RISK MANAGEMENT APPROACH TO CYBER SECURITY: WHAT YOU NEED TO KNOW
ERNEST STAATS MSIA, CISSP, CEH…
General Conference of SDA (South Pacific Division)
Security can no longer be outsourced to the security team. Instead, the security team should be providing the resources and expertise to help others become as security self-sufficient as possible.
LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice. The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies.
We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication, including any information, methods or safety suggestions contained herein.
FEAR FACTOR – OR IS THIS REAL?
• 70% of the US population has been affected by at least 1 data breach
• Total cost of data breaches and data theft to date (2016) exceeds the GDP of Sweden ($450B)
• 99.9% of data breaches are due to technology over 1 year old: patches are not being applied and unsupported technology is still in use
• 60% of all data losses occur within 5 minutes of the breach of systems
• 80% of emails are spam; 56% of Internet-based email traffic is sent by mailbots
• AVERAGE time between viewing the contaminated email and clicking on the attachment is approximately 2 seconds
CYBER RISK – THE “INTERNET OF THINGS”
• Wearable and other connected devices allow detailed tracking of location.
• Trading security for convenience
  • Open Table, Lyft, Waze, Netflix, Amazon
• Average adult spends 2.5 hours daily on a smartphone doing something other than talking
• Average teenager spends 27 hours daily on a smartphone
• Most wearable device makers do NOT have a security plan for data exchange
GROWTH OF THE ATTACK SURFACE
• 23 billion devices (estimated) are connected to the Internet as of 2018
• By 2025, that number is expected to grow to 75 billion
• Industrial application risks have grown: from 10 vulnerabilities in 2010 to an average of 100 by 2013
  • Power grid, hydroelectric dams, etc.
• 7 out of 10 domestic devices have vulnerabilities that can be exploited (HP survey)
  • Door locks, thermostats, smart TVs, Internet security systems
CYBER RISK – HEALTH CARE AS A TARGET
• The healthcare environment has unique risks because of patient care: the need for 24/7 accessibility, and the integrity of data used for diagnosis and treatment
• November 2015: 7 vulnerable device types, including drug infusion pumps, Bluetooth-enabled defibrillators, blood refrigeration units, and CT scanners
• Hollywood Presbyterian information systems held hostage for $3.6 million
• Merge Hemo tool shut down because its operating software was incompatible with a malware search engine
• If any of these devices transmit PHI to your EHR, they should have been included in your HIPAA security risk assessment
RETHINK HOW WE APPROACH CYBERSECURITY
• Checklist compliance & security doesn't work
• It doesn't meet OCR Phase 2 audits
• Attacks are cross-departmental
• Cannot protect what you do not know (DATA MAP: where is PHI?)
• Without active ownership and management, cyber security is a joke
• Without a comprehensive plan it becomes incomprehensible
• If not Corporate Culture -- it inculcates company to true Cyber
Has your organization implemented scanning tools (active & passive) to identify all the devices attached to the network?
Has your organization implemented a Network Access Control (NAC) solution, which requires certificates, to authenticate devices before they can connect to the network?
Has your organization implemented scanning tools to identify all software applications installed in the organization?
Has your organization implemented a software whitelisting tool that only allows authorized software programs to execute on the organization's systems?
Has your organization implemented scanning tools to identify any misconfigured security settings on systems in the organization?
Has your organization implemented a security setting configuration enforcement system on the organization's systems?
Has your organization implemented scanning tools to identify any software vulnerabilities on systems in the organization?
Has your organization implemented an automated patch management system to continuously update the organization's systems?
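As an added example that is not part of the presentation, the following Python reconciles constructed scanner, NAC and inventory data to answer the first and last of these questions, plus the PHI risk-assessment point from the health care slide: which devices are on the network but never authenticated to NAC, which run patches more than a year old (the "technology over 1 year old" figure above), and which PHI-transmitting devices were left out of the HIPAA risk assessment. All addresses, device names and dates are constructed; the inventory fields and the report date are assumptions.

```python
from datetime import date

# Constructed sample data (not from the presentation): addresses reported by the
# active scanner, the passive scanner, and the NAC's list of certificate-authenticated devices.
ACTIVE_SCAN = {"10.0.1.10", "10.0.1.11", "10.0.1.20", "10.0.2.5"}
PASSIVE_SCAN = {"10.0.1.11", "10.0.1.20", "10.0.2.5", "10.0.2.9"}
NAC_AUTHORIZED = {"10.0.1.10", "10.0.1.11", "10.0.2.5"}

# Constructed inventory: last patch date, whether the device sends PHI to the EHR,
# and whether it was covered by the HIPAA security risk assessment.
INVENTORY = {
    "10.0.1.10": {"name": "ws-nurse-01", "last_patch": date(2018, 3, 1),
                  "phi": False, "in_risk_assessment": True},
    "10.0.1.11": {"name": "infusion-pump-07", "last_patch": date(2015, 6, 15),
                  "phi": True, "in_risk_assessment": False},
    "10.0.2.5": {"name": "ct-scanner-2", "last_patch": date(2017, 9, 30),
                 "phi": True, "in_risk_assessment": True},
}

MAX_PATCH_AGE_DAYS = 365          # the talk's "technology over 1 year old" threshold
REPORT_DATE = date(2018, 6, 1)    # constructed "as of" date for the report

def unknown_devices(active, passive, authorized):
    """Addresses seen by either scanner that never authenticated to NAC: unmanaged devices."""
    return sorted((active | passive) - authorized)

def stale_devices(inventory, today, max_age=MAX_PATCH_AGE_DAYS):
    """Inventoried devices whose last patch is older than the threshold."""
    return sorted(ip for ip, d in inventory.items()
                  if (today - d["last_patch"]).days > max_age)

def phi_devices_missing_from_assessment(inventory):
    """Devices that transmit PHI but were left out of the risk assessment."""
    return sorted(ip for ip, d in inventory.items()
                  if d["phi"] and not d["in_risk_assessment"])

def gap_report(today=REPORT_DATE):
    """Bundle the three findings so each can be handed to its owner."""
    return {
        "unknown": unknown_devices(ACTIVE_SCAN, PASSIVE_SCAN, NAC_AUTHORIZED),
        "stale": stale_devices(INVENTORY, today),
        "phi_unassessed": phi_devices_missing_from_assessment(INVENTORY),
    }

if __name__ == "__main__":
    for finding, ips in gap_report().items():
        print(finding, ips)
```

In a real deployment the three sets come from the scanner, NAC and CMDB exports; the point is that no single source is complete, so gaps only show up when they are compared.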