Webinar: Creating a Culture of Cybersecurity at Work

Transcription

1 Webinar: Creating a Culture of Cybersecurity at Work Thursday, Oct. 8, 2105 stopthinkconnect.org

2 Agenda Welcome/NCSA Landscape Start With Security: Federal Trade Commission NIST Framework: Better Business Bureaus Critical Infrastructure Cyber Community Voluntary Program (C 3 ): U.S. Department of Homeland Security Q&A stopthinkconnect.org

3 About National Cyber Security Awareness Month (NCSAM) NCSAM, recognized every October, provides a platform for industry, government, nonprofits, schools and the public to raise awareness about using the Internet and connected devices safely and securely. NCSAM is led by NCSA and the U.S. Department of Homeland Security (DHS). The overarching theme of NCSAM is Our Shared Responsibility. All businesses face cybersecurity challenges. This week will encourage businesses to proactively establish cultures of cybersecurity through employee education, risk management, planning and tools. stopthinkconnect.org

4 Webinar Speakers Michael Kaiser, Executive Director, National Cyber Security Alliance Jessica Lyon, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission Bill Fanelli, Chief Security Officer, Council of Better Business Bureaus Kelvin Coleman, Branch Chief, Government Engagement, Cybersecurity & Communications, U.S. Department of Homeland Security stopthinkconnect.org

5

6 Don t collect personal informa1on you don t need. Hold on to informa1on only as long as you have a legi1mate business need. Don t use personal informa1on when it s not necessary.

7 Restrict access to sensi1ve data. Limit administra1ve access.

8 Insist on complex and unique passwords. Store passwords securely. Guard against brute force acacks. Protect against authen1ca1on bypass.

9 Keep sensi1ve informa1on secure throughout its lifecycle. Use industry- tested and accepted methods. Ensure proper configura1on.

10 Segment your network. Monitor ac1vity on your network.

11 Ensure endpoint security. Put sensible access limits in place.

12 Train your engineers in secure coding. Follow planorm guidelines for security. Verify that privacy and security features work. Test for common vulnerabili1es.

13 Put it in wri1ng. Verify compliance.

14 Update and patch third- party sopware. Heed credible security warnings and move quickly to fix them.

15 Securely store sensi1ve files. Protect devices that process personal informa1on. Keep safety standards in place when data is en route. Dispose of sensi1ve data securely.

16 business.ftc.gov

17 5 STEPS TO BETTER BUSINESS CYBER SECURITY IN PARTNERSHIP WITH 17 CYBER $3CUR1TY CYBER $3CUR1TY

18 A New Cybersecurity Workshop Collaboration between the Better Business Bureaus and National Cyber Security Alliance * Coming soon to your local BBB! 18 CYBER $3CUR1TY

19 Workshop Outcomes Identify the key business assets to protect Recognize the value of having protections in place before a cyber incident occurs Realize the need to detect cyber security problems, and tools to help with detection Develop a rudimentary plan of what to do immediately when a cyber incident occurs * Understand the need for an incident recovery plan and how to develop one Learn what employees need to know, and policies they need to follow, to execute the above 19 CYBER $3CUR1TY

20 Verizon: Top Cyber Security Risks in 2014 Physical Theft and Loss Payment Card Skimmers Point-of-Sale Intrusions Crimeware Web App Attacks * Denial of Service Attacks Cyber-espionage Insider and Privilege Misuse Miscellaneous Errors Verizon 2015 Data Breach Investigations Report 20 CYBER $3CUR1TY

21 * Physical Theft and Loss Most thefts occur in victim s work area (55% ) Employee-owned vehicles (22%) are common targets for device theft Higher amount of data on a device means higher amount of protection 21 CYBER $3CUR1TY

22 * Payment Card Skimmers and Point-of-Sale Intrusions Card readers/skimmers fit inside ATMs and card readers (in stores, at gas pumps) to skim card data, capture PCI card and PIN numbers Liability shift October 2015 for EMV chip and pin cards merchants now may be liable if their technology is deemed at fault Multi-step attacks involve POS systems PLUS attacks on other systems, e.g. vendors with access to networks Social engineering used to trick employees into providing passwords over the phone Verizon 2015 Data Breach Investigations Report 22 CYBER $3CUR1TY

23 * Malicious Software (Crimeware) and Web App Attacks Malware infections used to steal or compromise: Bank records (using stolen credentials) Trade secrets System data Ransomware can encrypt entire hard disk drive until a fee is paid for restoration Phish customer è Get credentials è Log in to account è Empty bank account Verizon 2015 Data Breach Investigations Report 23 CYBER $3CUR1TY

24 * 55% of breach incidents caused by privilege abuse Insider Misuse and Miscellaneous Errors Individuals given access take advantage and cause harm Intentionally for financial gain via sale or use of stolen data Unintentionally for convenience (unapproved workarounds) Three main categories: Sensitive information reaching the wrong recipient (30%) Publishing nonpublic data to public web servers (17%) Insecure disposal of personal and medical data (12%) Verizon 2015 Data Breach Investigations Report 24 CYBER $3CUR1TY

