Cyber Risk Management
Threats, Recent Cases, Real Risks, and a strategy for managing them

Presented by: Doug Selix, MBA, CISSP, CISM, PMP
IT Security Consultant

The Bottom Line
Cyber Risks are Increasing

• State and Local Government Organizations are targets and are not well defended
  – Traditional defenses are no longer effective
  – Probability of a successful attack is increasing
  – IT security is not well managed at the enterprise level
  – Workstations are the front line, and they are not well defended
  – IT security mistakes are happening too often
  – We have too much old, insecure technology in use

Why is This Happening?

• You have things the bad people want
  – Money
  – Information that is worth money
  – Things that can be damaged to make a political statement
• Because it is easy to attack you
  – Too much information is public
  – Your IT environment is not well defended
  – Our people are not well trained in this topic
  – The bad guys are good
  – We do not have an effective defense
  – We are not good at detecting and responding to attack
  – We have a lot of outdated technology that needs to be replaced

The Threat Is Growing

(Chart not reproduced.) Source: McAfee – State of Malware 2013

Recent Cyber Liability Incidents

• City of Burlington, WA – 2012 – $400K stolen from city bank account
• Skagit County Transit – 2012 – Failed attack on bank account
• Chelan County Hospital District – 2013 – $1 Million stolen from bank account
• State of South Carolina – 2012 – 3.6 Million SSNs and 387,000 credit card numbers stolen

The State Has Had Issues Too

• Department of Revenue – 1/15/2013
  • USB drive with virus
  • No data breach
• Department of Enterprise Services – 2/12/2013
  • User went to an infected web site
  • No data breach
• Administrative Office of the Courts – 5/9/2013
  • Web site hacked
  • Data breach – 1 Million Washington driver's license (WDL) numbers and 160K SSNs

Mistakes Happen Too

• Skagit County Data Security Breach
  – Cause – human error
  – Medical records posted to a public web site
  – Discovered by a citizen, reported to federal authorities
  – Result
    • HIPAA violation
    • State data breach notification event
  – Press release

How Attackers are Succeeding

• The Advanced Persistent Threat (APT) approach is working because:
  – People are taken in by phishing email
  – Workstations are vulnerable
    • Elevated user permissions
    • Poor security maintenance practices for patching and for keeping end-point defensive systems current
  – Network defense is not well done
    • The bad guys are good – malware detects defenses and morphs
    • Complacent leaders – people don't believe it "will happen to them"
    • Government IT is not fully staffed or funded

How a "Phishing" Attack Works

(Diagram not reproduced.)
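The diagram for this slide did not survive extraction. The Python below is an added example, not material from the deck: it takes a constructed email (fictitious .example domains and a documentation-range IP, not a real campaign) and flags three tell-tales a phishing message relies on: a familiar display name in front of an address at an untrusted domain, a Reply-To that redirects replies elsewhere, and link text showing a legitimate-looking URL while the href points somewhere else. The TRUSTED_DOMAINS allow-list is an assumption for the example.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (fictitious .example domains, RFC 5737 address);
# nothing here is taken from a real phishing campaign.
PHISH_EMAIL = """\
From: "City Treasurer" <treasurer@city-payments-secure.example>
Reply-To: accounts@mailbox-relay.example
To: clerk@city.example
Subject: ACH transfer approval needed today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please approve the pending transfer at
<a href="http://198.51.100.7/login">https://online.bank.example/login</a>
before 5pm.</p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Payroll" <payroll@city.example>
To: clerk@city.example
Subject: Pay stubs posted
Content-Type: text/html; charset=utf-8

<html><body><p>Stubs are at
<a href="https://online.bank.example/stubs">https://online.bank.example/stubs</a>.</p>
</body></html>
"""

# Domains the organisation actually does business with (assumption for the example).
TRUSTED_DOMAINS = {"city.example", "bank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Domain part of an address header, lowercased; '' if there is no address."""
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def org_label(host):
    """Crude organisation label: the last two DNS labels (sufficient for the example)."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of indicator descriptions; an empty list means none were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_value = str(msg.get("From", ""))
    display_name = email.utils.parseaddr(from_value)[0]
    from_domain = domain_of(from_value)

    # 1. A familiar display name in front of an address at an untrusted domain.
    if display_name and from_domain and from_domain not in trusted:
        findings.append(f"display name '{display_name}' but sender domain "
                        f"{from_domain} is not trusted")

    # 2. Reply-To silently redirects the conversation to another domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Visible link text names one host while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            text_host = (urlparse(text).hostname or "") if "://" in text else ""
            if text_host and org_label(text_host) != org_label(href_host):
                findings.append(f"link text shows {text_host} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(PHISH_EMAIL):
        print("indicator:", line)
```

Running it against PHISH_EMAIL reports all three indicators; BENIGN_EMAIL reports none. These checks are heuristics for user training and mail filtering, not proof of malice: a legitimate sender can use a different Reply-To, and the organisation-label comparison is deliberately crude (it does not handle multi-label public suffixes).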

It is easy to attack you, you are not well defended

• 79% of victims were targets of opportunity
• 96% of attacks were not highly difficult
• 94% of all data was compromised from servers
• 85% of breaches took 2 weeks or more to detect
• 92% were discovered by a third party
• 97% of breaches were avoidable through simple or intermediate controls
• 96% of victims subject to PCI-DSS had not achieved compliance
• US Secret Service banking data

Source: 2012 Verizon Data Breach Investigations Report; 2013 Verizon Data Breach Investigations Report

Cost of a Data Security Breach

• Costs associated with regulatory compliance
  – RCW 42.56.590 Personal information — Notice of security breaches: $3/record minimum cost to notify
• Regulatory fines – HIPAA, FERPA, etc.
• Harm to persons – banking information
• Cost of recovery and mitigation if harm occurs
  – ~$134 – estimated public sector cost per record in a data breach (Ponemon Institute, 2011 U.S. Cost of a Data Breach Study)
• Unplanned cost impact on budget planning
  – Cost to fix the cause of the problem
• Loss of reputation – cost to regain trust

So What? Why Do I Care?

• You only care if:
  – You have large amounts of money in online-managed bank accounts
  – You have large amounts of protected data in your computing environment
  – The availability and integrity of your systems are important to your customers

Approach to the Problem

• Choices for dealing with risk
  – Reduce or eliminate the risk (mitigation)
  – Plan to do something if the risk happens (response)
  – Transfer the risk (insurance)
  – Accept the risk

Risk Manager Action Plan

• Partner with IT leadership – you can't do this alone and neither can they – then:
  1. Measure your risk
     • Do you know what protected data you have?
     • Do you know how well your IT Dept. is doing?
     • Has IT performed vulnerability assessments?
     • Does IT have an incident detection & response plan?
  2. Implement secure on-line banking
  3. Adopt a standard for IT security – the SANS 20 Critical Controls are recommended as a framework
  4. Eliminate old, risky technology

Action Item No. 1: Measure Potential Impact

• Answer these questions:
  1. How many records about people do you have in your computing environment?
  2. How many of these include protected data?
     a. State privacy laws
     b. Federal privacy/security laws (e.g. HIPAA)
     c. Credit card information
  3. Where are they?
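Questions 2 and 3 are usually answered by a data-discovery scan of file shares rather than by asking people. The Python below is an added example, not a tool from the deck: it walks a directory, counts dashed Social Security numbers that pass the SSA structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000) and payment card numbers that pass the Luhn checksum, and reports which files hold them. The sample files it writes under a temporary directory are constructed, fictitious data; the SSN pattern deliberately ignores undashed nine-digit strings to keep noise down, which is an assumption you may need to relax.

```python
import os
import re
import tempfile

# Dashed SSN with SSA structural rules: area not 000/666/900-999, group not 00,
# serial not 0000. Undashed 9-digit strings are ignored on purpose (noise).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by single spaces or dashes; Luhn-checked below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum over a digit string; real payment card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii_in_text(text):
    """Count dashed SSNs and Luhn-valid card numbers in a string."""
    ssn = len(SSN_RE.findall(text))
    pan = 0
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pan += 1
    return {"ssn": ssn, "pan": pan}


def scan_tree(root):
    """Walk a directory; return {relative_path: counts} for files with at least one hit."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                counts = find_pii_in_text(fh.read())
            if counts["ssn"] or counts["pan"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = counts
    return report


# Constructed sample files (fictitious data), written to a temp dir by demo().
SAMPLE_FILES = {
    "hr/employees.csv": (
        "name,ssn,hired\n"
        "A. Clerk,123-45-6789,2009-03-02\n"
        "B. Driver,234-56-7890,2011-07-15\n"
        "bad row,666-12-3456,2012-01-01\n"   # area 666 is never issued: not counted
        "bad row,000-12-3456,2012-01-01\n"   # area 000 is never issued: not counted
    ),
    "finance/refunds.txt": (
        "Refund to card 4111 1111 1111 1111 approved.\n"
        "Refund to card 4242-4242-4242-4242 approved.\n"
        "Typo in ticket: 1234 5678 9012 3456 (fails Luhn, not a real PAN).\n"
    ),
    "public/minutes.txt": (
        "Council met 2013-08-01. Call 360-555-0100 for the agenda.\n"
    ),
}


def build_sample_tree(root):
    """Write SAMPLE_FILES under root, creating subdirectories as needed."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, counts in sorted(demo().items()):
        print(f"{rel}: {counts['ssn']} SSN, {counts['pan']} card numbers")
```

The report names only the files that contain hits, which is the "where are they?" answer; summing the counts gives a first estimate for question 1. Treat the numbers as an upper bound to verify by hand: the Luhn check and the SSN area rules remove most phone numbers, dates and ticket numbers, but a scan of text files says nothing about databases, spreadsheets with binary formats, or backups, which need their own discovery pass.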

Action Item No. 2: Implement Secure Banking Procedures

• Use a dedicated computer (physical or virtual) for on-line banking
• A physically dedicated PC is most secure
  – Use a secure OS (nothing Microsoft)
    • Lightweight Portable Security (LPS) OS
  – Lock down the PC so it can do only one thing
    • Run from CD only; disable everything else
    • Assign a static IP
    • Firewall rule that allows only this IP to reach the bank portal IP/ports
    • Use sneaker net to move ACH data to this PC
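The firewall rule in the last bullet is the control that makes the dedicated PC worth having: if the banking host can reach anything else, a compromise elsewhere can still reach it. The Python below is an added example, not part of the deck: it renders the rule set for a Linux perimeter firewall (iptables, FORWARD chain) that lets the banking PC talk only to the bank portal addresses on the listed TCP ports and logs and drops everything else, and it audits constructed netfilter-style KEY=VALUE log lines to show the policy catching a web fetch, a DNS query and a wrong-port connection from that host. The banking PC address (10.0.5.20), the portal addresses (RFC 5737 documentation range) and the log lines are assumptions for the example.

```python
import ipaddress
import re

# Constructed policy for the example: the portal addresses are RFC 5737 documentation
# addresses, not a real bank. Replace BANK_PC and BANK_PORTAL with the real values.
BANK_PC = "10.0.5.20"
BANK_PORTAL = {"203.0.113.10", "203.0.113.11"}  # a bank may publish more than one address
BANK_PORTS = {443}


def render_iptables(bank_pc=BANK_PC, portal=BANK_PORTAL, ports=BANK_PORTS, chain="FORWARD"):
    """Return the iptables commands for the perimeter firewall: the banking PC may reach
    only the portal addresses on the listed TCP ports; all other traffic to or from it
    is logged and dropped. Order matters: accepts first, then the catch-all drops."""
    rules = []
    for dst in sorted(portal, key=ipaddress.ip_address):
        for port in sorted(ports):
            rules.append(f"iptables -A {chain} -s {bank_pc} -d {dst} -p tcp --dport {port} "
                         f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
            rules.append(f"iptables -A {chain} -s {dst} -d {bank_pc} -p tcp --sport {port} "
                         f"-m conntrack --ctstate ESTABLISHED -j ACCEPT")
    rules.append(f'iptables -A {chain} -s {bank_pc} -j LOG --log-prefix "BANKPC-DROP "')
    rules.append(f"iptables -A {chain} -s {bank_pc} -j DROP")
    rules.append(f'iptables -A {chain} -d {bank_pc} -j LOG --log-prefix "BANKPC-DROP "')
    rules.append(f"iptables -A {chain} -d {bank_pc} -j DROP")
    return rules


KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_kernel_log_line(line):
    """Pull KEY=VALUE fields (SRC, DST, PROTO, DPT, ...) out of a netfilter LOG line."""
    return dict(KV_RE.findall(line))


def flow_allowed(src, dst, proto, dport, bank_pc=BANK_PC, portal=BANK_PORTAL, ports=BANK_PORTS):
    """Policy decision for a flow originated by the banking PC."""
    return src == bank_pc and dst in portal and proto == "TCP" and dport in ports


def audit(log_lines, bank_pc=BANK_PC):
    """Return the lines where the banking PC originated a flow the policy forbids.
    Lines whose source is another host are ignored."""
    violations = []
    for line in log_lines:
        f = parse_kernel_log_line(line)
        if f.get("SRC") != bank_pc:
            continue
        dport = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
        if not flow_allowed(f["SRC"], f.get("DST"), f.get("PROTO"), dport):
            violations.append(line)
    return violations


# Constructed connection records in netfilter KEY=VALUE form (not from a real firewall).
SAMPLE_LOG = [
    "Aug 20 09:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443",
    "Aug 20 09:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.25 PROTO=TCP SPT=49153 DPT=80",
    "Aug 20 09:01:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=10.0.0.53 PROTO=UDP SPT=5353 DPT=53",
    "Aug 20 09:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=198.51.100.25 PROTO=TCP SPT=40000 DPT=80",
    "Aug 20 09:01:15 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=203.0.113.10 PROTO=TCP SPT=49154 DPT=8443",
]

if __name__ == "__main__":
    print("\n".join(render_iptables()))
    for line in audit(SAMPLE_LOG):
        print("VIOLATION:", line)
```

Two caveats a practitioner will hit. First, the DNS line is flagged on purpose: with no DNS allowed, the portal name has to be pinned in the banking PC's hosts file (or DNS allowed only to the internal resolver), and the pinned addresses must be re-checked when the bank changes hosting. Second, the rules live on the perimeter firewall, not on the PC that boots from CD, so the audit of the firewall's own logs is what shows whether the lockdown actually holds.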

Action Item No. 3: Achieve "Minimum" Security Controls

• The framework for "MINIMUM" IT security controls is the SANS 20 Critical Controls
  – Free
  – 20 categories
  – 197 control recommendations
  – 77 "Quick Wins"
    • These should already be in place
    • If not, make them the focus for incremental improvement

Download the Guide

(Image not reproduced.)

Where to Start Implementing SANS 20

1. Boundary Defense
2. Controlled Use of Administrative Privilege
3. Continuous Vulnerability Assessment
4. Data Recovery Capability
5. Malware Defense
6. Audit Logging
7. Account Monitoring and Control
8. Inventory of Software
9. Secure Configurations for Hardware and Software
10. Inventory of Devices

Action Item No. 4: Eliminate Obsolete Technology

• Old technology causes elevated risk
  – Old versions of Windows operating systems
  – Old software that requires administrator privilege to run
  – Old firewall technology that only does one thing
  – Old anti-virus software that is not effective

Example – Windows XP

• Windows XP should go away
  – 34% of installed desktops (Netmarketshare.com, August 2013)
  – No longer supported by Microsoft after April 2014 (end of support 8 April 2014)
  – 21 times more likely to be successfully attacked than Windows 8

How Much Will It Cost?

• A fraud or data security breach incident will cost more than fixing the problems

Next Steps to Solve this Business Problem

1. Partner with your IT manager to quantify your cyber risks and fix the problems
2. Assess the quality of your defense
   • Use SANS 20 as a risk assessment baseline – be realistic
   • Perform vulnerability scanning to measure
   • Do you have old technology that should be replaced?
3. Help IT prioritize what is needed
4. Become the champion to senior leadership
   • Help them see the business risk
   • Help find loss prevention funding to reduce cyber liability risk
5. Hold IT accountable for good defense, detection, and response

Handouts

• I am providing the following tools and reference materials to help you get started:
  1. Verizon DBIR Executive Summary Report
  2. McAfee State of Malware Report
  3. SANS 20 Controls Worksheet
  4. WCIA provided – SANS 20 Controls prioritized with product recommendations
  5. SANS – write-up on phishing email

Available at the PRIMA web site.

Reference Material

– NIST SP 800-39 – Managing Information Security Risk
– 2013 Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2013/)
– 2013 Symantec Internet Security Threat Report (http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf)
– McAfee Threats Report – Fourth Quarter 2012 (http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf)
– Ponemon Institute 2012 Cost of Cyber Crime Study (http://www.ponemon.org/library/2012-cost-of-cyber-crime-study)
– Privacy Rights Clearinghouse – Chronology of Data Breaches, 2005 – Present (http://www.privacyrights.org/data-breach)

Thank You

Instructor Information

Doug Selix, MBA, CISM, CISSP, PMP

Worked in the IT field from 1971 to present.

Current Job
1) IT Security and Disaster Recovery Architect, Washington State Department of Enterprise Services
2) IT Security Consultant

Education
BS – Management, City University, 1993
MBA – IS Management, City University, 1995
Project Management Certificate, U of W, 2001

Consulting Clients – 2012 & 2013
WSTIP (Transit Risk Pool)
WCIA (City Risk Pool)
Enduris (City Risk Pool)
WCRP (County Risk Pool)
Clark County
Skagit County

Contact Information
Phone: 253-951-4825
email: [email protected]