Cybersecurity Threats to Nonprofits

Chris Debo Senior Manager, IT Audit August 14, 2014

What is Cybersecurity?

• NIST definition: – “The process of protecting information by preventing,

detecting, and responding to attacks. “ – Key: PROTECTING INFORMATION ---------->

• Threats not limited to Internet hackers – Social engineering – Phishing – Disgruntled employees – Human error

2

• Theft • Misuse • Manipulation • Damage • Loss

Learning Objectives

1. Understand Cybersecurity 2. Assess Current State of Cybersecurity Threats 3. Effectively Assess Risk 4. Build an Execute a Plan to Mitigate Risk 5. Navigate Barriers to Success 6. How to Monitor and Evolve 7. Evaluate Need for Cybersecurity Insurance

3

What Cybercrimals Steal – And Why

• Bank credentials – Theft of funds

• Personally Identifiable Information (PII) – Identity theft

• Debit/credit card data – Access to credit, sale of data

• Intellectual property, data, other content – Blackmail, sale of data, avoid paying IP royalties, sabotage

4

Verizon Data Breach Report

Verizon Data Breach Report – Biggest Takeaways

• Employees at core of most attacks – Stolen credentials primary cause 80% of time – 78% of intrusions “relatively easy”

• Social engineering most common attack vector – Phishing – Gaining unauthrorized physical access (“tailgating”) – Targeted telephone calls – Personal solicitation attempts – Distribution of rogue devices – “Dumpster diving”

Verizon Data Breach Report – Other Takeaways

• 92% of breaches came from outside the organization – 55% from organized crime – 19% affiliated with other state agencies

• 75% of breaches driven by financial motives • 76% exploited weak or stolen credentials • 69% discovered by external parties • 66% took months or more to discover • 75% of attacks were opportunistic (companies not

targeted directly)

7

Verizon Data Breach Report – Industry Dispersion

8

Verizon Data Breach Report – Attack Origin

9

Verizon Data Breach Report – Malware Sources

10

Attackers Time to Exploit Vulnerability versus…

Source: Verizon Risk

11

…Organization’s Ability to Defend

Source: Verizon Risk

12

Notable Data Breaches in US History

• 2013 Target – 110 million customers (40 million credit cards)

• 2013 Adobe Systems – 130 million customers • 2011 Sony – 77 million customers • 2008 Heartland Payment Systems – 130 million

customers • 2007 TJX Companies – 94 million customers (46 million

credit card) • 1984 TRW/Sears – 90 million customers

Source: CNN Money

Target Breach

14

Target Response to Hack • Target had already deployed $1.6 million malware detection tool (FireEye).

– Round-the-clock monitoring from security specialists in Bangalore • November 30: FireEye detects loading of exfiltration software.

– Target security team in Minneapolis notified – No action taken

• Mid-December: Security experts monitoring underground markets for stolen data detect large influx of credit card information. – US Department of Justice notified

• December 12: Target notified by Department of Justice of potential breach.

• December 15: Target confirms breach. • December 19: Target releases public statement confirming breach. • March 5: Target CIO Beth Jacob resigns

15

Target Control Failures

16

Target Breach – Inherent Flaws

17

• Flaws in system design – Lack of network segmentation – Lack of encryption of credit card data while stored

in RAM • Flaws in internal control

– Lack of third-party oversight and compliance – Lack of monitoring and reaction

Is Your Organization Prepared?

Source: IIA Tone at the Top; April 2014

Information Security’s Role in Combatting Threats

• Design and implement security plan • Respond to threats • Maintain vigilance and level of knowledge • Identify, understand and respond to changes in the

operating environment • Provide timely, accurate and complete information to

Internal Audit

19

Management’s Role in Combatting Cyber Threats

• Set tone at the top • Evaluate and approve strategy • Assess and evaluate the functioning of plan • Communicate findings and monitor remediation

activities • Build advisory relationship with IS • Maintain frequent collaboration and interaction with IS • Maintain level of diligence and knowledge about cyber

security

20

Steps for an Effective Cybersecurity Strategy

1. Adopt a Framework 2. Understand the Environment 3. Assess Risk 4. Build and Implement a Cybersecurity Plan 5. Audit the Environment - Planning and Scoping 6. Audit the Environment – Execute the Audit 7. Identify/Remediate Vulnerabilities 8. Monitor/Refresh

21

1. Adopt a Framework - Examples • ISO 27000 Series • Department of Energy

– Cybersecurity Capability Maturity Model (C2M2) • Electronic Subsector (ES-C2M2) • Oil and Gas Subsector (ONG-C2M2)

• National Institute of Standards and Technology (NIST) – Cybersecurity Framework – Roadmap for Improving Critical Infrastructure Cybersecurity

• National Initiative for Cybersecurity Education (NICE) – Capability Maturity Model (CMM)

