Cyber Risk Management Threats, Recent Cases, Real Risks, and a strategy for managing them Presented by: Doug Selix, MBA, CISSP, CISM, PMP IT Security Consultant.

1 Cyber Risk Management
Threats, Recent Cases, Real Risks, and a strategy for managing them
Presented by: Doug Selix, MBA, CISSP, CISM, PMP, IT Security Consultant

2 The Bottom Line
Cyber Risks are Increasing
State and Local Government Organizations are targets and are not well defended
– Traditional defenses are no longer effective
– Probability of successful attack increasing
– IT security is not well managed at the enterprise level
– Workstations are the frontline, they are not well defended
– IT Security mistakes are happening too often
– We have too much old insecure technology in use

3 Why is This Happening?
You have things the bad people want
– Money
– Information that is worth money
– You have things that can be damaged to make a political statement
Because it is easy to attack you
– Too much information in the public
– Your IT environment is not well defended
– Our people are not well trained in this topic
– The Bad Guys are Good
– We do not have an effective defense
– We are not good at detecting and responding to attack
– We have a lot of outdated technology that needs to be replaced

4 The Threat Is Growing
Source: McAfee – State of Malware 2013

5 Recent Cyber Liability Incidents
– City of Burlington WA – 2012 – $400K Stolen from City Bank Account
– Skagit County Transit – 2012 – Failed Attack on Bank Account
– Chelan County Hospital District – $1 Million Stolen from Bank Account
– State of South Carolina – 2012 – 3.6 Million SSN’s and 387,000 Credit Card Numbers Stolen

6 The State Has Had Issues Too
– Department of Revenue – 1/15/2013 – USB Drive with Virus – No Data Breach
– Department of Enterprise Services – 2/12/2013 – User went to infected web site – No Data Breach
– Administrator of the Courts – 5/9/2013 – Web Site Hacked – Data Breach: 1 Million WDL and 160K SSN’s

7 Mistakes Happen Too
Skagit County Data Security Breach
– Cause – Human Error – Medical Records posted to public web site
– Discovered by Citizen, Reported to the Feds
– Result – HIPAA Violation, State Data Breach Notification Event
– Press Release

8 How Attackers are Succeeding
Advanced Persistent Attack (APT) Approach is working because:
– People are taken by Phishing
– Workstations are vulnerable
  Elevated User Permissions
  Poor security maintenance practices for patching and current end-point defensive systems
– Network defense is not well done
Bad guys are good – Malware detects defense and morphs
Complacent Leaders – People don’t believe it “will happen to them”
Government IT is not fully staffed or funded

9 How a “Phishing” Attack Works

10 It is easy to attack you, you are not well defended
– 79% of victims were targets of opportunity
– 96% of attacks were not highly difficult
– 94% of all data was compromised from servers
– 85% of breaches took 2 weeks or more to detect
– 92% were discovered by a third party
– 97% of breaches were avoidable through simple or intermediate controls
– 96% of victims subject to PCI-DSS had not achieved compliance
US Secret Service Banking Data
Source: 2012 Verizon Data Breach Investigation Report; 2013 Verizon Data Breach Investigation Report

11 Cost of a Data Security Breach
Costs associated with Regulatory Compliance
– RCW Personal information — Notice of security breaches. $3/Record Minimum Cost to Notify
– RCW Regulatory Fines – HIPAA, FERPA, Etc.
Harm to persons – Banking Information
Cost of recovery and mitigation if harm occurs
– ~$134 – Estimated Public Sector cost per record in data breach (Ponemon Institute 2011 US Cost of a Data Security Breach Report)
Unplanned Cost Impact to budget planning
– Cost to fix the cause of the problem
Loss of Reputation
– Cost to regain trust

12 So What? Why Do I Care?
You only care if:
– You have large amounts of money in online managed bank accounts
– You have large amounts of protected data in your computing environment
– The availability and integrity of your systems is important to your customers

13 Approach to the Problem
Choices for dealing with Risk
– Eliminate the Risk (Mitigation)
– Plan to do something if the Risk happens (Response)
– Transfer the Risk (Insurance)
– Accept the Risk

14 Risk Manager Action Plan
Partner with IT leadership
– You can’t do this alone and neither can they
– Then:
1. Measure your risk
   Do you know what protected data you have?
   Do you know how well your IT Dept. is doing?
   Has IT performed vulnerability assessments?
   Does IT have an incident detection & response plan?
2. Implement Secure On-Line Banking
3. Adopt a standard for IT Security – Recommend the SANS 20 Critical Controls as a Framework
4. Eliminate Old Risky Technology

15 Action Item No. 1 – Measure Potential Impact
Answer these questions:
1. How many records about people do you have in your computing environment?
2. How many of these include protected data?
   a. State Privacy Laws
   b. Federal Privacy/Security Laws (e.g. HIPAA)
   c. Credit Card information
3. Where are they?

16 Action Item No. 2 – Implement Secure Banking Procedures
Use a dedicated computer (physical or virtual) for on-line banking
Physical dedicated PC is most secure
– Use Secure OS (Nothing Microsoft)
  Lightweight Portable Security OS
– Lockdown the PC to only do one thing
  Run from CD only, disable everything else
  Assign static IP
  Firewall rule to only allow this IP to go to bank portal IP/ports
Use sneaker net to move ACH data to this PC
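An added example, not from the presentation, of the firewall rule this slide calls for: an egress allow-list for the dedicated banking PC, emitted as iptables commands for review, plus a dry-run check of what the policy permits. The banking PC address, bank portal address and port are constructed placeholders from the RFC 5737 documentation ranges, and allowing DNS to one internal resolver is an assumption.

```shell
#!/bin/sh
# Added example (not from the presentation): egress allow-list for a dedicated
# online-banking PC. Constructed placeholder values from the RFC 5737
# documentation ranges; substitute your own static IP and the bank portal's
# IP/ports. Allowing DNS to one internal resolver is an assumption.
BANKING_PC_IP="192.0.2.50"
BANK_PORTAL_IP="203.0.113.10"
BANK_PORTAL_PORTS="443"
DNS_SERVER_IP="192.0.2.1"

# Print the iptables FORWARD rules a perimeter firewall would load for this host.
# Printed rather than applied so the policy can be reviewed before it goes live.
# Anything else the banking PC tries to reach is logged (a strong indicator the
# host is compromised) and then dropped.
banking_fw_rules() {
    for p in $BANK_PORTAL_PORTS; do
        echo "iptables -A FORWARD -s $BANKING_PC_IP -d $BANK_PORTAL_IP -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A FORWARD -s $BANKING_PC_IP -d $DNS_SERVER_IP -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -d $BANKING_PC_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $BANKING_PC_IP -j LOG --log-prefix \"BANKPC-DENY: \""
    echo "iptables -A FORWARD -s $BANKING_PC_IP -j DROP"
}

# Dry-run check: does the policy above let the banking PC open a connection to
# dst_ip:dst_port over proto (tcp by default)? Prints "allow" or "deny".
check_egress() {
    dst_ip="$1"; dst_port="$2"; proto="${3:-tcp}"
    if [ "$proto" = "tcp" ] && [ "$dst_ip" = "$BANK_PORTAL_IP" ]; then
        for p in $BANK_PORTAL_PORTS; do
            if [ "$dst_port" = "$p" ]; then echo allow; return 0; fi
        done
    fi
    if [ "$proto" = "udp" ] && [ "$dst_ip" = "$DNS_SERVER_IP" ] && [ "$dst_port" = "53" ]; then
        echo allow; return 0
    fi
    echo deny
}

banking_fw_rules
check_egress "$BANK_PORTAL_IP" 443   # allow: the bank portal over HTTPS
check_egress 198.51.100.7 443        # deny: any other HTTPS site
```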

17 Action Item No. 3 – Achieve “Minimum” Security Controls
Framework for “MINIMUM” IT Security Controls is the SANS 20 Critical Controls
– Free
– 20 Categories
– 197 Control Recommendations
– 77 “Quick-Wins” – These should already be in place
  If not – Focus for Incremental Improvement

18 Download the Guide

19 Where to Start Implementing SANS 20
1. Boundary Defense
2. Controlled Use of Administrative Privilege
3. Continuous Vulnerability Assessment
4. Data Recovery Capability
5. Malware Defense
6. Audit Logging
7. Account Monitoring and Control
8. Inventory of Software
9. Secure Configurations for hardware and software
10. Inventory of Devices

20 Action Item No. 4 – Eliminate Obsolete Technology
Old Technology Causes Elevated Risk
– Old Versions of Windows Operating Systems
– Old Software that requires Administrator Privilege to run
– Old firewall technology that only does one thing
– Old anti-virus software that is not effective

21 Example – Windows XP
Windows XP should go away
– 34% of Installed Desktops
– No longer supported by Microsoft after April
– times more likely to be successfully attacked than Windows 8
Source: Netmarketshare.com, August 2013

22 How Much Will It Cost?
It will cost more if you have a Fraud or Data Security Breach incident than it will to fix the problems

23 Next Steps to Solve this Business Problem
1. Partner with your IT Manager to quantify your Cyber Risks and fix the problems
2. Assess the quality of your defense
   Use SANS 20 as a risk assessment Baseline – Be Realistic
   Perform Vulnerability Scanning to Measure
   Do you have old technology that should be replaced?
3. Help IT Prioritize what is needed
4. Become the champion to senior leadership
   Help them see the business risk
   Help find loss prevention funding to reduce Cyber Liability Risk
5. Hold IT accountable for a good defense, detection, and response

24 Handouts
I am providing the following tools and reference materials to help you get started:
1. Verizon DBIR Executive Summary Report
2. McAfee State of Malware Report
3. SANS 20 Controls Worksheet
4. WCIA Provided – SANS 20 Controls Prioritized with product recommendations
5. SANS – Write-up on Phishing
Available at Prima Web Site.

25 Reference Material
– NIST SP – Managing Information Technology Security Risk
– 2013 Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2013/)
– 2013 Symantec Internet Security Threat Report (http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_en-us.pdf)
– McAfee Threats Report – Fourth Quarter 2012 (http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q pdf)
– Ponemon Institute 2012 Cost of a Cyber Crime Study (http://www.ponemon.org/library/2012-cost-of-cyber-crime-study)
– Privacy Rights Clearinghouse – Chronology of Data Breaches Present (http://www.privacyrights.org/data-breach)

26 Thank You

27 Instructor Information
Doug Selix, MBA, CISM, CISSP, PMP
– Worked in IT Field from 1971 to Present
– Current Job
  1) IT Security and Disaster Recovery Architect, Washington State Department of Enterprise Services
  2) IT Security Consultant
– Education
  BS – Management, City University, 1993
  MBA – IS Management, City University, 1995
  Project Management Certificate, U of W, 2001
– Consulting Clients – 2012 & 2013
  WSTIP (Transit Risk Pool)
  WCIA (City Risk Pool)
  Enduris (City Risk Pool)
  WCRP (County Risk Pool)
  Clark County
  Skagit County
Contact Information Phone:
