Preparing For & Responding To Data Breaches
Northeast Ohio ISACA
March 16, 2017
800.314.4357 | www.VestigeLtd.com | Responsiveness, Speed & Availability Reliability Knowledge | Copyright ©2016 Vestige Ltd
Fire Statistics
• According to the NFPA
  • Educational
    • Average of 1,150 fires in elementary schools annually
    • 16 civilian injuries on average each year (elementary)
    • 1 civilian death per year (elementary school)
  • Compared to All Fires
    • Civilian Injury every 34 minutes (15,400+ annually)
    • Civilian Death every 2 hours & 40 mins (3,275+ annually)
Effectiveness of Fire Drills
• Compare & Contrast to 9/11 WTC (UCSF, Gershon)
  • 94% of occupants had NEVER exited buildings as part of a drill
  • 84% had NO PLANS for gathering after evacuating
  • 82% were never provided evacuation plans
  • 11% of occupants had entered a stairwell as part of a fire drill
• Morgan Stanley
  • Had a plan. Practiced 2x per year
  • ALL but 13 employees out of 2500+ employees survived
Preparedness in CyberSecurity
If we observe that preparedness works in other disasters…
Why would we not prepare for CyberSecurity?
GASP
• Getting
• And
• Staying
• Prepared
Planning CyberSecurity: Why We Are Approaching It Wrong
Technology
• Poll:
  • Have a CyberSecurity BUDGET?
  • Implement the latest in:
    • Firewall Technology (NextGen Firewall)
    • IDS / IPS / SIEM
    • DLP
  • Believe CyberSecurity is an Arms-Race?
We Are All a Target
• 62% of Cyberattacks are at mid-size & small businesses
• 34,529 Security Incidents / day
  • 12.6 million / year
• 28.9 million businesses
  • 1 in 2.3 businesses
• More than 822 million records compromised
Is IT Security an IT Issue?
• Top Means of CyberAttacks in 2016
  • Phishing
  • Malware
• Number of Consecutive Years these have been the Top vector?
  • 8
• Percentage of Phishing E-mails Opened by Receiver?
  • 30%
• Percentage of users clicking on links?
  • 12%
Is IT Security an IT Issue?
Video: Amazing mind reader reveals his ‘gift’
https://www.youtube.com/watch?v=F7pYHN9iC9I
Prevention or Discovery?
• CyberSecurity Industry is $75B with majority being preventative technologies
• Gartner Group predicts trend to Detection & Responding at 40% in 2018 up from 0% today
Knock, Knock…It’s the FBI
• When, Not If
“The majority of data breach victims surveyed, 81 percent, report they had neither a system nor a managed security service in place to ensure they could self-detect data breaches, relying instead on notification from an external party. This was the case despite the fact that self-detected breaches take just 14.5 days to contain from their intrusion date, whereas breaches detected by an external party take an average of 154 days to contain.”
– “2015 Trustwave Global Security Report” | Trustwave
Change in Legal Tide
• Increase in number of regulations
  • GLBA, HIPAA, PCI DSS, FERPA, FISMA, CFTC Red Flags, FINRA, CFPB’s entry under UDAAP prohibition, FTC via GLBA’s Safeguards Rule, FCC for ISPs and other covered entities, DFARS, NHTSA, FDCA, NAIC, NY Dept of Financial Services, FERC’s CIP and the list goes on and on
• Can’t prove…You must assume!
• Notification Duties
  • Timeframe (30? 45? 60? – Reasonable?)
Costs
• Ponemon Institute Report – 2016
  • $7.01 million average cost
    • 65% is indirect costs
    • 35% is direct, including investigating, containing & remediating
  • Up 7% from 2015
  • $221 per record (2% increase)
Costs
• Factors that Helped Lower Cost:
  • Extensive use of encryption
  • Employee training
  • Implementation of DLP
• Factors that Increased Cost:
  • Industry
  • Malicious actor vs negligence
  • Third Party Errors
  • Extensive Cloud Migration
  • Rush to notify
Other Expenses
• Loss of Revenue (average $4m)
• Notification
• Call Center
• Credit Monitoring
• Public Relations
• Legal
• Upstream-Downstream Liability
Getting And Staying Prepared: A Practical Guide to Shifting Our Approach
The 4 Most Important Questions
1. How Bad is the Breach?
2. How Did it Occur?
3. Do We Need to Disclose?
4. How Do We Know We Have It Cleaned Up?
The Big Win!
1. Understanding our Risks & Control Environments
2. Having the Right Things In-Place
3. Practicing
4. Vigilance
5. Active Pursuit
Understanding the Control Environment
• Risk Assessment
• Audit
  • Compliance-based
• Framework
Frameworks
• ISO/IEC 27000 Series
  • One of the most widely referenced & discussed security models
  • Some controversy over adoption & usefulness – completeness of model
Frameworks
• ISO/IEC 27002:2013 Sections (114 controls)
  • Structure
    • Security policy
    • Organization of Information Security
    • Asset Management
    • HR Security
    • Cryptography
    • Physical/Environmental Security
    • Communications & Operations Management
    • Access Controls
    • Information Systems acquisition, development & maintenance
    • Supplier Relationships
    • Information Security Incident Management
    • Business Continuity
    • Compliance
Frameworks
• NIST CyberSecurity Framework
  • 5 Framework Core Functions
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover
  • Customizable to organization’s own needs
  • Approx. 100 controls
Frameworks
• NIST CyberSecurity Framework
Frameworks
• ISACA: Cybersecurity: Based on the NIST Cybersecurity Framework
  • Announced January 2017
  • Aligns NIST CSF with COBIT 5
Frameworks
• CIS Controls
  • Center for Internet Security
  • Embraces the Pareto Principle – i.e. prioritized based upon impact
  • Claim to Fame:
    • Organizations implementing just the Top 5 Controls reduce risk of exposure by 85 percent
    • Organizations implementing all 20 Controls reduce risk by 94%
Frameworks
• CIS Controls
  • Really like their published benchmarks and roadmaps for hardening specific assets
    • Including pre-hardened VMs for Amazon (AMIs)
Frameworks
Which should you use?
Having the Right Things In-Place
• Log Management
  • Logging the right things
  • Cautious with rollover
  • Keeping them long enough
  • Capturing enough granularity
• Security Awareness Training
  • Regularly recurring
  • “drip campaign”
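The log-management bullets above (cautious with rollover, keeping logs long enough) as an added example, not code from the presentation: it estimates how many days of history a size-based rotation scheme actually keeps at the observed write rate and flags sources that would not cover the 154-day external-detection window quoted from the Trustwave report earlier in the deck. All log sources, sizes and sample lines are constructed.

```python
"""Does size-based log rollover keep enough history to cover the dwell time?

Added example; the 154-day figure is the Trustwave number quoted on an earlier
slide (breaches detected by an external party took 154 days to contain).
Every source, size and log line below is constructed, not real data."""
from dataclasses import dataclass

EXTERNAL_DETECTION_DAYS = 154  # Trustwave 2015 figure cited in the deck


@dataclass
class LogSource:
    name: str
    max_file_bytes: int    # rollover threshold for one log file
    files_kept: int        # rotated files retained before the oldest is deleted
    bytes_per_day: float   # observed daily volume for this source


def retained_days(src: LogSource) -> float:
    """Days of history the rotation scheme keeps at the observed volume."""
    if src.bytes_per_day <= 0:
        return float("inf")          # nothing written, so nothing rolls over
    return src.max_file_bytes * src.files_kept / src.bytes_per_day


def daily_volume(log_text: str) -> float:
    """Average bytes written per calendar day, from ISO-8601-prefixed lines."""
    by_day = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day = line[:10]              # 'YYYY-MM-DD' prefix of the timestamp
        by_day[day] = by_day.get(day, 0) + len(line.encode()) + 1  # +1 for newline
    return sum(by_day.values()) / len(by_day) if by_day else 0.0


def retention_gaps(sources, required_days=EXTERNAL_DETECTION_DAYS):
    """(name, retained_days, required_days) for each source that falls short."""
    return [(s.name, round(retained_days(s), 1), required_days)
            for s in sources if retained_days(s) < required_days]


# Constructed sample: two days of an auth log, used only to estimate volume.
SAMPLE_AUTH_LOG = """\
2017-03-10T08:01:02Z sshd[1021]: Accepted publickey for alice from 10.0.0.5 port 51022
2017-03-10T08:05:17Z sshd[1030]: Failed password for invalid user admin from 10.0.0.9 port 40210
2017-03-11T02:14:55Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx
2017-03-11T09:30:00Z sshd[1102]: Accepted password for bob from 10.0.0.7 port 50311
"""

if __name__ == "__main__":
    sources = [
        LogSource("firewall", 10 * 1024 * 1024, 5, 2 * 1024 * 1024),    # 25 days
        LogSource("domain-controller", 1024 ** 3, 30, 100 * 1024 ** 2),  # ~307 days
        LogSource("auth", 5 * 1024 * 1024, 10, daily_volume(SAMPLE_AUTH_LOG)),
    ]
    for name, have, need in retention_gaps(sources):
        print(f"{name}: retains ~{have} days, needs {need}")
```

Feed `daily_volume` a representative slice of each real source and the rotation settings from its logrotate or event-log configuration; a source that shows up in `retention_gaps` is one whose evidence will have rolled over before an externally reported breach is investigated.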
Having the Right Things In-Place
• Someone Accountable for CyberSecurity
• Written Information Security Program (WISP)
  • Compliance (i.e. 201 CMR 17 – Massachusetts, PCI, HIPAA, etc)
  • Insurance purposes
• CyberLiability Insurance
Having the Right Things In-Place
• Incident Response Plan
  • Simple to follow
  • Detailed enough that non-technical staff can carry it out
  • “Triage” based upon specific types of incidents
• Ability to capture volatile, temporal data
  • Trample-free
  • Memory (RAM)
  • Content AND Artifacts
Having the Right Things In-Place
• Pre-Negotiated Agreements
  • Legal
  • Breach Notification
  • Credit Monitoring
  • Call Center
  • Public Relations
Practicing
• Tabletop Exercises
• Red Team / Blue Team / Purple Team Exercises
Staying Vigilant
• Review Audit Programs – Implement Best Practices
  • Review of Authorized Users
  • Review & Signoff of ACLs
  • Review Firewall & Router Configs
  • Ensure Change Management is being followed
  • Automated Network Discovery / Rogue Device ID
  • Password Audit – of ALL Devices
  • Trusted Entity Review
Active Pursuit
• Hunt Team
GASP
1. Understanding our Risks & Control Environments
2. Having the Right Things In-Place
3. Practicing
4. Vigilance
5. Active Pursuit
Conclusion
Q&A
Damon S. Hacker, MBA, CCE, CISA
Vestige Digital Investigations
Cleveland | Columbus | [email protected]
CSX: THE ROADMAP
ISACA AND CSX AT THE FOREFRONT
ISACA and CSX are Leaders in Cybersecurity Career Management
• Cybersecurity is a natural extension building on how ISACA has evolved to serve the needs of professionals worldwide
• ISACA collaborates with leading global governments and organizations at the center of cybersecurity
• Through CSX, ISACA is providing the first holistic program for cybersecurity career progression
OUR SOLUTION
CSX Is Providing a Single Source for Cybersecurity Professionals: our holistic program will be the first and only “one stop shop” providing a complete solution and covering the full career lifecycle.
Credentialing and Training
Education/ Conferences
Membership Resources/ Publications
Career Management
CAREER PATH: CYBERSECURITY CERTIFICATIONS
www.isaca.org/csx-certifications
CSX training and certifications offered for skill levels and specialties throughout a professional’s career.
CAREER PATH: CYBERSECURITY CERTIFICATIONS
CSX Practitioner—Demonstrates ability to serve as a first responder to a cybersecurity incident following established procedures and defined processes. (1 certification, 3 training courses; prerequisite for CSX Specialist)
CSX Specialist—Demonstrates effective skills and deep knowledge in one or more of the five areas based closely on the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond and Recover. (5 certifications, 5 training courses; requires CSX Practitioner)
CSX Expert—Demonstrates ability of a master/expert-level cybersecurity professional who can identify, analyze, respond to, and mitigate complex cybersecurity incidents. (1 certification, 1 training course; no prerequisites required)
Certified Information Security Manager certification (25,000+ professionals certified since inception; named the second-highest-paying certification by Global Knowledge’s 2015 IT Skills and Salary Survey; 5+ years experience required)
Cybersecurity Fundamentals Knowledge Certificate
• Knowledge-based exam for those with 0 to 3 years experience
• Foundational level covers five domains:
  1) Cybersecurity concepts
  2) Cybersecurity architecture principles
  3) Security of networks, systems, applications and data
  4) Incident response
  5) Security implications related to adoption of emerging technologies
The exam will be offered online and at select ISACA conferences and training events. The first is in September.
The content aligns with the US NICE
51 | 3/17/2017
Career path
• 0-3 years: Cybersecurity Fundamentals Certificate (no experience required; must pass knowledge-based exam)
• 3-5 years: Cybersecurity practitioner-level certification
• 5+ years: Certified Information Security Manager certification (25,000+ professionals certified since inception)
CSX Elements
AVAILABLE NOW Cybersecurity Fundamentals Certificate (workshops and exams taking place in Q3; first workshop sold out)
Transforming Cybersecurity Using COBIT 5
Responding to Targeted Cyberattacks
Advanced Persistent Threats: Managing the Risks to Your Business
APT data
Cybersecurity webinars and conference tracks (six-part webinar series begins in June)
Cybersecurity Knowledge Center community
COMING SOON Mentoring Program
Implementation guidance for NIST’s US Cybersecurity Framework (which incorporates COBIT 5) and the EU Cybersecurity Strategy
Cybersecurity practitioner-level certification (first exam: 2015)
Cybersecurity training courses
SCADA guidance
Digital forensics guidance
CSX Practitioner
• Entry Level, practitioner route
• Requirements:
  • Pass the CSX Practitioner Exam
  • Comply with Code of Professional Ethics
• Resources Available:
  • Training Courses
    • Identification & Protection
    • Detection
    • Respond and Recover
CSX Practitioner
• Exam
  • Fee: Members - $540, Non-Members $725
  • Special of $375 until 12/15/15
  • “Hands-on” in a cyberlab environment
  • Working knowledge of Linux and Windows
• Continuing Education
  • 3 Year Certification
  • 30 CPEs, with 24 of those being skills-based training & labs (annually)
  • Retake Certification Exam in year 3
CSX Specialist
• CSX Practitioner, followed by specialization in:
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
CSX Specialist
• Training Classes (5-Day)
• Pass corresponding Exam for specialty desired
• Fees: Member - $590, Non-Member-$775
• Continuing Education:
  • 30 CPEs, with 24 being skills-based training & labs
  • Recertification test in year 3
CSX Expert
• Mastery of even the most complex cyber security incidents
• Certification
  • Pass the CSX Expert Exam
  • Fees: Members - $640, Non-Member $825
  • 30 CPEs with 24 from skills-based training & labs
  • Retake examination in year 3
Gauging Interest
Number of people / companies interested in obtaining:
• CSX Fundamental Certification?
  • 2-Day Chapter-Based training
Q&A
Damon S. Hacker, MBA, CCE, CISA
Vestige Digital Investigations
Cleveland | Columbus | Pittsburgh | 330.721.1205