It Only takes one click
© John Nieto
THE 2019 REDW TRIBAL FINANCE & LEADERSHIP CONFERENCE
IT ONLY TAKES ONE CLICK! ARE YOU CYBER-SECURE?
Achieving CyberHealth
Jennifer Moreno, CISA
Don’t forget to scan your badge if you want to earn CPE credit for this session!
AGENDA
• Cyber-Risk – Mitigating the Risk
• Business Email Compromise
• Ransomware
• Security Awareness Education
• Multi-factor Authentication
• Payment Card Industry (PCI DSS)
WHAT IS CYBER-RISK?
Cyber-Risk means any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems.
- Institute of Risk Management
Cyber-Risk = Business Risk
Hacked or System Failure? = Business Interruption
Breached? = Reputational Loss, Liability Claims
Non-Compliant? = Fines & Legal Action
VERIZON’S 2019 DATA BREACH INVESTIGATION REPORT
• 71% of breaches were financially motivated
• 43% of breaches involved small businesses
• 29% involved stolen credentials
• 32% involved phishing
• 69% of breaches perpetrated by outsiders
• 56% of breaches took months or longer to discover
• Social engineering targeting personal information remains high
TO ERR IS HUMAN
95% of all data breaches result from human error
“Amateurs hack systems. Professionals hack people.” - Bruce Schneier
BECOME RESILIENT!
OLD
Data: On Premise
Computers: On Premise
Perimeter: Local Internet Connection
Firewall: Digital Gateway
Prevention
NEW
Data: Cloud
Computers: Anywhere
Perimeter: Everywhere
Firewall: People
Resilience
CYBERHEALTH
Our ability and willingness to protect ourselves and others from imminent harm, and stay safe from those who would exploit our families and community.
A COMMON, & COSTLY, MISUNDERSTANDING
• CyberHealth is no longer a technology issue.
• It’s now a cultural & behavioral issue.
MITIGATE THE RISK
Incident Response
Cyber-Security Technology
Security Education & Awareness
Policies & Procedures
Monitoring & Assessment
Insurance Coverage
Recovery
Governance & Compliance
STEP 1: IT GOVERNANCE REVIEW
• How have IT strategy and planning been formulated?
• Is there an established, executive-level IT oversight committee involved with major decisions?
• Is there a formal IT vendor qualification and approval process?
• Who is responsible for executing IT strategy?
• What regulatory requirements are applicable?
• Is all software licensed and documented?
STEP 2: POLICY & PROCEDURE REVIEW
• Inventory and evaluate current policies and procedures
• Approved regulatory policy requirements (Privacy and Security)
• Separate set of standard IT policies
• Are policies approved?
• Review and update at least annually
STEP 3: CYBER-TECHNOLOGY REVIEW
• Assess overall security technology & architecture
• Annual IT Risk Assessment / Regulatory Assessments or Audit
• Vulnerability Scans / Penetration testing
• Backup / Recovery procedures
• Firewalls / IDS / IPS / Content blocking / Endpoint protection
• Asset inventory and destruction process
• Third party vendor review
  » SOC Review
  » Confidentiality Agreement
  » What are their security controls?
STEP 4: SECURITY EDUCATION & AWARENESS REVIEW
• Assess current & past security education & awareness efforts
  » Training modules
  » Quizzes
  » Phishing assessments
  » Current events / videos
  » Posters / infographics
• Identify regulatory requirements for security education & awareness
STEP 5: MONITORING & ASSESSMENT REVIEW
• Assess existing monitoring systems
• Assess existing assessment methods of technology systems
• Assess existing assessment methods of employee behavior
STEP 6: CYBER-LIABILITY INSURANCE REVIEW
• Look for complimentary pre-breach services – a cyber-policy should not be an upsell opportunity.
• Insist on post-breach services, such as a breach coach, and check them out.
• Ask whether you can use your own forensic/recovery specialists or are required to use the insurer’s choice.
• Is there coverage for Business Interruption?
• Evaluate current coverage of existing policies
• Consider an independent professional review of your current or proposed policy
STEP 7: INCIDENT RESPONSE (CSIRP)
• Assess existing incident response policy & documentation
• Identify key players and their roles
• Training and testing (table-top exercises)
• Incident classification (systems down, malware infection, breach)
• Investigative process
• Containment, eradication & recovery
• Reporting process
STEP 8: RECOVERY
• The Disaster Recovery and Business Continuity Plans need to be tested at least annually
• Ensure that recovery from a loss of operation and/or data can be assured
• Business Impact Analysis to identify RPOs and RTOs
DON’T GET HOOKED – PHISHING & SOCIAL ENGINEERING
Social Engineering: The use of deception to trick individuals into providing confidential information
Phishing: A form of social engineering using email and fake websites as the method of deception
EMAIL RED FLAGS: STOP, LOOK, THINK!
• Recognize the sender (verify email address)
• Message recipients
• Date and time of the message
• Subject – is it relevant?
• Inspect the email content
  » Tone
  » Grammar, punctuation and spelling
  » Attachments
  » Asked to click a link
  » Asking for personal information, credentials
EMAIL RED FLAGS: STOP, LOOK, THINK!
• Sense of urgency or threatening
• Hyperlinks
  • http vs https
  • Hover over link to verify website redirection
  • Scrutinize the link
    » https://www.bankofamerica.com
    » https://www.bankofannerica.com
    » https://wwwbankofamerica.community.com
    » https://143.127.22.13/bankofamerica.com
  • Tiny URL – http://goo.gl/3akWbr
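The link checks on this slide can be turned into a small helper for a mail gateway filter or a training exercise. The Python below is an added example, not code from the presentation; the shortener list, the look-alike letter table and the "last two labels" registered-domain rule are my own simplifying assumptions. It classifies each of the slide's sample links and also flags a link whose visible text names one domain while the underlying href points somewhere else, which is the case the "hover over link" advice is meant to catch.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed list of shortener hosts (an assumption; extend it for your own use).
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}

# Letter sequences that pass for another letter at a glance.
# The slide's "bankofannerica" works because "nn" reads as "m".
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registered_domain(host: str) -> str:
    """Last two DNS labels of a host. Simplification: ignores multi-part
    public suffixes such as co.uk; production code would use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def despoof(name: str) -> str:
    """Collapse look-alike sequences so a spoofed name compares equal to its target."""
    out = name.lower()
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return out


def host_of(text: str) -> str:
    """Hostname from a URL or bare domain in link text; '' if the text is not one."""
    if "." not in text:
        return ""
    if "://" not in text:
        text = "https://" + text
    return (urlsplit(text).hostname or "").lower()


def link_red_flags(href: str, expected_domain: str,
                   display_text: Optional[str] = None) -> List[str]:
    """Red flags raised by a link, in a fixed order.
    href: where the link really goes (what hovering reveals).
    expected_domain: the registered domain the message claims to be from.
    display_text: the visible link text, if any."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    brand = expected_domain.split(".")[0]          # e.g. "bankofamerica"
    flags: List[str] = []

    if parts.scheme == "http":                     # http vs https
        flags.append("plain-http")

    try:                                           # bare IP instead of a name
        ipaddress.ip_address(host)
        is_ip = True
        flags.append("ip-address-host")
    except ValueError:
        is_ip = False

    if host in SHORTENERS:                         # destination hidden behind a tiny URL
        flags.append("url-shortener")

    if not is_ip:
        reg = registered_domain(host)
        if reg == expected_domain:
            pass                                   # genuinely the expected domain
        elif despoof(reg) == despoof(expected_domain):
            flags.append("lookalike-domain")       # bankofannerica.com
        elif brand in host:
            flags.append("brand-in-subdomain")     # wwwbankofamerica.community.com

    if brand in parts.path.lower():                # 143.127.22.13/bankofamerica.com
        flags.append("brand-in-path")

    shown = host_of(display_text) if display_text else ""
    if shown and registered_domain(shown) != registered_domain(host):
        flags.append("display-href-mismatch")      # text says one site, link goes elsewhere

    return flags


if __name__ == "__main__":
    for url in ("https://www.bankofamerica.com", "https://www.bankofannerica.com",
                "https://wwwbankofamerica.community.com",
                "https://143.127.22.13/bankofamerica.com", "http://goo.gl/3akWbr"):
        print(url, link_red_flags(url, "bankofamerica.com"))
```

The function is deliberately a list of independent heuristics rather than a single verdict: a shortened link is not malicious in itself, but each flag is a reason to stop and look before clicking, which is the habit the slide is teaching.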
RANSOMWARE - $11.5 BILLION IN 2019 … THE COST OF NOT EDUCATING OUR EMPLOYEES
…AND BY 2021?
Damage related to cybercrime is projected to hit $6 trillion annually by 2021. -Cybersecurity Ventures
Cyber-attacks and security breaches will happen, and will adversely impact your organization.
RANSOMWARE
• Malicious software (malware) that encrypts all of the victim’s data then demands payment to restore access
• Delivered by harmful email attachments, websites, outdated browser plug-ins, text messages
• Holds your files hostage instead of corrupting them like other traditional viruses
A VERY SUCCESSFUL “BUSINESS”
• FBI does not recommend paying the ransom
• Cyber criminals don’t have to keep their side of the bargain
• If you receive the decryption key, keep in mind…
  » Data may be permanently unrecoverable if there is a flaw in the code
  » Files may not function appropriately after decryption
• Targeted again for a future attack
RANSOMWARE INFECTION VECTORS
• Most commonly spread through phishing emails with attachments disguised as an invoice, PDF, ZIP or even an audio file such as a fake voice message
• Pirated or Free software / games
• Malicious websites
• Legitimate websites taken over by cyber criminals
RANSOMWARE MITIGATION
• Security Awareness Training on email safety and phishing
• When in doubt, contact IT Team for assistance
• Have documented and regularly tested backup and restore procedures
• Regularly install software updates and patches
• Updated End-Point protection on all systems
• Keep browser plug-ins up to date (Java, Flash, Adobe)
• Disable web browser pop-up windows
• Disable or set browser plug-ins to prompt you to run
SECURITY AWARENESS TRAINING – CONTINUOUS EDUCATION FOR YOUR TEAM
• Email security and phishing
• Protecting and destroying sensitive data
• Internet safety (pop-ups, URL addresses)
• Safe Social Networking (Facebook, Twitter, LinkedIn etc.)
• Mobile device & mobile app safety
• Smishing / Vishing
• Multifactor Authentication (aka MFA) / Passwords & PINs
• Physical Security – protect people and property
• Social Engineering
• Insider threats (malicious and unintentional)
• Regulatory compliance training (PCI, GLBA, GDPR, HIPAA)
IMPLEMENTATION TIPS
• Understand the prevailing culture
• Educate leadership on the risk of uneducated workers
• Sell the program by reminding workers that this will help them personally
• Stand firm on what you believe your organization minimally needs
• Have an approved policy in place
  » Plan early to deal with non-compliance with meaningful sanctions
  » Zero tolerance for those who fail to complete remedial programs
• Accept that no software is perfect, and clearly understand limitations
• Measure and report success as well as failure
MULTI-FACTOR AUTHENTICATION (MFA)
• MFA is a security feature that requires more than one method of authentication before granting access to a system or account
• Additional layer of security to prevent hackers from gaining access to your organization, even if credentials are compromised
• Without MFA, all of your layers of protection can easily be compromised
• Comes in different forms…
  » One-time PIN or passcode
  » Biometrics
MFA PRIORITIES
• Email (Office 365)
• Social Media
• Financial Accounts
• Password Managers
• Mobile Devices
• Key Fobs
• USB drives
NOT USING MFA…
• Approved and communicated Password Policy
• Password complexity enforced using Group Policy
  » Consider pass phrases
• Change passwords regularly
• Don’t use the same password for all your accounts
• Password Manager Software (LastPass, Dashlane, many others)
PAYMENT CARD INDUSTRY (PCI)
The Payment Card Industry Security Standards Council (PCI SSC) is the governing body
Formed by:
• American Express
• Discover Financial Services
• Japan Credit Bureau International
• MasterCard Worldwide
• Visa, Inc.
PCI DSS – DATA SECURITY STANDARDS
• Each of the 5 major payment card companies had their own security standards
• In 2004 they combined to form the PCI – Data Security Standards
• New version PCI DSS 3.2.1 (2018) includes over 250 different security controls
• PCI-DSS was developed to help protect cardholder data from payment card fraud
• Not a federal law, but mandated by payment card companies
SOBERING STATISTICS
• 1.1 billion payment cards in the US in 2016
• Payment card fraud is the most common form of identity theft (38.7%)
• 15.4 million victims of credit/debt card identity theft in 2016
• Total annual loss from payment card fraud - $22 billion in 2016
CARD PROCESSING ECO-SYSTEM VULNERABILITIES
• Point-of-sale devices
• Computers and servers
• Wireless hotspots
• Web shopping applications
• Paper storage systems
• Unsecured transmission of cardholder data to service providers
PCI DSS - DATA PROTECTION
Data:
• Primary account numbers
• Cardholder names
• Expiration dates
• Service codes
Protective measures identified with PCI DSS:
• Technical/non-technical policies and procedures to ensure data and equipment security
• Security management training
• Network architecture and software design safeguards
PCI DATA SECURITY STANDARD: WHO NEEDS TO COMPLY?
• Any organization that accepts card payments and stores, processes or transmits payment card information – regardless of the number of transactions.
• Compliance comes in many flavors – there are different levels of compliance requirements.
PCI COMPLIANCE IS A CONTINUOUS PROCESS
• Assess
  » Identify cardholder data
  » Take inventory of your IT assets and business processes for payment card processing
  » Analyze for vulnerabilities that could expose cardholder data
• Remediate
  » Fix vulnerabilities
  » Only store necessary cardholder data
• Report
  » Compile and submit required remediation validation records
  » Submit compliance reports to the acquiring bank and/or credit card brands you do business with
- PCI SSC Quick Reference Guide
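The Assess step ("identify cardholder data") and the Remediate step ("only store necessary cardholder data") both depend on being able to find primary account numbers where they should not be, such as in application logs. As an added example, not from the PCI SSC guide or the presentation, the Python below scans text for Luhn-valid 13-19 digit runs and masks each one to its first six and last four digits, the most PCI DSS v3.2.1 allows to be displayed. The sample log lines are constructed, and the card numbers are the widely published Visa and Mastercard test numbers rather than real accounts.

```python
import re
from typing import List

# Runs of 13-19 digits, optionally separated by single spaces or dashes and not
# embedded in a longer digit run. Assumption: this is how PANs tend to appear
# in receipts and logs; tune it for your own data formats.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. The card numbers are the widely published
# Visa and Mastercard test numbers, not real accounts; the 13-digit order id
# is there to show that a digit run alone is not enough to count as a PAN.
SAMPLE_LOG = """\
2019-08-14 10:02:11 POS-3 sale approved card=4111-1111-1111-1111 amt=42.10
2019-08-14 10:02:12 POS-3 order id 1234567890123 shipped
2019-08-14 10:03:05 POS-1 sale approved card=5500000000000004 amt=9.99
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                         # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # and fold two-digit results
        total += d
    return total % 10 == 0


def _pan_from_match(match) -> str:
    """Digits of a regex match if they pass Luhn, else '' (not a card number)."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_valid(digits) else ""


def find_pans(text: str) -> List[str]:
    """Every Luhn-valid 13-19 digit run in `text`, with separators stripped."""
    return [p for p in (_pan_from_match(m) for m in PAN_PATTERN.finditer(text)) if p]


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS v3.2.1
    Requirement 3.3 allows to be displayed; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_pans(text: str) -> str:
    """Replace each Luhn-valid PAN in `text` with its masked form and leave
    other digit runs (order ids, timestamps, amounts) untouched."""
    def repl(match):
        pan = _pan_from_match(match)
        return mask_pan(pan) if pan else match.group()
    return PAN_PATTERN.sub(repl, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(scrub_pans(SAMPLE_LOG))
```

Run against a copy of your log directory, `find_pans` gives an inventory of where full PANs are leaking, and `scrub_pans` shows what a compliant log line should look like; the real fix is to stop writing the PAN in the first place, since masked output is a display control, not a substitute for not storing the data.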
PCI DSS COMPLIANCE VALIDATION
• Depends on the merchant level (based on number of transactions) and what the acquiring bank requires
• Compliance Validation may be:
  » Annual security audit by a qualified security assessor (QSA)
  » Quarterly network scans by a qualified vendor
  » Annual PCI Self-Assessment Questionnaire
  » Submit these reports to the acquirer
CONSEQUENCES FOR NON-COMPLIANCE
• Loss of customer confidence
• Lawsuits and insurance claims
• Accept 100% of cardholder losses
• Card brand fines ($500,000)
• Forensic investigation expenses ($100,000)
• Cancelled merchant account (cannot accept payment cards) or increased fees
ACTION STEPS TO ACHIEVE CYBERHEALTH
Create a culture of security awareness to achieve CyberHealth:
• Leadership matters; set the right tone at the top.
• Find out where you really stand. Perform or contract an assessment of your cyber-resilience.
• The most valuable investment is the security awareness and education of employees, contractors & partners.
• Create / update your IT policies and procedures.
• Classify your data – know where your confidential data is stored and who has access to it.
• Ensure data backups are working; test recovery procedures.
• Regularly practice and update your Cyber-Security Incident Response Plan.
• Secure sufficient Cyber-Liability insurance coverage.
• Continuous monitoring & assessment of systems and employees is vital.
THANK YOU!
[email protected] | 505.998.3239
Jennifer Moreno, CISA, Senior Manager of CyberHealth GRC
Please open your Expo Pass app to give us your feedback on this session!