0 ARE YOU CYBER SECURE? SIMPLE WAYS TO IMPROVE YOUR CYBER HEALTH & WELLNESS MASSACHUSETTS LEAGUE OF COMMUNITY HEALTH CENTERS MAY 3, 2017 Presented by: Sumit Pal, CISA, CGEIT, CRISC, MBA, Principal and Team Leader, Cyber Secure Services

ARE YOU CYBER SECURE?

May 14, 2022

Transcript
Page 1: ARE YOU CYBER SECURE?

0 ARE YOU CYBER SECURE? SIMPLE WAYS TO IMPROVE YOUR CYBER HEALTH & WELLNESS MASSACHUSETTS LEAGUE OF COMMUNITY HEALTH CENTERS MAY 3, 2017

Presented by:

Sumit Pal, CISA, CGEIT, CRISC, MBA, Principal and

Team Leader, Cyber Secure Services

Page 2: ARE YOU CYBER SECURE?

1 AGENDA

Cybersecurity – Why such a big deal?

Impact of Breaches

Types of Attacks & Safeguards

How to deal with cyber risks, security requirements & leverage commitment to security practices?

Recommendations

Page 3: ARE YOU CYBER SECURE?

2 VIDEO: CAN IT HAPPEN TO ME?

Page 4: ARE YOU CYBER SECURE?

3

AGENDA

CYBERSECURITY – WHY SUCH A BIG DEAL?

Page 5: ARE YOU CYBER SECURE?

4 “INFORMATION IS THE NEW OIL!”

Companies are collecting and storing large amounts of data on a regular basis.

This data may include information about employees, customers, intellectual property/trade secrets and business operations.

This data has value to the companies producing/collecting it, to their competitors and to unknown third parties.

Page 6: ARE YOU CYBER SECURE?

5 BREACH STATISTICS

Source: BreachLevelIndex.com

Page 7: ARE YOU CYBER SECURE?

6

Source: BreachLevelIndex.com

2016: BREACH INCIDENTS BY TYPE

Page 8: ARE YOU CYBER SECURE?

7

Source: BreachLevelIndex.com

2016: BREACHES BY INDUSTRY

Page 9: ARE YOU CYBER SECURE?

8 MEDICAL CENTERS WITH CYBER INCIDENTS

• Great Falls Clinic, MT
• Renville County Hospital & Clinics, MN
• Brandywine Pediatrics, P.A., DE
• Desert Care Family and Sports Medicine, AZ
• 4D Sound Diagnostics, TX
• Office of Dr. Melissa D. Selke, MD
• Berkshire Medical Center / Ambucor, MA
• Wentworth-Douglass Hospital / Ambucor, NH
• HeartCare Consultants, FL
• Remedi SeniorCare, MD
• Rainbow Children's Clinic, TX
• Seven Hills Foundation, MA
• Thomasville Eye Center, GA
• Codman Square Health Center, MA
• KidsPeace, PA
• Athens Orthopedic Clinic, GA
• My Pediatrician, PA / Bizmatics, FL
• Patterson Dental Surgery, MA
• Massachusetts Eye and Ear Infirmary, Inc., MA
• Singh and Arora Oncology Hematology, PC, MI
• You and Your Health Family Care, Inc., FL
• Saint Agnes Medical Center, CA
• Clinton Health Access Initiative, MA

Page 10: ARE YOU CYBER SECURE?

9

Source: BreachLevelIndex.com

2016: BREACHES BY REGION

Page 11: ARE YOU CYBER SECURE?

10 NEWS WORTHY DATA BREACHES

Page 12: ARE YOU CYBER SECURE?

11 NEWS WORTHY DATA BREACHES

Page 13: ARE YOU CYBER SECURE?

12 NEWS WORTHY DATA BREACHES

Page 14: ARE YOU CYBER SECURE?

13 NEWS WORTHY DATA BREACHES

Page 15: ARE YOU CYBER SECURE?

14 NEWS WORTHY DATA BREACHES

Page 16: ARE YOU CYBER SECURE?

15 NEWS WORTHY DATA BREACHES

Page 17: ARE YOU CYBER SECURE?

16

AGENDA

IMPACT OF BREACHES

Page 18: ARE YOU CYBER SECURE?

17

Source: BreachLevelIndex.com

COST OF BREACHES

Page 19: ARE YOU CYBER SECURE?

18 SMALL & MEDIUM BUSINESS MYTH

I am too insignificant to attract the interest of cyber criminals!!

Page 20: ARE YOU CYBER SECURE?

19

“It is the data that makes a business attractive, not the size… especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property”

SMALL & MEDIUM BUSINESS MYTH

Page 21: ARE YOU CYBER SECURE?

20 SMB AN ATTRACTIVE TARGET.. WHY?

Automation allows modern cyber criminals to mass produce attacks with little investment!

“It’s easier to rob a house than a museum…”

The “porous” networks provide easy access.

Page 22: ARE YOU CYBER SECURE?

21 IMPACT OF BREACHES - SMB

Direct costs.. Just the tip of the Iceberg!

Page 23: ARE YOU CYBER SECURE?

22 IMPACT OF BREACHES

Page 24: ARE YOU CYBER SECURE?

23

AGENDA

TYPES OF ATTACKS & SAFEGUARDS

Page 25: ARE YOU CYBER SECURE?

24 1. PASSWORD ATTACKS

Attacker gains access to your systems by cracking a user’s password.

1. Dictionary Attacks
2. Brute Force
3. Rainbow Tables

Page 26: ARE YOU CYBER SECURE?

25 1. PASSWORD ATTACKS

These attacks work because of the use of weak passwords.
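As an added illustration (not code from the presentation), the following Python shows the two halves of the defence against the attacks listed above: rejecting passwords that a dictionary attack would try first, and storing passwords with a per-user random salt and a slow hash (PBKDF2-HMAC-SHA256) so that precomputed rainbow tables no longer apply. The weak-password list, the 12-character minimum and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords of the kind every cracking dictionary contains (placeholder data).
WEAK_DICTIONARY = {"password", "123456", "qwerty", "letmein", "welcome1"}


def is_weak(password: str) -> bool:
    """Registration-time check: reject passwords a dictionary attack would try first (12-char minimum is assumed)."""
    return password.lower() in WEAK_DICTIONARY or len(password) < 12


def unsalted_hash(password: str) -> str:
    """One unsalted SHA-256 pass: the storage style that dictionary and rainbow-table attacks target,
    because every user with the same password gets the same hash and a table can be built once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, iterations: int = 200_000) -> tuple:
    """Store a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest.
    The salt makes precomputed tables useless; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def unsalted_hashes_collide(pw_a: str, pw_b: str) -> bool:
    """Two users choosing the same password are indistinguishable in an unsalted store."""
    return unsalted_hash(pw_a) == unsalted_hash(pw_b)


def salted_digests_collide(pw_a: str, pw_b: str) -> bool:
    """With per-user salts the same password yields different digests, so one table cannot cover both."""
    _, digest_a = store_salted(pw_a)
    _, digest_b = store_salted(pw_b)
    return digest_a == digest_b


if __name__ == "__main__":
    print("weak:", is_weak("password"))
    print("unsalted collide:", unsalted_hashes_collide("password", "password"))
    print("salted collide:", salted_digests_collide("password", "password"))
    salt, digest = store_salted("correct horse battery staple")
    print("verify:", verify_salted("correct horse battery staple", salt, digest))
```

Both controls are needed: salting and slow hashing raise the cost per guess, but they cannot rescue a password that sits in the first few lines of every dictionary.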

Page 27: ARE YOU CYBER SECURE?

26 CYBER SECURITY TIP# 1

Easy to remember, complex passwords! A password should be:
• Long and complex
• Easy to remember
• Different for each website/application

Page 28: ARE YOU CYBER SECURE?

27 CYBER SECURITY TIP# 1

Pick your favorite song: “I drive your truck, I roll every window down”

Base password: the first letter of each word of the lyric: i d y t i r e w d (9 characters)

Add 1 number and 1 special character: 7* (11 characters)

Add a site-specific prefix: GM

Result: a 13-character-long unique complex password
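As an added worked example (not the presenter's code), this Python implements the construction on the slide and checks the result against the three rules of Tip #1. The "7*" pair, the "GM" site tag and the 13-character minimum are taken from the slide; the mixed-case rule and the uniqueness check across sites are assumptions added for the example.

```python
import re
import string


def mnemonic_from_phrase(phrase: str) -> str:
    """Take the first letter of each word of a memorable lyric, lowercased (the slide's 'base password')."""
    words = re.findall(r"[A-Za-z']+", phrase)
    return "".join(word[0].lower() for word in words)


def build_site_password(phrase: str, number_and_special: str = "7*", site_tag: str = "GM") -> str:
    """Base mnemonic + a digit/special pair + a site-specific tag, as laid out on the slide."""
    return mnemonic_from_phrase(phrase) + number_and_special + site_tag


def policy_problems(password: str, min_length: int = 13) -> list:
    """Return the list of rules the password fails; an empty list means it passes.
    The 13-character minimum is the slide's figure; the mixed-case rule is an assumption."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("not mixed case")
    return problems


def all_distinct_per_site(site_passwords: dict) -> bool:
    """'Different for each website/application': no password may be reused across sites."""
    values = list(site_passwords.values())
    return len(values) == len(set(values))


if __name__ == "__main__":
    lyric = "I drive your truck, I roll every window down"
    pw = build_site_password(lyric)
    print(pw, len(pw), policy_problems(pw))
    print(all_distinct_per_site({"GM": pw, "AM": build_site_password(lyric, site_tag="AM")}))
```

The checker is the part worth keeping: whatever scheme staff use to remember passwords, length, character mix and per-site uniqueness are what can be verified.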

Page 29: ARE YOU CYBER SECURE?

28 CYBER SECURITY TIP# 1

Page 30: ARE YOU CYBER SECURE?

29 CYBER SECURITY TIP# 2

Security questions… Thou shalt not answer them correctly!!

• What is your mother’s maiden name?
• What was the name of your first pet?
• What was the make of your first car?

Page 31: ARE YOU CYBER SECURE?

30 2. SOCIAL ENGINEERING ATTACK

Page 32: ARE YOU CYBER SECURE?

31 2. PHISHING

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Page 33: ARE YOU CYBER SECURE?

32 2. PHISHING: SAMPLE EMAIL

Sender Unknown

Looks like SPAM

Generic Emails

Page 34: ARE YOU CYBER SECURE?

33 2. PHISHING: SAMPLE EMAIL

Page 35: ARE YOU CYBER SECURE?

34 2. PHISHING: SAMPLE EMAIL

Page 36: ARE YOU CYBER SECURE?

35 CYBER SECURITY TIP# 3

“Think before you click.” Never click a link or attachment you did not expect to receive. How many of us wouldn't be swayed to click on at least one of these?

• ADP (payroll processor) themed email
• Voicemail (virtual PBX systems and softphones)
• eFax
• Invoices
• Package delivery (UPS, FedEx, especially during the holiday season)
• Social networking (Facebook, LinkedIn invitation)
• IRS
• Sports (NFL, NBA, baseball, World Cup soccer, etc.)

Page 37: ARE YOU CYBER SECURE?

36 3. SPEAR PHISHING: “CEO FRAUD”

Page 38: ARE YOU CYBER SECURE?

37 3. SPEAR PHISHING: “CEO FRAUD”

The largest known case of wire fraud from spear phishing to date: $46.7 million.

The attacker impersonated the CEO and authorized a wire transfer via email to the Chief Accounting Officer. $46.7 million was wired out of the company's Hong Kong subsidiary, and the Chief Accounting Officer resigned. This category of theft is also sometimes known as a “CEO fraud” or “business email compromise” scam.

Page 39: ARE YOU CYBER SECURE?

38 CYBER SECURITY TIP# 4

Between Oct 2013 and Feb 2016: $2.3 billion in losses (17,642 victims). 270% increase in instances since Jan 2015. Average loss per scam is between $25,000 and $75,000.

Be wary of e-mail-only wire transfer requests and requests involving urgency. Pick up the phone and verify legitimate business partners. Be cautious of mimicked e-mail addresses.
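The three warnings above can be turned into a mail-gateway or mailbox-side check. The following Python is an added example, not part of the presentation: it flags senders whose domain merely resembles a trusted partner's (one-character edits and common look-alike substitutions such as "rn" for "m"), and flags messages that combine a wire or transfer request with urgency language. The trusted domains, the substitution table, the urgency word list and the sample messages are all constructed placeholders.

```python
import re

# Constructed placeholders: domains the organisation legitimately exchanges payment instructions with.
TRUSTED_DOMAINS = {"examplepartner.com", "acmebank.example"}

# Common look-alike substitutions, folded back to the character they imitate (assumed list).
HOMOGLYPH_MAP = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Assumed urgency cues typical of wire-fraud requests.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential", "before close")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a mimicked domain is often one character away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Replace look-alike sequences so 'acrnebank' compares equal to 'acmebank'."""
    folded = domain.lower()
    for fake, real in HOMOGLYPH_MAP.items():
        folded = folded.replace(fake, real)
    return folded


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted but imitates a trusted one."""
    if domain in TRUSTED_DOMAINS:
        return False
    folded = fold_homoglyphs(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(domain, trusted) <= 1:
            return True
    return False


def assess_wire_request(sender: str, subject: str, body: str) -> list:
    """Return the reasons a message should be verified by phone before any money moves;
    an empty list means nothing was flagged."""
    domain = sender_domain(sender)
    text = (subject + " " + body).lower()
    mentions_wire = bool(re.search(r"\bwire\b|\btransfer\b|\bpayment\b", text))
    urgent = any(word in text for word in URGENCY_WORDS)
    reasons = []
    if is_lookalike(domain):
        reasons.append(f"sender domain {domain} resembles a trusted domain")
    if mentions_wire and urgent:
        reasons.append("wire/transfer request combined with urgency")
    if mentions_wire and domain not in TRUSTED_DOMAINS:
        reasons.append("wire/transfer request from an unverified domain")
    return reasons


if __name__ == "__main__":
    # Constructed sample message imitating the CEO-fraud pattern described on the slide.
    print(assess_wire_request("ceo@acrnebank.example", "Urgent: wire needed",
                              "Please transfer $50,000 today, keep this confidential."))
```

A non-empty result is a prompt for the out-of-band check the slide recommends (pick up the phone), not an automatic block; the look-alike check is deliberately simple and should be tuned against the organisation's own partner list.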

Page 40: ARE YOU CYBER SECURE?

39 4. RANSOMWARE

Ransomware (e.g. CryptoLocker)

Page 41: ARE YOU CYBER SECURE?

40 CYBER SECURITY TIP# 5

• Perform daily data backup
• Ensure offsite storage of backup
• Use a reputable anti-malware / anti-virus
• Educate your employees

Page 42: ARE YOU CYBER SECURE?

41 CYBER SECURITY TIP# 6

Enable “automated installation” of “Important updates” from Microsoft

Make your Laptop/Desktop less vulnerable to attacks!

Page 43: ARE YOU CYBER SECURE?

42 CYBER SECURITY TIP# 7

If you don’t trust the source, don’t plug the USB drive!

Disable USB Ports

Page 44: ARE YOU CYBER SECURE?

43 CYBER SECURITY TIP# 8

EDUCATE YOUR STAFF

Phishing, spear-phishing, social engineering and other human-based attacks are increasingly popular and highly effective attack vectors.

Turn on your “Human Firewall”: poorly trained staff can be your greatest weakness; well trained staff can be your greatest asset, watching for issues across your network.

Training topics:
• Why employees need to protect your organization
• Password security
• Securely sending and storing data
• Social engineering
• Malware

Page 45: ARE YOU CYBER SECURE?

44

Page 46: ARE YOU CYBER SECURE?

45 CYBER SECURITY TIP# 9 .. FINALLY

MONITOR YOUR THIRD PARTY RELATIONSHIPS

A business is only as strong as the chain of third parties it works with to run its business. Leaders must recognize and understand the factors that promote strong third-party monitoring. Ensuring that your products/services are provided on time is only a piece of the puzzle.

Third party monitoring must cover all activities related to your third parties, including risk ranking, screening, data collection, documentation and ongoing monitoring.

Third parties include:
• Consultants / Contractors
• Agents
• Vendors
• Suppliers / Distributors
• Joint Ventures

Page 47: ARE YOU CYBER SECURE?

46 LEVERAGING COMMITMENT TO SECURITY PRACTICES TO ATTRACT NEW CUSTOMERS

• Have a third party audit conducted:
  • Service Organization Control (SOC) 2 Type II audit performed covering a selection of one or more of the following Trust Principles: Security, Availability, Processing Integrity, Confidentiality, Privacy
  • ISO 27001 Certification

Page 48: ARE YOU CYBER SECURE?

47 LEVERAGING COMMITMENT TO SECURITY PRACTICES TO ATTRACT NEW CUSTOMERS

• Such third party reports can assist with:
  • Meeting frequently required clauses for major customers / contractual requirements
  • Complying with contractual Service Level Agreements (SLAs)
  • Providing significant competitive advantages in the marketplace vis-à-vis your competitors

Page 49: ARE YOU CYBER SECURE?

48

AGENDA

HOW TO DEAL WITH CYBER RISKS?

Page 50: ARE YOU CYBER SECURE?

49 NIST CYBERSECURITY FRAMEWORK

In 2014, the National Institute of Standards and Technology (NIST) released the comprehensive NIST Cybersecurity Framework.

This NIST Framework allows organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.


Page 51: ARE YOU CYBER SECURE?

50 FOCUS: 5 FUNCTIONAL AREAS OF CYBERSECURITY

• IDENTIFY
• PROTECT
• DETECT
• RESPOND
• RECOVER

Page 52: ARE YOU CYBER SECURE?

51

CYBER SECURE ECO SYSTEMS (Cyber Secure Services)

IDENTIFY: Do you know your “crown jewels”?
• NIST Cybersecurity Assessment
• IT Applications Controls Assessment
• Information Security Assessment
• Third Party Provider Risk Assessment

PROTECT: Do you have adequate safeguards in place to protect your assets?
• Security Awareness and Training
• Outsourced CISO (Certified Information Security Officer)
• Information Security Services
• Cyber Insurance Services
• Business Continuity & Disaster Recovery Plan

DETECT: Would you know if you are being attacked?
• Security Monitoring Services (Intrusion Detection Service)
• Network Vulnerability Assessment
• Ethical Hacking & Penetration Testing Services
• Phishing as a Service

RESPOND: Do you have a plan to contain the impact of an attack?
• Information Security Services
• Digital Forensic Services
• Incident Response Plan & Assistance

RECOVER: Do you have a plan to restore capabilities and your reputation?
• Digital Forensic Services
• Cyber Insurance Services
• Litigation Support
• Valuation of Damages
• Asset Impairment

Page 53: ARE YOU CYBER SECURE?

52

NIST CYBERSECURITY ASSESSMENT

Profile example

Tiers:
• Tier 1: Partial
• Tier 2: Risk-Informed
• Tier 3: Repeatable
• Tier 4: Adaptive

Gaps

Page 54: ARE YOU CYBER SECURE?

53 NIST CYBERSECURITY ASSESSMENT

IDENTIFY (ID)
PROTECT (PR)
DETECT (DE)
RESPOND (RS)
RECOVER (RC)

Page 55: ARE YOU CYBER SECURE?

54

AGENDA

RECOMMENDATIONS

Page 56: ARE YOU CYBER SECURE?

55 RECOMMENDATIONS

• Laptops should be encrypted
• Security awareness training
• Periodic password change
• Consider a cyber insurance policy
• Network penetration testing
• Backup recovery testing
• Monitor third party providers

Page 57: ARE YOU CYBER SECURE?

56

QUESTIONS?

Sumit Pal, CISA, CGEIT, CRISC Principal Cyber Secure Team Leader Practice Leader, Risk Advisory 609.514.5595 [email protected]