• ISACA - Transforming Cybersecurity Using COBIT 5

1. C2M2 Maturity Levels

23

1. C2M2 – Recommended Approach

24

1. Areas Covered in C2M2

• Risk Management • Asset, change, and configuration management • Identity and access management • Threat and vulnerability management • Situational Awareness • Information sharing and communications • Event and incident response, continuity of operations • Supply chain and external dependencies management • Workforce management • Cybersecurity program management

25

1. NIST Framework Objectives

1. NIST Framework Objectives - Continued

• Identify – Asset Management – Governance – Risk Assessment

• Protect – ITGCs (Access Control) – Awareness and Training – Data Security – Information/Asset Protection – Maintenance – Protective Technology

27

• Detect – Monitoring

• Respond – Planning – Communications – Analysis – Mitigation

• Recover – Improvement

1. NIST Framework Implementation

2. Understand the Environment

• Operating environment • Hardware type and location • Applications • Databases • File systems • Security • Network architecture • Third-parties • Middleware

29

2. Start with Asset Identification • Identify all assets:

– Databases – Files – Servers – Applications – Hardware – Web sites

• Asset classification – Location – Owner – Usage – Type – Status – Risk level

30

3. Assess Risk • Identify risks (interviews, artifact review) • Assign risk ranking • Determine risk tolerance • Address areas at or above threshold • Isolate/note threats covered by standard ITGCs • Look at external and internal threats, and differentiate

between them • Added emphasis on areas inherent to cybersecurity (see

CSC) • Identify recent/ongoing changes in the environment

3. Assessing Risk: Common Mistakes

• Not understanding the environment (see step 2) • Avoiding unfamiliar technical content • Underestimating the complexity of cybersecurity

threats and/or overestimating internal audit’s knowledge of network architectures

• Not allocating sufficient time for a comprehensive review

• Making assumptions about IS’s level of knowledge/proficiency (taking them at their word)

3. Technical Proficiency: What’s Wrong With This Picture?

33

3. Typical Network Security Questions

• Security policy?

• Network diagram?

• Firewall and intrusion detection/prevention?

• DMZ?

• Anti-virus/malware?

• Server hardening standards?

• Vulnerability scan and penetration test performed?

• Logging and monitoring?

34

3. Enlisting the Help of Security Professionals • Benefits of Utilizing External Specialists

– Cost – Expertise – Independence – Ability to focus – Benchmarking relative to other organizations

• Assessing Specialist Ability – Certifications – Examples – Experience – References 35

4. Build a Plan - Utilize Existing Control Frameworks as a Guide Council on Cybersecurity Top 20 Critical Security Controls (v5)

Area Critical Security Control Asset Management

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

Monitoring and Response

3. Maintenance, Monitoring, and Analysis of Audit Logs

4. Incident Response and Management Wireless/BYOD 5. Wireless Device Control

4. Utilize Existing Control Frameworks as a Guide (cont) Council on Cybersecurity Top 20 Critical Security Controls (v5)

Area Critical Security Control Logical Access 6. Limitation and Control of Network Ports,

Protocols, and Services 7. Controlled Use of Administrative

Privileges 8. Controlled Access Based on the Need to

Know 9. Account Monitoring and Control

Network Design 10. Boundary Defense 11. Secure Network Engineering

4. Utilize Existing Control Frameworks as a Guide (cont) Council on Cybersecurity Top 20 Critical Security Controls (v5)

Area Critical Security Control Server and Device Hardening

12. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

13. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Human Resources 14. Security Skills Assessment and Appropriate Training to Fill Gaps

Area Critical Security Control Vulnerability and Pen Testing

15. Continuous Vulnerability Assessment and Remediation

16. Penetration Tests and Red Team Exercises

Application Security

17. Malware Defenses 18. Application Software Security

Data Management 19. Data Recovery Capability 20. Data Protection

4. Utilize Existing Control Frameworks as a Guide (cont) Council on Cybersecurity Top 20 Critical Security Controls (v5)

4. Align Control Objectives with Controls

40

Control Objective Controls Attacks and breaches are identified and treated in a timely and appropriate manner.

• Confirm monitoring and specific technical attack recognition solutions.

• Assess interfaces to security incident management and crisis management processes and plans.

• Evaluate the timeliness and adequacy of attack response.

4. Categorize Controls Based on Type of Risk

41

Source: ISACA

4. Categorize Controls Further (Org. Example)

42

Source: ISACA

5. Audit - Planning and Scoping

• Define the scope and clear boundaries – Vulnerability and penetration testing?

