April 26th, 2016 Security Awareness
Security is the degree of resistance to, or protection from, harm. If security breaks down, technology breaks down.
• Current Security Landscape
• The Impact of Data Breach or Data Loss
• Raise everyone’s overall awareness
• Security risks
• Techniques to reduce risk
• Changes in Strategy
• What should and can we be doing?
Goal for Today
Protecting People, Property and Business Assets
“The AV-TEST Institute registers over 390,000 new malicious programs every day”
Security is a Growing Concern
https://www.av-test.org
Malware has Changed
Then
• Low Business Impact
• Less Sophisticated
• Targeted PCs
Now
• High Business Impact
• High Sophistication
• Targets Data
[Chart: Organizational Risk, Then vs. Now; vertical axis Visibility, High to Low]
Active malware trends over the last 10 years
Security is a Growing Concern
Malware development trends over the last 10 years
Security is a Growing Concern
• Businesses’ ability to recover
• Brand damage
• Associated Costs
The Impact of Data Breach or Data Loss
Cost of Breaches
32% of organizations have reported cyber-crime
Attackers Evolve, Adapt and Accelerate
• Attackers are nimble, opportunistic, cooperative, skilled and relentless
• Their motivation, resiliency, and creativity drive great adaptability
• Acceleration in their methods, tools, and targets (technology, people, processes)
Attackers Evolve, Adapt and Accelerate
• Dark markets and services grow
• New data breach targets emerge
• Attacks will drive down the technology stack
  • Data
  • Apps
  • Operating Systems
  • Firmware
  • Hardware
• Ransomware and “CEO email” fraud rise
• 80% of infections stem from massive e-mail attacks
• Phishing vs Spear Phishing
• Attackers are aware of 3rd party relationships between large targets and smaller service providers
Phishing
Services for sale
Need a credit card?
Another Scary Fact
Background
Security goes back as far as mankind.
The Traditional Approach to Security
[Diagram: Internet → Firewall → Antivirus]
Early Defense in Depth
Defense in Depth Example
[Diagram: Internet → Firewall → Antivirus, Antispyware, Intrusion Prevention; outgoing requests filtered; Antivirus & Antimalware on the endpoint]
Defense in Depth
The idea behind “Defense in Depth” is to defend your data and systems against any particular attack, using several independent methods
Perimeter
• Firewall
• CGSS
• IPS
Internal Network
• Policies
• Access Rights
• Monitoring
Endpoint
• Antivirus
• Anti Malware
• Cloud Security
Why is all this important?
The United States is the most targeted country in the world.
FireEye Cyber Threat Map
USA #1
Who are we trying to protect from?
• Nation States
• Insiders
• Organized Crime
• Other Companies
• Thrill Seekers
• Notoriety
• Political Activists
How do they do it?
• Poorly configured systems using default passwords and settings which are weak
• Exploit known vulnerabilities which are easy to find
  • Metasploit
  • CGE (Cisco Global Exploiter)
• Password cracking tools to break weak passwords
• Social engineering / Email
• Planting infection in web sites
• Real examples
• Train Network Users to have a healthy level of skepticism
• Keep Software up to date
• Least privileged access
• Encrypt Data in transit & on mobile devices
• Segment & Isolate Networks
• Documented and Tested DR Plan
• Regular tests/auditing to ensure measures are effective
• Data Loss Protection tools
Tools and Techniques Summary
• Seek an optimal balance of Risk/Cost for your business
• Understand what we are protecting
• Treat security as an ongoing concern
  • Not “set it and forget it”
• Ongoing Security Awareness Training
Summary
Will Anyone Out There Take on the Rest of My Risk?
Why Cyber/Privacy Breach Liability Insurance?
• Both the federal government, and each of the 50 states, impose certain actions upon persons/entities/businesses/agencies who maintain personal information on systems or computers in the event of a breach or suspected breach.
• “Certain actions” could include written notice to all impacted individuals, purchase of individual identification protection for 1 year (“Lifelock”), credit report monitoring for each impacted individual, and monetary responsibility for financial losses to the impacted individuals.
• There is NO insurance coverage for any of these items absent a cyber/privacy breach liability policy.
• The existence of statute and the absence of insurance creates an unfunded potential liability.
What Perils Will Cyber/Privacy Breach Insure For?
• Liability imposed by statute
• Regulatory defense and penalties
• PCI fines and expenses
• Notification of Individuals expenses
• Legal services/crisis management/public relations services
• Cyber extortion
• Specific coverage parts can be bought “à la carte” or are offered as a “bundle” depending on specific need.
What Perils will Cyber/Privacy breach NOT Insure for?
• Failure to perform professional duties in a satisfactory manner (Ex: systems designs, software build).
• Loss of digital assets (data).
• Loss of revenue (unless specifically added to the cyber policy).
• First party theft of money/securities.
Premium Drivers
• Revenues/Size of the organization or business.
• # of records/contacts in the possession of the entity.
• Past claim history.
• Industry group (low risk versus high risk).
• Limits of insurance purchased/deductibles taken.
• Specific coverage parts purchased.
• Presence of systems safeguards/professional handling of IT exposures.
Availability of Insurance
• Evolving market: some new entrants, some have left the market. Some names you will recognize (AIG), some you will not (Beazley).
• Insurance policy, generally, has been adding more coverage in recent years.
• Insurance pricing, generally, has declined a bit in recent years.
• Application process remains fairly simple: complete a written application (2 to 10 pages), and provide any requested documentation.
• If application is denied, carriers will tell you why.
Claim Examples
• Accounting firms: Systems are hacked; private info stolen.
• Ad Agency: Disgruntled employee provides ‘per click’ data to a competitor of the firm’s client. Client sues for breach of contract/confidentiality.
• Not For Profit Group: Loss of a donor list.
• Country club/golf course: Credit card transactions are hacked. Loss of cash and private information.
• Hacking from outside/“inside job”/carelessness.
Cyber/Privacy Breach Insurance Impacts
• In 2011, 35% of all Zurich Ins. Co. survey respondents bought cyber insurance; by 2015, the figure was 61%.
• Of cyber attacks experienced by 252 sample employers, 99% were viruses/worms/trojans (high end) with 35% caused by malicious insiders (low end). (Ponemon Institute 2015 Study)
• Average claim cost due to cyber events was $1,388 per capita for small firms; $431 per capita for large firms. (Ponemon Institute 2015 Study)
THANK YOU TO OUR SPONSORS!
Live Hacking Demo