© 2018 RSM US LLP. All Rights Reserved.
SO YOU DON’T THINK YOU HAVE BEEN HACKED?
Shedding light on breaches
June 25, 2018
Who are we?
Loras Even, Principal, Security and Privacy Risk Consulting Services
• Western regional leader for security and privacy risk consulting
• Located in Las Vegas, Nevada
• Created the attack and penetration testing practice in RSM in the late 90s, plus about six other practices
• Helps clients build or enhance cybersecurity programs domestically and globally
• More years of experience than I openly admit to
• Other interests are reprogramming vehicles, disabling OnStar
Who are we?
Wanda Archy, Sr. Associate, Security, Privacy, and Risk Services
• Currently practices Cyber Threat Intelligence at RSM
• Located in Washington, DC
• Has a background in dark web investigations
• Obtained her degree at Georgetown University; M.A., Intelligence, B.S., Sci/Tech/Intl Affairs
• Previously a threat intelligence consultant, financial institution security analyst
• Has certifications as CISSP, CEH, Security+
• Other skills: native Russian speaker, yoga enthusiast
Agenda
Topic (minutes)
Cyber Incident—Current Trends: 15
Risk Mitigation: 15
Shedding Light on the Dark Web: 15
Questions: 5
CYBER INCIDENTS—CURRENT TRENDS
Cyber incident—Current trends
According to The Economist, what has replaced oil as the most valuable resource on earth?
DATA
Source: The Economist, May 6, 2017
Cyber incident—Current trends (continued)
If data has value, what is the value of intellectual property loss FROM the USA?
Source: The Economist, May 6, 2017
Total theft of U.S. trade secrets accounts for anywhere from $180 billion to $540 billion per year, according to the Commission on the Theft of American Intellectual Property.
http://ipcommission.org/report/IP_Commission_Report_Update_2017.pdf
Cyber incident—Current trends (continued)
[Figure: estimated dark web prices for stolen data, by category. Categories shown: Social Security numbers, online payment services, driver licenses, loyalty accounts, diplomas, passports, credit or debit cards (with CVV number, with bank info, “fullz” info), general non-financial institution logins, subscription services, medical records. Price points shown range from $1 to $1,000+.]
Cyber incident—Current trends (continued)
• Hacking—Breaking through a vulnerability and moving laterally
- Network penetration
- Data leakage and theft
- Social engineering
• APT—“Uninvited Guest”
- Arrives in your network and stays there under the radar
- Harvesting information over time
- Typically not found with anti-virus software
- Sophisticated
• Malware—Code that is designed to do bad things
- Execution of malicious code on an infrastructure
- Escalate unauthorized privileges
- Shut down your network (DDoS)
- Encrypt key data (ransomware)
Cyber incident—Current trends (continued)
• Breaches detected in first 24 hours: 1–2%
• Breaches with data loss in first 24 hours: 60–68%
• Breaches detected by an external third party: 71–92%
• Breaches undetected for two years or more: >14%
• Average days to discovery: 87–210
Cyber incident—Current trends (continued)
• Small and midsize organizations ($2B and under in revenue) account for 88% of claims.
• Payment card industry (PCI) data was the most frequently exposed data, followed by PHI and PII.
• Lost/stolen devices and internal threats are the second highest threat behind external hackers.
• Health care, professional and financial services sectors account for nearly 50 percent of incidents.
• Third parties accounted for 13 percent of the claims submitted.
• Nano-revenue companies (less than $50 million) experienced the majority of records exposed (48 percent).
• Insider involvement occurred in 25 percent of the claims submitted.
• Average cost of claims has stabilized, but legal guidance and forensics account for over half of incident costs.
Source: http://rsmus.com/our-insights/newsletters/financial-reporting-insights/the-real-cost-of-a-data-breach.html
How are you being targeted?
Exploiting the Human
• Phishing
• Social engineering
• Physical security
• Poor security habits
Exploiting the Technology
• Malware/ransomware
• Web-based email account
• Wi-Fi and Bluetooth connections
• Free thumb drives
RISK MITIGATION
What can I do in this dangerous world?
• Take steps to protect your data (encryption/access control), especially your “crown jewels.”
• Install malware detection and intrusion detection systems (IDS).
• Develop comprehensive “security awareness” campaigns.
• Perform a cyber threat intelligence (CTI) assessment.
• Actively monitor logs and IDS to identify potential problems as early as possible.
• Develop, evaluate and test your Incident Response Program.
• When (not if) something bad happens, consult someone who handles incidents regularly.
[Figure: the Prevent, Detect, Correct cycle.]
What can I do in this dangerous world? (continued)
• Obtain and/or review your cyber insurance coverage.
• Be sure to encrypt your laptops and external storage drives.
• The potential for an insider threat is real, but many times overlooked.
• Implement controls around the handling and proper disposal of paper records.
• No business sector is immune from a cyber incident, so be prepared.
Some personal security suggestions
Security, Security
• Always ask why someone needs your information.
• Do not use public Wi-Fi.
• People actually “dumpster dive.”
Social Engineering
• “Delivery person,” “corporate IT”
• A LinkedIn “recruiter” or “met you at a conference” request to add you to their network
Too Much Information (TMI)
• Do not use geolocation tagging in photos or social media posts.
• Be careful what you post on social media.
General cybersecurity recommendations
• Always ask why someone needs your information.
− Do you really want spam email anyway? Why are you wearing a nametag?
• Don’t get lazy! Avoid clicking links within unsolicited emails or text messages; go to the legitimate site and type in the URL yourself.
− https://www.bankofamerica.com—Correct
− http://www.bankofmerica.com—Incorrect
• Use strong passwords and change them often.
− We advocate for passphrases.
• Do not use public Wi-Fi (note the Wi-Fi Pineapple!!).
• Start with physical security.
− We do actually “dumpster dive.”
• Avoid geolocation tagging in photos or tweets.
− How many pictures of your cat do I need?
• Make your social media as private as possible.
• Don’t talk publicly about your company.
− Happy hours are perfect targets!!
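The slide above shows why the lookalike domain in an unsolicited email is dangerous: it differs from the real one by a single missing letter. The following Python script is an added illustration written for this page, not code from the presentation or from RSM; it shows how a mail gateway or awareness tool could flag such links before anyone clicks. The allowlist of trusted domains, the sample email text and the edit-distance threshold are all constructed assumptions, and the registrable-domain helper is deliberately simplified (production code would consult the Public Suffix List).

```python
"""Flag lookalike (typosquat) domains in URLs found in an email body.

Added example for this page; the trusted-domain list, sample email and
threshold below are constructed assumptions, not data from the deck.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the organization expects email links to point to.
TRUSTED_DOMAINS = {"bankofamerica.com", "rsmus.com"}

# Any host within this edit distance of a trusted domain is treated as a lookalike.
LOOKALIKE_THRESHOLD = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (simplified; ignores multi-part
    suffixes such as co.uk, which real code resolves via the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str, str]:
    """Return (verdict, observed_domain, closest_trusted_domain).

    verdict is one of: trusted, trusted-http (right domain, no TLS),
    lookalike (within LOOKALIKE_THRESHOLD of a trusted domain), unknown.
    """
    parsed = urlparse(url.rstrip(".,;:)"))
    domain = registrable_domain(parsed.hostname or "")
    if domain in trusted:
        return ("trusted" if parsed.scheme == "https" else "trusted-http"), domain, domain
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, closest) <= LOOKALIKE_THRESHOLD:
        return "lookalike", domain, closest
    return "unknown", domain, closest


def scan_email(body: str) -> list[tuple[str, str, str, str]]:
    """Extract every URL in an email body and classify it."""
    return [(url,) + classify_url(url) for url in URL_RE.findall(body)]


# Constructed sample message reusing the two URLs from the slide plus an unrelated link.
SAMPLE_EMAIL = """Dear customer, please review your statement at https://www.bankofamerica.com/login.
Or use our fast link: http://www.bankofmerica.com/login
Newsletter archive: https://news.example.org/archive"""


if __name__ == "__main__":
    for url, verdict, domain, closest in scan_email(SAMPLE_EMAIL):
        note = f" (looks like {closest})" if verdict == "lookalike" else ""
        print(f"{verdict:12} {domain:22} {url}{note}")
```

The lookalike verdict is what an awareness tool would surface to the user: the observed host is shown next to the trusted domain it imitates, so the one-letter difference becomes visible instead of being skimmed over.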
SHEDDING LIGHT ON THE DARK WEB
Shedding light on the dark web
Shedding light on the dark web (continued)
• The dark web is the part of the web that requires anonymizing software to access.
• The dark web is a subset of the deep web, which is unindexed by conventional search engines.
• Where criminals live!
Five steps for effective cyber threat intelligence
1. Create threat actor profiles to monitor malicious actors.
2. Perform due diligence sweeps across open and closed sources for your data.
3. Perform dark web investigations on an ad hoc basis depending on your sector and industry.
4. Conduct intelligence briefings and C-suite level reporting to keep executives informed.
5. Build out internal threat intelligence capabilities to improve overall cybersecurity strategy and determine exposure risks (see next slide).
Determining intelligence criticality
Risk level and examples

Critical
• Client administrative-level credentials
• Sensitive data breach dumps, including full PII, PHI, emails or company blueprints
• Zero-day exploits discovered that are not known by the client
• Malicious indicators (IP addresses, botnets, malware) directly linked to the organization that imply compromise
• Imminent attacks planned by actors
• Active company credit cards (corporate and customer) sold on closed sources

High
• Other leaked credentials, such as employee or customer passwords
• Company goods (excluding credit cards) sold on closed sources
• “Doxed” information on high-level executives
• Potential for company to be linked to a malicious technical indicator that requires further investigation
• Company ID badges (to be used for impersonation)

Medium
• Known exploits or vulnerabilities being used by threat actors to target the organization
• Leaked credentials that are not in cleartext or able to be decrypted by the RSM team
• Seemingly credible threats against the organization
• Technical data dumped to paste sites that requires further analysis
• Inactive company credit cards sold on closed sources

Low
• Chatter on closed sources, such as the dark web and IRC networks
• Dumps containing only usernames
• Company signatures (to be used for social engineering campaigns)

Non-Issue/Observation
• Chatter on open sources, such as social media
• False positives associated with the company
• Company events (to be used for social engineering campaigns)
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed.
RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.
RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.
RSM US LLP
18401 Von Karman Ave., Fifth Floor, Irvine, CA 92612
+1 800 274 3978
www.rsmus.com