
Page 1

Cybersecurity and the Threat Landscape

Prepared for: NJAMHA IT Conference, May 29th, 2019

Page 2

Outline

○ Is your organization taking Cybersecurity seriously?

○ Developing your Cybersecurity Program

○ Threat landscape

○ Strategies to improve security posture

Confidential & Proprietary 2

Page 3

Is your organization taking Cybersecurity seriously?

Page 4

“…Cyber Crime Is The Greatest Threat To Every Company In The World”

Ginni Rometty, IBM

Page 5

“There are two kinds of companies: those who have been breached and those who don’t know they’ve been breached.”

John Chambers, Former Cisco CEO

Page 6

Biggest Data Breaches of 21st Century (chart: number of individuals affected, in millions; axis 0 to 3500)

Marriott

Equifax

Adult Friend Finder

Anthem

eBay

JP Morgan

Home Depot

Yahoo

Target Stores

Adobe

US Office of Personnel Management

Sony's Playstation Network

RSA Security

Heartland Payment Systems

TJX Companies

https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

Page 7

Can Cybersecurity Cause Bankruptcy?


https://www.nytimes.com/2012/08/23/business/smallbusiness/struggling-to-recover-from-a-cyberattack.html

Page 8

Can Cybersecurity Impact Patient Safety?

• Unable to access medical records and other critical systems for several days due to ransomware

• Patients moved to other hospitals

• Difficulties providing services without access to critical medical information

• Need for rescheduling surgeries and appointments

Page 9

“60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack.”

U.S. Securities and Exchange Commission

https://www.csoonline.com/article/3267715/4-main-reasons-why-smes-and-smbs-fail-after-a-major-cyberattack.html

Page 10

Cybersecurity in Healthcare

• According to ISE (Independent Security Evaluators), its report on Securing Hospitals identifies the following assets:

• Patients’ Health

• Patients’ Health Records

• According to the Ponemon Institute (2016), “the most lucrative information for hackers can be found in patients’ medical records” (p.5), as EHRs are on average valued at $50 on the black market. Thus, patients’ health records are adversaries’ primary target for identity theft and other insurance fraud opportunities.

• Availability of Healthcare Services - Critical services & Administrative services

• Intellectual Property

• Reputation

https://www.securityevaluators.com/hospitalhack/

Page 11

Threat Landscape


• Healthcare institutions are being increasingly targeted

• High value of assets

• “…the healthcare industry is behind other industries in protecting its infrastructure” (KPMG, 2015)

• Increasingly interconnected systems

Page 12

Developing A Cybersecurity Program

Page 13

Cybersecurity vs. Information Security

○ Cybersecurity

• Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyberattacks

○ Information Security

• All about protecting the information, which generally focuses on the confidentiality, integrity and availability (CIA) of the information

Page 14

Security Frameworks

○ Computer security guidance for how organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks

NIST SP 800-53 – First published in 1990, National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) provides guidance to help U.S. federal government agencies comply with Federal Information Processing Standards (FIPS). Although the framework establishes security standards and guidelines for government agencies and federal information systems, it is also widely followed in the private sector. It is considered to generally represent industry best practices.

ISO 27000 Series – International Organization for Standardization (ISO) 27000 is a set of broad standards covering an array of privacy, confidentiality and IT security best practices published jointly with the International Electrotechnical Commission (IEC). These standards are designed to help organizations address their risks with appropriate controls. The series includes several subset frameworks specific to various industry types. For example, ISO 27799 defines standards and best practices for the healthcare industry.

COBIT – The Information Security Audit and Control Association (ISACA) produced the Control Objectives for Information Related Technology (COBIT) framework in 1996 to focus on risk reduction in financial organizations. It is also commonly used to comply with the Sarbanes-Oxley Act (SOX).

Hybrid – Organizations can also leverage a hybrid framework by choosing specific controls from other frameworks to meet their compliance requirements and business needs. Examples: HITRUST, HIPAA, FedRAMP.

Page 15

NIST Framework Core

Page 16

NIST Categories

Page 17

NIST Controls

Page 18

NIST Controls

○ 5 Functions

○ 23 Categories

○ 108 Subcategories

○ 300+ controls

○ All NIST controls and documentation can be downloaded from - https://nvd.nist.gov/800-53

○ Partial list of NIST controls in the following slides

Pages 19–24 (partial list of NIST controls; slide images)

Page 25

Managing Information Security Risk

Tier 1 – Organization

Tier 2 – Mission / Business Process

Tier 3 – Information Systems

• Traceability and Transparency of Risk-Based Decisions

• Organization-Wide Risk Awareness

• Inter-Tier and Intra-Tier Communications

• Feedback Loop for Continuous Improvement

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

Page 26

Establishing a Cybersecurity Program

1. Prioritize and Scope

2. Orient

3. Create A Current Profile

4. Risk Assessment

5. Create A Target Profile

6. Determine, Analyze, Prioritize Gaps

7. Implement Action Plan

Page 27

Prioritize and Scope

Tiers, assessed on Risk Management Processes, Integrated Risk Management Program and External Participation:

Tier 1 – Partial

Tier 2 – Informed

Tier 3 – Repeatable

Tier 4 – Adaptable

Page 28

Integrated Risk Management Program

Page 29

Orient

Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.

1. Develop a comprehensive list of all of your assets that should be covered by your Cyber Security Program

2. Document owners, use cases and documentation around systems utilization

3. Identify regulatory requirements

4. Develop risk models

5. Free tools: https://www.spiceworks.com/, https://www.ocsinventory-ng.org/en/

Page 30

Create A Current Profile

○ The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps by providing baseline information

1. Organize a Security Team comprising technical, systems and business team members.

2. Hire an outside consultant or develop in-house resources.

3. Expect a significant amount of documentation; leverage a wiki or content management system.

4. Leverage free training and resources available for NIST and other control frameworks.

Page 31

Risk Assessment

○ This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.

1. Free risk assessment tools:

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

https://www.simplerisk.com/

Page 32

Create A Target Profile

○ The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile. The Target Profile should appropriately reflect criteria within the target Implementation Tier.

Page 33

Determine, Analyze, Prioritize Gaps

○ The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address gaps – reflecting mission drivers, costs and benefits, and risks – to achieve the outcomes in the Target Profile. The organization then determines resources, including funding and workforce, necessary to address the gaps. Using Profiles in this manner encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.

Page 34

Implement Action Plan

○ The organization determines which actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity practices in order to achieve the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.

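The profile comparison described in the Risk Assessment, Determine/Analyze/Prioritize Gaps and Implement Action Plan steps above, carried through as an added worked example in Python. This is not code from the presentation or from NIST; the subcategory ids follow the Framework's Function.Category-Number naming pattern but are placeholders here, and the achievement levels, risk scores (likelihood times impact, as the Risk Assessment step produces) and costs are constructed sample values.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added illustration: all subcategory ids, achievement levels, risk scores and
costs below are constructed sample values, not data from the presentation.
"""
from __future__ import annotations

from dataclasses import dataclass

# Achievement level of a Framework subcategory outcome.
NOT_ACHIEVED, PARTIAL, ACHIEVED = 0, 1, 2


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk: int   # likelihood x impact from the risk assessment (constructed, 1..25)
    cost: int   # relative effort to close the gap (constructed, 1..5)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # Bigger gaps on higher-risk outcomes come first; cheaper fixes win ties.
        return self.size * self.risk / self.cost


def find_gaps(current: dict, target: dict, risk: dict, cost: dict) -> list[Gap]:
    """Compare the two profiles and return the gaps, highest priority first."""
    gaps = []
    for sub, wanted in target.items():
        have = current.get(sub, NOT_ACHIEVED)
        if have < wanted:
            gaps.append(Gap(sub, have, wanted, risk.get(sub, 1), cost.get(sub, 1)))
    # Deterministic order: priority descending, then subcategory id.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def action_plan(gaps: list[Gap], budget: int) -> list[str]:
    """Greedy plan: fund gaps in priority order until the budget is spent."""
    plan, spent = [], 0
    for g in gaps:
        if spent + g.cost <= budget:
            plan.append(g.subcategory)
            spent += g.cost
    return plan


# Constructed sample profiles. Ids follow the CSF Function.Category-N pattern
# but are placeholders here; the scores are made up for the example.
SAMPLE_CURRENT = {"ID.AM-1": ACHIEVED, "ID.AM-2": PARTIAL, "PR.AC-1": PARTIAL,
                  "PR.AC-4": NOT_ACHIEVED, "DE.CM-1": NOT_ACHIEVED, "RS.RP-1": PARTIAL}
SAMPLE_TARGET = {sub: ACHIEVED for sub in SAMPLE_CURRENT}
SAMPLE_RISK = {"ID.AM-2": 6, "PR.AC-1": 20, "PR.AC-4": 16, "DE.CM-1": 15, "RS.RP-1": 9}
SAMPLE_COST = {"ID.AM-2": 1, "PR.AC-1": 2, "PR.AC-4": 4, "DE.CM-1": 3, "RS.RP-1": 2}


def sample_gaps() -> list[Gap]:
    return find_gaps(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_RISK, SAMPLE_COST)


def sample_plan(budget: int) -> list[str]:
    return action_plan(sample_gaps(), budget)


if __name__ == "__main__":
    for g in sample_gaps():
        print(f"{g.subcategory}: {g.current}->{g.target} risk={g.risk} "
              f"cost={g.cost} priority={g.priority:.1f}")
    print("plan within budget 6:", sample_plan(6))
```

The priority formula is one reasonable choice, not the Framework's: it ranks a larger shortfall on a higher-risk outcome above a small one, and lets cost break ties, which is the "mission drivers, costs and benefits, and risks" trade-off the Gaps step describes. With the sample data the two highest-risk gaps tie at 10.0 and are funded first; the most expensive gap (PR.AC-4) is deferred when the budget is 6.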

Page 35

Governance

○ Roles and Responsibilities

• This includes individuals, IT staff, security professionals, management

○ Segregation of duties

• Provides assurance that actions are performed in compliance with policies.

• e.g., You don’t have the individuals responsible for granting access perform account reconciliations

• You don’t have users with administrative access reviewing logs.

○ Oversight

• Management’s role in monitoring security, often represented by reporting of KPIs, KRIs

• Key performance indicators

• Key risk indicators
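The two segregation-of-duties rules on this slide, as an added example in Python that is not part of the original presentation. The role names, the conflict pairs and the user-to-role assignments are constructed for the illustration; in practice they would be loaded from the identity or HR system, and the preview check would run as part of the access-request approval.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added illustration: the role names, conflict pairs and user assignments are
constructed for the example and are not taken from the presentation.
"""
from __future__ import annotations

# Pairs of roles that one person must not hold at the same time. The two
# pairs mirror the slide's examples: whoever grants access must not reconcile
# accounts, and whoever has administrative access must not review the logs.
CONFLICTING_ROLES = frozenset({
    frozenset({"grant_access", "reconcile_accounts"}),
    frozenset({"sysadmin", "log_review"}),
})


def sod_violations(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every conflicting pair a user holds."""
    found = []
    for user, roles in assignments.items():
        for pair in CONFLICTING_ROLES:
            if pair <= roles:          # the user holds both roles of the pair
                role_a, role_b = sorted(pair)
                found.append((user, role_a, role_b))
    return sorted(found)


def sod_violations_after_change(assignments, user, new_role):
    """Preview check to run before approving an access request for `user`."""
    proposed = {u: set(r) for u, r in assignments.items()}
    proposed.setdefault(user, set()).add(new_role)
    return [v for v in sod_violations(proposed) if v[0] == user]


# Constructed sample: bob already violates the admin / log-review rule.
SAMPLE_ASSIGNMENTS = {
    "alice": {"grant_access", "helpdesk"},
    "bob": {"sysadmin", "log_review"},
    "carol": {"reconcile_accounts", "finance"},
}

if __name__ == "__main__":
    print("existing violations:", sod_violations(SAMPLE_ASSIGNMENTS))
    print("if alice gets reconcile_accounts:",
          sod_violations_after_change(SAMPLE_ASSIGNMENTS, "alice", "reconcile_accounts"))
```

Running the full check on a schedule covers the Monitoring slide's point that controls must remain viable; running the preview on each request stops a new conflict before it is created rather than finding it at the next audit.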

Page 36

Monitoring

○ Need to ensure that controls remain viable

• Self Assessments

• Testing

• Issues

• Audits

• Staff reporting

○ Assist in early detection of potential issues

• Look for trends, increased bandwidth usage, failed login attempts, etc.

○ Due to technology complexity, more automation is in place to assist.

• Cannot be effectively done without automation

• Data too voluminous to manually identify anomalies
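An added example (not from the original deck) of the kind of automated check this slide calls for: it scans authentication log lines for bursts of failed logins from one source within a short window, and separately flags a successful login that follows such a burst from the same source, which is the case a reviewer most wants surfaced. The sshd-like log format, the addresses (RFC 5737 documentation ranges) and the timestamps are constructed sample data; the threshold and window are assumptions to tune per environment, and the lines are assumed to arrive in time order.

```python
"""Failed-login burst detection over authentication log lines.

Added illustration: the log lines below are constructed in an sshd-like
format; addresses come from the RFC 5737 documentation ranges and the
timestamps are made up. Threshold and window are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, source) or None for lines not tracked."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def analyze(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold failures inside `window`, and any
    successful login that follows such a burst from the same source.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)      # source -> timestamps of recent failures
    bursts = {}                      # source -> peak failures seen in a window
    success_after_burst = []         # (source, user) pairs worth a closer look
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                bursts[src] = max(bursts.get(src, 0), len(q))
        elif src in bursts:
            success_after_burst.append((src, user))
    return {"bursts": bursts, "success_after_burst": success_after_burst}


# Constructed sample log: five failures in a few seconds from one source,
# then a success from it; a single failure from a second source; one
# unrelated kernel line that the parser must skip.
SAMPLE_LOG = """\
2019-05-29T09:00:01 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2019-05-29T09:00:02 sshd[1201]: Failed password for invalid user root from 203.0.113.7 port 51123 ssh2
2019-05-29T09:00:03 sshd[1202]: Failed password for rsmith from 203.0.113.7 port 51124 ssh2
2019-05-29T09:00:04 sshd[1203]: Failed password for rsmith from 203.0.113.7 port 51125 ssh2
2019-05-29T09:00:05 sshd[1204]: Failed password for rsmith from 203.0.113.7 port 51126 ssh2
2019-05-29T09:00:07 sshd[1205]: Accepted password for rsmith from 203.0.113.7 port 51127 ssh2
2019-05-29T09:01:10 sshd[1206]: Failed password for jdoe from 198.51.100.20 port 40001 ssh2
2019-05-29T09:01:20 sshd[1207]: Accepted password for jdoe from 198.51.100.20 port 40002 ssh2
2019-05-29T09:02:00 kernel: eth0: link up
""".splitlines()

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("failed-login bursts:", result["bursts"])
    print("successes after a burst:", result["success_after_burst"])
```

The single failure followed by a success from the second source is ordinary user behaviour and is not reported, which is the point of thresholding: the output is short enough for someone to review and react to, as the next slides require of monitoring tools.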

Page 37

Threat Landscape

Page 38

Hacker Stats At-A-Glance

Cisco 2018 Annual Cybersecurity Report

Page 39

Carbon Black

Page 40

Internet Security Threat Report

Symantec’s 2019 Internet Security Threat Report takes a deep dive into insights from the world’s largest civilian global intelligence network, revealing:

○ Formjacking attacks skyrocketed, with an average of 4,800 websites compromised each month

○ Ransomware shifted targets from consumers to enterprises, where infections rose 12 percent

○ More than 70 million records stolen from poorly configured S3 buckets, a casualty of rapid cloud adoption

○ Supply chains remained a soft target with attacks ballooning by 78 percent

○ “Smart Speaker, get me a cyber attack” — IoT was a key entry point for targeted attacks; most IoT devices are vulnerable

Page 41

Cisco 2018 Annual Cybersecurity Report

Additional Highlights

○ The financial cost of attacks is no longer a hypothetical number:

• According to study respondents, more than half of all attacks resulted in financial damages of more than $500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs

Page 42

https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard.html

Page 43

Staying Tuned To Threat Landscape

Computer Emergency Readiness Team Coordination Center (CERT/CC)

https://www.kb.cert.org/vuls/

National Vulnerability Database https://nvd.nist.gov/

Vendor sites, for example:

https://docs.microsoft.com/en-us/security-updates/

Page 44

Improving Security Posture Through Effective Strategies

Page 45

“One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. (Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation).”

Stephane Nappo, Global Chief Information Security Officer at OVH. 2018 Global CISO of the year.

Page 46

Defense in Depth – Architectural Protections

Page 47

How Do Organizations get Attacked?

○ Phishing

○ Social Engineering

○ Denial of Service (DoS)

○ Vulnerability Probing

○ Dedicated Targeted Attacks

Page 48

What can organizations do to combat the threats:

○ Education – security is not the responsibility of just individuals with security in the title – it is everyone’s responsibility

• Awareness Sessions

• Table Top Exercises

• Testing

○ Patch – maintain systems at up-to-date maintenance levels.

• Security updates need to be tested and deployed frequently.

Page 49

What can organizations do to combat the threats:

○ Monitor – many tools available to let organizations know when something unusual is occurring.

• Tools require someone to review and react

○ Scan – Perform regularly scheduled vulnerability scans of the environment

• Mature organizations use scanning to validate their controls, not necessarily to identify weaknesses.

○ Most importantly – See Something, Say something

Page 50 (slide image)

Page 51

Thank You

Ravi [email protected]