Top Ten Security Threats
2019 NACA Conference

Speaker Bio
Angie Singer Keating, CEO
CERTIFICATIONS & AFFILIATIONS
• Pennsylvania State University – Electrical Engineering Technology
• Certified Information Systems Auditor (CISA) by the Information Systems Audit & Control Association (ISACA)
• Certified Information Security Manager (CISM) by ISACA
• Certified in Risk & Information Systems Control (CRISC) by ISACA
• Certified Information Privacy Professional (CIPP) by the International Association of Privacy Professionals (IAPP)
• President-Elect of the National Association for Information Destruction (NAID) Board of Directors & Certification Committee Chairperson
• Co-Chairperson, NAID Electronic Media Destruction Subcommittee
• Board Member – Ben Franklin Technology Partners - CNP

Past Years in Review
• Ransomware
  • Sony Pictures, Atlanta, Newark, Baltimore
• Sophisticated Cyber Crime
  • Financial losses targeted at specific industries (Retail & Healthcare)
• Breach Investigation
  • 1,367 confirmed breaches - 63,437 incidents
• Construction Industry
  • 2016 – Turner Construction – 6,000 employee records breached
  • 2013 – Target – HVAC contractor compromised system – 40M-70M customers
Why Do Breaches Occur? (chart)
Source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/

How Do Breaches Occur? (chart)
Source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/

Who Are The Bad Actors? (chart)
Source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/

What Gets Breached? (chart)
Source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019

Where Is The Attack From? (chart)
Source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019
Breach Commonalities
• 96% of attacks were not difficult
• 85% of breaches took weeks to discover
• 92% of incidents discovered by a 3rd party
• 97% of incidents were avoidable with simple or intermediate controls
Note: Stats vary from year to year by single digits
10. Cyber Liability Insurance Coverage
• Many insurers have suffered huge losses
• Policies are including more exclusions
• Policy holders must litigate to attempt to get the coverage they thought they had or may have had previously
• More strict determinations on misconduct, negligence and reasonable security
• Policy applications and questionnaires are more in-depth
• Terrorism?
• Be sure clients are getting legal counsel review before purchase and prior to each renewal
• Be sure clients are truthful in all aspects of the technology and security incident history portions of applications
• Determine risks relevant to cyber-terrorism and insure accordingly

9. Denial of Service Attacks (DDoS)
• Botnets that flood servers with millions of packets per millisecond
• Makes systems unavailable or can crash the entire internet
• Cloud-based applications vulnerable
• IoT proliferation will exponentially increase attacks
  • Baby monitors, DVRs, home security, routers - 2016 Mirai DDoS attack crippled ISPs and the Internet backbone itself
• Disaster Recovery and Business Continuity Plans must be updated to include DDoS attacks
• Change default passwords on all internet-connected devices
• Always monitor for high bandwidth usage

8. Ransomware Attacks
• Data or entire hard drives are encrypted by malware (CryptoLocker)
• Encryption key is held by the hacker until payment is made with Bitcoin by the victim
• If ransom is not paid, data may be lost forever
• Ransom may now include demands to infect other devices (Popcorn Time)
• Disaster Recovery and Business Continuity Plans must be updated to include ransomware attacks
• BACKUP, BACKUP, BACKUP
• Identify mission-critical data and systems and analyze risk for ransomware attack

7. Windows 7 Retirement
• No more security patches released after 1/14/20
• No more support for Internet Explorer 7
• Purchase Extended Support until Jan. 2023
• Perform risk analysis
• Budget for a shorter hardware refresh cycle
• Migrate to Microsoft Office 365 – get free Windows 10 Pro licenses (only Win7 Pro)

6. Internal IT Staff or Vendors
• Small and mid-size organizations most at risk
• 0% unemployment rate for experienced, credentialed security analysts (CISA, CISSP, CISM)
• Most IT staff are trained and experienced in operational IT – keeping systems up and running efficiently
• Security is now highly specialized by industry, device type, business risk, and information lifecycle
• Most IT staff have no time for the proactive monitoring and analysis required in all best practices, audit criteria, and security regulations
• Consider managed security service providers in addition to the regular IT vendor
• Require frequent industry-recognized certifications for all security staff and vendors
• Require ongoing security education of all security staff
• Don’t assume that security is a priority, or even included, in service level agreements with IT vendors

5. Lost or Stolen Devices
• Laptops, smartphones, USB drives
• Lost backup tapes
• Data breach notification, privacy laws, OCR Wall of Shame, litigation, federal regulations?
• ENCRYPT NOW – No excuses!
• Perform vendor due diligence
• Include lost/stolen devices in your incident response plan

4. Cloud – IaaS, PaaS, SaaS
• Dude, where’s my data??
• 3rd party, 4th party, resellers?
• Timeshare software license?
• Retain specialized legal counsel
• Data portability
• Shared physical or virtual infrastructure
• Vendor(s) business viability

3. Phishing and Spear Phishing
• Disguised links in email
• Social engineering to target specific people
• Uses email, social messaging, or web links
• URL shortening presents new problems
• Train users on scams continuously
• Allow only 1 admin to send out security alerts
• Patch systems/AV, control user privileges

3. Phishing and Spear Phishing – Training Works! (chart)

2. Un-Patched Machines, Programs, Firmware
• Operating system patches
  • Local machines AND servers AND network gear
• 3rd party app patches
  • Office, AV, obscure apps
• Old exploits still happening
• Force justification for patch delays
• Enable automatic updates (if possible)
• Perform regular internal scans (Nessus)

1. Windows Server 2008 Retirement
• No more security patches released after 1/14/20
• Highly complex migrations
• Already in Extended Support
• Perform risk analysis
• Write and design conversion plans
• Go for the easy wins – non-mission-critical server retirement
• Migrate to Microsoft Azure – get 3 more years
Everyone Can Do Something NOW
• Unencrypted mobile devices
  • Encrypt before you leave TODAY!
• Use Two-Factor Authentication
  • Always, Always, Always!!
• Poor passwords
  • Move to a passphrase
  • Use a password keeper

Small Organization Focus
• Maintain inventory of IT assets
• Implement access control on remote access services
• Change default credentials on all internet-facing devices
• Trust but VERIFY – minimum annual security testing

Large Organization Focus
• Eliminate unnecessary and/or legacy data
• Monitor logs – outsource/co-source
• Annually review incident response plans – verify with gap analysis
• Trust but VERIFY – security testing with social engineering, ethical hacking and aggressive penetration testing
Additional Resources
• Cybersecurity and the Construction Industry - https://www.zurichna.com/en/knowledge/articles/2019/08/cybersecurity-and-the-construction-industry
• A Match Made In Cyber Hell - https://www.enr.com/articles/46832-construction-cybercrime-is-on-the-rise
• Forbes – Hackers Take Control of Giant Cranes - https://www.forbes.com/sites/thomasbrewster/2019/01/15/exclusive-watch-hackers-take-control-of-giant-construction-cranes/#107472af1d0a

Questions?
Angie Singer Keating, CISA, CIPP, CISM, CRISC
CEO & Co-Founder
814-684-5505 ext. 100
814-360-2648 (cell)
www.reclamere.com
http://www.linkedin.com/in/angiesingerkeating
Follow me on Twitter: @VeepGeek