Transcript of “Cyber Resilience” (fpasouthcarolina.org/wp-content/uploads/2018/10/Scott-Presentation…)
Financial Planning Association
South Carolina
“Cyber Resilience”
OCTOBER 19, 2018 | COLUMBIA, SC
2 | N C S C Y B E R . C O M
Tom Scott
New Century Solutions LLC | NCS Cyber
Certified Information Systems Security Professional
Certified Information Systems Auditor
Certified in Risk and Information Systems Control
Project Management Professional
Certified Critical Infrastructure Manager
Cyber Resilience Professional
“The Internet has made the world flat.”
Computing is an immature industry…
➢The real Internet, or www., begins in the early 1980s.
➢Only a few years earlier, in 1973, the first network (run exclusively by government and educational institutions) had just 100 nodes on it (that is, 100 different servers were connected).
➢In the late 1980s the CRAY XMP-1 supercomputer was touted as the fastest computer of all time, at 200M calculations per second.
➢Today’s iPhone 7 is faster.
➢Windows 10 has 60M lines of code.
“E-commerce has led to various challenges and opportunities through new technologies.”
MORE HEADLINES
➢“This case (U.S. v. Hong) of cyber meets securities fraud should serve as a wake-up call…around the world: You ARE and WILL BE targets of cyber-hacking, because you have information valuable to would-be criminals.”
-- Preet Bharara, US Attorney, SDNY
➢“I am convinced there are only two types of companies: those that HAVE been hacked AND those that WILL BE …And even they are converging into one category: companies that HAVE been hacked AND will be HACKED AGAIN…”
-- Robert Mueller, Director, FBI, March 1, 2012
Large Data Breaches to Date:
➢Equifax 146M Users
➢Yahoo 1.5B Users
➢E-bay 145M Users
➢Target 110M Users
➢Sony 102M Users
➢JPMC 76M Users
➢Anthem/BCBS 80M Users
➢Home Depot 56M Users
➢OPM 22.5M Users
➢Ashley-Madison 30M Users
Source: PRIVACYRIGHTS.ORG
Computer incident response was once the sole responsibility of the IT department, but as it has become clear that the consequences of a computer incident can threaten an enterprise’s very existence, directors are now being held more accountable.

Directors have to be aware that a serious computer incident could result in a number of negative consequences for their enterprise, such as reputational damage or regulatory fines.
“…what we have to remember is those who attack are patient, and those that attack never stop trying. So, if that’s the case, we can never stop working to make sure we keep things safe.”
-- Governor Nikki Haley
“I don’t need a robot army. I intend to use yours.”
-- Dr. Edward Sobiesk, US Army CCOE
70% of Cyber attacks target SMBs
50% of SMBs have experienced a cyber attack
60% of SMBs go out of business within 6 months of suffering a cyber attack
ARE YOU AN SMB?
Your Organization
MECKLENBURG COUNTY GOVERNMENT
Largest population in North Carolina – over one million residents
Includes City of Charlotte and 6 other towns
Major county services
• Health & Human Services
• Criminal Justice Services
• Land Use and Environmental Services
• Parks & Recreation
• Tax Assessment & Collection
$1.7 Billion Operating Budget
Ransomware attack: December 5, 2017
Mecklenburg County network credentials were compromised by cyber criminal(s) using a social-engineering phishing attack.
The criminal(s) used the harvested user sign-on credentials to gain unauthorized access to Mecklenburg County systems.
The criminal(s) then planted ransomware to ‘freeze’ select systems and demanded payment to ‘unfreeze’ them.
48 servers encrypted; over 200 systems impacted.
Backups: the server team stood up a new database environment and restored database backups for various systems, which ran overnight.
Gained additional insights from various sources regarding the potential risks and benefits of paying the ransom. Engaged experts (Microsoft, FBI, Fortalice, TrendMicro, others).
Based on the risk/benefit analysis and input from numerous discussions with County Executive Leadership, the decision was made and communicated that:
Mecklenburg County would not pay.
https://www.nytimes.com/2017/12/06/us/mecklenburg-county-hackers.html
What Went Well
▪ Treated as a County crisis – not an IT issue
✓Daily command center engaged throughout
▪ Communication strategy came from the top – early and with timely frequency (email & telephony was essential)
▪ Had strong backups and the ability to restore
▪ Had practiced IT and Department COOPs (tabletop exercises)
▪ Had a strong relationship with forensic IT companies (on the job within hours)
▪ Had cyber insurance
▪ Got lucky – no data loss
Lessons Learned?
