Electronic Information Security · 2016. 12. 14. · Viruses & Malware • A computer virus is a...


Cybersecurity Overview

WYCCC December 14, 2016


Mark Mellas, Vice President, Commercial Lending

Tim Tewksbury, Senior Vice President, Chief Information Officer


Where did we come from?


Data Availability, Integrity, Authentication, Authorization

• Provide safeguards to ensure data is available when we need it.
• Ensure the accuracy and consistency of data stored electronically.
• Provide methods to verify the credentials of those trying to access data.
• Provide mechanisms to determine access levels or privileges to electronic data.


Natural Disasters

Flooding

Tornados

Fire


Cybersecurity /ˌsībərsiˈkyo͝orədē/

• noun: the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.


The “Be Afraid” Slide


The “Be Afraid” Slide #2


Threat Actors


Threats

• Physical datacenter breach
• Disaster situations
• Electronic data breach
• Viruses and malware, including things like crypto locker algorithms
• Key loggers
• Social engineering


Physical Safeguards

• Redundant data centers – servers, connectivity, and environmental
• Restricted access to physical systems and electronic data
• If outsourcing computer resources, review your vendor’s protocols, know where your data is! (SSAE16)
• Dual controls for administration of systems
• Off network/off site backups!! (tape, USB drives, outsourced backups)
• Remember your individual PCs and laptops!!!


Electronic Safeguards

Firewalls – a component on the network or PC designed to block unauthorized access while permitting outward communication.

Examples: Cisco, Meraki, and Microsoft Windows Firewall


Viruses & Malware

• A computer virus is a type of malicious software program that, when executed, replicates by reproducing itself or infecting other computer programs by modifying them.

• Installation mechanisms:
  • SPAM (unsolicited email) - email attachments or links in emails, Trojan horse software
  • Fake websites or links to these sites
  • Access to computer systems that are unpatched/out of date.


Viruses & Malware

• Effects:
  • Performance degradation on your PC (adware)
  • Can steal personal information saved on your system or anything you have access to.
  • Can corrupt system files, making the PC or server unusable.
  • Keyloggers - can record every keystroke you make to a log file
  • CryptoLockers - encrypt files on an affected system and demand ransom for recovering the data. Can spread to any file to which you have “write access”.


Email examples

• Emails with dangerous links – false Amazon, UPS, FedEx, or IRS emails asking you to click on an embedded link.

• Attachments (especially .zip or .exe files) – similar sources, but asking you to run the attached files. Some purport to be invoices, IRS letters, or a document for you to review.


Protect Yourself!

• Install an antivirus/antimalware package on ALL servers and PCs (Symantec, Norton, McAfee, Malwarebytes Antimalware)
  • Verify that this software is getting regular updates from the vendor
• Install an email AntiSpam solution (Symantec, AppRiver)
  • ~70% of email is Spam!
  • Consider quarantining email attachments with .zip and .exe extensions
• Use a quality firewall and make sure it stays updated.
• Keep electronic systems up to date – install latest patches, retire older software.


Time to upgrade your System(s)?


Additionally, Protect Yourself by:

• Making sure you choose an adequate user name and password that mixes lowercase letters, uppercase letters, numbers and special characters
• Periodically changing your password (90 days)
• Safeguarding your username and password


Password Reminders….


Risks related to online transactions that you may face

• Passwords being written down and left out in the open
• The use of old or inadequate passwords
• Possibility of internal fraud or theft
• Delays in terminating the rights of former employees
• Lack of dual controls or other checks and balances over individual access to online transaction capabilities.


STUPID SPAM!!!!!!!


What is Social Engineering?

• Social engineering is the act of manipulating people so they give up confidential information.
• The types of information criminals are seeking can vary, but can include your passwords, bank information, or access to your computer.
• Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than to hack your accounts.
• This could be SPAM email, phone calls, physical mail, impersonators…


Flash/Thumb Drives

• Passwords - Use password protection on all flash drives
• Encryption - Turn on encryption
• Access - Consider turning off access for flash drives


So, I found this Flash Drive…


Don’t Be a Victim!

• Slow down. Spammers want you to act first and think later - never let their urgency influence your careful review.
• Research the facts. Be suspicious of any unsolicited messages.
• Delete any request for financial information or passwords.
• Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
• Curiosity leads to careless clicking – if you don’t know what the email is about, clicking links or using enclosed phone numbers is a poor choice.
• Don’t let a link control where you land. Hovering over links in email will show the actual URL at the bottom.


Cyber Risk Management

Incident Response and Resilience

• Preparation
  • Incident response plan and policy
  • Incident response team
• Escalation: internal
• Notification: external


Passwords are like underwear…

1. Change them often

2. Don’t share them

3. Don’t leave them out where others can see them


Summary

You are one of the most important links to keeping your customers’ information safe.