Cyber Security Statistical Consulting...Patch and Update All Software and Systems - Min 30 days - With cyber-criminals constantly inventing new techniques and looking for new vulnerabilities,

© Copyright 2018 SCORE Statistical Consulting Inc.™ All Rights Reserved www.scorestat.com

Kristofer Laxdal , Director Info and Cyber Security – Prophix Software Inc

November 13th, 2018

Cyber Security

| 2© Copyright 2018 SCORE Statistical Consulting Inc.™ All Rights Reserved www.scorestat.com

Overview

▪ Introduction

▪ Everything “Old Is New Again”

▪ Myth Busting

▪ What is Cyber Security

▪ Containment Strategies

▪ Top Five Predictions for 2017 -2018 How did I do ?


Introduction

| 4

Introduction – About Me


▪ Kristofer Laxdal , Director

Information and Cyber Security

Prophix Software Inc.

▪ Prophix is a leading FP&A SaaS

provider - as well as on prem-

http://www.prophix.com/

▪ Previously held Executive Cyber

Security roles within CanDeal, IBM

Hewlett Packard, Hbc and many

more .

http://www.prophix.com/

| 5

‘Everything Old is New Again’


In 2017, the world saw more data breaches

than any year prior.

On December 20th, the Identity Theft Resource Center

(ITRC) reported that there were 1,293 total data

breaches, compromising more than 174 million records

• Yet before the web, before the computer, before

the phone, even before Morse code, there

was… “le systeme Chappe”

• Comprised 534 stations covering more than

5,000km (3,106 miles) !

• The record was 60 minutes for a message

travelling from Paris to Strasbourg.

| 6

‘Everything Old is New Again ’


What the heck does this have to do with

Cyber Security ?

• The network was reserved for government use

but in 1834 two bankers, François and Joseph

Blanc, devised a way to subvert it to their own

ends.

• The Blanc brothers traded government bonds at

the exchange in the city of Bordeaux and

information about market movements took

several days to arrive from Paris

Just like today.

Data + Speed = Money $$$

| 7



The brothers bribed a telegraph operator

in the city of Tours to introduce deliberate

errors into routine coded messages being

sent over the network

• The system included a “backspace” symbol

that instructed the transcriber to ignore the

previous character.

• Added a character indicating the direction of

the previous day’s market movement, followed

by a backspace,

• Message being sent was unaffected when it

was written out for delivery at the end of the

line.

| 8



Extra character could be seen by

another accomplice:

A former telegraph operator who

observed the telegraph tower outside

Bordeaux with a telescope, and then

passed on the news to the Blancs.

Caught and arrested in 1836

The Blanc brothers were put on trial, though they

could not be convicted because there was no

law against misuse of data networks

Hacking of the data network arguably qualifies

as the world’s first cyber-attack.

| 9

Everything Old is New Again


1. Network intrusions - can and do -

go unnoticed

2. Cyber Security is like a chain - we

are always the weakest link.

3. Network attacks do not just pre-date

modern electronic networks – they

are as old as networks themselves

4. Most attacks aren’t sophisticated !

“Sooner or later, everything old is new again.”

― Stephen King, The Colorado Kid

https://www.goodreads.com/work/quotes/856005

https://www.goodreads.com/author/show/3389.Stephen_King

| 10© Copyright 2018 SCORE Statistical Consulting Inc.™ All Rights Reserved

www.scorestat.com

Myth Busting

Myth #1: All Cyber Attacks are Sophisticated and Complex.

The next time you hear about a complex cyber-attack on a business, there is a better chance that it the attack succeeded not because it was conducted by a nation-state or clever attacker, simply individuals taking advantage of bad cybersecurity hygiene


www.scorestat.com

Myth Busting

Myth #2: Throw Money At The Problem

JPMorgan was on the receiving end of a successful cyber-attack despite having spent close to U.S. $250 million on cybersecurity in 2014.


www.scorestat.com

Myth Busting

Myth #3: The Threats are on the Outside

Regardless of the origin of the attacker, internal or external, most regular and complex attacks need the privileges or the access rights of an insider to succeed. ( Think Phishing )


www.scorestat.com

Myth Busting

Myth #4:Nothing Could Prevent the Attack

Most companies do not have the proper cybersecurity controls in place such as logging, layering of security controls, alerts established to detect an intruder, not filtering malicious traffic, lack of security awareness training


These Breach Announcements Are Getting Old

| 15

No Mysterious ‘Sophistication’


Saks, Lord & Taylor ( Hbc )

Date disclosed: April 3, 2018 - 5 million records breached

• JokerStash hacking syndicate offering five million stolen credit and debit cards up for sale.