▪ If you have valuable data (personal, HIPAA, PCI), provide critical infrastructure services, or have the ability to pay, you are a cybersecurity target – you are probably being watched and tested as we speak.
▪ Cyber criminals are highly sophisticated and persistent – in our case, they spent considerable time looking for a way in, then moved quickly once in.
▪ Your employees will fall for phishing (no matter how much training you do).
▪ Your employees are unaware of file sharing and other social media risks – you may be surprised at how much unauthorized file sharing is going on: personal storage, Dropbox, etc.
Lessons Learned
▪ If (when) you are hacked, be aware that your IT access will be blocked (inbound and outbound) by third parties. You will need to prove to each provider that it is safe to restore access (this can take weeks):
˃ Banks
˃ State, Federal, Local systems (even cities and towns within the County)
▪ You will be inundated with assistance and advice (these were unanticipated management communication challenges)
▪ Be prepared for counter attacks
SCIDSA
South Carolina Insurance Data Security Act
Key Dates
January 1, 2019: Agencies are required to notify the SC DOI Director no later than 72 hours after determining that a cybersecurity event has occurred.
July 1, 2019: Agencies are required to have established a comprehensive, written Information Security Program. Section 38-99-20
July 1, 2020: Agencies are required to have vetted their supply chain’s implementation of administrative, technical and physical controls to safeguard the Information Systems storing agency Non-Public Data. Section 38-99-20(F)
February 15, 2020: Agencies operating in South Carolina must submit a written statement to the SC DOI Director certifying that the insurer complies with the requirements set forth in the Act. Section 38-99-20(H)(2)(1)
Key Requirements
➢ Risk Assessment
➢ Comprehensive Written Information Security Program, including an Incident Response Plan
➢ Chief Information Security Officer appointed to oversee the Information Security Program
➢ Annual reporting by CISO to Board of Directors or Owner(s)
➢ Annual reporting to SC Department of Insurance
Is Outsourcing Compliance Right For You?
Insurance agents routinely identify and calculate risks when developing a client's policy, be it health, auto, or life. *
Assessing cybersecurity risks follows a similar path of identifying risks and corresponding threats by answering these questions:
➢ What are the known risks within your business?
➢ What are your business's unidentified risks?
➢ What are the existing and evolving threats?
➢ What are you doing to effectively counter threats?
➢ Are you managing the risks to your business?
* Dragoon Security Group
How We Can Help
NCS Cyber has commissioned a feasibility study and corresponding guide describing the SC Insurance Data Security Act and its impact on licensees of the SC Department of Insurance.
Toolkit:
➢ Roadmap Guide
➢ Sample Request for Proposals (RFP)
➢ Resource Connections
NCS Cyber brings decades of experience building and maturing Information Security Programs in highly regulated industries, both public and private sector. Our ability to connect with industry partners and deliver solutions necessary for organizations to manage their cyber risk has kept us at the forefront of the cybersecurity field.
How Are You Managing Your Risks?
Security Measures Against Ransomware
➢Anti-virus signatures: selection and deployment of anti-virus signatures are critical.
➢Monitoring: keeping patches up to date is critical to protect against new variants.
➢Containment plan: if compromised, have your response ready, which starts with containment.
➢Response plan: must address three (3) key issues:
˃ Whether and how to pay the ransom
˃ How to interact with law enforcement
˃ How to restore operations
˃ Note: a backup does not equal file retrieval
What does Cyber Insurance Cover?
➢ Defense and indemnity for alleged liability due to a cyber or privacy incident (LIABILITY)
˃ Cyber incident = failure of insured’s computer system security
˃ Privacy incident = failure to protect confidential information
➢ Coverage for investigating and mitigating a cyber or privacy incident (EVENT RESPONSE)
➢ Coverage for business interruption due to a cyber incident (BUSINESS INTERRUPTION)
➢ Coverage for threats to harm a network or release confidential information (CYBER EXTORTION)
➢ All insurance is based on systems employed
Parting thoughts…
THANK YOU