2/2/2018

BKD National Governmental Group

Protecting State & Local Governments from Critical Cyberthreats

February 6, 2018


TO RECEIVE CPE CREDIT

• Participate in entire webinar

• Answer polls when they are provided

• If you are viewing this webinar in a group
  • Complete group attendance form with your printed name, signature & email address
  • All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar

• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar

INTRODUCTIONS

Lanny Morrow, Managing Consultant

Jan Hertzberg, Director

• Cybersecurity practice leader
• More than 30 years of experience providing IT audit, risk, cybersecurity & privacy compliance services

• Senior data scientist & senior digital forensics examiner
• More than 21 years of experience in forensic investigations, digital forensics & risk management


OUR GOALS FOR TODAY

1 Evolving Cyberthreat Landscape

2 Email Compromise

3 Ransomware

4 Cyber Risk Oversight

RAPIDLY EVOLVING CYBERTHREATS

MOTIVATIONAL SHIFTS


TOP CYBERCRIMES

Business email compromise

Ransomware

Corporate account takeover

Identity theft

Theft of sensitive data

Theft of intellectual property

Denial of service

DATA BREACHES IN THE NEWS

Timeline figure, 2014–2017:

• Affected 700 computers across all public libraries

• Affected 309,000 individuals

• Ransomware attack caused over $100k in damage & took months to recover

• Lansing-owned Water & Light experienced a ransomware attack which cost the city $2.4m


WHAT MAKES THE PUBLIC SECTOR SO VULNERABLE?

• Breadth of staff skills

• Broad regulatory exposure

• Shared infrastructure, specific needs

• Budgetary challenges

• Technology-focused

Potential Breach Impacts

• Negative publicity

• Regulatory sanctions

• Refusal to share personal information

• Damage to brand

• Regulator scrutiny

• Legal liability

• Fines

• Damaged employee relationships

• Deceptive or unfair trade charges

• Diversion of resources

• Lost productivity

• Damaged donor relationships


COST OF DATA BREACHES

DARK WEB PRICING

Credit Cards                                   Price (2012–2014)     Current Price
Visa & Mastercard                              $4                    $7
Visa & Mastercard with Track 1 & Track 2 Data  $23 (V); $35 (MC)     $30
Premium American Express                       $28                   $30
Bank Account Credentials                       $15,000 for 500       $15,000 for 500

Email Accounts                                 Price (2012–2014)     Current Price
Popular Email (Gmail, Hotmail, Yahoo)          $100 per 100,000      $100 per 100,000
Corporate Email                                N/A                   $500 per Mailbox
IP Address of Email User                       $90                   $90


DARK WEB PRICING

Identities & Health Records                    Price (2012–2014)     Current Price
Social Security Number                         $15                   $15
SSN, Full Name, DOB, Address                   $30                   $20–$50
Patient Health Records                         $50–$100              $20–$50

Tools & Services                               Price (2012–2014)     Current Price
Remote Access Trojan                           $20–$250              $5–$10
Crypters                                       $50–$150              $80–$440
DDoS                                           Per Hour: $3–$5       Per Hour: $5–$10
Stealth Transfers                              6%–8% of Value        6%–8% of Value
Cash Out Service                               50%–60% of Value      50%–60% of Value

WHAT DRIVES COST OF BREACHES?

Ponemon 2016 Cost of Data Breach Study


INTERESTING STATISTICS

Timing

• In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)

• In 83% of cases, it took weeks or more to discover an incident occurred

• Attackers take easiest route (63% leveraged weak, default or stolen passwords)

• 95% of breaches were made possible by nine patterns including poor IT support processes, employee error & insider/privilege misuse of access

Source: Verizon Data Breach Report, 2016

REGULATORY RESPONSE OVER TIME

1934 SEC Act

1974 Family Educational Rights & Privacy Act (FERPA)

1996 HIPAA

1999 Gramm Leach Bliley Act

2000 CFR17 Part 248 Brokers Consumer Protection

2001 Cybersecurity Enhancement Act

2003 California Data Breach Law

2006 Indiana Breach Notification Law

2006 PCI DSS

2009 HITECH

2013 HIPAA (Omnibus)

2017 Executive Order Strengthening the Cybersecurity of Federal Networks & Critical Infrastructure

2018 General Data Protection Regulation (GDPR)


HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)

Covers

• Health care providers/payors

• Health care clearinghouses

• Employers who administer their own health plans

• Business process outsourcers/cloud providers that serve the health care market

Protected health information (PHI)

• Covered entities may only use or disclose PHI as permitted

Enforced by

• State attorneys general

Introduced

• HITECH (2009) & The Omnibus Rule (2013)

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Covers

• Businesses accepting credit & debit card payments

• “Card Present” transactions (card swipes)

• “Card Not Present” transactions (e-commerce)

Cardholder data

• Storage, processing & transmission by “merchants”

Enforced by

• Credit card brands

• “Acquiring Bank” responsible for processing payment transactions

Introduced

• PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, Mastercard, Discover, American Express, JCB), created the PCI DSS in 2006; updated on three-year cycle


GRAMM-LEACH-BLILEY ACT (GLBA)

Covers

• Financial services organizations including postsecondary educational institutions

Financial aid records

• Develop, implement & maintain a written information security program

• Designate employee responsible for coordinating the security program

• Identify & assess risks to student information

• Select appropriate service providers capable of maintaining appropriate safeguards

• Periodically evaluate & update their security program

Enforced by

• Federal Trade Commission (FTC)

Introduced

• Dear Colleague Letter GEN-15-18 (July 29, 2015)

EMAIL COMPROMISE


FIRST EXAMPLE OF CYBERATTACK: WIRE FRAUD

Diagram (two slides): the legitimate flow between Your Bank, Vendor Bank and Vendor Institution for a Product, then the same flow with an Impostor directing the payment to an Offshore Bank. Speech bubbles: “Where is my money?!?” / “Sent it, I thought??” / “What money??” / “Got it”


ANATOMY OF THE INCIDENT

• Total loss almost $400,000

• One email from the impostor came 15 minutes after legitimate retailer sent purchase order, with same purchase order information (in different format)

• Numerous grammatical & spelling errors in email communications from impostor, including first name of retailer representative

• Impostor email was through a Yahoo account, yet initial communication between vendor & retailer representative was via company-specific email address

UBIQUITI NETWORKS – 2015

• Accounting department receives emails requesting wire transfers

• Emails came from an impersonator, acting as an executive

• Requested transfer of funds held by a company subsidiary in Hong Kong to accounts held by the impersonator(s)

• Potentially more than $40 million loss

• Around $14 million currently expected to be recovered through legal proceedings in foreign jurisdictions

• No insurance recovery available


ANOTHER EXAMPLE

• University admin receives email from “CFO” requesting all employee W-2s pursuant to an IRS inquiry

• Needs it today (received in the afternoon)

• Admin puts it all together into one PDF, alphabetized

• Hacker responds, telling her “this is more than I had hoped for”

• Compromised W-2 information sold on the underground market

• Numerous employees contacted by real IRS about issues with their returns or why they submitted two returns


… & ANOTHER

• University employee routinely sends wire transfer request to another employee, with routing & account number info

• One day, recipient notices the routing number “looks funny” & questions it

• Sender becomes a suspect, agrees to turn over her personal computer & phone for investigation

• Investigation reveals a keylogging tool was installed on her home computer

• Boyfriend had installed it, used info to log in to her account & fake a wire transfer request to his account

WHY IT SUCCEEDS

“The state is screaming at me & I need to send them all employee W-2s. I need this ASAP!” – the Boss

“You don’t want to be the one to hold up shipment of those parts – I need that wire sent immediately!”

Sense of urgency

“Weakest link” attributes

Similarity in tone & wording


MITIGATING EMAIL COMPROMISE

• Increase training & awareness

• Have some form of verification process
  • For example, call the customer/vendor to verify change in account info or wire transfer instructions

• Double check email addresses
  • In previous examples, email instructions involved or came from a different email provider or domain than legitimate emails

• Do not open email messages or attachments from unknown individuals
  • Especially “zip” files
  • Or links embedded in suspicious looking emails

MITIGATING EMAIL COMPROMISE

Know the habits of your customers, including the details of, reasons behind & amount of payments

Maintain a file, preferably in nonelectronic form, of vendor contact information for those who are authorized to approve changes in payment instructions

Limit the number of employees within a business who have the authority to approve &/or conduct wire transfers

Slow it down – does it really have to go out now?
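The address checks above can be made mechanical. The following Python is an added example, not material from the BKD deck: it compares the From address of a payment-instruction email against a vendor contact file of the kind the deck recommends keeping, flags consumer webmail senders (the Yahoo account in the first example) and display names that match an authorized approver but arrive from a different address, and also flags a Reply-To that redirects answers away from the sender, a check the deck itself does not list. The vendor directory, the approver names, the domains (acmeparts.example) and the three sample messages are constructed for the example.

```python
"""Sender checks for emails that request a wire or a change of payment instructions.

Added example, not from the BKD deck. It implements two of the deck's
mitigations as code that can run over a mail export before finance acts:
  * "Double check email addresses" - in the deck's cases the impostor wrote from
    a different provider or domain than the legitimate correspondence.
  * "Maintain a file ... of vendor contact information for those who are
    authorized to approve changes in payment instructions."
The Reply-To check goes beyond the deck's bullets. All data below is constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed vendor directory: the offline "file of authorized contacts" the
# deck recommends. Vendor name, domain and approver are hypothetical.
VENDOR_DIRECTORY = {
    "Acme Parts": {
        "domain": "acmeparts.example",
        "approvers": {"maria.lopez@acmeparts.example": "Maria Lopez"},
    },
}

# Consumer webmail providers. A vendor whose staff normally write from a
# corporate domain should not send payment changes from one of these.
FREE_MAIL_PROVIDERS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}


@dataclass
class Finding:
    rule: str
    detail: str


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_payment_email(headers: dict, vendor: str) -> list:
    """Return the Findings for one message that claims to come from `vendor`.

    `headers` holds decoded header values ("From", optional "Reply-To").
    An empty list means the message passed these checks, not that it is safe.
    """
    record = VENDOR_DIRECTORY.get(vendor)
    if record is None:
        return [Finding("unknown-vendor", f"no directory entry for {vendor!r}")]

    findings = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    approvers = record["approvers"]

    # 1. Sender domain differs from the vendor domain on file.
    if from_dom != record["domain"]:
        findings.append(Finding("domain-mismatch",
                                f"From domain {from_dom!r} is not {record['domain']!r}"))

    # 2. Sender uses a consumer webmail account (the Yahoo case in the deck).
    if from_dom in FREE_MAIL_PROVIDERS:
        findings.append(Finding("free-mail-provider", f"{from_addr} is a consumer webmail address"))

    # 3. Display name matches an authorized approver but the address does not.
    known_names = {name.lower() for name in approvers.values()}
    if display_name.lower() in known_names and from_addr not in approvers:
        findings.append(Finding("display-name-spoof",
                                f"display name {display_name!r} does not belong to {from_addr}"))

    # 4. Sender is not authorized to change payment instructions for this vendor.
    if from_addr not in approvers:
        findings.append(Finding("unauthorized-approver",
                                f"{from_addr} may not approve payment changes for {vendor}"))

    # 5. Reply-To sends the conversation somewhere other than the From address.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        findings.append(Finding("reply-to-redirect", f"replies go to {reply_to}, not {from_addr}"))

    return findings


# Constructed sample messages: (headers, vendor the message claims to represent).
SAMPLE_MESSAGES = {
    "legit-po-2241": ({"From": '"Maria Lopez" <maria.lopez@acmeparts.example>'}, "Acme Parts"),
    "webmail-po-2241": ({"From": '"Maria Lopez" <maria.lopez.acmeparts@yahoo.com>',
                         "Reply-To": "acmeparts.billing@yahoo.com"}, "Acme Parts"),
    "lookalike-po-2241": ({"From": '"Maria Lopez" <maria.lopez@acmeparts-inc.example>'}, "Acme Parts"),
}


def triage(messages: dict) -> dict:
    """Map each message id to the list of rule names it triggered."""
    return {mid: [f.rule for f in check_payment_email(hdrs, vendor)]
            for mid, (hdrs, vendor) in messages.items()}


if __name__ == "__main__":
    for mid, rules in triage(SAMPLE_MESSAGES).items():
        print(f"{mid}: {'OK' if not rules else ', '.join(rules)}")
```

An empty result is a pass of these checks only; a compromised legitimate mailbox passes all of them, which is why the deck's call-back to the vendor on a known number stays the deciding control.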


RANSOMWARE

RANSOMWARE

Considerations

• Entry point – often phishing or back doors

• Encrypts all data on a system

• Decryption only after paying ransom – in bitcoin

• Can propagate to whole organization

• More recently, ransomware is used as a diversion for a bigger purpose like theft/exfiltration


RANSOMWARE

Best Practices

• Education is key to preventing the “fatal click”

• In lieu of payment, can restore from backups

• Backup policy should include special class of “essential operating items.” These should be backed up daily

• Restoring from a smaller set of essential files saves lots of time & money, reduces downtime

• Notify local law enforcement. Paying the ransom will only encourage future attempts

• But … many organizations stockpiling some bitcoin, just in case. Banks also holding as a service to their customers

RANSOMWARE


CYBER RISK OVERSIGHT

WHAT DO BOARDS WANT TO KNOW?

What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets?

Do we think there is adequate protection in place if someone wanted to get at or damage our corporate ‘crown jewels’? If not, what would it take to feel comfortable that our assets were protected?

Are we investing enough so our corporate operating & network systems are not easy targets by a determined hacker?

Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion?


FIVE PRINCIPLES OF CYBER RISK OVERSIGHT TO CONSIDER

1 Organizations need to understand & approach cybersecurity as an enterprisewide risk management issue, not just an IT issue

2 Understand legal implications of cyber risks as they relate to their organization’s specific circumstances


3 Have adequate access to cybersecurity expertise, & give discussions about cyber risk management regular & adequate time on the board meeting agenda

4 Set expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing & budget


5 Include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach

ASSESSING YOUR CYBERSECURITY PROGRAM


NIST CYBERSECURITY FRAMEWORK

Background

• Published February 12, 2014, by the National Institute of Standards & Technology (NIST)

• Voluntary federal framework (not a set of standards) for critical infrastructure services

• Provides common language for organizations to assess, communicate & measure improvement in security posture

Controls

• High-level controls provide framework of “what” but not “how”

• Five functions, 22 control categories, 98 key controls derived from industry best practice & standards

• Contains four maturity tier ratings

NIST CYBERSECURITY FRAMEWORK

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology

Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes

Respond: Response Planning; Communications; Analysis; Mitigation; Improvements

Recover: Recovery Planning; Improvements; Communications


FRAMEWORK BENEFITS

Comprehensive in scope

Intuitive

Risk-based – allows the organization to prioritize remediation activities depending on the organization’s risk appetite & cybersecurity control maturity desired

Commonly accepted standard –provides basis of consistent assessment in the future

OVERALL APPROACH

Phase 1 – Discovery

• Determine business & compliance requirements for cybersecurity
• Review documentation related to cybersecurity infrastructure, e.g., network diagrams, asset inventory
• Identify systems & data repositories containing personally identifiable information (PII), electronic protected health information (ePHI), etc.

Phase 2 – Analysis

• Conduct on-site interviews with key stakeholders to …
  • Document processes that identify cyber risk, protect key information assets, detect/respond to threats & recover should a breach occur
  • Evaluate process/control maturity & determine risk

Phase 3 – Remediation Planning

• Identify recommendations & action plans addressing …
  • Remediation activities to be completed
  • Identify type of investment, e.g., resources, hardware/software


CALL TO ACTION

1. Perform a framework-based cybersecurity assessment that allows the organization to determine the organization’s assets to protect, compliance requirements & cyber readiness of current protections

2. Remediation activities should be prioritized & scheduled over time, based on level of risk

3. Build a robust breach response plan that is practiced & updated regularly

Questions?

Sign up for BKD Thoughtware®: bkd.com/thoughtware

Follow us on Twitter: @bkdgov


CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

CPE CREDIT

• CPE credit may be awarded upon verification of participant attendance

• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]


Thank You!

Lanny Morrow | [email protected]

Jan Hertzberg | [email protected]