Breach period occurred from March 2017 to March 2018

• Class Action alleges “failed to comply with security standards and allowed its customers’

financial information and other private information to be compromised by cutting corners on

security measures that could have prevented or mitigated the security breach

• 2nd time on my hit list in less than a year !

Ticketfly

Date disclosed: June 7, 2018 - 27 million records breached

• The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and

demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly

website, replaced its homepage, and made off with a large directory of customer and

employee data, including names addresses, email addresses, and phone numbers

| 16



Panera

Date disclosed: April 2, 2018 - 37 million records breached

• Company initially downplaying the severity of the breach and indicating fewer than 10,000

customers had been affected, the true number is believed to be as high as 37 million.

• Had been advised by a Security Researcher – company ignored the warning

Exactis

Date disclosed: June 26, 2018 - 340 million records breached

• Exacts, a marketing and data aggregation firm based in Florida, had left a database exposed

on a publicly accessible server.

• The database contained two terabytes of information that included the personal details of

hundreds of millions of Americans and businesses.

| 17



Sears

Date Disclosed April 4th, 2018 – 100,000

• A "security incident" with an online support partner [24]7.ai that resulted in up to 100,000

people having their credit-card information stolen.


What Is Cyber Security ?

| 19

What is Cyber Security ?

▪ Cyber security is the body of

technologies, processes and

practices designed to protect

networks, computers,

programs and data from

attack.

▪ This includes damage or

unauthorized access - as

well as - disruption or

misdirection of the services

they provide

▪ Wow ! That covers a lot of

ground .


| 20

Cyber Security Domains



2018 Breach Profile

| 22

The Cyber Breach Profile


Statistics from the Verizon Data Breach Investigation Report 2018

This year we have over 53,000 incidents and 2,216 data breaches.

| 23

The Cyber Breach Profile


Statistics from the Verizon Data Breach Investigation Report 2018


Cyber Strategies

| 25

Cyber Strategies

Implementing a formal information

security governance approach

Establish and maintain a framework

that provides assurance information

security strategies are aligned with

and support the business - a great

starting point –

When selecting one of these

methods, ensure your program

provides the ability to employ a risk-

based approach and enables your

teams to detect incidents


| 26

Cyber Strategies

Stop Data Loss

Most enterprises rely on employee

trust, but that won’t stop data from

leaving the company.

Now, more than ever, it is

extremely important to control

access, monitor vendors and

contractors as well as employees,

and know what your users are

doing with company data.


| 27

Cyber Strategies

Detect Those Insider Threats

Your biggest asset is also your

biggest risk.

While well trained users can be

your security front line, you still

need technology as your last

line of defense.

UEBA allows you to detect

unauthorized behavior and

verify user actions are not

violating security policy.


| 28

Containment Strategies

Back Up Data, Rinse ,

Repeat

It is crucial for organization

to have a full ,tested and

working back up of all of

data - not only from a basic

security hygiene

prospective, but also to

combat emerging attacks

( Ransomware )


| 29


Beware of Social Engineering

The technology and IT security

policies you implement doesn’t

replace the need for common

sense or eliminate human error.

Remember most hacks are

‘credentialed hacks’

Attempts may come from

phone, email (phishing) or

other communications with your

users.

The best defense is to…


| 30


Educate and Train Your Users

Users will always be the weakest

link when it comes to information

security.

Training should include how to:

recognize a phishing email, create

and maintain strong passwords,

avoid dangerous applications,

ensure valuable information is not

taken out of the company in

addition to other relevant user

security risks is critical


| 31


Patch and Update All Software and

Systems - Min 30 days -

With cyber-criminals constantly

inventing new techniques and looking

for new vulnerabilities, an optimized

cyber security is only optimized for so

long.

Make sure your software and

hardware is up to date with the latest

and greatest within a minimum of 30

days of a patch release - immediately

if critical / zero day


| 32


Create an Incident Response Plan

No matter how well you follow these

best practices, you will still get

breached – it’s not an if – it is a

when

Having a tested response plan laid

out ahead of time will allow you to

close any vulnerabilities, limit the

damage of a breach, and allow you

to remediate nimbly and effectively


| 33


Maintain Your Compliance

Regulations like HIPAA, PCI

DSS and ISO offer standards

for how your business should

conduct and measure its

security posture .

