Best Practices For Cyber Security

November 3, 2014
Copyright © 2014 K2 Enterprises, LLC. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.
Tommy Stephens
• CPA from Woodstock, Georgia
• Twenty-nine years public accounting & private industry experience
  – Nineteen years CPE discussion leader
• BSBA (Accounting) Auburn University
• MS (Finance) Georgia State University
• Please contact me: tommy@k2e.com
• Follow me on Twitter: @TommyStephens
WHAT ARE THE BIGGEST CYBER THREATS?
Top Cybersecurity Threats
1. Social Engineering
2. Advanced Persistent Threats
3. Internal Threats
4. Bring Your Own Device
5. Cloud Security
6. HTML5
7. Botnets
8. Precision Targeted Malware
Source: Forbes
Social Engineering
• Using social networks such as Facebook and LinkedIn to obtain information directly from the networks or by misleading others
  – Should you really post your vacation plans on Facebook before you go?
  – Do you really know all of your “friends”?
• Also includes phishing, baiting, and computer virus hoaxes
Advanced Persistent Threats
• Advanced Persistent Threats (APTs) take a “low and slow” approach
• Intention is to gain access to a network and take information quietly
• Likely executed by a government or very sophisticated entity, as most individuals and small organizations lack the resources to execute such an attack
Internal Threats
• Most data losses and breaches are committed by insiders
• Who’s guarding your server while you are participating in this session?
• CERT Insider Threat Center found that malicious insiders within the financial industry get away with their fraud for approximately 32 months before discovery
Bring Your Own Device
• Bring Your Own Device (BYOD) is a relatively new phenomenon where team members acquire their own technology and use it for corporate purposes
• Though well-meaning team members can be more productive in a BYOD environment and save the organization money, the problem is that they don’t secure the technology
  – What happens to the corporate data when the smartphone or tablet is lost, stolen, or hacked?
Cloud Security
• Cloud computing is the most significant trend in information technology today
• The cloud offers potentially huge benefits, but the risks can be great as well because you surrender control of your data
• Do your due diligence before engaging a vendor to provide cloud services!
HTML5
• HTML5 is a relatively new markup language being used to develop web applications
  – Provides better support for multimedia and communications with a server
• A big advantage of HTML5 over its predecessors is cross-platform support
• However, because of its newness, many are concerned about its security
Botnets
• A botnet is a network created with malicious software that exploits the computing power of multiple private computers, without the knowledge of the owners of those computers
• Cybercriminals often use botnets to send spam, spread viruses, and attack other computers and servers
• Is your computer running slowly?
Precision Targeted Malware
• The attackers are getting smarter!
• With Precision Targeted Malware (PTM), they are developing code that doesn’t execute unless it is in the environment for which its developers designed it
• This makes it harder to detect malware in testing environments
• “Gauss” is an example of PTM
What Are The Crooks After?
• Anything they can sell for a profit or hold hostage in return for a ransom
• In other words, sensitive information!
Two Specific Areas Of Concern For Carolinas HealthCare System
• Credit card information
  – To reduce the risk of credit card fraud, CHS is implementing EMV readers instead of card swipes
  – This should be completed by October 2015
  – EMV uses PIN codes and encryption algorithms to reduce the risk of fraud
• Vendors with weak internal controls
  – “A chain is only as strong as its weakest link”
WHAT ARE THE COSTS OF THESE THREATS?
Cost Of Cyber Crime Study
• The time it takes to resolve a cyber attack has increased by 130% in four years
• The average cost to resolve a single attack is more than $1 million
• Organizations in defense, financial services, and energy suffered the highest cybercrime costs
• $188 per record breached, on average, to respond/resolve a cyber attack
Source: Ponemon Institute
Cost Of Cyber Crime Study
• Data theft caused major costs: 43% of the total external costs
• Business disruption, or lost productivity, accounts for 36% of external costs
• The average time to resolve a cyber attack was 32 days, with an average cost of $1,035,769
  – $32,469 per day!
• Smaller organizations incur significantly higher per capita costs
Source: Ponemon Institute
Cost Of Cyber Crime
• McAfee: Malicious cyber attacks could cost the U.S. $100 billion annually
  – $300 billion worldwide
• U.S. Congressional report: Nearly 20% of all cyber attacks are aimed at companies with fewer than 20 employees
• Experian: Only 31% of U.S. companies have cyber insurance policies
SOME SPECIFIC EXAMPLES…
Target Debit/Credit Card Breach
• Actually, two incidents
  – 40 million customers’ names, debit/credit card numbers, PIN codes, expiration dates, security codes, and phone numbers were compromised from November 27 to December 15, 2013
  – Up to 70 million names, addresses, phone numbers, and email addresses may have also been compromised
• Cost to Target: TBD, but a similar hack at TJ Maxx cost $256 million
Adobe
• 38 million records, including credit card numbers and username/password combinations, were compromised from products and services, including Adobe Acrobat and ColdFusion
• Notification costs alone would approximate $17.5 million
• Assuming $188 per record, total costs could exceed $700 million
Republic Services
• In August 2013, a laptop was stolen from an employee’s home
• The laptop contained personal information on 82,160 current and former employees
• Of course, the laptop’s hard disk was not encrypted or otherwise protected
Palm Beach County Health Department
• A senior clerk was arrested and charged with using her job to steal identity information on more than 2,800 patients
• The clerk then shared the information, including Social Security numbers, with accomplices to file fraudulent income tax returns seeking refunds
TEN COMMON SENSE APPROACHES TO REDUCING CYBER THREATS
Education Is Critical
• Most team members truly want to do the right thing, but they often don’t know what the right thing is
• Educate on the risks associated with cyber attacks
• Create a “culture of security and personal accountability” across the organization
  – Like all internal controls, this starts at the top of the organization
• Includes developing and implementing policies
Use “Long And Strong” Passwords
• Passwords can be a good first line of defense, but are rarely as effective as they should be
• According to The SANS Institute, a “strong” password now consists of fifteen alphanumeric characters
• Want to test your password?
  – Try https://www.grc.com/haystack.htm
Use “Long And Strong” Passwords
• In reality, can we really expect to use different long and strong passwords on all of our devices, applications, and web sites?
  – After all, we are only human
• Consider using password management software such as RoboForm, Password Depot, KeePass, and others to ease the burdens associated with long and strong passwords
Consider Alternative Authentication Measures
• Fingerprint swipes instead of passwords, for example, might prove to be more secure in many organizations
• Multi-factor authentication is also an excellent internal control for mitigating cyber risk
  – Something you know – password, for example – plus something you have – key fob, for example
Limit Administrative Rights
• Most end users should not have administrative rights on their PCs
  – Yet many of them do
• Without administrative rights, end users cannot change settings that might compromise the security of their device
Get A Grip On BYOD
• Bring Your Own Device, Bring Your Own Cloud, and Bring Your Own Technology are all significant risks to every organization
• Get policies in place today
  – www.tinyurl.com/k2byodpolicies
• Consider forcing security measures onto team members’ devices as a condition of accessing and storing personal data
  – iPhone/iPad Configuration Utility, for instance
Disable USB Ports For Storage
• USB flash drives, external hard disks, etc. are rarely encrypted by end users
• Therefore, security risks are huge!
• You can disable USB ports for storage with an edit to the Windows Registry
Disabling USB Ports For Storage
Registry edit to prevent USB access to external storage devices. IMPORTANT: back up the registry first!
• Click Start, and then click Run
• In the Open box, type regedit, and then click OK
• Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
• In the details pane, double-click Start
• In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK
• Exit Registry Editor
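The same change, scripted so that the backup step the slide insists on cannot be skipped and the result is verified rather than assumed. This is an added example, not part of the K2 Enterprises deck; the backup file location under $env:TEMP is an assumption, and the script must run from an elevated (Administrator) PowerShell session.

```powershell
# Added example (not from the K2 Enterprises deck): scripted form of the
# UsbStor registry change described on the slide, backup first, then verify.
# Run from an elevated (Administrator) PowerShell session.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$BackupFile = Join-Path $env:TEMP 'UsbStor-backup.reg'   # assumed backup location

# 1. Back up the key before touching it (the slide's "IMPORTANT" step).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\UsbStor' $BackupFile /y | Out-Null
if (-not (Test-Path $BackupFile)) { throw "Backup of UsbStor key failed; aborting." }

# 2. Set Start to 4 (SERVICE_DISABLED). The Windows default is 3
#    (SERVICE_DEMAND_START): the driver loads whenever a USB disk is attached.
$Before = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

# 3. Read the value back; a change you did not confirm is not a control.
$After = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
"UsbStor Start: $Before -> $After (4 = disabled, 3 = manual/enabled)"
if ($After -ne 4) { throw "UsbStor Start is $After, expected 4." }

# To undo: Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
# or restore the backup with: reg.exe import $BackupFile
```

The value affects USB storage devices attached after the change; a device whose driver is already loaded keeps working until it is removed, so reboot when you need certainty. On a domain, the equivalent control is delivered centrally through Group Policy (Computer Configuration, Administrative Templates, System, Removable Storage Access), which is easier to audit than per-machine registry edits.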
Thoroughly Vet All Cloud Vendors
• Though many have resisted and continue to resist, the Cloud tsunami continues to grow
• For many smaller organizations, it is entirely likely that moving to the cloud offers improved security
• However, thoroughly vet any cloud vendor before signing a contract or moving data
• Look for SSAE 16, ISO 27001, SOC 1, SOC 2, SOC 3, etc. certifications
Configure Firewalls Properly
• Firewalls serve as a “buffer” between two networks – LAN and Internet, for example
• You can configure your firewalls to block unwanted inbound as well as outbound traffic
• Ensure that both corporate level and computer level firewalls are configured to block intruders, as well as access to undesirable web sites
“White List” Software Titles
• Instead of trying to block all “bad” applications – which is virtually impossible, because that list is ever-changing – consider using a “white list” approach for approved applications on each computer
• Windows supports this control
“White List” Software Titles
• In the “Run” dialog box, enter “gpedit.msc”
• Navigate to “User Configuration, Administrative Templates, System”
• Scroll to “Run only specified Windows applications”
• Specify the applications allowed to run on the computer
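The “Run only specified Windows applications” policy is stored in the current user’s registry hive, so the allow list can be written and, more usefully, read back for audit without opening gpedit.msc. The script below is an added example, not part of the K2 Enterprises deck; the registry locations are the ones this policy uses, and the four program names are a constructed sample list for an accounting workstation.

```powershell
# Added example (not from the K2 Enterprises deck): registry form of the
# "Run only specified Windows applications" policy the slide sets via gpedit.msc.
# Applies to the user running the script; on a domain the same values are
# delivered by Group Policy.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'RestrictRun'

function Set-RestrictRunAllowList {
    param([string[]]$Programs)   # executable file names, e.g. 'winword.exe'

    New-Item -Path $PolicyKey -Force | Out-Null
    # Start from an empty list so entries removed from the approved set do not linger.
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse -Force }
    New-Item -Path $ListKey -Force | Out-Null

    # The policy stores one string value per allowed program, named 1, 2, 3, ...
    $i = 1
    foreach ($exe in $Programs) {
        New-ItemProperty -Path $ListKey -Name $i -Value $exe -PropertyType String | Out-Null
        $i++
    }
    # The DWORD RestrictRun=1 switches the policy on.
    New-ItemProperty -Path $PolicyKey -Name RestrictRun -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-RestrictRunAllowList {
    # Read the configured list back so it can be compared with the approved-software inventory.
    if (-not (Test-Path $ListKey)) { return @() }
    (Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

# Constructed sample allow list (assumed program names, not from the deck).
Set-RestrictRunAllowList -Programs @('winword.exe', 'excel.exe', 'outlook.exe', 'chrome.exe')
Get-RestrictRunAllowList
```

Two cautions before relying on this. First, the policy takes effect at the next logon and applies to every program the user launches through File Explorer, including the tools you would use to change it back, so test it on a non-administrative account first. Second, the policy’s own description states that it only restricts programs started by File Explorer, not those started by the system or by other processes; it is a usability guard rail, not an enforcement boundary. Where the allow list is expected to stop malware rather than just discourage unapproved software, use AppLocker (or Software Restriction Policies on editions without it), which is enforced in the kernel for every process.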
Implement Monitoring Tools
• According to EY, anti-virus software is not very effective against new forms of attack because it is reactive, rather than proactive
• Rather, monitoring and analytical tools that seek out unusual patterns in traffic should be used as early-warning mechanisms
• Such tools may have, for example, detected that Edward Snowden was downloading more files than what his job duties required
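The “more files than the job requires” pattern on this slide is detectable with very little machinery: compare each user’s daily download count with that same user’s typical day. The script below is an added example, not part of the K2 Enterprises deck; the access records are constructed inline (two documents per user per day, then one user pulling forty files in a day), and the threshold values are assumptions to be tuned against real data.

```powershell
# Added example (not from the K2 Enterprises deck): per-user download-volume
# anomaly check over constructed file-server access records.

# Constructed sample log: one object per download (user, date, file).
$Rows = @()
foreach ($day in 1..5) {
    foreach ($u in 'alice', 'bob') {
        foreach ($n in 1..2) {
            $Rows += [pscustomobject]@{ user = $u; date = "2014-10-0$day"; file = "doc-$u-$day-$n.docx" }
        }
    }
}
# The unusual day: bob downloads 40 files on 2014-10-06.
foreach ($n in 1..40) {
    $Rows += [pscustomobject]@{ user = 'bob'; date = '2014-10-06'; file = "bulk-$n.pdf" }
}

function Find-DownloadAnomalies {
    param(
        [object[]]$Records,
        [double]$Multiplier = 5,   # assumed: flag a day at or above 5x the user's median day
        [int]$MinDownloads  = 10   # assumed: ignore small absolute counts (2 vs 10 is noise)
    )
    $results = @()
    foreach ($userGroup in ($Records | Group-Object user)) {
        # Daily totals for this user only; the baseline is the user's own history,
        # so a heavy-use role is not flagged merely for being heavy.
        $daily = $userGroup.Group | Group-Object date | ForEach-Object {
            [pscustomobject]@{ user = $userGroup.Name; date = $_.Name; Downloads = $_.Count }
        }
        $counts = @($daily | ForEach-Object { $_.Downloads } | Sort-Object)
        $median = $counts[[int][math]::Floor($counts.Count / 2)]

        foreach ($d in $daily) {
            if ($d.Downloads -ge $MinDownloads -and $d.Downloads -ge $Multiplier * $median) {
                $results += [pscustomobject]@{
                    user = $d.user; date = $d.date; Downloads = $d.Downloads; BaselinePerDay = $median
                }
            }
        }
    }
    return $results
}

# With the constructed data this reports one row: bob, 2014-10-06, 40 downloads, baseline 2.
Find-DownloadAnomalies -Records $Rows | Format-Table -AutoSize
```

The median is deliberately taken from the user’s own days rather than from a fixed organization-wide number, because a fixed number is either too high to catch a quiet clerk or too low to leave an auditor alone. In production the baseline should come from a trusted historical window rather than from the same period being examined, otherwise a sustained exfiltration over many days raises its own median and disappears into the baseline.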
ADVANCED CYBER SECURITY MEASURES TO CONSIDER
SANS Institute Twenty Critical Security Controls
• Based on a consortium of US and international agencies, including the US National Security Agency (NSA)
• Prioritizes security functions that are effective against some of the more advanced threats
• The US State Department has demonstrated a 94% decline in risk as a result of adopting these twenty controls
• http://www.sans.org/critical-security-controls/
Twenty Critical Security Controls
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software
4. Continuous vulnerability assessments and remediation
Twenty Critical Security Controls
5. Malware defenses
6. Application security software
7. Wireless device controls
8. Data recovery capability
9. Security skills assessment and training to fill gaps
10. Secure configurations for network devices such as firewalls, routers, and switches
Twenty Critical Security Controls
11. Limitation and control of network ports, protocols, and services
12. Controlled use of administrative privileges
13. Boundary defense
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on need to know
Twenty Critical Security Controls
16. Account monitoring and control
17. Data loss prevention
18. Incident response and management
19. Secure network engineering
20. Penetration tests and red team exercises
WE’VE BEEN HACKED!
What To Do When An Attack Occurs
• Create your response plan in advance
  – This is not something that should be done in the heat of battle!
• Include on the response team appropriate personnel from IT, PR, Customer Service, Legal, and all other relevant departments in the organization
• As part of the response plan, carefully consider legal and regulatory requirements
  – State security breach notification laws
  – HIPAA
In The First 24 Hours…
1. Record date and time of notification
2. Alert and activate response team
3. Secure the premises
4. Stop additional data loss
5. Document everything
6. Interview those involved
7. Review protocols
8. Assess priorities and risks
9. Bring in forensics team
10. Notify law enforcement, if necessary
Next, And In No Particular Order
• Fix the issue that caused the breach
• Continue working with forensics
• Identify legal obligations
• Report to senior management
• Identify and resolve conflicting initiatives
• Alert your data breach resolution vendor
The preceding responses are summarized from the “Data Breach Response Guide” produced and published by Experian Data Breach Resolution. You may download the guide from http://www.experian.com/assets/databreach/brochures/response-guide.pdf.
SUMMARY
Summary
• The numbers aren’t pretty, as the threats associated with cyber attacks continue to escalate, seemingly on a daily basis
• However, by understanding where the threats originate, we can position ourselves better to take appropriate cyber security measures
Summary
• When implementing cyber security measures, look for the low-hanging fruit first…you will get the biggest bang for your buck here
• Then, turn your attention to the more advanced security controls found in the SANS Institute’s Twenty Critical Security Controls
Summary
• Despite your efforts, it is likely impossible to completely insulate your organization from attack and eliminate all cyber risk
• Therefore, develop, put into place, and continually update a response plan in case your organization is attacked
• As part of this plan, ensure that you carefully consider all relevant legal and regulatory requirements
THANKS!