©2015 RSM US LLP All Rights Reserved

NASACT CONFERENCE

©2015 RSM US LLP. All Rights Reserved.

Information Security Trends

August 16, 2016

Introduction

2

Jay SchulmanPrincipal

Great Lakes Leader for Security and Privacy

• Work with State and Local Governments ranging from tollways to schools

• Helped secure everything from welding machines to medical devices to web applications

©2015 RSM US LLP All Rights Reserved

MisconceptionsThreat Overview

Misconceptions

• “If I’m not a top‐tier financial organization, retailer or contain military secrets, they don’t care about me.”

– You will be hard pressed to make appropriate risk management decisions until you understand who they are and why they act. 

– “Attackers” are not a vague, all‐encompassing, generic horde.

4

Misconceptions (continued)

– Think of attackers as a spectrum rather than a generic entity.

– Recognize that attackers have differing, shifting motives.• Targets of opportunity• Hacktivism• Financial data and intellectual property 

– #1 asset on underground market

• Revenge and retribution• None of the above

5

Misconceptions (continued)

• Compliance ≠ Security– Compliance = You have built the foundation to get secure 

• Security is not bought. – Tools are tools, not solutions.– Security cannot be successful unless it is embedded in a variety of enterprise policies and processes. 

©2015 RSM US LLP All Rights Reserved

SECURITY STATISTICS

Security StatisticsCompiled from:‐ NetDiligence/McGladrey 2015 Annual Cyber Claims Study

Security statistics (continued)Trouble with mathCompiled from:

‐ NetDiligence/McGladrey 2015 Annual Cyber Claims Study

Security Statistics

10

Compiled from:‐ NetDiligence/McGladrey 2015 Annual Cyber Claims Study

This will never happen to me –We are too small!!

©2015 RSM US LLP All Rights Reserved

THREAT OVERVIEW

Threat overview1.Hacking • Current methods focus on web apps and browser plug‐ins

• Transitioning to Internet of Things

2. Malware • Finding and purchasing non‐detectable malware in the  underground market is trivial

• Modern anti‐virus is an 80‐20 proposition at best

3. Social  Engineering

• Why bother to do all the heavy lifting involved with “hacking”  when you can just ask someone to do something for you?

• While there is a technical component, the attack is against human  nature

<examples next>

4. Physical Loss • Rare occurrence but significant impact

Threat overview (continued)• Vendor Fraud aka Invoice Fraud aka Supply Chain

Fraud:• Attacker identifies a vendor of the organization• Attacker attempts to convince the organization to make a

normal or additional payment to a new account• Organization unaware of fraud until notified by the vendor• Typical example:

To: [Someone in finance]  From: Executive@vend0r.comSent: Mon, Oct 5, 2015 at 2:01am

Mr/Mrs. Someone, please be aware that we have recently changed banking  providers. Our new account and routing numbers are in the attached pdf.Respectfully, Mr. Vendor Executive

Threat overview (continued)• Fake executives:

• Often create entire fake email chains, includingsupposed communications with other executives

• May tie to fake vendor claims, but also tax payments, legal fines, issuing corporate credit cards, fake checks, etc.

• Utilizes organizational and positional pressure to succeed• Typical Example:

To: [Someone in finance]From: Executive@ourc0mpany.com Sent: Mon, Oct 5, 2015 at 2:01am

Hey, [nickname]. I was just contacted by one of our key vendors and it looks like we  missed a payment last month. We are currently negotiating next year’s contract so  this is VERY sensitive. Immediately wire $xxx,xxx to the attached account  information or there will be hell to pay for all of us.Respectfully, CEO Executive

©2015 RSM US LLP All Rights Reserved

A PROACTIVE APPROACH

Threat Modeling Methodology

Threat Model

Assets(What/Where)

Risk Tolerance(Why)

Threats(How)

Mitigationsand

AssessmentStrategy

Actors(Who)

Focus on where your risks are, not where other people are breached.

First 90 daysMarch 30, 2015Data Security and Privacy

A State PerspectiveAugust 16, 2016

State of Illinois © 2015 Confidential : For discussion only

Kirk Lonbom Chief Information Security OfficerState of Illinois

Responsible for information and cyber security for entities operating under the Governor

64 Agencies, Boards and Commissions 50,000 state employees Compliance areas including FISMA, HIPAA, PCI, CJIS, more

What is being attacked?

