Date posted: 22-Jan-2018
Category: Technology
Uploaded by: scott-diehl
CYBER SECURITY
Scott Diehl
Vice President of Product Management
Aka. The Tech Guy
WORD & BROWN GENERAL AGENCY
INTRODUCTION
What is Cyber Security?
How Cyber-Safe is Your Business? / Statistics
Cyber Threats
Relevant Security and Privacy Laws
Consequences of a Breach
Tools to Aid in Cyber Security
COURSE OBJECTIVES
• Understand Cyber Security & Common Threats
• Understand relevant security laws with which we must
comply
• Understand that any Internet-connected system can be
hacked and what to do in the event of a breach
• Obtain tools to aid in the event of a breach and to aid in
preventing a breach
WHAT IS CYBER SECURITY?
• History
– 1988 – The Morris Worm
• Current
– A method of preventative security
measures designed to protect
systems and networks from such
attacks.
FAST FACTS
• What is the cloud?
– This is storage on a centralized
server owned by a hosting company
– Ex: Azure, iCloud, AWS
• Think: “Accessible Anywhere”
• Aug 31, 2014 iCloud Hack – 200
celebrity photos posted to 4chan
WHY IS HACKING SO PREVALENT?
• $$$$
– The TOR Network
• The AlphaBay Market
– Credit Cards for Sale
– RDP Access for Sale
HOW CAN I BE HACKED?
• Implanted Medical Devices (~2006)
• “Smart” Phone
• Connected Cars
• Communication Infrastructure (P25
Radio)
• Public Recording & Reflections (UNC
Labs)
• SmartPhone Accelerometer
PERMISSIBLE HACKING?
• Advertising
– Ex: Gmail
• You’re being tracked on the
Internet at all times.
PERMISSIBLE HACKING?
• Gary Kovacs – Firefox
– Behavioral Tracking
PERMISSIBLE HACKING?
Gary Kovacs – Tracking the Trackers:
http://bit.ly/2cfUiWI
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• 2015 Major Breaches
– Experian – 15 Million Records
– Anthem - 80 Million Records
– Target – 50 Million Records
– Home Depot – 15 Million Records
– JP Morgan Chase – 12 Million Records
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• And healthcare is becoming
increasingly targeted … with very
good reasons ... And results.
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• 2016 Data Breach Category Summary
Institution Type | # Breaches
Banking/Credit/Financial | 4
Business | 82
Educational | 20
Government/Military | 8
Medical/Healthcare | 63
SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT RESOURCE CENTER
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• 2016 Data Breach Category Summary
Institution Type | # Records
Banking/Credit/Financial | 4,382
Business | 365,356
Educational | 307,457
Government/Military | 102,459
Medical/Healthcare | 3,828,098
SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT RESOURCE CENTER
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• From all the news, you might
assume that only big companies
like these are targets.
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• WRONG!
• The National Small Business
Association (NSBA) released
statistics showing 68% of their
small business membership
reported being a cyber-victim more
than once.
CYBER THREATS
• 2016 Targets
– Attacks through employees
– The cloud
– Seniors
– Automobiles
– Cloud Services
– Hardware & VMs
– Wearable Tech
– Internet Ads
– Wifi Hotspots
CYBER THREATS
• Employee Attacks
– Phishing & Whaling
– Our security is as strong as our
least-informed employee.
– Do you have employee security
awareness training?
CYBER THREATS
• The Clouds
– Microsoft Azure, Yammer
– Amazon Web Services
– Salesforce Cloud
– Cisco & Citrix
– File-Sharing: Box, Dropbox, Cubby
CYBER THREATS
• Internet Ads
• Ads when clicked can take you to a predator site that loads viruses, malware, adware, spyware and other harmful code.
• According to the Association of National Advertisers, ad fraud cost global advertisers more than $6 Billion in 2015.
CYBER THREATS
• Malware
• An umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software.
CYBER THREATS
Google: Three tips for spotting Malware
http://bit.ly/2ctzzCU
CYBER THREATS
• Phishing
• The attempt to acquire sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
CYBER THREATS
What is Phishing?
http://bit.ly/2bEYUJY
CYBER THREATS
• Ransomware
• A type of malware that can be covertly installed on a computer without the knowledge or intention of the user, that restricts access to the infected computer system in some way and demands that the user pay a ransom to the operators to remove the restrictions.
• EX: Hollywood Presbyterian
CYBER THREATS
Ransomware – Hollywood Presbyterian Story:
http://bit.ly/2bF06wW
CYBER THREATS
• Whaling
• A new phenomenon
• Executive-directed
CYBER THREATS
• Social Engineering
– Harvard Study
CYBER THREATS
What is your Password?
https://www.youtube.com/watch?v=InTxJIF_bCo
CYBER THREATS
• Public Wifi
– How many here are connected to the free “public” wifi?
