Presented by:
Carly Devlin
Ryan Peters
Moderated by:
Deidra Wiley
TODAY’S PRESENTERS
Carly Devlin, Managing Director, Columbus Office
Clark Schaefer Consulting
Ryan Peters, Practice Manager, Healthcare
Clark Schaefer Hackett
AGENDA
• Understanding Cyber Risk
• Cyber Threats
• Case Studies
• Managing Cyber Risk
• Cybersecurity Tools
• Questions
UNDERSTANDING CYBER RISK
What is Cyber Risk?
Any risk of financial loss, disruption, or damage to the reputation of an organization from a failure of its information technology systems.
Source: The Institute of Risk Management
▪ Failure to mitigate this risk may cause:
- Disruption of systems/business processes
- Loss of confidential data
- Financial loss
- Fraudulent reporting and metrics
- Damage to reputation
Cybersecurity Industry Facts
▪ Cyber Crime Damage: $6 trillion annually by 2021
▪ Cybersecurity Spending: Will exceed $124 billion in 2019
▪ Unfilled Cybersecurity Jobs: 3.5 million by 2021
▪ Human Attack Surface: 6 billion people by 2022
▪ Global Ransomware Damage Costs: Will reach $11.5 billion in 2019
Source: CSO
Cybersecurity Definitions
Threat: Circumstance or event with the potential to adversely impact organizational operations, organizational assets, and/or individuals, through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

| Threat Actors | Actor Motives |
| --- | --- |
| National Governments | Cyber warfare/espionage |
| Terrorist Groups | Spread terror |
| Organized Crime | Financial gain |
| Hacktivists | Political agenda |
| Hackers | Notoriety/financial gain |
| Insider Threats | Revenge/financial gain |
CYBER THREATS
Security Incident Survey
2018 Verizon Data Breach Report: Healthcare
▪ Frequency: 750 incidents, 536 with confirmed data disclosure
▪ Top 3 Patterns: Miscellaneous Errors, Crimeware, and Privilege Misuse represent 63% of incidents within Healthcare
▪ Threat Actors: 43% External, 56% Internal, 4% Partner, 2% Multiple Parties (breaches)
▪ Actor Motives: 75% Financial, 13% Fun, 5% Convenience, 5% Espionage (all incidents)
▪ Data Compromised: Medical (79%), Personal (37%), Payment (4%)
Our Clients: Most Common Cyber Threats
Phishing
Ransomware
Human Error
Software Vulnerabilities
Internet of Things (IoT)
Threat Horizon and Industry Outlook
▪ Ransomware continues to plague the Healthcare industry (accounts for 85% of all malware).
▪ Social attacks (phishing and pretexting) will continue to be a matter of concern for the healthcare industry.
▪ Laptops, other portable devices, and paper documents continue to consistently go missing from healthcare organizations each year.
CASE STUDIES
Attack #1 – HealthEquity
Attack Victim: HealthEquity
Attack Date: October 2018
Description: The data of about 190,000 customers was breached for about a month after a hack on two employee email accounts.
Cost: Unknown – class action lawsuit filed
Attack #2 – UnityPoint Health
Attack Victim: UnityPoint Health
Attack Date: March 2018
Description: A phishing attack on the health system’s business email system breached the data of 1.4 million patients. The email system was hit with a series of highly targeted phishing emails that looked as if they were sent from an executive within the organization.
Cost: Unknown – class action lawsuit filed
Attack #3 – Health Management Concepts
Attack Victim: Health Management Concepts
Attack Date: July 2018
Description: A ransomware attack on HMC quickly turned into a data breach, when hackers were inadvertently provided a file containing personal data of 502,416 members.
Cost: Unknown
Attack #4 – LifeBridge Health
Attack Victim: LifeBridge Health
Attack Date: September 2016
Description: The health system learned of the data breach of 500,000 patients in March 2018 after discovering malware on a server that hosts EMR data for the system’s affiliated physician group and the shared registration and billing system for other LifeBridge providers.
Cost: Unknown – class action lawsuit filed
MANAGING CYBER RISK
Managing Cyber Risk
Mitigation vs. Elimination of Risk
New Healthcare Cybersecurity Guidance
▪ December 28, 2018 – HHS announced the release of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” guidance.
▪ Includes suggested practices for small, medium, and large organizations
▪ Focuses on 5 primary cyber threats to the healthcare industry and identifies best practices to address each:
– Phishing Attacks
– Ransomware Attacks
– Loss or Theft of Equipment or Data
– Insider, Accidental or Intentional Data Loss
– Attacks Against Medical Devices That May Affect Patient Safety
Use of a Security Framework
A series of documented processes that are used to define policies and procedures
around the implementation and ongoing management of information security controls
in an enterprise environment.
Security Frameworks
ISO
NIST
ISO/IEC 27001:2013
▪ Established by:
The International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC)
▪ Designed to:
Provide requirements for an information security management system (ISMS)
▪ Overview:
Specifies the requirements for establishing, implementing, maintaining, and continually
improving an information security management system within the context of an
organization. It also includes requirements for the assessment and treatment of
information security risks tailored to the needs of the organization. The requirements are
intended to be applicable to all organizations, regardless of type, size, or nature.
NIST Cybersecurity Framework
▪ Established by:
The National Institute of Standards and Technology (NIST)
▪ Designed to:
Be a US government-ordered cybersecurity framework
▪ Overview:
A structure for the nation’s financial, energy, healthcare, and other critical systems to
better protect their information and physical assets from cyber attack. NIST provides a
common language with which to address and manage cyber risk in a cost-effective way
based on business needs, without additional regulatory requirements.
NIST Cybersecurity Framework (CSF)
▪ Three Parts:
– Framework Core
– Framework Implementation Tiers
– Framework Profiles
Allows organizations to:
▪ Describe current cybersecurity posture
▪ Describe target state for cybersecurity
▪ Identify and prioritize opportunities for improvement
▪ Assess progress towards target state
▪ Communicate using common language among internal and external
stakeholders about cybersecurity risk
CSF Core
CSF Tiers/Profiles
▪ Tiers
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
▪ Profiles
– Current profile (“as is”)
– Target profile (“to be”)
![Page 28: Presented by · SP 1800-4 November 2015 Mobile Device Security: Cloud and Hybrid Builds SP 1800-5 October 2015 IT Asset Management: Financial Services SP 1800-6 November 2016 Domain](https://reader036.fdocuments.us/reader036/viewer/2022081607/5ed2deabe4da3f772200d1f3/html5/thumbnails/28.jpg)
CSF – Applying the Framework
1. Prioritize & scope
2. Orient
3. Create a current profile
4. Conduct a risk assessment
5. Create a target profile
6. Determine, analyze & prioritize gaps
7. Implement action plans
(Diagram: the seven steps form a repeatable cycle)
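Steps 3 to 7 above (current profile, risk assessment, target profile, gap prioritization, action plan) worked through in code. This is an added example, not material from the deck or from NIST: the CSF 1.1 category identifiers are real, but the tier scores, risk ratings and budget are constructed sample data, and scoring each category on the 1 to 4 tier scale is an assumed simplification of how profiles are usually expressed.

```python
# Added example (not from the deck): a current-vs-target CSF profile gap analysis.
# CSF 1.1 category ids (ID.AM, PR.AC, ...) are real; all scores are constructed,
# and per-category tier scoring is an assumed simplification.
from dataclasses import dataclass

# Implementation tiers as listed on the "CSF Tiers/Profiles" slide
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Step 3: current profile ("as is") -- constructed sample data
CURRENT = {"ID.AM": 1, "PR.AC": 2, "PR.AT": 1, "PR.DS": 2, "DE.CM": 1, "RS.RP": 2, "RC.RP": 3}
# Step 4: risk assessment output, 1 (low) to 5 (high) per category -- constructed
RISK = {"ID.AM": 4, "PR.AC": 5, "PR.AT": 5, "PR.DS": 4, "DE.CM": 3, "RS.RP": 3, "RC.RP": 2}
# Step 5: target profile ("to be") -- constructed
TARGET = {"ID.AM": 3, "PR.AC": 3, "PR.AT": 3, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}


@dataclass(frozen=True)
class Gap:
    category: str
    current: int
    target: int
    risk: int

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Gap size weighted by assessed risk: a large gap in a high-risk area sorts first.
        return self.size * self.risk


def _check_tier(category: str, tier: int) -> None:
    if tier not in TIERS:
        raise ValueError(f"{category}: tier {tier} is not one of {sorted(TIERS)}")


def analyze_gaps(current: dict, target: dict, risk: dict) -> list:
    """Step 6: categories whose target tier exceeds the current tier, highest priority first."""
    gaps = []
    for category, wanted in target.items():
        if category not in current or category not in risk:
            raise KeyError(f"{category} missing from current profile or risk assessment")
        _check_tier(category, current[category])
        _check_tier(category, wanted)
        if wanted > current[category]:
            gaps.append(Gap(category, current[category], wanted, risk[category]))
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


def action_plan(gaps: list, budget: int) -> list:
    """Step 7 input: fund tier steps in priority order until the budget (in tier steps) is spent.
    Returns (category, from_tier, to_tier) tuples; a gap may be only partly funded."""
    plan, remaining = [], budget
    for gap in gaps:
        steps = min(gap.size, remaining)
        if steps == 0:
            break
        plan.append((gap.category, gap.current, gap.current + steps))
        remaining -= steps
    return plan


def describe(gap: Gap) -> str:
    return f"{gap.category}: {TIERS[gap.current]} -> {TIERS[gap.target]} (risk {gap.risk}, priority {gap.priority})"


if __name__ == "__main__":
    found = analyze_gaps(CURRENT, TARGET, RISK)
    for g in found:
        print(describe(g))
    print(action_plan(found, budget=4))
```

Re-running the analysis after each funded step is what makes the cycle repeatable: the updated current profile becomes the input for the next pass.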
CSF – Benefits and Challenges
▪ Benefits:
– Voluntary
– Expose new risks
– Sharing, collaboration
– Layered approach
▪ Challenges:
– Not “set it and forget it”
– Requires “buy-in”
– Communicating risks
– Large, complex organizations
– Lack of quantifiable metrics
OTHER CYBERSECURITY TOOLS
NIST 800-53
▪ Security and Privacy Controls for Federal Information Systems
and Organizations
▪ 18 security areas
– Management/enterprise
– Operational
– Technical
▪ 8 privacy areas
NIST 800-53: Example Control
NIST 800-53: Benefits and Challenges
▪ Benefits:
– Comprehensive
– Supplemental guidance useful
– Baselines allow risk-based approach
– Supported by 53A, allowing for corresponding assessment
– Cross references throughout and to other NIST SPs
▪ Challenges:
– Comprehensive! (Complex)
– Focus on Federal systems
• Private entities? State/Local government?
– Focus on information systems
• IoT devices, industrial control systems, weapons systems
NIST 800-61: Computer Security Incident Handling Guide
▪ Organizing a Computer Security Incident Response Capability
- Understanding Events and Incidents
- Incident Response Policy, Plan, Procedures
- Incident Response Team Structure
▪ Handling an Incident
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
NIST 800-61: Benefits and Challenges
▪ Benefits:
- Easy to understand for detecting, analyzing, prioritizing, and handling incidents
- Provides checklists, scenarios, examples, recommendations
▪ Challenges:
- Less focus on establishing an incident response program
- Doesn’t provide a specific template for an Incident Response Policy or Plan
1800 Series: Cybersecurity Practice Guides
SP 1800-1 July 2015 Securing Electronic Health Records on Mobile Devices
SP 1800-2 August 2015 Identity and Access Management for Electric Utilities
SP 1800-3 September 2015 Attribute Based Access Control
SP 1800-4 November 2015 Mobile Device Security: Cloud and Hybrid Builds
SP 1800-5 October 2015 IT Asset Management: Financial Services
SP 1800-6 November 2016 Domain Name Systems-Based Electronic Mail Security
SP 1800-7 February 2017 Situational Awareness for Electric Utilities
SP 1800-8 May 2017 Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
SP 1800-9 August 2017 Access Rights Management for the Financial Services Sector
SP 1800-10 Not yet released Identity and Access Management
SP 1800-11 September 2017 Data Integrity: Recovering from Ransomware and Other Destructive Events
SP 1800-12 September 2017 Derived Personal Identity Verification (PIV) Credentials
QUESTIONS?
Carly Devlin, Managing Director
Clark Schaefer Consulting
Ryan Peters, Practice Manager, Healthcare
Clark Schaefer Hackett
THANK YOU!