Preparing For & Responding To Data Breaches

Northeast Ohio ISACA, March 16, 2017

Page 1

Preparing For & Responding To Data Breaches

Northeast Ohio ISACA

March 16, 2017

Page 2

800.314.4357 | www.VestigeLtd.com | Responsiveness, Speed & Availability Reliability Knowledge | Copyright ©2016 Vestige Ltd

Page 3

Fire Statistics

• According to the NFPA
  • Educational
    • Average of 1,150 fires in elementary schools annually
    • 16 civilian injuries on average each year (elementary)
    • 1 civilian death per year (elementary school)
  • Compared to All Fires
    • Civilian injury every 34 minutes (15,400+ annually)
    • Civilian death every 2 hours & 40 mins (3,275+ annually)

Page 4

Effectiveness of Fire Drills

• Compare & Contrast to 9/11 WTC (UCSF, Gershon)
  • 94% of occupants had NEVER exited the buildings as part of a drill
  • 84% had NO PLANS for gathering after evacuating
  • 82% were never provided evacuation plans
  • 11% of occupants had entered a stairwell as part of a fire drill
• Morgan Stanley
  • Had a plan. Practiced 2x per year
  • ALL but 13 employees out of 2500+ employees survived

Page 5

Preparedness in CyberSecurity

If we observe that preparedness works in other disasters…

Why would we not prepare for CyberSecurity?

Page 6

GASP

• Getting

• And

• Staying

• Prepared

Page 7

Planning CyberSecurity: Why We Are Approaching It Wrong

Page 8

Technology

• Poll:
  • Have a CyberSecurity BUDGET?
  • Implement the latest in:
    • Firewall Technology (NextGen Firewall)
    • IDS / IPS / SIEM
    • DLP
  • Believe CyberSecurity is an Arms-Race?

Page 9

We Are All a Target

• 62% of Cyberattacks are at mid-size & small businesses
• 34,529 Security Incidents / day
  • 12.6 million / year
  • 28.9 million businesses
  • 1 in 2.3 businesses
• More than 822 million records compromised

Page 10

Is IT Security an IT Issue?

• Top Means of CyberAttacks in 2016
  • Phishing
  • Malware
• Number of Consecutive Years these have been the Top vector?
  • 8
• Percentage of Phishing E-mails Opened by Receiver?
  • 30%
• Percentage of users clicking on links?
  • 12%

Page 11

Is IT Security an IT Issue?

Video: Amazing mind reader reveals his ‘gift’

https://www.youtube.com/watch?v=F7pYHN9iC9I

Page 12

Prevention or Discovery?

• The CyberSecurity Industry is $75B, with the majority spent on preventative technologies
• Gartner Group predicts a shift toward Detection & Response, reaching 40% in 2018, up from 0% today

Page 14

Knock, Knock…It’s the FBI

• When, Not If

“The majority of data breach victims surveyed, 81 percent, report they had neither a system nor a managed security service in place to ensure they could self-detect data breaches, relying instead on notification from an external party. This was the case despite the fact that self-detected breaches take just 14.5 days to contain from their intrusion date, whereas breaches detected by an external party take an average of 154 days to contain.”

– “2015 Trustwave Global Security Report” | Trustwave

Page 15

Change in Legal Tide

• Increase in number of regulations
  • GLBA, HIPAA, PCI DSS, FERPA, FISMA, CFTC Red Flags, FINRA, CFPB’s entry under UDAAP prohibition, FTC via GLBA’s Safeguards Rule, FCC for ISPs and other covered entities, DFARS, NHTSA, FDCA, NAIC, NY Dept of Financial Services, FERC’s CIP, and the list goes on and on
• Can’t prove…You must assume!
  • Notification Duties
  • Timeframe (30? 45? 60? – Reasonable?)

Page 16

Costs

• Ponemon Institute Report – 2016
  • $7.01 million average cost
    • 65% is indirect costs
    • 35% is direct, including investigating, containing & remediating
  • Up 7% from 2015
  • $221 per record (2% increase)

Page 17

Costs

• Factors that Helped Lower Cost:
  • Extensive use of encryption
  • Employee training
  • Implementation of DLP
• Factors that Increased Cost:
  • Industry
  • Malicious actor vs negligence
  • Third Party Errors
  • Extensive Cloud Migration
  • Rush to notify

Page 18

Other Expenses

• Loss of Revenue (average $4m)

• Notification

• Call Center

• Credit Monitoring

• Public Relations

• Legal

• Upstream-Downstream Liability

Page 19

Getting And Staying Prepared: A Practical Guide to Shifting Our Approach

Page 21

The 4 Most Important Questions

1. How Bad is the Breach?

2. How Did it Occur?

3. Do We Need to Disclose?

4. How Do We Know We Have It Cleaned Up?

Page 22

The Big Win!

1. Understanding our Risks & Control Environments

2. Having Right things in-place

3. Practicing

4. Vigilance

5. Active Pursuit

Page 23

Understanding the Control Environment

• Risk Assessment

• Audit
  • Compliance-based
• Framework

Page 24

Frameworks

• ISO/IEC 27000 Series
  • One of the most widely referenced & discussed security models
  • Some controversy over adoption & usefulness – completeness of model

Page 25

Frameworks

• ISO/IEC 27002:2013 Sections (114 controls)
  • Structure:
    • Security policy
    • Organization of Information Security
    • Asset Management
    • HR Security
    • Cryptography
    • Physical/Environmental Security
    • Communications & Operations Management
    • Access Controls
    • Information Systems acquisition, development & maintenance
    • Supplier Relationships
    • Information Security Incident Management
    • Business Continuity
    • Compliance

Page 26

Frameworks

• NIST CyberSecurity Framework
  • 5 Framework Core Functions
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover
  • Customizable to organization’s own needs
  • Approx. 100 controls

Page 27

Frameworks

• NIST CyberSecurity Framework

Page 28

Frameworks

• ISACA: Cybersecurity: Based on the NIST Cybersecurity Framework
  • Announced January 2017
  • Aligns NIST CSF with COBIT 5

Page 29

Frameworks

• CIS Controls
  • Center for Internet Security
  • Embraces the Pareto Principle – i.e. prioritized based upon impact
  • Claim to Fame:
    • Organizations implementing just the Top 5 Controls reduce risk of exposure by 85 percent
    • Organizations implementing all 20 Controls reduce risk by 94%

Page 30

Frameworks

• CIS Controls
  • Really like their published benchmarks and roadmaps for hardening specific assets
  • Including pre-hardened VMs for Amazon (AMIs)

Page 31

Frameworks

Which should you use?

Page 32

Having the Right Things In-Place

• Log Management
  • Logging the right things
  • Cautious with rollover
  • Keeping them long enough
  • Capturing enough granularity
• Security Awareness Training
  • Regularly recurring
  • “drip campaign”
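The Log Management bullets above leave one question open: "long enough" for what? If, as the Trustwave figure quoted on the "Knock, Knock" slide says, externally detected breaches take an average of 154 days to contain, a log that rolls over after four weeks is gone before anyone asks for it. The following Python script is an added example (not from the deck or from Vestige) that estimates the retention each logrotate stanza actually provides and flags anything below a chosen minimum; the sample configuration and the 154-day threshold are constructed inputs.

```python
"""Estimate how much log history each logrotate stanza actually keeps.

Added example, not from the Vestige deck: turns "rotate N" plus the interval
keyword into approximate retained days, applies any "maxage" cap, and flags
stanzas below a policy minimum. The configuration below is constructed.
"""
import re

# Approximate length of each logrotate interval keyword, in days.
INTERVAL_DAYS = {"hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed sample configuration showing common retention mistakes.
SAMPLE_CONFIG = """\
# typical distro default: four weekly rotations = 28 days of history
/var/log/auth.log {
    weekly
    rotate 4
    compress
}
# size-driven rotation: retention depends on log volume, not on the config
/var/log/audit/audit.log {
    size 100M
    rotate 5
}
# "rotate 365" looks generous, but maxage deletes rotated files after 90 days
/var/log/app/app.log {
    daily
    rotate 365
    maxage 90
}
/var/log/nginx/access.log /var/log/nginx/error.log {
    daily
    rotate 180
    delaycompress
}
"""

# One stanza: path list, opening brace, body, closing brace at line start.
STANZA_RE = re.compile(r"^(?P<paths>[^{#\s][^{\n]*?)\s*\{(?P<body>.*?)^\}", re.S | re.M)


def parse_stanzas(text):
    """Return [(paths, {directive: argument}), ...] for each stanza."""
    stanzas = []
    for m in STANZA_RE.finditer(text):
        directives = {}
        for line in m.group("body").splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and padding
            if line:
                parts = line.split(None, 1)
                directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        stanzas.append((m.group("paths").split(), directives))
    return stanzas


def retention_days(directives):
    """Approximate days of history kept, or None when the config cannot say.

    Interval-driven rotation keeps about rotate * interval days, capped by
    "maxage" (which deletes older rotated files). Size-driven rotation
    ("size"/"maxsize" without an interval) depends on how fast the log grows.
    """
    interval = next((k for k in INTERVAL_DAYS if k in directives), None)
    if interval is None:
        return None
    days = int(directives.get("rotate", "0")) * INTERVAL_DAYS[interval]
    if "maxage" in directives:
        days = min(days, int(directives["maxage"]))
    return days


def audit(text, minimum_days):
    """Return [(path, estimated_days, verdict), ...] for every logged path."""
    findings = []
    for paths, directives in parse_stanzas(text):
        days = retention_days(directives)
        if days is None:
            verdict = "INDETERMINATE (size-driven rotation)"
        elif days < minimum_days:
            verdict = "SHORT"
        else:
            verdict = "OK"
        findings.extend((path, days, verdict) for path in paths)
    return findings


if __name__ == "__main__":
    # 154 days: the deck's quoted average containment time for externally
    # detected breaches, used here as a constructed policy threshold.
    for path, days, verdict in audit(SAMPLE_CONFIG, 154):
        print(f"{verdict:<36} {str(days):>6}  {path}")
```

Size-driven stanzas need a second check against actual growth rate, and a "maxage" line can quietly undo a generous "rotate" count, which is exactly the kind of rollover mistake the slide warns about.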

Page 33

Having the Right Things In-Place

• Someone Accountable for CyberSecurity

• Written Information Security Program (WISP)
  • Compliance (e.g. 201 CMR 17 – Massachusetts, PCI, HIPAA, etc.)

• Insurance purposes

• CyberLiability Insurance

Page 34

Having the Right Things In-Place

• Incident Response Plan
  • Simple to follow
  • Detailed enough that non-technical staff can carry it out
  • “Triage” based upon specific types of incidents
• Ability to capture volatile, temporal data
  • Trample-free
  • Memory (RAM)
  • Content AND Artifacts

Page 35

Having the Right Things In-Place

• Pre-Negotiated Agreements
  • Legal
  • Breach Notification
  • Credit Monitoring
  • Call Center
  • Public Relations

Page 36

Practicing

• Tabletop Exercises

• Red Team / Blue Team / Purple Team Exercises

Page 37

Staying Vigilant

• Review Audit Programs – Implement Best Practices
  • Review of Authorized Users
  • Review & Signoff of ACLs
  • Review Firewall & Router Configs
  • Ensure Change Management is being followed
  • Automated Network Discovery / Rogue Device ID
  • Password Audit – of ALL Devices
  • Trusted Entity Review

Page 38

Active Pursuit

• Hunt Team

Page 39

GASP

1. Understanding our Risks & Control Environments

2. Having Right things in-place

3. Practicing

4. Vigilance

5. Active Pursuit

Page 40

Conclusion

Page 44

Q&A

Damon S. Hacker, MBA, CCE, CISA

Vestige Digital Investigations

Cleveland | Columbus | [email protected]

Page 45

CSX: THE ROADMAP

Page 47

ISACA AND CSX AT THE FOREFRONT

ISACA and CSX are Leaders in Cybersecurity Career Management

• Cybersecurity is a natural extension building on how ISACA has evolved to serve the needs of professionals worldwide

• ISACA collaborates with leading global governments and organizations at the center of cybersecurity

• Through CSX, ISACA is providing the first holistic program for cybersecurity career progression

Page 48

OUR SOLUTION

CSX Is Providing a Single Source for Cybersecurity Professionals: our holistic program will be the first and only “one stop shop” providing a complete solution and covering the full career lifecycle.

Credentialing and Training

Education/ Conferences

Membership Resources/ Publications

Career Management

Page 49

CAREER PATH: CYBERSECURITY CERTIFICATIONS

www.isaca.org/csx-certifications

CSX training and certifications offered for skill levels and specialties throughout a professional’s career.

Page 50

CAREER PATH: CYBERSECURITY CERTIFICATIONS

CSX Practitioner—Demonstrates ability to serve as a first responder to a cybersecurity incident following established procedures and defined processes. (1 certification, 3 training courses; prerequisite for CSX Specialist)

CSX Specialist—Demonstrates effective skills and deep knowledge in one or more of the five areas based closely on the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond and Recover. (5 certifications, 5 training courses; requires CSX Practitioner)

CSX Expert—Demonstrates ability of a master/expert-level cybersecurity professional who can identify, analyze, respond to, and mitigate complex cybersecurity incidents. (1 certification, 1 training course; no prerequisites required)

Certified Information Security Manager certification (25,000+ professionals certified since inception; named the second-highest-paying certification by Global Knowledge’s 2015 IT Skills and Salary Survey; 5+ years experience required)

Page 51

Cybersecurity Fundamentals Knowledge Certificate

• Knowledge-based exam for those with 0 to 3 years experience

• Foundational level covers five domains:
  1) Cybersecurity concepts
  2) Cybersecurity architecture principles
  3) Security of networks, systems, applications and data
  4) Incident response
  5) Security implications related to adoption of emerging technologies

The exam will be offered online and at select ISACA conferences and training events. The first is in September.

The content aligns with the US NICE

Page 52

Career path

• 0-3 years: Cybersecurity Fundamentals Certificate (no experience required; must pass knowledge-based exam)

• 3-5 years: Cybersecurity practitioner-level certification

• 5+ years: Certified Information Security Manager certification (25,000+ professionals certified since inception)

Page 53

CSX Elements

AVAILABLE NOW
• Cybersecurity Fundamentals Certificate (workshops and exams taking place in Q3; first workshop sold out)
• Transforming Cybersecurity Using COBIT 5
• Responding to Targeted Cyberattacks
• Advanced Persistent Threats: Managing the Risks to Your Business
• APT data
• Cybersecurity webinars and conference tracks (six-part webinar series begins in June)
• Cybersecurity Knowledge Center community

COMING SOON
• Mentoring Program
• Implementation guidance for NIST’s US Cybersecurity Framework (which incorporates COBIT 5) and the EU Cybersecurity Strategy
• Cybersecurity practitioner-level certification (first exam: 2015)
• Cybersecurity training courses
• SCADA guidance
• Digital forensics guidance

Page 54

CSX Practitioner

• Entry Level, practitioner route
• Requirements:
  • Pass the CSX Practitioner Exam
  • Comply with Code of Professional Ethics
• Resources Available:
  • Training Courses
    • Identification & Protection
    • Detection
    • Respond and Recover

Page 55

CSX Practitioner

• Exam
  • Fee: Members - $540, Non-Members $725
  • Special of $375 until 12/15/15
  • “Hands-on” in a cyberlab environment
  • Working knowledge of Linux and Windows
• Continuing Education
  • 3 Year Certification
  • 30 CPEs, with 24 of those being skills-based training & labs (annually)
  • Retake Certification Exam in year 3

Page 56

CSX Specialist

• CSX Practitioner, followed by specialization in:
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Page 57

CSX Specialist

• Training Classes (5-Day)
• Pass corresponding Exam for specialty desired
• Fees: Member - $590, Non-Member - $775
• Continuing Education:
  • 30 CPEs, with 24 being skills-based training & labs
  • Recertification test in year 3

Page 58

CSX Expert

• Mastery in even the most complex cyber security incidents
• Certification
  • Pass the CSX Expert Exam
  • Fees: Members - $640, Non-Members $825
  • 30 CPEs with 24 from skills-based training & labs
  • Retake examination in year 3

Page 59

Gauging Interest

Number of people / companies interested in obtaining:

• CSX Fundamental Certification?
  • 2-Day Chapter-Based training

Page 60

Q&A

Damon S. Hacker, MBA, CCE, CISA

Vestige Digital Investigations

Cleveland | Columbus | Pittsburgh | 330.721.1205

[email protected]