• Elaborate on audit objectives by adding audit activities

• Break down into manageable audits and reviews • Allocate resources responsible for audit execution

– Align skills/experience to risk and activity – Allot sufficient time to perform a comprehensive

review based on risk 43

6. Perform the Audit

• Communicate high/critical findings immediately • Look for changes/deviations from the expected

state • Collaborate with IS but don’t let them know exactly

when certain tests will be performed • Review with IS as-you-go

44

6. Useful Network Assessment Tools • Netcraft.com (website IP address and configuration) • NMAP (network address and port scanner) • Nipper (firewall/appliance configuration scan) • Vulnerability Scanners

– PCAT – Nessus – Nexpose – OpenVAS

• Penetration Test – Metasploit – w3af

• Iasa.disa.mil/stigs (Security Technical Implementation Guides) • Nist.gov

– Security Configuration Checklists Program – National Vulnerability Database

45

7. Identify/Remediate Vulnerabilities

• Review with IS and validate finding • Assign risk rating • Development a remediation plan with IS

– Establish action plan – Assign responsibility – Assign timeline

• Update documentation/communication as necessary • Review findings with management

46

8. Monitor/Refresh

• Evaluate IS compliance with established action plans

• Communicate deviations from action plans with management

• Monitor existing IS and business activities that may impact action plans or inherent risks

• Strive for continuous monitoring to ensure rapid communication and remediation cycles

47

8. Static Compliance Model

48

8. Continuous Compliance

49

Recommendations - Tone at the top

Create and reinforce the perception/understanding of cybersecurity threats

• Established, supported and communicated by senior management

• Establish awareness that controls and processes have been specifically designed to prevent attacks – New hire orientation – Ongoing awareness and communication – Visible to the organization

50

Recommendations - Protecting Your Network

• Restrict Remote Access • Enforce Password and Lockout Policies • Block Malicious Web Content • Deploy Anti-Virus Software • Monitor Network Activity • Educate Employees • Restrict and Review User Access

51

Protecting Your Network - Continued

• Encrypt Devices • Harden Your Servers and Workstations • Network Security Best Practices

– Firewall – Segmentation

• Perform Independent Assessment of Network Vulnerabilities

• Monitor and Evaluate Third-Party Service Providers

52

Other Recommendations

• Educate and involve the audit committee • Integrate cyber risk strategy into the organization’s

strategic plan • Have a team dedicated to managing cyber threats • Automate as much as possible • Collaborate internally AND externally • Evaluate the need for insurance as a “safety net” to

other internal and external safeguards

53

54

What is a privacy incident going to cost me? Summary of Ponemon Institute’s 2012 Annual Cost of a Data Breach Report:

• Average cost and per record cost declined for the first time but remain significant, $5.5 million and $194, respectively.

• Direct costs are estimated at $59 per record. (legal counsel, notification letters, credit monitoring, etc.) The primary driver is legal defense costs.

Cost by industry class Per record

Average $194

Education $112

Retail $185

Healthcare $301

Financial Institutions $353

55

Type of Breach Expense Estimated Expense Amounts Estimated Total Cost

eDiscovery Litigation $100,000 + $1 per Record $1,100,000

Forensics Investigation $20,000 + $20 per Record $220,000

Public Relations $20,000 Flat Rate Estimate $20,000

Call Center 1M * $0.50 per person * 15% $75,000

Attorney Review of State Notification laws and State AG’s Flat Rate Estimate $10,000

Notification of 1M persons 1M * $1 per person $1,000,000

Optional Credit Monitoring 1M * $10 per person * 15% (Avg. of only 10%-20% accept it) $1,500,000

ID Fraud Remediation 1M * $1 per person $1,000,000

AG Fines & Penalties Average $100 to $300 per Record with a Cap. of $500,000 $500,000

FTC Fines and Penalties Estimate based upon required audits for 10 years at $75k per Audit $750,000

PCI Fines $1.62 per Record $1.620.000

Legal Defense/Damages $5 per Record $5,000,000

Total Cost - $12,795,000

Data Breach Calculator/Cat. Modeling Tool Number of Records Lost/Stolen: 1,000,000 in States Requiring Notification Data Taken: Social Security Numbers Number of Years of Credit Monitoring: 1 Year

56

Unplanned Cash Flows & Insurability

• State and/or federally mandated notification costs • Brand preservation:

– Voluntary notification, credit monitoring, public relations expense

• Defense and indemnity expense from 3rd party allegations • Regulatory defense costs • Regulatory & PCI fines and penalties • Forensic investigation, data restoration expenses, assets

damage • Business income loss & extra expense

57

Cyber/Privacy Liability Insurance Can Protect Against:

• Privacy violations – electronic and non-electronic • Intellectual property infringement • Security breaches • Internet, network programming errors and omissions • Business interruption causing loss of revenue and extra expense • Destruction, disclosure and theft of electronic data • Fines and penalties and punitive damages • Post-Event crisis management expenses • Regulatory defense, fines and penalties coverage • Cyber extortion

Questions

58

Chris Debo, CISA cdebo@schneiderdowns.com 614-586-7108 Steven Earley, CISA, CISSP, CRISC, CFSA, ITILv3, MCP searley@schneiderdowns.com 614-586-7115