25 * A Structured Approach to Managing Risks The core intent is to present the NIST Cyber Security Framework in a form that is accessible to small and medium sized businesses. 25 CYBER $3CUR1TY

26 * The NIST Cyber Security Framework A collaborative effort between the government and private sector to develop a voluntary framework based on existing standards, guidelines and practices for reducing cyber risks to critical infrastructure. 26 CYBER $3CUR1TY

27 * NIST 5-Step Approach Identify assets you need to protect Protect assets beforehand to limit impact of an incident Be able to detect security problems quickly Be ready to respond immediately to an incident to keep the business running Prepare to recover and get back to normal operations IDENTIFY PROTECT DETECT RESPOND RECOVER 27 CYBER $3CUR1TY

28 * Leaky Faucet Plumbing Scenario: Ransomware As Dave comes back from lunch, he sees this on his computer screen. What now?? 28 CYBER $3CUR1TY

29 * 5-Step Approach: Ransomware IDENTIFY PROTECT DETECT RESPOND RECOVER Data Warehouse System Contains Inventory data required to run the business Device Dave s Desktop Daily backup on external drive Ransomware message Owner determines that system will be down for several days Track transactions on paper Takes computer for repair Wipe the drive Reload Windows Reload warehouse application Load data from backup Load paper transactions 29 CYBER $3CUR1TY

30 * Resources Available for National Cyber Security Awareness Month NCSA and BBB are creating collateral for businesses to supplement the workshop including: Technology Checklist 5-Step Guide to Protect Your Business Online Resource Index Available at: 30 CYBER $3CUR1TY

31 #ccubedvp Welcome to the community.

32 C3 VOLUNTARY PROGRAM OVERVIEW Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. - White House Executive Order Directives in Executive Order 13636: NIST to develop a Cybersecurity Framework A voluntary program for critical infrastructure cybersecurity to promote use of the Framework A whole of community approach to risk management, security and resilience. Joint action by all levels of government and the owners and operators of critical infrastructure #ccubedvp

33 GOALS FOR Harmonizing Cybersecurity Risk Management Strategies 2. Building Relationships among Cybersecurity Stakeholders #ccubedvp 3. Creating a National Cybersecurity Culture

34 2015 ACTIVITIES 1 Harmonizing Cybersecurity Risk Management Practices Sector-Specific Plans Sector Outreach and Partnership Division (SOPD) Framework Guidance 2 Building Relationships among Cybersecurity Stakeholders Monthly Webinar series Small and mid-sized business (SMB) Roadshow 3 Creating a National Cybersecurity Culture Promoting industry resources Knowledge sharing and collaboration Enhancing the C3 Voluntary Program s website #ccubedvp

35 CENTRAL WEBSITE FOR RESOURCES Over 40 resources currently featured, including the Cyber Resilience Review (CRR) Pages are organized by stakeholder group Academia; Business; Federal; State, Local, Tribal, and Territorial (SLTT) New Stakeholder Page: Small and Midsize Business (SMB) Resources are aligned to Framework core function Identify, Protect, Detect, Respond, Recover #ccubedvp

36 RESOURCES & EVENTS for BUSINESS The C3 Voluntary Program is focusing in on assisting small and midsize businesses (SMB) with their cybersecurity practices through: A nationwide SMB Roadshow A dedicated 2016 regional event for SMB, startups, accelerators, and venture capital firms The creation and promotion of a SMB Cybersecurity Toolkit Objective: Increase awareness, identify industry needs, and support the creation of self-sustaining resilient communities among the SMB community around cybersecurity and risk management. #ccubedvp

37 SMB TOOLKIT 1. Table of Contents 2. Begin the Conversation: Understanding the Threat Environment 3. Getting Started: Top Resources for SMB 4. Cybersecurity for Startups 5. C³ Voluntary Program Outreach and Messaging Kit 6. SMB Leadership Agenda 7. Hands-On Resource Guide #ccubedvp

38 THIRD PARTY RESOURCES FOR SMB Stop.Think.Connect. Toolkit Online toolkit with information specific to SMBs Small Business Administration (SBA) Training 30-minute introduction to small business cybersecurity Federal Small Biz Cyber Planner Tool to help business create custom cybersecurity plans Internet Essentials for Business 2.0 Guide to common risks, best practices, and incident response #ccubedvp

39 RESOURCES FOR SMB LEADERSHIP Leadership Team Agenda Outreach & Messaging Kit Sample Leadership Message Sample Newsletter Article Sample messaging for blogs and social media #ccubedvp

40 HOW TO GET INVOLVED Take advantage of C3 Voluntary Program resources: Visit the C3 Voluntary Program website at Familiarize yourself with the Cybersecurity Framework Download the Cyber Resilience Review (CRR), or contact DHS for an on-site assessment Spread the word across your community Connect with the C3 Voluntary Program: #ccubedvp

41 dhs.gov/ccubedvp #ccubedvp

42 Questions? stopthinkconnect.org

43 Resources stopthinkconnect.org