TRANSCRIPT
5/23/18
Traina & Associates is an authorized trade name of Capin Technology LLC, a subsidiary of Capin Crouse LLP.
Corporate Customer Training
Allison Davis, CPA, CISSP, CISA
Overview
• Cyber World
• Top Challenges
• CATO
• Simple Steps to Cybersecurity
Cyber World
Cyber everything!
Internet of Things (IoT)
Internet of Things (IoT)
• Set and forget
• Security?
• Example:
• Fish tank used to hack a casino!
Cybersecurity Defined
Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack
~ Merriam-Webster
Ten Years Ago…
Today…
In the News
• Data breach May 2017 (discovered July 2017)
• 143 million US consumers (almost half the population)
• Names, SSN, birth dates, addresses, driver's license numbers, credit card numbers (209,000)
• Offered free credit monitoring for a year
WannaCry
• May 2017
• Ransomware and worm
• 200,000 computers in 150 countries affected
• Hospitals, banks, telecom companies, etc.
• Demand $300 in Bitcoin PER computer
• Only affected Microsoft Windows computers
• Microsoft had released the patch (MS17-010) in MARCH 2017, two months before the outbreak!
Bitcoin
• February 2018
• 150 million MyFitnessPal accounts
• Usernames, email addresses, hashed ("scrambled") passwords
• MyFitnessPal users required to change passwords
The Dark Web
• Intended
• Corporate whistleblowers
• Political dissidents
• Journalists working under government-controlled media
• By-product
• Data for sale (PII, credit card numbers, etc.)
• Media exchange for pedophiles, terrorists, etc.
Social Engineering
Top Challenges
Areas of Concern
Mobile Devices
• Mobile phones
• Smart phones
• Tablets
• Laptops
• Smart watches
Mobile Device Uses
Concerns
• Subject to same security threats as computers
• BYOD – corporate data is often on personal device
• Possibly next big area for security breaches
• Fraud will likely only increase
Cloud Computing
• Increased CPU
• Increased disk space
• No hardware costs
• No maintenance required
• Access anywhere, anytime!
Types of Cloud Computing
• Public
• Private
• Hybrid
Areas of Concern
• Where is data?
• Encryption options
• Authentication options
• Accessibility of data in vendor outage
• Ramifications of cloud vendor breach
User Behavior
Biggest User Related Issues
• Social Engineering
• Phishing, vishing, smishing, pharming, whaling
• CATO
• Passwords
• Email
• Lack of training/awareness
Phishing
• Info used from other breaches
• Spear-phishing
• CEO fraud/Whaling
• Pre-texting
• Studies show 8-10% of employees click, and 15% of victims take the bait a second time
• Only 20% of those who click report it
One click… that’s all it takes!
Malware
Ransomware
• Ransomware-as-a-Service (RaaS)
• Time limits until file deletion
• Ransoms increase over time
• Ransom amounts based on filenames (sensitivity)
• Decrypt for free if you infect 2 others!
Corporate Account Takeover (CATO)
• Corporate identity theft
• Business online credentials stolen
• Malware usually to blame
• Fraudulent transfer of funds
Typical CATO sequence: Phishing → Install malware → Online banking → Password sent → Money stolen
CATO
• Small to mid-sized companies
• Lawsuits prevalent
• Preventable
• Customers and banks partner for security
High Use of Wi-Fi
• 71% of all mobile communications flow over Wi-Fi
• Free Wi-Fi expectations among consumers
• 60% feel safe on public Wi-Fi
• Security risks
• Business use
• Providing to customers
• Public Wi-Fi
Risks with Wi-Fi Networks
• Unsecured or poorly secured networks in your business
• Used for illegal or illicit activity
• Breach of confidential data
• Using public Wi-Fi
• Fake Wi-Fi hotspots
• Intercepted data
Simple Steps to Cybersecurity
Cybersecurity Fundamentals
Layers of Protection
Physical Security
Hardware
Application/System
Data Transmission
Simple Steps to Improve Your Cybersecurity
1. Protect passwords
2. Protect systems
3. Protect internet connections
4. Protect people
5. Plan for the worst
1. Protect Passwords
Passwords
National Institute of Standards and Technology (NIST)
• New guidance published June 2017 (SP 800-63B, Digital Identity Guidelines)
• No forced composition rules (e.g., requiring mixed case, digits, and special characters)
• No required arbitrary changes (no periodic expiration; change only on evidence of compromise)
• Limit the number of password attempts (account lockout)
• Multi-factor authentication
NIST (Continued)
• Compare new passwords against a "blacklist" and reject those that are:
• Used in previous compromises
• Based on dictionary words
• Containing repetitive or sequential characters
• Based on items such as user name, system name, etc.
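The checks in the NIST list above, worked as an added example (this is not code from the presentation; it is written for this transcript). It accepts or rejects a candidate password with no composition rules and no expiry, rejecting only on length, a breached-password list, dictionary words, repetitive or sequential runs, and context-specific words such as the user name or company, and it includes a small lockout class for the "limit attempts" point. The breached-hash set, the dictionary, and the thresholds (8 to 64 characters, 4-character runs, 5 failures in 15 minutes) are assumptions constructed for illustration.

```python
"""Password acceptance and lockout checks in the style of NIST SP 800-63B.

Added example for this training deck; not the presenter's code. The breached
hash set, dictionary and thresholds below are constructed assumptions.
"""
import hashlib
import re

# Constructed sample data: SHA-1 hashes of passwords seen in earlier breaches
# (a real deployment would use a full breach corpus), plus a tiny dictionary.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Winter2018!")
}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "sunshine"}
MIN_LEN, MAX_LEN = 8, 64          # 800-63B: require at least 8, allow at least 64
STRIP_CHARS = "0123456789!@#$%^&*()_-+=.,?"


def has_sequential_run(pw, length=4):
    """True if `length` consecutive characters step by exactly +1 or -1 (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        codes = [ord(c) for c in s[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw, length=4):
    """True if one character repeats `length` or more times in a row (aaaa, 1111)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def check_password(pw, context_words=()):
    """Return the reasons a candidate password is rejected; [] means accept.

    Deliberately no composition rules and no expiry: only length, the breach
    blacklist, dictionary words, runs and context-specific words are checked.
    """
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        reasons.append("found in a previous compromise")
    low = pw.lower()
    if low.strip(STRIP_CHARS) in DICTIONARY:      # "Password1!" -> "password"
        reasons.append("based on a dictionary word")
    if has_repeated_run(pw) or has_sequential_run(pw):
        reasons.append("contains repetitive or sequential characters")
    for word in context_words:                    # user name, company, system name
        if len(word) >= 3 and word.lower() in low:
            reasons.append("contains context-specific word %r" % word)
    return reasons


class LockoutPolicy:
    """Account lockout: `max_failures` failed attempts inside `window` seconds
    lock the account for `lock_seconds`. Timestamps are plain epoch seconds."""

    def __init__(self, max_failures=5, window=900, lock_seconds=900):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.failures = {}        # user -> timestamps of recent failures
        self.locked_until = {}    # user -> epoch second when the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Register a failed attempt; return True if the account is now locked."""
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = []
        return self.is_locked(user, now)

    def record_success(self, user):
        self.failures.pop(user, None)


if __name__ == "__main__":
    for candidate in ("Winter2018!", "Password1!", "abcd1234", "correct horse battery staple"):
        verdict = check_password(candidate, context_words=("jdoe", "acme")) or "accepted"
        print(candidate, "->", verdict)
```

Note that "Winter2018!" satisfies every classic composition rule and still fails, because it is on the breach list; that is the point of the NIST change. In production the blacklist lookup should go against a full breach corpus (or a k-anonymity range query against a breach API) rather than an in-memory set.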
Multifactor Authentication
• Remote access
• Email
• Cloud services
Password Manager
2. Protect Systems
Patch Systems
Applications / Operating System
Malware Management
Know What You Have
Protect Mobile Devices
• Encryption
• PIN/biometric
• Anti-malware
• Updates
• Mobile Device Management
• Remote wipe
Backup Systems
• Backup critical data
• Tape, disk, cloud, hot-site
• Regular backups (daily)
• Review backup logs
• Remediate issues
• Good backups are more important than ever with rise in ransomware
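The "review backup logs, remediate issues" step above, worked as an added example (not the presenter's code and not tied to any backup product). It parses job-run log lines and reports every critical system that has no recent successful backup: jobs that never ran, jobs that keep failing, and jobs whose last good copy is older than a day, which is exactly the gap a ransomware incident exposes. The log format, the job inventory and the 24-hour threshold are constructed assumptions.

```python
"""Review backup job logs: flag critical systems with no fresh, successful backup.

Added example for this deck; not the presenter's code or any product's API.
The log format, job inventory and 24-hour threshold are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: one line per backup job run.
SAMPLE_LOG = """
2018-05-19 23:10:00 job=mailstore status=SUCCESS bytes=9800000000
2018-05-21 01:05:12 job=fileserver-daily status=SUCCESS bytes=52140000000
2018-05-21 01:30:44 job=sql-prod status=FAILED error="VSS writer timeout"
2018-05-22 01:04:58 job=fileserver-daily status=SUCCESS bytes=52310000000
2018-05-22 01:31:02 job=sql-prod status=FAILED error="VSS writer timeout"
"""

# Assumed inventory of the jobs that protect critical data ("know what you have").
CRITICAL_JOBS = ["fileserver-daily", "sql-prod", "mailstore", "hr-docs"]

LINE_RE = re.compile(r"^(\S+ \S+) job=(\S+) status=(\S+)(?: .*)?$")


def parse_log(text):
    """Return (timestamp, job, status) tuples; lines that do not match are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            records.append((ts, m.group(2), m.group(3)))
    return records


def review_backups(records, critical_jobs, now, max_age_hours=24):
    """Map each critical job that has a problem to a one-line finding.

    A job is healthy only if its most recent SUCCESS is younger than
    max_age_hours and nothing has failed since; otherwise the finding says
    whether it never ran, never succeeded, is stale, or is failing now.
    """
    runs_by_job = {}
    for ts, job, status in sorted(records):
        runs_by_job.setdefault(job, []).append((ts, status))

    findings = {}
    for job in critical_jobs:
        runs = runs_by_job.get(job, [])
        if not runs:
            findings[job] = "no backup runs logged"
            continue
        successes = [ts for ts, status in runs if status == "SUCCESS"]
        failures_since_success = 0
        for ts, status in reversed(runs):
            if status == "SUCCESS":
                break
            failures_since_success += 1
        if not successes:
            findings[job] = "never succeeded (%d consecutive failures)" % failures_since_success
        elif now - successes[-1] > timedelta(hours=max_age_hours):
            age_days = (now - successes[-1]).total_seconds() / 86400
            findings[job] = "last good backup %.1f days old" % age_days
        elif failures_since_success:
            findings[job] = "%d failure(s) since last good backup" % failures_since_success
    return findings


def demo(now=datetime(2018, 5, 22, 8, 0, 0)):
    """Run the review over the constructed log as of the given time."""
    return review_backups(parse_log(SAMPLE_LOG), CRITICAL_JOBS, now)


if __name__ == "__main__":
    for job, finding in demo().items():
        print("%-17s %s" % (job, finding))
```

Run daily, this turns "review backup logs" from a good intention into a short list of systems that need remediation today. A restore test is still needed separately: a SUCCESS line proves the job ran, not that the data can be recovered.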
3. Protect Internet Connections
• Firewalls
• Block content (pornography, gambling, cloud)
• IDS/IPS
• Remote access
• Wireless
Manage Remote Access
• Vendors or employees
• 24x7 or initiated support?
• VPN
• Security controls (account lockout, password expiration, MFA, encryption)
• Access logging procedures
• Review remote access activity
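The "access logging" and "review remote access activity" points above, worked as an added example (not the presenter's code and not specific to any VPN product). It reads VPN log lines against an inventory of who is allowed remote access, and flags vendor logins outside business hours (the "24x7 or initiated support?" question), bursts of failed logins, attempts by accounts that are not in the inventory, and inventory accounts with no successful login in 90 days, which should be disabled or re-approved. The log format, the account list, the business-hours window and the thresholds are constructed assumptions.

```python
"""Review remote-access (VPN) activity against an account inventory.

Added example for this deck; not the presenter's code and not tied to any
VPN product. Log format, accounts, hours and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log (documentation IP ranges only).
SAMPLE_LOG = """
2018-05-21 09:12:03 vpn user=jsmith src=203.0.113.10 result=OK
2018-05-21 22:47:19 vpn user=acme-support src=198.51.100.7 result=OK
2018-05-22 03:15:01 vpn user=jsmith src=192.0.2.55 result=FAIL
2018-05-22 03:15:09 vpn user=jsmith src=192.0.2.55 result=FAIL
2018-05-22 03:15:17 vpn user=jsmith src=192.0.2.55 result=FAIL
2018-05-22 03:15:24 vpn user=jsmith src=192.0.2.55 result=FAIL
2018-05-22 03:15:31 vpn user=jsmith src=192.0.2.55 result=FAIL
2018-05-22 08:30:00 vpn user=mlee src=203.0.113.22 result=OK
2018-05-22 10:05:44 vpn user=admin src=192.0.2.55 result=FAIL
"""

# Assumed inventory of who is allowed remote access and why.
ACCOUNTS = {
    "jsmith": "employee",
    "mlee": "employee",
    "acme-support": "vendor",      # support vendor: business hours only
    "old-contractor": "vendor",    # left behind after a project ended
}
BUSINESS_HOURS = (7, 19)           # vendors may connect 07:00-18:59 without a ticket

LINE_RE = re.compile(r"^(\S+ \S+) vpn user=(\S+) src=(\S+) result=(\S+)")


def parse_log(text):
    """Return (timestamp, user, source, result) tuples; non-matching lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records


def review_remote_access(records, accounts, now, stale_days=90,
                         fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Return (timestamp, user, finding) tuples for activity that needs a look."""
    findings = []
    last_ok = {}
    recent_fails = defaultdict(list)
    for ts, user, src, result in sorted(records):
        kind = accounts.get(user)
        if kind is None:
            findings.append((ts, user, "login attempt by account not in inventory from %s" % src))
            continue
        if result == "OK":
            last_ok[user] = ts
            if kind == "vendor" and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                findings.append((ts, user, "vendor login outside business hours from %s" % src))
        else:
            window = [t for t in recent_fails[user] if ts - t <= fail_window] + [ts]
            recent_fails[user] = window
            if len(window) == fail_threshold:   # report once per burst
                findings.append((ts, user, "%d failed logins within %d min from %s"
                                 % (fail_threshold, fail_window.seconds // 60, src)))
    # Stale accounts: in the inventory but unused, a standing risk with no benefit.
    for user in accounts:
        if user not in last_ok or now - last_ok[user] > timedelta(days=stale_days):
            findings.append((now, user, "no successful login in %d days; disable or re-approve"
                             % stale_days))
    return findings


def demo(now=datetime(2018, 5, 23, 0, 0, 0)):
    """Run the review over the constructed log as of the given time."""
    return review_remote_access(parse_log(SAMPLE_LOG), ACCOUNTS, now)


if __name__ == "__main__":
    for ts, user, finding in demo():
        print(ts, user, finding)
```

The inventory is the part most small businesses lack: without a list of who should have remote access, and whether each account is 24x7 or support-initiated, the log review can only find noisy failures, not the quiet vendor account nobody removed.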
Tips for Safe Use of Business Wi-Fi
• Segregation
• Encryption
• Password management
• Management console security
• Monitoring of guest network
• Other controls
• Hours of availability
• Broadcast range
• Web filtering
• SSID broadcasting
• MAC address filtering
Tips for Safe Use of Public Wi-Fi
• Verify your connection
• Avoid accessing sensitive data (e.g. banking)
• Turn off sharing
• Use a VPN
• Turn Wi-Fi off when not in use
Testing Internet Connections
• Independent Testing
• Periodic vulnerability scanning
• Pen testing
• Timely remediation of findings
4. Protect People
• Determine rules for use; it is KEY for employees to know the rules
• Email, Internet, computer systems, mobile devices
• Training
• CATO
• Manage third parties
Secure Email or File Sharing
• Encrypted options for sensitive data
• Sending and receiving
• Automated or manual
• Free versions may not be adequate
• Examples: ShareFile, Dropbox, ZixMail
Training is Key!
• Highlights from policies
• Latest industry threats
• Disaster recovery
• New employees
• Annually for all employees
• Ongoing
CATO: Know the warning signs
CATO: Layered Controls = Decreased Risk
• Passwords
• Tokens
• Call or fax backs
• Dual Authorization
• Encryption
CATO: Bank/Customer Partnership
• Educational info and materials
• Bank website, branches, personnel
• Annual review of services
• Contact banks immediately if suspicious activity
• Law enforcement
Inherent Risk of Using Third Parties
Third-Party Oversight
• Risk assessment prior to signing contract
• Risk rate vendors
• Access to PII
• Business dependency on services
• Security should be as good as yours or better
• Limit or secure remote access
• Manage stale user accounts
Third Party Review
• Annual due diligence
• Financial statements
• Security audit reports
• Disaster planning and testing
• Insurance
• Vendor management
• Incident response
5. Plan for the Worst
Responding to Incidents
• Appoint an Incident Response Team
• Have a documented plan
• Contact info for team members, law enforcement, regulatory agencies, insurance, forensics firm, etc.
• Identify types of incidents with appropriate responses and response times
• Address breach notification expectations
• Test the plan – tabletop testing
Cyber Insurance
• Review your policies
• Consider areas of loss
• Financial loss (you)
• Financial loss (customer)
• Legal costs
• Forensic investigations and remediation
• Reputation
• May need additional policies for extortion, liability, privacy breach, business interruptions
© 2017 Capin Technology LLC
Thank you.
Allison Davis, CPA, CISSP, CISA
Senior Manager, Traina & Associates
225.308.1712