Cyber Security Threats Today: What You Need To Know
October 21, 2016
Maureen Connolly, Risk Manager, Maps Credit Union


Presentation Transcript


  1. Cyber Security Threats Today: What You Need To Know
  October 21, 2016
  Maureen Connolly, Risk Manager, Maps Credit Union

  2. Agenda:
  • In the news – some past and present Benefit System Takeovers and other big breaches
  • Breach Overview – what to do if your employee data is compromised; incident response
  • Breach Statistics – a growing problem with no end in sight
  • Types of Social Engineering – protecting your network
  • It’s Not Just About Prevention, It’s About Reaction
  • Recommendations
  • Q and A

  3. Time Magazine Cover 1995

  4. In 2014, cyber attacks were on the rise, and more and more industries were making the news. 2015 and 2016 continued to show an increase, not just nationwide but worldwide.

  5. Breach Overview: What is a data breach?
  • Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that:
    – May cause the person inconvenience or harm (financial/reputational)
      • Personally Identifiable Information (PII)
      • Protected Healthcare Information (PHI)
    – May cause your company inconvenience or harm (financial/reputational)
      • Current/former employee data, applicant data
      • Corporate information/intellectual property
  Intellectual property = inventions, patents, trademarks, literary work, artistic work

  6. And Then There Was Sony… November 2014
  The arrival of the true blended attack:
  • Denial of Service
  • Wiped Hard Drives
  • Theft of Intellectual Property
  • Threat of Extortion
  • Threat of Terrorism

  7. 2014, 15, & 16
  • In March 2014, the Office of Personnel Management disclosed a cyber incident that affected 18 million current and former federal employees.
  • In February 2015, Anthem announced a cyberattack that stole almost 80 million files containing personal data, making this one of the largest breaches in healthcare.
  • In March 2015, Premera Blue Cross announced a massive cyberattack that occurred in May 2014 and might have exposed the personal information of more than 11 million individuals.
  • In the month of March 2016 alone, the Dept. of Veterans Affairs received 754,465,668 malware attempts that were either blocked or contained.

  8. Centene 2016
  Luck didn't improve much for the health-care sector in 2016, following a tough year for data breaches. In January, multi-line health-care enterprise Centene announced that 950,000 members had potentially been affected by a data breach. The breach was caused by the loss of six hard drives containing personal health information on members who had received lab services between 2009 and 2015. The drives also held names, addresses, dates of birth, Social Security numbers, ID numbers and other health information, the company said.

  9. ADP 2016
  Payroll giant ADP experienced a breach in May that exposed the payroll, tax and benefits information of nearly 640,000 companies, security journalist Brian Krebs reported in a blog post. The breach occurred because of a vulnerability in ADP's customer portal, the company said, giving the attackers access to W-2 information. ADP said the attackers already appeared to have had access to users' personal data before reaching its systems, likely from a previous hack. The breach was part of a flurry of W-2 attacks that occurred during that year's tax season.

  10. Yahoo! September 2016
  Yahoo has confirmed that data "associated with at least 500 million user accounts" has been stolen in what may be one of the largest cybersecurity breaches ever. The stolen data may include names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. If you reuse the same password or security questions on other accounts, it is advisable to change them on all of those accounts immediately.

  11. Increase in Health Records

  12. Breach Overview:
  • We still hear quotes today that lost materials such as laptops, hard drives, tapes, paper, etc., are the largest source of data loss. But this stopped being true around 2008.
  • External attacks have become the bulk, consistent source of data loss.
  • Hacking, malware, and social engineering attacks will account for 80%-90% of breaches.
    – a.k.a. “the big three”

  13. What do attackers want from your business?
  Attackers have at least one of two goals (maybe both):
  • #1 – Get your data
    • employees’ personal information
    • employees’ bank/credit union account numbers (direct deposit of payroll)
    • healthcare information
    • social security numbers
    • credit card numbers
    • your corporate bank account numbers
    • your corporate financial information
    • your intellectual property
    • your merger and acquisition plans
    • and anything else with value
  • #2 – Hurt your business
    • Damage you and shut you down, temporarily or permanently
  • Why? For revenge, for political reasons, to gain an advantage, and/or just so they can sell the information for money!

