
Copyright © 2014 K2 Enterprises, LLC. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.

Best Practices For Cyber Security

November 3, 2014


Tommy Stephens

• CPA from Woodstock, Georgia
• Twenty-nine years public accounting & private industry experience
  – Nineteen years CPE discussion leader
• BSBA (Accounting) Auburn University
• MS (Finance) Georgia State University
• Please contact me: [email protected]
• Follow me on Twitter: @TommyStephens

WHAT ARE THE BIGGEST CYBER THREATS?


Top Cybersecurity Threats

1. Social Engineering
2. Advanced Persistent Threats
3. Internal Threats
4. Bring Your Own Device
5. Cloud Security
6. HTML5
7. Botnets
8. Precision Targeted Malware

Source: Forbes

Social Engineering

• Using social networks such as Facebook and LinkedIn to obtain information directly from the networks or by misleading others
  – Should you really post your vacation plans on Facebook before you go?
  – Do you really know all of your “friends”?

• Also includes phishing, baiting, and computer virus hoaxes

Advanced Persistent Threats

• Advanced Persistent Threats (APTs) take a “low and slow” approach

• Intention is to gain access to a network and take information quietly

• Likely executed by a government or very sophisticated entity as most individuals and small organizations lack the resources to execute


Internal Threats

• Most data losses and breaches are committed by insiders

• Who’s guarding your server while you are participating in this session?

• CERT Insider Threat Center found that malicious insiders within the financial industry get away with their fraud for approximately 32 months before discovery


Bring Your Own Device

• Bring Your Own Device (BYOD) is a relatively new phenomenon where team members acquire their own technology and use it for corporate purposes

• Though well-meaning team members can be more productive in a BYOD environment and save the organization money, the problem is that they don’t secure the technology
  – What happens to the corporate data when the smartphone or tablet is lost, stolen, or hacked?

Cloud Security

• Cloud computing is the most significant trend in information technology today

• The cloud offers potentially huge benefits, but the risks can be great as well because you surrender control of your data

• Do your due diligence before engaging a vendor to provide cloud services!


HTML5

• HTML5 is a relatively new markup language being used to develop web applications
  – Provides better support for multimedia and communications with a server
• A big advantage of HTML5 over its predecessors is cross-platform support
• However, because of its newness, many are concerned about its security

Botnets

• A botnet is a network created with malicious software that exploits the computing power of multiple private computers without the knowledge of the owners of those computers

• Cybercriminals often use botnets to send spam, spread viruses, and attack other computers and servers

• Is your computer running slowly?


Precision Targeted Malware

• The attackers are getting smarter!
• With Precision Targeted Malware (PTM), they are developing code that doesn’t execute unless it is in the environment for which its developers designed it

• This makes it harder to detect malware in testing environments

• “Gauss” is an example of PTM

What Are The Crooks After?

• Anything they can sell for a profit or hold hostage in return for a ransom

• In other words, sensitive information!


Two Specific Areas Of Concern For Carolinas HealthCare System

• Credit card information
  – To reduce the risk of credit card fraud, CHS is implementing EMV readers instead of card swipes
  – This should be completed by October 2015
  – EMV uses PIN codes and encryption algorithms to reduce the risk of fraud
• Vendors with weak internal controls
  – “A chain is only as strong as its weakest link”

WHAT ARE THE COSTS OF THESE THREATS?


Cost Of Cyber Crime Study

• The time it takes to resolve a cyber attack has increased by 130% in four years

• The average cost to resolve a single attack is more than $1 million

• Organizations in defense, financial services, and energy suffered the highest cybercrime costs

• $188 per record breached, on average, to respond/resolve a cyber attack

Source: Ponemon Institute


Cost Of Cyber Crime Study

• Data theft caused the largest costs: 43% of total external costs

• Business disruption or lost productivity accounted for 36% of external costs

• The average time to resolve a cyber attack was 32 days, with an average cost of $1,035,769
  – $32,469 per day!

• Smaller organizations incur significantly higher per capita costs

Source: Ponemon Institute

Cost Of Cyber Crime

• McAfee: Malicious cyber attacks could cost the U.S. $100 billion annually– $300 billion worldwide

• U.S. Congressional report: Nearly 20% of all cyber attacks are aimed at companies with fewer than 20 employees

• Experian: Only 31% of U.S. companies have cyber insurance policies


Don’t ignore the cost associated with a damaged reputation and lost business!


SOME SPECIFIC EXAMPLES…


Target Debit/Credit Card Breach

• Actually, two incidents
  – 40 million customers’ names, debit/credit card numbers, PIN codes, expiration dates, security codes, and phone numbers were compromised from November 27 to December 15, 2013
  – Up to 70 million names, addresses, phone numbers, and email addresses may have also been compromised

• Cost to Target: TBD, but a similar hack at TJ Maxx cost $256 million

Adobe

• 38 million records, including credit card numbers and username/password combinations were compromised from products and services, including Adobe Acrobat and ColdFusion

• Notification costs alone would approximate $17.5 million

• Assuming $188 per record, total costs could exceed $700 million


Republic Services

• In August 2013, a laptop was stolen from an employee’s home

• The laptop contained personal information on 82,160 current and former employees

• Of course, the laptop’s hard disk was not encrypted or otherwise protected


Palm Beach County Health Department

• A senior clerk was arrested and charged with using her job to steal identity information on more than 2,800 patients

• The clerk then shared the information, including Social Security numbers, with accomplices to file fraudulent income tax returns seeking refunds


TEN COMMON SENSE APPROACHES TO REDUCING CYBER THREATS


Education Is Critical

• Most team members truly want to do the right thing, but they often don’t know what the right thing is

• Educate on the risks associated with cyber attacks
• Create a “culture of security and personal accountability” across the organization
  – Like all internal controls, this starts at the top of the organization
• Includes developing and implementing policies

Use “Long And Strong” Passwords

• Passwords can be a good first line of defense, but are rarely as effective as they should be

• According to The SANS Institute, a “strong” password now consists of fifteen alphanumeric characters

• Want to test your password?
  – Try https://www.grc.com/haystack.htm

Use “Long And Strong” Passwords

• In reality, can we really expect to use different long and strong passwords on all of our devices, applications, and web sites?
  – After all, we are only human

• Consider using password management software such as RoboForm, Password Depot, KeePass, and others to ease the burdens associated with long and strong passwords

Consider Alternative Authentication Measures

• Fingerprint swipes instead of passwords, for example, might prove to be more secure in many organizations

• Multi-factor authentication is also an excellent internal control for mitigating cyber risk
  – Something you know (a password, for example) plus something you have (a key fob, for example)

Limit Administrative Rights

• Most end users should not have administrative rights on their PCs
  – Yet many of them do

• Without administrative rights, end users cannot change settings that might compromise the security of their device

Get A Grip On BYOD

• Bring Your Own Device, Bring Your Own Cloud, Bring Your Own Technology are all significant risks to every organization

• Get policies in place today
  – www.tinyurl.com/k2byodpolicies

• Consider forcing security measures onto team members’ devices as a condition of accessing and storing personal data
  – iPhone/iPad Configuration Utility, for instance

Disable USB Ports For Storage

• USB flash drives, external hard disks, etc. are rarely encrypted by end users

• Therefore, security risks are huge!
• You can disable USB ports for storage with an edit to the Windows Registry

Disabling USB Ports For Storage

Registry edit to prevent USB access to external storage devices. IMPORTANT: back up the registry first!
• Click Start, and then click Run
• In the Open box, type regedit, and then click OK
• Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
• In the details pane, double-click Start
• In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK
• Exit Registry Editor
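The same registry change, scripted so it can be applied consistently and reversed. This is an added example and is not part of the K2 slides: it exports the UsbStor key as the backup the slide insists on, sets the Start value to 4 exactly as the slide describes, and reads the result back. The backup path under $env:TEMP and the function names are assumptions; run it from an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the K2 slides): disable USB mass-storage drivers through the
# UsbStor service Start value the slide describes, after exporting the key as a backup.
# Requires an elevated (Administrator) PowerShell prompt.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$BackupFile = Join-Path $env:TEMP 'UsbStor-backup.reg'   # backup location is an assumption

function Get-UsbStorageState {
    # Start = 4 means SERVICE_DISABLED: the driver is never loaded, so no USB disk mounts
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
}

function Disable-UsbStorage {
    # Back up the key first, as the slide insists; reg.exe wants the HKLM\... form, not the PSDrive form
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\UsbStor' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; leaving UsbStor unchanged." }

    # Same edit as the slide: Start = 4 (REG_DWORD) under the UsbStor key
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    Get-UsbStorageState
}

function Enable-UsbStorage {
    # Reverse the change: 3 (SERVICE_DEMAND_START) is the Windows default for UsbStor
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
    Get-UsbStorageState
}

"Before: $(Get-UsbStorageState)"
"After:  $(Disable-UsbStorage)"
"Backup written to $BackupFile"
```

Two practical notes: the setting covers only the USB mass-storage class, so keyboards, mice and printers keep working, and it takes effect for devices plugged in after the change. It must also be applied on each workstation; for a fleet, the equivalent Group Policy setting under Computer Configuration > Administrative Templates > System > Removable Storage Access is easier to manage centrally.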

Thoroughly Vet All Cloud Vendors

• Though many have resisted and continue to resist, the Cloud tsunami continues to grow

• For many smaller organizations, it is entirely likely that moving to the cloud offers improved security

• However, thoroughly vet any cloud vendor before signing a contract or moving data

• Look for SSAE 16, ISO 27001, SOC 1, SOC 2, SOC 3, etc. certifications


Configure Firewalls Properly

• Firewalls serve as a “buffer” between two networks – LAN and Internet, for example

• You can configure your firewalls to block unwanted inbound as well as outbound traffic

• Ensure that both corporate level and computer level firewalls are configured to block intruders, as well as access to undesirable web sites


“White List” Software Titles

• Instead of trying to block all “bad” applications – which is virtually impossible, because that list is ever-changing – consider using a “white list” approach for approved applications on each computer

• Windows supports this control


“White List” Software Titles

• In the “Run” dialog box, enter “gpedit.msc”
• Navigate to “User Configuration, Administrative Templates, System”
• Scroll to “Run only specified Windows applications”
• Specify the applications allowed to run on the computer
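The same policy applied from PowerShell, by writing the registry values that the gpedit.msc setting above stores for the current user. This is an added example and not code from the K2 slides; the allowed-program list for a bookkeeping workstation is a constructed assumption, as are the function names.

```powershell
# Added example (not from the K2 slides): turn on the "Run only specified Windows
# applications" policy for the current user by writing the registry values that
# gpedit.msc sets under User Configuration > Administrative Templates > System.
# The allowed-program list is a constructed assumption for a bookkeeping workstation.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = "$PolicyKey\RestrictRun"

function Set-AllowedApplications {
    param([string[]]$Executables)   # file names only, e.g. 'excel.exe'; the policy does not use paths

    foreach ($key in @($PolicyKey, $ListKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    }
    # Clear entries left by a previous run so the list is exactly what was passed in
    foreach ($name in (Get-Item -Path $ListKey).Property) {
        Remove-ItemProperty -Path $ListKey -Name $name
    }
    # Explorer reads string values named 1, 2, 3, ... whose data is the executable name
    $index = 1
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $ListKey -Name "$index" -Value $exe -PropertyType String | Out-Null
        $index++
    }
    # RestrictRun = 1 enables the policy; set it to 0 (or delete it) to switch the policy off
    Set-ItemProperty -Path $PolicyKey -Name RestrictRun -Value 1 -Type DWord
}

function Get-AllowedApplications {
    # Read the list back in numeric order, the way Explorer evaluates it
    $item = Get-Item -Path $ListKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

# Constructed allow list (assumption): the tools a bookkeeping workstation needs, plus
# regedit.exe so the policy can still be undone from this account
Set-AllowedApplications -Executables @('excel.exe', 'outlook.exe', 'iexplore.exe', 'regedit.exe')
Get-AllowedApplications
```

Test this on a single account before rolling it out, and keep the tools needed to undo it on the list (or undo it from another account that the policy does not cover). The control is a light one: it applies only to programs started through File Explorer and matches on file name, so it is a useful first step for the "low-hanging fruit" the summary recommends rather than a complete application control; where the Windows edition offers AppLocker or Software Restriction Policies, those enforce the same idea more strictly.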

Implement Monitoring Tools

• According to EY, anti-virus software is not very effective against new forms of attack because it is reactive, rather than proactive

• Rather, monitoring and analytical tools that seek out unusual patterns in traffic should be used as early-warning mechanisms

• Such tools may have, for example, detected that Edward Snowden was downloading more files than what his job duties required
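A small illustration of the "unusual pattern" idea, added here and not part of the K2 slides: it compares each user's latest day of file downloads against a baseline built from that user's own earlier days and raises an alert when the latest day is far above it, which is the shape of the check that would have flagged someone downloading far more than their job required. The log lines are constructed for the example (in practice they would come from a file server, DLP tool or SIEM export), and the function name and threshold are assumptions.

```powershell
# Added example (not from the K2 slides): a baseline-and-deviation check of the kind the
# slide calls an early-warning mechanism. The log lines below are constructed for the
# example; each row is one user's download count for one day.

$LogLines = @'
date,user,action,files
2014-10-20,alice,download,14
2014-10-21,alice,download,11
2014-10-22,alice,download,16
2014-10-23,alice,download,12
2014-10-24,alice,download,13
2014-10-20,bob,download,20
2014-10-21,bob,download,18
2014-10-22,bob,download,22
2014-10-23,bob,download,19
2014-10-24,bob,download,410
'@

function Find-DownloadOutliers {
    param(
        [string]$Csv,
        [double]$Threshold = 3.0   # alert when the latest day exceeds this many times the baseline
    )
    $rows   = $Csv | ConvertFrom-Csv
    $alerts = @()

    foreach ($group in ($rows | Group-Object user)) {
        $days = @($group.Group | Sort-Object date)
        if ($days.Count -lt 3) { continue }   # not enough history to build a baseline

        # Baseline = median of the user's earlier days; unlike a mean, one spike cannot drag it upward
        $history = @(($days | Select-Object -First ($days.Count - 1) |
                       ForEach-Object { [int]$_.files }) | Sort-Object)
        $median  = $history[[int][math]::Floor($history.Count / 2)]

        $latest = $days[-1]
        if ([int]$latest.files -gt $Threshold * $median) {
            $alerts += [pscustomobject]@{
                User     = $group.Name
                Date     = $latest.date
                Files    = [int]$latest.files
                Baseline = $median
            }
        }
    }
    return $alerts
}

# With the constructed data, bob's 410 files on 2014-10-24 is flagged against a baseline of 20;
# alice's 13 files against a baseline of 14 is not.
Find-DownloadOutliers -Csv $LogLines | Format-Table -AutoSize
```

A single count against a per-user baseline is deliberately simple; real monitoring tools combine several signals (volume, time of day, file sensitivity, destination) and compare against peers in the same role, but the principle the slide makes is the same: the tool learns what normal looks like and reports what departs from it.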


ADVANCED CYBER SECURITY MEASURES TO CONSIDER


SANS Institute Twenty Critical Security Controls

• Based on a consortium of US and international agencies, including US National Security Agency (NSA)

• Prioritizes security functions that are effective against some of the more advanced threats

• The US State Department has demonstrated a 94% decline in risk as a result of adopting these twenty controls

• http://www.sans.org/critical-security-controls/


Twenty Critical Security Controls

1. Inventory of authorized and unauthorized devices

2. Inventory of authorized and unauthorized software

3. Secure configurations for hardware and software

4. Continuous vulnerability assessments and remediation


Twenty Critical Security Controls

5. Malware defenses
6. Application security software
7. Wireless device controls
8. Data recovery capability
9. Security skills assessment and training to fill gaps
10. Secure configurations for network devices such as firewalls, routers, and switches

Twenty Critical Security Controls

11. Limitation and control of network ports, protocols, and services
12. Controlled use of administrative privileges
13. Boundary defense
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on need to know

Twenty Critical Security Controls

16. Account monitoring and control
17. Data loss prevention
18. Incident response and management
19. Secure network engineering
20. Penetration tests and red team exercises

WE’VE BEEN HACKED!


What To Do When An Attack Occurs

• Create your response plan in advance
  – This is not something that should be done in the heat of battle!
• Include on the response team appropriate personnel from IT, PR, Customer Service, Legal, and all other relevant departments in the organization

• As part of the response plan, carefully consider legal and regulatory requirements
  – State security breach notification laws
  – HIPAA

In The First 24 Hours…

1. Record date and time of notification
2. Alert and activate response team
3. Secure the premises
4. Stop additional data loss
5. Document everything
6. Interview those involved
7. Review protocols
8. Assess priorities and risks
9. Bring in forensics team
10. Notify law enforcement, if necessary

Next, And In No Particular Order

• Fix the issue that caused the breach
• Continue working with forensics
• Identify legal obligations
• Report to senior management
• Identify and resolve conflicting initiatives
• Alert your data breach resolution vendor

The preceding responses are summarized from “Data Breach Response Guide” produced and published by Experian Data Breach Resolution. You may download the guide from http://www.experian.com/assets/data-breach/brochures/response-guide.pdf.

SUMMARY


Summary

• The numbers aren’t pretty, as the threats associated with cyber attacks continue to escalate, seemingly on a daily basis

• However, by understanding where the threats originate, we can position ourselves better to take appropriate cyber security measures


Summary

• When implementing cyber security measures, look for the low-hanging fruit first…you will get the biggest bang for your buck here

• Then, turn your attention to the more advanced security controls found in the SANS Institute’s Twenty Critical Security Controls


Summary

• Despite your efforts, it is likely impossible to completely insulate your organization from attack and eliminate all cyber risk

• Therefore, develop, put into place, and continually update a response plan in case your organization is attacked

• As part of this plan, ensure that you carefully consider all relevant legal and regulatory requirements


THANKS!