
Average time to discover a breach: > 365 days (1)
Cost of a data breach, 1 million records: $40 million (1)
Cost of a data breach, 50 million records: $350 million (1)
(1) IBM 2018 Cost of Data Breach Study - United States
Costs of a Breach: What's on the Line?
1. Forensic Investigation
2. Brand Damage
3. Fraudulent Transactions
4. Vulnerability Remediation (Capital Cost)
5. Civil Litigation
6. Regulatory or Industry Fines / Penalties
Top Vulnerabilities
Limited monitoring / alerting
Poorly configured devices
Missing security patches / antimalware
Weak and default passwords
Poor user awareness
The exploit that starts a Security Incident (or Data Breach) is typically simple and easy to avoid.
Top Vulnerabilities: End-User Awareness
Phishing email impersonating the CIO and requesting the Controller's credit card information
Top Vulnerabilities: Weak and Default Passwords
Password commonality (the same password reused across systems on the network) grants admin access to the firewalls
Evolving Modes of Attack
Ransomware
Social engineering
IoT (Internet of Things)
Vendor compromise
Anti-forensic tools and techniques
Ransomware: TOP CYBER THREAT TO BUSINESSES
Simple business model: extortion
Easy to acquire and deploy
Multiple variants, difficult to trace and block
Becoming more sophisticated
Case Studies
Case Study: Social Engineering
Sophisticated email phishing attack deceives an authorized finance manager into wiring over $50,000
Example of lack of threat awareness by critical personnel
Virtually impossible to recover the lost funds
Case Study: Social Engineering (Data Theft)
Source: krebsonsecurity.com
Phishing attempts to steal employee W-2s during tax filing season
Sophisticated tactics make the attacks appear innocuous
Takeaways
To-do's: Easy Wins
1. Block Malware
+ Keep Windows patches up-to-date
+ Ensure consistent antimalware is installed on all systems and kept up-to-date
2. Use Strong Passwords
+ Change periodically
+ Use long passwords (or phrases) with complexity
+ Don't reuse passwords
+ Use a password manager
To-do's: Easy Wins
4. Consistent System Configurations
+ Remove administrative privileges
+ White-list authorized applications
5. Encrypt and Back Up Sensitive Data
+ Especially laptops and removable media
+ Know what and where your valuable data is
6. End-User Awareness Training
+ On-going training for all users
+ Periodic testing
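A host-level self-check for the Easy Wins above, added here as an example; it is not code from the deck or from DHG. It assumes a Windows 10 or Server 2016+ machine running Microsoft Defender, an elevated PowerShell 5.1 session, and the built-in LocalAccounts, AppLocker and BitLocker modules. The thresholds it applies (a patch within the last 30 days, signatures under 7 days old, a 14-character minimum password length, at most two members in the local Administrators group) are illustrative choices and not figures the slides give. It covers items 1, 2, 4 and 5; item 6 (awareness training) is a process, not a host setting.

```powershell
# Added example: "Easy Wins" self-check for one Windows host.
# Assumptions: elevated PowerShell 5.1, Windows 10 / Server 2016+, Microsoft Defender.
# All thresholds below are illustrative, not values from the presentation.
$Results = [System.Collections.Generic.List[object]]::new()
function Add-Result {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $Results.Add([pscustomobject]@{
        Check  = $Check
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# 1. Block malware: age of the newest installed update and Defender state.
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAgeDays = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Result 'Windows patches' ($patchAgeDays -le 30) "Newest hotfix $($lastFix.HotFixID) installed $patchAgeDays days ago"

$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $sigAge = $mp.AntivirusSignatureAge
    Add-Result 'Antimalware' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $sigAge -le 7) `
        "Defender enabled=$($mp.AntivirusEnabled), real-time=$($mp.RealTimeProtectionEnabled), signatures $sigAge days old"
} else {
    Add-Result 'Antimalware' $false 'Get-MpComputerStatus unavailable; verify third-party antimalware manually'
}

# 2. Strong passwords: local account policy minimum length, parsed from `net accounts`.
$netAccounts = net accounts 2>$null
$minLen = if (($netAccounts | Out-String) -match 'Minimum password length\s+(\d+)') { [int]$Matches[1] } else { 0 }
Add-Result 'Password length' ($minLen -ge 14) "Minimum password length is $minLen characters"

# 4. Consistent configuration: who holds local admin, and whether AppLocker has any effective rules.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Add-Result 'Local administrators' ($admins.Count -le 2) "Members: $($admins -join ', ')"

$ruleCount = 0
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $ruleCount = $policy.SelectNodes('//FilePublisherRule | //FilePathRule | //FileHashRule').Count
} catch { }
Add-Result 'Application whitelisting' ($ruleCount -gt 0) "$ruleCount effective AppLocker rule(s)"

# 5. Encrypt sensitive data: BitLocker on the system drive.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Result 'Disk encryption' ([bool]$bl -and $bl.ProtectionStatus -eq 'On') "BitLocker protection status: $($bl.ProtectionStatus)"

$Results | Format-Table -AutoSize
```

Run it and review the FAIL rows. A non-zero AppLocker rule count only shows that rules exist; each RuleCollection also carries an EnforcementMode attribute, and AuditOnly means nothing is actually blocked, so read that attribute before crediting the whitelist. The local-administrator check lists members rather than deciding for you, because the right answer is "the built-in Administrator plus whatever break-glass account your policy names", which the script cannot know.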
DHG IT Advisory: Cybersecurity Services
Cybersecurity Risk Assessments
Payment Card Industry (PCI) Assessments
SOC 1 and 2 Examinations & SOC for Cyber
Penetration Testing and Vulnerability Scanning
Security Policy Development Assistance
Social Engineering Assessments
Digital Forensics & Incident Response
Contacts
Zach Shelton, CISA
Principal, DHG IT Advisory
zach.shelton@dhg.com
919.912.9224