081315 Protecting From Cyberattacks

TIME TO GET SERIOUS: PROTECTING YOUR COMPANY FROM CYBERATTACKS

Every day, you and your team find ways to overcome the challenges (e.g., schedules, budgets, safety, compromised workers, failed equipment) to completing projects on time and on budget. But there is another and possibly even more sinister threat to your company that is entrenched in your business model and cybercriminals want it: YOUR DATA.

BY ROB RUDLOFF


Cyberattacks - your Data is at Risk


CFMA Building Profits, July/August 2015

Data Is Increasingly at Risk

Data exists on your servers, in every e-mail, and in every text message. It lives on every mobile device carried by your employees, in every drawing received from an architect, and in every schematic sent to a client. Your laptops, printers, tablets, phones, fax machines, scanners, and mobile devices are constantly accessing and transmitting data. Data crosses your job schedules, employee and safety records, blueprints, and CAD drawings. It travels through your accounting and billing departments; to your fabrication shop and warehouse; through your HR department and into your payroll; out to your jobsites to your superintendents, PMs, and safety directors; and, most importantly, to your customers. In other words, it's all around you and your projects because it's at the heart of your business.

That said, it's easy to understand how your company could become a target for a data security breach. As part of its 2014 Data Breach Investigations Report, Verizon reported on the breakdown of breaches within the construction industry, with crimeware accounting for the most frequent cause.1 (See Exhibit 1 on page 26.) Crimeware's goal is to gain control of systems as a platform for illicit uses like stealing credentials, DDoS attacks, spamming, etc. Web downloads and drive-bys are the most common vectors. In its recommendations, the report prioritizes software inventory, standard configurations, malware defenses, and boundary defense for the construction industry.

One disturbing phenomenon that has grown exponentially over the past decade is social engineering: the use of human assets and vulnerabilities to try to break into systems. Examples include hackers calling people to try to gain information, picking up access codes or entry cards by shoulder surfing employees, sending phishing e-mails, or placing calls asking users to update computers or software, all in order to gain context or credentials for hacking into your systems.

Phishing e-mail attacks are increasingly sophisticated, presenting seemingly legitimate information with disastrous consequences. Assuming a 5% click-through rate on these types of attacks, it is very likely to happen in your company. The question is: Will you know when it has happened and are you equipped to deal with it effectively?

According to the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis,2 U.S. companies had the most costly data breaches worldwide on average ($201 per record); on average, they also had data breaches that resulted in the greatest number of exposed or compromised records (29,087). Based on these figures, a single breach costs approximately $5.8 million. For more on the costs of an attack, see Exhibit 3 on page 27.

How Can You Protect Your Company?

With the rising risks and costs of cybersecurity, knowing how to protect your company is critical. Such risk must be managed as an ongoing enterprise-wide concern, not just an IT issue. The first step is to admit that the threat is real and your company could be a target.

KNOW YOURSELF

Determine what is known about your company's data, where and how it is accessed, and how it is protected. Consider the following questions to develop a clear snapshot of your company's sensitive information:

What Sensitive Information Exists in Our Company? Do we have social security numbers, driver's license photos, credit information, or other personally identifiable information for our employees, contractors, or vendors? Do we have marketing, pricing, drawings, or other information that is valuable to our competitors? What kind of customer information is covered by confidentiality agreements?

Where Does the Sensitive Information Exist? Where do we store paper documents, scanned documents, electronic files, e-mail, application data, and faxes? Are we using cloud service applications to store data outside our environment?

Who Has Access to Our Data? Who in our organization has the ability to log in and access the data? Once logged in, are there rules to restrict who has access to only what is needed? Do we have any partners, suppliers, subcontractors, or other vendors in our systems with access to our data? Do we use segregation of duties to limit and detect fraudulent activity?

How Is Our Data Protected? Is our data encrypted as it is transmitted between our internal environment and outside recipients? Is our data encrypted when stored? Do we have appropriate authentication methods in place? How do users get provisioned for access?

