www.leocybersecurity.com
Simplifying Cyber Security and Today's Growing Regulatory Compliance
Andrew Hay, CTO, LEO Cyber Security
+1.415.940.9660
https://www.leocybersecurity.com
https://twitter.com/andrewsmhay
Tuesday, February 13, 2018
About Andrew Hay
• Co-Founder and Chief Technology Officer (CTO) @ LEO Cyber Security
• Former:
• CISO @ DataGravity
• Director of Research @ OpenDNS
• Chief Evangelist & Director of Research @ CloudPassage
• Senior Security (Industry) Analyst @ 451 Research
• Information Security Officer in higher education and financial services
• Blogger, author, and rugby coach
About LEO Cyber Security
LEO is a seasoned team of cyber trailblazers and creative practitioners who have the deep experience and operational knowledge to combat the cyber skills gap. Through creative solutions we help our customers build and manage security programs.
Agenda
• Introduction
• The CU Threat & Compliance Landscape
• The Incident Response Life Cycle
• Protecting Both The CU & Members
• Summary
Introduction
• There is often a disconnect between the CU leadership and the IT and security staff in the trenches
• Though the CU may not have experienced a damaging breach in the past, data shows that many CUs may be incapable of effectively mitigating such an event
• So how does a credit union, which is increasingly responsible for the security and privacy of customer and employee information, mitigate a serious and perhaps business-ending data breach?
How Many Times Have You Heard (or Said)…
• “We’ve never been breached before…”
• “Nobody cares about attacking our CU…”
• “We have nothing that an attacker would want…”
• “We can’t afford to invest in…”
The CU Threat Landscape
Verizon DBIR 2017 – Financial Services
Frequency: 998 incidents, 471 with confirmed data disclosure
Top 3 patterns: Denial of Service, Web Application Attacks and Payment Card Skimming represent 88% of all security incidents within Financial Services
Threat actors: 94% External, 6% Internal, <1% Partner (all incidents)
Actor motives: 96% Financial, 1% Espionage (all incidents)
Data compromised: 71% Credentials, 12% Payment, 9% Personal
Summary: DoS attacks were the most common incident type. Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords, along with ATM skimming operations.
The CU Threat Landscape
• Reported CU breaches: 44 (2005 to Present)
• Total records exposed: ~331,476
• Repeat offenders: 3 CUs
The CU Compliance Landscape
• Payment Card Industry Data Security Standard (PCI DSS)
• 1.0 was released on December 15, 2004 (current version is 3.2)
• If a merchant experiences a security breach and is found to be non-compliant with PCI DSS, it may be subject to steep fines; the card brands levy these on the acquiring bank, which passes them on to the merchant
• Depending on the circumstances, merchants might have to pay anywhere from $5,000 to $100,000 every month until they address all identified compliance issues
• If they don’t resolve the problem satisfactorily, they may even have their ability to accept cards revoked
The CU Compliance Landscape
• New York's Cybersecurity Regulation (23 NYCRR Part 500)
• Took effect on March 1, 2017, with phased transition deadlines for the individual requirements
• Applies to all individuals and organizations that are regulated by New York State Department of Financial Services (NYS DFS)
• Impacting any individual or organization that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law, or the financial services law”
• Penalties could include:
• License revoked
• $250,000 fine OR 1% of the total assets of such banking organization OR 1% of the total assets of the banking subsidiaries
The CU Compliance Landscape
• European Union’s General Data Protection Regulation (GDPR)
• Goes into effect on May 25, 2018
• The fines for not complying with GDPR are up to 20 million Euros (~$22 million USD) or up to 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher
• In terms of breach reporting:
• If a company experiences a personal data breach, it must notify the supervisory authority within 72 hours of becoming aware of it (Article 33), and the affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34)
• Keep in mind:
• Notification is not required where the breach is unlikely to result in a risk to individuals; if activity is caught and eradicated before any personal data is accessed or exfiltrated, it may not need to be reported at all, but the breach and the reasoning behind the decision must still be documented internally
Understanding Incident Response
• Incident response is an organized approach to addressing and managing a security breach or cyberattack
• Also known as an IT incident, computer incident, or security incident
• The goal is to handle the situation in a way that limits damage and reduces recovery time and costs
NIST Incident Response Life Cycle
• NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide
• Defines a four-phase cycle (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity) used to collect, analyze, contain, and document incident-related data and findings
• Also used to determine the appropriate response to each incident
https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Preparation
• Keeping the number of incidents reasonably low is very important
• If security controls are insufficient, higher volumes of incidents may occur, overwhelming the incident response team
• This can lead to slow and incomplete responses, which translate to a larger negative business impact
• e.g., more extensive damage, longer periods of service and data unavailability
Detection & Analysis
• For many CUs, the most challenging part of the incident response process is accurately detecting and assessing possible incidents
• Determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem
• Signs of an incident fall into one of two categories: precursors and indicators
• A precursor is a sign that an incident may occur in the future
• An indicator is a sign that an incident may have occurred or may be occurring now
• Most attacks do not have any identifiable or detectable precursors from the target’s perspective
Detection & Analysis
• If precursors are detected, the CU may have an opportunity to prevent the incident from occurring
• Indicators of Compromise (IOCs), such as file hashes, IP addresses, domain names, and distinctive log entries, are the most common way to detect indicators and, for reconnaissance activity such as scanning, precursors
• IOCs are derived from:
• Threat intelligence feeds or groups
• Past investigations
• Proprietary/tribal knowledge of analysts
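As an added example (not code from the original deck or from LEO Cyber Security), the Python script below applies a small IOC set to a handful of log lines and labels each hit using the precursor/indicator distinction above: repeated firewall denies from one source against many ports are reported as a precursor (reconnaissance), while any parsed log field that equals an IOC value (a domain, an IP, a file hash) is reported as an indicator. The IOC values, hostnames, the key=value log format and the five-port scan threshold are all assumptions constructed for the illustration; none of them refer to real infrastructure.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed IOC set: hypothetical values only. The IP is from the RFC 5737
# documentation range and the hash is the SHA-256 of an empty input.
IOCS = {
    "domain": {"update-check.example.net"},
    "ip": {"203.0.113.45"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log lines in a simple "timestamp host ACTION key=value ..." shape.
SAMPLE_LOGS = [
    "2018-02-12T09:14:02Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=21",
    "2018-02-12T09:14:02Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=22",
    "2018-02-12T09:14:03Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=23",
    "2018-02-12T09:14:03Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=445",
    "2018-02-12T09:14:04Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=3389",
    "2018-02-12T09:30:00Z fw01 DENY src=198.51.100.9 dst=192.0.2.10 dport=22",
    "2018-02-12T10:02:11Z dns01 QUERY client=192.0.2.117 qname=update-check.example.net",
    "2018-02-12T10:02:12Z fw01 ALLOW src=192.0.2.117 dst=203.0.113.45 dport=443",
    "2018-02-12T10:03:40Z edr01 EXEC host=wks-117 image=C:\\Users\\Public\\svc.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2018-02-12T10:05:00Z dns01 QUERY client=192.0.2.118 qname=www.example.org",
]


@dataclass
class Finding:
    category: str   # "precursor" or "indicator", in the NIST SP 800-61 sense
    reason: str
    evidence: str


KV_RE = re.compile(r"(\w+)=(\S+)")


def analyze(lines, scan_threshold=5):
    """Return Findings for one batch of log lines.

    Indicators: a parsed field value equals a known IOC. Matching on parsed
    fields rather than substrings avoids 203.0.113.45 matching 203.0.113.450.
    Precursors: one source address denied on at least scan_threshold distinct
    destination ports, i.e. something that looks like a port scan.
    """
    findings = []
    denied_ports = defaultdict(set)   # source address -> set of probed ports
    for line in lines:
        fields = dict(KV_RE.findall(line))
        for ioc_type, values in IOCS.items():
            for value in sorted(values.intersection(fields.values())):
                findings.append(Finding("indicator", f"{ioc_type} IOC {value}", line))
        if " DENY " in line and "src" in fields and "dport" in fields:
            denied_ports[fields["src"]].add(fields["dport"])
    for src, ports in sorted(denied_ports.items()):
        if len(ports) >= scan_threshold:
            findings.append(Finding(
                "precursor",
                f"{src} probed {len(ports)} distinct ports (possible scan)",
                "ports " + ",".join(sorted(ports, key=int))))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'indicator': 3, 'precursor': 1}."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding.category] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(f"[{finding.category:9}] {finding.reason}: {finding.evidence}")
```

On the sample above the scanning source 198.51.100.7 comes out as the one precursor, and the DNS query, the outbound connection and the executed binary on wks-117 come out as three indicators; raising the scan threshold drops the precursor without affecting the IOC hits. In practice the IOC set would be loaded from a feed or a past case file rather than hard-coded, and a precursor such as the scan is exactly the point at which blocking the source still prevents the incident rather than merely detecting it.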
Containment, Eradication, and Recovery
• Containment is important before an incident overwhelms resources or increases damage
• Most incidents require some measure of containment
• Containment provides time for developing a tailored remediation strategy
• Containment strategies vary based on the type of incident
Post-Incident Activity
• Often called the “lessons learned” portion
• A study of incident characteristics may indicate systemic security weaknesses and threats
• As well as changes in incident trends
• This data can be put back into the risk assessment process
• Ultimately leading to the selection and implementation of additional controls
The Full Life Cycle
Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity, with lessons learned feeding back into Preparation
Revisiting…How Many Times Have You Heard (or Said)…
• “We’ve never been breached before…”
• “Nobody cares about attacking our CU…”
• “We have nothing that an attacker would want…”
• “We can’t afford to invest in…”
Counterpoints… “We’ve never been breached before…”
• Do you currently have the visibility or capability to discern this?
• Or has the organization simply been oblivious?
• Has the CU industry been targeted as of late?
• Have your partners or supply chain ever suffered a breach?
Counterpoints… “Nobody cares about attacking our CU…”
• Upon what assumptions are these statements based?
• Perhaps the previous slide?
• If compute resources are connected to the Internet you must always assume that at least ONE person wants to exploit or gain access to them
• The survival time is currently around 4 minutes for unpatched systems on the Internet
Counterpoints… “We have nothing that an attacker would want…”
• The answer to this is almost always “Yes, we do”
• Money isn’t the only asset an attacker would want
• Other assets include:
• Compute resources (a.k.a. bots)
• Intellectual property
• Financial information
• Intangibles are tangible in an online world
Counterpoints… “We can’t afford to invest in…”
• What is the business tolerance for pain vs. expense?
• How much do the following cost the business?
• Bad press
• Downtime
• Public breach disclosure
• Opportunistic attack recovery (e.g., ransomware)
Some Unanticipated Costs To Consider
• Perception: Will your CU have a permanent ‘black mark’ in the eyes of potential employees, investors, and partners?
• Innovation: Will innovation suffer because your CU is spending all of its time trying to recover from a breach?
• IP Loss: Lost future earnings by having your CU’s intellectual property sold/used on the open market by competitors
• Productivity: How long can you tolerate the disruption to the operational state of your CU?
• Technology: Will a breach cause a knee-jerk purchasing reaction within your CU to prevent the same thing from happening again?
• Brand Damage: Can your CU brand navigate a highly publicized and damning breach? Will your partners return? Will your customers?
Quick Wins
• So how can you make incremental improvements without
• Rocking the boat…
• Ripping-and-replacing existing tools...
• Spending a fortune...
Quick Wins
• The easiest way to effect change is by taking small bites
• Large Bites: NIST, ISO, COBIT, ITIL
• Small Bites: CIS, CSA
CIS Controls for Effective Cyber Defense
• The CIS Controls are a set of internationally recognized measures developed, refined, and validated by leading IT security experts from around the world
• They represent the most important cyber hygiene actions every organization should implement to protect its IT networks
• A study by the Australian Signals Directorate, as cited by CIS, indicates that roughly 85% of targeted intrusions can be prevented by deploying the first five CIS Controls
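As an added example of what a "small bite" can look like (this is not part of the original deck and not LEO's tooling), the Python script below takes the first two CIS Controls, the inventories of authorized devices and authorized software, and reconciles observed DHCP leases and per-host installed-software lists against them. It reports devices that are on the network but not in the inventory, inventoried devices that were not seen, and packages outside the software allow-list. The inventories, lease lines, package names and the control numbering (CIS Controls v6, the version current when this talk was given) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# CIS Control 1 (Inventory of Authorized and Unauthorized Devices, v6 numbering):
# the authorized device list keyed by MAC address. Constructed sample data.
AUTHORIZED_DEVICES = {
    "00:1b:44:11:3a:b7": ("fs01", "IT"),
    "00:1b:44:11:3a:b8": ("wks-117", "Member Services"),
    "00:1b:44:11:3a:b9": ("wks-118", "Member Services"),
}

# CIS Control 2 (Inventory of Authorized and Unauthorized Software): the
# allow-list of package name/version strings. Constructed sample data.
AUTHORIZED_SOFTWARE = {"Core Banking Client 4.2", "Chrome 64", "7-Zip 18.01"}

# Constructed observations: DHCP-lease style lines ("mac ip hostname") and the
# package list each endpoint reported.
DHCP_LEASES = [
    "00:1b:44:11:3a:b7 192.0.2.10 fs01",
    "00:1b:44:11:3a:b8 192.0.2.117 wks-117",
    "b8:27:eb:5c:0d:12 192.0.2.201 raspberrypi",   # not in the inventory
]
INSTALLED_SOFTWARE = {
    "wks-117": {"Core Banking Client 4.2", "Chrome 64", "uTorrent 3.5"},
    "wks-118": {"Core Banking Client 4.2", "Chrome 63"},   # stale browser build
}


@dataclass
class InventoryReport:
    unauthorized_devices: list = field(default_factory=list)   # (mac, ip, hostname)
    unseen_devices: list = field(default_factory=list)         # authorized but not observed
    unauthorized_software: dict = field(default_factory=dict)  # hostname -> [package, ...]


def reconcile(leases, installed, auth_devices=AUTHORIZED_DEVICES,
              auth_software=AUTHORIZED_SOFTWARE):
    """Compare observations against the authorized inventories.

    Unknown devices are the Control 1 finding; authorized devices that never
    showed up are worth a look too (decommissioned, stolen, or a stale
    inventory). Packages outside the allow-list are the Control 2 finding, and
    an outdated build of an approved package counts because the allow-list is
    keyed by version.
    """
    report = InventoryReport()
    seen_macs = set()
    for line in leases:
        mac, ip, hostname = line.split()
        mac = mac.lower()
        seen_macs.add(mac)
        if mac not in auth_devices:
            report.unauthorized_devices.append((mac, ip, hostname))
    report.unseen_devices = sorted(
        auth_devices[mac][0] for mac in auth_devices.keys() - seen_macs)
    for hostname, packages in sorted(installed.items()):
        unexpected = sorted(packages - auth_software)
        if unexpected:
            report.unauthorized_software[hostname] = unexpected
    return report


def has_findings(report):
    """True when anything in the report needs a human to look at it."""
    return bool(report.unauthorized_devices
                or report.unseen_devices
                or report.unauthorized_software)


if __name__ == "__main__":
    result = reconcile(DHCP_LEASES, INSTALLED_SOFTWARE)
    for mac, ip, name in result.unauthorized_devices:
        print(f"unauthorized device: {name} ({mac}) at {ip}")
    for name in result.unseen_devices:
        print(f"authorized device not seen on the network: {name}")
    for host, pkgs in result.unauthorized_software.items():
        print(f"unauthorized software on {host}: {', '.join(pkgs)}")
```

Run against the constructed data this flags the unknown Raspberry Pi, notes that wks-118 never appeared in the leases, and lists uTorrent on wks-117 and the outdated Chrome on wks-118. The inputs are deliberately the kind of data a CU already has (DHCP server logs, endpoint agent or software-metering exports), which is what makes the first two controls a quick win: the cost is the discipline of maintaining the two allow-lists, not a new product.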
Summary
• The threat and compliance landscape continues to evolve
• As do the capabilities and prevalence of attackers
• A well documented and executed incident response program will help limit the damage of a breach or cyber incident
• Your members rely on you to proactively protect their interests
• And it doesn’t have to cost a fortune (or, in some cases, anything!)
Further Reading
• LEO Cyber Security Blog: http://leocybersecurity.com/blog/
• Yes, EU Data Regs Will Impact Credit Unions: http://www.cutimes.com/2017/05/05/yes-eu-data-regs-will-impact-credit-unions
• Cost of Data Breach Study: https://www.ibm.com/security/data-breach
• Verizon’s 2017 Data Breach Investigations Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
• Privacy Rights Clearinghouse: https://www.privacyrights.org
• Center for Internet Security: https://www.cisecurity.org
Visit Us At:
https://www.leocybersecurity.com
LEO Cyber Security
1612 Summit Avenue, Suite 415, Ft. Worth, TX 76102
www.leocybersecurity.com
@LeoCyberSec
Questions?
Thank You!
Andrew Hay, CTO
+1.415.940.9660
https://www.leocybersecurity.com
https://twitter.com/andrewsmhay