Florida SBDC at UCF's Cybersecurity for Small Businesses: … · 2019-06-15 · Helping Businesses...

Helping Businesses Grow & Succeed

Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your

Digital Assets in 2018BYTE-SIZE: The Small Business Cybersecurity

Program of the FSBDC Network

NOTE: These materials are intended to provide information to assist small businesses consider key

cybersecurity concepts, to share ideas for reducing cyber risk, and to identify helpful resources from

multiple public and private organizations. However, no single technology or program can eliminate all

cyber risk nor can they guarantee protection from constantly evolving digital attacks. It is always best to

consult IT security and legal professionals to understand your responsibilities and to manage the specific

cyber risks associated with your business.

This presentation is a companion to the publication entitled The Florida SBDC

Network Byte-Size Program: Cybersecurity Basics for Small Business.

For more information, visit floridasbdc.org/cybersecurity

http://floridasbdc.org/cybersecurity


Lee V. Mangold

@[email protected]

(CISSP, CEH, GLSC, ITIL...)

Co-Founder & CEOGoldSky Security

Co-Founder & Vice PresidentFlorida Cyber Alliance

PresidentInformation Systems Security Association (CFL Chapter)

Board DirectorSecurity BSides Orlando

Adjunct ProfessorUniversity of Central Florida

CYBERSECURITY BASICSSection 1


Trends (2009-2016)


Who are the attackers?

• Organized Crime Organizations– Large syndicates of attackers– Hierarchical organizations; Mafia

• State-Sponsored Attackers– Government organizations– Russia, China, Iran, North Korea, etc...

• Script Kiddies– Use downloaded tools and scripts– Motivated by fame

• Other Professionals– Usually experimenting, learning, or

shaming

• Hacktivists– All-the-above– Motivated by a social cause


Top Threats & Targets

• Top Threats

• Malware – Specifically Ransomware

• Social Engineering– Phishing emails– Extortion attempts

• 3rd Party Data Theft– Stolen Credentials– 3rd Party breaches

• Top Targets• Medical Industry

– Compromising PHI– Compromising PHI– Potentially more...

• Legal Industry– Compromising PII– Compromising PHI

• Financial & Administrative Services– Compromising PII– Fraud and monetary theft

• Retail– Monetary theft (PCI)


Three Foundational Cybersecurity Principles

Know what your critical data/assets areWhat

Know where your critical data/assets areWhere

Know how they are protectedHow


CLOUD!!

IaaSPaaSSaaS


Types of Attacks


MALWARE

• Malicious software

– Steal credentials or other information

– Steal money

– Ransomware

– Botnets

– Sabotage

– Denial of service


PHISHING

• Email designed to lure you in to

doing something ill-advised

– Execute an attachment

– Click on a link

– Unwittingly give away sensitive

information

• Some are really good at exploiting

human gullibility


INTERNET OF THINGS (IoT)

• Increasingly, tech devices are being

targeted

– Eavesdropping

– Steal data

– Botnet agents

– DDoS attacks


APPLICATION ATTACKS

• Maliciously manipulate application

software

– Steal data from database server

– Run attack scripts on other users’ PCs

– Steal user credentials


Remediation Activities


Employee Education

• Technology is great, but

your most important

assets are your

employees

– First line of defense

– Train them on the tools you

use

– Encourage them to report

strange computer activity


Passwords & MFA

• Use Strong Passwords or Passphrases

• NEVER share your passwords

• Don’t re-use passwords

• Enable Multi-Factor Authentication where possible!


PROTECTIONS

• Policies and policy

management

• Software updates

• Configurations

• Security products

• Application software

controls


DETECTION MEASURES

• Event monitoring

• Intrusion detection and

prevention systems

• Threat monitoring

• User reports


RESPONSES

• Incident response

– Advocates for the business

– Reduce the losses

– Get back in businesses as

quickly as possible

– Support investigations

– Decision support during

incident

– Crisis communications


INSURANCE

• Is cybersecurity

insurance right for you?

– It depends

– Policies exist

– Read the fine print and

comply with their

requirements

– Answer their questions

candidly

– Understand what is and is

not covered


INSURANCE 101Key questions:

• Bundled vs. Stand

alone?

• What are the

policy exclusions?

• How much

coverage should I

purchase?

• Who is the breach

response firm? B

und

led

•Bundled cyber policies often offer limited coverage, not broad protection

•Have gaps

•and more exclusions.

•Usually are an endorse- mentto other liability policies.

•Can result in greater exposure

Ele

ctr

onic

Data

Pro

cessin

g (

ED

P)

•EDP policies are not cyber coverage.

•They usually

•cover:

•Data processing equipment.

•Hardware replacement.

•Property coverage.

Sta

nd

-Alo

ne

• Stand alone cyber policies offer the most protection.

•Normally

•cover:

•Third party liability.

•Breach Response.

•Notification.

• Restoration.

• Business interruption.

• Reputation risk.

Sto

p-L

oss (

DIC

)

• DIC plans are for larger organizations with greater risk profiles.

•They provide:

• Catastrophic backstop

•Covers gaps

•Meant for large Losses when underlying coverage is exhausted.

Danger Zone Safe(r) Zone

CASE STUDIES IN CYBERSECURITYSection 2


Breach Case Studies

• Insurance Company– COO’s Email Account Credentials Phished– Account Data stolen from Email & Storage– Data exfiltrated to unknown destinations in Russia– Had to notify 3600+ individuals, pay for credit monitoring, etc...

• Healthcare Practice– Hard Drive Stolen during A/C Maintenance– Owners extorted, police involved– Had to notify 37,000+ individuals

• CPA & Patent Firm– User sent a fake Docusign link, logged in, downloaded malware– Forwarded the email to colleagues– Data exfiltrated to unknown destinations in Russia


Breach Case Studies• TerraCom and YourTel America (2014)

– Failed to protect PII of customers– 300,000 identities at risk– Settled with FCC for $3.5M

• Verizon (2017)– Failed to protect PII of customers– 3rd party IT contractor left data unprotected in AWS

• Undisclosed Carrier– Hackers gained unauthorized access to SIP trunks– Hundreds of thousands in fraudulent charges billed to

customers– Company had no idea how to track or prevent the attacks


Case Study: Mossack Fonseca


Case Study: Mossack Fonseca

WordPress Website

Plugin: Revolution Slider

Plugin: WP-SMTP plugin

Plugin: ALO EasyMail

Exploited

Email Passwords

Email Passwords

Email Server

Log In

Get M

ail!

Drupal Web Portal

https://Portal.Mossfon.com

Outdated; Several Critical Vulnerabilities

Exploited

Get Data!


Misconfiguration

Configuration Management

– Are all your systems provisioned to a baseline standard?

– Are all your systems audited REGULARLY?

– Could you audit your systems if you had to?

– Who has access to what data and how is it protected?


3rd Party Problems

• How do you know your 3rd parties are secure?

• What data do you share with them? Do you know?

• How often have you (or can you) audit 3rd

parties?

• Have THEY been breached already?


Mismanagement

• Have you formed a security team or a formal security effort?

• Do you have procedures in place to help prevent breaches?

• What do you do when you HAVE a breach? Would you know?

• Are you practicing risk management in IT and Security?


Seek out best practices!

Begin practicing security risk management

1

Work across IT (and all domains) to identify the “what, where, how”

2

Establish baseline security standards

3

Have a plan and seek help where you need it!

4

CYBERSECURITY COMPLIANCE(AND RISK MANAGEMENT)

Section 3


Cybersecurity Management

IS

Risk Management


NIST Cyber Security FrameworkNOT A STEP-BY-STEP PROCESS


Cyber Risk Management Objectives

• What are my BIGGEST areas of risk?

• What are my potential mitigation strategies?

• What is the cost-benefit of implementing various mitigation strategies?

• What is the cost of doing nothing?


NIST 800-30 – Security Risk Assessment


Security - vs - Compliance

Security

Protecting what’s important

• Confidentiality

• Data Integrity

• Availability

Compliance

Following the rules

• 800-151

• HIPAA

• FIPA and other PII regs

• PCI

• GLBA, etc...


Three Foundational Cybersecurity Principles

Know what your critical data/assets areWhat

Know where your critical data/assets areWhere

Know how they are protectedHow


Legal Frameworks (Federal)

• Government Contractors– 800-151 Compliance (and more...)

• Healthcare – Health Insurance Portability and Accountability Act (HIPAA)

• Financial Institutions– Gramm-Leach-Bliley Act (GLBA)

• Credit Unions– Various FFIEC / NCUA Regulations

• Federal Agencies– Homeland Security Act (FISMA)

• Public Companies– Sarbanes-Oxley Act (SOX, Section 302 & 404)

• International– General Data Protection Regulation (GDPR)– EU-PrivacyShield


Florida Information Protection Act

• Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information.

• A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state

What is PII• First & Last Name and one of:

– SSN– Financial Account Number– Government ID number– Health Information or Insurance ID

• Username or Email Address, including password or security questions– Encrypted passwords are not considered PII!


Other States

• 48 States with Data Breach and/or Data Privacy Laws

– Excludes Alabama and South Dakota

• District of Columbia

• Puerto Rico

• US Virgin Islands

• Guam


NIST SP 800-171 Compliance

• Describes information protection requirements for:

– Non-Federal Organizations holding Controlled Unclassified Information (CUI)

– 22 Categories of CUI Data


What is CUI?22 Categories of Controlled CUI

• Agriculture• Controlled Technical Info• Critical Infrastructure• Emergency Management• Export Control Research• Financial Data• Geodetic Information• Immigration• Information Systems Vulns• Intelligence Data or Records• International Agreements• Compulsory Tax Information

• Law Enforcement Data• Legal Data• Natural and Cultural Resources• NATO-Related Data• Nuclear Data• Patent Information • Privacy Information• Procurement and Acquisition• Proprietary Business Data• SAFETY Act Information• Statistical/Census Data• Some Transportation Data


Controlled Technical Info

• Research and engineering data• Engineering drawings and associated lists• Specifications, standards, process sheets• Manuals• Technical reports• Technical orders• Data sets• Studies and analyses and related information• Computer software executable code and source code• etc...


800-151 Requirements

• 14 Families of Controls– Access Control – Media Protection – Awareness and Training – Personnel Security – Audit and Accountability – Physical Protection – Configuration Management – Risk Assessment – Identification and Authentication – Security Assessment – Incident Response – System and Communications Protection – Maintenance – System Information Integrity


Control Example

From NIST SP 800-53


Next Steps...

• Download & Read NIST SP 800-171

– https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdF

• Plan for Implementation of Controls

– Assess for applicability and impact

• Implement controls like a project

• Continually assess your security!

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdF

CYBERSECURITY RESOURCES

Section 4


RESOURCES AND PLANNING

Information:

• Florida Small Business Development

Center Network: http://floridasbdc.org/cybersecurity

• US Chamber of Commerce https://www.uschamber.com/cyber

Threat Reporting & Alerts:

• FBI IC3: https://www.ic3.gov

• Secure Florida: http://secureflorida.org

Note: Additional resources may be found in the Florida

SBDC Network’s Byte-Size program publication:

Cybersecurity Basics For Small Business

Planning Materials:• US Small Business Administration (SBA):

https://www.sba.gov/business-

guide/manage/prepareemergencies-disaster-

assistance

• SBA Learning Center

at:https://www.sba.gov/tools/sba-learning-

center/training/cybersecurity-small-businesses

• National Institutes for Standards &

Technology (NIST): http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.76

21r1.pdf

http://floridasbdc.org/cybersecurity

https://www.uschamber.com/cyber

https://www.ic3.gov/

http://secureflorida.org/

https://www.sba.gov/business-guide/manage/prepareemergencies-disaster-assistance

https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses

http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf


RELATED TIPS

• Get to know your law

enforcement

– Who are they, what

resources do they have?

– Meet them in person (prior

to needing to)

– Consider FBI’s Infragard

Florida SBDC at UCF's Cybersecurity for Small Businesses: … · 2019-06-15 · Helping Businesses...

Documents

Transcript of Florida SBDC at UCF's Cybersecurity for Small Businesses: … · 2019-06-15 · Helping Businesses...