1 / 38

Managing Cybersecurity Risks for Non-Profits

Managing Cybersecurity Risks for Non-Profits. Jeff Olejnik, Partner Risk Advisory Services. Agenda. Cybersecurity Threat Landscape Business Risks Top Hacker “Attack” Techniques 12 Tips to Protect Your Organization Tools and Resources Q&A. Wipfli Cybersecurity Practice.

stasia
Download Presentation

Managing Cybersecurity Risks for Non-Profits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Managing Cybersecurity Risks for Non-Profits Jeff Olejnik, Partner Risk Advisory Services

  2. Agenda • Cybersecurity Threat Landscape • Business Risks • Top Hacker “Attack” Techniques • 12 Tips to Protect Your Organization • Tools and Resources • Q&A

  3. Wipfli Cybersecurity Practice Comprehensive Governance,Risk,Compliance, and Testing 3

  4. Notable Data Breaches

  5. Business Has Changed Compliance Outsourcing Mobile apps Big Data BYOD

  6. Cyber Risk Trends • Big business – More highly skilled hackers (cyber gangs/organized crime) who are financially motivated • Cyber crime is currently outpacing traditional crime in the United Kingdom in terms of impact, spurred on by the rapid pace of technology and criminal cyber capability, according to the UK’s National Crime Agency • The bad guys are getting better • Tool kits • Crimeware as a service

  7. Cyber Risk Trends • New platforms create new cyber attack opportunities • The Internet of Things (IoT) • Cars • Smart home devices (e.g., security systems) • Medical devices (e.g., scanners, insulin pumps, implantable defibrillators) • Embedded devices (e.g., webcams, Internet phones, routers)

  8. Casino Fish Tank Hack • Hackers compromise vulnerability in an Internet-enabled tank • Moved laterally to gain access to “high-roller” database • Exfiltrated data to server in Finland

  9. Small Does Not = Safe

  10. Cybersecurity Business Risks Damage to Critical Business Relationships Unauthorized access to client data could be devastating to relationships. Impact of Breach on Growth Strategy A breach that involves your donor database could derail capital campaigns and future giving from loyal donors. Risk to Operations & ServiceOperational stability could be impacted by a cyberattack and impact delivery of service and care. Brand & Reputational Risk Current security posture could be embarrassing to executives and may damage the our brand. Compliance & Regulation Non-compliance with client and prospect cybersecurity requirements would impact ability to compete.

  11. Account Hijacking Mules receive stolen funds and retain percentage Email Received by Victim or Victim Visits a Legitimate Website Attachment contains malware, or malicious script is on website Mules Money Transferred to Fraudulent Companies Cycle Repeats Mules Workstation Compromised Victim is infected with credentials-stealing software, and banking credentials are stolen Stolen Funds Mules Hacker Engages Hacker receives banking credentials, remotes into victim’s computer via a compromised proxy, and logs on to victim’s online banking service Money laundered Money moved offshore

  12. Cyber Risk Trends – Business Email Compromise (BEC) Scams • Attacker targets a senior executive (e.g., CEO, CFO) • Attacker gains access to victim’s email account or uses a “look-alike” domain to send a message tricking an employee to perform a wire transfer • Wire transfers are typically $100,000 or higher • Businesses should adopt two-step or two-factor authentication for email

  13. Cyber Risk Trends – Ransomware Example • Employee opens email • Personal files (and data on shared drives) encrypted • Ransom demand to provide key to decrypt • Ransom demand increases after 72 hours pass Ransomware increased more that 90% in 2017

  14. Cloud Security • Use multi-factor authentication • Use O365 cloud app security • Enable mailbox audit logging • Enforce password complexity • Configure Office 365 ADFS to be “Trusted” or “Closed”

  15. Accounts Payable Change Scam • AP department contacted by fraudster appearing to be client to update ACH payment instructions via email, letter, or telephone. • Out-of-band authentication to verify the legitimacy of request should be in place.

