PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Tanenbaum, INFORMATION...


How To Survive In A Risky Cyber World

2016 IFG Wealth Management Forum Scottsdale, AZ April 2016

Mitch Tanenbaum, www.CyberCecurity.com, Mitch@CyberCecurity.com, 720-891-1663

GEEK ALERT!

Ransomware

What can you do?

1. Backups, backups and more backups
2. Business continuity plan
3. Disaster recovery plan
4. Incident response plan

• Rowlett incident

Test repeatedly!
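"Test repeatedly" is the step most often skipped: a backup that has never been restored is a hope, not a control, and ransomware is exactly the moment that hope is tested. The script below is an added example, not part of the original slides, showing the minimum restore test: archive a directory, record a SHA-256 manifest of every file, restore the archive into a scratch directory, and verify the restored tree against the manifest. It assumes tar plus sha256sum (GNU coreutils) or shasum (BSD/macOS); every path and file in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original slides: the minimum restore test behind
# "backups, backups and more backups". It archives a directory, records a
# SHA-256 manifest of every file, restores the archive into a scratch directory
# and verifies the restored tree against the manifest.
# Assumes tar plus sha256sum (GNU coreutils) or shasum (BSD/macOS); every
# path and file below is constructed sample data.
set -eu

# digest FILE: print "sha256  FILE", using whichever SHA-256 tool is installed
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# hash_tree DIR: one digest line per regular file under DIR, sorted by path so
# two manifests of identical trees compare byte-for-byte
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do digest "$f"; done )
}

# make_backup SRC ARCHIVE: tar SRC into ARCHIVE and write ARCHIVE.manifest beside it
make_backup() {
    tar -C "$1" -cf "$2" .
    hash_tree "$1" > "$2.manifest"
}

# verify_restore ARCHIVE: restore into a fresh scratch directory and compare the
# restored tree's hashes with ARCHIVE.manifest. Returns 0 only on an exact match,
# so a corrupted, incomplete or tampered backup fails now rather than on the day
# a ransom note is on the screen.
verify_restore() {
    archive="$1"
    scratch="$(mktemp -d)"
    status=1
    if tar -C "$scratch" -xf "$archive" \
        && hash_tree "$scratch" > "$scratch.manifest" \
        && cmp -s "$archive.manifest" "$scratch.manifest"; then
        echo "RESTORE OK: $(wc -l < "$archive.manifest" | tr -d ' ') files verified from $archive"
        status=0
    else
        echo "RESTORE FAILED: $archive does not restore to its recorded manifest" >&2
    fi
    rm -rf "$scratch" "$scratch.manifest"
    return "$status"
}

# Demo on constructed sample data: two client files, a nightly archive, a restore test.
demo="$(mktemp -d)"
mkdir -p "$demo/src/clients"
printf 'acct=1001,balance=250000\n' > "$demo/src/clients/smith.csv"
printf 'wire policy: call back on a known number before releasing funds\n' > "$demo/src/policy.txt"
make_backup "$demo/src" "$demo/nightly.tar"
verify_restore "$demo/nightly.tar"
rm -rf "$demo"
```

Run the verify step from a scheduled job against the most recent archive, and treat a non-zero exit as an incident, not a log line. Because the manifest is hashed at backup time, the check also catches an archive that was silently altered or truncated after it was written, which is what a backup-aware ransomware strain does.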

Law Firms (and financial advisors)

The April 2016 Panama Papers leak from the law firm Mossack Fonseca was roughly 1,500 times the size of the WikiLeaks State Department cable leak

And Financial Advisors

Ask your law firms and advisors for a copy of their written cyber security plan

As a law firm or advisor have a written plan

Same goes for family offices – have a plan, ask for a plan

NASDAQ Study

1500+ CxOs and Directors

90% of respondents have a medium to high cybersecurity vulnerability

91% of NEDs (non-executive directors) cannot read a cybersecurity report, which prevents them from asking intelligent questions (executive coaching)

40% don’t feel responsible for the repercussions of a cyber attack.

Spear Phishing

Targeted emails, often to executives and finance staff

Drop malware

Ask employees to wire money (business email compromise)

Conduct phishing tests

• At one client, a phishing test sent 350 emails

139 (about 40%) were opened and 35 (10%) clicked the malware link

Including one C-suite member

What Does The FBI Think?

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

- Robert S. Mueller III, Director, Federal Bureau of Investigation

RSA Cyber Security Conference, San Francisco, CA, March 1, 2012

New York DFS Proposed Regulations

(Post Ben Lawsky, the former DFS superintendent)

DFS shared the proposal with every state, federal and local regulator in the country

1. 12 written cyber security policies and procedures
2. Third party service provider management
3. Multi factor authentication
4. Chief Information Security Officer
5. Application security
6. Cyber security personnel and intelligence
7. Annual cyber security audits
8. Notice of cyber security incidents

http://mtanenbaum.us/ny-regulator-unveils-proposed-new-cyber-security-regulations/ http://www.dfs.ny.gov/about/letters/pr151109_letter_cyber_security.pdf


If you are required to comply, it will require outside expertise


SEC Risk Alert To Investment Advisors

and Broker Dealers

Issued September 2015

1. Governance – manage the cyber risk process
2. Access rights – who can see what
3. Data Loss Prevention – PII in emails
4. Vendor Management – who do you share data with?
5. Training
6. Incident response plan

Cyber security exam initiative to improve compliance

http://mtanenbaum.us/sec-issues-risk-alert-to-advisors-and-brokers/

What To Do

California – bellwether for the rest of the country

CA AG Kamala Harris released a data breach report in February 2016

As part of that report, she defined the REASONABLE SECURITY PROCEDURES referred to in CA AB 1950 as:

Implement all CIS 20 controls which are appropriate

Implement multi factor authentication for consumer facing web sites containing sensitive personal information

Consistently use strong encryption on portable devices and maybe desktops

AG Harris Says:

The failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.

What Is The CIS 20

Center for Internet Security Critical Security Controls (version 6 at the time of this talk):

1. Inventory devices
2. Inventory software
3. Secure configurations for user devices
4. Continuous vulnerability assessment
5. Control admin privileges
6. Manage audit logs


7. Email and web protection

8. Malware defenses

9. Control of ports, protocols and services

10. Data recovery capability

11. Secure configuration For network devices

12. Boundary defense

13. Data protection


14. Control access based on need to know

15. Wireless control

16. Account monitoring

17. Security skills assessment and training

18. Application software security

19. Incident response and management

20. Penetration testing and red team exercises

What Does The CFPB Say?

CFPB entered into a consent order with fintech firm Dwolla in March 2016

Specifies what CFPB expects Dwolla to do

$100,000 civil penalty, and the order runs for 5 years

NO BREACH INVOLVED!

1. Establish, implement and maintain a comprehensive data security plan
2. Adopt and implement reasonable and appropriate data security policies and procedures
3. Designate a qualified person to be accountable for the data security program
4. Conduct data security risk assessments twice a year
5. Evaluate and adjust the data security program in light of the results

6. Conduct regular, mandatory employee security training
7. Develop, update and implement security patches
8. Develop, implement and maintain an appropriate method of customer identity authentication at registration time
9. Develop, implement and maintain reasonable procedures for third party risk (service providers)
10. Obtain an annual data security audit from an independent, qualified third party, using generally accepted professional procedures and standards

The Board must review all submissions

The Board is ultimately responsible for ensuring compliance with the consent order

Mobile

More and more sensitive data lives on mobile devices

Encrypt devices

Restrict what applications are installed

Use encrypted messaging (WhatsApp, Signal)

Use encrypted email (Absio)

• Both directions

• With clients and internally

Mobile Device Management (MDM) software

Use current OS version

• Android Ver 6 – Marshmallow

• iPhone iOS 9

PATCH

Cyber Insurance

It is not a silver bullet

We are seeing insurance carriers claiming the insured “failed to follow minimum required practices”

You need to verify that coverages and practices are aligned

Education

To get our free weekly cyber security email newsletter, please send an email to Mitch@CyberCecurity.com and we will add you to the list.
