© 2018 RSM US LLP. All Rights Reserved.


SO YOU DON’T THINK YOU HAVE BEEN HACKED?

Shedding light on breaches

June 25, 2018


Who are we?

Loras Even, Principal, Security and Privacy Risk Consulting Services

• Western regional leader for security and privacy risk consulting

• Located in Las Vegas, Nevada

• Created the attack and penetration testing practice in RSM in the late 90s, plus about six other practices

• Helps clients build or enhance cybersecurity programs domestically and globally

• More years of experience than I openly admit to

• Other interests are reprogramming vehicles, disabling OnStar


Who are we?

Wanda Archy, Sr. Associate, Security, Privacy, and Risk Services

• Currently practices Cyber Threat Intelligence at RSM

• Located in Washington, DC

• Has a background in dark web investigations

• Obtained her degree at Georgetown University; M.A., Intelligence, B.S., Sci/Tech/Intl Affairs

• Previously a threat intelligence consultant, financial institution security analyst

• Has certifications as CISSP, CEH, Security+

• Other skills are native Russian speaker, yoga enthusiast


Agenda

Topic | Minutes
Cyber Incident—Current Trends | 15
Risk Mitigation | 15
Shedding Light on the Dark Web | 15
Questions | 5


CYBER INCIDENTS—CURRENT TRENDS


Cyber incident—Current trends

According to The Economist, what has replaced oil as the most valuable resource on earth?


DATA

Source: The Economist, May 6, 2017


Cyber incident—Current trends (continued)

If data has value, what is the value of intellectual property loss FROM the USA?


Source: The Economist, May 6, 2017

Total theft of U.S. trade secrets accounts for anywhere from $180 billion to $540 billion per year, according to the Commission on the Theft of American Intellectual Property.

http://ipcommission.org/report/IP_Commission_Report_Update_2017.pdf


Cyber incident—Current trends (continued)

[Infographic: dollar values for types of personal data. Categories shown: Social Security Number; Online Payment Services; Driver License; Loyalty Accounts; Diplomas; Passports; Credit or Debit Cards (With CCV #: $5; With Bank Info: $15; Fullz Info: $30); General Non-financial Institution Logins; Subscription Services; Medical Records. Other values shown: $1; $20–$200; $20; $20; $1–$10; $1–$1000; $100–$400; $1000+; $1.]


Cyber incident—Current trends (continued)

• Hacking—Breaking through vulnerability and moving laterally
  - Network penetration
  - Data leakage and theft
  - Social engineering

• APT—“Uninvited Guest”
  - Arrives into your network and stays there under the radar
  - Harvesting information over time
  - Typically not found with anti-virus software
  - Sophisticated

• Malware—Code that is designed to do bad things
  - Execution of malicious code on an infrastructure
  - Escalate unauthorized privileges
  - Shut down your network (DDoS)
  - Encrypt key data (ransomware)


Cyber incident—Current trends (continued)

• Breaches detected in first 24 hours: 1–2%

• Breaches with data loss in first 24 hours: 60–68%

• Breaches detected by an external third party: 71–92%

• Breaches undetected for two years or more: >14%

• Average days to discovery: 87–210


Cyber incident—Current trends (continued)

• Small and midsize organizations ($2B and under in revenue) account for 88% of claims.

• Payment card industry (PCI) data was the most frequently exposed, followed by PHI and PII.

• Lost/stolen devices and internal threats are the second highest threat behind external hackers.

• Health care, professional and financial services sectors account for nearly 50 percent of incidents.

• Third parties accounted for 13 percent of the claims submitted.

• Nanorevenue companies (less than $50 million) experienced the majority of records exposed (48 percent).

• Insider involvement occurred in 25 percent of the claims submitted.

• Average cost of claims has stabilized, but legal guidance and forensics account for over half of incident costs.

http://rsmus.com/our-insights/newsletters/financial-reporting-insights/the-real-cost-of-a-data-breach.html


How are you being targeted?

Exploiting the Human
• Phishing
• Social engineering
• Physical security
• Poor security habits

Exploiting the Technology
• Malware/ransomware
• Web-based email account
• Wi-Fi and Bluetooth connections
• Free thumb drives


RISK MITIGATION


What can I do in this dangerous world?

• Take steps to protect your data (encryption/access control), especially your “crown jewels.”

• Install malware detection and intrusion detection systems (IDS).

• Develop comprehensive “security awareness” campaigns.

• Perform a cyber threat intelligence (CTI) assessment.

• Actively monitor logs and IDS to identify potential problems as early as possible.

• Develop, evaluate and test your Incident Response Program.

• When (not if) something bad happens, consult someone who handles incidents regularly.


Prevent

Detect

Correct


What can I do in this dangerous world? (continued)

• Obtain and/or review your cyber insurance coverage.

• Be sure to encrypt your laptops and external storage drives.

• The potential for an insider threat is real, but many times overlooked.

• Implement controls around paper records, including their proper disposal.

• No business sector is immune from a cyber incident, so be prepared.


Some personal security suggestions

Security, Security
• Always ask why someone needs your information.
• Do not use public Wi-Fi.
• People actually “dumpster dive.”

Social Engineering
• “Delivery person,” “corporate IT”
• A LinkedIn “recruiter” or “met you at a conference” request to add you to their network

Too Much Information (TMI)
• Do not use geolocation tagging in photos or social media posts.
• Be careful what you post on social media.


General cybersecurity recommendations

• Always ask why someone needs your information.
  − Do you really want spam email anyways? Why are you wearing a nametag?

• Don’t get lazy! Avoid clicking links within unsolicited emails or text messages; go to the legitimate site by typing in the URL yourself.
  − https://www.bankofamerica.com—Correct
  − http://www.bankofmerica.com—Incorrect

• Use strong passwords and change them often.
  − We advocate for passphrases.

• Do not use public Wi-Fi (note Pineapple!!).

• Start with physical security.
  − We do actually “dumpster dive.”

• Avoid geolocation tagging in photos or tweets.
  − How many pictures of your cat do I need?

• Make your social media as private as possible.

• Don’t talk publicly about your company.
  − Happy hours are perfect targets!!
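The correct/incorrect URL pair in the list above, turned into a check (an added example, not part of the original slides): the function compares a link's host against a list of sites you actually use and flags near-miss spellings and non-HTTPS schemes. The trusted-host list, the function names and the distance threshold of 2 are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites the user really does business with.
TRUSTED_HOSTS = {"www.bankofamerica.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # drop a character of a
                           cur[j - 1] + 1,             # add a character of b
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def check_link(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'insecure', 'lookalike' or 'unknown' for a link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"          # no parsable host (e.g. missing scheme)
    if host in TRUSTED_HOSTS:
        # Right site, but only HTTPS protects the session in transit.
        return "trusted" if parts.scheme == "https" else "insecure"
    for good in TRUSTED_HOSTS:
        # A host within a couple of edits of a trusted one is a likely typo
        # or an imitation of it.
        if edit_distance(host, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.bankofamerica.com",
                 "http://www.bankofmerica.com"):
        print(link, "->", check_link(link))
```
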


SHEDDING LIGHT ON THE DARK WEB


Shedding light on the dark web


Shedding light on the dark web (continued)

• The dark web is the part of the web that requires anonymizing software to access.

• The dark web is a subset of the deep web, which is unindexed by conventional search engines.

• Where criminals live!


Five steps for effective cyber threat intelligence

1. Create threat actor profiles to monitor malicious actors.

2. Perform due diligence sweeps across open and closed sources for your data.

3. Perform dark web investigations on an ad hoc basis depending on your sector and industry.

4. Conduct intelligence briefings and C-suite level reporting to keep executives informed.

5. Build out internal threat intelligence capabilities to improve overall cybersecurity strategy and determine exposure risks (see next slide).


Determining intelligence criticality

Risk | Examples

Critical
• Client administrative-level credentials
• Sensitive data breach dumps, including full PII, PHI, emails or company blueprints
• Zero-day exploits discovered that are not known by the client
• Malicious indicators (IP addresses, botnets, malware) directly linked to the organization that imply compromise
• Imminent attacks planned by actors
• Active company credit cards (corporate and customer) sold on closed sources

High
• Other leaked credentials, such as employee or customer passwords
• Company goods (excluding credit cards) sold on closed sources
• “Doxed” information on high-level executives
• Potential for company to be linked to a malicious technical indicator that requires further investigation
• Company ID badges (to be used for impersonation)

Medium
• Known exploits or vulnerabilities being used by threat actors to target the organization
• Leaked credentials that are not in cleartext or able to be decrypted by the RSM team
• Seemingly credible threats against the organization
• Technical data dumped to paste sites that requires further analysis
• Inactive company credit cards sold on closed sources

Low
• Chatter on closed sources, such as the dark web and IRC networks
• Dumps containing only usernames
• Company signatures (to be used for social engineering campaigns)

Non-Issue/Observation
• Chatter on open sources, such as social media
• False positives associated with the company
• Company events (to be used for social engineering campaigns)


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.


RSM US LLP

18401 Von Karman Ave., Fifth Floor
Irvine, CA 92612

+1 800 274 3978
www.rsmus.com