More than a hassle which

you need to prepare audit

logs for, compliance can help

guide your business.



Top Five 2017 -2018 Cyber

Security Predictions

| 35

2017-2018 Cyber Security Predictions

Increase in Supply Chain

Attacks Though 2018

In a nutshell, a “supply chain

attack” refers to the

compromise of a particular

asset, e.g. a software

provider’s infrastructure and

commercial software, with the

aim to indirectly damage a

certain target or targets, e.g.

the software provider’s clients.

.


Used as a stepping stone for

further exploitation, once

foothold is gained to the target

system or systems

| 36


Increase in Supply Chain

Attacks Though 2018

In a nutshell, a “supply chain

attack” refers to the

compromise of a particular

asset, e.g. a software

provider’s infrastructure and

commercial software, with the

aim to indirectly damage a

certain target or targets, e.g.

the software provider’s clients.

.


Used as a stepping stone for

further exploitation, once

foothold is gained to the target

system or systems

| 37


IoT – Continued serious

attacks

DDoS / Credential Stealing

Gartner estimates that there

are 6.4 billion connected things

worldwide in use this year, a

number expected to reach 20.8

billion by 2020.

That’s a lot of targets. ( most

aren’t or cannot be patched

easily )


| 38


IoT – Continued serious

attacks

DDoS / Credential Stealing

Gartner estimates that there

are 6.4 billion connected things

worldwide in use this year, a

number expected to reach 20.8

billion by 2020.

That’s a lot of targets. ( most

aren’t or cannot be patched

easily )


| 39


Ransomware

▪ If you thought 2016

was bad for

ransomware then

2017 – 2018 will be

worse.

▪ Expect to see a higher

attack volume, using

more sophisticated

technologies and

continue an upward

trajectory in 2017 and

2018


What you need to consider:▪ When was the last time you tested and

verified the backup?

▪ Have you applied basic file blocking to

prevent threats from entering your

organization?

▪ Certain file types can be a risk to your

organization. Ask yourself, “Should we

allow all files or should we manage the

risk by not allowing malicious files types

that may cause an issue?”

| 40


Ransomware

▪ If you thought 2016

was bad for

ransomware then

2017 – 2018 will be

worse.

▪ Expect to see a higher

attack volume, using

more sophisticated

technologies and

continue an upward

trajectory in 2017 and

2018


What you need to consider:▪ When was the last time you tested and

verified the backup?

▪ Have you applied basic file blocking to

prevent threats from entering your

organization?

▪ Certain file types can be a risk to your

organization. Ask yourself, “Should we

allow all files or should we manage the

risk by not allowing malicious files types

that may cause an issue?”

| 41


Blockchain Technology

Blockchain technology

vulnerabilities will be

discovered by malicious

actors who will exploit

them in an effort to

compromise the security

and confidentiality of

financial transactions in

2017 -2018.


| 42


Blockchain Technology

Blockchain technology

vulnerabilities will be

discovered by malicious

actors who will exploit

them in an effort to

compromise the security

and confidentiality of

financial transactions in

2017 -2018.


| 43


Exchange: Coincheck

Amount: $534,800,000

Exchange: BitGrail

Amount: $195,000,000

Exchange :CoinSecure

Amount: $3,300,000

Exchange: Coinrail

Amount: $40,000,000


Exchange: Zaif

Amount: $60,000,000

Exchange: MapleChange

Amount: $6,000,000

$839,100,000 Electronic theft

| 44


Rise of artificial intelligence and machine

learning-driven security

These frameworks will be leveraged by

Cyber Security teams for implementing

predictive security analytics across public,

private and SaaS cloud infrastructures by

leveraging externally sourced threat data

and using it for self-configuring / self-healing

based on organization-specific needs


| 45


Rise of artificial intelligence and machine

learning-driven security

These frameworks will be leveraged by

Cyber Security teams for implementing

predictive security analytics across public,

private and SaaS cloud infrastructures by

leveraging externally sourced threat data

and using it for self-configuring / self-healing

based on organization-specific needs



Thank you

Documents

Cyber Security Statistical Consulting...Patch and Update All Software and Systems - Min 30 days - With cyber-criminals constantly inventing new techniques and looking for new vulnerabilities,