threats to nonprofits - schneider downs cpas · 2014-08-20 · verizon data breach report –other...
TRANSCRIPT
Cybersecurity Threats to Nonprofits
Chris Debo Senior Manager, IT Audit August 14, 2014
What is Cybersecurity?
• NIST definition: – “The process of protecting information by preventing,
detecting, and responding to attacks. “ – Key: PROTECTING INFORMATION ---------->
• Threats not limited to Internet hackers – Social engineering – Phishing – Disgruntled employees – Human error
2
• Theft • Misuse • Manipulation • Damage • Loss
Learning Objectives
1. Understand Cybersecurity 2. Assess Current State of Cybersecurity Threats 3. Effectively Assess Risk 4. Build an Execute a Plan to Mitigate Risk 5. Navigate Barriers to Success 6. How to Monitor and Evolve 7. Evaluate Need for Cybersecurity Insurance
3
What Cybercrimals Steal – And Why
• Bank credentials – Theft of funds
• Personally Identifiable Information (PII) – Identity theft
• Debit/credit card data – Access to credit, sale of data
• Intellectual property, data, other content – Blackmail, sale of data, avoid paying IP royalties, sabotage
4
Verizon Data Breach Report
Verizon Data Breach Report – Biggest Takeaways
• Employees at core of most attacks – Stolen credentials primary cause 80% of time – 78% of intrusions “relatively easy”
• Social engineering most common attack vector – Phishing – Gaining unauthrorized physical access (“tailgating”) – Targeted telephone calls – Personal solicitation attempts – Distribution of rogue devices – “Dumpster diving”
Verizon Data Breach Report – Other Takeaways
• 92% of breaches came from outside the organization – 55% from organized crime – 19% affiliated with other state agencies
• 75% of breaches driven by financial motives • 76% exploited weak or stolen credentials • 69% discovered by external parties • 66% took months or more to discover • 75% of attacks were opportunistic (companies not
targeted directly)
7
Verizon Data Breach Report – Industry Dispersion
8
Verizon Data Breach Report – Attack Origin
9
Verizon Data Breach Report – Malware Sources
10
Attackers Time to Exploit Vulnerability versus…
Source: Verizon Risk
11
…Organization’s Ability to Defend
Source: Verizon Risk
12
Notable Data Breaches in US History
• 2013 Target – 110 million customers (40 million credit cards)
• 2013 Adobe Systems – 130 million customers • 2011 Sony – 77 million customers • 2008 Heartland Payment Systems – 130 million
customers • 2007 TJX Companies – 94 million customers (46 million
credit card) • 1984 TRW/Sears – 90 million customers
Source: CNN Money
Target Breach
14
Target Response to Hack • Target had already deployed $1.6 million malware detection tool (FireEye).
– Round-the-clock monitoring from security specialists in Bangalore • November 30: FireEye detects loading of exfiltration software.
– Target security team in Minneapolis notified – No action taken
• Mid-December: Security experts monitoring underground markets for stolen data detect large influx of credit card information. – US Department of Justice notified
• December 12: Target notified by Department of Justice of potential breach.
• December 15: Target confirms breach. • December 19: Target releases public statement confirming breach. • March 5: Target CIO Beth Jacob resigns
15
Target Control Failures
16
Target Breach – Inherent Flaws
17
• Flaws in system design – Lack of network segmentation – Lack of encryption of credit card data while stored
in RAM • Flaws in internal control
– Lack of third-party oversight and compliance – Lack of monitoring and reaction
Is Your Organization Prepared?
