Cybersecurity for Construction & Real Estate
Presented by:
Carly Devlin and Thomas Groenke
Moderated by:
Teresa Cushman
TODAY’S PRESENTERS
Carly Devlin, Managing Director, Columbus Office
Clark Schaefer Consulting
Thomas Groenke, Manager, Construction & Real Estate
Clark Schaefer Hackett
AGENDA
• Understanding Cyber Risk
• Cyber Threats
• Case Studies
• Managing Cyber Risk
• Cybersecurity Tools
• Questions
UNDERSTANDING CYBER RISK
What is Cyber Risk?
Any risk of financial loss, disruption, or damage to the reputation of an organization from a failure of its information technology systems.
Source: The Institute of Risk Management
▪ Failure to mitigate this risk may cause:
- Disruption of systems/business processes
- Loss of confidential data
- Financial loss
- Fraudulent reporting and metrics
- Damage to reputation
Cybersecurity Industry Facts
Cyber Crime Damage: $6 trillion annually by 2021
Cybersecurity Spending: Will exceed $124 billion in 2019
Unfilled Cybersecurity Jobs: 3.5 million by 2021
Human Attack Surface: 6 billion people by 2022
Global Ransomware Damage Costs: Will reach $11.5 billion in 2019
Source: CSO
Cybersecurity Definitions
Threat: Circumstance or event with the potential to adversely impact organizational operations, organizational assets, and/or individuals, through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat Actors and Actor Motives:
- National Governments: Cyber warfare/espionage
- Terrorist Groups: Spread terror
- Organized Crime: Financial gain
- Hacktivists: Political agenda
- Hackers: Notoriety/financial gain
- Insider Threats: Revenge/financial gain
CYBER THREATS
Security Incident Survey
2018 Verizon Data Breach Report: Construction & Real Estate
Our Clients: Most Common Cyber Threats
Phishing
Ransomware
Human Error
Software Vulnerabilities
Internet of Things (IoT)
Threat Horizon and Industry Outlook
▪ Social engineering attacks (phishing) will continue to be a matter of concern for the construction and real estate industries
▪ Ransomware continues to be a rising concern for the construction and real estate industries
▪ The rise of the Internet of Things (IoT) will continue to bring the threat of cyber attacks
CASE STUDIES
Attack #1 – BNP Paribas (Real Estate Subsidiary)
Attack Victim: BNP Paribas
Attack Date: June 2017
Description: BNP Paribas’ real estate unit took a hit from a global cyber attack that disrupted the computers of companies around the world (malware).
Attack #2 – All-Ways Excavating USA
Attack Victim: All-Ways Excavating USA
Attack Date: January 2019
Description: A 15-person construction contractor in Salem, Oregon, fell victim to a cyber attack that was most likely carried out by a foreign government.
Attack #3 – DC-Area Real Estate Company
Attack Victim: DC-Area Real Estate Company
Attack Date: Within the last couple of years
Description: Cybercriminals stole client contact information from a DC-area real estate company, then created a phishing scam, which resulted in $1.5 million being stolen in a wire fraud scheme from a couple about to close on a home.
Attack #4 – Target
Attack Victim: Target
Attack Date: 2013
Description: Hackers gained access to the network credentials that a small HVAC contractor used to remotely access Target’s network, resulting in the breach of credit and debit card information for tens of millions of customers in the U.S.
MANAGING CYBER RISK
Managing Cyber Risk
Mitigation vs. Elimination of Risk
2018 SEC OCIE Examination Priorities
▪ 2018 Examination Priorities – The SEC’s Office of Compliance Inspections and Examinations (OCIE) has prioritized cybersecurity.
▪ Compared to 2017, the OCIE has extended the scope of its examination to include:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Training
- Incident Response
▪ As a result, the OCIE examiners could potentially request related documents, particularly ownership of third-party risks as it relates to tenants and vendors.
Use of a Security Framework
A series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.
Security Frameworks:
- ISO
- NIST
ISO/IEC 27001: 2013
▪ Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
▪ Designed to: Provide requirements for an information security management system (ISMS)
▪ Overview: Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements are intended to be applicable to all organizations, regardless of type, size, or nature.
NIST Cybersecurity Framework
▪ Established by: The National Institute of Standards and Technology (NIST)
▪ Designed to: Be a U.S. government-ordered cybersecurity framework
▪ Overview: A structure for the nation’s financial, energy, healthcare, and other critical systems to better protect their information and physical assets from cyber attack. NIST provides a common language with which to address and manage cyber risk in a cost-effective way based on business needs, without additional regulatory requirements.
