Today’s Security Threats: Emerging Issues Keeping CFOs Up at Night
Understanding & Protecting Against Information Security Breaches
Chris Bucolo, PCIP, MBA
Today’s Speaker
Chris Bucolo, Sr. Manager, Sikich Technology
Chris Bucolo, Senior Manager for Sikich, has over 30 years' experience in the financial technology, payments and security/compliance industries. At Sikich, he is a Senior Manager of Client Relations: Compliance and Security Services.
Prior to Sikich, Bucolo was a Senior Manager of Security Consulting for ControlScan, where he was a key part of building the security consulting group, including QSA assessments and security testing services.
Agenda
» About Us
» How Breaches Happen
» Review of Attack Vectors
» Emerging: Ransomware, Skimmers
» Risk Mitigation
» Cyber Security Insurance
» Incident Response Planning
» The CFO’s Role in IT Security
» Six Questions to Ask Your IT Folks
» 2016 Data Security Outlook
» Top Ten Tips List
» Questions
About Sikich Security & Compliance
» Dedicated to information security and compliance
» Compliance audits
» Security assessments and consulting
» Penetration tests
» Vulnerability management
» Forensic investigations
About Sikich Security & Compliance
» Handle anything having to do with security or protecting data, including:
» Credit card data (PCI DSS)
» Patient data (HIPAA/HITECH)
» Bank account numbers (GLBA)
» Service provider reviews (SOC 1/2/3)
» Federal information security standards (NIST/FISMA)
» Intellectual property
The Latest Breach Data
Source: Verizon 2016 Breach Investigations Report
More Breach Data
Source: Verizon 2016 Breach Investigations Report
Many Impacts
» Forensic investigation to determine the cause and extent of the breach
» Remediation activities, including clean-up of old databases and possible migration of IT systems to third parties
» Additional IT audit scrutiny in following years
» Navigating state-by-state notification laws and state AGs
» Insurance carriers
» Credit monitoring for victims
» Brand damage repair
Breaches – Not Just for Merchants
Every morning in Africa…
Frequent Attack Vector: Malware
» Malware includes viruses, Trojans, spyware, rootkits and other malicious software
» Often delivered through phishing, “drive-by” downloads or removable media
Malware in Targeted Attacks
» The attacker has a specific organization in mind
» Spearphishing, social media, removable devices
» May include custom malware with no anti-virus signature
Malware in Opportunistic Attacks
» The attacker is trying to infect as many systems as possible
» Broad phishing attacks
» Internet scanning
» Self-propagating viruses
» Malvertising
Malware Command and Control
» The initial infection is a small “gain a foothold” program
» That program calls back to the attacker to download the malware package
» Keylogging
» Memory scraping
» Network scanning and spreading
» Anti-virus evasion and other tactics to hide its presence
» Once the malware is installed, it initiates a command-and-control channel to the attacker’s systems on the Internet
Frequent Attack Vector: Third-Party Connections
Remote Access Breach Formula
What are the Weaknesses?
» Single-factor authentication
» Weak passwords
» Password re-use
» Malware on home PCs
Frequent Attack Vector: Website Vulnerabilities
Frequent Attack Vector: Social Engineering
Email from the CFO
“Hey I’m travelling, but we need to wire $22,000 to this vendor ASAP or we’re going to lose a discount on the contract.”
» Forged emails are extremely easy to create
» Compromise of the CFO’s work or home PC, allowing access to inbox
» Email system security settings that don’t authenticate a sender
» Use of a similar domain name (for example [email protected])
» Fraudsters monitor and take advantage of out-of-office
» How would your peers or staff respond?
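The header checks a mail gateway or a finance-team mailbox rule would apply to the pretext above, as an added example that is not part of the original deck. The organization domain example.com, the address cfo@example.com and the sample message are constructed assumptions; the checks map to the bullets above (look-alike domain, unauthenticated sender, urgent wire request).

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # hypothetical organization domain (assumption)

# Constructed sample message, modelled on the "wire $22,000" pretext above.
SAMPLE_MESSAGE = """\
From: "CFO" <cfo@examp1e.com>
Reply-To: cfo.travel@freemail.example
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
Subject: Urgent wire

Hey I'm travelling, but we need to wire $22,000 to this vendor ASAP.
"""

def edit_distance(a, b):
    """Levenshtein distance; a small distance from our domain marks a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def bec_warnings(raw_message):
    """Return the red flags found in a message, matching the bullets above."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    # Similar domain name: one or two characters away from ours, but not ours.
    if from_dom != OUR_DOMAIN and 0 < edit_distance(from_dom, OUR_DOMAIN) <= 2:
        flags.append(f"look-alike sender domain: {from_dom}")
    # Replies silently routed to a different mailbox than the apparent sender.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain")
    # Mail system did not authenticate the sender (no DMARC pass recorded).
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        flags.append("sender not authenticated (no dmarc=pass)")
    # Urgent payment pretext in the body.
    body = msg.get_payload().lower()
    if "wire" in body and any(w in body for w in ("asap", "urgent")):
        flags.append("urgent wire-transfer request in body")
    return flags
```

Any one flag is a reason to confirm the request by phone on a known number; the four together are the classic profile of this fraud.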
Step 1: Focus on Doing the Basics Well
» Anti-virus
» Patch management
» User account management
» Rights management
» Firewall/filtering configuration
A.K.A. “Do a good job configuring and managing the stuff you already own.”
Step 2: Don’t be Afraid of Mature Solutions
» Multi-factor authentication for remote access
» Automated patching
» Vulnerability scanning
» Web filtering
» Password complexity
Step 3: Reinforce the Need for Secure Behaviors
» Employee security awareness training
» Password practices
» Information protection
» Social engineering
» Doing their jobs well
Step 4: Evaluate Your Environment
» Risk assessments
» Audits
» Penetration testing
» Internal
» External
» Physical
» Social engineering
What threats are you exposed to?
Risk Assessments
» Risk assessments are used to identify, estimate and prioritize risk to an organization’s operations, assets, and individuals resulting from the operation and use of information systems.
Audits
» An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations, typically against an internal or industry baseline or standard.
Penetration Testing
» Penetration testing is the practice of testing a computer system, network or application to find vulnerabilities that an attacker could exploit.
The CFO’s Role in IT Security
» Request regular reports to monitor key IT security metrics
» Microsoft, Java, and Adobe patch coverage
» Anti-virus coverage
» Virus infections
» External vulnerability scan finding counts
The CFO’s Role in IT Security
» Make certain IT vendor management is sufficient
» Are all vendors tracked?
» Do all have a vendor relationship manager assigned?
» Is someone monitoring the vendor’s financial health?
» Is someone monitoring adherence to service level agreements?
» Is someone reviewing the vendor’s third-party audit and security testing reports?
» Educate your IT staff on how to interpret a SOC report
The CFO’s Role in IT Security
» Make informed decisions on security spending
» Did we seek out this solution based on a risk or gap we identified, or did we realize we had the problem after we saw the solution?
» Don’t be afraid of mature solutions, especially those available from multiple vendors (next-gen firewalls, multi-factor authentication)
» Be a bit skeptical of emerging technologies, especially those only available from one vendor
» Fully understand the initial and ongoing effort required of IT staff to get the full value out of new security solutions
Safe and (financially un)sound
The CFO’s Role in IT Security
» Finance is mature in its application of internal controls to prevent fraud and mistakes
» IT has these same challenges but does not have the same maturity of controls
» Use your experience to teach and promote the adoption of internal controls in IT
» Separation of duties
» Generation of audit trails
» Formal documented approval processes
» Exception reports
» Independent reviews
Getting Started
» You don’t need to be technical to oversee that IT is doing its job well
» The following six questions can help you gauge where your IT shop stands.
Question 1: How many of our computers are not running up-to-date anti-virus?
Organizations should have a centralized automated system to deploy and manage anti-virus. No systems should be exempt. Reliable reports of anti-virus coverage levels should be regularly generated and reviewed.
Question 2: How many of our computers are not up to date on Microsoft security patches?
Organizations should have a centralized automated system to deploy Microsoft patches. Reliable reports of patch coverage levels should be regularly generated and reviewed.
Question 3: How many of our computers are running unpatched versions of Java and Adobe software?
Organizations should have a centralized automated system to deploy and manage security patches for third-party software, with Java and Adobe being the most important.
Question 4: How do we keep employees from using the same password here and on other Internet sites?
Password rotation, password complexity rules and user awareness training all help reduce password re-use.
Question 5: Can people log into our internal computers or network from the Internet with just a user ID and password?
Remote access services such as VPN, remote desktops and Citrix should be protected with multi-factor authentication.
Question 6: If a virus on an internal computer was talking to a hacker’s server on the Internet, how would we know?
Secure organizations rely on web filtering, intrusion detection systems or threat prevention features of a next-generation firewall. Desktop anti-virus should not be the only protection from malware command-and-control channels.
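One concrete way the network-side controls named in the answer to Question 6 can spot the command-and-control channel described under "Malware Command and Control": look for a workstation that contacts the same outside host at near-constant intervals, the "check-in" rhythm of a C2 implant. This is an added example, not material from the deck or a Sikich tool; the four-field log layout (timestamp, source, destination, bytes) and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (timestamp, source, destination, bytes): workstation
# 10.0.0.7 calls 203.0.113.5 every ~5 minutes, 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2016-05-02T09:00:01 10.0.0.7 203.0.113.5 512
2016-05-02T09:00:40 10.0.0.9 198.51.100.20 14000
2016-05-02T09:05:02 10.0.0.7 203.0.113.5 498
2016-05-02T09:07:15 10.0.0.9 198.51.100.21 2200
2016-05-02T09:10:00 10.0.0.7 203.0.113.5 530
2016-05-02T09:12:48 10.0.0.9 198.51.100.20 900
2016-05-02T09:15:01 10.0.0.7 203.0.113.5 501
2016-05-02T09:20:01 10.0.0.7 203.0.113.5 515
2016-05-02T09:31:10 10.0.0.9 198.51.100.22 7600
"""

def parse_log(text):
    """Yield (timestamp, src, dst) from the assumed four-field log format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, _nbytes = line.split()
            yield datetime.fromisoformat(ts), src, dst

def find_beacons(text, min_conns=4, max_jitter=0.10):
    """Return {(src, dst): mean interval in seconds} for host pairs that
    connect at least min_conns times at nearly constant intervals
    (standard deviation of the gaps below max_jitter of the mean).
    Ordinary browsing is bursty and irregular; a C2 check-in is not."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[pair] = int(round(avg))
    return beacons
```

On real proxy or firewall logs, known update and monitoring endpoints also poll on a schedule, so an allowlist of those destinations is needed before the remaining hits are worth an analyst's time.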
2016 Data Security Outlook
Based on our experience and the trends, we anticipate the top data breach issues and trends of 2016 to include the following:
» Focus on healthcare: very valuable data
» Higher education represents a treasure trove of PII
» Increase in IoT attacks: mobile
» Smaller orgs: lowest-hanging fruit
» Social engineering/physical threats
» Chip cards will start the shift to e-commerce fraud, but not quickly
» Ransom attacks: “I have your data”
» Hacktivism: “I do not like your behavior”
» Increased legislative/regulatory focus: state AG offices
Top Ten Tips List
» Start somewhere/build on what you have
» Risk assessment is key for PCI, HIPAA/HITECH, etc.
» Need at least 2 trusted outside advisors (consulting, etc.)
» Employee education/executive education: not once and done; create a security-aware culture
» Develop more technical security knowledge (CISSP, ISA)
» Identify and manage 3rd-party service providers!
» Develop a robust incident response plan, coordinated across departments (cyber security task force)
» Mitigate risks via cyber insurance/breach coverage
» Know the basics on state-by-state breach notification laws and AG involvement
» When in doubt, use PCI DSS as a guide for sensitive data: most prescriptive and most often updated; reflects emerging threats
» Become a student of data security!