Presented by:

Date:

Danny Timmins, National Leader Cyber Security

September 26, 2016

MNP Cyber SecuritySudbury

Page 2

• What’s happening in Cyber today.

• Are organizations at Risk?

• Critical Areas of focus for Cyber

Security.

• Strategy to tackle Cyber Security.

Page 3

Page 4

Internet of things is, and will be a

organization Challenge.

Source: Intel.com

Page 5

Cyber Security is a Hot Topic

80% of respondents in a

recent survey discuss cyber

security at most or all

boardroom meetings

Source: 2015 Veracode Cyber Security in the Boardroom

Page 6

It’s increasing yearly?

Page 7

Cyber Security

7

Page 8

• Who does Cyber Attacks?

Page 9

Threat Communities

• Nation States

• Organized Hackers

• Non-Organized Hacker

• Employee: Technical

• Employee: Business

• Malicious former employee

Page 10

• What is the cost per record stolen in Canada?

Page 11

Cost of a Data Breach

Canada at Glance

• 24 Companies (Study conducted by the Ponemon Institute, June 2016)

– Number of exposed or compromised records – Global average size is 23,834

and Canada is 21,200.

– Per Capita cost average for all industries was $158US / $211 CDN - For the

Industrial sector it was $156US – as a side note Health Services was $355US

– The average total organizational cost of a data breach over three years for

Canada was $4.98M US.

Page 12

• What percentage (out of 100) of all malware is Crypto-Ransomware?

Page 13

What’s your risk threshold?

• What if your computers, servers were locked out?

Page 14

What's happening in the world of Cyber Security?

• Nearly 60% of all malware infections are Crypto-ransomware

– CryptoWall3 malware cost victims more than $325 Million and the number is

growing.

• Root Cause: In Canada 54% caused by Malicious and or Criminal Attack.

• Probability of a data breach involving a minimum of 10,000 records is 17% in

Canada vs 25% Globally.

• Privacy of Personal Information – Do you store, save and or send any?

– What does Mandatory Breach Notification Mean in Canada?

Page 15

• What are the odds of success for a phishing attack (x/y)?

Page 16

What's happening in the world of Cyber Security?

• Could the Cyber Enemy be ourselves?

– 1 in 5 phishing emails are clicked on – why?...mostly curiosity.

– A research team dropped 300 USB’s in various locations on a campus, 98% of

them were picked up, 50% plugged them in and accessed the files.

– Passwords…enough said!

• 75% of attacks spread from Victim 0 to victim 1 within one day (24 hrs.)

• In 60% of the breach cases in the Verizon report, attackers are able to compromise an

organization within minutes.

Page 17

Would you click on this?

Phishing Campaigns

Page 18

Maybe this…?

Page 19

Network Cyber Security Check Up

Page 20

Page 21

What’s your risk threshold?

• What if your systems were compromised?

Page 22

What’s your risk threshold?

• Do you have any Intellectual Property(IP)?

Page 23

What’s your risk threshold?

• What if someone was looking at your proposal, bids, RFP’s?

Page 24

What’s your risk threshold?

• Personal Identifiable Information?

Page 25

What’s your risk threshold?

• Supply Chain?

Page 26

Other Notable Risks.

• Research.

• Brand.

• Enrollment for Post Secondary, Municapaties, etc.

• Strategic plans, engineering drawings.

• Life Safety Systems – Command & Control.

• Payment Systems.

Page 27

How do you determine and define what the

Cyber Security Priorities Are?

Threats

Risk Loss

Controls

Page 28

MNPs Approach to Cyber

MNP Suggests:

• Understanding the strength of your controls.

• Assessing your risk based on what threats are acting

against you & what industry sector you are part of.

• Reviewing and understanding the monetary impacts to

your organization, including financial loss, brand loss, etc.

Page 29

+ Endorsed + Pragmatic + Measurable

Critical Security Controls

“The adoption of the 20 Critical Controls is a good foundation for effective cybersecurity, and

that they are a excellent example of how public and private sector organizations can voluntarily

come together to improve security”

- Commander of the US Cyber Command and Director of NSA

Page 30

What are CSC guiding principles?

