Multi-faceted Cyber Security v1
Download as PPTX, PDF1 like312 views
This document discusses various IT security, compliance, legal risk, and disaster preparedness topics. It begins by outlining the basics of an IT security lifecycle including inventorying assets, identifying risks, remediating risks, and monitoring alerts. It then discusses threats like cybercrime, phishing, and issues related to e-discovery, PCI compliance, and HIPAA compliance. The document provides recommendations for legal risk mitigation, disaster preparation, cyber incident handling, and options for addressing IT security needs either through do-it-yourself methods, outside help, or hiring a support organization.
Multi-faceted Cyber Security v1
- 1. Copyright 2014 – LP3 September 2014 Asad Zaman MBA, MSc-CyberSecurity
- 2. Copyright 2014 – LP3 • IT Security • e-Discovery • Compliance • Legal Risk • Disaster Plans • What can you do? Agenda
- 3. Copyright 2014 – LP3 IT Security Lifecycle Basics Inventory Assets Hardware, software, mobile devices, communications links, processes, procedures, checklists, documents, contacts, customer lists Identify Risk Create discrepancy reports and act on them Remediate Risk Assign actions and close them Monitor and triage alerts Log reduction and analysis Execute and Test Backups Data, configurations, processes documentation
- 4. Copyright 2014 – LP3 • Steady increase in cyber crime – collection/exploitation • Government and hackers can access your unprotected data • Damage from cyber crime rising dramatically • Critical business issues • Reputation – share value • Fines/penalties – FINRA, SEC • Litigation – client identity theft, negligence, due diligence • Compliance • Business continuity Cyber Criminals – No Rules! 60% of small businesses that get hacked are out of business within 1 year
- 5. Copyright 2014 – LP3 Phishing • Fake emails seeking to get credentials • Financial assets: 76% of targets • Spear phishing – by-name emails • Company executives, key decision makers, celebrities, names on company website Red Flag Words: account locked, suspended, verification required, suspicious transaction, protect your computer, funds due to you Countermeasures: • Don’t click on emailed links and attachments – only takes ONE person • Security Awareness Training Source: Symantec study 2007
- 6. Copyright 2014 – LP3 Phishing Examples
- 7. Copyright 2014 – LP3 Countermeasures: • Encrypt data and know where it goes • Use redundant automated backups and test them Are My Documents Safe? NSA…“full take,” “bulk access” and “high volume” operations onYahoo and Google networks. (WashPost, 4 Nov 13) Work server Home computer
- 8. Copyright 2014 – LP3 “click here” emails Business Associate Connections “Please reset my password! Mr. Smith is yelling at me to get this report done now!” – Social Engineering How do hackers crack businesses?
- 9. Copyright 2014 – LP3 What is it? • Mandated electronic discovery in litigation or investigations with electronically stored information (ESI) Why do I care? • If you cannot find documents and metadata then you may lose the case – significant financial risk e-Discovery Risk Deliver all documents with the name “John Smith” or “Company XYZ” from 2008 to 2012…
- 10. Copyright 2014 – LP3 What should I do? 1. Identify 2. Preserve and Retain 3. Collect 4. Process 5. Review 6. Produce e-Discovery Actions
- 11. Copyright 2014 – LP3 Payment Card Industry Compliance
- 12. Copyright 2014 – LP3 PCI (Payment Card Industry) DSS WHAT: Standards and requirements for payment card data security Non-legislative – enforceable through fines and penalties Obligation on merchants and service providers WHO: “Payment Card Industry (PCI) Data security requirements apply to all Members (banks), merchants and service providers that store, process or transmit cardholder data.” HOW: Sensitive authentication data cannot be stored Cardholder data must be protected New requirements from PCI DSS 2.0 to 3.0 came out in Nov 2013 Requires Qualified Security Assessor (QSA) validation annually or Self- Assessment Lack of COMPLIANCE: Fines: Up to $500k per incident (VISA), government fines, insurance costs, and litigation Brand reputation: Share price falls, loss of customer confidence Revocation: Inability to process credit card transactions More compliance: Additional PCI validation required
- 13. Copyright 2014 – LP3 PCI DSS 2.0 Requirements
- 14. Copyright 2014 – LP3 Health Insurance Portability & Accountability Act (HIPAA) Compliance WHAT: • Uniform rules for protecting Health Info • Written or Oral communcations • E-mail, computerized and electronic information (computer records, faxes, voicemail, PDA entries, etc.) WHO: • Comes from a health care provider or a health plan • Could be used to identify an individual • Describes the health care, condition, or payments or demographics of an individual HOW: Physical Safeguards • Computer terminals are not placed in public areas Technical Safeguards • Every associate must keep his/her password confidential Administrative Safeguards • Policy and procedure for release of patient information COMPLIANCE: • $100 fine per day for each standard violation. (Up to $25,000 per person, per year, per standard.) • $50,000 fine + up to one year in prison for improperly obtaining or disclosing health information. • $100,000 fine + up to five years in prison for obtaining or disclosing health information under false pretenses. • $250,000 fine + up to ten years in prison for obtaining health information with the intent to sell, transfer or use for commercial advantage, personal gain or harm.
