
2019 NACA Conference






Presentation Transcript


  1. Top Ten Security Threats 2019 NACA Conference

  2. Speaker Bio Angie Singer Keating, CEO • CERTIFICATIONS & AFFILIATIONS • Pennsylvania State University – Electrical Engineering Technology • Certified Information Systems Auditor (CISA) by the Information Systems Audit & Control Association (ISACA) • Certified Information Security Manager (CISM) by ISACA • Certified in Risk & Information Systems Control (CRISC) by ISACA • Certified Information Privacy Professional (CIPP) by the International Association of Privacy Professionals (IAPP) • President-Elect of the National Association for Information Destruction (NAID) Board of Directors & Certification Committee Chairperson • Co-Chairperson NAID Electronic Media Destruction Subcommittee • Board Member – Ben Franklin Technology Partners - CNP

  3. Past Years in Review • Ransomware • Sony Pictures, Atlanta, Newark, Baltimore • Sophisticated Cyber Crime • Financial Losses Targeted at Specific Industries (Retail & Healthcare) • Breach Investigation • 1,367 Confirmed Breaches - 63,437 Incidents • Construction Industry • 2016 – Turner Construction – 6,000 employee records breached • 2013 – Target – HVAC Contractor compromised system – 40M-70M customers

  4. Why Do Breaches Occur? 1. http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/

  5. How Do Breaches Occur? 1. http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/

  6. Who Are The Bad Actors? 1. http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/

  7. What Gets Breached? 1. http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019

  8. Where Is The Attack From? 1. http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019

  9. Breach Commonalities • 96% of attacks were not difficult • 85% of breaches took weeks to discover • 92% of incidents discovered by 3rd party • 97% of incidents were avoidable with simple or intermediate controls • Note: Stats vary from year to year by single digits

  10. 10. Cyber Liability Insurance Coverage • Many Insurers have suffered huge losses • Policies are including more exclusions • Policy Holders must litigate to attempt to get the coverage they thought they had or may have had previously • More Strict Determinations on Misconduct and Negligence and Reasonable Security • Policy Applications and Questionnaires are more in-depth • Terrorism? • Be sure clients are getting legal counsel review before purchase and prior to each renewal • Be sure clients are truthful in all aspects of the technology and security incident history portions of applications • Determine risks relevant to cyber-terrorism and insure accordingly

  11. 9. Denial Of Service Attacks (DDoS) • Botnets that flood servers with millions of packets per millisecond • Makes systems unavailable or can crash the entire internet • Cloud-based applications vulnerable • IoT proliferation will exponentially increase attacks • Baby monitors, DVRs, home security, routers - 2016, Mirai DDoS attack crippled ISPs and Internet Backbone itself • Disaster Recovery and Business Continuity Plans must be updated to include DDoS attacks • Change default passwords on all internet-connected devices • Always monitor for high bandwidth usage

  12. 8. Ransomware Attacks • Data or entire hard drives are encrypted by malware (CryptoLocker) • Encryption key is held by hacker until payment is made with Bitcoin by the victim • If ransom is not paid, data may be lost forever • Ransom may now include demands to infect other devices (Popcorn Time) • Disaster Recovery and Business Continuity Plans must be updated to include ransomware attacks • BACKUP, BACKUP, BACKUP • Identify mission-critical data and systems and analyze risk for ransomware attack

  13. 7. Windows 7 Retirement • No more security patches released after 1/14/20 • No more support for Internet Explorer 7 • Purchase Extended Support until Jan. 2023 • Perform risk analysis • Budget for a shorter hardware refresh cycle • Migrate to Microsoft Office 365 – get free Windows 10 Pro licenses (only Win7 Pro)

  14. 6. Internal IT Staff or Vendors • Small and mid-size organizations most at risk • 0% Unemployment rate for experienced, credentialed security analysts (CISA, CISSP, CISM) • Most IT staff are trained and experienced in operational IT – keeping systems up and running efficiently • Security is now highly specialized by industry, device type, business risk, and information lifecycle • Most IT staff have no time for proactive monitoring and analysis required in all best practices, audit criteria, and security regulations • Consider managed security service providers plus regular IT vendor • Require frequent industry recognized certifications for all security staff and vendors • Require ongoing security education of all security staff • Don’t assume that security is a priority or even included in service level agreements with IT Vendors

  15. 5. Lost or Stolen Devices • Laptops, Smartphones, USB drives • Lost backup tapes • Data breach notification, privacy laws, OCR Wall of Shame, litigation, federal regulations? • ENCRYPT NOW – No excuses! • Perform vendor due diligence • Include lost/stolen devices in your incident response plan

  16. 4. Cloud – IaaS, PaaS, SaaS • Dude, where’s my data?? • 3rd party, 4th party, resellers? • Timeshare software license? • Retain specialized legal counsel • Data portability • Shared physical or virtual infrastructure • Vendor(s) business viability

  17. 3. Phishing and Spear Phishing • Disguised links in email • Social engineering to target specific people • Uses email, social messaging, or web links • URL shortening presents new problems • Train users on scams continuously • Allow only 1 admin to send out security alerts • Patch systems/AV, control user privileges
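The "disguised links" and "URL shortening" bullets above describe what a reader cannot see at a glance. As an added example (not from the presentation), this Python checker runs over a constructed HTML message body and flags anchors whose visible text names a different domain than the real href, plus anchors that route through a URL shortener. The shortener list and the sample message are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short shortener list (an assumption for this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Hostname of a URL; bare domains in anchor text get a scheme prepended."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _registrable(host):
    """Crude last-two-label key; a public-suffix list would be more exact."""
    return ".".join(host.split(".")[-2:])

def flag_links(html):
    """Return (href, visible_text, reason) for anchors that could mislead a reader."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if _host(href) in SHORTENERS:
            findings.append((href, text, "url-shortener"))
        # Visible text that looks like a domain but whose real target is elsewhere
        elif (re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text)
              and _registrable(_host(text)) != _registrable(_host(href))):
            findings.append((href, text, "display-text mismatch"))
    return findings

# Constructed sample message body (not a real email).
SAMPLE = ('<p>Confirm your account at '
          '<a href="http://login.example-bank.co/verify">www.examplebank.com</a> '
          'or read <a href="https://bit.ly/abc">the notice</a>. '
          'Help: <a href="https://examplebank.com/help">examplebank.com/help</a></p>')
```

The third anchor, whose text and target agree, is not flagged; the check is a mail-gateway or training-content aid, not a replacement for user awareness.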

  18. 3. Phishing and Spear Phishing Training Works!

  19. 2. Un-Patched Machines, Programs, Firmware • Operating System Patches • Local machines AND servers AND gear • 3rd Party App Patches • Office, AV, Obscure Apps • Old exploits still happening • Force justification for patch delays • Enable automatic updates (if possible) • Perform regular internal scans (Nessus)

  20. Poor Patching Impact

  21. 1. Windows Server 2008 Retirement • No more security patches released after 1/14/20 • Highly complex migrations • Already in Extended Support • Perform risk analysis • Write and design conversion plans • Go for the easy wins – non mission critical server retirement • Migrate to Microsoft Azure – get 3 more years

  22. Everyone Can Do Something NOW • Unencrypted Mobile Devices - Encrypt before you leave TODAY! • Use Two-Factor Authentication - Always, Always, Always!! • Poor Passwords - Move to a passphrase - Use a password keeper

  23. Small Organization Focus • Maintain inventory of IT assets • Implement Access Control on remote access services • Change default credentials on all internet facing devices • Trust but VERIFY – Minimum annual security testing

  24. Large Organization Focus • Eliminate unnecessary and / or legacy data • Monitor logs – outsource / co-source • Annually review incident response plans – verify with gap analysis • Trust but VERIFY – security testing with social engineering, ethical hacking and aggressive penetration testing

  25. Additional Resources • Cybersecurity and the Construction Industry - https://www.zurichna.com/en/knowledge/articles/2019/08/cybersecurity-and-the-construction-industry • A Match Made In Cyber Hell - https://www.enr.com/articles/46832-construction-cybercrime-is-on-the-rise • Forbes – Hackers Take Control of Giant Cranes - https://www.forbes.com/sites/thomasbrewster/2019/01/15/exclusive-watch-hackers-take-control-of-giant-construction-cranes/#107472af1d0a

  26. Questions? Angie Singer Keating, CISA, CIPP, CISM, CRISC • CEO & Co-Founder • 814-684-5505 ext. 100 • 814-360-2648 (cell) • www.reclamere.com • http://www.linkedin.com/in/angiesingerkeating • Follow me on Twitter @VeepGeek