How Is Our Technology Protected? Do we have adequate perimeter controls to detect and prevent attacks against our IT systems? Do we have adequate internal controls to detect and prevent attacks from within our environment? Is our technology physically protected to prevent tampering? Do we have disaster recovery and continuity plans in place?

How Will We Know? Unfortunately, in today's world it is not "if" but rather "when" we'll become a victim. How will we know if/when a security event or breach has occurred? Do we have enough security intelligence to inform us when something abnormal is occurring so it can be investigated, contained, and eradicated?

EXHIBIT 1: BREACHES WITHIN THE CONSTRUCTION INDUSTRY
Source: Verizon 2014 Data Breach Investigations Report
[Pie chart; categories shown: Crimeware, Everything Else, Miscellaneous Error, POS Intrusion, Cyber Espionage, Insider Misuse, Theft/Loss.]

EXHIBIT 2: DID YOU KNOW?
DISTRIBUTED DENIAL OF SERVICE (DDOS) uses a network of (mainly) compromised systems to attack a single target causing a denial of service.
DRIVE-BYS are a malware infection technique where malware is downloaded without a person's knowledge (often embedded in a legitimate file).
SHOULDER SURFING refers to following an authorized person through a door to avoid presenting credentials.
PHISHING E-MAILS look like legitimate e-mail, but in reality are designed to gather personal information, credentials, or convince the person to execute an attachment.
CLICK-THROUGH RATE measures the success of an online campaign through the number of users that clicked on a specific link.

Once this information is obtained, share your concerns with your leadership team, board, and investors. Find those with expertise in this area to evaluate your current systems and suggest solutions. Develop programs to detect and prevent cyberbreaches, then perform ongoing testing of those systems. Most of all, be vigilant in monitoring and testing your systems. When (not if) there is a breach, have a plan in place to address it immediately.

It is also essential to determine who within key management has responsibility for protecting your company against cyberattacks. The lead employee should report to the owner or CEO. Also, consider ramping up financial and human resources to tackle the job on an ongoing basis. A security breach can disrupt operations, could cause job shutdowns, and may tarnish your company's brand and threaten its well-being in the marketplace.

LIMIT YOUR EXPOSURE

A good next step is to review your construction or customer contracts with your legal advisor to ensure you are limiting your exposure in case of a data breach. It is critical to review your vendor contracts for the same issues, especially data centers, cloud and software providers, IT specialists, and other outside suppliers with access to your internal systems. Talk with your industry peers about what they have learned and which systems they are implementing, and assign responsibility within your own organization.

Regularly review your company's cyber liability insurance coverage to determine whether coverage is appropriate. Determine what risks you are willing to take on at your company. A board/management discussion should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Safeguard Your Data

Data protection must be company-wide. Think about the various ways in which your company interacts with technology and data. Use these areas to develop policies, procedures, and technology solutions. For each area, the goal is to have layers of defense in place so that even if one is compromised, additional protection remains and access is still restricted.

EXHIBIT 3: DATA SECURITY BREACHES & COSTS
DATA SECURITY BREACHES ARE AT AN ALL-TIME HIGH, AS ARE THE COSTS:
The Office of Personnel Management (OPM) recently disclosed that personal information of more than four million federal employees may have been compromised, potentially by a foreign nation-state. However, the American Federation of Government Employees has stated that the breach was far more damaging, and that all personnel data for every federal employee, every federal retiree, and up to one million former federal employees was compromised.3
JPMorgan Chase was reportedly compromised on 76 million consumer and seven million small business accounts.4
Direct costs of stolen credit and debit cards from the Target data breach in 2013 reportedly exceed $250 million5 and total costs are estimated at more than $1 billion.6
A record-breaking 1.1 billion personal and sensitive records were compromised in 2014 across 3,014 incidents, which is a 22% increase over 2013. Hacking and fraudulent activity accounted for a staggering 97.6% of the records lost.7
The probability of a data breach of more than 10,000 records over the next two years is 22%.8

PHYSICAL ENVIRONMENT

Safeguarding your data begins with a secure physical environment. Restrict access to physical areas with sensitive information and monitor who accesses the area. Maintain secure destruction of paper and media, including PC drives, USB drives, servers, copiers, scanners, fax machines, etc. Most companies address this through normal operations at their main offices, but may neglect this practice at jobsites, sales offices, or other remote locations.