1. Defenses should focus on addressing the attack activities occurring today.

2. Enterprises must ensure consistent controls across the enterprise to effectively negate attacks.

3. Defenses should be automated where possible.

4. Specific technical activities should be undertaken to produce a more consistent defense.

5. Root cause problems must be fixed in order to ensure the prevention or timely detection of

attacks.

6. Metrics should be established that facilitate common ground for measuring the effectiveness of

security measures.

Page 31

Inventory of Authorized and Unauthorized Devices

Inventory of Authorized and Unauthorized Software

Secure Configurations for Hardware and Software on

Mobile Devices, Laptops, Workstations, and Servers

Continuous Vulnerability Assessment and Remediation

Malware Defenses

Application Software Security

Wireless Access Control

Data Recovery Capability

Security Skills Assessment

Application Software Security10

9

8

7

6

5

4

3

2

1 Limitation and Control of Network Ports, Protocols, and

Services

Controlled Use of Administrative Privileges

Boundary Defense

Maintenance, Monitoring, and Analysis of Audit Logs

Controlled Access Based on the Need to Know

Account Monitoring and Control

Data Protection

Incident Response and Management

Secure Network Engineering

Penetration Tests and Red Team Exercises20

19

18

17

16

15

14

13

12

11

Critical Security Controls

Page 32

Generic Attack Methodology

Every cyber attack follows a standard attack methodology

“Kill” Chain

Lockheed Martin est. 2011

Reconnaissance Exploitation PersistenceActions on the

Objective

generic attack methodology

Why these controls?

Page 33

Base Line Data can show improvement over time.

Page 34

Risk Methodology

Measure Analyze Plan Maintain

Control

Strength

Threat

Capability

Control

Strength

Threat Event

Frequency

Quantify the Loss

Page 35

Threat AnalysisConsiderations for risk analysis

CSC Results Nation States

Non-organized

Hacker

Destructive Malware

Control Strength

What Safeguards are

currently in place?

Threat Capability

What is the capability

of the threat agents?

Verizon DBIR

statistics

Threat Event Frequency

What are your industry

specific statistics?

Fines / Reputation

OpenFair

Quantify the Loss

What are the primary and

secondary loss magnitudes?

Page 36

Page 37

Page 38

Example of Prioritization

Control

• Medium

• Low

• Medium

Risk Loss

• High

• Medium

• Medium

Threat Landscape

• Low

• Medium

• High

Priority

• 3

• 2

• 1

Page 39

Goal Based and Measurable

Maturity averages from similar organization

An all-encompassing maturity dashboard with key

analytics

Focused allocation of budget and resources

Immediate and prioritized risk reduction

strategies

A prioritized & risk based roadmap customized to

your unique organization

Page 40

Center for Internet Security states that if you implement

these 5 strategies you will reduce your risk by 85%

• Inventory of Authorized and Unauthorized Devices

• Inventory of Authorized and Unauthorized Software

• Secure Configurations for Hardware and Software

• Continuous Vulnerability Assessment and Remediation

• Controlled Use of Administrative Privileges

CIS Critical Security Controls

Page 41

Inventory of Authorized and Unauthorized Devices

• Some of the Controls needed:

– Deploy an automated asset inventory discovery tool.

– Ensure that all equipment acquisitions automatically update the

inventory system.

– Maintain an asset inventory of all systems connected to the network.

– Use client certificates to validate and authenticate systems.

Page 42

Inventory of Authorized and Unauthorized Software

• Some of the Controls needed:

– Devise a list of authorized software and version.

– Deploy application whitelisting technology.

– Deploy software inventory tools throughout the organization.

Page 43

Secure Configurations for Hardware and Software

• Some of the Controls needed:

– Establish standard secure configurations of your operating systems

and software applications.

– Store the master images on securely configured servers.

– Perform all remote administration secure channels.

– Use file integrity checking tools to ensure that critical system files

have not been altered.

Page 44

Continuous Vulnerability Assessment and Remediation

• Some of the Controls needed:

– Run automated vulnerability scanning tools against all systems on

the network.

– Correlate event logs with information from vulnerability scans.

– Perform manual vulnerability scanning .

– Deploy automated patch management tools and software update

tools.

– Establish a process to risk-rate vulnerabilities.

Page 45

Controlled Use of Administrative Privileges

• Some of the Controls needed:

– Minimize administrative privileges.

– Use automated tools to inventory all administrative accounts.

– Before deploying any new devices in a network, change all default

passwords.

– Use multifactor authentication for all administrative access.

– Administrators should be required to access a system using a fully

logged and non-administrative account.

Page 46

Other Important Strategies

• Incident & Crisis Management.

• Education.

• Increase early detection and alerting.

Page 47

Education

• Do your team’s have awareness of Cyber Security and the potential harm to the

organization?

• Does the organization have policies & practices?

• Do you practice simulations to drive awareness?

Page 48

Are you prepared for Cyber Incident?

• Do you have a policy in place if a Cyber Attack happens?

• Have you tested this policy during the past year?

• Are various groups within the organization participating?

• Do you have a spoke person primed to speak to the Cyber Attack?

Page 49

Increase early detection and alerting

• Does your alerting and detection do the following:

– Detect emerging threats.

– Help contain and mitigate losses and further exploitation.

– Automate and correlate large amounts of inputs and data.

– Monitor 24/7 with the ability to respond.

Page 50

• Over 50 Cyber Security Professionals across the Country and growing.

• Our team of Cybersecurity specialists hold extensive industry specific

certifications including: CISSP, CISA, OSCP (Penetration testing), GPEN,

CEH, Payment Card Industry (PCI QSA and PCI ASV), CCSK (Cloud

Security), OpenFAIR (risk analysis), Critical Security Controls (CSC).

• Strong niche/vertical orientation – Government, Municipalities, Public

Safety, Health Services, Financial Services, Resource Sector, Education,

Retail, Public Sector, Real-estate, etc.

• Our focus area’s Technology Installation, Configuration, Management, PCI,

Pen-Testing, Maturity Health Check, Security Risk Review, and much more.

Who are we…MNP’s Cyber Security Team

50

Page 51

How we help our clients

Service Area Context

Cyber Security Defensive Controls

(Products)

We help architect through dialog & white boarding then install & configure

Defensive Security Controls – Once completed we hand off for Customer to

Manage.

Managed Cyber Security Services We manage the clients Cyber Security Defensive Controls. We are

basically an extension to their team, with dedicated Cyber Security Admin’s

& VCISO’s, we know your network inside & out.

Red Team (Offensive Cyber Security

Services)

We assess an organization’s resiliency to a cyber attack. We use some or

all of the following to test the resiliency: Penetration Testing (Application,

Mobile & Perimeter), Phishing, Vishing, Physical, Wireless, USB Keys, etc.

Cyber Security Health Check - MTA Our Health Check is called a MTA (Maturity & Threat Analysis) provides a

clear picture of your overall cyber maturity score, identifies key risks and

outlines where resources & budget should be allocated, helping guide your

organization in its risk reduction strategies.

Page 52

How we help your clients

Service Area Context

PCI – Payment Card Industry ANY organization that stores, processes or transmits credit card data MUST be

PCI Compliant. If your client is doing more than 1 million transactions using

and payment method and or more than 250K through e-commerce they could

use our help.

Executive Level Cyber Security

Training

Customized security awareness program designed with a focus on

specific threats, geared towards C-level and Executive level members

of the organization, as well as board level members.

Incident Response Under Cyber Attack? Incident response is what organizations require

should they fall victim of a cyber attack. It best to prepare before it

happens and we can help either way.

Cyber Security Policy Development A comprehensive review evaluating your organizations current policy

framework against a number of controls such as the ISO27002, CSC

20 and PCI DSS.

Page 53

53

Page 54

Case Study: Building Operator – Penetration

TestingServices we provided:

1. Project Management

2. Report that includes the findings

of the testing, including

vulnerabilities discovered and

recommendations for further

security measures.

3. Both external and internal

environments’ tested

4. One Web Application tested

Problem: Can the building & applications

be exploited externally & what type of

vulnerabilities exist.

Service: Engaged MNP to perform an

internal and external network/OS layer

penetration test on a building network

systems in order to identify vulnerabilities.

