Webinar: Creating a Culture of Cybersecurity at Work Thursday, Oct. 8, 2015 stopthinkconnect.org
Agenda
Welcome/NCSA Landscape
Start With Security: Federal Trade Commission
NIST Framework: Better Business Bureaus
Critical Infrastructure Cyber Community Voluntary Program (C3): U.S. Department of Homeland Security
Q&A
About National Cyber Security Awareness Month (NCSAM) NCSAM, recognized every October, provides a platform for industry, government, nonprofits, schools and the public to raise awareness about using the Internet and connected devices safely and securely. NCSAM is led by NCSA and the U.S. Department of Homeland Security (DHS). The overarching theme of NCSAM is Our Shared Responsibility. All businesses face cybersecurity challenges. This week will encourage businesses to proactively establish cultures of cybersecurity through employee education, risk management, planning and tools.
Webinar Speakers
Michael Kaiser, Executive Director, National Cyber Security Alliance
Jessica Lyon, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
Bill Fanelli, Chief Security Officer, Council of Better Business Bureaus
Kelvin Coleman, Branch Chief, Government Engagement, Cybersecurity & Communications, U.S. Department of Homeland Security
Start With Security: Federal Trade Commission
Don't collect personal information you don't need. Hold on to information only as long as you have a legitimate business need. Don't use personal information when it's not necessary.
Restrict access to sensitive data. Limit administrative access.
Insist on complex and unique passwords. Store passwords securely. Guard against brute force attacks. Protect against authentication bypass.
Keep sensitive information secure throughout its lifecycle. Use industry-tested and accepted methods. Ensure proper configuration.
Segment your network. Monitor activity on your network.
Ensure endpoint security. Put sensible access limits in place.
Train your engineers in secure coding. Follow platform guidelines for security. Verify that privacy and security features work. Test for common vulnerabilities.
Put it in writing. Verify compliance.
Update and patch third-party software. Heed credible security warnings and move quickly to fix them.
Securely store sensitive files. Protect devices that process personal information. Keep safety standards in place when data is en route. Dispose of sensitive data securely.
business.ftc.gov
5 STEPS TO BETTER BUSINESS CYBER SECURITY IN PARTNERSHIP WITH CYBER $3CUR1TY
A New Cybersecurity Workshop Collaboration between the Better Business Bureaus and National Cyber Security Alliance. Coming soon to your local BBB!
Workshop Outcomes
Identify the key business assets to protect
Recognize the value of having protections in place before a cyber incident occurs
Realize the need to detect cyber security problems, and the tools that help with detection
Develop a rudimentary plan of what to do immediately when a cyber incident occurs
Understand the need for an incident recovery plan and how to develop one
Learn what employees need to know, and the policies they need to follow, to execute the above
Verizon: Top Cyber Security Risks in 2014
Physical Theft and Loss
Payment Card Skimmers
Point-of-Sale Intrusions
Crimeware
Web App Attacks
Denial of Service Attacks
Cyber-espionage
Insider and Privilege Misuse
Miscellaneous Errors
Source: Verizon 2015 Data Breach Investigations Report
Physical Theft and Loss
Most thefts occur in the victim's work area (55%)
Employee-owned vehicles (22%) are common targets for device theft
The more data a device holds, the more protection it needs
Payment Card Skimmers and Point-of-Sale Intrusions
Card readers/skimmers fit inside ATMs and card readers (in stores, at gas pumps) to skim card data, capturing PCI card and PIN numbers
Liability shift in October 2015 for EMV chip-and-PIN cards: merchants may now be liable if their technology is deemed at fault
Multi-step attacks involve POS systems plus attacks on other systems, e.g. vendors with access to networks
Social engineering is used to trick employees into providing passwords over the phone
Source: Verizon 2015 Data Breach Investigations Report
Malicious Software (Crimeware) and Web App Attacks
Malware infections are used to steal or compromise:
Bank records (using stolen credentials)
Trade secrets
System data
Ransomware can encrypt an entire hard disk drive until a fee is paid for restoration
Phish customer → Get credentials → Log in to account → Empty bank account
Source: Verizon 2015 Data Breach Investigations Report
Insider Misuse and Miscellaneous Errors
55% of breach incidents are caused by privilege abuse
Individuals given access take advantage and cause harm:
Intentionally, for financial gain via sale or use of stolen data
Unintentionally, for convenience (unapproved workarounds)
Three main categories of miscellaneous errors:
Sensitive information reaching the wrong recipient (30%)
Publishing nonpublic data to public web servers (17%)
Insecure disposal of personal and medical data (12%)
Source: Verizon 2015 Data Breach Investigations Report
A Structured Approach to Managing Risks The core intent is to present the NIST Cyber Security Framework in a form that is accessible to small and medium-sized businesses.