– Are you sure you’re connected to the right connection?
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA
• Stands for?
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA
• Enacted in 1996
• Set standards for the protection of health care information.
• Provides the ability to transfer and continue health insurance coverage for workers when they change or lose their jobs.
• Reduce health care fraud and abuse.
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA - Factoid
• The FBI estimates that Health
Care Fraud costs American tax
payers $80 Billion/yr.
• Examples?
RELEVANT SECURITY AND PRIVACY LAWS
• What agency administers HIPAA?
• FBI
• HHS
• CMS
• CDI
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA
– Privacy
– Portability
– Accountability
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Portability
– Limits the ability for a new employer to exclude someone from coverage due to a pre-existing condition.
– Provides additional opportunities to enroll in a group health plan if you lose coverage.
– Prohibits discrimination based on health factors such as a prior medical condition.
– Guarantees that certain individuals will have access to and can renew their individual health insurance policies.
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Portability
– Certificates of Creditable Coverage
• Issued after a loss of coverage, enables
continuation of coverage
• Who was covered
• Start & end dates of coverage
• Details the coverage provided
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA + ARRA – Business
Associates
– General Agencies
– Insurance Brokers
– 3rd Party Administrators
RELEVANT SECURITY AND PRIVACY LAWS
• HITECH
– Health Information Technology for
Economic & Clinical Health
RELEVANT SECURITY AND PRIVACY LAWS
• HITECH
– Strengthened the notification and
penalty requirements for HIPAA
violations
– Business Associates are now subject
to ARRA’s civil and criminal penalty
provisions.
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– Individually identifiable information
that relates to:
• The past, present or future physical or
mental health or condition of a member
• The provisions of health care to a member
of a plan
• The past, present or future payment for
the provisions of health care to a member
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– Examples …
• Medical Conditions
• Treatments
• Medications
• Payment Information for Health Care
Services
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– PII vs. PHI
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– PII vs. PHI
– Personally Identifiable Information refers to information that can be used to uniquely identify, contact, locate a single person or that can be used by other sources to uniquely identify a single individual.
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– Personally Identifiable Information
• Name
• Phone Number
• E-mail Address
• Address
• SSN
• License Plate #
• Account Number
• City
• Medical Record Number
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– Protected Health Information (PHI)
• Any information about health status,
provisions of health care or payments of
health care that can be linked to a
specific individual
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– Protected Health Information (PHI)
• Medical Condition + SSN = PHI
• Treatments + Phone # = PHI
• Payment Info + E-Mail Address = PHI
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– EPHI?
RELEVANT SECURITY AND PRIVACY LAWS
• HIPAA – Health Information
– EPHI
• Emails which contain PHI.
RELEVANT SECURITY AND PRIVACY LAWS
• PCI DSS
– Payment Card Industry – Data
Security Standards
RELEVANT SECURITY AND PRIVACY LAWS
• State Laws
– like California SB 1386 & AB 1710
– Security Breach Notification, 2003
– Purchased Data, 2014
CONSEQUENCES OF A BREACH
• Identify a breach
– Incorrectly sending PHI to the wrong
– Sending unencrypted email (SSL + TLS or an encryption service)
– Intrusion
– Improper disclosure
– Lost Information
CONSEQUENCES OF A BREACH
• Identify a breach
– ITRC defines a breach as, “an
incident in which sensitive,
protected, or confidential data has
potentially been viewed, stolen, or
used by an individual unauthorized
to do so.”
CONSEQUENCES OF A BREACH
• Fines
– Violations range from $100.00 to
$50,000 per violation per day.
– Ignorance is no excuse!
CONSEQUENCES OF A BREACH
• No one can put the consequences
more eloquently than someone
who has suffered a breach.
• Monica Lewinsky
CONSEQUENCES OF A BREACH
Monica Lewinsky – The Price of Shame:
https://www.youtube.com/watch?v=xvSxxpFKJ5w
CONSEQUENCES OF A BREACH
• HIPAA Violation Fines
• Loss of clients
• Loss of reputation
• Personal liabilities – including
consequences at work
TOOLS TO AID IN CYBER SECURITY
• BE PREPARED
– Identify a procedure for breach
protocol
– Designate someone to understand
compliance
– Have an investigative process in
place to define a breach
TOOLS TO AID IN CYBER SECURITY
• BE PREPARED
– Use 2-Factor Authentication
– Strong Passwords (get a password
manager for your phone!)
– Avoid unknown Android Apps (20K
apps with Malware)
– Don’t use public Wifi