
  • 5/23/18

    1

    Traina & Associates is an authorized trade name of Capin Technology LLC, a subsidiary of Capin Crouse LLP.

    Corporate Customer Training

    Allison Davis, CPA, CISSP, CISA

    Overview

    • Cyber World

    • Top Challenges

    • CATO

    • Simple Steps to Cybersecurity

    Cyber World

    Cyber everything!

    Internet of Things (IoT)

    • Set and forget

    • Security?

    • Example:

      • Fish tank used to hack a casino!

    Cybersecurity Defined

    Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack

    ~ Merriam-Webster

    Ten Years Ago…

    Today…

    In the News

    • Data breach May 2017 (discovered July 2017)

    • 143 million US consumers (almost half the population)

    • Names, SSN, birth dates, addresses, driver's license numbers, credit card numbers (209,000)

    • Offered free credit monitoring for a year

    WannaCry

    • May 2017

    • Ransomware and worm

    • 200,000 computers in 150 countries affected

    • Hospitals, banks, telecom companies, etc.

    • Demand $300 in Bitcoin PER computer

    • Only affected Microsoft Windows computers

    • Microsoft released the patch in MARCH 2017!

    Bitcoin

    • February 2018

    • 150 million MyFitnessPal accounts

    • Usernames, email addresses, scrambled passwords

    • MyFitnessPal users required to change passwords

    The Dark Web

    • Intended

      • Corporate whistleblowers

      • Political dissidents

      • Government-controlled journalists

    • By-product

      • Data for sale (PII, credit card numbers, etc.)

      • Media exchange for pedophiles, terrorists, etc.

    Social Engineering

    Top Challenges

    Areas of Concern

    Mobile Devices

    • Mobile phones

    • Smart phones

    • Tablets

    • Laptops

    • Smart watches

    Mobile Device Uses

    Concerns

    • Subject to same security threats as computers

    • BYOD – corporate data is often on personal devices

    • Possibly next big area for security breaches

    • Fraud will likely only increase

    Cloud Computing

    • Increased CPU

    • Increased disk space

    • No hardware costs

    • No maintenance required

    • Access anywhere, anytime!

    Types of Cloud Computing

    • Public

    • Private

    • Hybrid

    Areas of Concern

    • Where is data?

    • Encryption options

    • Authentication options

    • Accessibility of data in vendor outage

    • Ramifications of cloud vendor breach

    User Behavior

    Biggest User Related Issues

    • Social Engineering

      • Phishing, vishing, smishing, pharming, whaling

    • CATO

    • Passwords

    • Email

    • Lack of training/awareness

    Phishing

    • Info used from other breaches

    • Spear-phishing

    • CEO fraud/Whaling

    • Pre-texting

    • Studies show 8-10% of employees click; 15% of victims take the bait a second time

    • Only 20% report clicking

    One click… that’s all it takes!

    Malware

    Ransomware

    • Ransomware-as-a-Service (RaaS)

    • Time limits until file deletion

    • Ransoms increase over time

    • Ransom amounts based on filenames (sensitivity)

    • Decrypt for free if you infect 2 others!

    Corporate Account Takeover (CATO)

    • Corporate identity theft

    • Business online credentials stolen

    • Malware usually to blame

    • Fraudulent transfer of funds

    Phishing → Install Malware → Online Banking → Password Sent → Money Stolen

    CATO

    • Small to mid-sized companies

    • Lawsuits prevalent

    • Preventable

    • Customers and banks partner for security

    High Use of Wi-Fi

    • 71% of all mobile communications flow over Wi-Fi

    • Free Wi-Fi expectations among consumers

    • 60% feel safe on public Wi-Fi

    • Security risks

      • Business use

      • Providing to customers

      • Public Wi-Fi

    Risks with Wi-Fi Networks

    • Unsecured or poorly secured networks in your business

      • Used for illegal or illicit activity

      • Breach of confidential data

    • Using public Wi-Fi

      • Fake Wi-Fi hotspots

      • Intercepted data

    Simple Steps to Cybersecurity

    Cybersecurity Fundamentals

    Layers of Protection

    Physical Security

    Hardware

    Application/System

    Data Transmission

    Simple Steps to Improve Your Cybersecurity

    1. Protect passwords

    2. Protect systems

    3. Protect internet connections

    4. Protect people

    5. Plan for the worst

    1. Protect Passwords

    Passwords

    National Institute of Standards and Technology (NIST)

    • New standards published June 2017

    • No forced composition rules (like alphanumeric and special characters)

    • No required arbitrary changes

    • Limit the number of password attempts (account lockout)

    • Multi-factor authentication

    NIST (Continued)

    • Compare passwords against a “blacklist” that rejects passwords

      • Used in previous compromises

      • Based on dictionary words

      • Containing repetitive or sequential characters

      • Based on items such as user name, system name, etc.
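    As an added example (not part of the slide deck), the NIST screening rules above written as a small Python check: the compromised-password list, dictionary words, repetitive and sequential runs, and the user-name/system-name test, plus a per-account failed-attempt counter for the lockout item. The COMPROMISED and DICTIONARY sets are constructed stand-ins for real breach and dictionary corpora.

```python
import re

# Constructed sample lists (not from the slides): a handful of breached
# passwords and dictionary words stand in for the real corpora a site would load.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"summer", "dragon", "monkey", "football", "baseball"}

def has_repetitive_run(pw, n=3):
    # True when any character repeats n or more times in a row ("aaa", "111")
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None

def has_sequential_run(pw, n=4):
    # True for ascending or descending runs of n characters ("abcd", "4321")
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def check_password(pw, username="", system_name=""):
    """Return the list of reasons a password is rejected (empty list = accepted)."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < 8:                       # NIST minimum length for memorized secrets
        reasons.append("shorter than 8 characters")
    if lowered in COMPROMISED:
        reasons.append("appears in a previous compromise")
    if any(word in lowered for word in DICTIONARY):
        reasons.append("based on a dictionary word")
    if has_repetitive_run(pw):
        reasons.append("contains repetitive characters")
    if has_sequential_run(pw):
        reasons.append("contains sequential characters")
    for label, ctx in (("user name", username), ("system name", system_name)):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains the {label}")
    return reasons

class AttemptLimiter:
    """Per-account failed-login counter for the 'limit password attempts' item."""
    def __init__(self, max_failures=10):
        self.max_failures = max_failures
        self.failures = {}
    def record(self, account, success):
        # a successful login resets the counter; a failure increments it
        self.failures[account] = 0 if success else self.failures.get(account, 0) + 1
    def is_locked(self, account):
        return self.failures.get(account, 0) >= self.max_failures
```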

    Multifactor Authentication

    • Remote access

    • Email

    • Cloud services

    Password Manager

    2. Protect Systems

    Patch Systems

    Applications

    Operating System

    Malware Management

    Know What You Have

    Protect Mobile Devices

    • Encryption

    • PIN/biometric

    • Anti-malware

    • Updates

    • Mobile Device Management

      • Remote wipe

    Backup Systems

    • Backup critical data

      • Tape, disk, cloud, hot-site

    • Regular backups (daily)

    • Review backup logs

      • Remediate issues

    • Good backups are more important than ever with rise in ransomware

    3. Protect Internet Connections

    • Firewalls

      • Block content (pornography, gambling, cloud)

    • IDS/IPS

    • Remote access

    • Wireless

    Manage Remote Access

    • Vendors or employees

      • 24x7 or initiated support?

    • VPN

    • Security controls (account lockout, password expiration, MFA, encryption)

    • Access logging procedures

    • Review remote access activity

    Tips for Safe Use of Business Wi-Fi

    • Segregation

    • Encryption

    • Password management

    • Management console security

    • Monitoring of guest network

    • Other controls

      • Hours of availability

      • Broadcast range

      • Web filtering

      • SSID broadcasting

      • MAC address filtering

    Tips for Safe Use of Public Wi-Fi

    • Verify your connection

    • Avoid accessing sensitive data (e.g. banking)

    • Turn off sharing

    • Use a VPN

    • Turn Wi-Fi off when not in use

    Testing Internet Connections

    • Independent Testing

    • Periodic vulnerability scanning

    • Pen testing

    • Timely remediation of findings

    4. Protect People

    • Determine rules for use - It is KEY for employees to know the rules

      • Email, Internet, computer systems, mobile devices

    • Training

      • CATO

    • Manage third parties

    Secure Email or File Sharing

    • Encrypted options for sensitive data

    • Sending and receiving

    • Automated or manual

    • Free versions may not be adequate

    • Examples: ShareFile, Dropbox, ZixMail

    Training is Key!

    • Highlights from policies

    • Latest industry threats

    • Disaster recovery

    • New employees

    • Annually for all employees

    • Ongoing

    CATO: Know the warning signs

    CATO: Layered Controls = Decreased Risk

    • Passwords

    • Tokens

    • Call or fax backs

    • Dual Authorization

    • Encryption

    CATO: Bank/Customer Partnership

    • Educational info and materials

    • Bank website, branches, personnel

    • Annual review of services

    • Contact the bank immediately if there is suspicious activity

      • Law enforcement

    Inherent Risk of Using Third Parties

    Third-Party Oversight

    • Risk assessment prior to signing contract

    • Risk rate vendors

      • Access to PII

      • Business dependency on services

    • Security should be as good as yours or better

    • Limit or secure remote access

    • Manage stale user accounts

    Third Party Review

    • Annual due diligence

    • Financial statements

    • Security audit reports

    • Disaster planning and testing

    • Insurance

    • Vendor management

    • Incident response

    5. Plan for the Worst

    Responding to Incidents

    • Appoint an Incident Response Team

    • Have a documented plan

    • Contact info for team members, law enforcement, regulatory agencies, insurance, forensics firm, etc.

    • Identify types of incidents with appropriate responses and response times

    • Address breach notification expectations

    • Test the plan – tabletop testing

    Cyber Insurance

    • Review your policies

    • Consider areas of loss

      • Financial loss (you)

      • Financial loss (customer)

      • Legal costs

      • Forensic investigations and remediation

      • Reputation

    • May need additional policies for extortion, liability, privacy breach, business interruptions

    © 2017 Capin Technology LLC. Traina & Associates is an authorized trade name of Capin Technology LLC, a subsidiary of Capin Crouse LLP.

    Thank you.

    Allison Davis, CPA, CISSP, CISA

    Senior Manager, Traina & Associates

    [email protected]

    225.308.1712