Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Transcription

1 Cyber Security: Potential Threats Impacting Organizations January 10, 2015 Scott Petree Agenda 2 Data Security Trends Root Causes of Cyber Attacks How Can We Fix This? Secure Infrastructure User Awareness Client Assurance/Vendor Management Cloud Computing Mobile Devices 1

2 Web Site New Communications Verizon Data Breach Investigations Report 4 Verizon Data Breach Investigations Report 2

3 2014 Verizon Data Breach Investigations Report 5 Verizon Data Breach Investigations Report 2014 Verizon Data Breach Investigations Report 6 # of incidents by industry # of incidents with confirmed data loss Verizon Data Breach Investigations Report 3

4 2014 Verizon Data Breach Investigations Report 7 Verizon Data Breach Investigations Report Real-Life Examples 8 June 30, 2014 Butler University Indianapolis, Indiana Butler University in Indianapolis Indiana informed students, staff and alumni of a data breach to their system. Over 160,000 individuals may have been affected when hackers may have accessed their personal information. The school officials have discovered that the information exposed included birthdates, Social Security numbers and bank account information of approximately 163,000 students, faculty and staff, alumni, and prospective students who never enrolled in classes at Butler. In a letter sent to those affected, the university has said that "someone hacked the school's network sometime between November 2013 and May 2014" 4

5 Real-Life Examples 9 July 11, 2014 University of Illinois, Chicago Chicago, Illinois The University Illinois Chicago (UIC) notified former students of a data breach. "A website security breach made two College of Business Administration documents a roster from a Special Topics in Accounting course and an advising list for all junior and senior accounting majors". Personal information was exposed, including Social Security numbers. The university has not stated how many students were affected, and the breach is currently under investigation. Real-Life Examples 10 October 1, 2014 Provo City School District Provo, Utah The Provo City School District notified employees of a "phishing" attack Monday September 29, 2014 which allowed access to employees accounts. Some employee accounts contained files that may have had personally identifiable information. Currently the school district is investigating the breach and notifying those affected. 5

6 97% of Breaches Were Avoidable* 11 Most victims aren t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them. *Verizon Data Breach Investigations Report WHAT CAUSES A BREACH? Weak Infrastructure Weak design (firewalls, wireless routers) Weak user authentication (users, passwords) Encryption (VPN, secure portals) Out-dated (patch management/anti-virus) Lack of periodic testing User Ignorance/Poor Judgment Weak user passwords Social media Phishing attacks Not staying current with security trends Third-Party Vendors Weak due diligence Ongoing breach notification Annual breach confirmation Technology Advances Mobile devices Cloud computing/public portals 12 Secure Network Infrastructure Best Practices to Help Prevent a Breach 1. Data Classification Public and Confidential (Sensitive/Private) 2. Perimeter Security - Firewalls, IDS/IPS 3. Wireless Security SSID, Encryption, Default Password 4. Authentication Users & Passwords 5. Encryption - Connectivity & Storage 6. Anti-virus 7. Patch Management 8. Remote Access 9. Network Monitoring 10.Annual Testing External & Internal Penetration Testing 6

7 User Access Management 13 Full-time employees Part-time employees and contractors Consultants and vendors Customers Visitors Ad hoc vs. formal repeatable process Single sign-on User IDs/passwords Use of technology (tokens, firewalls, access points, encryption, etc.) Need to know basis/able to perform job responsibilities Segregation of duties Administrative access Super-user access Internet vs. corporate system access Only when an issue is noted User access logs Annual review of access Proactive review of user activity Real-time monitoring of unauthorized access or use of information systems User Security Awareness 14 Strong password practices Device security Accessing from public places Sharing data to outside parties Use of mobile technology Use of online portals Security awareness training I m flattered, really I am. But you probably shouldn t use my name as your password. Example: DATA BREACH 7

8 Security Awareness Training 15 Timing Content Information security policies/procedures Understanding passwords Detecting phishing s Recognizing unauthorized visitors Wireless hotspots Reporting Security Awareness Posters 16 8

9 Vendor Due Diligence 17 Due Diligence Existence and corporate history, strategy, and reputation References, qualifications, backgrounds, and reputations of company principals, including criminal background checks Financial status, including reviews of audited financial statements Technology and systems architecture Internal controls environment, security history, and audit coverage (SOC Reports) Policies vs. procedures Legal complaints, litigation, or regulatory actions Insurance coverage Ability to meet disaster recovery and business continuity requirements Breach Notification Contract language should include breach notification requirement (i.e. if there is a breach at the third-party, it needs to notify the organization within 48 hours) Annual confirmation of breaches by CEO or other C-level executive at the vendor Cloud Computing 18 Choosing a Cloud Vendor Internal controls at cloud provider Secure connections/encryption User account management Segregated rooms/storage Shared servers vs. dedicated servers Locations of your data Data ownership Cost of switch vendors Other third-parties involved Service Organization Controls (SOC) reports Independent network security/ penetration testing (ask for summary report) Web application testing (if applicable) Mobile Applications Network Infrastructure 9

10 Mobile Devices 19 Device Security Physical security of device Passwords not pins Enable auto lock Secure /calendar (including sync) Keep Bluetooth devices to nondiscoverable (will not impact authenticated connections) Remote wipe Failed attempts lock/wipe Secure backup data on mobile device Keep all system/applications patches up-to-date Keep apps version current Encryption Passwords enable native encryption Encrypted transmission Memory encryption Encrypted transmission Mobile Device Management Great way to manage company owned devices 20 Plante Moran s Information Security Framework Different organizations view information security differently. Some of the differences are related to varied risk and threat profiles impacting an organization based on factors such as industry, location, products/services, etc. Other differences are related to management s view of security based on its experience with prior security incidents. 10

11 Top 5 Take Aways 21 Breaches Occur Across all Industries Losses Financial and Non Financial (IP, Data Privacy, and Compliance) Security in Layers End User Security Awareness & Training Vendor Management Data Breaches Thank You! 22 SCOTT PETREE Manager Network Security Management Consulting Services Southfield, Michigan [email protected] 11