A Hacker's Playground - Cyber Risks During COVID-19

David Roath / Partner
New York, NY
203.707.9788
droath@citrincooperman.com
Kevin Ricci / Principal
Providence, RI
401.421.4800
kricci@citrincooperman.com
CITRIN COOPERMAN’S TRAC PRACTICE
OCTOBER 14, 2020
A HACKER’S PLAYGROUND
CYBER RISKS DURING COVID-19
UNDERSTANDING YOUR RISKS DURING
UNCERTAIN TIMES

citrincooperman.com2
MEETING OBJECTIVE / AGENDA
SECTION 1
SECTION 2
SECTION 3
A LOOK AT THE FACTS
HACKING DEMOS
WHERE DO WE GO FROM
HERE?
INTRO AGENDA / ABOUT US
Q&A QUESTIONS FROM THE
AUDIENCE

PRESENTERS
Michael Camacho, CPA, CIA
Partner, Citrin Cooperman
TRAC Practice
mcamacho@Citrincooperman.com
401.567.2126
Matt Wagenknecht, CISSP, CEH, CREA
Director, Citrin Cooperman
TRAC Practice
mattw@Citrincooperman.com
401.421.4800

ABOUT CITRIN COOPERMAN
We are a top-25 nationally
recognized full-service assurance,
tax, and advisory firm with offices
conveniently located throughout the
United States, in addition to
locations in the United Kingdom,
India, and the Cayman Islands. Since
1979, we have steadily built our
business by helping companies and
high net worth individuals find smart
solutions. Whether your operations
and assets are located around the
corner or across the globe, we can
provide new perspectives on
strategies that will help you achieve
your short- and long-term goals.
Michael Camacho (mcamacho@citrincooperman.com)● Matt Wagenknecht (mattw@citrincooperman.com)

ABOUT OUR TRAC PRACTICE
TRAC Overview
In today’s environment, companies are exposed to mounting
risks associated with increased business complexity, technology
challenges, the growing regulatory environment, and
cybersecurity threats and breaches.
Business walks a fine line between risk and reward. Citrin
Cooperman’s Technology, Risk Advisory, and Cybersecurity
Practice (TRAC) offers integrated services in the areas of:
• IT Risk
• Risk Advisory including internal audits, SOX, and compliance
• Cybersecurity and privacy
We help focus on risk, so you can focus on what counts – your
business. Let us help you stay OnTRAC!
TECHNOLOGY, RISK ADVISORY, AND CYBERSECURITY (TRAC)

TRACOn Business walks a fine line between risk and reward
Let us help you stay OnTRAC
OnTRACBusiness walks a fine line between risk and reward
A LOOK AT THE FACTS
UNDERSTANDING
THE CYBERSECURITY
AND PRIVACY
LANDSCAPE

2020 – A Hacker’s Playground
The First Three Months of 2020
➢ Disruption, innovation, and change were common cybersecurity and privacy themes
➢ Cyber risk awareness was on the rise
Enter COVID-19
➢ Focus switched to remote workforce and ensuring connectivity and sustained operations
• VPN networks set-up recently “in a rush” to allow employees to work from home
• Vulnerabilities from the usage of unsecured personal computers and home networks
• A remote workforce can make it more difficult for IT staff to monitor and contain threats
➢ Social Engineering on the rise
• Attacks are up over 600% since February 2020
• Potential distractions increase likelihood of successful spear-phishing and malware attacks
➢ Other Risks
• Workforce reductions could lead to disgruntled employees
• Privacy concerns (e.g., Family, Amazon Echo, Unsecured video conferencing, Ad hoc remote access)

THE STATISTICS - CYBER THREAT LANDSCAPE
Global Average Cost per Breach:
$3.86M
Average Cost per Record
Compromised: $146
• Detection & Escalation: 28.8%
• Notification: 6.2%
• Ex-post Response: 25.6%
• Lost business cost: 39.4%
15.1 Billion Records Were Lost,
Stolen, or Exposed In 2019
Increase In the Number of Breaches
in 2019 vs 2018: 284%
Average Cost of a Breach Is 39.5%
Higher When Unprepared
Sources: Ponemon Institute/IBM Cost of a Data Breach Report -2020 & Verizon2020 Data Breach InvestigationReport

THE STATISTICS - CYBER THREAT LANDSCAPE (continued)
There Is a Cyber Attack Every 39
Seconds
43% of Cyber Attacks Target Small
Businesses
91% of Breaches Are the Result of
Phishing Attacks
Average Days to Detect a Breach:
207
Average Days to Contain a Breach:
73
Sources: Ponemon institute/IBM Cost of a Data Breach Report -2020 & Verizon2020 Data Breach Investigation Report

2019
THE FACTS - CYBER THREAT LANDSCAPE
➢ Hackers are industry agnostic
➢ COVID increases the likelihood of a data
breach at a time when companies are ill-
equipped to deal with the repercussions
➢ WFH distractions combined with
18,000,000 spear-phishing emails per day
is creating a perfect storm
➢ The recession created by COVID makes it
more difficult for companies to recover
from an attack
2016
2017
2008
2009
2010
2011
2012
2013
2014
2007
2015
HackingTeam
2018
2020

TRAC EXPERIENCE- CYBER THREAT LANDSCAPE
Incidents/Breaches TRAC has been involved with by year:
➢ Compared to 3 in 2017 and 2018 combined
➢ 17 in 2019
➢ 15 in 2020 (through October 10th)
Breaches are more sophisticated, on a large scale, and have greater impact
Average business downtime during a breach:
➢ One to two weeks (longest just over a month)
Average cost of breach response:
➢ Incident/breach response for small business range from $10,000 - $100,000+
➢ Exponentially higher for downtime, legal fees, tech expenditures, etc.

