www.eidebailly.com
Anders Erickson, Director of Cyber Security Services
NAHEFFA Fall 2017 Conference
Modernizing Our IT Efforts
The Role of Cyber Security
Introduction
Anders Erickson, Director of Cyber Security Services
• 15+ years providing IT risk & controls solutions within the public & private sectors
• Certified Information Systems Auditor
• Certified Information Systems Security Professional
• Certified in Risk & Information Systems Control
Agenda
• Lessons Learned from Recent Cyber Breaches
• Challenges of Cyber Security
• Greatest Needs from IT
• First Steps
• Get Your Bearings - Where do you stand?
• Plot Your Course - Where are you going?
• Common Areas of Concern
The HBO Data Breaches
• Three separate, unrelated data breaches in 2017
• All occurred between June 30 and August 16
• Indicative of the cyber security challenges facing society
HBO Data Breach #1
July 30, 2017: Hackers announce the breach in an email to reporters and demand a $6M ransom paid within three days.
July 30, 2017: Hackers leak the first batch of data, including episodes of Ballers & Room 104 and the script to an upcoming Game of Thrones episode.
August 6, 2017: Hackers release a second batch of data, including a month of emails from an HBO executive and the script to another Game of Thrones episode.
August 11, 2017: Hackers release an email from HBO offering $250K to extend the deadline for the ransom payment.
August 9, 2017: Hackers release home addresses and phone numbers belonging to some Game of Thrones cast members.
HBO Data Breach #2
August 13, 2017
HBO Spain on-demand accidentally broadcast Game of Thrones season 7 episode 6 a week before its release date.
“The error appears to have originated with a third party vendor.”
- HBO Statement
HBO Data Breach #3
August 16, 2017
HBO and Game of Thrones official Twitter and Facebook accounts were compromised by a hacker group called OurMine from Saudi Arabia.
Hackers gained access using credentials exposed in previous, publicly known data breaches.
Lessons Learned from HBO Breaches
Organizations need to consider the following:
1. Monitoring, detection, and response
2. Vendor management
3. Security awareness training and education
Lessons Learned from HBO (and the Navy)
Incidents and breaches are a reflection of an organization’s culture.
(Slide shows news clippings from the Washington Post and the Detroit Free Press.)
2017 Cost of Data Breach Study
Conducted by IBM and Ponemon – Released in June 2017
Overview of Findings
$3.62 million is the average total cost of data breach
$141 is the average cost per lost or stolen record
27.7% is the likelihood of a recurring material data breach over the next two years
2.1% increase in the likelihood of a recurring material data breach
WannaCry Ransomware
• Attacks were first recorded in Europe on May 12, 2017.
• Utilized social engineering - virus embedded in .zip files sent to users as an email attachment.
• Exploits a vulnerability in Windows using the “EternalBlue” exploit.
(Slide diagram: WikiLeaks → EternalBlue → WannaCry)
WannaCry Ransomware
Known Affected Companies
Utility Companies:
• West Bengal State Electricity Distribution Company
• Iberdrola
• Petrobras
• Gas Natural
• PetroChina
• Telefonica
• Portugal Telecom
• MegaFon
Other Companies:
• FedEx
• Renault
• Nissan
• Deutsche Bahn
• Russian Railways
• Sberbank
• Bank Of China
• Singapore malls
• Sandvik
Governmental Entities:
• NHS
• Russian Interior Ministry
• Andhra Pradesh (Indian police)
• Chinese traffic police, immigration and public security bureaus
• Brazil Foreign Ministry, social security systems and court systems
• Russia Central Bank
Lessons Learned from WannaCry
WannaCry ransoms were $300 - $600 per affected computer.