Source: IIA Tone at the Top; April 2014
Information Security’s Role in Combatting Threats
• Design and implement security plan • Respond to threats • Maintain vigilance and level of knowledge • Identify, understand and respond to changes in the
operating environment • Provide timely, accurate and complete information to
Internal Audit
19
Management’s Role in Combatting Cyber Threats
• Set tone at the top • Evaluate and approve strategy • Assess and evaluate the functioning of plan • Communicate findings and monitor remediation
activities • Build advisory relationship with IS • Maintain frequent collaboration and interaction with IS • Maintain level of diligence and knowledge about cyber
security
20
Steps for an Effective Cybersecurity Strategy
1. Adopt a Framework 2. Understand the Environment 3. Assess Risk 4. Build and Implement a Cybersecurity Plan 5. Audit the Environment - Planning and Scoping 6. Audit the Environment – Execute the Audit 7. Identify/Remediate Vulnerabilities 8. Monitor/Refresh
21
1. Adopt a Framework - Examples • ISO 27000 Series • Department of Energy
– Cybersecurity Capability Maturity Model (C2M2) • Electronic Subsector (ES-C2M2) • Oil and Gas Subsector (ONG-C2M2)
• National Institute of Standards and Technology (NIST) – Cybersecurity Framework – Roadmap for Improving Critical Infrastructure Cybersecurity
• National Initiative for Cybersecurity Education (NICE) – Capability Maturity Model (CMM)
• ISACA - Transforming Cybersecurity Using COBIT 5
1. C2M2 Maturity Levels
23
1. C2M2 – Recommended Approach
24
1. Areas Covered in C2M2
• Risk Management • Asset, change, and configuration management • Identity and access management • Threat and vulnerability management • Situational Awareness • Information sharing and communications • Event and incident response, continuity of operations • Supply chain and external dependencies management • Workforce management • Cybersecurity program management
25
1. NIST Framework Objectives
1. NIST Framework Objectives - Continued
• Identify – Asset Management – Governance – Risk Assessment
• Protect – ITGCs (Access Control) – Awareness and Training – Data Security – Information/Asset Protection – Maintenance – Protective Technology
27
• Detect – Monitoring
• Respond – Planning – Communications – Analysis – Mitigation
• Recover – Improvement
1. NIST Framework Implementation
2. Understand the Environment
• Operating environment • Hardware type and location • Applications • Databases • File systems • Security • Network architecture • Third-parties • Middleware
29
2. Start with Asset Identification • Identify all assets:
– Databases – Files – Servers – Applications – Hardware – Web sites
• Asset classification – Location – Owner – Usage – Type – Status – Risk level
30
3. Assess Risk • Identify risks (interviews, artifact review) • Assign risk ranking • Determine risk tolerance • Address areas at or above threshold • Isolate/note threats covered by standard ITGCs • Look at external and internal threats, and differentiate
between them • Added emphasis on areas inherent to cybersecurity (see
CSC) • Identify recent/ongoing changes in the environment
3. Assessing Risk: Common Mistakes
• Not understanding the environment (see step 2) • Avoiding unfamiliar technical content • Underestimating the complexity of cybersecurity
threats and/or overestimating internal audit’s knowledge of network architectures
• Not allocating sufficient time for a comprehensive review
• Making assumptions about IS’s level of knowledge/proficiency (taking them at their word)
3. Technical Proficiency: What’s Wrong With This Picture?
33
3. Typical Network Security Questions
• Security policy?
• Network diagram?
• Firewall and intrusion detection/prevention?
• DMZ?
• Anti-virus/malware?
• Server hardening standards?
• Vulnerability scan and penetration test performed?
• Logging and monitoring?
34
3. Enlisting the Help of Security Professionals • Benefits of Utilizing External Specialists
– Cost – Expertise – Independence – Ability to focus – Benchmarking relative to other organizations
• Assessing Specialist Ability – Certifications – Examples – Experience – References 35
4. Build a Plan - Utilize Existing Control Frameworks as a Guide Council on Cybersecurity Top 20 Critical Security Controls (v5)
Area Critical Security Control Asset Management
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
Monitoring and Response
3. Maintenance, Monitoring, and Analysis of Audit Logs
4. Incident Response and Management Wireless/BYOD 5. Wireless Device Control
4. Utilize Existing Control Frameworks as a Guide (cont) Council on Cybersecurity Top 20 Critical Security Controls (v5)
Area Critical Security Control Logical Access 6. Limitation and Control of Network Ports,
Protocols, and Services 7. Controlled Use of Administrative
Privileges 8. Controlled Access Based on the Need to
Know 9. Account Monitoring and Control
Network Design 10. Boundary Defense 11. Secure Network Engineering
4. Utilize Existing Control Frameworks as a Guide (cont) Council on Cybersecurity Top 20 Critical Security Controls (v5)
Area Critical Security Control Server and Device Hardening
12. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
13. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Human Resources 14. Security Skills Assessment and Appropriate Training to Fill Gaps
Area Critical Security Control Vulnerability and Pen Testing
15. Continuous Vulnerability Assessment and Remediation
16. Penetration Tests and Red Team Exercises
Application Security
17. Malware Defenses 18. Application Software Security
Data Management 19. Data Recovery Capability 20. Data Protection
4. Utilize Existing Control Frameworks as a Guide (cont) Council on Cybersecurity Top 20 Critical Security Controls (v5)
4. Align Control Objectives with Controls
40
Control Objective Controls Attacks and breaches are identified and treated in a timely and appropriate manner.
• Confirm monitoring and specific technical attack recognition solutions.
• Assess interfaces to security incident management and crisis management processes and plans.
• Evaluate the timeliness and adequacy of attack response.
4. Categorize Controls Based on Type of Risk
41
Source: ISACA
4. Categorize Controls Further (Org. Example)
42
Source: ISACA
5. Audit - Planning and Scoping
• Define the scope and clear boundaries – Vulnerability and penetration testing?
