Threats to Nonprofits - Schneider Downs CPAs · 2014-08-20 · Verizon Data Breach Report –Other...
Cybersecurity Threats to Nonprofits
Chris Debo, Senior Manager, IT Audit
August 14, 2014
What is Cybersecurity?
• NIST definition: “The process of protecting information by preventing, detecting, and responding to attacks.”
  – Key: PROTECTING INFORMATION from:
    • Theft
    • Misuse
    • Manipulation
    • Damage
    • Loss
• Threats not limited to Internet hackers
  – Social engineering
  – Phishing
  – Disgruntled employees
  – Human error
Learning Objectives
1. Understand Cybersecurity
2. Assess Current State of Cybersecurity Threats
3. Effectively Assess Risk
4. Build and Execute a Plan to Mitigate Risk
5. Navigate Barriers to Success
6. How to Monitor and Evolve
7. Evaluate Need for Cybersecurity Insurance
What Cybercriminals Steal – And Why
• Bank credentials – Theft of funds
• Personally Identifiable Information (PII) – Identity theft
• Debit/credit card data – Access to credit, sale of data
• Intellectual property, data, other content – Blackmail, sale of data, avoid paying IP royalties, sabotage
Verizon Data Breach Report
Verizon Data Breach Report – Biggest Takeaways
• Employees at core of most attacks
  – Stolen credentials primary cause 80% of time
  – 78% of intrusions “relatively easy”
• Social engineering most common attack vector
  – Phishing
  – Gaining unauthorized physical access (“tailgating”)
  – Targeted telephone calls
  – Personal solicitation attempts
  – Distribution of rogue devices
  – “Dumpster diving”
Verizon Data Breach Report – Other Takeaways
• 92% of breaches came from outside the organization
  – 55% from organized crime
  – 19% affiliated with other state agencies
• 75% of breaches driven by financial motives
• 76% exploited weak or stolen credentials
• 69% discovered by external parties
• 66% took months or more to discover
• 75% of attacks were opportunistic (companies not targeted directly)
Verizon Data Breach Report – Industry Dispersion
Verizon Data Breach Report – Attack Origin
Verizon Data Breach Report – Malware Sources
Attackers’ Time to Exploit Vulnerability versus…
Source: Verizon Risk
…Organization’s Ability to Defend
Source: Verizon Risk
Notable Data Breaches in US History
• 2013 Target – 110 million customers (40 million credit cards)
• 2013 Adobe Systems – 130 million customers
• 2011 Sony – 77 million customers
• 2008 Heartland Payment Systems – 130 million customers
• 2007 TJX Companies – 94 million customers (46 million credit cards)
• 1984 TRW/Sears – 90 million customers
Source: CNN Money
Target Breach
Target Response to Hack
• Target had already deployed $1.6 million malware detection tool (FireEye).
  – Round-the-clock monitoring from security specialists in Bangalore
• November 30: FireEye detects loading of exfiltration software.
  – Target security team in Minneapolis notified
  – No action taken
• Mid-December: Security experts monitoring underground markets for stolen data detect large influx of credit card information.
  – US Department of Justice notified
• December 12: Target notified by Department of Justice of potential breach.
• December 15: Target confirms breach.
• December 19: Target releases public statement confirming breach.
• March 5: Target CIO Beth Jacob resigns
Target Control Failures
Target Breach – Inherent Flaws
• Flaws in system design
  – Lack of network segmentation
  – Lack of encryption of credit card data while stored in RAM
• Flaws in internal control
  – Lack of third-party oversight and compliance
  – Lack of monitoring and reaction
Is Your Organization Prepared?
Source: IIA Tone at the Top; April 2014
Information Security’s Role in Combatting Threats
• Design and implement security plan
• Respond to threats
• Maintain vigilance and level of knowledge
• Identify, understand and respond to changes in the operating environment
• Provide timely, accurate and complete information to Internal Audit
Management’s Role in Combatting Cyber Threats
• Set tone at the top
• Evaluate and approve strategy
• Assess and evaluate the functioning of plan
• Communicate findings and monitor remediation activities
• Build advisory relationship with IS
• Maintain frequent collaboration and interaction with IS
• Maintain level of diligence and knowledge about cyber security
Steps for an Effective Cybersecurity Strategy
1. Adopt a Framework
2. Understand the Environment
3. Assess Risk
4. Build and Implement a Cybersecurity Plan
5. Audit the Environment – Planning and Scoping
6. Audit the Environment – Execute the Audit
7. Identify/Remediate Vulnerabilities
8. Monitor/Refresh
1. Adopt a Framework - Examples
• ISO 27000 Series
• Department of Energy
  – Cybersecurity Capability Maturity Model (C2M2)
    • Electricity Subsector (ES-C2M2)
    • Oil and Gas Subsector (ONG-C2M2)
• National Institute of Standards and Technology (NIST)
  – Cybersecurity Framework
  – Roadmap for Improving Critical Infrastructure Cybersecurity
• National Initiative for Cybersecurity Education (NICE)
  – Capability Maturity Model (CMM)
• ISACA - Transforming Cybersecurity Using COBIT 5
1. C2M2 Maturity Levels
1. C2M2 – Recommended Approach
1. Areas Covered in C2M2
• Risk Management
• Asset, change, and configuration management
• Identity and access management
• Threat and vulnerability management
• Situational Awareness
• Information sharing and communications
• Event and incident response, continuity of operations
• Supply chain and external dependencies management
• Workforce management
• Cybersecurity program management
1. NIST Framework Objectives
1. NIST Framework Objectives - Continued
• Identify
  – Asset Management
  – Governance
  – Risk Assessment
• Protect
  – ITGCs (Access Control)
  – Awareness and Training
  – Data Security
  – Information/Asset Protection
  – Maintenance
  – Protective Technology
• Detect
  – Monitoring
• Respond
  – Planning
  – Communications
  – Analysis
  – Mitigation
• Recover
  – Improvement
1. NIST Framework Implementation
2. Understand the Environment
• Operating environment
• Hardware type and location
• Applications
• Databases
• File systems
• Security
• Network architecture
• Third-parties
• Middleware
2. Start with Asset Identification
• Identify all assets:
  – Databases
  – Files
  – Servers
  – Applications
  – Hardware
  – Web sites
• Asset classification
  – Location
  – Owner
  – Usage
  – Type
  – Status
  – Risk level
3. Assess Risk
• Identify risks (interviews, artifact review)
• Assign risk ranking
• Determine risk tolerance
• Address areas at or above threshold
• Isolate/note threats covered by standard ITGCs
• Look at external and internal threats, and differentiate between them
• Added emphasis on areas inherent to cybersecurity (see CSC)
• Identify recent/ongoing changes in the environment
3. Assessing Risk: Common Mistakes
• Not understanding the environment (see step 2)
• Avoiding unfamiliar technical content
• Underestimating the complexity of cybersecurity threats and/or overestimating internal audit’s knowledge of network architectures
• Not allocating sufficient time for a comprehensive review
• Making assumptions about IS’s level of knowledge/proficiency (taking them at their word)
3. Technical Proficiency: What’s Wrong With This Picture?
3. Typical Network Security Questions
• Security policy?
• Network diagram?
• Firewall and intrusion detection/prevention?
• DMZ?
• Anti-virus/malware?
• Server hardening standards?
• Vulnerability scan and penetration test performed?
• Logging and monitoring?
3. Enlisting the Help of Security Professionals
• Benefits of Utilizing External Specialists
  – Cost
  – Expertise
  – Independence
  – Ability to focus
  – Benchmarking relative to other organizations
• Assessing Specialist Ability
  – Certifications
  – Examples
  – Experience
  – References
4. Build a Plan - Utilize Existing Control Frameworks as a Guide
Council on Cybersecurity Top 20 Critical Security Controls (v5)

| Area | Critical Security Control |
| --- | --- |
| Asset Management | 1. Inventory of Authorized and Unauthorized Devices |
| | 2. Inventory of Authorized and Unauthorized Software |
| Monitoring and Response | 3. Maintenance, Monitoring, and Analysis of Audit Logs |
| | 4. Incident Response and Management |
| Wireless/BYOD | 5. Wireless Device Control |
4. Utilize Existing Control Frameworks as a Guide (cont)
Council on Cybersecurity Top 20 Critical Security Controls (v5)

| Area | Critical Security Control |
| --- | --- |
| Logical Access | 6. Limitation and Control of Network Ports, Protocols, and Services |
| | 7. Controlled Use of Administrative Privileges |
| | 8. Controlled Access Based on the Need to Know |
| | 9. Account Monitoring and Control |
| Network Design | 10. Boundary Defense |
| | 11. Secure Network Engineering |
4. Utilize Existing Control Frameworks as a Guide (cont)
Council on Cybersecurity Top 20 Critical Security Controls (v5)

| Area | Critical Security Control |
| --- | --- |
| Server and Device Hardening | 12. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers |
| | 13. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches |
| Human Resources | 14. Security Skills Assessment and Appropriate Training to Fill Gaps |
4. Utilize Existing Control Frameworks as a Guide (cont)
Council on Cybersecurity Top 20 Critical Security Controls (v5)

| Area | Critical Security Control |
| --- | --- |
| Vulnerability and Pen Testing | 15. Continuous Vulnerability Assessment and Remediation |
| | 16. Penetration Tests and Red Team Exercises |
| Application Security | 17. Malware Defenses |
| | 18. Application Software Security |
| Data Management | 19. Data Recovery Capability |
| | 20. Data Protection |
4. Align Control Objectives with Controls
Control Objective: Attacks and breaches are identified and treated in a timely and appropriate manner.
Controls:
• Confirm monitoring and specific technical attack recognition solutions.
• Assess interfaces to security incident management and crisis management processes and plans.
• Evaluate the timeliness and adequacy of attack response.
4. Categorize Controls Based on Type of Risk
Source: ISACA
4. Categorize Controls Further (Org. Example)
Source: ISACA
5. Audit - Planning and Scoping
• Define the scope and clear boundaries
  – Vulnerability and penetration testing?
• Elaborate on audit objectives by adding audit activities
• Break down into manageable audits and reviews
• Allocate resources responsible for audit execution
  – Align skills/experience to risk and activity
  – Allot sufficient time to perform a comprehensive review based on risk
6. Perform the Audit
• Communicate high/critical findings immediately
• Look for changes/deviations from the expected state
• Collaborate with IS but don’t let them know exactly when certain tests will be performed
• Review with IS as-you-go
6. Useful Network Assessment Tools
• Netcraft.com (website IP address and configuration)
• NMAP (network address and port scanner)
• Nipper (firewall/appliance configuration scan)
• Vulnerability Scanners
  – PCAT
  – Nessus
  – Nexpose
  – OpenVAS
• Penetration Test
  – Metasploit
  – w3af
• Iasa.disa.mil/stigs (Security Technical Implementation Guides)
• Nist.gov
  – Security Configuration Checklists Program
  – National Vulnerability Database
7. Identify/Remediate Vulnerabilities
• Review with IS and validate finding
• Assign risk rating
• Develop a remediation plan with IS
  – Establish action plan
  – Assign responsibility
  – Assign timeline
• Update documentation/communication as necessary
• Review findings with management
8. Monitor/Refresh
• Evaluate IS compliance with established action plans
• Communicate deviations from action plans with management
• Monitor existing IS and business activities that may impact action plans or inherent risks
• Strive for continuous monitoring to ensure rapid communication and remediation cycles
8. Static Compliance Model
8. Continuous Compliance
Recommendations - Tone at the top
Create and reinforce the perception/understanding of cybersecurity threats
• Established, supported and communicated by senior management
• Establish awareness that controls and processes have been specifically designed to prevent attacks
  – New hire orientation
  – Ongoing awareness and communication
  – Visible to the organization
Recommendations - Protecting Your Network
• Restrict Remote Access
• Enforce Password and Lockout Policies
• Block Malicious Web Content
• Deploy Anti-Virus Software
• Monitor Network Activity
• Educate Employees
• Restrict and Review User Access
Protecting Your Network - Continued
• Encrypt Devices
• Harden Your Servers and Workstations
• Network Security Best Practices
  – Firewall
  – Segmentation
• Perform Independent Assessment of Network Vulnerabilities
• Monitor and Evaluate Third-Party Service Providers
Other Recommendations
• Educate and involve the audit committee
• Integrate cyber risk strategy into the organization’s strategic plan
• Have a team dedicated to managing cyber threats
• Automate as much as possible
• Collaborate internally AND externally
• Evaluate the need for insurance as a “safety net” to other internal and external safeguards
What is a privacy incident going to cost me?
Summary of Ponemon Institute’s 2012 Annual Cost of a Data Breach Report:
• Average cost and per record cost declined for the first time but remain significant, $5.5 million and $194, respectively.
• Direct costs are estimated at $59 per record (legal counsel, notification letters, credit monitoring, etc.). The primary driver is legal defense costs.

| Cost by industry class | Per record |
| --- | --- |
| Average | $194 |
| Education | $112 |
| Retail | $185 |
| Healthcare | $301 |
| Financial Institutions | $353 |
Data Breach Calculator/Cat. Modeling Tool
Number of Records Lost/Stolen: 1,000,000 in States Requiring Notification
Data Taken: Social Security Numbers
Number of Years of Credit Monitoring: 1 Year

| Type of Breach Expense | Estimated Expense Amounts | Estimated Total Cost |
| --- | --- | --- |
| eDiscovery Litigation | $100,000 + $1 per Record | $1,100,000 |
| Forensics Investigation | $20,000 + $20 per Record | $220,000 |
| Public Relations | $20,000 Flat Rate Estimate | $20,000 |
| Call Center | 1M * $0.50 per person * 15% | $75,000 |
| Attorney Review of State Notification laws and State AG’s | Flat Rate Estimate | $10,000 |
| Notification of 1M persons | 1M * $1 per person | $1,000,000 |
| Optional Credit Monitoring | 1M * $10 per person * 15% (Avg. of only 10%-20% accept it) | $1,500,000 |
| ID Fraud Remediation | 1M * $1 per person | $1,000,000 |
| AG Fines & Penalties | Average $100 to $300 per Record with a Cap. of $500,000 | $500,000 |
| FTC Fines and Penalties | Estimate based upon required audits for 10 years at $75k per Audit | $750,000 |
| PCI Fines | $1.62 per Record | $1,620,000 |
| Legal Defense/Damages | $5 per Record | $5,000,000 |
| Total Cost | | $12,795,000 |
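The calculator above is a cost model made of fixed fees, per-record rates, one capped fine and two uptake percentages. As an added example (not code from the deck), the Python below re-implements those line items as a function of record count so the cap and uptake assumptions can be varied and the fixed-cost floor on small breaches becomes visible. One labelled assumption: the slide prints the forensics rate as "$20 per Record", but its own $220,000 line total for 1,000,000 records only works at $0.20 per record, so that rate is used here.

```python
"""Breach-cost model from the Data Breach Calculator slide.

Added worked example, not code from the original deck. Every rate and fixed
fee is the slide's, except the forensics per-record rate (see below).
"""

from typing import Dict


def breach_cost(records: int,
                monitoring_uptake: float = 0.15,   # slide: only 10%-20% accept
                call_center_rate: float = 0.15,    # share of persons who call
                ag_per_record: float = 100.0,      # slide: $100 to $300 per record
                ag_cap: float = 500_000.0,         # slide: capped at $500,000
                audit_years: int = 10,             # FTC: audits for 10 years
                audit_cost: float = 75_000.0) -> Dict[str, float]:
    """Return each expense line from the slide plus the grand total."""
    items = {
        # $100,000 + $1 per record
        "ediscovery_litigation": 100_000 + 1.00 * records,
        # $20,000 + $0.20 per record. ASSUMPTION: the slide prints $20, but
        # its stated total ($220,000 for 1M records) only works at $0.20.
        "forensics_investigation": 20_000 + 0.20 * records,
        "public_relations": 20_000.0,                      # flat rate
        "call_center": records * 0.50 * call_center_rate,  # $0.50 per caller
        "attorney_review": 10_000.0,                       # flat rate
        "notification": 1.00 * records,                    # $1 per person
        "credit_monitoring": records * 10.00 * monitoring_uptake,
        "id_fraud_remediation": 1.00 * records,            # $1 per person
        # State AG fines: per-record amount, but capped
        "ag_fines": min(ag_per_record * records, ag_cap),
        # FTC: required audits for audit_years at audit_cost each
        "ftc_fines": audit_years * audit_cost,
        "pci_fines": 1.62 * records,                       # $1.62 per record
        "legal_defense": 5.00 * records,                   # $5 per record
    }
    items = {name: round(value, 2) for name, value in items.items()}
    items["total"] = round(sum(items.values()), 2)
    return items


def cost_per_record(records: int, **assumptions) -> float:
    """Total cost divided by record count. The flat fees and the fixed FTC
    audit cost mean small breaches cost far more per record than large ones."""
    return breach_cost(records, **assumptions)["total"] / records


if __name__ == "__main__":
    for n in (2_000, 100_000, 1_000_000):
        c = breach_cost(n)
        print(f"{n:>10,} records: total ${c['total']:>14,.2f}  "
              f"AG fines ${c['ag_fines']:>10,.2f}  "
              f"per record ${cost_per_record(n):,.2f}")
```

Running it with the slide's 1,000,000 records reproduces the $12,795,000 total; at 2,000 records the AG fine is no longer capped but the fixed fees push the per-record cost above $500.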
Unplanned Cash Flows & Insurability
• State and/or federally mandated notification costs
• Brand preservation:
  – Voluntary notification, credit monitoring, public relations expense
• Defense and indemnity expense from 3rd party allegations
• Regulatory defense costs
• Regulatory & PCI fines and penalties
• Forensic investigation, data restoration expenses, assets damage
• Business income loss & extra expense
Cyber/Privacy Liability Insurance Can Protect Against:
• Privacy violations – electronic and non-electronic
• Intellectual property infringement
• Security breaches
• Internet, network programming errors and omissions
• Business interruption causing loss of revenue and extra expense
• Destruction, disclosure and theft of electronic data
• Fines and penalties and punitive damages
• Post-Event crisis management expenses
• Regulatory defense, fines and penalties coverage
• Cyber extortion
Questions
Chris Debo, CISA
[email protected]
614-586-7108
Steven Earley, CISA, CISSP, CRISC, CFSA, ITILv3, MCP
[email protected]
614-586-7115