
Page 1: CS11 RSM FORMATTED - Amazon S3 · •Compliance ≠ Security –Compliance = You have built the foundation to get secure •Security is not bought. –Tools are tools, not solutions

NASACT CONFERENCE

Information Security Trends

August 16, 2016

©2015 RSM US LLP All Rights Reserved

Page 2

Introduction

Jay Schulman, Principal

Great Lakes Leader for Security and Privacy

• Work with State and Local Governments ranging from tollways to schools

• Helped secure everything from welding machines to medical devices to web applications

Page 3

Misconceptions

Threat Overview

Page 4

Misconceptions

• “If I’m not a top-tier financial organization or retailer and don’t hold military secrets, they don’t care about me.”

– You will be hard-pressed to make appropriate risk management decisions until you understand who they are and why they act.

– “Attackers” are not a vague, all-encompassing, generic horde.

Page 5

Misconceptions (continued)

– Think of attackers as a spectrum rather than a generic entity.

– Recognize that attackers have differing, shifting motives:

• Targets of opportunity

• Hacktivism

• Financial data and intellectual property

  – #1 asset on the underground market

• Revenge and retribution

• None of the above

Page 6

Misconceptions (continued)

• Compliance ≠ Security

– Compliance = You have built the foundation to get secure

• Security is not bought.

– Tools are tools, not solutions.

– Security cannot be successful unless it is embedded in a variety of enterprise policies and processes.

Page 7

SECURITY STATISTICS

Page 8

Security Statistics (chart; data not extracted)

Compiled from: NetDiligence/McGladrey 2015 Annual Cyber Claims Study

Page 9

Security Statistics (continued)

Trouble with math (chart; data not extracted)

Compiled from: NetDiligence/McGladrey 2015 Annual Cyber Claims Study

Page 10

Security Statistics

Compiled from: NetDiligence/McGladrey 2015 Annual Cyber Claims Study

“This will never happen to me – we are too small!!”

Page 11

THREAT OVERVIEW

Page 12

Threat overview

1. Hacking

• Current methods focus on web apps and browser plug-ins

• Transitioning to Internet of Things

2. Malware

• Finding and purchasing non-detectable malware in the underground market is trivial

• Modern anti-virus is an 80-20 proposition at best

3. Social Engineering

• Why bother to do all the heavy lifting involved with “hacking” when you can just ask someone to do something for you?

• While there is a technical component, the attack is against human nature

(examples next)

4. Physical Loss

• Rare occurrence but significant impact

Page 13

Threat overview (continued)

• Vendor Fraud aka Invoice Fraud aka Supply Chain Fraud:

• Attacker identifies a vendor of the organization

• Attacker attempts to convince the organization to make a normal or additional payment to a new account

• Organization unaware of fraud until notified by the vendor

• Typical example:

To: [Someone in finance]
From: [email protected]
Sent: Mon, Oct 5, 2015 at 2:01am

Mr/Mrs. Someone, please be aware that we have recently changed banking providers. Our new account and routing numbers are in the attached pdf.

Respectfully,
Mr. Vendor Executive

Page 14

Threat overview (continued)

• Fake executives:

• Often create entire fake email chains, including supposed communications with other executives

• May tie to fake vendor claims, but also tax payments, legal fines, issuing corporate credit cards, fake checks, etc.

• Utilizes organizational and positional pressure to succeed

• Typical example:

To: [Someone in finance]
From: [email protected]
Sent: Mon, Oct 5, 2015 at 2:01am

Hey, [nickname]. I was just contacted by one of our key vendors and it looks like we missed a payment last month. We are currently negotiating next year’s contract so this is VERY sensitive. Immediately wire $xxx,xxx to the attached account information or there will be hell to pay for all of us.

Respectfully,
CEO Executive
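A defender-side triage of the two sample emails above (vendor bank-detail change and fake executive), added here as an illustration and not code from the slides, RSM or the State of Illinois; the internal domain, the vendor allow-list, the executive roster and the keyword lists are assumptions made up for the example. It flags the change of payment details, the pressure language, an executive's display name on a foreign mailbox, and a vendor domain one letter away from the real one.

```python
# Added example; the domains, executive roster and keyword lists are assumptions, not from the slides.
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "agency.example"                              # assumed
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}                 # assumed vendor allow-list
EXECUTIVES = {"ceo executive": "ceo.executive@agency.example"}  # assumed roster: name -> mailbox

# Wording lifted from the two sample emails: a change of payment details, and pressure.
PAYMENT = re.compile(r"changed banking|new account|routing number|wire \$", re.I)
PRESSURE = re.compile(r"immediately|very sensitive|hell to pay|missed a payment", re.I)

@dataclass
class Message:
    display_name: str
    from_addr: str
    body: str
    attachments: list = field(default_factory=list)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def is_lookalike(domain: str) -> bool:
    """Close to, but not equal to, a known vendor domain (e.g. one letter dropped)."""
    return domain not in KNOWN_VENDOR_DOMAINS and any(
        SequenceMatcher(None, domain, known).ratio() >= 0.8 for known in KNOWN_VENDOR_DOMAINS)

def triage(msg: Message) -> list:
    """Indicators raised by one inbound message. Any non-empty result means: hold the
    payment and confirm by phone on a number already on file, never one from the mail."""
    flags = []
    dom = domain_of(msg.from_addr)
    if PAYMENT.search(msg.body):
        flags.append("payment-details-change")
        if dom != INTERNAL_DOMAIN and dom not in KNOWN_VENDOR_DOMAINS:
            flags.append("unknown-sender-domain")
        if any(a.lower().endswith(".pdf") for a in msg.attachments):
            flags.append("bank-details-in-attachment")
    if is_lookalike(dom):
        flags.append("lookalike-vendor-domain")
    expected = EXECUTIVES.get(msg.display_name.lower())
    if expected and msg.from_addr.lower() != expected:  # executive's name, foreign mailbox
        flags.append("executive-display-name-mismatch")
    if PRESSURE.search(msg.body):
        flags.append("pressure-language")
    return flags

# Constructed samples modelled on the two slides above (not real messages).
VENDOR_MAIL = Message("Mr. Vendor Executive", "billing@acme-suplies.example",
    "Mr/Mrs. Someone, please be aware that we have recently changed banking providers. "
    "Our new account and routing numbers are in the attached pdf.", ["account.pdf"])
CEO_MAIL = Message("CEO Executive", "ceo.executive@webmail.example",
    "Hey, [nickname]. It looks like we missed a payment last month. This is VERY sensitive. "
    "Immediately wire $xxx,xxx to the attached account information or there will be hell "
    "to pay for all of us.", ["wire.pdf"])
```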

Page 15

A PROACTIVE APPROACH

Page 16

Threat Modeling Methodology

Threat Model:

• Assets (What/Where)

• Risk Tolerance (Why)

• Threats (How)

• Mitigations and Assessment Strategy

• Actors (Who)

Focus on where your risks are, not where other people are breached.

Page 17: CS11 RSM FORMATTED - Amazon S3 · •Compliance ≠ Security –Compliance = You have built the foundation to get secure •Security is not bought. –Tools are tools, not solutions

First 90 daysMarch 30, 2015Data Security and Privacy

A State PerspectiveAugust 16, 2016

State of Illinois © 2015 Confidential : For discussion only

Page 18

Kirk Lonbom, Chief Information Security Officer, State of Illinois

Responsible for information and cyber security for entities operating under the Governor

• 64 Agencies, Boards and Commissions

• 50,000 state employees

• Compliance areas including FISMA, HIPAA, PCI, CJIS, more

Page 19 (image-only slide; no text extracted)

Page 20

What is being attacked?

Page 21

EVERYTHING!

Pages 22 to 26 (image-only slides; no text extracted)

Page 27

“No locale, industry or organization is bulletproof when it comes to the compromise of data”

Pages 28 and 29 (image-only slides; no text extracted)

Page 30

Breaches in State Government

South Carolina Department of Revenue

• Exposed Tax Records of 70 Million People

• Costs to the state - $70 Million

Utah – Medicaid Program

• Theft of 750,000 Medicaid Records

• Costs to the state - $9 Million

California – Reported that there have been multiple data breaches at state agencies

• Costs to the state - $8.8 Million

IBM 2016 Study of breaches in the U.S.

• $7.01 million is the average total cost of a data breach (up $0.5 million from 2015)

• $221 is the average cost per lost or stolen record

Pages 31 and 32

Elected Official? Appointed Official? Program Executive or Manager? Fiduciary Responsibility? Placed in the Public’s Trust?

Or do you just want to make sure you keep your job?

Pages 33 to 36 (one diagram, built up one risk category per slide)

State Business Risk

• Life, Health and Safety

• Delivering Services to our Citizens

• Delivering Services to our Employees

Financial Risk

• Lost Revenue

• Breach Costs

• Fraud and Theft

Privacy & Confidentiality Risk

• Personal Information – Identity Theft

• Confidential Information

Reputational/Political Risk

• Elected Officials

• Agency Directors

• Program Managers

Page 37

Information Security

• Protect information from unauthorized disclosure

• Ensure information is trustworthy

• Guarantee reliable access to mission critical information

Cyber-Resiliency

• Ability to anticipate, withstand and recover from adverse cyber-events.

• Evolve and improve in pace with the ever-changing cyber landscape.

Pages 38 and 39 (image-only slides; no text extracted)

Page 40

Data Breach Causes (chart)

• Malicious or Criminal Attack: 50%

• Negligent Employees: 23%

• System Problems - Both IT and Business Process Failures: 27%

Pages 41 and 42 (image-only slides; no text extracted)

Pages 43 and 44

$86 (what’s in YOUR database?)

Page 45

• The longer it takes to detect, the more it costs.

• 70% of attackers move from the initial victim to a secondary target within 24 hours.

• An attacker is in your environment for over 200 days before detection.

• Victims MUST report incidents quickly!

Page 46

We DO know what we DO know! (known software vulnerabilities)

Phishing is still the biggest sport (it’s easy)

63% of breaches involved weak, default or stolen passwords (we just don’t get it – Multi-factor!)

Social Unrest = Increased Attacks

Web Applications have weaknesses (many easy to fix – just find them!)

We all make mistakes. (human errors cost us)

Page 47

Mitigating Breach Cost (chart; vertical axis: Cost, $0 to $250; data not extracted)

Page 48

Daily Phishing, Brute Force, Calls, SQLi

Ransomware – (but getting better)

DDoS Attacks – States and Law Enforcement

Administrative Errors

Indications of Increased Nation State Activity

Page 49 (image-only slide; no text extracted)

Page 50

Cyber-Risk Awareness Campaign

Page 51

A Common Cybersecurity Framework for Illinois

Page 52

Illinois Emergency Operations Plan

Cyber-Disruption Response Strategy

Page 53

• P.I.I. Encryption

• Expansion of monitoring capabilities and detection

• Detection of weak passwords

• Initial implementations of Two-Factor Authentication

Page 54

To what extent have the essential services and functions of YOUR agency been identified and programs implemented to provide for their resilience in the event of a disruption or cyber incident?

What are the risks to critical operations and what strategies are in place to mitigate that risk?

Is sufficient attention being given to the ability to defend against intrusions?

What is our plan in the case of a breach or other cyber-event?

Page 55

• Anticipate Threatening Events

• Quickly Detect Intrusions

• Protect Critical and Confidential Information

• Continue Essential Activities Despite Adverse Conditions

• Restore Mission-Critical Functions Within Agreed Upon Time Periods

• Evolve and Learn so that the Impact of Potential and Actual Events is Minimized

Page 56 (closing slide; no text extracted)