TECHNOLOGY INFRASTRUCTURE

Understand your inventory of hardware, software, and applications so you can recognize something out of the ordinary. Implement web content filtering and automated threat intelligence feeds to block outbound access to known malicious sites. Install and update antivirus and anti-malware protection regularly. Decide who receives mobile devices and set up protocols for how and when they are used. Consistently monitor for malicious or abnormal behavior across the network, applications, and end-user workstations. Finally, establish solid perimeter controls, including firewalls and intrusion detection/prevention programs.

APPLICATIONS

Limit access to your software applications on a need-to-know basis, sometimes referred to as least privilege. Set up access rights for sensitive applications that limit read vs. write access and manage segregation of duties. Enable audit trails to monitor who has been on your system, when it was accessed, and what changes were made. Require strong passwords and consider using multi-factor authentication (MFA), particularly when remote access into the environment is involved. Regularly review contracts to understand the risk associated with the ongoing use of each application. Require Service Organization Controls (SOC) reports for all cloud providers and understand how your data will be handled in their environment. Encrypt all data in motion and assess risk to determine if it should be used for data at rest.

USERS & ENDPOINTS

Understanding how information moves into, through, and out of your business is essential to assessing security vulnerabilities. Identify any sensitive information that personnel or third parties have (or could have) access to via your systems. Limit the information collected and retained to prevent needless data storage and to reduce the risk of unauthorized access. Further, protect the information that is maintained by assessing risks and implementing protections in certain key areas: physical security, electronic security, employee training, and oversight of service providers. And, be sure to properly dispose of information that is no longer needed. Finally, have a plan in place to respond to security incidents and data breaches should they occur. The plan should be closely aligned with your company's continuity plan.

MOBILE COMPUTING SECURITY

Employees' use of their personal devices (Bring Your Own Device or BYOD) represents a huge potential threat to your company. With the explosion of social media sites and other applications, it is essential to decide whether or not you will allow personal mobile devices on your network. Cybercriminals are increasingly targeting mobile devices; seemingly innocuous activities like downloading a video or installing a new app could represent a serious threat. Clearly document what devices can be used as well as how and when they may be used. Set similar protocols for USB drives, tablets, and other hardware that may be connected to your environment. (See Exhibit 4 on page 28.)

EXHIBIT 4: MOBILE DEVICES: RULES FOR THE ROAD
APPS: Make sure mobile applications you develop or deploy are self-contained and do not collect personal information from other mobile apps.
CONTROL: Use a mobile device management (MDM) solution to grant or restrict access, as well as manage, inventory, and remotely wipe mobile devices.
INVENTORY: Keep an inventory of authorized devices and require registration of all new devices.
PROTECTION: Require passwords, PINs, or swipe technology on any mobile device attached to your network.
EDUCATION: Train your users how to protect themselves and implement acceptable use policies to reinforce the message.

Prevention Is a Continuous Process

Ongoing vigilance can be one of your most effective tools against risk to your cybersecurity. Continuously educating and training employees is critical to combat the daily threats delivered via e-mail and malicious websites. Are your employees aware of the threats, and are they informed and trained on proper procedures? Are they encouraged to report possible breaches because those reports are vital to the company?

Performing periodic assessments of the environment based on risks and threats can be extremely useful to understand where weaknesses may exist and how the security infrastructure detects and prevents attacks. This approach should also be applied to networks, systems, and applications. Monitor activities to determine what needs to be updated or replaced. If you're unsure of where to begin, take a look at Exhibit 5: Top Controls Assessment on page 29.

