The document discusses security awareness and the growing threat of cyber attacks and data breaches. It notes that malware has become more sophisticated, targeting data and businesses rather than just PCs. The impacts of data breaches can include high costs for businesses. It recommends practicing defense in depth across networks, endpoints, and security tools to balance risk and costs. Cyber/privacy breach insurance can help cover liabilities and costs imposed by laws and regulations in the event of a security incident.
1. April 26th, 2016
Security Awareness
Security is the degree of resistance to, or protection from, harm.
…if security breaks down, technology breaks down
3. Goal for Today
• Current Security Landscape
• The Impact of Data Breach or Data Loss
• Raise everyone’s overall awareness
• Security risks
• Techniques to reduce risk
• Changes in Strategy
• What should and can we be doing?
Protecting People, Property and Business Assets
4. Security is a Growing Concern
“The AV-TEST Institute registers over 390,000 new malicious programs every day”
https://www.av-test.org
5. Malware has Changed
Then
• Low Business Impact
• Less Sophisticated
• Targeted PCs
Now
• High Business Impact
• High Sophistication
• Targets Data
[Chart: Organizational Risk, Then vs. Now, plotted against Visibility (High to Low)]
10. Attackers Evolve, Adapt and Accelerate
• Attackers are nimble, opportunistic, cooperative, skilled and relentless
• Their motivation, resiliency, and creativity drive great adaptability
• Acceleration in their methods, tools, and targets (technology, people, processes)
11. Attackers Evolve, Adapt and Accelerate
• Dark markets and services grow
• New data breach targets emerge
• Attacks will drive down the technology stack
• Data
• Apps
• Operating Systems
• Firmware
• Hardware
• Ransomware and “CEO email” fraud rise
12. Phishing
• 80% of infections stem from massive e-mail attacks
• Phishing vs. spear phishing
• Attackers are aware of 3rd-party relationships between large targets and smaller service providers
25. Defense in Depth Example
Internet
Firewall
Antivirus
Antispyware
Intrusion Prevention
Antivirus & Antimalware
26. Defense in Depth
The idea behind “Defense in Depth” is to defend your data and systems against any particular attack, using several independent methods.
Perimeter
• Firewall
• CGSS
• IPS
Internal Network
• Policies
• Access Rights
• Monitoring
Endpoint
• Antivirus
• Anti Malware
• Cloud Security
28. The United States is the most targeted country in the world.
FireEye Cyber Threat Map
29. Who are we trying to protect against?
• Nation States
• Insiders
• Organized Crime
• Other Companies
• Thrill Seekers
• Notoriety
• Political Activists
30. How do they do it?
• Poorly configured systems using default passwords and weak settings
• Exploiting known vulnerabilities, which are easy to find
• Metasploit
• CGE (Cisco Global Exploiter)
• Password cracking tools to break weak passwords
• Social engineering / email
• Planting infections in web sites
• Real examples
31. Tools and Techniques Summary
• Train network users to have a healthy level of skepticism
• Keep software up to date
• Least-privilege access
• Encrypt data in transit and on mobile devices
• Segment and isolate networks
• Documented and tested DR plan
• Regular tests/auditing to ensure measures are effective
• Data loss protection tools
32. Summary
• Seek an optimal balance of risk/cost for your business
• Understand what we are protecting
• Treat security as an ongoing concern
• Not “set it and forget it”
• Ongoing security awareness training
34. Why Cyber/Privacy Breach Liability Insurance?
• Both the federal government and each of the 50 states impose certain actions upon persons/entities/businesses/agencies who maintain personal information on systems or computers in the event of a breach or suspected breach.
• “Certain actions” could include written notice to all impacted individuals, purchase of individual identity protection for 1 year (“LifeLock”), credit report monitoring for each impacted individual, and monetary responsibility for financial losses to the impacted individuals.
• There is NO insurance coverage for any of these items absent a cyber/privacy breach liability policy.
• The existence of statute and the absence of insurance create an unfunded potential liability.
35. What Perils Will Cyber/Privacy Breach Insure For?
• Liability imposed by statute
• Regulatory defense and penalties
• PCI fines and expenses
• Notification of individuals expenses
• Legal services/crisis management/public relations services
• Cyber extortion
• Specific coverage parts can be bought “à la carte” or are offered as a “bundle” depending on specific need.
36. What Perils Will Cyber/Privacy Breach NOT Insure For?
• Failure to perform professional duties in a satisfactory manner (e.g. systems designs, software build).
• Loss of digital assets (data).
• Loss of revenue (unless specifically added to the cyber policy).
• First party theft of money/securities.
37. Premium Drivers
• Revenues/Size of the organization or business.
• # of records/contacts in the possession of the entity.
• Past claim history.
• Industry group (low risk versus high risk).
• Limits of insurance purchased/deductibles taken.
• Specific coverage parts purchased.
• Presence of systems safeguards/professional handling of IT exposures.
38. Availability of Insurance
• Evolving market: some new entrants, some have left the market. Some names you will recognize (AIG), some you will not (Beazley).
• Insurance policies, generally, have been adding more coverage in recent years.
• Insurance pricing, generally, has declined a bit in recent years.
• Application process remains fairly simple: complete a written application (2 to 10 pages) and provide any requested documentation.
• If an application is denied, carriers will tell you why.
39. Claim Examples
• Accounting firms: systems are hacked, private info stolen.
• Ad agency: disgruntled employee provides ‘per click’ data to a competitor of the firm’s client. Client sues for breach of contract/confidentiality.
• Not-for-profit group: loss of a donor list.
• Country club/golf course: credit card transactions are hacked. Loss of cash and private information.
• Hacking from outside / “inside job” / carelessness.
40. Cyber/Privacy Breach Insurance Impacts
• In 2011, 35% of all Zurich Ins. Co. survey respondents bought cyber insurance; by 2015, the figure was 61%.
• Of cyber attacks experienced by 252 sample employers, 99% were viruses/worms/trojans (high end) with 35% caused by malicious insiders (low end). (Ponemon Institute 2015 Study)
• Average claim cost due to cyber events was $1,388 per capita for small firms; $431 per capita for large firms. (Ponemon Institute 2015 Study)
Jim….. Besides making everyone as paranoid as me, my goal here today is to….
Buddy
Buddy
Buddy …. We focus a little more on malware because it can create back doors, exfiltrate data, slow systems down and more
Buddy….. Comparison from 2012 through today from a strategy standpoint and how we address
Jim ….
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets, intellectual property, etc.
Costs of fines
Insurance
Jim….
Lots of statistics which vary somewhat but all convey the same message.
Companies that experience an outage lasting more than 10 days will have financial challenges
50% of those companies will be out of business in 5 years
The National Cyber Security Alliance indicates 60% of small firms go out of business within 6 months of a breach
25% will never reopen after a major data loss
70% of small firms that experience a major data loss will go out of business in a year
85% of all breaches happen to small businesses
In a 2015 study by IBM, they report that the average cost for each lost or stolen record containing sensitive and confidential information rose from $145 to $154 per record. The JP Morgan data breach in 2014 affected 76 million households and 7 million small businesses. Now, JPMorgan never announced the exact cost, but they did announce a $250 million a year spend on security. Now the math would indicate that the breach cost them over 12.7 billion dollars.
Buddy
Buddy…
Malware for rent
Customer support for malware
Firmware/hardware attacks are up and coming: lack of security on IoT devices; updates are required
----Shodan
Buddy
Buddy…
Targeted or spear phishing example
Automated vs manual
Buddy
Buddy
We know stolen credit cards are a sought-after commodity. What if you wanted to buy them? Here is a site that sells the stolen cards. They even guarantee that 80% of them will work!
Here is a hacker for hire that does some messed up stuff:
Jim….
Anybody want to guess the amount of time it took for a company to realize they have been breached…
According to the same IBM study, a malicious attack on average took 256 days before it was discovered and breach…..
Before anything was known
Most of the time the detection is provided by a third party, like the FBI.
Jim…
Security is nothing new. It dates all the way back to the beginning of mankind, when our friendly caveman carried a club simply to protect his cave.
Jim or Buddy
Jim
As man developed, so did the methods of protection that were required during whatever period we’re talking about. In medieval times there was armor and moats around castles. This may have been considered the beginning of defense in depth. You’d have to get through the armored guard outside the castle, somehow cross the alligator-infested waters, and then no doubt be met inside with additional resistance or protection before ever getting to the crown jewels. It’s really this concept that we try to establish today when architecting IT security. No more is it simply the caveman at the gate.
So we have in this example
Jim or Buddy
Jim
It adds context to different methods of protecting the crown jewels of organizations
Jim
Jim
Jim
Example: recently I was working with a client that was having constant account lockouts, and we quickly determined it was coming from outside. I ran a scan from my home and within 1 minute determined the domain name and computer name, and I could have easily determined vulnerabilities and attempted to exploit them…
Another example: I performed a scan on an internal network and discovered an undocumented device which had ports 53 and 80 open and listening. Not being sure what it was, I pulled up a browser and discovered it was a wireless router. So I identified the model, on a hunch went to my friendly Google to get the default uid/pwd, and bingo, I was in. Now the SSID did have a “strong” password for WPA2 security, but it didn’t make any difference… again, a poorly configured system.
A third recent example: I was performing an assessment, and as part of the process I like to interview people. So I asked if there was any sensitive data on the network and, if so, where. I wanted to check permissions on the folder. The crown-jewel folder had full open access to all users, and it did contain sensitive data, like W-2s, workers’ comp data, etc.
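The third situation above, as an added example that is not part of the talk: a Python check that reads the text printed by the Windows `icacls` command and flags folders where broad groups (Everyone, Users, Authenticated Users, Domain Users) hold write-level rights, plus any access by those groups to folders that staff interviews named as sensitive. The sample `icacls` output, the share paths and the CORP domain name are constructed assumptions, not real systems.

```python
import re

# Groups that effectively mean "everyone" (CORP is an assumed domain name).
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                    "NT AUTHORITY\\Authenticated Users", "CORP\\Domain Users"}
WRITE_RIGHTS = {"F", "M", "W", "D"}  # icacls simple rights that change data
# Constructed icacls output for three share folders (no real system was scanned).
SAMPLE_ICACLS = """\
D:\\Shares\\HR\\Payroll Everyone:(OI)(CI)(F)
                       CORP\\HR-Admins:(OI)(CI)(F)
D:\\Shares\\HR\\Benefits CORP\\Domain Users:(OI)(CI)(RX)
                        CORP\\HR-Admins:(OI)(CI)(M)
D:\\Shares\\Public BUILTIN\\Users:(OI)(CI)(RX)
                  CORP\\IT:(OI)(CI)(F)
Successfully processed 3 files; Failed processing 0 files
"""
# An ACE is PRINCIPAL:(flags)...(rights); the last parenthesised group is rights.
ACE_RE = re.compile(r"^(?P<who>.+?):(?:\([^)]*\))*\((?P<rights>[^)]*)\)$")

def parse_icacls(text):
    """Map each folder to its ACEs as (principal, set of right codes). Assumes
    paths without spaces: icacls prints the path with the first ACE on one line
    and indents the remaining ACEs under it."""
    acls, folder = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully"):
            continue
        if not raw.startswith(" "):          # unindented: path + first ACE
            folder, ace = raw.strip().split(" ", 1)
            acls[folder] = []
        else:
            ace = raw.strip()
        m = ACE_RE.match(ace)
        if m and folder is not None:
            acls[folder].append((m["who"], set(m["rights"].split(","))))
    return acls

def find_exposures(acls, sensitive_folders=()):
    """Return (folder, principal, level) for each grant to a broad group: write
    rights anywhere, read rights on folders staff identified as sensitive."""
    findings = []
    for folder, aces in acls.items():
        for who, rights in aces:
            if who not in BROAD_PRINCIPALS:
                continue
            if rights & WRITE_RIGHTS:
                findings.append((folder, who, "write"))
            elif folder in sensitive_folders:
                findings.append((folder, who, "read"))
    return findings
```

On a real share, feed `parse_icacls` the captured output of `icacls <folder>` for each folder named in the interviews; the Payroll-style "Everyone: Full Control" grant is the finding the note above describes.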
So what are we to do….
Jim or Buddy
Wireless guest access
Crypto
Passwords vs pass phrases