  14. Breach Statistics (from 2014):
  • Breaches detected in first 24 hours: 1%-2%
  • Breaches detected in first month: 35%-46%
  • Breaches with data loss in first 24 hours: 60%-68%
  • Breaches detected by an external third party: 71%-92%
  • Breaches contained within a week: <40%
  • Breaches undetected for 2 years or more: >14%
  • Average days from breach occurrence to discovery: 87-210

  15. Threat Landscape (from 2014):
  • 85% of breaches could be prevented by remediating known vulnerabilities.
  • The average time to detect an advanced persistent threat on a corporate network is 229 days.
  • 94% of unauthorized data access was through compromised servers.
  • The average malicious data breach took more than 123 days to resolve.
  • Education is needed – when government and military heads were asked, they thought that Anonymous and Al-Qaida were one and the same.
  • Data that is not encrypted is an easy target for theft.
  • Don’t turn your back on insider threats….

  16. Insider Threats: Intentional and Unintentional
  Intentional
  • Malicious insider – disgruntled, bored, or even coerced. These risks will never go away, even with the best cultures, benefits, and policies.
  • Risk mitigation
    – Proactive security controls
    – DLP on endpoints and perimeter
    – Incident response plan that includes digital forensic investigations
    – Cyber liability insurance
    – Regular background checks on employees with elevated privileges

  17. Unintentional
  Lack of training and clear usage policies may lead to internal actors causing a lot of trouble: weak passwords, mobile devices, insecure and compromised devices, phishing.

  18. Breach Costs (from 2014):
  • Average cost per record of a data breach: $194
  • Average records exposed per breach: 28,765
  • Average cost spent on notification: $565,020
  • Average cost of forensic services: $737,473
    (Combination of costs including hotline, credit monitoring, loss of business, discounts/rebates, fines, etc.)
  • Average lost business and reputation: $3,030,814
  • Average total cost per breach: $5,407,820
  • Average range of insurance payouts: $954,253 - $3.5M

  19. Ransomware
  • Cyber Extortion – Ransomware: systems or files are encrypted by cyber criminals, who require the company to pay a ransom to decrypt them.
    – Primary risk points
      • Phishing email attacks
      • Website malware
      • Compromised online ad campaigns
      • Short-linked redirect links
    – Risk mitigation
      • Up-to-date backups
      • Limit local admin permissions
      • Anti-virus (definitions and scanning)
      • User education programs

  20. Social Engineering:
  • Social engineering differs from regular hacking in that social engineers access confidential information with your permission. In essence, they’re con artists good enough to convince you to give them your information outright, or to manipulate you into thinking their access is legitimate.
  • Phishing – an email posing as being from someone it is not, in an attempt to get you to give up the information they need.
  • Pre-Text Calling – when a victim receives a call from someone posing as someone they are not, in an attempt to gain information to be used fraudulently.

  21. Prevention vs. Reaction:
  It’s not only good to prevent a breach from happening; even more important is how you react to it. Ask yourself this….
  • Do you have incident response procedures, and a team to handle a security incident?
  • Do you have a Business Continuity Plan in place?
  • Does your IT department have a Disaster Recovery Plan?
  • Do you test your plans?
  • Do you have a strong password policy in place?
  • Where is your data stored, and how is it destroyed?
  • Do you have a strong vendor management program?

  22. Create an Incident Response Team:
  • Members should represent all areas of your business: IT, Communications, Risk & Security, Legal.
  • Procedures in place for responding to all types of information security breaches (malware, ransomware, employee theft, etc.):
    – Containment/Investigation Phase
    – Customer notification instructions
    – Restoration Phase
    – Reporting (if required, to government agencies, etc.)
    – Post-Remediation Phase
  • Testing your procedures at least annually

  23. Recommendations:
  • Train, train and do more training. Train your employees on the basics at the very least (strong passwords, phishing attempts, pre-text calling, incident reporting).
  • Have employees read and sign an electronic usage policy.
  • IT should contract with a third-party vendor to conduct an information security audit.
  • Create incident response policy and procedures, and create an Incident Response Team.
  • HR should be represented on your BCP team. Annually test your plan.
  • Educate yourself – stay on top of the latest breach attempts (krebsonsecurity.com).
  • Make sure your business has sufficient cyber liability insurance coverage.
  • Create a vendor management program to review your critical vendors’ information security.
  • Make employees accountable after they have received training.
  • Be prepared for a certain amount of business loss due to reputational damage.
  • Conduct thorough screenings of new employees; enforce segregation of duties and dual control.

  24. Wrap-up Q & A
