3. Other SDAs have learned that…
1. We are never as safe or secure as we think we are
2. Nobody’s defenses can protect against a determined hacker
3. Networks and data systems are inherently insecure: there are always vulnerabilities that can be exploited
4. Your response is more important than your security software
5. Individuals enable hacking
People make mistakes by:
• Sharing passwords
• Using outdated software
• Losing or improperly discarding files
• Mishandling personal information
• Storing unencrypted personal information on laptops or easily lost mobile devices
• Circumventing information security controls:
  o Intentionally, for their own purposes;
  o In the mistaken belief that they can improve efficiency;
  o In narrow-mindedly thinking they “just need to get the job done” regardless of risk
6. What to Do?
1. Expect a breach and establish a response plan (Link to resources)
2. Purchase cyber insurance (a team to help you) (Link to resources)
3. Develop, implement and document policies and procedures (now)
4. Consider outsourcing some security aspects (e.g., 24/7 monitoring)
5. Have backups, backups of backups, and backups kept where an intruder on your network can’t reach them (offline or isolated) (Link to Backup resources)
6. Discover, then restrict, access to any system or report that contains sensitive information (Link to sensitive data resource)
7. Use an out-of-band communication method (Signal, Telegram)
7. What to Do? (continued)
8. Adopt a password manager (Link to resources)
9. Limit local admin accounts
10. Patch systems and applications
11. Use multi-factor authentication
12. Vet all third-party vendors (Link to Resources)
13. Risk management is everyone’s responsibility (train and engage them)
14. Secure your data systems (Link to resources)
8. Reduce reliance and burden on people
Start with people.
Policies set the framework that aligns people, processes and technology.
Policy without enforcement is a suggestion.
Processes reflect the needs of people in relation to policies and technology.
Success relies on all three: people, process and technology.
10. Cyber Incident Response Plan
Key elements to have in place before a cyber incident occurs include:
• A cyber incident response plan customized for the organization’s specific data systems (including cloud apps).
• Well-defined and assigned roles, so the appropriate individuals understand their duties.
• Communications plans, so the organization can efficiently communicate and explain reportable incidents.
(Link to IR Resources)
12. Colonial Pipeline & SDA Organizations
The US government issued an Executive Order requiring:
1. Multi-factor authentication (limit local admin accounts)
2. Zero trust (contain legacy systems)
3. Risk-based governance and compliance
4. Documented IR and communication plans
5. Vendor vetting (Link to template)

How SDA organizations compare with Colonial Pipeline:
Colonial Pipeline                      SDA Orgs
Access via VPN                         Access via RDP or VPN
Some multi-factor; passwords           Multi-factor: some to none; passwords
Access through a legacy system         Access through legacy systems
14. Governance Terminology
Policies: Formal statements produced and supported by senior management (approved by your board)
Standards: Mandatory courses of action or rules that give formal policies support and direction (approved by the leadership team)
Procedures: Detailed step-by-step technical instructions to achieve a goal or mandate (managed by the tech team)
15. Document Policies and Procedures
• Data Integrity Procedures (backups, retention, restore/overwrite authorization, etc.) (Link to templates)
• Data Governance Procedures (data handling, lifecycle, deletion, access control and authentication, etc.)
• Data Classification Procedures (PII, PCI, PHI, and how the entity stores, accesses and manages that data)
• Email Retention Policy and Procedures (email is one of our most significant internal liabilities)
• Incident Response Plan (policies and procedures) (Link to templates)
• Cyber Security (policies and procedures)
16. Mobile Issues / Demo
Deep fakes: spoofed voice
https://www.zdnet.com/article/forget-email-scammers-use-ceo-voice-deepfakes-to-con-workers-into-wiring-cash/
Identify the caller: use a pre-agreed code word before acting on any voice request to move money or change account details
PIN security: a 6-digit code with no pattern
Camera and mic can be turned on without permission
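The slide’s “no pattern” rule for PINs is easier to enforce than to explain. The following is an added illustration written for this page, not code from the deck; it flags the 6-digit PINs an attacker tries first (one repeated digit, straight runs up or down, a repeated short block, keypad straight lines, and anything that reads as a date). The sample PINs at the bottom are constructed, not real credentials.

```python
"""Added example for the "PIN security: 6-digit code, no pattern" slide.

Illustrative code written for this page, not from the deck. It flags the
6-digit PINs an attacker tries first: one repeated digit, straight runs up
or down, a short block repeated, keypad straight lines, and anything that
parses as a date. The sample PINs at the bottom are constructed.
"""
import re
from datetime import date

# Straight lines on a phone keypad (rows, columns, diagonals), both directions.
_KEYPAD_LINES = {"123", "456", "789", "147", "258", "369", "159", "357"}
_KEYPAD_LINES |= {s[::-1] for s in _KEYPAD_LINES}


def _date_like(pin: str) -> bool:
    """True if the PIN reads as MMDDYY, DDMMYY or YYMMDD (any two-digit year)."""
    for mm, dd in ((pin[0:2], pin[2:4]), (pin[2:4], pin[0:2]), (pin[2:4], pin[4:6])):
        try:
            date(2000, int(mm), int(dd))  # 2000 is a leap year, so 02/29 counts
            return True
        except ValueError:
            continue
    return False


def weak_pin_reasons(pin: str) -> list[str]:
    """Return the reasons a PIN is weak; an empty list means no pattern found."""
    if not re.fullmatch(r"\d{6}", pin):
        return ["must be exactly six digits"]
    reasons = []
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        reasons.append("all digits identical")
    # Step between neighbouring digits, mod 10: all +1 or all -1 is a run.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {9}:          # 123456, 890123, 654321
        reasons.append("sequential run")
    for block in (2, 3):                      # 121212, 123123
        if pin == pin[:block] * (6 // block):
            reasons.append(f"repeated {block}-digit block")
    if pin[:3] in _KEYPAD_LINES and pin[3:] in _KEYPAD_LINES:
        reasons.append("keypad straight lines")
    if _date_like(pin):
        reasons.append("reads as a date (MMDDYY, DDMMYY or YYMMDD)")
    return reasons


def is_acceptable_pin(pin: str) -> bool:
    """Policy check: accept only PINs with none of the patterns above."""
    return not weak_pin_reasons(pin)


if __name__ == "__main__":
    # Constructed sample PINs, not real credentials.
    for sample in ("111111", "123456", "121212", "147258", "071404", "830471"):
        verdict = weak_pin_reasons(sample) or ["ok"]
        print(sample, "->", "; ".join(verdict))
```

The date check is deliberately strict: roughly one random PIN in ten happens to parse as a date, and rejecting those costs the user nothing, whereas birthdays and anniversaries are exactly what a thief who has your wallet will try first.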
18. Ransomware Response
1. Start a log of all actions taken, by whom and when (Link to template)
2. Determine what is encrypted
3. Contain the affected system: pull the network cable and disconnect wireless (isolate it rather than powering it off)
4. Call your cyber insurance team ….
5. (Ransomware checklists)
6. Know in advance whether you are willing to pay
7. Check whether a decryption key is available for the ransomware family: www.nomoreransom.org
8. Determine whether you need to report a breach
9. Consider contacting local and federal law enforcement: www.ic3.gov
19. Monitor your Ministry & Life (Demo)
Google alerts: https://www.google.com/alerts
Hacked Account: https://haveibeenpwned.com/
Dark Web Scan: https://try.idx.us/cyberscan/
Public Records: http://publicrecords.searchsystems.net/
Image Search: https://yandex.com/images/
Metadata Viewer: http://exif.regex.info/exif.cgi
Take Control – Data Detox: https://datadetox.myshadow.org/en/home
20. Common Pitfalls to Avoid
• Emphasizing highly publicized but rare threats over basic cyber hygiene
• Treating cybersecurity as a one-off project instead of a key organizational component
• Not sustaining budget and human resources for cyber defenses
• Lack of vendor governance and oversight
21. More Common Pitfalls to Avoid
• Implementing the latest cybersecurity tools and technology instead of addressing the critical security controls (Link to CIS Controls v7 template)
• Commissioning independent security reports that only state the obvious
• No written information security program with supporting policies, processes and procedures
• Lack of governance and oversight
22. Legal Data Privacy Resources
Data Protection Laws of the World: https://www.dlapiperdataprotection.com/
US State Breach Notification Law Interactive Map: https://www.bakerlaw.com/BreachNotificationLawMap
State Laws Related to Internet Privacy: http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx
US state comprehensive privacy law comparison: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
GDPR compliance audit checklist: https://emtemp.gcom.cloud/ngw/globalassets/en/legal-compliance/documents/trends/gdpr-compliance-audit-checklist.pdf