Protecting Your Business From Security Threats. Carl Cadregari, CISA, Executive Vice President Enterprise Risk Management Division The Bonadio Group

Transcription

1 Protecting Your Business From Security Threats Carl Cadregari, CISA, Executive Vice President Enterprise Risk Management Division The Bonadio Group

2 Carl Cadregari, CISA, MCF - EVP, Practice Lead for Enterprise Risk Management Division, The Bonadio Group o o o Over 28 years of experience in information technology industry with a 16+ years of detailed IT/IS and regulatory compliance audit experience in FFIEC, NCUA, PCI DSS, SOX, SSAE16, FTC-314 (Gramm-Leach Bliley), HIPAA, HITECH, FISMA, FERPA, COSO, COBIT, ISO 17799/27002, and International Data Security and Privacy laws for companies ranging from $25M to $100B. Extensive background in controls auditing, practices definition, implementation of core audit services. Experienced in vulnerability and penetration assessment and auditing. Certified Information Systems Auditor (CISA), certified HIPAA Privacy and Security compliance assessor, IEEE Certified in Computer Forensics. Published articles on technology and information security including topics such as: The CIA Triad, Ethical Hacking, Document Retention, Cloud Computing and Data Breach Avoidance. 2

3 We Will Cover Why You Need Information Security 2015 Emerging Information Security Threats Cyber Fraud and the Insider Risk Management Role in Information Security What You Should Do Do It Now! What You Should Do Best Practices 3

4 Why Information Security 2015 Internet Security Report Savvy attackers are using increased levels of deception and, in some cases, hijacking companies own infrastructure and turning it against them 60 percent of all targeted attacks struck small- and medium-sized organizations Organizations are still not adopting basic best practices like blocking executable files and screensaver attachments 4

5 Why Information Security 2015 Internet Security Report More than 317 million new pieces of malware created in 2014 In 2014, up to 28 percent of all malware was virtual machine aware. While advanced targeted attacks may grab the headlines, nontargeted attacks still make up the majority of malware, which increased by 26 percent in Firms reported that they had 205,175,846 data records compromised in 2014 Large resurgence in Ransomware 5

6 Why Information Security To Stay Out of the News HSBC insider breach Donors credit card and banking info in breach after third-party service provider hacked Mahwah Businessman s Bank, hackers obtained enough personal information on one individual to convince his bank to wire $240,000 overseas Heartland Payment Systems (payroll division) reports another breach stolen laptops and computers Skimmers Found at Two Bank of Colorado Branches Former Bank Teller in Orange County Bank Fraud and Identity-Theft Scheme Re-Arrested 6

7 Why Information Security To Stay Open for Business 51% of consumers will take business elsewhere post breach Jumps to 60% in age range 45.6% said that the companies and individuals involved in such a breach should be considered criminally negligent 7

8 Emerging Threats With the Internet s pervasive reach into business, government, and private life, it is unsurprising that cybercrime and cyber espionage not only continue to evolve, but that new techniques are quickly adopted. Source: Georgia Tech Cyber Security Summit

9 Emerging Threats Cloud Data Losses Highly sensitive, confidential and regulatory personal, controlled data is regularly stored in the cloud. Increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3x 36 percent of business-critical applications are housed in the cloud, yet IT isn t aware of nearly half of them 30 percent of business information is stored in the cloud, yet 35 percent of it isn t visible to IT Cybercriminals are regularly using many cloud services to exfiltrate data from inside your business or to gain access using trusted online services, websites or file-sharing sites 9

10 Emerging Threats Forget BYOD how about BYODB Bring Your Own Data Breach As sensors, and not just computing platforms mobile devices bring a new set of threats, including allowing malicious software an unparalleled look into victims lives. As of the end of 2014, there are more Internetconnected mobile devices than people on the planet, with four out of five workers using their personal mobile devices to do work. 10

11 Cyber Fraud Concerns 11

12 Cyber Fraud Concerns Cyber Fraud concerns include Man-In-The-Middle attacks on ACH Malware attacks on systems Keystroke loggers Improper user access Un-audited privileged access Cloud Computing 12