The test will attempt to exploit identified

vulnerabilities in order to gain access to

network devices, applications, accounts,

and information in a manner other than

intended.

Page 55

Case Study: PCI – Post Secondary

Services we provided:

1. Project Management

2. Report that includes the findings of

each phase. Including discovery

and recommendations for further

PCI measures.

3. Report which is sent to PCI

Problem: They were looking to meet PCI

Compliancy.

Service: Engaged MNP to perform 1)

Scope Discovery and Reduction, 2)

Readiness Assessment & Gap Analysis, 3)

Remediation (if need), 4) Assessment to

perform a full PCI DSS assessment and

provide a Report on Compliance (RoC) or

Self Assessment Questionnaire (SAQ).

Page 56

Case Study: Health Sector – SIEM

Win Factors: Our depth of

experience with SIEMs, our past

engagements with the client,

and our positive relationship with

them

Problem: Needed a system to alert them of

improper activity

What: Implement and install an AlienVault

Security Information & Event Management

(SIEM). A SIEM monitors and alerts the

client when activity on the network is not

right

Page 57

Case Study: Retail – Firewall Solution

Win Factors:

Our existing relationship with the client

who fought to keep the engagement

with MNP versus transferring to a US

competitor and our strong relationship

and support from our partner -

Checkpoint

Problem: Looking to refresh their older

Firewalls

What: Implement a Checkpoint Firewall

solution and provide professional services

for installation and migration of the client’s

aging firewall infrastructure

Page 58

Case Study: Technology – MTA

Win Factors: Our strong presentation

of the MTA to the client and how it

could address and support their future

IT security strategies, MNP’s

understanding of the Innovapost

infrastructure, and our pricing model

that addresses the client’s growing

cost-sensitivities

Problem: Wanted to understand how to

better allocate resources and budget better

for Cyber Security

What: Complete an MTA for the client. A

Maturity and Threat Analysis provides a

clear picture of your overall cyber maturity

score, identifies key risks and outlines

where resources should be allocated,

helping guide your organization in its risk

reduction strategies.

Page 59

Case Study: Post Secondary – Defensive Controls

Services we provided:

1. Project Management

2. Suggestions through dialog and white

boarding to upgrade their technology

3. Procurement & Delivery of the Product

4. Install, configuration and hand off of

working technology in their

environment

Problem:They needed to refresh some of

their existing Cyber Security Defensive

Controls (Products) and build in new

technology to make their business safer.

Service: We first helped them look at what

they had through dialog & white boarding

and suggested some changes. We were

asked to bid on the products and services

for Next Generation Firewalls, Web

Application Firewall and Vulnerability

Scanning.

Page 60

Case Study: Retail – Managed Services

Services we provided:

1. Project Management

2. 24/7 Support, upgrades,

patches, license tracking, real-

time incident response

3. Cyber Security Administration &

Virtual Chief Information

Security Officer (vCISO)

Problem: Managing all of their Internal

Wireless Systems for all Malls in Canada

Service: MNP Provides Managed Wireless

Cyber Security Services which are an

extension to their Team. We do this across

all Malls Nationally. We preform all

add/moves/changes to the devices,

monitor all alerts, respond and manage any

incidents and help develop the Security

Policy Management for the devices.

Page 61

Personal Cyber Security Check List

Create strong PW – use a minimum of 8 characters(Capitals, numbers,

special characters).

Use Two step verification where ever able.

Keep you systems updated with latest software.

Run Anti-Virus, Anti-Malware.

Back Up your systems (local, cloud..)

Have your computer or mobile set to auto lock out.

Never click on something you don’t know.

Don’t add people to your profiles that you don’t know.

Sensitive browsing should only be done from a trusted device or WIFI.

Page 62

Contact Us:

Tel: 905.607.9777

Tel Toll Free: 866.370.8575

Email: mississaugatechinfo@mnp.ca

Website: www.nci.ca

95 Topflight Drive

Mississauga, ON

L5S 1Y1

Danny Timmins

National Leader

CyberSecurity

T: 905.607.9777 ext.230C: 647.202.6243

danny.timmins@mnp.ca