10 Smart Ideas for Keeping Data Safe From Hackers


10 Smart Ideas for Keeping Data Safe From Hackers
HAVE YOU BEEN HACKED?

Agenda: Introduction; Background; Ten Smart Ideas; Conclusions; Q&A

Recent Healthcare Data Breaches

Institution                                            | Numbers affected | What happened?
Utah Department of Health                              | 780,000          | A weak password policy was in effect on a network server.
Emory Healthcare                                       | 315,000          | 10 backup disks went missing because a storage facility door was left unlocked.
South Carolina Department of Health and Human Services | 230,000          | 17 Excel spreadsheets were illegally copied.
Multiple incidents                                     | 55,600           | Laptops stolen.

Healthcare Data Breaches Summary
- Total breaches: 495
- Total records: 21.12 million
- Total cost: $4.1 billion
- Average size: 42,659 records
- Average cost: $8.27 million
- Average time to identify: 84.78 days
- Average time to notify: 68.31 days
Source: recent report from the Health Information Trust Alliance (HITRUST)

Key Patterns, Healthcare Industry (share of incidents)
- Physical theft and loss: 46%
- Insider misuse: 15%
- Miscellaneous errors: 12%
- Other: 10%
- Point-of-sale intrusions: 9%
- Crimeware: 3%
- Web app attacks: 3%
- Denial of service attacks: 2%
- Cyberespionage: <1%
- Payment card skimmers: <1%
Source: Verizon 2014 Data Breach Investigations Report (DBIR)

The Ramifications
- The announcement: under the HIPAA Breach Notification Rule, once a breach involving more than 500 individuals is identified, the organization must notify the affected individuals, HHS and prominent media outlets.
- The coverage: this is not good PR. No hospital or healthcare organization wants to be in the news because of a data breach, unless it directly helped prevent one.
- The fallout: depending on the size of the breach, the reporting, analysis and review of the incident can be quite damaging.
- Remediation: once a breach happens, healthcare organizations must scramble to ensure that it doesn't happen again.

Who Gains From Cyberespionage?
- Cybercriminals readily understand the value of corporate information. There are opportunities to gain from extortion and ransom campaigns as well as from selling stolen data on the black market.
- Hacktivists focus on causing reputation damage and disruption to organizations they have a grievance with. They realize that a leak of confidential information about customers, suppliers or employees could lead to severe embarrassment and/or significant legal penalties.
- Cybermercenaries seek payment from anyone who will hire them, including governments, protest groups or businesses, to steal specific information.
- Nation states (government agencies) or their contractors focus on collecting strategic information or disrupting industrial facilities in hostile countries.

Healthcare Vendors Scorecard
The majority of healthcare vendors lack minimum security, as the grades for their culture of security show:
- 4% scored in the A (high confidence) range
- 16% scored in the B (moderate confidence) range
- 14% scored in the C (indeterminate confidence) range
- over 58% scored in the D range, and a further 8% in the F range

Healthcare Vendors Scorecard
- Only 32% of vendors hold security certifications or attestations such as FedRAMP, HITRUST, ISO 27001, SOC 1 (SSAE 16), SOC 2 or SOC 3.
- Over 50% of the vendors serving an average healthcare organization are small to medium-sized businesses with fewer than 1,000 employees.

Background: Healthcare Vendors
- Healthcare and industry organizations do not hold vendors accountable for minimum levels of security, so these vendors become an unlocked back door to sensitive healthcare data.
- An average hospital's data is accessible to hundreds to thousands of vendors providing a wide range of services: business services, consulting, claims processing and education; Electronic Health Record (EHR), healthcare and medical-supply technologies and products; and network and security software.
- The share of security incidents attributed to partners and vendors is growing: from 20% in 2010 to 28% in 2012.

Background: Healthcare Vendors
- Only 44% of organizations have a process for evaluating third parties before business operations begin.
- Only 31% include security provisions in contracts with external vendors and suppliers.
- Vendor due diligence by healthcare organizations is not aligned with risk.
- Effective third-party security risk management is expensive, time-consuming and resource-intensive.

Definitions
- Vulnerabilities: aspects of IT infrastructure that can potentially be exploited, leading to unauthorized access, loss or exposure of sensitive data, disruption of services, failure to comply with regulatory requirements, or other unwanted outcomes.
- Malware: malicious software or scripts designed to access or harm IT resources without the owner's authorization.
- Hacking: intentional attempts to access or harm IT resources without authorization by thwarting logical security mechanisms.

Blended Threats
- Phishing: a seemingly innocuous email that contains links to malicious executables or websites.
- Spear phishing: phishing directed at specific companies or individuals.
- Vishing: phishing carried out over voice calls.
- Smishing: phishing carried out over SMS.
- Pharmaceutical phishing: the rise in spam about health issues (including promotions for online pharmacies and counterfeit drugs) that carries malware.

Drive-by Downloads
- End users who visit an infected website, or who install what they mistakenly believe to be legitimate software, can be compromised without any further action on their part.
- Attackers use search engine optimization (SEO) poisoning to drive end users to websites infected with malicious code.
- Shortened URLs hide the real destination of malicious links and exploit end-user trust through social engineering.
- Anonymous proxy servers access Internet resources on behalf of the original requester, hiding where traffic really comes from and sidestepping web filtering.
- Internationalized domain names (IDNs) let attackers register mixed-script URLs that are visually indistinguishable from legitimate ones (homograph attacks).
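The mixed-script problem in the last point is something a mail gateway or web proxy can check mechanically. The Go program below is an added example written for this page, not part of the original deck: it extracts the hostname of a URL the way a user reads it, maps a small constructed subset of the Unicode TR39 look-alike table back onto Latin letters, and flags hostnames that either collapse onto a watchlisted domain or mix scripts. The watchlist, the sample URLs and the confusables table are assumptions made for the demonstration; a production check would decode punycode with a full IDNA library and use the complete confusables data.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// confusables: a constructed subset of Unicode TR39 look-alikes (Cyrillic, Greek) -> Latin.
var confusables = map[rune]rune{
	'\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
	'\u0445': 'x', '\u0443': 'y', '\u0456': 'i', '\u0458': 'j', '\u03bf': 'o',
}

// hostOf extracts the hostname the way a user reads it: userinfo before '@'
// ("https://bank.example@evil.test/") and the port are dropped. Bracketed IPv6
// literals are not handled.
func hostOf(raw string) string {
	s := raw
	if i := strings.Index(s, "://"); i >= 0 {
		s = s[i+3:]
	}
	if i := strings.IndexAny(s, "/?#"); i >= 0 {
		s = s[:i]
	}
	if i := strings.LastIndex(s, "@"); i >= 0 {
		s = s[i+1:]
	}
	if i := strings.LastIndex(s, ":"); i >= 0 {
		s = s[:i]
	}
	return strings.ToLower(s)
}

// skeleton replaces each look-alike rune with its Latin twin: the name a user believes they see.
func skeleton(host string) string {
	var b strings.Builder
	for _, r := range host {
		if m, ok := confusables[r]; ok {
			r = m
		}
		b.WriteRune(r)
	}
	return b.String()
}

// mixedScript reports whether the letters of s combine Latin with another script.
func mixedScript(s string) bool {
	latin, other := false, false
	for _, r := range s {
		if !unicode.IsLetter(r) {
			continue
		}
		latin = latin || unicode.Is(unicode.Latin, r)
		other = other || !unicode.Is(unicode.Latin, r)
	}
	return latin && other
}

// CheckHost classifies the hostname of rawURL against a watchlist of domains
// worth protecting (your own brands and the services staff log into).
func CheckHost(rawURL string, watchlist []string) string {
	host := hostOf(rawURL)
	for _, label := range strings.Split(host, ".") {
		if strings.HasPrefix(label, "xn--") {
			return "punycode" // decode (e.g. golang.org/x/net/idna) before judging
		}
	}
	if strings.IndexFunc(host, func(r rune) bool { return r > unicode.MaxASCII }) < 0 {
		return "ascii"
	}
	sk := skeleton(host)
	for _, w := range watchlist {
		if sk == w || strings.HasSuffix(sk, "."+w) {
			return "homograph-of:" + w
		}
	}
	if mixedScript(host) {
		return "mixed-script"
	}
	return "non-ascii"
}

func main() {
	watch := []string{"example.com", "paypal.com"} // assumed watchlist
	for _, s := range []string{ // constructed URLs; \u0430 is Cyrillic small a
		"https://example.com/login",
		"https://login.ex\u0430mple.com/",
		"https://p\u0430ypal-secure.net/",
		"https://xn--80ajmoo.xn--p1ai/",
	} {
		fmt.Printf("%-36s %s\n", s, CheckHost(s, watch))
	}
}
```

The verdict "homograph-of:<domain>" is the one to block outright; "mixed-script" and "punycode" deserve a closer look rather than an automatic block, since plenty of legitimate non-English domains fall into them.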

APTs: Advanced Persistent Threats (APTs) may involve any of the blended threats and/or drive-by downloads. What the term really implies is human command-and-control, specific objectives, and skilled, well-funded attackers who keep at it until they reach those objectives.

Data Classification Levels (lowest to highest)
- Commercial: Not sensitive, Non-proprietary, Public, Proprietary, Internal use only, Confidential, Restricted, Highly confidential
- Government: Not classified, Unclassified, Confidential, Secret, Top secret

#1: Encryption of Data Is a Must. Data encryption is a key defense against breaches. That includes all information, wherever it sits: databases and file shares, backup tapes, and employees' mobile devices. Use authenticated encryption, keep the keys separate from the data they protect, and note the payoff under HIPAA: a lost laptop or tape holding properly encrypted PHI is not a breach of unsecured PHI and does not trigger notification.

#2: Mobile Devices Are a Challenge. In this era of bring-your-own-device (BYOD), with more people using mobile devices for work, the amount of sensitive data on smartphones and tablets keeps growing. Organizations need a strong mobile device management (MDM) policy to protect these devices, whether they are corporate- or employee-owned: enforced screen lock and device encryption, remote wipe, and control over which apps may hold company data.

#3: Getting Rid of Old Information. There is always some outdated sensitive data, whether about the company, employees or customers, that needs to be shed. Companies need a retention policy that takes into account the secure destruction of such data; information that no longer exists cannot be stolen.

#4: Keep an Eye on the Stored Data. Regardless of where the data is stored, locally, in the data center or in the cloud, the company's IT professionals should always know how the information is being secured: who can reach it, how it is encrypted, and who holds the keys.

#5: Disposing of IT Assets. Just as with data, organizations need an end-of-life plan for assets that might hold sensitive information (servers, laptops, phones, copiers, backup media) to ensure that the information on them cannot be recovered once they leave the organization's control.
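Ideas #1, #3 and #5 fit together: if every record is encrypted under its own key and the keys are kept apart from the data, secure destruction of a record, a tape or a retired disk reduces to destroying the key. The Go program below is an added example written for this page, not code from the deck, using AES-256-GCM from the standard library. The master key is generated in memory here as a stand-in for one held in a KMS or HSM; the record ID and the patient record are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is one encrypted record: a fresh 12-byte GCM nonce and the ciphertext with its 16-byte tag.
type Blob struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// Vault wraps a per-record data key (DEK) under a master key (KEK) that in
// production lives in a KMS or HSM, never beside the data. Deleting a record's
// wrapped DEK is crypto-shredding: every copy of that record becomes unreadable.
type Vault struct {
	kek     cipher.AEAD
	wrapped map[string][]byte // record ID -> nonce || wrapped DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewVault(masterKey []byte) (*Vault, error) {
	kek, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	return &Vault{kek: kek, wrapped: map[string][]byte{}}, nil
}

// Seal encrypts plaintext for record id under a new random DEK. The record ID
// is bound as additional authenticated data, so a blob cannot be moved to a
// different record undetected.
func (v *Vault) Seal(id string, plaintext []byte) (Blob, error) {
	dek := randomBytes(32) // AES-256
	aead, err := newGCM(dek)
	if err != nil {
		return Blob{}, err
	}
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	wn := randomBytes(v.kek.NonceSize()) // random nonces are fine for far fewer than 2^32 wraps per KEK
	v.wrapped[id] = append(wn, v.kek.Seal(nil, wn, dek, []byte(id))...)
	return Blob{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob. It fails if the record's key was shredded or if the
// nonce, ciphertext, tag or record binding was altered.
func (v *Vault) Open(b Blob) ([]byte, error) {
	w, ok := v.wrapped[b.ID]
	if !ok {
		return nil, errors.New("no data key for record (shredded?)")
	}
	ns := v.kek.NonceSize()
	dek, err := v.kek.Open(nil, w[:ns], w[ns:], []byte(b.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.ID))
}

// Shred destroys the only key that can decrypt record id.
func (v *Vault) Shred(id string) { delete(v.wrapped, id) }

func main() {
	v, _ := NewVault(randomBytes(32)) // stand-in for a KMS-held master key
	rec, _ := v.Seal("patient-0001", []byte("DOB 1970-01-01; dx: hypertension")) // constructed record
	pt, err := v.Open(rec)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	rec.Ciphertext[0] ^= 0x01 // flip one bit: the GCM tag no longer verifies
	_, tamperErr := v.Open(rec)
	v.Shred("patient-0001")
	_, shredErr := v.Open(rec)
	fmt.Println("tampered:", tamperErr, "| after shred:", shredErr)
}
```

The design choice worth noticing is the split between data keys and the master key: backups and tapes can keep holding the blobs indefinitely, retention is enforced by deleting wrapped keys, and rotating the master key means re-wrapping a table of small keys rather than re-encrypting every record.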

#6: Pay Attention to Passwords. Weak, reused and default passwords remain an easy avenue for cyber-thieves looking for information. Organizations must enforce strong passwords: a sensible minimum length, screening against lists of known-breached passwords, no reuse across systems, and storage only as salted, slow hashes. Frequent forced rotation, long the standard advice, is no longer recommended: NIST SP 800-63B advises against scheduled password changes and against composition rules, because both push users toward predictable patterns, and calls for a change only when there is evidence of compromise. Above all, organizations should use two-factor authentication wherever possible.
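As an added example, not from the deck, the Go program below shows what "pay attention to passwords" looks like in code: a screening policy that checks length and a breached-password denylist rather than composition rules, and salted PBKDF2-HMAC-SHA256 hashing with a constant-time comparison for storage. The breached list is a constructed three-entry stand-in, the account name "alice" and the sample passwords are assumptions, and PBKDF2 is written out by hand because crypto/pbkdf2 only joined the standard library in Go 1.24; with a dependency available, Argon2id or bcrypt are the better choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// breached is a constructed three-entry stand-in for a breached-password
// corpus; in production screen against a real one (e.g. the HIBP range API).
var breached = map[string]bool{"password1234": true, "welcome12345": true, "qwerty123456": true}

const minLength = 12

// CheckPolicy screens a candidate password along NIST SP 800-63B lines: a
// length floor and a denylist of breached and context-specific values, with
// no composition rules and no calendar-driven rotation.
func CheckPolicy(password, username string) error {
	if len([]rune(password)) < minLength {
		return fmt.Errorf("shorter than %d characters", minLength)
	}
	lower := strings.ToLower(password)
	if breached[lower] {
		return errors.New("appears in a breached-password list")
	}
	if username != "" && strings.Contains(lower, strings.ToLower(username)) {
		return errors.New("contains the account name")
	}
	distinct := map[rune]bool{}
	for _, r := range lower {
		distinct[r] = true
	}
	if len(distinct) < 4 {
		return errors.New("too few distinct characters")
	}
	return nil
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256: T_i = U_1 xor ... xor U_c,
// U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	var idx [4]byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Stored is what the credential store keeps: never the password itself.
type Stored struct {
	Salt []byte
	Iter int
	Hash []byte
}

// HashPassword salts and stretches a password; iter should be large
// (OWASP's 2023 figure for PBKDF2-HMAC-SHA256 is 600,000).
func HashPassword(password string, iter int) Stored {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Stored{Salt: salt, Iter: iter, Hash: pbkdf2SHA256([]byte(password), salt, iter, 32)}
}

// Verify recomputes the hash and compares it in constant time.
func Verify(password string, s Stored) bool {
	return hmac.Equal(pbkdf2SHA256([]byte(password), s.Salt, s.Iter, 32), s.Hash)
}

func main() {
	for _, pw := range []string{"Password1234", "alice-loves-cats", "correct horse battery staple"} {
		fmt.Printf("%-32q policy: %v\n", pw, CheckPolicy(pw, "alice"))
	}
	rec := HashPassword("correct horse battery staple", 600000)
	fmt.Println("right / wrong password verifies:", Verify("correct horse battery staple", rec), Verify("correct horse battery stable", rec))
}
```

Storing Iter alongside the hash is what lets you raise the work factor later: records hashed with the old count keep verifying, and can be re-hashed at the next successful login.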

#7: Protect Against Viruses. Companies need to ensure that their anti-malware software and its signatures are kept up to date on every endpoint and server, and treat it as one layer of defense rather than the whole of it.

#8: Don't Forget Firewalls. Firewalls and intrusion detection software (and, where the false-positive rate allows, intrusion prevention) are key elements of the larger data protection effort: the firewall limits what can talk to what, and the detection layer tells you when something is probing or crossing those limits.
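To make #8 concrete, here is an added example (not part of the original deck) of the kind of logic an intrusion detection layer runs over firewall logs: it parses constructed iptables/ufw-style DROP lines, groups them by source address, and alerts when one source touches a threshold of distinct destination ports within a time window, the signature of a port sweep. The log lines, the addresses (taken from the documentation ranges) and the threshold are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type Event struct {
	At   time.Time
	Src  string
	Port string
}

// ParseLine reads iptables/ufw-style lines (timestamp, verdict, KEY=VALUE fields; see sampleLog)
// and reports false for anything that does not fit.
func ParseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	e := Event{At: at}
	for _, f := range fields[2:] {
		switch {
		case strings.HasPrefix(f, "SRC="):
			e.Src = f[4:]
		case strings.HasPrefix(f, "DPT="):
			e.Port = f[4:]
		}
	}
	return e, e.Src != "" && e.Port != ""
}

// Alert records a source that touched at least Ports distinct destination ports inside one window.
type Alert struct {
	Src        string
	Ports      int
	Start, End time.Time
}

// DetectScans sorts each source's events by time, slides a window over them, and raises one alert per offending source.
func DetectScans(events []Event, threshold int, window time.Duration) []Alert {
	bySrc := map[string][]Event{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e)
	}
	var alerts []Alert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i := range evs {
			ports := map[string]bool{}
			j := i
			for ; j < len(evs) && evs[j].At.Sub(evs[i].At) <= window; j++ {
				ports[evs[j].Port] = true
			}
			if len(ports) >= threshold {
				alerts = append(alerts, Alert{Src: src, Ports: len(ports), Start: evs[i].At, End: evs[j-1].At})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

func Analyze(log string, threshold int, window time.Duration) []Alert {
	var events []Event
	for _, line := range strings.Split(log, "\n") {
		if e, ok := ParseLine(line); ok {
			events = append(events, e)
		}
	}
	return DetectScans(events, threshold, window)
}

// sampleLog is constructed: 203.0.113.7 sweeps nine ports in five seconds,
// 198.51.100.4 makes an ordinary connection, and one line is not a log event.
const sampleLog = `2015-06-09T10:00:00Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2015-06-09T10:00:01Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2015-06-09T10:00:01Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2015-06-09T10:00:02Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2015-06-09T10:00:02Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2015-06-09T10:00:03Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2015-06-09T10:00:04Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2015-06-09T10:00:04Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2015-06-09T10:00:05Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2015-06-09T10:00:05Z DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
not a firewall event`

func main() {
	for _, a := range Analyze(sampleLog, 8, time.Minute) {
		fmt.Printf("possible port scan from %s: %d ports between %s and %s\n", a.Src, a.Ports, a.Start.Format("15:04:05"), a.End.Format("15:04:05"))
	}
}
```

The threshold and window are the tuning knobs: too low and a vulnerability scanner you run yourself will page the on-call engineer, too high and a slow scan spread over hours slips through, which is why real IDS rules keep per-source state across much longer horizons than one minute.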

#9: Privacy Should Be a Primary Concern. An enterprise-wide policy aimed at protecting private information from unauthorized access or inadvertent disclosure is the best foundation for keeping the data safe: it should say what personal data is collected, who may access it and for what purpose, and how long it is kept.

#10: Keep a Focus on Employee Education. Employees can be a source of problems and a key line of defense. Businesses need to ensure that workers are properly trained to handle information appropriately (recognizing phishing, reporting lost devices, not copying patient data into unprotected spreadsheets) and that all employees are up to date on the latest corporate policies and procedures.

Conclusions

Strategic Program Governance & Oversight
- The changing cybercrime landscape and evolving threats and risks call for nimble, strategic, risk-based and methodical approaches to protecting data and responding to breaches.
- The privacy and protection of PII is not only an issue of regulatory compliance; it is also a factor in competitive advantage, business positioning and strategy, and it requires oversight.
- Privacy and security regulations should influence business strategy, because mismanagement of PII and weak privacy and security controls can cripple an organization.

Data Protection Conceptual Architecture: Set Policy -> Deploy Controls -> Enforce & Monitor Controls

Deploy a Comprehensive IT Security Solution
- Vulnerability assessment
- Patch management
- Application controls, including whitelisting and default-deny functionality
- Device controls that manage which devices are allowed to connect to your systems and network
- Web controls that make it easy to manage, restrict and audit access to web resources
- Zero-day defenses
- Data encryption
- Mobile security with mobile device management (MDM)

Contact Sumit Pal (609) 520-1188 spal@