
Presented by · SP 1800-4 November 2015 Mobile Device Security: Cloud and Hybrid Builds SP 1800-5 October 2015 IT Asset Management: Financial Services SP 1800-6 November 2016 Domain


Page 1

Presented by:

Carly Devlin

Ryan Peters

Moderated by:

Deidra Wiley

Page 2

TODAY’S PRESENTERS

Carly Devlin, Managing Director, Columbus Office, Clark Schaefer Consulting

Ryan Peters, Practice Manager, Healthcare, Clark Schaefer Hackett


Page 4

AGENDA

• Understanding Cyber Risk

• Cyber Threats

• Case Studies

• Managing Cyber Risk

• Cybersecurity Tools

• Questions

Page 5

UNDERSTANDING CYBER RISK

Page 6

What is Cyber Risk?

Any risk of financial loss, disruption, or damage to the reputation of an organization from a failure of its information technology systems.

Source: The Institute of Risk Management

▪ Failure to mitigate this risk may cause:

- Disruption of systems/business processes

- Loss of confidential data

- Financial loss

- Fraudulent reporting and metrics

- Damage to reputation

Page 7

Cybersecurity Industry Facts

Cyber crime damage: $6 trillion annually by 2021

Cybersecurity spending: will exceed $124 billion in 2019

Unfilled cybersecurity jobs: 3.5 million by 2021

Human attack surface: 6 billion people by 2022

Global ransomware damage costs: will reach $11.5 billion in 2019

Source: CSO

Page 8

Cybersecurity Definitions

Threat: Circumstance or event with the potential to adversely impact organizational operations, organizational assets, and/or individuals, through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (Abridged from the NIST SP 800-53 / CNSSI 4009 definition.)

Threat actors and their motives:

National Governments: cyber warfare/espionage

Terrorist Groups: spread terror

Organized Crime: financial gain

Hacktivists: political agenda

Hackers: notoriety/financial gain

Insider Threats: revenge/financial gain

Page 9

CYBER THREATS

Page 10

Security Incident Survey

2018 Verizon Data Breach Investigations Report: Healthcare

Frequency: 750 incidents, 536 with confirmed data disclosure

Top 3 patterns: Miscellaneous Errors, Crimeware, and Privilege Misuse represent 63% of incidents within Healthcare

Threat actors (breaches): 43% External, 56% Internal, 4% Partner, 2% Multiple Parties (a breach can involve more than one actor category, so the figures exceed 100%)

Actor motives (all incidents): 75% Financial, 13% Fun, 5% Convenience, 5% Espionage

Data compromised: Medical (79%), Personal (37%), Payment (4%)

Page 11

Our Clients: Most Common Cyber Threats

Phishing

Ransomware

Human Error

Software Vulnerabilities

Internet of Things (IoT)

Page 12

Threat Horizon and Industry Outlook

▪ Ransomware continues to plague the healthcare industry; it accounts for 85% of all malware seen in the sector.

▪ Social attacks (phishing and pretexting) will continue to be a matter of concern for the healthcare industry.

▪ Laptops, other portable devices, and paper documents continue to go missing from healthcare organizations every year.

Page 13

CASE STUDIES

Page 14

Attack #1 – HealthEquity

Attack Victim: HealthEquity

Attack Date: October 2018

Description: An attacker who compromised two employee email accounts had access to the data of about 190,000 customers for about a month.

Cost: Unknown – class action lawsuit filed

Page 15

Attack #2 – UnityPoint Health

Attack Victim: UnityPoint Health

Attack Date: March 2018

Description: A phishing attack on the health system’s business email system exposed the data of 1.4 million patients. The email system was hit with a series of highly targeted phishing emails that appeared to come from an executive within the organization.

Cost: Unknown – class action lawsuit filed
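Both the HealthEquity and UnityPoint incidents above started with phishing against employee mailboxes, and the UnityPoint messages impersonated an executive. The following is an added example (it is not part of the presentation and not Clark Schaefer tooling) of the header checks a mail gateway rule or SOC triage script can apply to that pattern: an executive's display name on a sender address outside the organization, a Reply-To that diverts replies to another domain, and the SPF/DMARC results recorded by the receiving gateway. The domain example-health.org, the executive roster and the three messages are constructed for illustration.

```python
"""Header checks for executive-impersonation phishing (added example).

Not part of the presentation or of any Clark Schaefer tooling. The domain
example-health.org, the executive roster and the three messages below are
constructed for illustration.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"        # hypothetical internal domain
EXECUTIVES = {"jane doe", "john roe"}    # hypothetical display names to protect


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> list[str]:
    """Return the reasons this message looks like executive impersonation.

    An empty list means no check fired. Checks:
      1. an executive's display name on a sender address outside ORG_DOMAIN
      2. a Reply-To whose domain differs from the From domain
      3. an explicit SPF or DMARC failure in Authentication-Results
      4. a sender claiming ORG_DOMAIN without dmarc=pass in Authentication-Results
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    if from_name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append(
            f"display name '{from_name}' matches an executive "
            f"but sender domain is '{from_dom}'"
        )

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To diverts replies to '{_domain(reply_addr)}'")

    # Only trust this header when your own gateway stamped it (see note below).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("sender authentication failed: " + auth)
    if from_dom == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims internal domain but no dmarc=pass recorded")

    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed_exec": (
        "From: Jane Doe <jane.doe.ceo@mail-example.com>\n"
        "Reply-To: Jane Doe <exec-urgent@freemail.example>\n"
        "To: payroll@example-health.org\n"
        "Subject: Urgent: wire transfer before 5pm\n"
        "Authentication-Results: mx.example-health.org; "
        "spf=pass smtp.mailfrom=mail-example.com; dmarc=none\n"
        "\n"
        "Please process the attached invoice today.\n"
    ),
    "legit_internal": (
        "From: Jane Doe <jane.doe@example-health.org>\n"
        "To: staff@example-health.org\n"
        "Subject: Q3 all-hands\n"
        "Authentication-Results: mx.example-health.org; "
        "spf=pass; dkim=pass; dmarc=pass\n"
        "\n"
        "Agenda attached.\n"
    ),
    "forged_internal": (
        "From: John Roe <john.roe@example-health.org>\n"
        "To: finance@example-health.org\n"
        "Subject: Updated vendor banking details\n"
        "Authentication-Results: mx.example-health.org; "
        "spf=fail smtp.mailfrom=example-health.org; dmarc=fail\n"
        "\n"
        "Please update the account on file.\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the checks over every constructed sample."""
    return {name: impersonation_findings(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name}: {'clean' if not reasons else '; '.join(reasons)}")
```

Two caveats for anyone adapting this: an Authentication-Results header is only meaningful when it was added by your own receiving gateway (strip any copy that arrives from outside, since a sender can forge one), and the display-name check should be fed from a maintained roster of executives and finance staff rather than a hard-coded set.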

Page 16

Attack #3 – Health Management Concepts

Attack Victim: Health Management Concepts (HMC)

Attack Date: July 2018

Description: A ransomware attack on HMC quickly turned into a data breach when the attackers were inadvertently provided a file containing the personal data of 502,416 members.

Cost: Unknown

Page 17

Attack #4 – LifeBridge Health

Attack Victim: LifeBridge Health

Attack Date: September 2016

Description: The health system learned in March 2018 of a breach, dating back to September 2016, affecting 500,000 patients, after discovering malware on a server that hosts EMR data for the system’s affiliated physician group and the shared registration and billing system for other LifeBridge providers.

Cost: Unknown – class action lawsuit filed

Page 18

MANAGING CYBER RISK

Page 19

Managing Cyber Risk

Mitigation vs. Elimination of Risk

Page 20

New Healthcare Cybersecurity Guidance

▪ December 28, 2018 – HHS announced the release of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP) guidance.

▪ Focuses on 5 primary cyber threats to the healthcare industry and identifies best practices to address each:

- Phishing attacks

- Ransomware attacks

- Loss or theft of equipment or data

- Insider, accidental or intentional data loss

- Attacks against medical devices that may affect patient safety

▪ Includes suggested practices for small, medium, and large organizations

Page 21

Use of a Security Framework

A series of documented processes used to define policies and procedures for the implementation and ongoing management of information security controls in an enterprise environment.

Security Frameworks: ISO, NIST

Page 22

ISO/IEC 27001:2013

▪ Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

▪ Designed to: Provide requirements for an information security management system (ISMS)

▪ Overview: Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements are intended to be applicable to all organizations, regardless of type, size, or nature.

Page 23

NIST Cybersecurity Framework

▪ Established by: The National Institute of Standards and Technology (NIST)

▪ Designed to: Be a voluntary cybersecurity framework, developed at the direction of a US presidential Executive Order (EO 13636, 2013)

▪ Overview: A structure for the nation’s financial, energy, healthcare, and other critical infrastructure sectors to better protect their information and physical assets from cyber attack. The framework provides a common language with which to address and manage cyber risk in a cost-effective way based on business needs, without additional regulatory requirements.

Page 24

NIST Cybersecurity Framework (CSF)

▪ Three Parts:

– Framework Core

– Framework Implementation Tiers

– Framework Profiles

Allows organizations to:

▪ Describe current cybersecurity posture

▪ Describe target state for cybersecurity

▪ Identify and prioritize opportunities for improvement

▪ Assess progress towards target state

▪ Communicate using common language among internal and external stakeholders about cybersecurity risk

Page 25

CSF Core

Page 26

CSF Core

Page 27

CSF Tiers/Profiles

▪ Tiers

–Tier 1: Partial

–Tier 2: Risk Informed

–Tier 3: Repeatable

–Tier 4: Adaptive

▪ Profiles

–Current profile (“as is”)

–Target profile (“to be”)

Page 28

CSF – Applying the Framework

1. Prioritize & scope

2. Orient

3. Create a current profile

4. Conduct a risk assessment

5. Create a target profile

6. Determine, analyze & prioritize gaps

7. Implement action plans

(Repeatable: the seven steps are run as a continuing cycle.)

Page 29

CSF – Benefits and Challenges

▪ Benefits:

–Voluntary

–Expose new risks

–Sharing, collaboration

–Layered approach

▪ Challenges:

–Not “set it and forget it”

–Requires “buy-in”

–Communicating risks

–Large, complex organizations

–Lack of quantifiable metrics

Page 30

OTHER CYBERSECURITY TOOLS

Page 31

NIST 800-53

▪ Security and Privacy Controls for Federal Information Systems and Organizations

▪ 18 security control families (Rev. 4), covering:

–Management/enterprise

–Operational

–Technical

▪ 8 privacy control families (Rev. 4, Appendix J)

Page 32

NIST 800-53: Example Control

Page 33

NIST 800-53: Benefits and Challenges

▪ Benefits:

–Comprehensive

–Supplemental guidance is useful

–Baselines (low/moderate/high) allow a risk-based approach

–Supported by SP 800-53A, which provides the corresponding assessment procedures

–Cross references throughout and to other NIST SPs

▪ Challenges:

–Comprehensive! (Complex)

–Focus on Federal systems

• Private entities? State/Local government?

–Focus on information systems

• IoT devices, industrial control systems, weapons systems

Page 34

NIST 800-61: Computer Security Incident Handling Guide

▪ Organizing a Computer Security Incident Response Capability

-Understanding Events and Incidents

-Incident Response Policy, Plan, Procedures

-Incident Response Team Structure

▪ Handling an Incident

-Preparation

-Detection and Analysis

-Containment, Eradication, and Recovery

-Post-Incident Activity

Page 35

NIST 800-61: Benefits and Challenges

▪ Benefits:

-Easy-to-follow guidance on detecting, analyzing, prioritizing, and handling incidents

-Provides checklists, scenarios, examples, recommendations

▪ Challenges:

-Less focus on establishing an incident response program

-Doesn’t provide a specific template for an Incident Response Policy or Plan

Page 36

NIST SP 1800 Series: Cybersecurity Practice Guides (dates are the initial draft releases)

SP 1800-1 (July 2015): Securing Electronic Health Records on Mobile Devices

SP 1800-2 (August 2015): Identity and Access Management for Electric Utilities

SP 1800-3 (September 2015): Attribute Based Access Control

SP 1800-4 (November 2015): Mobile Device Security: Cloud and Hybrid Builds

SP 1800-5 (October 2015): IT Asset Management: Financial Services

SP 1800-6 (November 2016): Domain Name System-Based Electronic Mail Security

SP 1800-7 (February 2017): Situational Awareness for Electric Utilities

SP 1800-8 (May 2017): Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

SP 1800-9 (August 2017): Access Rights Management for the Financial Services Sector

SP 1800-10 (not yet released): Identity and Access Management

SP 1800-11 (September 2017): Data Integrity: Recovering from Ransomware and Other Destructive Events

SP 1800-12 (September 2017): Derived Personal Identity Verification (PIV) Credentials

Page 37

QUESTIONS?

Carly Devlin, Managing Director, Clark Schaefer Consulting

Ryan Peters, Practice Manager, Healthcare, Clark Schaefer Hackett

Page 38

THANK YOU!

Carly Devlin, Managing Director, Clark Schaefer Consulting

Ryan Peters, Practice Manager, Healthcare, Clark Schaefer Hackett