TRANSCRIPT
5/13/2016
1
© 2016 Christian Brothers Services, Romeoville, IL. All Rights Reserved.No part of this presentation may be reproduced, stored in a retrieval system, or
transmitted by any means without the written permission of Christian Brothers Services.
Christian Brothers Services 2016 Spring Webinar Series
May 12, 2016
Christian Brothers Information & Technology Services
2016 SPRING WEBINAR SERIES
Cybersecurity
Opening Prayer
Creator God, through your world and people that surround us, we pray that we may grow more aware this day of your life giving presence. Open our minds and hearts to apply the knowledge from today’s webinar for the good of all.
We ask these things in Jesus’ Name. Amen
2016 SPRING WEBINAR SERIES
Cybersecurity
Tom Drez
Chief Privacy Officer/Chief Information Officer/Chief Security Officer
Christian Brothers Services
Disclaimer
• For informational purposes only
• Not legal advice
• Not a substitute for your own prudent business practices and due diligence
Our Agenda
1. Your likely day‐to‐day world
2. Your potential cyberrisk exposures
3. The current state of cybersecurity
4. Legislation and privacy & security
5. Cyber liability as a concern
6. A best practice approach to cybersecurity
7. Data breach walk through
1. Your Likely Day‐to‐Day World
Your Day‐to‐Day World
‐Vision
‐Mission
‐Strategic Plan
‐Strategic Objectives
‐Work Plans
‐Budgets
Information & Technology Services
• Member Satisfaction
• Delivering Organizational Value
• Risk Management
• Enabling Technologies
• Business Process Management
PRIORITY FOCUS AREAS
Information & Technology Services
• Customer Service
• Operational Efficiency
• Overall Effectiveness
• Security
• Cloud
• Applications
• Mobile
• Social
Organizational Drivers Enabling Technologies
Your Day‐to‐Day World ‐ SUMMARY
• Your strategic plan is working.
• You are living your mission and charism and ensuring they will live on long after you do.
• Your Catholic, faith‐based, 501(c)(3), NFP life is very good.
• What could go wrong!
2. Your Potential Cyberrisk Exposures
Your Potential Cyberrisk Exposures
• Confidential Information
• Proprietary Information
• Individually Identifiable Information
• Website/Social Media/Blog
• Data Network
• Who are your stake holders?
• What types of data do you have on them?
• What is your online presence?
Your Potential Cyberrisk Exposures
• Business Loss/ Disruption
• Reputational Harm
• Identity Theft
• Lawsuits
What are your main concerns from these risks?
Your Potential Cyberrisk Exposures
Members/staff
Donors
Customers
• PII
• PHI
• NPFI
• PCI
If you don’t need it, don’t collect it and store it.
Your Potential Cyberrisk Exposures
Data Price List
Your Potential Cyberrisk Exposures
• You use people, process and technology to function efficiently and effectively.
• You have at least one pair of wires to the internet.
Your Potential Cyberrisk Exposures ‐SUMMARY
• You have data that others want
• You have an electric fence with front doors, back doors and windows
• You want to protect your organization and stay out of the headlines, and for your CEO and CIO to keep their jobs (& stay out of jail)
3. The State of Cybersecurity
Your Day‐to‐Day World … is now larger
Cyberrisk
Cybersecurity
Cyber liability
Based on (2016 Verizon Data Breach Investigations Report):
‐‐ 100,000+ incidents
‐‐ 2,260 confirmed data breaches
Confirmed data breaches:
• ~80% from external actors
• 80% had a financial motive
• The 9 incident classification patterns still reign supreme
9 main threat actors
CBS Security Awareness Education
‐‐ C‐Level attacks (e.g. e‐mails impersonating an executive)
‐‐ $ transfers
‐‐ W‐2 data
CBS Security Awareness Education
Observed every October (National Cyber Security Awareness Month)
Top 4 Threats to Data
1. Lost Hardware
2. Network Penetration
3. Insider Threat
4. Physical Access
The New Normal
• Human firewalling will remain ineffective against sophisticated social engineering and phishing attacks
• Application vulnerabilities are an issue
• Online “dark markets” are providing cheaper and faster automated tools to hackers
• Cyberattacks are the new battlefield, especially for nation states
Changes in Security Models
• The traditional perimeter defense approach is being replaced with a multi‐layered approach, driving towards proactive, intelligence‐driven security
• Security intelligence is becoming critical to aggregate and analyze information
• New models are emerging for identity and trust
• Encrypt, encrypt, encrypt
• Security awareness education is now daily, not annual
Activities to Manage & Mitigate Cyberrisks
Complete an IT risk assessment
Review IT governance model
Review IT policies, standards, procedures and guidelines
Review identity management and access controls
Review operations center monitoring & management tools
Enhance infrastructure
Inventory all IT hardware, software and data assets
Review and update your security awareness program
Bake security into application acquisition and development
Conduct 3rd party vendor security assessment
Repeat for continuous improvement
The State of Cybersecurity ‐ SUMMARY
• There are two kinds of organizations: those that have been hacked, and those that don’t know they’ve been hacked.
• It’s not IF you will have a breach, it’s WHEN.
• You can be right 999 times out of 1,000. The hacker needs to be right just once.
• There is no silver bullet, but you can and must mitigate your risks.
• You are only as strong as your weakest link!
4. Legislation and Privacy & Security
State Data Breach Notification Laws
• 47 states have laws requiring notification in the event of a breach of personal information (not AL, NM, SD)
• The laws vary in terms of what constitutes personal information along with notification timing, etc.
• Examples: SSN, first & last name, driver’s license #, account number, credit & debit card #, medical information
• Scope varies too: some laws cover only electronic data, others cover records in all forms, including paper.
Federal Notification Laws
Breach Notification Laws Are Continuously Changing
• California recently passed new laws effective 1/1/16:
• Notices must use very specific wording and formatting (required headings and font), covering:
• What happened
• What information was involved
• What we are doing
• For more information
• Post a conspicuous notice on the website
• If login credentials were breached, an e‐mail notice to the compromised account does not count as valid electronic notice
• “Encrypted” is now defined in the statute
• Additional data elements were added to the definition of personal information
Privacy & Security Legislation ‐ SUMMARY
• Laws are continually being passed
• Be aware of those that apply to your organizations
• Be aware of compliance requirements and penalties
• Would be nice if Congress passed one comprehensive law
5. Cyber Liability as a Concern
Cyber Liability as a Concern
Considering Cyber Liability Coverage
Insuring Clauses
• Privacy liability
• Network security liability
• Network extortion
• Internet media liability
• Commercial General Liability (CGL) business policies may not adequately cover cyber‐risks
• Review your policy within the context of cyberrisks
• Cyber liability coverage growing rapidly
• Underwriting a mix of customized art and science
Considering Cyber Liability Coverage ‐ SUMMARY
• Cyberrisks exist and may not be covered by your CGL policy
• Data breach costs can be very significant
• Cyber liability policies exist and are growing
• Review your CGL policy against cyberrisks
• Don’t over OR underinsure
6. A Best Practice Approach to Cybersecurity
Security Levels
Network Level Protection
Computer Level Protection
Data Level Protection
Security: Data‐Level Protection
• Access to data granted to staff on an as‐needed basis, at varying levels
• Appropriate levels of approval needed to gain access
• Limit access to sensitive data (e.g. SSN, account balances, etc.)
Security: Computer‐Level Protection
• Redundant multi‐vendor antivirus software at both desktop and server levels
• Proactive threat protection
• Prohibit staff from installing software
• Force computers to lock after a period of inactivity
• Require “complex” passwords: at least 12 characters, with upper case, lower case, numeric and symbol characters
Security: Network‐Level Protection
• Redundant firewalls control traffic and prevent unwanted inbound access
• Intrusion Prevention System monitors inbound and outbound traffic and notifies IT of attempted security breaches
• Website activity monitor prevents access to restricted sites and monitors usage
• Security Information and Event Management (SIEM) provides real‐time analysis of security alerts generated by our network
• Secure VPN server provides access to internal resources
• Website SSL/TLS certificates ensure traffic between client and web server is encrypted
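The IPS and SIEM bullets above are only useful if someone writes the rule that fires when a server starts behaving out of character; in the data breach walk‐through later in this deck, a database server pushed its whole participant table to an external address and nobody noticed. The following Python is an added example for this webinar transcript, not a tool from Christian Brothers Services. It assumes a whitespace‐separated outbound‐connection log (timestamp, source IP, destination IP, destination port, bytes sent), a hard‐coded list of internal networks and database servers, and a byte threshold; the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample outbound-connection log (not from any real system).
# Assumed line format: timestamp src_ip dst_ip dst_port bytes_sent
SAMPLE_LOG = """\
2014-07-06T02:10:01 10.0.5.20 10.0.5.40 1433 8200
2014-07-06T02:11:45 10.0.5.20 203.0.113.77 443 48000000
2014-07-06T02:12:00 10.0.1.15 198.51.100.10 443 41000
2014-07-06T02:13:30 10.0.5.20 10.0.5.41 443 9900
2014-07-06T02:15:00 10.0.5.20 203.0.113.77 443 12000000
"""

# Assumptions about the environment; a real rule would read these from the
# asset inventory rather than hard-code them.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DB_SERVERS = {"10.0.5.20"}            # hosts that should never talk to the internet
BULK_THRESHOLD = 50 * 1024 * 1024     # bytes per (src, dst) pair before we alert


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse the assumed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def detect_exfil(records: list) -> list:
    """Two correlation rules over outbound (internal -> external) flows:
    1. db_server_outbound: a database server opened any external connection.
    2. bulk_outbound: one (src, dst) pair sent more than BULK_THRESHOLD bytes.
    Returns alert tuples in the order they fire."""
    alerts = []
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["dst"]):
            continue                              # east-west traffic: not in scope here
        if r["src"] in DB_SERVERS:
            alerts.append(("db_server_outbound", r["src"], r["dst"], r["ts"]))
        totals[(r["src"], r["dst"])] += r["bytes"]
    for (src, dst), total in sorted(totals.items()):
        if total > BULK_THRESHOLD:
            alerts.append(("bulk_outbound", src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(parse_log(SAMPLE_LOG)):
        print(alert)
```

The first rule needs no baseline at all: a database server has no business opening connections to the internet, so a single flow is enough to page someone. The second rule catches the bulk dump even from a host that is allowed outbound access; in production the threshold would be derived from each host's normal daily volume rather than a fixed constant.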
Wi‐Fi
• Do you know all of your Wi‐Fi access points?
• Are they using the latest security?
• Throw away WEP devices (WEP is broken and can be cracked in minutes)
• Use WPA2 with long, random PSKs; the original WPA (TKIP) is also deprecated
• BEWARE OF PINEAPPLES! (a Wi‐Fi Pineapple is a portable rogue access point that impersonates networks your devices already trust)
• Always use your cell phone or hot spot first before FREE Wi‐Fi
• Use a computer firewall, VPN and VDI
7. A Data Breach Walk Through
Pension Board ABC (PB‐ABC)
• Non‐profit Benefits Organization that provides retirement and health benefits to the ABC Group
• PB‐ABC provides services to:
• 100,000 active participants
• 25,000 inactive participants
• 15,000 retirees
Data Breach
• On September 15, 2014, the PB‐ABC was contacted by the FBI to inform them that they had discovered during a recent investigation that PB‐ABC's data had been stolen, sold and was used in seven known identity theft incidents
• PB‐ABC was totally surprised by the FBI's discovery and report of data theft. They fully cooperated with law enforcement and launched an immediate internal investigation into the incident
Investigation
• The investigation uncovered that, sometime in June 2014, an attacker exploited a SQL injection vulnerability on the PB‐ABC website to deposit malware on the database server
• The malware was not detected by their security software because the software had not been updated to the latest release
• Their IT department noticed the malware on Monday morning, June 9, when the security software was updated to the latest release
Investigation
• They used the security software to immediately remove the malware from their website
• However, unbeknownst to them, the malware had already propagated to their internal production database server and gone dormant
• One month later, on July 6, the malware activated and dumped the entire contents of their participant database to an external server on the internet
• This data included name, address, email address, social security number, date of birth and account balance for 140,000 participants
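The initial vector in this walk‐through is a SQL injection on the public website, which is the kind of application vulnerability flagged under “The New Normal” above. The following Python is an added example for this transcript, not code from the presentation or from Pension Board ABC. It builds a tiny constructed participant table in an in‐memory SQLite database and shows the string‐concatenated lookup that creates the flaw beside the parameterized lookup that removes it, with input validation as a second layer; all table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the participant table (not real data).
SAMPLE_ROWS = [
    (1001, "Ann Alpha", "111-11-1111", 52000.00),
    (1002, "Bob Beta",  "222-22-2222", 98000.00),
    (1003, "Cat Gamma", "333-33-3333", 15000.00),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory table the two lookups below are run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE participant "
                 "(id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, balance REAL)")
    conn.executemany("INSERT INTO participant VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, participant_id: str) -> list:
    """The flaw behind the walk-through: request input is concatenated into the
    SQL text, so the input can change the query's structure, not just its value."""
    sql = ("SELECT id, name, ssn, balance FROM participant WHERE id = "
           + participant_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, participant_id) -> list:
    """Parameterized query: the value travels separately from the SQL text and
    is only ever compared as a value, never parsed as SQL."""
    sql = "SELECT id, name, ssn, balance FROM participant WHERE id = ?"
    return conn.execute(sql, (participant_id,)).fetchall()


def parse_participant_id(raw: str) -> int:
    """Input validation as a second layer: reject anything that is not a plain
    positive integer before it reaches the database at all."""
    if not raw.isdigit():
        raise ValueError("participant id must be a positive integer")
    return int(raw)


if __name__ == "__main__":
    db = build_db()
    hostile = "1001 OR 1=1"          # attacker-controlled query-string value
    print("vulnerable:   ", lookup_vulnerable(db, hostile))   # every row
    print("parameterized:", lookup_safe(db, hostile))         # no rows
    print("validated:    ", lookup_safe(db, parse_participant_id("1001")))
```

With the hostile value, the concatenated query becomes `WHERE id = 1001 OR 1=1` and returns every participant, SSNs and balances included; the parameterized query compares the whole string against the integer column and matches nothing. Parameterization is the fix; validation on top of it means a malformed identifier is rejected before the database is ever touched.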
Investigation
• The internal investigation was completed on September 18, 2014. The Senior Management team gathered and was informed of this detail by the Chief Information Officer
Data Breach Protocol
• Best practices call for an organization to have a Data Breach Protocol or Plan, just like having a Business Continuity Plan
• If Pension Board ABC had a Data Breach Protocol, it might look like the following:
Data Breach Protocol
CEO: Notifies Pension Board’s Board of Trustees
CFO: Notifies insurance broker of breach; acts as liaison to broker for the claim processing and activities
General Counsel or Legal Consultant: Takes point on ensuring compliance with any applicable breach notification law(s)
Data Breach Protocol
COO or Communications Dept. Head: Oversees development of communications plan to affected constituents and media, as required
COO or Customer Service Dept. Head: Coaches call center on response protocols for inquiries by participants or media
Data Breach Protocol
CIO or Head of Information Technology Dept.
• Engages external forensics firm to assist in analysis of breach and method of elimination
• Review all other similar and related systems to make sure any similar vulnerabilities have been addressed
• Review procedures, protocols and security tools; change any and all of these to ensure a repeated breach doesn’t occur
Data Breach Protocol
Additional Note
• If data breach were personnel‐caused rather than a technology breach (e.g., staff member accidentally emailed report containing bulk SSNs to an outside entity), technology forensics would be replaced with internal procedures review and possible Human Resources involvement and remediation with education
Recap
• Your likely day‐to‐day world
• Your potential cyberrisk exposures
• The current state of cybersecurity
• Legislation and privacy & security
• Cyber liability as a concern
• A best practice approach to cybersecurity
• Data breach walk through
For questions regarding Cybersecurity, contact:
Tom Drez [email protected]
800.807.0200 x 2930
For the link to the handouts from today’s webinar, email:
To sign up for any of our spring webinars:
cbservices.org/educationalresources.php