It Only takes one click


Transcript of It Only takes one click

© John Nieto

THE 2019 REDW TRIBAL FINANCE & LEADERSHIP CONFERENCE

IT ONLY TAKES ONE CLICK! ARE YOU CYBER-SECURE?

Achieving CyberHealth

Jennifer Moreno, CISA

Don’t forget to scan your badge if you want to earn CPE credit for this session!

AGENDA

• Cyber-Risk – Mitigating the Risk

• Business Email Compromise

• Ransomware

• Security Awareness Education

• Multi-factor Authentication

• Payment Card Industry (PCI DSS)


WHAT IS CYBER-RISK?

Cyber-Risk means any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems.

-Institute of Risk Management


Cyber-Risk = Business Risk

Hacked or System Failure? = Business Interruption

Breached? = Reputational Loss, Liability Claims

Non-Compliant? = Fines & Legal Action

VERIZON’S 2019 DATA BREACH INVESTIGATIONS REPORT (DBIR)

• 71% of breaches were financially motivated

• 43% of breaches involved small businesses

• 29% involved stolen credentials

• 32% involved phishing

• 69% of breaches perpetrated by outsiders

• 56% of breaches took months or longer to discover

• Social engineering targeting personal information remains high

VERIZON’S 2019 DATA BREACH INVESTIGATIONS REPORT (two chart slides; no text content extracted)

TO ERR IS HUMAN

95% of all data breaches result from human error

“Amateurs hack systems. Professionals hack people.” -Bruce Schneier

BECOME RESILIENT!

OLD → NEW

Data: On Premise → Cloud
Computers: On Premise → Anywhere
Perimeter: Local Internet Connection → Everywhere
Firewall: Digital Gateway → People
Prevention → Resilience

CYBERHEALTH

Our ability and willingness to protect ourselves and others from imminent harm, and stay safe from those who would exploit our families and community.

A COMMON, & COSTLY, MISUNDERSTANDING

• CyberHealth is no longer a technology issue.

• It’s now a cultural & behavioral issue.


MITIGATE THE RISK

Components of a cyber-risk mitigation program (each is reviewed in the steps that follow):

• Governance & Compliance
• Policies & Procedures
• Cyber-Security Technology
• Security Education & Awareness
• Monitoring & Assessment
• Insurance Coverage
• Incident Response
• Recovery

STEP 1: IT GOVERNANCE REVIEW

• How have IT strategy and planning been formulated?

• Is there an established, executive-level IT oversight committee involved with major decisions?

• Is there a formal IT vendor qualification and approval process?

• Who is responsible for executing IT strategy?

• What regulatory requirements are applicable?

• Is all software licensed and documented?


STEP 2: POLICY & PROCEDURE REVIEW

• Inventory and evaluate current policies and procedures
• Approved regulatory policy requirements (Privacy and Security)
• Separate set of standard IT policies
• Are policies approved?
• Review and update at least annually


STEP 3: CYBER-TECHNOLOGY REVIEW

• Assess overall security technology & architecture
• Annual IT Risk Assessment / Regulatory Assessments or Audit
• Vulnerability Scans / Penetration testing
• Backup / Recovery procedures
• Firewalls / IDS / IPS / Content blocking / Endpoint protection
• Asset inventory and destruction process
• Third party vendor review: SOC report review, confidentiality agreement, what are their security controls?


STEP 4: SECURITY EDUCATION & AWARENESS REVIEW

• Assess current & past security education & awareness efforts: training modules, quizzes, phishing assessments, current events / videos, posters / infographics
• Identify regulatory requirements for security education & awareness


STEP 5: MONITORING & ASSESSMENT REVIEW

• Assess existing monitoring systems

• Assess existing assessment methods of technology systems

• Assess existing assessment methods of employee behavior


STEP 6: CYBER-LIABILITY INSURANCE REVIEW

• Look for complementary pre-breach services – a cyber-policy should not be an upsell opportunity.

• Insist on post-breach services, such as a breach coach, and check them out.

• Ask if you can use your own forensic/recovery specialists or you are required to use insurer’s choice.

• Is there coverage for Business Interruption?

• Evaluate current coverage of existing policies

• Consider an independent professional review of your current or proposed policy

STEP 7: INCIDENT RESPONSE (CSIRP)

• Assess existing incident response policy & documentation
• Identify key players and their roles
• Training and testing (table-top exercises)
• Incident classification (systems down, malware infection, breach)
• Investigative process
• Containment, eradication & recovery
• Reporting process

STEP 8: RECOVERY

• The Disaster Recovery and Business Continuity Plans need to be tested at least annually

• Ensure that recovery from a loss of operation and/or data can be assured

• Business Impact Analysis to identify RPOs and RTOs


DON’T GET HOOKED – PHISHING & SOCIAL ENGINEERING

Social Engineering: The use of deception to trick individuals into providing confidential information

Phishing: A form of social engineering using email and fake websites as the method of deception

BUSINESS EMAIL COMPROMISE (BEC)


SPEAR PHISHING


EMAIL RED FLAGS: STOP, LOOK, THINK!

• Recognize the sender (verify the actual email address, not just the display name)
• Message recipients
• Date and time of the message
• Subject – is it relevant?
• Inspect the email content: tone; grammar, punctuation and spelling; attachments; being asked to click a link; being asked for personal information or credentials

EMAIL RED FLAGS: STOP, LOOK, THINK!

• Sense of urgency or threatening tone
• Hyperlinks: http vs https; hover over the link to see where it really goes; scrutinize the link (the domain that matters is the one immediately before the first single “/”):
  » https://www.bankofamerica.com (legitimate)
  » https://www.bankofannerica.com (lookalike spelling)
  » https://wwwbankofamerica.community.com (brand name used as a subdomain of community.com)
  » https://143.127.22.13/bankofamerica.com (bare IP address; the brand name is only in the path)
• Tiny URL – http://goo.gl/3akWbr (a shortened link hides the real destination)
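To make the link checks above concrete, here is an added example (not from the original slides) that applies the same red-flag rules to a URL in code: scheme, IP-address host, registrable domain versus the expected one, lookalike spellings, brand name pushed into a subdomain or path, and known shorteners. It uses the slide's own sample links as constructed input; the shortener list, the lookalike table and the two-label approximation of the registrable domain are assumptions (a production check would use the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of link shorteners; a shortened link hides the real destination.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Character sequences that look alike in many fonts (rn/nn vs m, vv vs w, 0 vs o, 1 vs l).
LOOKALIKES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels of the host.
    Assumption/simplification: a real check uses the Public Suffix List so that
    e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalikes(name):
    """Collapse lookalike sequences so 'bankofannerica' compares equal to 'bankofamerica'."""
    for seq, real in LOOKALIKES:
        name = name.replace(seq, real)
    return name


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url, expected_domain):
    """Return the red flags for a hyperlink that claims to lead to expected_domain.
    An empty list means none of the checks fired."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    brand = expected.split(".")[0]          # e.g. "bankofamerica"

    if parts.scheme != "https":
        flags.append("not https")
    if not host:
        flags.append("no host")
        return flags

    if is_ip_literal(host):
        flags.append("ip address instead of a domain name")
    else:
        domain = registrable_domain(host)
        if domain in SHORTENERS:
            flags.append("shortened link hides destination")
        elif domain != expected:
            if normalize_lookalikes(domain) == expected:
                flags.append("lookalike domain")
            else:
                flags.append("domain mismatch: " + domain)
        # The brand name left of the real domain is a classic trick:
        # wwwbankofamerica.community.com belongs to whoever owns community.com.
        if brand in host and domain != expected and domain not in SHORTENERS:
            flags.append("brand name used as a subdomain of " + domain)
    if brand in parts.path.lower():
        flags.append("brand name in path, not in domain")
    return flags


# Constructed input: the sample links from the slide, all claiming to be Bank of America.
SAMPLE_LINKS = [
    "https://www.bankofamerica.com",
    "https://www.bankofannerica.com",
    "https://wwwbankofamerica.community.com",
    "https://143.127.22.13/bankofamerica.com",
    "http://goo.gl/3akWbr",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        flags = check_link(link, "bankofamerica.com")
        print(link, "->", "OK" if not flags else "; ".join(flags))
```

Only the first link comes back clean; each of the others trips at least one of the rules the slide describes. The lookalike table is deliberately small: in practice attackers also use Unicode homoglyphs (Cyrillic "а" for Latin "a"), which hovering reveals only if the mail client shows the punycode form.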


RANSOMWARE - $11.5 BILLION IN 2019 … THE COST OF NOT EDUCATING OUR EMPLOYEES


…AND BY 2021?

Damage related to cybercrime is projected to hit $6 trillion annually by 2021. -Cybersecurity Ventures

Cyber-attacks and security breaches will happen, and will adversely impact your organization.


RANSOMWARE

• Malicious software (malware) that encrypts the victim’s files, then demands payment for the key that restores access

• Delivered by harmful email attachments, websites, outdated browser plug-ins, text messages

• Holds your files hostage instead of corrupting them like other traditional viruses


A VERY SUCCESSFUL “BUSINESS”

• FBI does not recommend paying the ransom

• Cyber criminals don’t have to keep their side of the bargain

• If you do receive the decryption key, keep in mind: data may be permanently unrecoverable if there is a flaw in the decryptor, and files may not function properly after decryption

• Paying marks you as a willing payer, so you may be targeted again in a future attack

RANSOMWARE INFECTION VECTORS

• Most commonly spread through phishing emails with attachments disguised as an invoice, PDF, ZIP or even an audio file such as a fake voice message

• Pirated or Free software / games

• Malicious websites

• Legitimate websites taken over by cyber criminals


RANSOMWARE MITIGATION

• Security Awareness Training on email safety and phishing – when in doubt, contact the IT team for assistance
• Have documented and regularly tested backup and restore procedures (keep at least one copy offline or otherwise unreachable from the network, so the ransomware cannot encrypt the backups too)
• Regularly install software updates and patches
• Updated end-point protection on all systems
• Keep browser plug-ins up to date (Java, Flash, Adobe)
• Disable web browser pop-up windows
• Disable browser plug-ins, or set them to prompt before running

SECURITY AWARENESS TRAINING – CONTINUOUS EDUCATION FOR YOUR TEAM

• Email security and phishing
• Protecting and destroying sensitive data
• Internet safety (pop-ups, URL addresses)
• Safe Social Networking (Facebook, Twitter, LinkedIn etc.)
• Mobile device & mobile app safety
• Smishing / Vishing
• Multifactor Authentication (aka MFA) / Passwords & PINs
• Physical Security – protect people and property
• Social Engineering
• Insider threats (malicious and unintentional)
• Regulatory compliance training (PCI, GLBA, GDPR, HIPAA)

SECURITY AWARENESS TRAINING –ONLINE CONTENT


IMPLEMENTATION TIPS

• Understand the prevailing culture
• Educate leadership on the risk of uneducated workers
• Sell the program by reminding workers that this will help them personally
• Stand firm on what you believe your organization minimally needs
• Have an approved policy in place: plan early to deal with non-compliance with meaningful sanctions; zero tolerance for those who fail to complete remedial programs
• Accept that no software is perfect, and clearly understand its limitations
• Measure and report success as well as failure

MULTI-FACTOR AUTHENTICATION (MFA)

• MFA is a security feature that requires more than one method of authentication before granting access to a system or account

• Additional layer of security to prevent hackers from gaining access to your organization, even if credentials are compromised

• Without MFA, one phished or reused password is enough to walk past every other layer of protection

• Comes in different forms: a one-time PIN or passcode (authenticator app, SMS, hardware token) or biometrics
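The "one-time passcode" form of MFA is almost always a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the slides, showing both the code generation an authenticator app performs and the server-side check, using the reference secret from the RFCs as constructed input. One caveat worth knowing: a TOTP code is only bound to a 30-second window, not to the site, so a real-time phishing proxy can relay it; phishing-resistant factors such as FIDO2 security keys (the "key fobs" and "USB drives" on the next slide) do not have that weakness.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every 30 s."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Server-side check. Accept the code for the current step and +/- `window`
    adjacent steps to absorb clock drift; compare in constant time so the
    comparison does not leak how many digits matched."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(encoded):
    """Authenticator apps enrol the shared secret as base32 (the QR code payload).
    Pad to a multiple of 8 characters because many issuers strip the '='."""
    encoded = encoded.strip().replace(" ", "").upper()
    encoded += "=" * (-len(encoded) % 8)
    return base64.b32decode(encoded)


# Constructed input: the RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))               # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(RFC_SECRET, 59, digits=8))    # 94287082 per RFC 6238
    print("TOTP now      :", totp(RFC_SECRET, time.time()))
```

The drift window is the usual trade-off: one step either side tolerates phones a few seconds off, while a wider window gives an attacker who captured a code more time to replay it. A real server must also reject a code that has already been used in its window.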


MFA PRIORITIES

• Email (Office 365)

• Social Media

• Financial Accounts

• Password Managers

• Mobile Devices

• Key Fobs

• USB drives


NOT USING MFA…

• Approved and communicated Password Policy

• Password complexity enforced using Group Policy; consider pass phrases (length does more for strength than special-character rules)

• Change passwords regularly, and immediately whenever compromise is suspected (note that NIST SP 800-63B no longer recommends forced periodic rotation on its own, because it pushes users toward predictable variations)

• Don’t reuse the same password across accounts

• Password Manager Software (LastPass, Dashlane, many others)


PAYMENT CARD INDUSTRY (PCI)

The PCI Security Standards Council (PCI SSC) is the governing body, formed by:

• American Express
• Discover Financial Services
• JCB International
• MasterCard Worldwide
• Visa, Inc.

PCI DSS – DATA SECURITY STANDARD

• Each of the 5 major payment card companies had its own security standard

• In 2004 they combined these into the PCI Data Security Standard (PCI DSS); the PCI SSC was formed in 2006 to maintain it

• Current version PCI DSS 3.2.1 (2018): 12 requirements with over 250 individual security controls

• PCI DSS was developed to protect cardholder data from payment card fraud

• Not a federal law, but contractually mandated by the payment card brands

SOBERING STATISTICS

• 1.1 billion payment cards in the US in 2016

• Payment card fraud is the most common form of identity theft (38.7%)

• 15.4 million victims of credit/debt card identity theft in 2016

• Total annual loss from payment card fraud - $22 billion in 2016


CARD PROCESSING ECO-SYSTEM VULNERABILITIES

• Point-of-sale devices

• Computers and servers

• Wireless hotspots

• Web shopping applications

• Paper storage systems

• Unsecured transmission of cardholder data to service providers


PCI DSS - DATA PROTECTION

What cardholder data are you storing?

Cardholder data covered by PCI DSS: primary account numbers (PAN), cardholder names, expiration dates, service codes. (Sensitive authentication data – full track data, CVV2/CVC2 codes and PINs – may never be stored after authorization, even encrypted.)

Protective measures identified in PCI DSS:

• Technical and non-technical policies and procedures to ensure data and equipment security
• Security management training
• Network architecture and software design safeguards

PCI DATA SECURITY STANDARD: WHO NEEDS TO COMPLY?

• Any organization that accepts card payments and stores, processes or transmits payment card information – regardless of the number of transactions.

• Compliance comes in many flavors – there are different levels of compliance requirements.

PCI COMPLIANCE IS A CONTINUOUS PROCESS

Assess
• Identify cardholder data
• Take inventory of your IT assets and business processes for payment card processing
• Analyze for vulnerabilities that could expose cardholder data

Remediate
• Fix vulnerabilities
• Only store necessary cardholder data

Report
• Compile and submit required remediation validation records
• Submit compliance reports to the acquiring bank and/or credit card brands you do business with

-PCI SSC Quick Reference Guide
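The "Identify cardholder data" step is usually where organizations are surprised: PANs turn up in logs, spreadsheets and support tickets nobody thought of. The block below is an added example (not from the slides or the PCI SSC guide) of the discovery technique a scan tool uses: find digit runs of card length, keep only those that pass the Luhn check digit (this drops timestamps, order numbers and phone numbers), and report them masked to the first six and last four digits, which is the most PCI DSS 3.2.1 requirement 3.3 allows to be displayed. The log excerpt is constructed and uses the well-known test card numbers; the regular expression is my own and intentionally simple.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check digit (ISO/IEC 7812): double every second digit from the right,
    subtract 9 from any result above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS 3.2.1 requirement 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return masked PANs found in free text. Digit runs that fail Luhn
    (timestamps, order ids, phone numbers) are dropped to cut false positives."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample: an application log of the kind such a scan is pointed at.
# Lines 1 and 2 hold valid test PANs, line 3 a digit run that fails Luhn,
# line 4 a phone number (too short) and a reference number (fails Luhn).
SAMPLE_RECORDS = """\
2019-06-12 13:05:22 order=88231 card=4111 1111 1111 1111 amount=129.00
2019-06-12 13:07:10 order=88232 card=5555-5555-5555-4444 amount=42.50
2019-06-12 13:09:41 order=88233 card=4111111111111112 amount=10.00
2019-06-12 13:11:03 callback 505-998-3239 ref=20190612000000001
"""

if __name__ == "__main__":
    for masked in find_pans(SAMPLE_RECORDS):
        print("PAN stored in clear:", masked)
```

A hit from a scan like this is a Remediate item, not a Report item: the fix is to stop writing the PAN to that location (or truncate it on write), since any place the full PAN lands is in scope for every other PCI DSS control.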


PCI DSS COMPLIANCE VALIDATION

• Depends on the merchant level (based on annual transaction volume) and what the acquiring bank requires

• Compliance validation may be: an annual on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance (ROC); quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); an annual PCI Self-Assessment Questionnaire (SAQ). Submit these reports to the acquirer.

CONSEQUENCES FOR NON-COMPLIANCE

• Loss of customer confidence

• Lawsuits and insurance claims

• Accept 100% of cardholder losses

• Card brand fines ($500,000)

• Forensic investigation expenses ($100,000)

• Cancelled merchant account (cannot accept payment cards) or increased fees


ACTION STEPS TO ACHIEVE CYBERHEALTH

Create a culture of security awareness to achieve CyberHealth:

• Leadership matters; set the right tone at the top.
• Find out where you really stand. Perform or contract an assessment of your cyber-resilience.
• The most valuable investment is the security awareness and education of employees, contractors & partners.
• Create / update your IT policies and procedures.
• Classify your data – know where your confidential data is stored and who has access to it.
• Ensure data backups are working; test recovery procedures.
• Regularly practice and update your Cyber-Security Incident Response Plan.
• Secure sufficient Cyber-Liability insurance coverage.
• Continuous monitoring & assessment of systems and employees is vital.

THANK YOU!


[email protected] |505.998.3239

Jennifer Moreno, CISA – Senior Manager of CyberHealth GRC

Please open your Expo Pass app to give us your feedback on this session!