Anyone and everyone can be a target
Ransomware as a Service
Common Cyber Security Challenges
• Acquiring and retaining experienced information technology (IT) professionals
• Limited funding and investment in cyber security
• Heavy reliance on third-party vendors for IT services
• Modest beginnings, with steadily increasing reliance on technology
• Leadership has limited or no experience managing IT risk
Maybe the Biggest Challenge
“This is core to the hacker mentality: We hack systems that can be hacked and leave the rest”
Sean Parker, Co-founder of Napster and founding president of Facebook
Our Greatest Need
Boards and Executives need two things from IT
TRANSPARENCY | INDEPENDENCE
Transparency
In general, IT Departments operate in one of three communication models.
1. Proactive
2. Willing
3. Hostile
Challenge for Management: Which questions to ask IT?
(Slide annotation: “Most Organizations”)
Independence
“The most likely architects of cyberattacks are system administrators or other IT staff with privileged system access.”
U.S. Computer Emergency Readiness Team (CERT)
Why Treat IT Differently?
Look to the finance and accounting industries as a guide:
• Experts provide transparency
• Evaluation is independent of the entity
First Steps – Get Your Bearings
Where do you stand? Conduct an independent risk assessment of your organization’s cyber security posture.
You should expect this assessment to…
• Gather information about your IT environment
• Follow a framework of best practices
• Provide results that are understandable to non-IT personnel
First Steps – Get Your Bearings
Risk Assessment: NIST Cybersecurity Framework
First Steps – Plot Your Course
Where are you going? Identify a trusted advisor to help you:
• Prioritize changes that need to be made.
• Address significant issues immediately.
• Identify resources that can help.
• Periodically re-evaluate.
Common Areas of Concern
What we are seeing
Vendor Management
• Approximately 1 in 5 organizations does not invest sufficient effort to manage vendors.
• Almost 70% of organizations do little to nothing to determine if vendors comply with the terms specified in contracts.
• Only 12% of enterprises devote great effort to gathering information from vendors and taking action to manage compliance and the risk posed by vendors.
The Vendor Management Cycle
(Slide diagram: Acquire and Select → Contract and Agreement → Monitor and Measure → Transition Out)
Improving Vendor Management
1. Establish formal vendor management policies and procedures
   • Roles and responsibilities
   • Processes and standards
   • Templates and forms
2. Create a listing of all current vendors
3. Rank vendor relationships according to risk
   • Access to data and information
   • Type of risk (e.g., financial, operational, reputational, legal/compliance)
4. Monitor and measure using the processes previously outlined
Security Awareness Training
In the mid-2000s, companies realized the need to provide security awareness training.
McAfee Study
• One in five workers let family and friends use company laptops and PCs to access the Internet.
• More than half connect their own devices or gadgets to their work PC... a quarter of whom do so every day.
• One in ten confessed to downloading content at work they should not.
• Two thirds admitted they have a very limited knowledge of IT security.
• Five percent say they have accessed areas of their IT system they should not have.
Security Awareness Training
Types of Training
• Classroom-Style Training
• Online Training
• Security Awareness Website
• Helpful Hints
• Visual Aids
• Promotions
Security Awareness Training
Training Content
• Physical Security
• Desktop Security
• Wireless Networks and Security
• Password Security
• Phishing
• Malware
• File Sharing and Copyright
Continuous Monitoring
(Slide diagram: Many, Many Logs → Alerts & Signatures)
Planning for Incidents and Contingencies
Incident planning should include development of the following:
1. Documented responsibilities, policies and procedures
2. Channels and requirements for reporting incidents
3. Definitions for what constitutes an information security incident
4. Knowledge base used to respond to future incidents
5. Procedures for handling of evidence
Conclusion
1. Everyone is at risk of being targeted for a cyber attack
2. Take the first steps in managing your cyber risks
   • Get your bearings
   • Plot your course
3. Be aware of common areas of risk and concern
   • Vendor management
   • Security awareness training
   • Continuous monitoring
   • Incident response planning
Anders Erickson, Director of Cyber Security Services
208.383.4731
www.eidebailly.com/cybersecurity