TRANSCRIPT
Copyright © 2014 K2 Enterprises, LLC. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.
Best Practices For Cyber Security
November 3, 2014
Tommy Stephens
• CPA from Woodstock, Georgia
• Twenty-nine years public accounting & private industry experience
– Nineteen years CPE discussion leader
• BSBA (Accounting) Auburn University
• MS (Finance) Georgia State University
• Please contact me: [email protected]
• Follow me on Twitter: @TommyStephens
WHAT ARE THE BIGGEST CYBER THREATS?
Top Cybersecurity Threats
1. Social Engineering
2. Advanced Persistent Threats
3. Internal Threats
4. Bring Your Own Device
5. Cloud Security
6. HTML5
7. Botnets
8. Precision Targeted Malware
Source: Forbes
Social Engineering
• Using social networks such as Facebook and LinkedIn to obtain information directly from the networks or by misleading others
– Should you really post your vacation plans on Facebook before you go?
– Do you really know all of your “friends”?
• Also includes phishing, baiting, and computer virus hoaxes
Advanced Persistent Threats
• Advanced Persistent Threats (APTs) take a “low and slow” approach
• Intention is to gain access to a network and take information quietly
• Likely executed by a government or a very sophisticated entity, as most individuals and small organizations lack the resources to execute one
Internal Threats
• Most data losses and breaches are committed by insiders
• Who’s guarding your server while you are participating in this session?
• CERT Insider Threat Center found that malicious insiders within the financial industry get away with their fraud for approximately 32 months before discovery
Bring Your Own Device
• Bring Your Own Device (BYOD) is a relatively new phenomenon where team members acquire their own technology and use it for corporate purposes
• Though well-meaning team members can be more productive in a BYOD environment and save the organization money, the problem is that they don’t secure the technology
– What happens to the corporate data when the smartphone or tablet is lost, stolen, or hacked?
Cloud Security
• Cloud computing is the most significant trend in information technology today
• The cloud offers potentially huge benefits, but the risks can be great as well because you surrender control of your data
• Do your due diligence before engaging a vendor to provide cloud services!
HTML5
• HTML5 is a relatively new markup language being used to develop web applications
– Provides better support for multimedia and communications with a server
• A big advantage of HTML5 over its predecessors is cross-platform support
• However, because of its newness, many are concerned about its security
Botnets
• A botnet is a network created with malicious software that exploits the computing power of multiple private computers, without the knowledge of the owners of those computers
• Cybercriminals often use botnets to send spam, spread viruses, and attack other computers and servers
• Is your computer running slowly?
Precision Targeted Malware
• The attackers are getting smarter!
• With Precision Targeted Malware (PTM), they are developing code that doesn’t execute unless it is in the environment for which its developers designed it
• This makes it harder to detect malware in testing environments
• “Gauss” is an example of PTM
What Are The Crooks After?
• Anything they can sell for a profit or hold hostage in return for a ransom
• In other words, sensitive information!
Two Specific Areas Of Concern For Carolinas HealthCare System
• Credit card information
– To reduce the risk of credit card fraud, CHS is implementing EMV readers instead of card swipes
– This should be completed by October 2015
– EMV uses PIN codes and encryption algorithms to reduce the risk of fraud
• Vendors with weak internal controls
– “A chain is only as strong as its weakest link”
WHAT ARE THE COSTS OF THESE THREATS?
Cost Of Cyber Crime Study
• The time it takes to resolve a cyber attack has increased by 130% in four years
• The average cost to resolve a single attack is more than $1 million
• Organizations in defense, financial services, and energy suffered the highest cybercrime costs
• $188 per record breached, on average, to respond/resolve a cyber attack
Source: Ponemon Institute
Cost Of Cyber Crime Study
• Data theft caused major costs: 43% of the total external costs
• Business disruption, or lost productivity, accounts for 36% of external costs
• The average time to resolve a cyber attack was 32 days, with an average cost of $1,035,769
– $32,469 per day!
• Smaller organizations incur significantly higher per capita costs
Source: Ponemon Institute
Cost Of Cyber Crime
• McAfee: Malicious cyber attacks could cost the U.S. $100 billion annually
– $300 billion worldwide
• U.S. Congressional report: Nearly 20% of all cyber attacks are aimed at companies with fewer than 20 employees
• Experian: Only 31% of U.S. companies have cyber insurance policies
Don’t ignore the cost associated with a damaged reputation and lost business!
SOME SPECIFIC EXAMPLES…
Target Debit/Credit Card Breach
• Actually, two incidents
– 40 million customers’ names, debit/credit card numbers, PIN codes, expiration dates, security codes, and phone numbers were compromised from November 27 to December 15, 2013
– Up to 70 million names, addresses, phone numbers, and email addresses may have also been compromised
• Cost to Target: TBD, but a similar hack at TJ Maxx cost $256 million
Adobe
• 38 million records, including credit card numbers and username/password combinations were compromised from products and services, including Adobe Acrobat and ColdFusion
• Notification costs alone would approximate $17.5 million
• Assuming $188 per record, total costs could exceed $700 million
Republic Services
• In August 2013, a laptop was stolen from an employee’s home
• The laptop contained personal information on 82,160 current and former employees
• Of course, the laptop’s hard disk was not encrypted or otherwise protected
Palm Beach County Health Department
• A senior clerk was arrested and charged with using her job to steal identity information on more than 2,800 patients
• The clerk then shared the information, including Social Security numbers, with accomplices to file fraudulent income tax returns seeking refunds
TEN COMMON SENSE APPROACHES TO REDUCING CYBER THREATS
Education Is Critical
• Most team members truly want to do the right thing, but they often don’t know what the right thing is
• Educate on the risks associated with cyber attacks
• Create a “culture of security and personal accountability” across the organization
– Like all internal controls, this starts at the top of the organization
• Includes developing and implementing policies
Use “Long And Strong” Passwords
• Passwords can be a good first line of defense, but are rarely as effective as they should be
• According to The SANS Institute, a “strong” password now consists of fifteen alphanumeric characters
• Want to test your password?
– Try https://www.grc.com/haystack.htm
Use “Long And Strong” Passwords
• In reality, can we really expect to use different long and strong passwords on all of our devices, applications, and web sites?
– After all, we are only human
• Consider using password management software such as RoboForm, Password Depot, KeePass, and others to ease the burdens associated with long and strong passwords
Consider Alternative Authentication Measures
• Fingerprint swipes instead of passwords, for example, might prove to be more secure in many organizations
• Multi-factor authentication is also an excellent internal control for mitigating cyber risk
– Something you know – a password, for example – plus something you have – a key fob, for example
Limit Administrative Rights
• Most end users should not have administrative rights on their PCs
– Yet many of them do
• Without administrative rights, end users cannot change settings that might compromise the security of their device
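The first step in limiting administrative rights is knowing who has them. The script below is an added example, not part of the K2 deck: it lists every member of the local Administrators group that is not on an approved list and reports them without changing anything. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module), and the approved list, including the CONTOSO domain and the group names, is a constructed placeholder to replace with your own.

```powershell
# Added example (not from the K2 deck): audit membership of the local Administrators group.
# Assumes PowerShell 5.1+ with the LocalAccounts module. $ApprovedAdmins is a constructed
# placeholder list; CONTOSO is a hypothetical domain name.

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$ApprovedAdmins = @(
            "$env:COMPUTERNAME\Administrator",   # built-in local administrator
            'CONTOSO\Domain Admins',             # hypothetical domain groups
            'CONTOSO\Workstation Admins'
        )
    )
    # Members can be local users, domain users or domain groups.
    # -ErrorAction Stop so that a failed lookup (e.g. an orphaned SID) is visible, not silently skipped.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        if ($ApprovedAdmins -notcontains $m.Name) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $m.Name
                ObjectClass = $m.ObjectClass       # User or Group
                Source      = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
            }
        }
    }
}

# Report only; removing an account is a deliberate, separate step after review:
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\jdoe'
$unapproved = Get-UnapprovedLocalAdmins
if ($unapproved) {
    $unapproved | Format-Table -AutoSize
} else {
    Write-Output 'No unapproved members in the local Administrators group.'
}
```

Two things to keep in mind when reading the report: Get-LocalGroupMember does not expand nested domain groups, so an "approved" domain group may itself contain more people than intended, and a machine whose users are local administrators can have this audit undone by those same users, which is the point of the slide.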
Get A Grip On BYOD
• Bring Your Own Device, Bring Your Own Cloud, Bring Your Own Technology are all significant risks to every organization
• Get policies in place today
– www.tinyurl.com/k2byodpolicies
• Consider forcing security measures onto team members’ devices as a condition of accessing and storing personal data
– iPhone/iPad Configuration Utility, for instance
Disable USB Ports For Storage
• USB flash drives, external hard disks, etc. are rarely encrypted by end users
• Therefore, security risks are huge!
• You can disable USB ports for storage with an edit to the Windows Registry
Disabling USB Ports For Storage
Registry edit to prevent USB access to external storage devices… IMPORTANT, back up the registry first!
• Click Start, and then click Run
• In the Open box, type regedit, and then click OK
• Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
• In the details pane, double-click Start
• In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK
• Exit Registry Editor
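The same change can be made from PowerShell, which is easier to repeat across many PCs and to verify afterwards. The script below is an added example, not part of the K2 deck: it exports the UsbStor key first (the backup the slide insists on), sets Start to 4, reads the value back, and provides the reverse step. It assumes an elevated session; the backup file location is an assumption.

```powershell
# Added example (not from the K2 deck): disable the USB mass-storage driver via the UsbStor key.
# Run in an elevated (Administrator) session. Start = 4 is SERVICE_DISABLED; 3 is the Windows default.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$BackupFile = "$env:TEMP\UsbStor-backup.reg"   # assumed backup location

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled (Start=3)' }
        4       { 'Disabled (Start=4)' }
        default { "Unexpected Start value: $start" }
    }
}

function Disable-UsbStorage {
    # 1. Back up the key first, as the slide says (reg.exe writes a .reg file you can re-import)
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\UsbStor' $BackupFile /y | Out-Null
    # 2. Set Start to 4 (hex 0x4), the same value typed into regedit on the slide
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    # 3. Verify rather than assume
    Get-UsbStorageState
}

function Enable-UsbStorage {
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
    Get-UsbStorageState
}

Write-Output "Before: $(Get-UsbStorageState)"
Disable-UsbStorage
Write-Output "After:  $(Get-UsbStorageState)"
```

Caveats a practitioner should know: the setting stops the USB storage driver from loading, so devices attached after the change (and already-attached ones once re-plugged) stop working, but it does nothing for network shares, cloud drives or e-mail as ways to move data out; and any user with local administrator rights can simply set the value back to 3, which is why this slide and the "Limit Administrative Rights" slide belong together. On domain-joined machines the managed equivalent is the Group Policy setting under Computer Configuration, Administrative Templates, System, Removable Storage Access.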
Thoroughly Vet All Cloud Vendors
• Though many have resisted and continue to resist, the Cloud tsunami continues to grow
• For many smaller organizations, it is entirely likely that moving to the cloud offers improved security
• However, thoroughly vet any cloud vendor before signing a contract or moving data
• Look for SSAE 16, ISO 27001, SOC 1, SOC 2, SOC 3, etc. certifications
Configure Firewalls Properly
• Firewalls serve as a “buffer” between two networks – LAN and Internet, for example
• You can configure your firewalls to block unwanted inbound as well as outbound traffic
• Ensure that both corporate level and computer level firewalls are configured to block intruders, as well as access to undesirable web sites
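The "computer level" firewall the slide refers to is, on Windows, the built-in Windows Firewall. The script below is an added example, not part of the K2 deck: it puts all three firewall profiles into a default-deny posture in both directions, adds explicit outbound allow rules for named programs, turns on logging of blocked traffic, and has a check function that reports any profile that has drifted from that state. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and an elevated session; the program paths are assumed examples.

```powershell
# Added example (not from the K2 deck): default-deny Windows Firewall configuration with an audit check.
# Requires the NetSecurity module (Windows 8 / Server 2012+) and an elevated session.

function Test-FirewallPosture {
    # Returns the profiles that are NOT in the desired state (enabled, inbound Block, outbound Block).
    Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or
        $_.DefaultInboundAction -ne 'Block' -or
        $_.DefaultOutboundAction -ne 'Block'
    } | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Set-DefaultDenyFirewall {
    param([string[]]$AllowedOutboundPrograms)

    # Block by default in both directions on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block -NotifyOnListen True

    # Explicit allow rules for the programs the business needs; everything else is dropped.
    foreach ($exe in $AllowedOutboundPrograms) {
        $name = "Allow outbound - $(Split-Path $exe -Leaf)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
                -Action Allow -Profile Any | Out-Null
        }
    }

    # Log dropped packets so the monitoring tools discussed later in the deck have something to read.
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

# Assumed example allow-list; svchost.exe hosts Windows Update, DNS client and other core services.
Set-DefaultDenyFirewall -AllowedOutboundPrograms @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Windows\System32\svchost.exe'
)

$drift = Test-FirewallPosture
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Output 'All profiles: default deny in both directions.' }
```

Blocking outbound traffic by default is the part that breaks things, so test it on a pilot group and read the blocked-traffic log before rolling it out; allowing svchost.exe is broad and is there only so that Windows itself keeps working. Note also that the Windows Firewall filters by program, port and address, not by URL: the slide's "access to undesirable web sites" is a job for the corporate-level firewall or web proxy, not the host firewall.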
“White List” Software Titles
• Instead of trying to block all “bad” applications – which is virtually impossible, because that list is ever-changing – consider using a “white list” approach for approved applications on each computer
• Windows supports this control
“White List” Software Titles
• In the “Run” dialog box, enter “gpedit.msc”
• Navigate to “User Configuration, Administrative Templates, System”
• Scroll to “Run only specified Windows applications”
• Specify the applications allowed to run on the computer
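The gpedit.msc steps above write a small set of registry values for the current user, and the same policy can be applied, read back and removed from PowerShell. The script below is an added example, not part of the K2 deck. It assumes the documented layout of that policy (the RestrictRun DWORD under HKCU\...\Policies\Explorer, with the numbered list of executables in the RestrictRun subkey); the allow-list itself is a constructed example.

```powershell
# Added example (not from the K2 deck): apply "Run only specified Windows applications" for the CURRENT user
# by writing the registry values that gpedit.msc sets. The allow-list below is a constructed example.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RestrictRunKey = Join-Path $ExplorerPolicy 'RestrictRun'

function Set-AllowedApplications {
    param([Parameter(Mandatory)][string[]]$AllowedExecutables)

    # Refuse to lock ourselves out: the policy matches on file name only, so the tools needed to
    # undo the change must themselves be on the list.
    foreach ($required in 'regedit.exe', 'powershell.exe') {
        if ($AllowedExecutables -notcontains $required) {
            throw "Refusing to apply: '$required' is missing from the allow-list; the policy could not be undone."
        }
    }

    New-Item -Path $RestrictRunKey -Force | Out-Null   # creates the parent key as well
    # Clear any previous list, then number the entries 1..n exactly as the policy editor does.
    Get-Item $RestrictRunKey | Select-Object -ExpandProperty Property | ForEach-Object {
        Remove-ItemProperty -Path $RestrictRunKey -Name $_
    }
    $i = 1
    foreach ($exe in $AllowedExecutables) {
        New-ItemProperty -Path $RestrictRunKey -Name ([string]$i) -Value $exe -PropertyType String | Out-Null
        $i++
    }
    # Switch the policy on; it takes effect at the next logon (or after gpupdate /force).
    New-ItemProperty -Path $ExplorerPolicy -Name RestrictRun -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-AllowedApplications {
    # Read the list back in policy order so an auditor can compare it with the approved software list.
    if (-not (Test-Path $RestrictRunKey)) { return @() }
    $item = Get-Item $RestrictRunKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

function Remove-AllowedApplicationsPolicy {
    Remove-ItemProperty -Path $ExplorerPolicy -Name RestrictRun -ErrorAction SilentlyContinue
    Remove-Item -Path $RestrictRunKey -Recurse -ErrorAction SilentlyContinue
}

Set-AllowedApplications -AllowedExecutables 'regedit.exe', 'powershell.exe', 'excel.exe', 'winword.exe', 'outlook.exe'
Get-AllowedApplications
```

This control is the "low-hanging fruit" version of whitelisting: it is enforced by the Explorer shell, so it governs what a user can start from the Start menu or by double-clicking, and it matches on file name alone. Organizations that need the rule to hold against a determined user, or to apply to programs started by other means, should look at Software Restriction Policies or AppLocker, which identify programs by path, publisher or hash and are enforced system-wide.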
Implement Monitoring Tools
• According to EY, anti-virus software is not very effective against new forms of attack because it is reactive, rather than proactive
• Rather, monitoring and analytical tools that seek out unusual patterns in traffic should be used as early-warning mechanisms
• Such tools may have, for example, detected that Edward Snowden was downloading more files than what his job duties required
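The "unusual pattern" the slide has in mind is a user whose activity suddenly departs from that user's own history. The script below is an added example, not part of the K2 deck, and not any vendor's tool: it runs a simple baseline-deviation check over a few constructed file-server access records, comparing each user's daily download count with the median of that user's earlier days and flagging days that exceed the baseline by a chosen multiple. The log lines, the threshold and the minimum history length are all assumptions.

```powershell
# Added example (not from the K2 deck): flag users whose daily download count is far above their own baseline.
# The records below are constructed sample data in the form date,user,action,count.
$SampleLog = @'
2014-10-01,jdoe,download,12
2014-10-02,jdoe,download,15
2014-10-03,jdoe,download,11
2014-10-06,jdoe,download,14
2014-10-07,jdoe,download,13
2014-10-08,jdoe,download,410
2014-10-01,asmith,download,40
2014-10-02,asmith,download,38
2014-10-03,asmith,download,45
2014-10-06,asmith,download,42
2014-10-07,asmith,download,39
2014-10-08,asmith,download,47
'@

function Find-DownloadAnomalies {
    param(
        [string]$LogText,
        [double]$Multiplier = 5.0,      # assumed threshold: flag a day above N times the user's median
        [int]$MinimumHistoryDays = 3    # assumed: do not judge a user with too little history
    )
    $records = $LogText -split "`r?`n" | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header Date, User, Action, Count |
        Where-Object { $_.Action -eq 'download' }

    foreach ($group in $records | Group-Object User) {
        $rows = @($group.Group | Sort-Object Date)
        for ($i = $MinimumHistoryDays; $i -lt $rows.Count; $i++) {
            # Baseline = median of this user's previous days; the median resists a single earlier spike
            # in a way an average would not.
            $history = @($rows[0..($i - 1)] | ForEach-Object { [int]$_.Count } | Sort-Object)
            $median  = $history[[math]::Floor($history.Count / 2)]
            $today   = [int]$rows[$i].Count
            if ($median -gt 0 -and $today -gt $Multiplier * $median) {
                [pscustomobject]@{
                    Date     = $rows[$i].Date
                    User     = $group.Name
                    Count    = $today
                    Baseline = $median
                    Ratio    = [math]::Round($today / $median, 1)
                }
            }
        }
    }
}

Find-DownloadAnomalies -LogText $SampleLog | Format-Table -AutoSize
```

With the sample data, jdoe's last day stands out against a baseline in the low teens while asmith's steady 38 to 47 downloads never trip the rule, which is the point: the alert is relative to the person, not to a fixed number. Real deployments would feed this from file-server audit logs or a SIEM, tune the multiplier per role, and treat the output as a queue for a human to review rather than as proof of wrongdoing.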
ADVANCED CYBER SECURITY MEASURES TO CONSIDER
SANS Institute Twenty Critical Security Controls
• Based on the work of a consortium of US and international agencies, including the US National Security Agency (NSA)
• Prioritizes security functions that are effective against some of the more advanced threats
• The US State Department has demonstrated a 94% decline in risk as a result of adopting these twenty controls
• http://www.sans.org/critical-security-controls/
Twenty Critical Security Controls
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software
4. Continuous vulnerability assessments and remediation
Twenty Critical Security Controls
5. Malware defenses
6. Application security software
7. Wireless device controls
8. Data recovery capability
9. Security skills assessment and training to fill gaps
10. Secure configurations for network devices such as firewalls, routers, and switches
Twenty Critical Security Controls
11. Limitation and control of network ports, protocols, and services
12. Controlled use of administrative privileges
13. Boundary defense
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on need to know
Twenty Critical Security Controls
16. Account monitoring and control
17. Data loss prevention
18. Incident response and management
19. Secure network engineering
20. Penetration tests and red team exercises
WE’VE BEEN HACKED!
What To Do When An Attack Occurs
• Create your response plan in advance
– This is not something that should be done in the heat of battle!
• Include on the response team appropriate personnel from IT, PR, Customer Service, Legal, and all other relevant departments in the organization
• As part of the response plan, carefully consider legal and regulatory requirements
– State security breach notification laws
– HIPAA
In The First 24 Hours…
1. Record date and time of notification
2. Alert and activate response team
3. Secure the premises
4. Stop additional data loss
5. Document everything
6. Interview those involved
7. Review protocols
8. Assess priorities and risks
9. Bring in forensics team
10. Notify law enforcement, if necessary
Next, And In No Particular Order
• Fix the issue that caused the breach
• Continue working with forensics
• Identify legal obligations
• Report to senior management
• Identify and resolve conflicting initiatives
• Alert your data breach resolution vendor
The preceding responses are summarized from “Data Breach Response Guide” produced and published by Experian Data Breach Resolution. You may download the guide from http://www.experian.com/assets/data-breach/brochures/response-guide.pdf
SUMMARY
Summary
• The numbers aren’t pretty, as the threats associated with cyber attacks continue to escalate, seemingly on a daily basis
• However, by understanding where the threats originate, we can position ourselves better to take appropriate cyber security measures
Summary
• When implementing cyber security measures, look for the low-hanging fruit first…you will get the biggest bang for your buck here
• Then, turn your attention to the more advanced security controls found in the SANS Institute’s Twenty Critical Security Controls
Summary
• Despite your efforts, it is likely impossible to completely insulate your organization from attack and eliminate all cyber risk
• Therefore, develop, put into place, and continually update a response plan in case your organization is attacked
• As part of this plan, ensure that you carefully consider all relevant legal and regulatory requirements