TRANSCRIPT
7/22/2019
1
Cybersecurity Response Program: What to Expect When You Are Expecting (a Breach)
July 23, 2019
To Receive CPE Credits
• Individuals
  • Participate in entire webinar
  • Answer polls when they are provided
• Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader signs bottom of form
  • Submit group attendance form to [email protected] within 24 hours of webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar
Presenters
• Johnny Sanders, CISA – Managing Consultant, BKD – [email protected]
• Cy Sturdivant, CISA – Senior Managing Consultant, BKD – [email protected]
Agenda
• Why are we here?
• Prevention strategies
  • Prepare to prevent breaches
  • Training your employees – your human firewalls
  • Monitoring requirements
• Incident response
  • Team selection
  • Response plan
  • Performing exercises
• Conclusion/questions
Latest Statistics Show Fewer Breaches
REPORTED BREACHES BY YEAR
Year   Reported breaches
2007     446
2008     656
2009     498
2010     662
2011     421
2012     471
2013     614
2014     783
2015     780
2016   1,091
2017   1,632
2018   1,244
Banking Statistics
• 2017: 134 breaches reported, 3,230,308 exposed records
• 2018: 135 breaches reported, 1,709,013 exposed records
Source: https://www.idtheftcenter.org/2018-data-breaches/
Breaches Are Costing More & More
• Average total cost of a data breach: $3.86 million (up from $3.62 million in 2017)
• Average cost per lost or stolen record: $148 (2017 was $141)
• Likelihood of a recurring breach within two years: 27.9% (27.7% last year)
• Mean time to identify a breach: 197 days
• Mean time to contain: 69 days
• Companies that contained a breach in less than 30 days saved more than $1 million vs. those that took more than 30 days to resolve
Source: Ponemon Institute 2018 Cost of Data Breach Study
Financial Services, You’re Still Number 1!
“Financial services tops the targeted industry charts for the second year in a row. Financial services experienced the highest volume of security incidents & the third-highest volume of cyberattacks”
Don’t Equate “Small” with “Safe”
• Despite significant cybersecurity exposures, 85% of small business owners believe their company is safe from hackers, viruses, malware or a data breach
• Symantec’s study found that 40% of attacks are against organizations with fewer than 500 employees
• More than 60% of breaches take place at companies with fewer than 1,000 people
Prevention Strategies
An Ounce of Prevention …
What if Cyber-Related Breaches Were an Epidemic?
WannaCry ransomware attack: 300,000 infections, 150 countries, 48 hours
• WannaCry spread through a vulnerability in Windows’ SMBv1 service that Microsoft had issued a security patch for (MS17-010) about two months earlier
• The attackers were counting on organizations being slow to apply the security patch
• Protecting your company against malware attacks requires you to consistently & proactively protect yourself
• There are a number of general controls that are helpful in reducing the likelihood of some types of cybersecurity attacks, such as
  • Strong patch management
  • Segmenting critical systems
  • Adequate user training
  • Maintaining appropriate IT asset inventories
  • Application & access controls
  • Technical monitoring tools
  • Multifactor authentication
  • Limiting local administrator privileges
  • Strong incident response programs
Prevention – Frequent Testing
• Vulnerability assessments – comprehensive assessment that checks for
  • Missing patches or updates
  • Default settings & passwords
  • Vulnerable systems
• Internal/external penetration testing – assessment that replicates a hacker’s approach to
  • Identify vulnerable systems
  • Exploit vulnerabilities
  • Check whether security warnings (alerts) are raised
  • Test intrusion prevention systems
• Social engineering assessment – tests your people using various human techniques
  • Phishing, pretext calling, on-site visits, etc.
• IT general control review – looks for gaps in the control environment
  • Verifies you are following your GLBA standards, FFIEC guidelines, etc.
  • Helps ensure the information security program (ISP) is adequate to meet regulatory requirements & implements industry best practices
Prevent by Training
Prevention: Training & Preparation
• People & software will always have vulnerabilities, so what are you doing to mitigate these risks?
• Take control of what is within your control. You are not in control of hackers, their methods or schedules, but you are in control of risk-reducing actions within your organization
• Two major aspects of prevention that you are in control of: training & preparation
• Most incidents & breaches result from a lack of one or both of these
Prevention: Training
Investing in your most vulnerable firewalls – your human firewalls
• All too often, businesses concentrate on securing the network perimeter with firewalls & IDS/IPS devices & then feel confident their institution is protected
• Most breaches are the result of compromising people first; 85–90% of all breaches & incidents relate to human error. Most are the result of phishing campaigns
• Note: it is important & necessary to deploy technical solutions to detect & prevent malicious activity from installing on a network, but cybersecurity training must be the priority
Prevention: Training
If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training is not effective
• The threat landscape is changing daily
• Cybercriminals change their tactics & develop new methods of attack
• If your security program does not address evolving methods through refresher training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data & the integrity of your network
Prevent by Monitoring
Prevention by Monitoring
It is not until you are attacked that you realize the value of effective logging
According to the 2018 SANS Incident Response Survey, 32% of respondents were unsure of how many incidents they had not responded to
Monitoring
• In an organization, thousands of possible signs of incidents may occur each day, recorded mainly by logging
  • A precursor – a sign that an incident may occur in the future
  • An indicator – a sign that an incident may have occurred or be occurring now
• The main challenge facing organizations is often monitoring the relevant events on their systems & networks for signs of a cybersecurity attack
• Organizations often collect a lot of data, but do not have the resources, technical skills or awareness to analyze that data effectively
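The precursor/indicator distinction above only pays off if something actually reads the logs. The following is an added example (not from the BKD slides) of the simplest possible detection pass over SSH authentication logs: a burst of failed logins from one source is treated as a precursor, and a later successful login from that same source as an indicator of a probable brute-force compromise. The log lines, host name, user names and the failure threshold are all constructed for the illustration.

```python
"""Precursor vs. indicator triage over sshd-style authentication log lines.

Added example, not code from the BKD webinar. The SAMPLE_LOG lines, host
name and user names are constructed; FAILURE_THRESHOLD is an assumed tuning
value, not a recommendation from the slides.
"""
import re
from collections import defaultdict

# Constructed sample log in syslog/sshd format (not real data).
SAMPLE_LOG = """\
Jul 22 09:01:10 bank-jump sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jul 22 09:01:12 bank-jump sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jul 22 09:01:14 bank-jump sshd[4121]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jul 22 09:01:16 bank-jump sshd[4121]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jul 22 09:01:18 bank-jump sshd[4121]: Failed password for jsanders from 203.0.113.7 port 51004 ssh2
Jul 22 09:01:20 bank-jump sshd[4121]: Accepted password for jsanders from 203.0.113.7 port 51005 ssh2
Jul 22 09:15:02 bank-jump sshd[4388]: Failed password for csturdivant from 198.51.100.9 port 40211 ssh2
Jul 22 09:15:30 bank-jump sshd[4388]: Accepted password for csturdivant from 198.51.100.9 port 40212 ssh2
Jul 22 10:02:45 bank-jump sshd[4502]: Accepted publickey for deploy from 192.0.2.25 port 33010 ssh2
"""

# One regex covers both the "Failed" and "Accepted" forms of the sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAILURE_THRESHOLD = 4  # assumption: 4+ failures from one source is worth a precursor


def parse(log_text):
    """Return a list of dicts (ts, result, method, user, src) for lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(log_text, threshold=FAILURE_THRESHOLD):
    """Split events into precursors and indicators.

    precursor: a source address that reaches `threshold` failed logins
    indicator: a successful login from a source that already is a precursor
    A single failed login followed by success (a mistyped password) raises nothing.
    """
    failures = defaultdict(int)
    precursors, indicators = [], []
    for ev in parse(log_text):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] == threshold:  # report once, when the threshold is crossed
                precursors.append({"src": src, "failures": threshold, "at": ev["ts"]})
        elif failures[src] >= threshold:
            indicators.append(
                {"src": src, "user": ev["user"], "method": ev["method"], "at": ev["ts"]}
            )
    return {"precursors": precursors, "indicators": indicators}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the constructed log this reports one precursor (203.0.113.7 after its fourth failure) and one indicator (the later successful password login for jsanders from that same address), while the single failure from 198.51.100.9 is ignored. In production the same logic would run continuously against a SIEM or log pipeline, and the indicator is what should invoke the incident response plan.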
Incident Response
• 136,570,000 housing units in the US; 1,319,000 house fires; 0.966%
• 27,000,000 businesses in the US; 350,000 cyber-related incidents reported (many more not reported); 1.3% – this includes only business-related incidents, and doesn’t include all of the private incidents
THE END
Is This Your Plan?
Incident Response Plan – Where to Start?
1. Start with creating a strong incident response team. Coordinate efforts between your institution’s various departments or roles to determine the team members. This process should include the CEO, CISO, the head of IT, legal personnel, human resources & the head of communications
2. Select a leader for the incident response team (typically the CISO) & identify the members of the senior management team who can declare an incident
3. Outline a structure of internal reporting to help ensure executives & everyone on the response team are up to date & on track during a data breach
4. Clearly define steps, timelines & checklists to keep the team focused during the stress of a data breach
5. Conduct preparedness exercises for the incident response team
Incident Response Plan – Minimum Requirements
1. How to address potential damage & limit loss of resources
2. Whether evidence needs to be preserved
3. Criteria for when specialist forensics may be required
  • Digital evidence forensics is a very specialized activity
  • Organizations usually outsource this function to specialized forensics labs
4. How service availability is affected, such as network connectivity or services provided to external parties
5. Assessment of the time & resources needed to implement the response strategy
6. How to measure the effectiveness of the strategy, i.e., whether it partially or fully contains the incident
7. How long remediation solutions are intended to last, e.g., an emergency workaround might need to be removed after some period of time, or a solution might be permanent
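Items 2 and 3 above (preserving evidence, and handing it to an outside forensics lab) both depend on the responders being able to show that what they collected has not changed since collection. The following is an added example, not part of the BKD slides, of the minimum that achieves that: hash each collected artefact, record who collected it and when in a manifest, and re-check the hashes before handing the material over. The file names, contents and the "on-call responder" name are constructed for the demonstration; a real collection would point at the actual logs, images and mail headers gathered during the first 24 hours.

```python
"""Evidence preservation helper: SHA-256 manifest plus later verification.

Added example, not code from the BKD webinar. The evidence files written by
demo() are constructed stand-ins for real artefacts; the collector name and
paths are assumptions for the illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large disk/memory images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record who collected what, when (UTC), and the size and SHA-256 of each item."""
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest):
    """Return the paths whose file is missing or whose hash no longer matches."""
    return [
        item["path"]
        for item in manifest["items"]
        if not os.path.exists(item["path"]) or sha256_file(item["path"]) != item["sha256"]
    ]


def demo():
    """Create constructed evidence files, manifest them, then show that tampering is caught."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    auth_log = os.path.join(workdir, "auth.log")
    mail_hdr = os.path.join(workdir, "phish-headers.txt")
    # Constructed artefacts, not real data.
    with open(auth_log, "w") as f:
        f.write("Jul 22 09:01:20 bank-jump sshd[4121]: Accepted password for jsanders "
                "from 203.0.113.7 port 51005 ssh2\n")
    with open(mail_hdr, "w") as f:
        f.write("Received: from mail.example.net (198.51.100.9)\nSubject: Urgent wire request\n")

    manifest = build_manifest([auth_log, mail_hdr], collector="on-call responder")
    manifest_path = os.path.join(workdir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)

    clean = verify_manifest(manifest)          # nothing changed yet -> []
    with open(auth_log, "a") as f:             # simulate a later (accidental or not) edit
        f.write("Jul 22 09:30:00 bank-jump sshd[4121]: session closed\n")
    tampered = verify_manifest(manifest)       # -> [auth.log]
    return {
        "manifest": manifest_path,
        "clean": clean,
        "tampered": [os.path.basename(p) for p in tampered],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should be stored (and ideally signed or printed) separately from the evidence, and the originals should be worked on only as copies; the hash check is what lets a forensics lab, insurer or regulator accept that the material they receive is what was collected.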
Incident Response Plan – Steps Before, During & After
1. Triage/evaluate the cyber event – ensure employees understand how to detect an attack (review FDIC Cyber Challenge Videos)
2. Invoke the incident response plan accordingly
3. Use a quick checklist (first 24 hours)
4. Inform proper authorities (local PD, FBI, FS-ISAC, FDIC, TDFI, etc.)
5. Inform customers if applicable
6. Determine if losses are recoverable – consult legal counsel & review insurance coverage, conformance to internal policies, customer contracts & vendor contracts
7. Evaluate cyber insurance coverage, restrictions, exclusions, etc.
8. Determine lessons learned & procedural changes going forward
Why Plans Fail – React or Respond?
As soon as a cyberattack has been discovered, the clock starts ticking & emotions run high. Often, we see well-thought-out & well-structured plans “on paper” turn into mass confusion, slowing the process & increasing the response time
Many banks have response plans in place, but very few actually practice breach simulations or exercises. Failed responses to a cybersecurity incident, particularly a serious cybersecurity attack, are typically lacking in terms of
• People
• Process
• Technology
• Information
Incident Response Playbooks
• Generally, most incidents fall under one of these categories
  • Phishing & spear phishing attacks
  • Business email compromise
  • Malware/destructive malware (including ransomware)
  • Improper usage (or unauthorized access)
  • Distributed denial of service (DDoS) attack
  • Man-in-the-middle attacks (session hijacking, IP spoofing, etc.)
  • SQL injection attacks
• You must make sure your plan includes specific checklists/playbooks for each major threat!
Incident Response Team – Training & Preparation
• To deal with cybersecurity incidents effectively, many organizations will need to integrate their response strategy far more widely across the organization, not just through the IT department
• IT should be trained & prepared for incident response, but bank staff, the users of this technology, should have plans in place to continue operations, be it on paper, on standalone hardware & software designed for these events, etc.
• All business areas must be included in response planning & training!
Post-Breach
The Cybersecurity Bill
Before or after the breach ...
The cybersecurity bill will be paid
Resources
• FFIEC Cybersecurity Awareness – http://www.ffiec.gov/cybersecurity.htm
• Bank Info Security – http://www.bankinfosecurity.com/
• Financial Services Information Sharing & Analysis Center (FS-ISAC) – http://www.fsisac.com/
• CISA – https://www.us-cert.gov/
• The Top Cyber Threat Intelligence Feeds – thecyberthreat.com/cyber-threat-intelligence-feeds/
Questions?
CONTINUING PROFESSIONAL EDUCATION (CPE) CREDIT
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered
CPE Credit
• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]
bkd.com | @BKDCyber
Thank You!