• Elaborate on audit objectives by adding audit activities
• Break down into manageable audits and reviews • Allocate resources responsible for audit execution
– Align skills/experience to risk and activity – Allot sufficient time to perform a comprehensive
review based on risk 43
6. Perform the Audit
• Communicate high/critical findings immediately • Look for changes/deviations from the expected
state • Collaborate with IS but don’t let them know exactly
when certain tests will be performed • Review with IS as-you-go
44
6. Useful Network Assessment Tools • Netcraft.com (website IP address and configuration) • NMAP (network address and port scanner) • Nipper (firewall/appliance configuration scan) • Vulnerability Scanners
– PCAT – Nessus – Nexpose – OpenVAS
• Penetration Test – Metasploit – w3af
• Iasa.disa.mil/stigs (Security Technical Implementation Guides) • Nist.gov
– Security Configuration Checklists Program – National Vulnerability Database
45
7. Identify/Remediate Vulnerabilities
• Review with IS and validate finding • Assign risk rating • Development a remediation plan with IS
– Establish action plan – Assign responsibility – Assign timeline
• Update documentation/communication as necessary • Review findings with management
46
8. Monitor/Refresh
• Evaluate IS compliance with established action plans
• Communicate deviations from action plans with management
• Monitor existing IS and business activities that may impact action plans or inherent risks
• Strive for continuous monitoring to ensure rapid communication and remediation cycles
47
8. Static Compliance Model
48
8. Continuous Compliance
49
Recommendations - Tone at the top
Create and reinforce the perception/understanding of cybersecurity threats
• Established, supported and communicated by senior management
• Establish awareness that controls and processes have been specifically designed to prevent attacks – New hire orientation – Ongoing awareness and communication – Visible to the organization
50
Recommendations - Protecting Your Network
• Restrict Remote Access • Enforce Password and Lockout Policies • Block Malicious Web Content • Deploy Anti-Virus Software • Monitor Network Activity • Educate Employees • Restrict and Review User Access
51
Protecting Your Network - Continued
• Encrypt Devices • Harden Your Servers and Workstations • Network Security Best Practices
– Firewall – Segmentation
• Perform Independent Assessment of Network Vulnerabilities
• Monitor and Evaluate Third-Party Service Providers
52
Other Recommendations
• Educate and involve the audit committee • Integrate cyber risk strategy into the organization’s
strategic plan • Have a team dedicated to managing cyber threats • Automate as much as possible • Collaborate internally AND externally • Evaluate the need for insurance as a “safety net” to
other internal and external safeguards
53
54
What is a privacy incident going to cost me? Summary of Ponemon Institute’s 2012 Annual Cost of a Data Breach Report:
• Average cost and per record cost declined for the first time but remain significant, $5.5 million and $194, respectively.
• Direct costs are estimated at $59 per record. (legal counsel, notification letters, credit monitoring, etc.) The primary driver is legal defense costs.
Cost by industry class Per record
Average $194
Education $112
Retail $185
Healthcare $301
Financial Institutions $353
55
Type of Breach Expense Estimated Expense Amounts Estimated Total Cost
eDiscovery Litigation $100,000 + $1 per Record $1,100,000
Forensics Investigation $20,000 + $20 per Record $220,000
Public Relations $20,000 Flat Rate Estimate $20,000
Call Center 1M * $0.50 per person * 15% $75,000
Attorney Review of State Notification laws and State AG’s Flat Rate Estimate $10,000
Notification of 1M persons 1M * $1 per person $1,000,000
Optional Credit Monitoring 1M * $10 per person * 15% (Avg. of only 10%-20% accept it) $1,500,000
ID Fraud Remediation 1M * $1 per person $1,000,000
AG Fines & Penalties Average $100 to $300 per Record with a Cap. of $500,000 $500,000
FTC Fines and Penalties Estimate based upon required audits for 10 years at $75k per Audit $750,000
PCI Fines $1.62 per Record $1.620.000
Legal Defense/Damages $5 per Record $5,000,000
Total Cost - $12,795,000
Data Breach Calculator/Cat. Modeling Tool Number of Records Lost/Stolen: 1,000,000 in States Requiring Notification Data Taken: Social Security Numbers Number of Years of Credit Monitoring: 1 Year
56
Unplanned Cash Flows & Insurability
• State and/or federally mandated notification costs • Brand preservation:
– Voluntary notification, credit monitoring, public relations expense
• Defense and indemnity expense from 3rd party allegations • Regulatory defense costs • Regulatory & PCI fines and penalties • Forensic investigation, data restoration expenses, assets
damage • Business income loss & extra expense
57
Cyber/Privacy Liability Insurance Can Protect Against:
• Privacy violations – electronic and non-electronic • Intellectual property infringement • Security breaches • Internet, network programming errors and omissions • Business interruption causing loss of revenue and extra expense • Destruction, disclosure and theft of electronic data • Fines and penalties and punitive damages • Post-Event crisis management expenses • Regulatory defense, fines and penalties coverage • Cyber extortion
Questions
58
Chris Debo, CISA [email protected] 614-586-7108 Steven Earley, CISA, CISSP, CRISC, CFSA, ITILv3, MCP [email protected] 614-586-7115