Cybersecurity Demystified: Information Technology Security Trends
Joe Oleksak, Plante Moran

Agenda
1. Data Security Trends
2. Example Attacks
3. Industry Examples
4. An Answer
Who Are The Victims?
Targets - victims of opportunity: Some will be a target regardless of what they do, but most become a target because of what they don't do related to security. (Verizon Data Breach Investigations Report)

Could This Be Prevented?
Breaches are not rocket science: Most victims weren't overpowered by unknowable and unstoppable attacks. We know them well enough, and we also know how to stop them.

How Are They Hacking?
Most Common Attack - Social: Most attacks began socially. Employees are your greatest asset, but often your weakest link in security. Hackers know this, and have developed social scams by the thousands, hoping that just one will find a victim.
[Chart: Annual Launched Phishing Attacks]

Why Can't We Stop Them?
Breaches in 2014 went unnoticed: Prevention is crucial, but we must accept the fact that no barrier is impenetrable. Detection and response represent an extremely critical line of defense. Ignorance is NOT bliss: what you don't know can hurt you!
[Chart: Breach Undiscovered for 1 Month or More]
97% of Breaches Were Avoidable
Most victims aren't overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them. (Verizon Data Breach Investigations Report)

Weak Infrastructure
- Weak design (firewalls, wireless routers)
- Weak user authentication (users, passwords)
- Encryption (VPN, secure portals)
- Out-dated software (patch management / anti-virus)
- Lack of periodic testing

User Ignorance
- Weak user passwords
- Poor judgment
- Social media
- Phishing attacks

Third Party Vendors
- Weak due diligence
- Breach notification
- Annual breach confirmation

Technology Advances
- Mobile devices
- Cloud computing / public portals
Example Attack: Victim

Example Attack: Attacker
Can Anything Prevent This?
Regulations and standards:
- HIPAA
- GLBA
- Sarbanes-Oxley
- EU Data Protection Directive (95/46/EC)
- State privacy laws
- FISMA
- FERPA
- PCI
- NIST
- Canada - PIPEDA
- 21 CFR Part 11
- ISO 2700x
Industry Breaches

Not Always Hackers!

But Often Times Hackers

What Might It Cost?
Start with a Framework.
Different organizations view information security differently. Some of the differences relate to the varied risk and threat profiles affecting an organization, based on factors such as industry, location, products/services, etc. Other differences relate to management's view of security, based on their experience with prior security incidents.

Assess Risk.
Secure the Network.
1. Data Classification - Public and Confidential (Sensitive/Private)
2. Perimeter Security - Firewalls, IDS/IPS
3. Wireless Security - SSID, Encryption, Default Password
4. Authentication - Users & Passwords
5. Encryption - Connectivity & Storage
6. Anti-virus
7. Patch Management
8. Remote Access
9. Network Monitoring
10. Annual Testing - External & Internal Penetration Testing
Secure the User.
- Full-time employees
- Part-time employees and contractors
- Consultants and vendors
- Customers
- Visitors

- Ad hoc vs. formal repeatable process
- Single sign-on
- User IDs/passwords
- Use of technology (tokens, firewalls, access points, encryption, etc.)

- Need-to-know basis / able to perform job responsibilities
- Segregation of duties
- Administrative access
- Super-user access
- Internet vs. corporate system access

- Only when an issue is noted
- User access logs
- Annual review of access
- Proactive review of user activity
- Real-time monitoring of unauthorized access or use of information systems

Teach the User.

Passwords Died in the 90s.
Secure the Vendor. Due Diligence
- Existence and corporate history, strategy, and reputation
- References, qualifications, backgrounds, and reputations of company principals, including criminal background checks
- Financial status, including reviews of audited financial statements
- Internal controls environment, security history, and audit coverage (SOC Reports)
- Policies vs. procedures
- Legal complaints, litigation, or regulatory actions
- Insurance coverage
- Ability to meet disaster recovery and business continuity requirements

Secure the Vendor. Remote Access
- Deploy a single central remote access solution for employees and vendors to remotely access your network
- The company should manage the remote access tool, not the third-party vendor
- Block access from any unapproved remote access tools used by third-party vendors
- Require each third-party vendor to use unique credentials to access your network
- Log and review third-party activities on your network

Breach Notification
- Contract language should include a breach notification requirement
- Annual confirmation of breaches by the CEO or other C-level executive at the vendor
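The remote-access controls listed above (one company-managed tool, unique vendor credentials, log and review of vendor activity) can be checked against the gateway's own logs. The following is an added example written for this page, not code from the presentation or from Plante Moran; it assumes a hypothetical log format (timestamp, account, source IP, tool) and a "vendor-" account naming convention, and the sample log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample lines from a central remote-access gateway.
# Hypothetical format: <ISO timestamp> <account> <source_ip> <tool>
SAMPLE_LOG = """\
2014-03-03T09:02:11 vendor-acme-jsmith 203.0.113.10 corp-vpn
2014-03-03T09:05:40 vendor-acme-jsmith 198.51.100.7 corp-vpn
2014-03-03T10:15:02 vendor-hvac-shared 192.0.2.44 teamviewer
2014-03-03T11:30:55 employee-alee 203.0.113.22 corp-vpn
2014-03-03T13:41:19 vendor-hvac-shared 192.0.2.44 corp-vpn
"""

APPROVED_TOOLS = {"corp-vpn"}           # the single company-managed solution (assumed name)
SHARING_WINDOW = timedelta(minutes=30)  # same account from two IPs within this window


def parse_log(text):
    """Split the constructed log into dicts; one dict per connection event."""
    entries = []
    for line in text.splitlines():
        ts, account, ip, tool = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "ip": ip, "tool": tool})
    return entries


def review_vendor_access(entries):
    """Return (account, finding) tuples for third-party accounts only.

    Two checks from the slide: the connection must use the approved tool, and a
    credential seen from two different source IPs in quick succession suggests
    the vendor is sharing one login instead of using unique credentials.
    """
    findings = []
    last_seen = {}  # account -> (timestamp, source_ip) of the previous event
    for e in sorted(entries, key=lambda e: e["ts"]):
        if not e["account"].startswith("vendor-"):
            continue  # employee access is reviewed under a separate process
        if e["tool"] not in APPROVED_TOOLS:
            findings.append((e["account"],
                             f"unapproved remote-access tool: {e['tool']}"))
        prev = last_seen.get(e["account"])
        if prev and prev[1] != e["ip"] and e["ts"] - prev[0] <= SHARING_WINDOW:
            findings.append((e["account"],
                             f"possible shared credential: {prev[1]} and {e['ip']}"))
        last_seen[e["account"]] = (e["ts"], e["ip"])
    return findings


if __name__ == "__main__":
    for account, finding in review_vendor_access(parse_log(SAMPLE_LOG)):
        print(f"{account}: {finding}")
```

Run against the constructed log it reports one shared-credential finding for vendor-acme-jsmith and one unapproved-tool finding for vendor-hvac-shared; the employee line and the later same-IP vendor login produce nothing.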
In Summary: It's Complicated.

In Summary: Simplified.

Thank you!
Information Technology Security Trends
Joe Oleksak, CISSP, QSA, CRISC, Partner
847.628.8860