The NIST Cyber Security Framework A collaborative effort between the government and private sector to develop a voluntary framework based on existing standards, guidelines and practices for reducing cyber risks to critical infrastructure.
NIST 5-Step Approach
IDENTIFY: Identify the assets you need to protect
PROTECT: Protect assets beforehand to limit the impact of an incident
DETECT: Be able to detect security problems quickly
RESPOND: Be ready to respond immediately to an incident to keep the business running
RECOVER: Prepare to recover and get back to normal operations
Leaky Faucet Plumbing Scenario: Ransomware As Dave comes back from lunch, he sees this on his computer screen. What now??
5-Step Approach: Ransomware
IDENTIFY: Data Warehouse System; contains inventory data required to run the business. Device: Dave's desktop.
PROTECT: Daily backup on an external drive.
DETECT: Ransomware message on screen.
RESPOND: Owner determines that the system will be down for several days; track transactions on paper; take the computer for repair.
RECOVER: Wipe the drive; reload Windows; reload the warehouse application; load data from backup; load the paper transactions.
Resources Available for National Cyber Security Awareness Month
NCSA and BBB are creating collateral for businesses to supplement the workshop, including:
Technology Checklist
5-Step Guide to Protect Your Business Online
Resource Index
Available at: http://www.bbb.org/council/cybersecurity/
#ccubedvp Welcome to the community.
C3 VOLUNTARY PROGRAM OVERVIEW
"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity." - White House Executive Order 13636
Directives in Executive Order 13636:
NIST to develop a Cybersecurity Framework
A voluntary program for critical infrastructure cybersecurity to promote use of the Framework
A whole-of-community approach to risk management, security and resilience: joint action by all levels of government and the owners and operators of critical infrastructure
GOALS FOR 2015
1. Harmonizing Cybersecurity Risk Management Strategies
2. Building Relationships among Cybersecurity Stakeholders
3. Creating a National Cybersecurity Culture
2015 ACTIVITIES
1. Harmonizing Cybersecurity Risk Management Practices: Sector-Specific Plans; Sector Outreach and Partnership Division (SOPD); Framework Guidance
2. Building Relationships among Cybersecurity Stakeholders: Monthly Webinar series; Small and mid-sized business (SMB) Roadshow
3. Creating a National Cybersecurity Culture: Promoting industry resources; Knowledge sharing and collaboration; Enhancing the C3 Voluntary Program's website
CENTRAL WEBSITE FOR RESOURCES
Over 40 resources currently featured, including the Cyber Resilience Review (CRR)
Pages are organized by stakeholder group: Academia; Business; Federal; State, Local, Tribal, and Territorial (SLTT)
New Stakeholder Page: Small and Midsize Business (SMB)
Resources are aligned to the Framework core functions: Identify, Protect, Detect, Respond, Recover
www.us-cert.gov/ccubedvp ccubedvp@hq.dhs.gov
RESOURCES & EVENTS for BUSINESS
The C3 Voluntary Program is focusing on assisting small and midsize businesses (SMB) with their cybersecurity practices through:
A nationwide SMB Roadshow
A dedicated 2016 regional event for SMB, startups, accelerators, and venture capital firms
The creation and promotion of an SMB Cybersecurity Toolkit
Objective: Increase awareness, identify industry needs, and support the creation of self-sustaining resilient communities among the SMB community around cybersecurity and risk management.
SMB TOOLKIT
1. Table of Contents
2. Begin the Conversation: Understanding the Threat Environment
3. Getting Started: Top Resources for SMB
4. Cybersecurity for Startups
5. C³ Voluntary Program Outreach and Messaging Kit
6. SMB Leadership Agenda
7. Hands-On Resource Guide
THIRD PARTY RESOURCES FOR SMB
Stop.Think.Connect. Toolkit: online toolkit with information specific to SMBs
Small Business Administration (SBA) Training: 30-minute introduction to small business cybersecurity
Federal Small Biz Cyber Planner: tool to help businesses create custom cybersecurity plans
Internet Essentials for Business 2.0: guide to common risks, best practices, and incident response
RESOURCES FOR SMB LEADERSHIP
Leadership Team Agenda
Outreach & Messaging Kit: Sample Leadership Message; Sample Newsletter Article; Sample messaging for blogs and social media
HOW TO GET INVOLVED
Take advantage of C3 Voluntary Program resources:
Visit the C3 Voluntary Program website at www.us-cert.gov/ccubedvp
Familiarize yourself with the Cybersecurity Framework
Download the Cyber Resilience Review (CRR), or contact DHS for an on-site assessment
Spread the word across your community
Connect with the C3 Voluntary Program: CCubedVP@hq.dhs.gov
dhs.gov/ccubedvp
Questions?
Resources
https://staysafeonline.org/ncsam
http://www.dhs.gov/ccubedvp
https://www.bbb.org/data-security
https://ftc.gov/datasecurity