
Page 1

www.leocybersecurity.com

Andrew Hay, CTO, LEO Cyber Security

+1.415.940.9660

[email protected]

https://www.leocybersecurity.com

https://twitter.com/andrewsmhay

Tuesday, February 13, 2018

Simplifying Cyber Security and Today's Growing Regulatory Compliance

Page 2

About Andrew Hay

• Co-Founder and Chief Technology Officer (CTO) @ LEO Cyber Security

• Former:

• CISO @ DataGravity

• Director of Research @ OpenDNS

• Chief Evangelist & Director of Research @ CloudPassage

• Senior Security (Industry) Analyst @ 451 Research

• Information Security Officer in higher education and financial services

• Blogger, author, and rugby coach

Page 3

About LEO Cyber Security

LEO is a seasoned team of cyber trailblazers and creative practitioners who have the deep experience and operational knowledge to combat the cyber skills gap. Through creative solutions we help our customers build and manage security programs.

Page 4

Agenda

• Introduction

• The CU Threat & Compliance Landscape

• The Incident Response Life Cycle

• Protecting Both The CU & Members

• Summary

Page 5

Introduction

• There is often a disconnect between CU leadership and the IT and security staff in the trenches

• Though the CU may not have experienced a damaging breach in the past, data shows that many CUs may be incapable of effectively mitigating such an event

• So how does a credit union that is increasingly responsible for the security and privacy of customer and employee information mitigate a serious and perhaps business-ending data breach?

Page 6

How Many Times Have You Heard (or Said)…

• “We’ve never been breached before…”

• “Nobody cares about attacking our CU…”

• “We have nothing that an attacker would want…”

• “We can’t afford to invest in…”


Page 8

The CU Threat Landscape


Page 11

The CU Threat Landscape: Verizon DBIR 2017 – Financial Services

Frequency: 998 incidents, 471 with confirmed data disclosure

Top 3 patterns: Denial of Service, Web Application Attacks and Payment Card Skimming represent 88% of all security incidents within Financial Services

Threat actors: 94% External, 6% Internal, <1% Partner (all incidents)

Actor motives: 96% Financial, 1% Espionage (all incidents)

Data compromised: 71% Credentials, 12% Payment, 9% Personal

Summary: DoS attacks were the most common incident type. Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords, along with ATM skimming operations.

Page 12

The CU Threat Landscape

• Reported CU breaches: 44 (2005 to Present)

• Total records exposed: ~331,476

• Repeat offenders: 3 CUs

Page 13

The CU Compliance Landscape

• Payment Card Industry Data Security Standard (PCI DSS)

• 1.0 was released on December 15, 2004 (current version, as of this February 2018 talk, is 3.2)

• If a merchant experiences a security breach and is found to have been non-compliant with PCI DSS at the time, it may be subject to steep fines, levied by the card brands and passed down through its acquiring bank

• Depending on the circumstances, merchants might have to pay anywhere from $5,000 to $100,000 every month until they address all identified compliance issues

• If they don’t resolve the problem satisfactorily, they may even have their ability to accept cards revoked

Page 14

The CU Compliance Landscape

• New York's Cybersecurity Regulation (23 NYCRR Part 500)

• Took effect on March 1, 2017

• Applies to all individuals and organizations regulated by the New York State Department of Financial Services (NYS DFS)

• That is, any individual or organization that “operate[s] under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law, or the financial services law”

• Penalties could include:

• License revoked

• $250,000 fine OR 1% of the total assets of such banking organization OR 1% of the total assets of the banking subsidiaries

Page 15

The CU Compliance Landscape

• European Union’s General Data Protection Regulation (GDPR)

• Goes into effect on May 25, 2018

• The maximum fine for non-compliance is €20 million (~$22 million USD) or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher

• In terms of breach reporting:

• A personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected

• Keep in mind:

• If the intrusion is detected and eradicated before any personal data is accessed, disclosed, altered or lost, no personal data breach has occurred under GDPR and the 72-hour clock never starts. Fast detection and containment therefore pays off in compliance terms, not only in damage limitation


Page 17

Understanding Incident Response

• Incident response is an organized approach to addressing and managing a security breach or cyberattack

• Also known as an IT incident, computer incident, or security incident

• The goal is to handle the situation in a way that limits damage and reduces recovery time and costs

Page 18

NIST Incident Response Life Cycle

• NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide

• Defines a four-phase life cycle: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity

• Used to collect, analyze, contain, and document any incident-related data or findings

• Also used to determine the appropriate response to each incident

https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Page 19

Preparation

• Keeping the number of incidents reasonably low is very important

• If security controls are insufficient, higher volumes of incidents may occur, overwhelming the incident response team

• This can lead to slow and incomplete responses, which translate to a larger negative business impact

• e.g., more extensive damage, longer periods of service and data unavailability

Page 20

Detection & Analysis

• For many CUs, the most challenging part of the incident response process is accurately detecting and assessing possible incidents

• Determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem

• Signs of an incident fall into one of two categories: precursors and indicators

• A precursor is a sign that an incident may occur in the future

• An indicator is a sign that an incident may have occurred or may be occurring now

• Most attacks do not have any identifiable or detectable precursors from the target’s perspective

Page 21

Detection & Analysis

• If precursors are detected, the CU may have an opportunity to prevent the incident from occurring

• Indicators of Compromise (IOCs) are the usual codified form of both kinds of sign: a known-hostile address probing the perimeter is a precursor, while the same address being contacted from inside the network is an indicator

• IOCs are derived from:

• Threat intelligence feeds or groups

• Past investigations

• Proprietary/tribal knowledge of analysts
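How an IOC match is turned into a precursor or an indicator in practice, as an added example that is not part of the original deck: the IOC values, the key=value log format and the log lines below are all constructed for illustration (RFC 5737 documentation addresses, the reserved .invalid TLD and a placeholder hash), and the split between the two categories follows the NIST SP 800-61 definitions on the previous slide. Blocked inbound traffic from a known-hostile source is treated as a precursor; outbound traffic to a known C2 address, resolution of a known C2 domain, a hostile source that was allowed in, or a file-hash match on an endpoint is treated as an indicator.

```python
"""Matching log events against IOCs and labelling each hit as a NIST
SP 800-61 precursor or indicator. Added example: IOC values, log format
and log lines are all constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed IOC set with its provenance, mirroring the three sources on
# the slide. Addresses are RFC 5737 documentation ranges; the domain uses
# the reserved .invalid TLD; the hash is a made-up placeholder.
DROPPER_SHA256 = "4c7f" + "0" * 60
IOCS: Dict[str, Dict[str, str]] = {
    "ip": {
        "203.0.113.7": "threat intel feed (known scanner)",
        "198.51.100.23": "past investigation (C2 server)",
    },
    "domain": {
        "update-check.invalid": "past investigation (banking trojan C2)",
    },
    "sha256": {
        DROPPER_SHA256: "analyst knowledge (dropper sample)",
    },
}


@dataclass
class Finding:
    category: str   # "precursor" or "indicator", per NIST SP 800-61
    ioc_type: str   # "ip", "domain" or "sha256"
    value: str
    source: str     # where the IOC came from
    line: str       # the raw log line that matched


# Constructed key=value log format, e.g. 'sensor=fw dir=in action=deny ...'
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(event: Dict[str, str], line: str) -> Optional[Finding]:
    """Match one parsed event against the IOC set.

    Precursor: a known-hostile source probing the perimeter and being
    blocked. Nothing has happened yet, but an incident may follow.
    Indicator: outbound traffic to a known C2 address, resolution of a
    known C2 domain, a hostile source that was allowed in, or a known-bad
    file hash on a host. The incident may already be under way.
    """
    src, dst = event.get("src_ip"), event.get("dst_ip")
    inbound = event.get("dir") == "in"
    if src in IOCS["ip"] and inbound:
        cat = "precursor" if event.get("action") == "deny" else "indicator"
        return Finding(cat, "ip", src, IOCS["ip"][src], line)
    if dst in IOCS["ip"] and event.get("dir") == "out":
        return Finding("indicator", "ip", dst, IOCS["ip"][dst], line)
    qname = event.get("query", "").lower().rstrip(".")
    if qname in IOCS["domain"]:
        return Finding("indicator", "domain", qname, IOCS["domain"][qname], line)
    digest = event.get("sha256", "").lower()
    if digest in IOCS["sha256"]:
        return Finding("indicator", "sha256", digest, IOCS["sha256"][digest], line)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run every log line through classify() and keep the hits."""
    findings: List[Finding] = []
    for line in lines:
        hit = classify(parse_kv(line), line)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample logs: a blocked RDP/SMB probe from the known scanner
# (precursors), then a DNS lookup of the C2 domain, a beacon to the C2
# address and a dropper written to a teller workstation (indicators),
# and finally a benign internal connection that matches nothing.
SAMPLE_LOGS = [
    "ts=2018-02-13T09:01:02Z sensor=fw dir=in action=deny src_ip=203.0.113.7 dst_ip=192.0.2.10 dst_port=3389",
    "ts=2018-02-13T09:01:03Z sensor=fw dir=in action=deny src_ip=203.0.113.7 dst_ip=192.0.2.10 dst_port=445",
    "ts=2018-02-13T09:15:44Z sensor=dns client=192.0.2.55 query=update-check.invalid. rcode=NOERROR",
    "ts=2018-02-13T09:15:45Z sensor=fw dir=out action=allow src_ip=192.0.2.55 dst_ip=198.51.100.23 dst_port=443",
    "ts=2018-02-13T09:16:10Z sensor=edr host=teller-07 event=file_create sha256=" + DROPPER_SHA256,
    "ts=2018-02-13T09:20:00Z sensor=fw dir=out action=allow src_ip=192.0.2.56 dst_ip=192.0.2.200 dst_port=443",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.category:9s} {f.ioc_type:6s} {f.value}  <- {f.source}")
```

The two blocked probes are the only hits where the CU still has a chance to act before anything happens; the moment the same scanner is let through, or an internal host reaches out to the C2 address or domain, the match is reclassified as an indicator and the event belongs in Detection & Analysis rather than prevention. Carrying the IOC's provenance in each finding is what lets the post-incident review on page 23 tell which source actually caught something.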

Page 22

Containment, Eradication, and Recovery

• Containment is important before an incident overwhelms resources or increases damage

• Most incidents require some measure of containment

• Containment provides time for developing a tailored remediation strategy

• Containment strategies vary based on the type of incident

Page 23

Post-Incident Activity

• Often called the “lessons learned” portion

• A study of incident characteristics may indicate systemic security weaknesses and threats

• As well as changes in incident trends

• This data can be put back into the risk assessment process

• Ultimately leading to the selection and implementation of additional controls

Page 24

The Full Life Cycle


Page 26

Revisiting…How Many Times Have You Heard (or Said)…

• “We’ve never been breached before…”

• “Nobody cares about attacking our CU…”

• “We have nothing that an attacker would want…”

• “We can’t afford to invest in…”

Page 27

Counterpoints…

“We’ve never been breached before…”

• Do you currently have the visibility or capability to discern this?

• Or has the organization simply been oblivious?

• Has the CU industry been targeted as of late?

• Have your partners or supply chain ever suffered a breach?

Page 28

Counterpoints…

“Nobody cares about attacking our CU…”

• Upon what assumptions are these statements based?

• Perhaps the previous slide?

• If compute resources are connected to the Internet you must always assume that at least ONE person wants to exploit or gain access to them

• The survival time is currently around 4 minutes for unpatched systems on the Internet

Page 29

Counterpoints…

“We have nothing that an attacker would want…”

• The answer to this is almost always “Yes, we do”

• Money isn’t the only asset an attacker would want

• Other assets include:

• Compute resources (a.k.a. bots)

• Intellectual property

• Financial information

• Intangibles are tangible in an online world

Page 30

Counterpoints…

“We can’t afford to invest in…”

• What is the business tolerance for pain vs. expense?

• How much do the following cost the business?

• Bad press

• Downtime

• Public breach disclosure

• Opportunistic attack recovery (e.g., ransomware)

Page 31

Some Unanticipated Costs To Consider

• Perception: Will your CU have a permanent ‘black mark’ in the eyes of potential employees, investors, and partners?

• Innovation: Will innovation suffer because your CU is spending all of its time trying to recover from a breach?

• IP Loss: Lost future earnings by having your CU’s intellectual property sold/used on the open market by competitors

• Productivity: How long can you tolerate the disruption to the operational state of your CU?

• Technology: Will a breach cause a knee-jerk purchasing reaction within your CU to prevent the same thing from happening again?

• Brand Damage: Can your CU brand navigate a highly publicized and damning breach? Will your partners return? Will your customers?

Page 32

Quick Wins

• So how can you make incremental improvements without

• Rocking the boat…

• Ripping-and-replacing existing tools...

• Spending a fortune...

Page 33

Quick Wins

• The easiest way to effect change is by taking small bites

Large Bites: NIST, ISO, COBIT, ITIL

Small Bites: CIS, CSA

Page 34

CIS Controls for Effective Cyber Defense

• The CIS Controls are a set of internationally recognized measures developed, refined, and validated by leading IT security experts from around the world

• Represent the most important cyber hygiene actions every organization should implement to protect their IT networks

• The Australian Signals Directorate found that its “Top 4” mitigation strategies, which map onto the first five CIS Controls, would have prevented at least 85% of the targeted intrusions it investigated



Page 40

Summary

• The threat and compliance landscape continues to evolve

• As do the capabilities and prevalence of attackers

• A well documented and executed incident response program will help limit the damage of a breach or cyber incident

• Your members rely on you to proactively protect their interests

• And it doesn’t have to cost a fortune (or, in some cases, anything!)

Page 41

Further Reading

• LEO Cyber Security Blog: http://leocybersecurity.com/blog/

• Yes, EU Data Regs Will Impact Credit Unions: http://www.cutimes.com/2017/05/05/yes-eu-data-regs-will-impact-credit-unions

• Cost of Data Breach Study: https://www.ibm.com/security/data-breach

• Verizon’s 2017 Data Breach Investigations Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

• Privacy Rights Clearinghouse: https://www.privacyrights.org

• Center for Internet Security: https://www.cisecurity.org

Page 42

Questions?

Thank You!

Andrew Hay, CTO

+1.415.940.9660

[email protected]

https://www.leocybersecurity.com

https://twitter.com/andrewsmhay

Visit Us At:

LEO Cyber Security

1612 Summit Avenue, Suite 415, Ft. Worth, TX 76102

[email protected]

www.leocybersecurity.com

@LeoCyberSec