WHO ARE THE PLAYERS

WHAT DO THEY WANT
Defense, National
Security, Critical
Infrastructure

2020 – A Hacker’s Playground
The Path Forward
➢ Preparation, planning, and strong leadership is crucial to address the new cybersecurity and privacy
landscape
➢ Developing a comprehensive playbook to navigate change will be necessary
It all starts with understanding your risk!

A HACKER’S PLAYGROUND
HACKING DEMOS

HACKING IN THE COVID ERA

PHISHING IN THE COVID ERA

DEMO #1
PASSWORD HACKING DEMO

How password hashing works
Business walks a fine line between riskand reward. This set of services helps you manage uncertainty around IT Risk, Cybersecurity & Privacy,so you can focus on what
counts – your business. Let us help you stay OnTRAC!
Shared drive
Ub3rc00lPa$svvord1
186bf85b2b979e777628edabb5869929
Employee using a
shared drive
Hash algorithm
Can I have
access?
Yes!

How password stealing works
Business walks a fine line between riskand reward. This set of services helps you manage uncertainty around IT Risk, Cybersecurity & Privacy,so you can focus on what
Shared drive
Ub3rc00lPa$svvord1
186bf85b2b979e777628edabb5869929
Employee using a
shared drive
Hash algorithm
Can I have
access?
Yes!
186bf85b2b979e777628edabb5869929
Yes, also!

DEMO #2
RANSOMWARE DEMO

PARTING TIPS FROM THE HACKER
➢ Rapidly deployed solutions are rarely secure solutions
➢ Solutions that were good a year ago may no longer viable
➢ Daily monitoring of activity logs is required to detect initial malicious activity
➢ Your security is only as strong as your third-party service providers security

CLOSING REMARKS
WHERE DO WE GO
FROM HERE?

WHERE DO I START?
➢ UNDERSTAND your cyber-risk profile

WHERE DO I START?
➢ Be PROACTIVE in your approach to data security

6
Vulnerability Management Services
• Simulated “Bad-guy”
• Test your network and system controls before the
Hackers do
• Search for vulnerabilities which can allow for
potential attack vectors (penetration testing and
vulnerability assessments)
• Average rate per hour: $150 - $300
• Incident or breach response:
▪ Detection, forensics and analysis
▪ Containment, eradication and recovery
▪ Post incident remediation
▪ Average rate per hour: $350 - $500+

WHERE DO I START?
➢ Be PROACTIVE in your approach to data security
➢ Trust, but VERIFY
➢ Don’t forget COMPLIANCE
➢ EDUCATE your employees and clients

Q&A
QUESTIONS?

IT RISK, CYBERSECURITY & PRIVACY SERVICES
IT Risk and Cybersecurity Programs
• Virtual Chief Information Security Officer
(vCISO)
• IT Policy and Procedure Development
• Third-Party Risk Management
• Disaster Recovery / BCP
• IT / Cybersecurity Due Diligence
Cybersecurity & Privacy Business Risk and
Maturity Assessment
• SCORE Report
• Cybersecurity & Privacy Business Risk and
Maturity Assessment
• IT Risk Assessment
Threat and Vulnerability Management
• External and InternalNetwork Attack and
PenetrationTesting
• Spear-Phishing Campaign
• PhysicalSecurity Assessment
• Wireless Network Security Assessment
• Server Security Assessment
• Web ApplicationSecurity Assessment
• Network Device ConfigurationReviews
Incident Breach Preparedness and Response
• Incident Response Preparedness
• CyberSecure Incident Response and Forensics
Business walks a fine line between riskand reward. This set of services helps you manage uncertainty around IT risk, cybersecurity,and privacy, so you can focus on what
Compliance and Frameworks
• Cyber ComplianceServices
▪ PCI, HIPAA, GDPR, NIST, GLBA, CMMC
• Third-Party Assurance
▪ SSAE18 (SOC 1, 2, 3, Cybersecurity)
Data Mapping and Other Data Services
• Data Mapping
• DatabaseCreation and Other Data Services
• Data Analytics

CONTACT US
Michael Camacho, CPA, CIA
Partner, Citrin Cooperman
TRAC Practice
mcamacho@Citrincooperman.com
401.567.2126
Matt Wagenknecht, CISSP, CEH, CREA
Director, Citrin Cooperman
TRAC Practice
mattw@Citrincooperman.com
401.421.4800
WOULD YOU LIKE ADDITIONAL INFORMATION ON HOW CITRIN
COOPERMAN CAN HELP PROTECT THE PEOPLE, DATA, AND TECHNOLOGY
AT YOUR COMPANY?

A Hacker's Playground - Cyber Risks During COVID-19

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie A Hacker's Playground - Cyber Risks During COVID-19

Ähnlich wie A Hacker's Playground - Cyber Risks During COVID-19 (20)

Mehr von Citrin Cooperman

Mehr von Citrin Cooperman (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

A Hacker's Playground - Cyber Risks During COVID-19