NIST Cybersecurity Framework (CSF)
▪ Three Parts:
– Framework Core
– Framework Implementation Tiers
– Framework Profiles
Allows organizations to:
▪ Describe current cybersecurity posture
▪ Describe target state for cybersecurity
▪ Identify and prioritize opportunities for improvement
▪ Assess progress towards target state
▪ Communicate using common language among internal and external stakeholders about cybersecurity risk
CSF Core
CSF Tiers/Profiles
▪ Tiers
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
▪ Profiles
– Current profile (“as is”)
– Target profile (“to be”)
![Page 28: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/28.jpg)
CSF – Applying the Framework
1. Prioritize & scope
2. Orient
3. Create a current profile
4. Conduct a risk assessment
5. Create a target profile
6. Determine, analyze & prioritize gaps
7. Implement action plans
(Repeatable cycle)
![Page 29: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/29.jpg)
CSF – Benefits and Challenges
▪ Benefits:
– Voluntary
– Expose new risks
– Sharing, collaboration
– Layered approach
▪ Challenges:
– Not “set it and forget it”
– Requires “buy-in”
– Communicating risks
– Large, complex organizations
– Lack of quantifiable metrics
![Page 30: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/30.jpg)
OTHER CYBERSECURITY TOOLS
![Page 31: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/31.jpg)
NIST 800-53
▪ Security and Privacy Controls for Federal Information Systems and Organizations
▪ 18 security areas
– Management/enterprise
– Operational
– Technical
▪ 8 privacy areas
![Page 32: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/32.jpg)
NIST 800-53: Example Control
![Page 33: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/33.jpg)
NIST 800-53: Benefits and Challenges
▪ Benefits:
– Comprehensive
– Supplemental guidance useful
– Baselines allow risk-based approach
– Supported by 53A, allowing for corresponding assessment
– Cross references throughout and to other NIST SPs
▪ Challenges:
– Comprehensive! (Complex)
– Focus on Federal systems
• Private entities? State/Local government?
– Focus on information systems
• IoT devices, industrial control systems, weapons systems
![Page 34: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/34.jpg)
NIST 800-61: Computer Security Incident Handling Guide
▪ Organizing a Computer Security Incident Response Capability
– Understanding Events and Incidents
– Incident Response Policy, Plan, Procedures
– Incident Response Team Structure
▪ Handling an Incident
– Preparation
– Detection and Analysis
– Containment, Eradication and Recovery
– Post-Incident Activity
![Page 35: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/35.jpg)
NIST 800-61: Benefits and Challenges
▪ Benefits:
– Easy to understand for detecting, analyzing, prioritizing, and handling incidents
– Provides checklists, scenarios, examples, recommendations
▪ Challenges:
– Less focus on establishing an incident response program
– Doesn’t provide a specific template for an Incident Response Policy or Plan
![Page 36: Cybersecurity for Construction & Real Estate...ISO/IEC 27001: 2013 Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission](https://reader034.vdocuments.net/reader034/viewer/2022042316/5f056caf7e708231d412e59b/html5/thumbnails/36.jpg)
1800 Series: Cybersecurity Practice Guides
- SP 1800-1 (July 2015): Securing Electronic Health Records on Mobile Devices
- SP 1800-2 (August 2015): Identity and Access Management for Electric Utilities
- SP 1800-3 (September 2015): Attribute Based Access Control
- SP 1800-4 (November 2015): Mobile Device Security: Cloud and Hybrid Builds
- SP 1800-5 (October 2015): IT Asset Management: Financial Services
- SP 1800-6 (November 2016): Domain Name Systems-Based Electronic Mail Security
- SP 1800-7 (February 2017): Situational Awareness for Electric Utilities
- SP 1800-8 (May 2017): Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
- SP 1800-9 (August 2017): Access Rights Management for the Financial Services Sector
- SP 1800-10 (Not yet released): Identity and Access Management
- SP 1800-11 (September 2017): Data Integrity: Recovering from Ransomware and Other Destructive Events
- SP 1800-12 (September 2017): Derived Personal Identity Verification (PIV) Credentials
Questions?
Carly Devlin, Managing Director
Thomas Groenke, Manager, Construction & Real Estate
Thank you!