
7/22/2019

1

Cybersecurity Response Program: What to Expect When You Are Expecting (a Breach)

July 23, 2019

To Receive CPE Credits

• Individuals
  • Participate in entire webinar
  • Answer polls when they are provided

• Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader sign bottom of form
  • Submit group attendance form to [email protected] within 24 hours of webinar

• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar


Presenters

Johnny Sanders, CISA – Managing Consultant, BKD – [email protected]

Cy Sturdivant, CISA – Senior Managing Consultant, BKD – [email protected]

Agenda

• Why are we here?
• Prevention strategies
  • Prepare to prevent breaches
  • Training your employees – your human firewalls
  • Monitoring requirements
• Incident response
  • Team selection
  • Response plan
  • Performing exercises
• Conclusion/questions


Latest Statistics Show Fewer Breaches

REPORTED BREACHES BY YEAR

Year   Reported breaches
2007   446
2008   656
2009   498
2010   662
2011   421
2012   471
2013   614
2014   783
2015   780
2016   1091
2017   1632
2018   1244

Banking Statistics

• 2017: 134 breaches reported, 3,230,308 exposed records
• 2018: 135 breaches reported, 1,709,013 exposed records

Source: https://www.idtheftcenter.org/2018-data-breaches/


Breaches Are Costing More & More

• Average total cost of a data breach: $3.86 million (up from $3.62 million)
• Average cost per lost or stolen record: $148 (2017 was $141)
• Likelihood of a recurring breach within two years: 27.9% (27.7% last year)
• Mean time to identify a breach: 197 days
• Mean time to contain: 69 days
• Companies that contained a breach in less than 30 days saved more than $1 million vs. those that took more than 30 days to resolve

Source: Ponemon Institute 2018 Cost of Data Breach Study

Financial Services, You’re Still Number 1!

“Financial services tops the targeted industry charts for the second year in a row. Financial services experienced the highest volume of security incidents & the third-highest volume of cyberattacks”


Don’t Equate “Small” with “Safe”

• Despite significant cybersecurity exposures, 85% of small business owners believe their company is safe from hackers, viruses, malware or a data breach
• Symantec’s study found that 40% of attacks are against organizations with fewer than 500 employees
• More than 60% of breaches take place at companies with fewer than 1,000 people

Prevention Strategies


What if Cyber-Related Breaches Were an Epidemic?

WannaCry ransomware attack: 300,000 infections, 150 countries, 48 hours

• WannaCry ransomware attacked through a vulnerability that Microsoft had discovered & issued a security patch for about two months earlier
• Hackers were counting on organizations being slow to apply the security patches
• Protecting your company against malware attacks requires you to consistently & proactively protect yourself

An Ounce of Prevention …

• There are a number of general controls that are helpful in reducing the likelihood of some types of cybersecurity attacks, such as
  • Strong patch management
  • Segmenting critical systems
  • Adequate user training
  • Maintain appropriate IT asset inventories
  • Application & access controls
  • Technical monitoring tools
  • Multifactor authentication
  • Limit local administrator privileges
  • Strong incident response programs


Prevention – Frequent Testing

• Vulnerability assessments – comprehensive assessment that checks for
  • Missing patches or updates
  • Default settings & passwords
  • Vulnerable systems
• Internal/external penetration testing – assessment that replicates a hacker to identify
  • Vulnerable systems
  • Exploits vulnerabilities
  • Security warnings
  • Test intrusion prevention systems
• Social engineering assessment – tests your people using various human techniques
  • Phishing, pretext calling, on-site visits, etc.
• IT general control review – looks for gaps in control environment
  • Verifies you are following your GLBA standards, FFIEC guidelines, etc.
  • Helps ensure ISP is adequate to meet regulatory requirements & implements industry best practices

Prevent by Training


Prevention: Training & Preparation

• People & software will always have vulnerabilities, so what are you doing to mitigate these risks?
• Take control of what is within your control. You are not in control of hackers, their methods or schedules, but you are in control of risk-reducing actions within your organization
• Two major aspects of prevention that you are in control of: training & preparation
• Most incidents & breaches result from lack of one or both of these

Prevention: Training

Investing in your most vulnerable firewalls – your human firewalls

All too often, businesses concentrate on securing the network perimeter with firewalls, IDS/IPS devices & then feel confident their institution is protected

Most breaches are the result of compromising people first; 85–90% of all breaches & incidents relate to human error. Most are the result of phishing campaigns

Note: it is important & necessary to deploy technical solutions to detect & prevent malicious activity from installing on a network, but cybersecurity training must be the priority


Prevention: Training

If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training is not effective

• The threat landscape is changing daily
• Cybercriminals change their tactics & develop new methods of attack
• If your security program does not address evolving methods through refresher training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data & the integrity of your network

Prevent by Monitoring


Prevention by Monitoring

It is not until you are attacked that you realize the value of effective logging

According to a 2018 SANS Incident Response Survey, 32% of respondents were unsure of how many incidents they had not responded to

Monitoring

• In an organization, thousands of possible signs or incidents may occur each day, recorded mainly by logging
  • A precursor – a sign that an incident may occur in the future
  • An indicator – a sign that an incident may have occurred or be occurring now
• The main challenges facing organizations often deal with monitoring the relevant events on their systems & networks for signs of a cybersecurity attack
• Organizations often collect a lot of data, but do not have the resources, technical skills or awareness to analyze data effectively
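The precursor/indicator distinction above is easiest to see on real log lines. The following Python script is an added example, not material from the webinar or from BKD: it reads a small auth log and a small web access log, both constructed here for illustration (addresses, user names, paths and thresholds are all made up), and reports a precursor (one source probing for pages that do not exist) separately from an indicator (a burst of failed logins followed by a success from the same source).

```python
"""Sort constructed log events into precursors and indicators.

Added example (not from the webinar or BKD). The log lines, addresses,
user names, paths and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth log: a burst of failed logins for one account from one
# source, then a success from the same source; then an unrelated login.
AUTH_LOG = """\
2019-07-22T09:00:01 sshd: Failed password for alice from 203.0.113.7
2019-07-22T09:00:03 sshd: Failed password for alice from 203.0.113.7
2019-07-22T09:00:05 sshd: Failed password for alice from 203.0.113.7
2019-07-22T09:00:07 sshd: Failed password for alice from 203.0.113.7
2019-07-22T09:00:09 sshd: Failed password for alice from 203.0.113.7
2019-07-22T09:00:12 sshd: Accepted password for alice from 203.0.113.7
2019-07-22T09:15:00 sshd: Accepted password for bob from 198.51.100.4
"""

# Constructed web access log: normal traffic plus one source requesting
# pages that do not exist (reconnaissance, i.e. a possible precursor).
WEB_LOG = """\
198.51.100.23 - - [22/Jul/2019:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.9 - - [22/Jul/2019:09:31:00 +0000] "GET /admin/ HTTP/1.1" 404 "ExampleScanner/1.0"
203.0.113.9 - - [22/Jul/2019:09:31:01 +0000] "GET /backup/ HTTP/1.1" 404 "ExampleScanner/1.0"
203.0.113.9 - - [22/Jul/2019:09:31:02 +0000] "GET /config/ HTTP/1.1" 404 "ExampleScanner/1.0"
"""

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_auth(text):
    """Return (timestamp, outcome, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def parse_web(text):
    """Return (timestamp, src, path, status) tuples from combined-format access log lines."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            src, ts, _method, path, status = m.groups()
            events.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), src, path, int(status)))
    return events


def find_indicators(auth_events, threshold=5, window_s=300):
    """Indicator: >= threshold failed logins for one (user, src) pair followed by a
    success from that pair within window_s seconds, i.e. a likely brute-force success."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ts, outcome, user, src in sorted(auth_events):
        key = (user, src)
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            findings.append({"kind": "indicator", "src": src, "user": user,
                             "detail": f"success after {len(recent)} failures within {window_s}s"})
        failures[key].clear()  # a success resets the failure run for this pair
    return findings


def find_precursors(web_events, threshold=3, window_s=300):
    """Precursor: one source producing >= threshold 404 responses within window_s
    seconds (probing for pages that do not exist). Reported once per source."""
    findings = []
    misses = defaultdict(list)  # src -> [(timestamp, path)] of recent 404s
    flagged = set()
    for ts, src, path, status in sorted(web_events):
        if status != 404:
            continue
        recent = [(t, p) for t, p in misses[src] if (ts - t).total_seconds() <= window_s]
        recent.append((ts, path))
        misses[src] = recent
        if len(recent) >= threshold and src not in flagged:
            flagged.add(src)
            findings.append({"kind": "precursor", "src": src, "user": None,
                             "detail": f"{len(recent)} not-found responses within {window_s}s: "
                                       + ", ".join(p for _, p in recent)})
    return findings


def triage(auth_text, web_text):
    """Precursors first (things to watch), then indicators (things to respond to)."""
    return find_precursors(parse_web(web_text)) + find_indicators(parse_auth(auth_text))


if __name__ == "__main__":
    for finding in triage(AUTH_LOG, WEB_LOG):
        print(finding)
```

The two thresholds are the part an organization has to tune to its own traffic; the point of separating precursors from indicators is that the former go to a watch list while the latter invoke the response plan.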


Incident Response Plan

Incident Response


Incident Response

• 136,570,000 housing units in the US
• 1,319,000 house fires
• 0.966%

• 27,000,000 businesses in the US
• 350,000 cyber-related incidents reported (many more not reported)
• 1.3% – this includes only business-related incidents, doesn’t include all of the private incidents


THE END

Is This Your Plan?

Incident Response Plan – Where to Start?

1. Start with creating a strong incident response team. Coordinate efforts between your institution’s various departments or roles to determine the team members. This process should include the CEO, CISO, the head of IT, legal personnel, human resources & the head of communications
2. Select a leader for the incident response team & identify the members of the senior management team who can declare an incident. Typically the CISO
3. Outline a structure of internal reporting to help ensure executives & everyone on the response team is up to date & on track during a data breach
4. Clearly define steps, timelines & checklists to keep the team focused during the stress of a data breach
5. Conduct preparedness exercises for the incident response team


Incident Response Plan – Minimum Requirements

1. How to address potential damage & limit loss of resources
2. Whether evidence needs to be preserved
3. Criteria for when special forensics may be required
   • Digital evidence forensics is a very specialized activity
   • Organizations usually outsource this function to specialized forensics labs
4. How service availability is affected, such as network connectivity or services provided to external parties
5. Assessment of the time & resources needed to implement the response strategy
6. How to measure the effectiveness of the strategy, i.e., whether it partially or fully contains the incident
7. How long remediation solutions are intended to last, e.g., an emergency workaround might need to be removed after some period of time, or a solution might be permanent

Incident Response Plan – Steps Before, During & After

1. Triage/evaluate the cyber event – ensure employees understand how to detect an attack (review FDIC Cyber Challenge Videos)
2. Invoke the incident response plan accordingly
3. Use a quick checklist (first 24 hours)
4. Inform proper authorities (local PD, FBI, FS-ISAC, FDIC, TDFI, etc.)
5. Inform customers if applicable
6. Determine if losses are recoverable – consult legal counsel & review insurance coverage, conformance to internal policies, customer contracts & vendor contracts
7. Evaluate cyber insurance coverage, restrictions, exclusions, etc.
8. Determine lessons learned & procedural changes going forward


Why Plans Fail – React or Respond?

As soon as a cyberattack has been discovered, the clock starts ticking & emotions run high. Often, we see well-thought-out & well-structured plans “on paper” turn into mass confusion, slowing the process & increasing the response time

Many banks have response plans in place, but very few actually practice breach simulations or exercises. Organizations that fail to respond to a cybersecurity incident, particularly a serious cybersecurity attack, are typically lacking in terms of
• People
• Process
• Technology
• Information

Incident Response Playbooks

• Generally, most incidents fall under one of these categories
  • Phishing & spear phishing attacks
  • Business email compromise
  • Malware/destructive malware (including ransomware)
  • Improper usage (or unauthorized access)
  • Distributed denial of service (DDoS) attack
  • Man-in-the-middle attacks (session hijacking, IP spoofing, etc.)
  • SQL injection attacks
• You must make sure your plan includes specific checklists/playbooks for each major threat!


Incident Response Team – Training & Preparation

• To deal with cybersecurity incidents effectively, many organizations will need to be able to integrate their response strategy far more widely across the organization, not just through the IT department
• IT should be trained & prepared for incident response, but bank staff, the users of this technology, should have plans in place to continue operations, be it paper, standalone hardware & software designed for these events, etc.
• All business areas must be included in response planning & training!


Conclusion


Post-Breach

The Cybersecurity Bill

Before or after the breach ...

The cybersecurity bill will be paid


Resources

• FFIEC Cybersecurity Awareness – http://www.ffiec.gov/cybersecurity.htm
• Bank Info Security – http://www.bankinfosecurity.com/
• Financial Services Information Sharing & Analysis Center (FS-ISAC) – http://www.fsisac.com/
• CISA – https://www.us-cert.gov/
• The Top Cyber Threat Intelligence Feeds – thecyberthreat.com/cyber-threat-intelligence-feeds/

Questions?


CONTINUING PROFESSIONAL EDUCATION (CPE) CREDIT

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

CPE Credit

• CPE credit may be awarded upon verification of participant attendance

• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]


bkd.com | @BKDCyber


Thank You!