- 15. Purpose Criminal Penalties Criminal provisions • Could reach up to 10 years in prison • Fines started at $100 and could reach up to $25,000 for all identical violations of the same provision HITECH - Harsher Penalties • Tiers established for civil penalties • Maximum penalty of $1.5 Million • The higher the level of culpability, the higher the penalty Makes massive changes to privacy and security laws. Breach Notification requirements (Patient, Department of Health and Human Services, and Media) Applies to covered health care entities and business associates. Creates a nationwide electronic health record Increases penalties for privacy and security violations HITECH (Health InformationTechnology for Economic and Clinical Health Act)
- 16. Copyright 2014 – LP3 HIPAA INTHE NEWS Octomom: Hospital workers accessed records out of curiosity - 15 people fired – 8 under disciplinary action Brittany Spears: 13 or more workers fired – 6 workers suspended – 6 doctors face disciplinary action
- 17. Copyright 2014 – LP3 What is it? • Potential failure to comply or apply due care in various legal areas Why do I care? • Risk of civil or criminal prosecution • Significant financial impact for defense even if you win a case; losing can put you out of business Legal Risk
- 18. Copyright 2014 – LP3 What do I do? • Assess third party vendor and service provider agreements • Document Data Breach Notification and Incident Response Plans • Validate employer/employee privacy practices and technologies • Revise Policies and Procedures • Implement RiskTransfer / Insurance Assessment Legal Risk Mitigation
- 19. Copyright 2014 – LP3 What should I do? • Assess Risks • Hurricane, fire, flood, terrorism, disgruntled employee • Identify Critical Resources • Processes, computer systems, information, documents, employee contact info, customer contact lists • Develop Plans and Procedures • Simple step-by-step emergency and restoral procedures • Downtime is lost business—a good plan is valuable • Train andTest • Ensure key staff know the procedures • Execute both tabletop and actual failover testing Disaster Preparation
- 20. Copyright 2014 – LP3 • What are the potential identifiable disasters (internal and external)? • How would each affect your critical systems? Disaster Preparation Data Center Fire
- 21. Copyright 2014 – LP3 What do I do? 1. Preparation: Set up systems to detect threats and create policies for action; including public info release decisions 2. Threat Identification: Effects it is having on your systems 3. Containment: Limit effects by confining to as few systems as possible; freezing the scene for investigation 4. Eradication: Get rid of whatever the attacker might have left behind – rebuild from original media if possible 5. Recovery: Restore the system back into normal operations, reconnect to the network, restore data from known clean backups if necessary. 6. Follow-up: Root cause identification, deploy countermeasures, improve processes, etc. Cyber Incident Handling
- 22. Copyright 2014 – LP3 Multi-Faceted Cyber Security • IT Security – Can hackers modify or steal your data? • e-Discovery – Can you find files you need for legal defense? • Compliance –Will regulators see evidence of due care? • Legal Risk – Does your configuration keep data private? • Disaster Plans – Is your data backed up and restorable? Secure management of critical systems improves all key areas
- 23. Copyright 2014 – LP3 1. Do it yourself 2. Ask for help 3. Hire support What should I do?
- 24. Copyright 2014 – LP3 Do it yourself 1. Train IT staff on critical security issues with CISSP, SANS GIAC, Microsoft Certified Systems Engineer: Security 2. Patch workstations and laptops 3. Patch servers 4. Update anti-virus and spyware 5. Backup key systems 6. Use firewalls to limit access 7. Train employees regularly 8. Continuously monitor posture
- 25. Copyright 2014 – LP3 Ask for help 1. Web information services 2. Local colleges and universities 3. Part-time IT security employees 4. Consultants 5. Virtual CIO/CISO/CPO Protectingtomorrow.org Schools, Business,Vets
- 26. Copyright 2014 – LP3 Hire Support…but who? 1. Trust 2. Experience withAdvanced PersistentThreats 3. No software or hardware vendors 4. Industry experience 5. Technically current 199 critical vulnerabilities in a Financial Services Firm
- 27. Copyright 2014 – LP3 Thank you! Comments? Questions? Striking the critical balance between protection and performance sales@LP3.com
- 28. Copyright 2014 – LP3