EVERYTHING!

“No locale, industry or organization is bulletproof when it comes to the

compromise of data”

Breaches in State Government

South Carolina Department of Revenue• Exposed Tax Records of 70 Million People• Costs to the state - $70 Million

Utah – Medicaid Program• Theft of 750,000 Medicaid Records• Costs to the state - $9 Million

California – Reported that there have been multiple data breaches at state agencies• Costs to the state - $8.8 Million

IBM 2016 Study of breaches in the U.S.• $7.01 million is the average total cost of a

data breach (up .5 mil from 2015)• $221 is average cost per lost or stolen record

Elected Official? Appointed Official? Program Executive or Manager? Fiduciary Responsibility? Placed in the Public’s Trust?

Elected Official? Appointed Official? Program Executive or Manager? Fiduciary Responsibility? Placed in the Public’s Trust?

Or do you just want to make sure you just keep your job?

State Business Risk Life, Health and Safety Delivering Services to our

Citizens Delivering Services to our

Employees

Financial Risk Lost Revenue Breach Costs Fraud and Theft

State Business Risk Life, Health and Safety Delivering Services to our

Citizens Delivering Services to our

Employees

Financial Risk Lost Revenue Breach Costs Fraud and Theft

Privacy & Confidentiality Risk Personal Information –

Identify Theft Confidential Information

State Business Risk Life, Health and Safety Delivering Services to our

Citizens Delivering Services to our

Employees

Reputational/Political Risk Elected Officials Agency Directors Program Managers

Financial Risk Lost Revenue Breach Costs Fraud and Theft

Privacy & Confidentiality Risk Personal Information –

Identify Theft Confidential Information

State Business Risk Life, Health and Safety Delivering Services to our

Citizens Delivering Services to our

Employees

Information Security Protect information from

unauthorized disclosure Ensure information is

trustworthy Guarantee reliable access to

mission critical information

Cyber-Resiliency Ability to anticipate,

withstand and recover from adverse cyber-events.

Evolve and improve in pace with the ever-changing cyber landscape.

Data Breach Causes, Malicious or

Criminal Attack, 50%

Data Breach Causes, Negligent

Employees, 23%

Data Breach Causes, System Problems -

Both IT and Business Process

Failures, 27%

Data Breach Causes

$ 86

$ 86 (what’s in YOUR database?)

• The longer it takes to detect, the more it costs.

• 70% of attackers move from the initial victim to a secondary target within 24 hours.

• An attacker is in your environment for over 200 days before detection

• Victims MUST report incidents quickly!

We DO know what we DO know! (known software vulnerabilities)

Phishing is still the biggest sport (it’s easy)

63% of breaches involved weak, default or stolen passwords (we just don’t get it – Multi-factor!)

Social Unrest = Increased Attacks

Web Applications have weaknesses (many easy to fix –just find them!)

We all make mistakes. (human errors cost us)

$0

$50

$100

$150

$200

$250

Cos

t

Mitigating Breach Cost

Cost

Daily Phishing, Brute Force, Calls, SQLi

Ransomware – (but getting better)

DDos Attacks – States and Law Enforcement

Administrative Errors

Indications of Increased Nation State Activity

Cyber-Risk Awareness Campaign

A Common Cybersecurity Framework for Illinois

Illinois Emergency Operations PlanCyber-Disruption Response Strategy

P.I.I. Encryption Expansion of monitoring capabilities

and detection. Detection of weak passwords Initial implementations of Two-Factor

Authentication

To what extent have the essential services and functions of YOUR agency been identified and programs implemented to provide for their resilience in the event of a disruption or cyber incident?

What are the risks to critical operations and what strategies are in place to mitigate that risk?

Is sufficient attention being given to the ability to defend against intrusions?

What is our plan in the case of a breach or other cyber-event?

Anticipate Threatening Events Quickly Detect Intrusions Protect Critical and Confidential Information Continue Essential Activities Despite Adverse Conditions Restore Mission-Critical Functions Within Agreed Upon

Time Periods Evolve and Learn so that the Impact of Potential and Actual

Events is Minimized