A comprehensive review of your systems should include a review of available logs, alerts, reports, and key systems. Data flow should be traced (both inbound and outbound) and both controls and weaknesses should be identified. An effective review will also include an external vulnerability assessment, examining perimeter controls, and identifying potential issues or vulnerabilities from external connections.

Continuously identify and deploy new solutions to secure your data as your environment and threats change. Consider developing a red team comprised of IT specialists who try to hack into your systems.9 This is a good way to identify vulnerabilities and determine where an open door may exist.

EXHIBIT 5: TOP CONTROLS ASSESSMENT
The areas listed below are covered in The Critical Security Controls for Effective Cyber Defense, Version 5 (www.sans.org/critical-security-controls) and include aspects of the National Institute of Standards & Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the International Organization for Standardization (ISO) 27000 series, and can be linked to other standards as well.
ACCESS & Authentication Controls
CHANGE Management
DATA Retention & Secure Destruction
DATA Security
END-POINT Protection
INFORMATION Security Policies
IT RISK Assessment Process
LOGGING, Auditing & Monitoring
MOBILE Devices
NETWORK Architecture, Design & Implementation
PASSWORD Management
PATCH Management
PERIMETER & Network Segmentation
RECOVERY, Response & Continuity Plans
REMOTE Access & Authentication Controls
THIRD-PARTY Security & Cloud Usage
VULNERABILITY Management
WIRELESS Security

Conclusion

Construction is an extremely collaborative effort among owners, real estate professionals, financial institutions, architects, engineers, GCs, subcontractors, equipment and material suppliers, etc. Contracts, blueprints, CAD drawings, BIM models, work plans, and financial documents represent merely the tip of the iceberg of the complex information that is shared among building partners during the life of a project. Your cybersecurity must be managed in the context of this extended digital ecosystem.

Data used in construction projects today improves efficiencies, saves time, and creates digital footprints for future work. However, you owe it to your customers and colleagues to operate securely and prevent threats. Proper management of cybersecurity will ensure this valuable information remains secure and that the benefits of data continue to outweigh the risks. There is no silver bullet that will solve all cybersecurity challenges, but investing in long-term maintenance, monitoring, and security that can be sustained over time is an excellent defense.

ROB RUDLOFF, CISSP, ISSMP, MBA, is Partner-in-Charge of the Cyber Security Risk Services at RubinBrown LLP in Denver, CO. Rob has been helping organizations improve their security posture for more than 20 years. He specializes in application and network security vulnerability and penetration testing, security policy and procedure support, security posture reviews, mitigation support and architecture development.
Phone: 303-952-1220
E-Mail: [email protected]
Website: www.rubinbrown.com

Endnotes

1. 2014 Data Breach Investigations Report (DBIR), Verizon, available at www.verizonenterprise.com/us/DBIR.
2. 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 5, 2014, available at www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.
3. bigstory.ap.org/article/af77f567a4b74f128a4869031dc9add9.
4. dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues.
5. "Target Data Breach Price Tag: $252 Million and Counting." Mintz Levin, February 26, 2015. www.privacyandsecuritymatters.com/2015/02/target-data-breach-price-tag-252-million-and-counting.
6. Cox, Randall. "Expected Target Losses." Rippleshot, January 29, 2014. info.rippleshot.com/blog/expected-target-losses.
7. Data Breach QuickView: 2014 Data Breach Trends report, Risk Based Security, February 2015. www.riskbasedsecurity.com/reports/2014-YEDataBreachQuickView.pdf.
8. 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 5, 2014, available at www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.
9. Mejia, Robin. "Red Team Versus Blue Team: How to Run an Effective Simulation." CSO, March 25, 2008. www.csoonline.com/article/2122440/emergency-preparedness/red-team-versus-blue-team--how-to-run-an-effective-simulation.html.