Cyber Risk Management: Threats, Recent Cases, Real Risks, and a Strategy for Managing Them
Presented by: Doug Selix, MBA, CISSP, CISM, PMP
IT Security Consultant
The Bottom Line: Cyber Risks are Increasing
• State and Local Government Organizations are targets and are not well defended
  – Traditional defenses are no longer effective
  – Probability of successful attack is increasing
  – IT security is not well managed at the enterprise level
  – Workstations are the frontline; they are not well defended
  – IT Security mistakes are happening too often
  – We have too much old, insecure technology in use
Why is This Happening?
• You have things the bad people want
  – Money
  – Information that is worth money
  – You have things that can be damaged to make a political statement
• Because it is easy to attack you
  – Too much information in the public
  – Your IT environment is not well defended
  – Our people are not well trained in this topic
  – The Bad Guys are Good
  – We do not have an effective defense
  – We are not good at detecting and responding to attack
  – We have a lot of outdated technology that needs to be replaced
The Threat Is Growing
(Chart omitted) Source: McAfee – State of Malware 2013
Recent Cyber Liability Incidents
• City of Burlington WA – 2012
  – $400K Stolen from City Bank Account
• Skagit County Transit – 2012
  – Failed Attack on Bank Account
• Chelan County Hospital District – 2013
  – $1 Million Stolen from Bank Account
• State of South Carolina – 2012
  – 3.6 Million SSNs and 387,000 Credit Card Numbers Stolen
The State Has Had Issues Too
• Department of Revenue – 1/15/2013
  – USB Drive with Virus
  – No Data Breach
• Department of Enterprise Services – 2/12/2013
  – User went to infected web site
  – No Data Breach
• Administrator of the Courts – 5/9/2013
  – Web Site Hacked
  – Data Breach – 1 Million WDL and 160K SSNs
Mistakes Happen Too
• Skagit County Data Security Breach
  – Cause – Human Error
  – Medical Records posted to public web site
  – Discovered by Citizen, Reported to the Feds
  – Result
    • HIPAA Violation
    • State Data Breach Notification Event
    • Press Release
How Attackers are Succeeding
• The Advanced Persistent Threat (APT) approach is working because:
  – People are taken in by Phishing Email
  – Workstations are vulnerable
    • Elevated User Permissions
    • Poor security maintenance practices for patching and current end-point defensive systems
  – Network defense is not well done
    • Bad guys are good – Malware detects defense and morphs
    • Complacent Leaders – People don’t believe it “will happen to them”
    • Government IT is not fully staffed or funded
It is easy to attack you; you are not well defended
• 79% of victims were targets of opportunity
• 96% of attacks were not highly difficult
• 94% of all data was compromised from servers
• 85% of breaches took 2 weeks or more to detect
• 92% were discovered by a third party
• 97% of breaches were avoidable through simple or intermediate controls
• 96% of victims subject to PCI-DSS had not achieved compliance
• US Secret Service Banking Data
Sources: 2012 Verizon Data Breach Investigations Report; 2013 Verizon Data Breach Investigations Report
Cost of a Data Security Breach
• Costs associated with Regulatory Compliance
  – RCW 42.56.590 Personal information – Notice of security breaches: $3/Record Minimum Cost to Notify
• Regulatory Fines – HIPAA, FERPA, Etc.
• Harm to persons – Banking Information
• Cost of recovery and mitigation if harm occurs
  – ~$134 – Estimated Public Sector cost per record in a data breach (Ponemon Institute 2011 US Cost of a Data Security Breach Report)
• Unplanned Cost Impact to budget planning
  – Cost to fix the cause of the problem
• Loss of Reputation – Cost to regain trust
So What? Why Do I Care?
• You only care if:
  – You have large amounts of money in online managed bank accounts
  – You have large amounts of protected data in your computing environment
  – The availability and integrity of your systems is important to your customers
Approach to the Problem
• Choices for dealing with Risk
  – Eliminate the Risk (Mitigation)
  – Plan to do something if the Risk happens (Response)
  – Transfer the Risk (Insurance)
  – Accept the Risk
Risk Manager Action Plan
• Partner with IT leadership – You can’t do this alone and neither can they – Then:
1. Measure your risk
   • Do you know what protected data you have?
   • Do you know how well your IT Dept. is doing?
   • Has IT performed vulnerability assessments?
   • Does IT have an incident detection & response plan?
2. Implement Secure On-Line Banking
3. Adopt a standard for IT Security – Recommend the SANS 20 Critical Controls as a Framework.
4. Eliminate Old Risky Technology
Action Item No. 1: Measure Potential Impact
• Answer these questions:
1. How many records about people do you have in your computing environment?
2. How many of these include protected data?
   a. State Privacy Laws
   b. Federal Privacy/Security Laws (e.g. HIPAA)
   c. Credit Card information
3. Where are they?
Action Item No. 2: Implement Secure Banking Procedures
• Use a dedicated computer (physical or virtual) for on-line banking
• A physically dedicated PC is most secure
  – Use a Secure OS (Nothing Microsoft)
    • Lightweight Portable Security OS
  – Lock down the PC to only do one thing
    • Run from CD only, disable everything else
    • Assign a static IP
    • Firewall rule to only allow this IP to go to the bank portal IP/ports
    • Use sneaker net to move ACH data to this PC
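The firewall rule on this slide, as an added example that is not part of the presentation: a small Python policy checker that models a default-deny egress rule for the dedicated banking PC (the static IP may reach only the bank portal's IP and port) and runs it over a few constructed connection attempts. The addresses (192.0.2.10 for the banking PC, 198.51.100.20 port 443 for the bank portal, both from the RFC 5737 documentation ranges) and the "src dst port" log format are assumptions, not values from the deck.

```python
"""Egress allowlist check for a dedicated online-banking PC.

Added example, not from the presentation. Models the slide's rule: the
banking PC has a static IP and the firewall only lets that IP reach the
bank portal's IP/ports; everything else from that PC is denied by default.
All addresses are constructed placeholders (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    src: IPv4Network      # source hosts the rule applies to
    dst: IPv4Network      # destinations the rule applies to
    ports: frozenset      # allowed TCP destination ports (empty = any port)
    action: str           # "allow" or "deny"


# Constructed policy (assumed addresses): banking PC and bank portal.
BANKING_PC = ip_network("192.0.2.10/32")
BANK_PORTAL = ip_network("198.51.100.20/32")
ANY = ip_network("0.0.0.0/0")

# First match wins. The only allow is PC -> portal:443; the second rule is
# an explicit catch-all so the PC can reach nothing else.
POLICY: List[Rule] = [
    Rule(BANKING_PC, BANK_PORTAL, frozenset({443}), "allow"),
    Rule(BANKING_PC, ANY, frozenset(), "deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """Return the action of the first matching rule; no match means default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (not rule.ports or port in rule.ports):
            return rule.action
    return "deny"


def audit(policy: List[Rule], log_lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Parse constructed 'src dst port' lines and attach the policy verdict to each."""
    results = []
    for line in log_lines:
        src, dst, port = line.split()
        results.append((src, dst, int(port), evaluate(policy, src, dst, int(port))))
    return results


# Constructed connection attempts seen on the banking PC's segment.
SAMPLE_LOG = [
    "192.0.2.10 198.51.100.20 443",   # bank portal over HTTPS: allowed
    "192.0.2.10 198.51.100.20 80",    # same host, plain HTTP: denied
    "192.0.2.10 203.0.113.5 443",     # any other web site: denied
    "192.0.2.10 203.0.113.9 25",      # outbound mail from the PC: denied
    "192.0.2.77 198.51.100.20 443",   # a different PC: no rule matches, default deny
]


def denied_attempts(policy=POLICY, log_lines=SAMPLE_LOG) -> List[str]:
    """List every attempt the policy rejects, as 'src->dst:port' strings."""
    return [f"{s}->{d}:{p}" for s, d, p, v in audit(policy, log_lines) if v == "deny"]


if __name__ == "__main__":
    for s, d, p, v in audit(POLICY, SAMPLE_LOG):
        print(f"{v:5} {s} -> {d}:{p}")
```

On a real perimeter firewall the same intent is expressed as an allow rule for the static IP to the portal IP/port followed by a deny for that IP to anything else; the checker above only shows the policy logic, and is the kind of thing a risk manager can run over exported firewall logs to confirm the banking PC never talks to anything but the bank.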
Action Item No. 3: Achieve “Minimum” Security Controls
• The Framework for “MINIMUM” IT Security Controls is the SANS 20 Critical Controls
  – Free
  – 20 Categories
  – 197 Control Recommendations
  – 77 “Quick-Wins”
    • These should already be in place
    • If not – Focus for Incremental Improvement
Where to Start Implementing SANS 20
1. Boundary Defense
2. Controlled Use of Administrative Privilege
3. Continuous Vulnerability Assessment
4. Data Recovery Capability
5. Malware Defense
6. Audit Logging
7. Account Monitoring and Control
8. Inventory of Software
9. Secure Configurations for hardware and software
10. Inventory of Devices
Action Item No. 4: Eliminate Obsolete Technology
• Old Technology Causes Elevated Risk
  – Old Versions of Windows Operating Systems
  – Old Software that requires Administrator Privilege to run
  – Old firewall technology that only does one thing
  – Old anti-virus software that is not effective
Example – Windows XP
• Windows XP should go away – 34% of Installed Desktops
  – No longer supported by Microsoft after April 2014
  – 21 times more likely to be successfully attacked than Windows 8
Source: Netmarketshare.com, August 2013
How Much Will It Cost?
• It will cost more if you have a Fraud or Data Security Breach incident than it will to fix the problems
Next Steps to Solve this Business Problem
1. Partner with your IT Manager to quantify your Cyber Risks and fix the problems
2. Assess the quality of your defense
   • Use SANS 20 as a risk assessment Baseline – Be Realistic
   • Perform Vulnerability Scanning to Measure
   • Do you have old technology that should be replaced?
3. Help IT Prioritize what is needed
4. Become the champion to senior leadership
   • Help them see the business risk
   • Help find loss prevention funding to reduce Cyber Liability Risk
5. Hold IT accountable for a good defense, detection, and response
Handouts
• I am providing the following tools and reference materials to help you get started:
1. Verizon DBIR Executive Summary Report
2. McAfee State of Malware Report
3. SANS 20 Controls Worksheet
4. WCIA Provided – SANS 20 Controls Prioritized with product recommendations
5. SANS – Write-up on Phishing Email
Available at the Prima Web Site.
Reference Material
– NIST SP 800-39 – Managing Information Technology Security Risk
– 2013 Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2013/)
– 2013 Symantec Internet Security Threat Report (http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf)
– McAfee Threats Report – Fourth Quarter 2012 (http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf)
– Ponemon Institute 2012 Cost of a Cyber Crime Study (http://www.ponemon.org/library/2012-cost-of-cyber-crime-study)
– Privacy Rights Clearinghouse – Chronology of Data Breaches 2005 – Present (http://www.privacyrights.org/data-breach)
Instructor Information
Doug Selix, MBA, CISM, CISSP, PMP
Worked in IT Field from 1971 to Present
Current Job
1) IT Security and Disaster Recovery Architect, Washington State Department of Enterprise Services
2) IT Security Consultant
Education
– BS – Management, City University, 1993
– MBA – IS Management, City University, 1995
– Project Management Certificate, U of W, 2001
Consulting Clients – 2012 & 2013
– WSTIP (Transit Risk Pool)
– WCIA (City Risk Pool)
– Enduris (City Risk Pool)
– WCRP (County Risk Pool)
– Clark County
– Skagit County
Contact Information
Phone: 253-951-4825
email: dselix@comcast.net