Increasing Information and Data Security in Today’s Cybersecurity World 2017 Conference Review 6/6/2017.

Presentation transcript:

Who is Blue Canopy?
Operating at the intersection of mission and technology, Blue Canopy Group is one of the fastest growing technology solutions and cybersecurity firms in the United States. At Blue Canopy, we are relentless in our pursuit to innovate and to help our clients solve problems by building solutions as a team. We are headquartered in Reston, Virginia and employ over 600 highly skilled professionals.

Who is Blue Canopy?
One of our core competencies is understanding the business and cybersecurity needs of the financial industry and the financial regulatory agencies. Blue Canopy is uniquely positioned to provide guidance to both the private and public sector in tackling large-scale initiatives such as:

Blue Canopy Corporate Awards and Recognition

Cybersecurity & the Student Aid Industry
Jonathan Edwards is a Cybersecurity Senior Director at Blue Canopy and Program Manager for Federal Student Aid's Cybersecurity Support Program.

Cybersecurity Landscape Has Changed
Student aid and student loan organizations are now major targets:
- Social Security Numbers
- Financial records
Techniques:
- Email phishing attacks
- Social engineering
- Exploiting un-patched systems
- Ransomware
- Hackers gaining sensitive information through financial applications

Shift to Cyber Risk Management over Compliance
The federal and commercial sectors are shifting to focus on cyber risks: people, processes, technology.
- Security training and cyber knowledge skills assessments
- Incident and breach response
- Understanding threats (both outside and inside)
- Vulnerability and patch management
- Security operations and continuous monitoring
- Application-level security
- Modernization through the cloud

Cybersecurity Industry Best Practices
Federal agencies will be evaluating contractors/commercial vendors on:
- Incident and breach response
- Understanding and oversight of all IT assets, and of the data stored, transmitted and processed
- Vulnerability and patch management
- Security operations and continuous monitoring
- Application-level security
- Cloud implementation (security framework)
Best-practice requirements: The White House and the Department of Homeland Security have mandated that all federal agencies be compliant with Information Security Continuous Monitoring (ISCM), Continuous Diagnostics and Mitigation (CDM) and FedRAMP cloud standards. ISCM and CDM align with the SANS Institute CIS Critical Security Controls (commercial best practice) as well.

What Do New Federal Mandates Mean to Us?
Requirements driven down to commercial contractors and vendors: federal agencies such as FSA, IRS, FDIC and Treasury will require their support contractors and service providers to meet the ISCM, CDM and SANS CIS Critical Control requirements.
- Incident and breach response: how mature is your cybersecurity program at identifying and detecting breaches, notifying the appropriate personnel, and responding to and mitigating these threats?
- IT asset management and information management: do you know what your IT footprint is and where all your IT assets are? Do you know where all your sensitive data and information are stored, transmitted and processed?
- Vulnerability and patch management: are all your IT assets continuously assessed for new vulnerabilities and patches? Are you mitigating deficiencies in a timely manner?
- Security operations and continuous monitoring: do you have security monitoring support (internal or external) watching and responding to threats?

Rise of Ransomware – WannaCry?
Rise of ransomware in 2017. What is it? An attack based on gaining access to data, systems, or devices and encrypting them "for ransom" so that the victim cannot regain access to them. Easier than data extraction.
- 638 million attacks in 2016 (a 167% rise from 2015)
- An estimated $1.2 billion was paid out by victims of attacks

Rise of Ransomware – WannaCry?
How it works:
- Exploits a Microsoft vulnerability very commonly found on Windows servers and machines.
- Attackers exploited a top-3 cyber issue facing businesses: lack of enterprise vulnerability and patch management. The security patch had been available since March 2017.
- 230,000 computers in 150 countries were affected.
How can we defend against WannaCry?
- Perform authenticated vulnerability scans on all devices.
- Patch monthly, or as soon as critical weaknesses are found.
- If you become a victim of ransomware, do not pay out: 50% or more do not receive their data back.

How Can We Prepare for the Future?
Commission an independent risk assessment (#1: independence is key). Evaluate the organization's cybersecurity risk posture for:
- Security training and skills
- Incident and breach response program
- Vulnerability and patch management processes
- Asset and information management
- Security operations and continuous monitoring
- Security policies, procedures and guidance
- Use of independent security assessments
- Compliance with best practices like SANS, NIST, ISCM and CDM

How Can We Prepare for the Future?
Cybersecurity knowledge, skills and needs assessment:
- Stronger security training programs at all levels of the organization. New rule: if you use IT systems or interact with personnel who do, you must be trained.
- Recommend hiring training experts.
- 50+% of hacks are due to employees clicking on malicious emails and links. Test through simulations at all levels.

How Can We Prepare for the Future?
Incident and breach response capabilities:
- Ensure security administrators receive the latest commercial threat intelligence to understand what is out there in your sector.
- Test your organization against current and emerging threats through simulated security incidents (recommend quarterly).
- Lessons learned: take back the results and improve your people, processes and technologies against incidents.
- If financially feasible, outsource technical services (CSIRC and SOC).

How Can We Prepare for the Future?
Vulnerability and patch management:
- Invest in the latest scanning capabilities (not all vendors are equal).
- Fully credentialed and authenticated scanning.
- Prioritize vulnerabilities from Critical to Low.
- Implement dedicated patch cycles based on vendor releases and updates.
- Perform periodic security testing of applications (business and technical).
- When critical vulnerabilities are found, respond and remediate (WannaCry).
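The critical-to-low prioritization and patch-cycle points above, as an added worked example that is not part of the presentation: a small Python triage over a constructed scan export that orders findings by severity, measures each one against a per-severity remediation window counted from the vendor's patch release, and lists hosts never covered by a credentialed scan. The SLA days, hostnames, finding titles and the exact 14 March / 12 May 2017 dates are assumptions; the slides only state that the WannaCry patch was available from March 2017.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation window per severity, in days from the vendor's patch release.
# Constructed policy for this example; the slides only say "patch monthly".
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 60, "Low": 90}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
TODAY = date(2017, 5, 12)  # assumed day of the triage run


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str
    patch_released: date   # date the vendor fix became available
    credentialed: bool     # True if found by an authenticated scan


def days_overdue(finding: Finding, today: date) -> int:
    """Days past the severity SLA; zero or negative means still within the window."""
    deadline = finding.patch_released + timedelta(days=SLA_DAYS[finding.severity])
    return (today - deadline).days


def prioritize(findings: list, today: date) -> list:
    """Order findings Critical to Low, and within a severity most overdue first."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_RANK[f.severity], -days_overdue(f, today)))


def overdue(findings: list, today: date) -> list:
    """Subset of findings whose remediation window has already closed."""
    return [f for f in prioritize(findings, today) if days_overdue(f, today) > 0]


def unauthenticated_hosts(findings: list) -> set:
    """Hosts whose findings all came from unauthenticated scans (a coverage gap)."""
    return {f.host for f in findings} - {f.host for f in findings if f.credentialed}


# Constructed sample scan export: hostnames, titles and exact dates are assumptions.
SAMPLE = [
    Finding("fs01", "Microsoft vulnerability used by WannaCry (fix March 2017)",
            "Critical", date(2017, 3, 14), True),
    Finding("web02", "Web server information disclosure", "Low", date(2017, 4, 1), False),
    Finding("db03", "Database privilege escalation", "High", date(2017, 4, 20), True),
]

if __name__ == "__main__":
    for f in overdue(SAMPLE, TODAY):
        print(f"{f.severity:8} {f.host:6} {days_overdue(f, TODAY):3d} days overdue: {f.title}")
    print("never scanned with credentials:", sorted(unauthenticated_hosts(SAMPLE)))
```

With these assumed dates the March fix is 44 days past its 15-day window on 12 May, which is the gap a monthly patch cycle would have closed before the outbreak.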

How Can We Prepare for the Future?
Security operations and continuous monitoring: people, processes and technology are all required.
- Who is monitoring your network? Do I have 24x7 coverage against attacks?
- When threats, vulnerabilities and weaknesses are identified, do we have a continuous process in place to respond?
- If the answer is "No", look to outsource support to specialized companies who can provide these services.
- Develop processes to identify, notify, prioritize and respond to risks within your organization (continuous monitoring program).

How Can We Prepare for the Future?
Benefits of leveraging the cloud:
- Drive down IT infrastructure and specialized service costs dramatically.
- Cloud service providers (CSPs) build in cyber best practices.
- Lower server, network and infrastructure costs.
- The cloud provider can perform systems and security administrator functions as a service.
- Patch and vulnerability management can be "built in".
- Security-as-a-Service can be implemented within cloud hosting.
- Many CSPs can meet federal standards, such as FedRAMP and ISCM, without large increases in cost to you.
- Use Third-Party Assessment Organizations (3PAOs) to help you become compliant and authorized.

Jonathan Edwards, Senior Director | Cybersecurity
Jedwards@bluecanopy.com; www.bluecanopy.com
2017 Conference Review