13 Cyber Fraud Concerns Malware attacks on systems Designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware includes worms, Trojan horses, spyware, adware, most rootkits, and other malicious programs. 13

14 Cyber Fraud Concerns Keystroke Loggers / Keylogger Hardware and software based Are used to capture all keystrokes typed and then sent to an external attacker Hardware keystroke logger 14

15 Cyber Fraud Concerns Improper User Access Users with unknown or un-approved access to systems, files, folders, data. Account for the majority of all internal breaches User accounts compromised by external attackers regularly used to steal information 15

16 Cyber Fraud Concerns User with too Much Access Users need to have appropriate access to data and information to perform their job duties; the organization and IT need to be in sync with: Who has access to what data What do they do with it day to day Where can data be shared How do personnel share responsibilities What do you do when someone leaves 16

17 Cyber Fraud Concerns Technologies Upgrades No infrastructure is static whether adding a new application, speeding up the ability to process data, or revamping the user experience, IT should be part of a cross-functional team defining compliance expectations as part of the life cycle management 17

18 Management Role Management should approve: o Processes with information security/risk assessment and monitoring responsibilities (e.g., system evaluators, penetration tester, security control assessments, risk assessments, independent verifiers/validators, inspectors general auditors); and o Individuals with risk assessment and monitoring responsibilities (e.g., operations evaluators, physical security control assessors, actuarial risk assessors, independent verifiers/validators, inspectors general, internal and external auditors, regulatory experts). 18

19 Management Role Management review to make certain that there is an approved: o Explicit IT Security risk model, defining key terms and assessable risk factors and the relationships among the factors o Assessment approach, provided by the data owners/application owners specifying the range of values those risk factors can assume during the assessment o Analysis approach, specifying how values of those factors are functionally combined to evaluate risk o Consistent monitoring and reporting approach. 19

20 Management Role Overall, Management should perform efforts in: o Approving and regularly reviewing the controls associated with governing risks and threat mitigation scenarios so you can protect physical, electronic and IP assets that create value for your stakeholders, including external, employees, regulators, and society overall. 20

21 Do It Now! 21

22 Do It Now! Plug Known Holes Turn complexity on for passwords and identify if multi-factor authentication needed Anti-Virus/Anti-Malware out-of-date or not sufficient Patch Workstations and Servers Is your Firewall configured properly? Review and account for all allowed inbound and outbound connections. Turn it on alerting from Firewall or Intrusion Detection System (IDS) Using a third-party IT support company- Have them detail all the controls and settings they have in place. 22

23 Do It Now! Conduct A Comprehensive Risk Assessment Identify and rank where ALL sensitive data is stored, processed, transmitted, maintained, for clients and employees Evaluate existing and potential missing controls Test the Cyber Controls Based on data type found list all regulatory, legal and expected standards Consider more than annual assessments You cannot protect against a risk you do not know exists 23

24 Best Practices Set Routine Audits they are Necessary to Validate controls are working Review Anti-Virus/Anti-Malware status Review Update and Security Patch status Review Firewall Configurations Review User Access, especially those with privileges Review all vendors and third parties 24

25 Best Practices IT Segregation of Duties Assess who has what level access What is absolutely needed Minimum Necessary Conduct careful analysis of job function to identify both internal and external conflicts of interest A determination needs to be made for the extent to which any known or suspected circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur. 25

26 Best Practices Vendor Management Outsourced Services Ask for SSAE16 SOC 1 and SOC 2 Has Three Different Reports and each report has differing communication and controls requirements for a Service Organization Controls (SOC) SOC 2: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy Follow OCC BULLETIN

27 Best Practices Security Training and Awareness is Critical Have everyone review and acknowledge acceptable and computer use policies at least annually. Regularly communicate reminders about confidentiality and protection and any known threats such as phishing s. Have IT staff attend specific training relating to security your data environment Join FS-ISAC and other publications Train on regulatory/data security/privacy laws requirements quarterly 27

28 Hot Topics In Cyberlaw New York Bankers Association Senior Management Conference June 17, 2015 Joseph V. DeMarco, Esq. DeVore & DeMarco LLP 99 Park Avenue, Suite 330 New York, New York

29 My Background Partner, DeVore & DeMarco LLP Boutique law firm in New York City Cyberlaw Practice, 2008-present Previously, Assistant U.S. Attorney, Southern District of New York, Founder, Computer Hacking and Intellectual Property Program Significant experience in government and private practice with law firm cyber-incidents

30 Criminal Laws Federal Computer Fraud and Abuse Act, 18. U.S.C (and state analogues, e.g., NY Penal Law 156) Federal Wiretap Act, 18 U.S.C Electronic Communications Privacy Act Federal Theft of Trade Secrets Act, 18 U.S.C (and state analogue)

31 Wiretap Act Creates civil and criminal cause of action for intercepting communications Federal and New York are one-party consent states But some states require two-party consent Special challenges of International and Interstate transmission Employee monitoring is all the rage but is it legal?

32 Electronic Communication Privacy Act Electronic Communications Privacy Act ( ECPA ) and Stored Communications Act ( SCA ) Articulates mechanisms the government and private parties must use to compel providers to disclose details of stored wire or electronic communications Appropriate mechanism driven by type of data: Basic subscriber records Transactional and other account records (in electronic storage 180 days or less) (in electronic storage more than 180 days) Also governs when a provider, in a civil case, may disclose details of customer data to authorities

33 Threats to Trade Secrets The Center for Strategic and International Studies estimated the annual cost of cybercrime and economic espionage at more than $445 billion. (Washington Post, June 9, 2014.) Law Firms and Other Service Providers: As data aggregators, an especially inviting target (FBI 2012, 2013, 2014 )

34 Digital Tools for Stealing Trade Secrets Technological advances makes it increasingly easy to steal large quantities of valuable trade secrets and client information and to get away with it! Tools for stealing trade secrets today include: External drives Laptops Mobile devices Digital cameras and recorders Printers and scanners FTP Transfers Remote access Hacking and keylogging software

35 Economic Espionage Act: 18 U.S.C Passed by Congress in 1996 in recognition of the threat posed to American economic competitiveness in a global economy by the theft of intellectual property and trade secrets. Sen. Arlen Specter Two key parts: 18 U.S.C Economic espionage directed by foreign governments or government controlled entities Very rare only eight prosecutions since 1996 Highest level of penalties for violations of this part of the statute Increased focus on this section in light of recent activities by China 18 U.S.C Theft of trade secrets Only applies if (1) the trade secret relates to a product placed in interstate commerce; or (2) if it involves the acts of foreign entities Amended December 2012 to correct Second Circuit ruling in U.S. v. Aleynikov

36 Legal and Regulatory Drivers: Other Sources State Breach Notification Laws California Security Standards Law Massachusetts Encryption/Security Policy Law Nevada Encryption Law SSN Protection Laws HIPPA Breach Laws and HI-TECH Act amendments FTC Identity Theft Red Flags Rule Local Wireless Security Laws NIST Cyber Framework (2014) FINRA, PCI DSS, ISO 27002, and similar standards

37 Legal and Regulatory Drivers: Other Sources Failure to abide by any of these standards can be used to support claims of negligence and other torts in addition to regulatory fines and penalties

38 Practical Advice Know What Data You Have Know Where That Data Is Know Who Has Access to That Data Protect most critical data to maximum degree Assess, Test and Evaluate Your Clients Policies Under Counsel Protection Have an Information Security Policy and Incident Response Plan Conduct Tabletop Exercises

39 A Final Word: Hacking Back For private Companies, hacking back is not legal in the U.S. or the EU. In the U.S., the general rule has been that private entities maintain a defensive posture, while the government hunts down the culprits Hacking Back is not Ethical Hacking Hacking Back presents significant consequences: Violations of US and International law May give signals to attackers before coordinated mitigation efforts can be made Can bring about retaliation and further damage. May cause unintended spoliation or inhibit preservation of digital evidence. Can bring about unintended consequences, such as damaging computers belonging to innocent individuals but hijacked by attackers. In short, any proactive measure in response to a cyber threat that can be regarded as revenge or retaliation should be taken off the table.

40 For Further Information Joseph V. DeMarco DeVore & DeMarco LLP 99 Park Avenue, Suite 1100 New York, New York Phone: (212) Fax: (212)