Cybersecurity presentation, Dental Convention, September 6, 2018 (AMW)
TRANSCRIPT
12/19/2018
DEMYSTIFYING CYBERSECURITY
How to Prepare and Respond
Presentation by:
Amy M. Williams
Business Consultant
Warren Averett Technology Group
Today’s Main Goal: Help you to understand why cybersecurity is a concern in today’s society.
And more importantly… what to do about it!
FACT:
Businesses will lose $3 Trillion to Cybercrime
by 2020.
Will yours be one of them?
Why is Technology a Risk?
Is the Wi‑Fi on your Smartphone turned on?
Compiling Results…
If the Wi‑Fi on your smartphone was turned on… the software shows, in the last 24 hours:
• 5 people searched the weather through an app
• 4 people checked their team in fantasy football
• 2 people made dinner reservations
• 3 people logged into a financial institution app
• 1 person searched for and downloaded The Notebook
DO I HAVE YOUR ATTENTION???
The point of the exercise: a phone with Wi‑Fi left on will automatically join any network whose name it remembers, including one an attacker sets up with that same name, and whoever runs that network can see which services you connect to and read any traffic your apps do not encrypt.
Cyber attacks evolve every day as attackers become more inventive. It’s critical to properly define cybersecurity and take steps to protect your business.
Agenda:
Today we will discuss 4 main topics:
1. Why you must be concerned about cybersecurity
2. The current threats to you and your business
3. Why you MUST be proactive, not reactive
4. How to mitigate your risk and protect your information
Why you must be concerned about cybersecurity
Why is Technology a Risk?
Carl Sagan, a well known scientist and astronomer, may have said it best…
“We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.”
I happen to prefer this statement by Albert Einstein…
“Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.”
Tell me something:
“Do you wait for the heart attack before you exercise? No.
Do you crash the car before you buckle up the kids? Of course not.
So why would you wait to protect the data that defines who you are? Until AFTER the damage is done???”
(John Sileo, Cyber Security expert and award‑winning author)
Top Risks for the United States (per the U.S. Department of Defense):
1. Cyber Threats
2. Other Threats (ex: China uses Cyber to enable espionage and attack capabilities to support its national security and economic priorities)
3. Terrorism
Source: http://www.defense.gov/News/Special‐Reports/0415_Cyber‐Strategy
The Struggle is Real
[Figure: real-life cyber security attack map, April 3, 2018. Source: map.norsecorp.com]
Motivations and Incentives
Where Attacks Can Come From
How does Cyber Security Really Affect My Practice?
“In a digital economy, like we live in now… the person who controls your data controls your destiny.”
Source: John Sileo, Cyber Security Expert
Know where your risk comes from:
CAUSES OF DATA LOSS
Negligent release (64% of breaches are accidental):
• Lost laptops
• Improper disposal of backup tapes
• Accidental release
• Broken business practices
• Un‐shredded documents
Deliberate attack:
• Hacking
• Virus / Malware
• Phishing
• Spear phishing
• Network intrusion
Top 5 Impacts of a Cyber Security Breach
• Reputational damage
• Theft. While a cyber‐raid on a big‐name bank may net the attacker a sizeable haul, smaller businesses’ defenses are typically less sophisticated and easier to penetrate, making them a softer target.
• Financial losses
• Fines
• Below‐the‐surface (intangible) costs
Source: Sungard
What are the current threats?
(Lack of) Business Continuity:
There is a difference between having “backups” and having a true disaster recovery plan. A few things to keep in mind:
‐ Recovery procedure development and documentation is key. If it’s not in writing… IT DOESN’T COUNT.
‐ Has your recovery procedure been tested? Testing should cover:
  • Recovery time during the disaster
  • Post‐testing reporting and review
  • Regular status reporting
‐ Have your applications and data been ranked according to business criticality?
‐ Do you know what your contractually‐guaranteed recovery time objective (RTO, how long restoration may take) and recovery point objective (RPO, how much recent data you can afford to lose, measured in time) are? A backup taken once a night cannot deliver an RPO shorter than 24 hours, and a restore that has never been timed cannot support any RTO.
The Human Factor
Phishing attempts
Let’s look a little closer…
Email, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution – “spoofed”.
Bottom line: they are designed to fool (or scare) you into giving valuable information.
Email methods:
• Deceptive subject line
• Forged sender’s address
• Genuine‐looking content
• Disguised hyperlinks
Website methods:
• Genuine‐looking content
• Form – collection of information
• Incorrect URL, not disguised
Keep on Phishing
Example #1: And why exactly would a trucking company be delivering my wireless bill???
Example #2
Example #3
If you don’t know me… …I don’t know you.
Passwords
• Do not physically store them in obvious places, or preferably in writing at all.
• Create strong passwords:
  • Make them long.
  • Include a mix of special characters, numbers, and upper‐ and lowercase letters.
  • Make your password reminders something only you know.
• Change your passwords regularly. This should be done as a first step if you believe your information has been stolen or compromised.
• Do not reuse old passwords or phrases. Reuse lets an attacker who obtains one leaked password guess the others from your password history.
In 2017, Yahoo revealed that all of its approximately 3 billion user accounts were affected by a previously disclosed data breach that took place in 2013. The compromised data may have included phone numbers, email addresses, passwords, and birthdates.
Passwords
• Use a password manager
• Set up two‐factor authentication.
Taking the steps described above may not completely prevent someone with malicious intent from gaining access to your information, but it can help to mitigate the potential damage.
Viruses / Keylogging
Computer viruses are small programs or scripts that can negatively affect the health of your computer.
Keylogging is the practice of using a software program or hardware device to record all keystrokes on a computer keyboard.
Example: Insurance Company
Ransomware
What to know:
• Often begins with a phishing email
• Triggered by clicking a link or opening an attachment
• Encrypts every file it can reach, including files on mapped network drives and shares
• Usually demands payment in cryptocurrency
What to understand:
• It can cripple your business until / while remediation occurs
• It can cause MAJOR problems even after resolution
Things to think about:
• How much does prevention save you? (Play it into the future)
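The detection side of the ransomware behaviour described above, as an added example that is not part of the presentation: a small Python script that reads a constructed file-activity log and raises an alert when one process rewrites many files to a new extension within a short window and the new contents have the near-random byte distribution of ciphertext. The log fields, process names, file paths and thresholds are assumptions made for this illustration; real telemetry would come from an EDR agent or file-audit logging.

```python
"""
Added example (not from the presentation): flag ransomware-like behaviour
in a constructed file-activity log. The indicators match the slide's
description: a burst of files rewritten with a new extension by one process
in a short window, with contents that look encrypted (high byte entropy).

The log format, process names and thresholds below are assumptions for
illustration; real telemetry would come from an EDR or file-audit source.
"""
import hashlib
import math
from collections import defaultdict

# Detection thresholds (assumed; tune to your environment).
WINDOW_SECONDS = 60      # burst must happen within this many seconds
MIN_FILES = 20           # and touch at least this many files
ENTROPY_THRESHOLD = 7.0  # bits/byte; plain text sits around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pseudo_ciphertext(seed: str, size: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted content (SHA-256 chain)."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def detect_ransomware_bursts(events):
    """
    events: iterable of dicts with keys
        ts (int seconds), process (str), path (str), new_path (str), content (bytes)
    Returns a list of (process, extension, file_count) for each burst that
    renames >= MIN_FILES files to the same new extension within WINDOW_SECONDS
    and writes high-entropy content.
    """
    by_key = defaultdict(list)
    for ev in events:
        new_ext = ev["new_path"].rsplit(".", 1)[-1].lower()
        old_ext = ev["path"].rsplit(".", 1)[-1].lower()
        if new_ext == old_ext:
            continue  # ordinary in-place edit, not a rename to a new type
        if shannon_entropy(ev["content"]) < ENTROPY_THRESHOLD:
            continue  # contents still look like plain data
        by_key[(ev["process"], new_ext)].append(ev["ts"])

    alerts = []
    for (proc, ext), stamps in by_key.items():
        stamps.sort()
        # Sliding window: longest run of timestamps that fit inside WINDOW_SECONDS.
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_FILES:
            alerts.append((proc, ext, best))
    return alerts


def sample_events():
    """Constructed activity log: normal edits plus one encryption burst."""
    events = []
    # Benign: a user saving documents over ten minutes; contents are text.
    for i in range(15):
        events.append({"ts": 1000 + i * 40, "process": "WINWORD.EXE",
                       "path": f"C:/Users/dr/Docs/note{i}.docx",
                       "new_path": f"C:/Users/dr/Docs/note{i}.docx",
                       "content": f"Patient follow-up note {i}. ".encode() * 40})
    # Malicious: 25 files renamed to .locked with ciphertext-like content in 25s.
    for i in range(25):
        events.append({"ts": 2000 + i, "process": "svchost_.exe",
                       "path": f"C:/Shares/Records/chart{i}.pdf",
                       "new_path": f"C:/Shares/Records/chart{i}.pdf.locked",
                       "content": pseudo_ciphertext(f"chart{i}")})
    return events


if __name__ == "__main__":
    for proc, ext, n in detect_ransomware_bursts(sample_events()):
        print(f"ALERT: {proc} renamed {n} files to .{ext} within {WINDOW_SECONDS}s "
              f"with high-entropy contents")
```

Either indicator alone produces false positives (a backup tool also touches many files quickly; a compressed archive also has high entropy), which is why the check requires both together. The thresholds are the first thing to tune against real data.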
Excuses, Excuses…
“We have cyber already covered by our IT department. They say we are fine.”
“We do an annual penetration test. We’re covered.”
“We don’t have a budget for this.”
“We have a robust intrusion detection and effective cyber program we put in place years ago.”
“We don’t have sensitive data so we don’t need a cyber risk management program.”
“Our management and board don’t fully understand or support a cybersecurity program.”
Why you MUST be proactive… NOT reactive!
Information at Risk:
PII (Personally Identifiable Information) and PHI (Protected Health Information)
Personally Identifiable Information of clients/donors/supporters/consumers
– Credit cards, debit cards, payment info
– Social Security numbers, ITINs (Individual Taxpayer Identification Numbers), taxpayer records
– Bank and investment account information
– Protected Health Information (PHI), e.g. medical records, test results
– Driver’s license / passport details
– Non‐PII, like email addresses, phone lists, addresses
Employee Information
– Employers have at least some of the above information on all of their employees
Corporate Confidential Information
– Sub‐contractors and independent contractors
– Information received from commercial clients as a part of commercial transactions or services
– B2B exposures like projections, forecasts, M&A activity, trade secrets, financial statements
Many people think that without credit cards or PHI, they don’t have a data breach risk. However… can you think of any business without any of the above kinds of information?
AICPA SOC for Cybersecurity
Fundamental Tenets of Cybersecurity:
Fact #1: An entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity's cybersecurity controls.
Point: Understanding this tenet is essential to dispelling user misconceptions that an effective cybersecurity risk management program will prevent all security events from occurring.
In other words… It’s not IF. It’s WHEN and HOW BAD?!
Fact #2: There ARE inherent limitations in a cybersecurity risk management program. An entity may achieve reasonable, but not absolute, assurance that security events are prevented. For those not prevented, it helps to proactively make sure events are detected, responded to, mitigated against, and recovered from on a timely basis.
Point: An effective cybersecurity risk management program is one that:
1. enables the entity to detect security events on a timely basis and
2. allows the organization to respond to and recover from such events with minimal disruption to the entity's operations.
How to mitigate your risk and protect your information.
Top 10 IT Security Item “TO DO” List
1. Don’t be tricked into giving away confidential information
a) Don’t respond to emails or phone calls requesting confidential company information.
b) Always keep in mind that bad guys are successful because they are convincing.
c) Recent news stories out of Canada reported scammers were tricking people into giving away information with fake tech support calls claiming to help.
d) Keep on guard and report any suspicious activity to IT.
2. Don’t use an unprotected computer
a) When you access sensitive information – especially from a non‐secure computer – you put the information you’re viewing at risk.
b) Malicious software exists that allows people to easily snoop on what you are doing online when accessing unprotected sites.
c) If you’re unsure if the computer you are using is safe, don’t use it to access corporate or sensitive data.
3. Don’t leave sensitive information lying around the office
a) Don’t leave printouts containing private information on your desk or in an unsecured area. It’s easy for a visitor to glance at your desk and see sensitive documents. (Example: mortgage company.)
b) Keep your desk tidy and documents locked away. Shred them when no longer needed.
c) Do not write out your passwords and “hide” them under your keyboard or put them on a sticky note stuck to your monitor.
4. Lock your computer and mobile when not in use.
a) Always lock your computer (Windows key + L) when you step away, and make sure your company has auto‐lockouts for user devices.
b) Always lock your mobile phone when you’re not using it.
c) Don’t leave either type of device sitting anywhere it could get taken.
Best practice recommendation: put Endpoint Device Management (EDM) and Mobile Device Management (MDM) on any devices that have company information.
5. Stay alert and report suspicious activity
a) Keep in mind, suspicious activity isn’t always obviously suspicious. (Example: vendor onsite to “fix” something. Check credentials.)
b) Train your employees on what to look for and create a culture where they can feel free to voice concerns.
c) A recent news story reported that a supermarket manager, who was randomly befriended by a mysterious woman on Facebook, ended up on a “date” with two men who overpowered him and robbed his store.
d) Always report any suspicious activity to IT. If something goes wrong, the faster it is addressed, the more quickly it can be resolved.
6. Password‐protect and “provision” sensitive files & devices.
a) Always password‐protect sensitive files on your computer, USB flash drive, smartphone, laptop, etc.
b) Use encryption for email, devices, and phones. Have remote wipe capabilities in place.
c) Grant access to sensitive files and information only to the parties who need it.
7. Always have stringent password requirements.
a) Many people use obvious passwords like “password”, their pets’ names, or obvious character sequences on the QWERTY keyboard like “asdfg”.
b) Implement complex user‐password requirements that make it difficult for someone to break in and steal data. Create complexity by including different letter cases, numbers and even punctuation.
c) Use different passwords for different websites and computers. That way if one gets hacked, your other accounts aren’t compromised.
d) Have password expiration dates and limit the ability to recycle passwords.
Note: current U.S. guidance (NIST SP 800‐63B, 2017) no longer recommends forced periodic expiration or mandatory composition rules; it favors long passwords, screening new passwords against lists of known‐breached passwords, and forcing a change only when compromise is suspected. Length and uniqueness matter more than punctuation.
7.1 Password Suggestions (continued)
1. Make it something you can visualize: MyF@v0r!T350nG (myfavoritesong)
2. DO NOT share it with coworkers
3. DO NOT store it in plain text locally or on the internet (a password manager, which encrypts its vault, is the exception)
4. Change it often (according to written company policy)
5. Do not have shared or “admin” accounts with shared password credentials
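A password‑policy check that puts the rules from this slide and the earlier Passwords slides into code, as an added example (not from the presentation). It enforces minimum length and mixed character classes, rejects obvious keyboard runs, refuses reuse of any previous password by comparing salted PBKDF2 hashes, and adds the screen NIST SP 800‑63B recommends: rejecting passwords that appear in a breached‑password list. The breached list, the history store and the thresholds are constructed stand‑ins for illustration; a real deployment would use a full breach corpus and the directory’s own password history.

```python
"""
Added example (not from the presentation): a password-policy check that
enforces the deck's rules (length, mixed character classes, no obvious
keyboard runs, no reuse of previous passwords) and adds the screen NIST
SP 800-63B recommends: rejecting passwords found in a known-breached list.
The breached list and the history store here are tiny constructed stand-ins.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12                      # assumed policy value
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Constructed stand-in for a breached-password list (real lists have millions).
BREACHED = {"password", "password1", "letmein", "welcome1", "summer2018"}
PBKDF2_ROUNDS = 100_000


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if `pw` contains `run` consecutive keys from one keyboard row (either direction)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def hash_for_history(pw: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen history file cannot be trivially brute-forced."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(pw: str, history) -> bool:
    """history: list of (salt, digest) pairs for previous passwords."""
    return any(hmac.compare_digest(hash_for_history(pw, salt), digest)
               for salt, digest in history)


def check_password(pw: str, history=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, punctuation")
    if pw.lower() in BREACHED:
        problems.append("appears in a known-breached password list")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard sequence such as 'asdf' or '1234'")
    if was_used_before(pw, history):
        problems.append("was used before; do not recycle passwords")
    return problems


def remember(pw: str, history) -> None:
    """Append a fresh salted hash of `pw` to `history` so later reuse is caught."""
    salt = os.urandom(16)
    history.append((salt, hash_for_history(pw, salt)))


if __name__ == "__main__":
    history = []
    remember("MyF@v0r!T350nG", history)  # the deck's example, now the user's current password
    for candidate in ("password", "asdfg12345", "MyF@v0r!T350nG", "Tr1cky-Wicket-Lantern"):
        verdict = check_password(candidate, history) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The history is stored as salted slow hashes rather than the passwords themselves, so the reuse check never needs old passwords in the clear; the cost is one PBKDF2 computation per stored entry at change time, which is acceptable for a handful of entries.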
8. Be cautious of suspicious emails and links.
a) Company emails are valuable to attackers. They allow them to fake emails from “real” people. Do not publish email addresses on your website or make them readily available.
b) Always delete suspicious emails and be wary of emails from people you don’t know. Never click the links before verifying the sender.
c) Opening these emails or clicking on links in them can compromise your computer without you even knowing. Hackers can “sit” in your system for YEARS prior to ever instigating an event.
d) Always hover over the sender’s name to verify the address looks correct prior to opening and / or responding.
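Automated versions of the manual checks from the “Phishing attempts” slide and item 8 above (forged sender address, disguised hyperlinks, scare‑tactic subject line, hovering to verify the real address), as an added example that is not part of the presentation. It parses one e‑mail with Python’s standard `email` and `html.parser` modules and reports each suspicious trait it finds. The sample message, brands and hosts are constructed (`.example` domains and an address from the 203.0.113.0/24 documentation range); the urgency word list is an assumption.

```python
"""
Added example (not from the presentation): automated versions of the manual
phishing checks the deck recommends, run over a constructed e-mail. It
inspects the items the slides list: the sender's real address versus the
name shown, a Reply-To that goes elsewhere, a scare-tactic subject line, and
hyperlinks whose visible text does not match where they really point.
The message, brands and hosts below are made up (.example domains and the
203.0.113.0/24 documentation range).
"""
import email
import email.policy
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# A host name (optionally with scheme and www.) appearing anywhere in link text.
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
URGENCY_WORDS = ("urgent", "immediately", "suspended", "overdue", "verify now", "final notice")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize_host(host):
    """Lower-case and drop a leading 'www.' so text and href hosts compare fairly."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_ip_literal(host) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_message: str):
    """Return (code, detail) pairs for each suspicious trait found in the message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []

    # "Hover over the sender's name": does the name shown carry a different address?
    sender = msg["From"].addresses[0]
    shown = ADDR_RE.search(sender.display_name)
    if shown and shown.group(0).lower() != sender.addr_spec.lower():
        findings.append(("display-name-mismatch",
                         f"name shows {shown.group(0)} but mail is from {sender.addr_spec}"))

    # Replies silently routed to another domain.
    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            findings.append(("reply-to-mismatch",
                             f"replies go to {reply.addr_spec}, not {sender.addr_spec}"))

    # Deceptive subject line: pressure to act now.
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(("urgent-subject", f"pressure language in subject: {msg['Subject']}"))

    # Disguised hyperlinks: visible text names one host, href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real_host = normalize_host(urlsplit(href).hostname)
            if is_ip_literal(real_host):
                findings.append(("ip-link", f"link points at a bare IP address: {href}"))
            m = HOST_IN_TEXT_RE.search(text)
            if m and normalize_host(m.group(1)) != real_host:
                findings.append(("disguised-link",
                                 f"text says {m.group(1)} but href goes to {real_host}"))
    return findings


# Constructed sample: a "wireless bill" notice that really comes from a freight company.
SAMPLE_EMAIL = """\
From: "Acme Wireless Billing - billing@acme-wireless.example" <noreply@fast-freight-lines.example>
Reply-To: collections@mail-relay.example
To: frontdesk@dental-practice.example
Subject: URGENT: Your wireless bill is overdue - account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is ready. Please <a href="http://203.0.113.10/verify">log in at
https://www.acme-wireless.example/billing</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.acme-wireless.example/help">acme-wireless.example/help</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"[{code}] {detail}")
```

None of these indicators proves a message is malicious on its own (marketing platforms legitimately set a different Reply-To, for instance), so a mail gateway would score them rather than block on any single one; the value of the script is that it applies the same checks the slide asks each reader to make by eye, on every message.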
9. Don’t plug in personal devices without the OK from IT.
a) Don’t plug in personal devices such as USB drives and smartphones without permission from IT. Even a brand new device can be infected with a nasty virus.
b) Devices can be compromised with code waiting to launch as soon as you plug them into a computer.
c) Talk to your IT resource about your devices and let them make the call.
10. Don’t install unauthorized programs on your work computer.
a) Malicious applications often pose as legitimate programs, tools, or even antivirus software.
b) They aim to fool you into infecting your computer or network.
c) If you like an application or think it will aid your productivity, have IT look into it for you first.
Assessment of Risk
Risk Management is a process, not a destination!
‐ A process, ongoing and flowing through an entity
‐ Affected by people at every level of an organization
‐ Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
‐ Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
‐ Able to provide reasonable assurance to an entity’s management and board of directors
QUESTIONS?
Amy M. Williams
205-460-3983
Demystifying Cybersecurity