  16. Extortion Hello Jeff Olejnik   I want you to take this letter seriously. I have been thinking for a long period of time whether it's worth writing this letter or not to you and decided that you have the right to know. I will be short. I've got an order to kill you, because your activity causes trouble to a particular person. I studied you for a long period oftime and decided to give you a second chance, despite the specifics of my job, the rules of which don't allow me that, as this will kill my reputation (more 9 years of perfect order executions) in my circles. But i decided to break a rule since this is my last order (hope so).  In general, let's Get down to business. I want you to pay 0.8 Btc. I only accept Bitcoin. Information how to forward you can find in Google. Here are my payment details below:  1JWEzqR3fSoiXaGF22dCXQmr5f3e3A8Zk9  When i'll receive funds I will send you the name of the man order came from, as well as all the evidence i have. You can use this information with the authorities. I would not recommend you to call police, because you have a little time (two days) and the police will not have enough time to investigate this matter. Responding to this letter doesn't make any sense, because i use one-time mailbox, because i care about my anonymity. I'll let you know as soon as i'llgetfunds. I sincerely regret that you became my target.

  17. I know what you’ve been doing online!  I have your password “As you may have noticed, I sent you an email from your account. This means that I have full access to your account: At the time of hacking your account (jolejnik@wipfli.com) had this password: erinXXXXX” I have dirt on you! “At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit.  Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :) Pay me or else! Transfer $838 to my Bitcoin cryptocurrency wallet: 1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3

  18. Recent Events Bluekeep– June 17, 2019 • According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled.[1] After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs.This exploit, which requires no user interaction, must occur before authentication to be successful. • BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.

  19. Recent Events Iranian “wiper” attacks - CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. Iranian regime actors and proxies are increasingly using destructive "wiper" attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network. CISA Director Christopher C. Krebs – June 22, 2019

  20. Rising Costs • The total average cost of a data breach was $3.62 million ($141 per record), down 10% from previous year. The size of data breach increased 1.8% to more than 24,000 records. Source: Ponemon 2017 Cost of Data Breach • Cyber crime will cost businesses over $2 trillion by 2019; 89% of all cyber attacks involve financial or espionage motives. Source: Juniper Research • 32% of companies said they were the victims of cyber crime in 2016. Source: PwC Economic Crime Survey 2016 • Average time attackers stay hidden on network is over 140 days. Source: Microsoft

  21. Protect Your Organization!

  22. CYBERSECURITY FORUM FOR SENIOR EXECUTIVES Tip 1 - Know What You Are Protecting • Customer database • Client personally identifiable information (PII) • Account information • Credit card • Driver’s license • Intellectual property • Business plans • Employee records • Financial information

  23. Tip 2 - Practice Good Security Hygiene • Complex passwords • Firewall, Anti-virus, Anti-malware • Backup data • Patch and update • Limit administrator rights

  24. Tip 3 - Perform Security Assessment or Penetration Test If your password is 123456, you deserve to be hacked.

  25. Tip 4 - Train Your Employees You have to learn the rules of the game, and then you have to play better than everyone else. - Albert Einstein

  26. Tip 5 - Develop and Test Response and Continuity Plans

  27. Tip 6 - Encrypt Whenever Possible In use, at rest and in transit.

  28. Tip 7 - Manage Mobile Devices

  29. Tip 8 - Use Multi-Factor Authentication

  30. Tip 9: Don’t Skip Detection and Response

  31. CYBERSECURITY FORUM FOR SENIOR EXECUTIVES Tip 10 - Prepare to Respond to Client Requests and Compliance Mandates • Security policies • SOC 2 reports • Due diligence package

  32. Tip 11 – Be Proactive with your Board of Directors • Communicate Risk and Strategies • Employee Security Training and Awareness • Prepare for Board Questions • What are our top cybersecurity risks? • How are we managing these risks? • How are employees and customers made aware of their role related to cybersecurity? • Are external and internal threats considered when planning cybersecurity program activities? • How is security governance managed at the company? • In the event of a serious breach, has management developed a robust response protocol? • What cybersecurity insurance is in place, and what does it cover? • Report on Progress

  33. Tip 12 - Review Cybersecurity Insurance

  34. Rapid Cyber Risk Scorecard -Non-intrusive Cyber Risk Scan • Non-intrusive scan • Visibility to cyber risk posture • First step of Cyber Kill Chain • Hacker reconnaissance • Fully automated • Less than 15% false Positive and Negative • 10 Categories • DNS Health • Email Security • Leaked Credentials • IP / Domain Reputation • Digital Footprint • - Fraudulent Domains • - Patch Management • Website Security • Web Ranking • Information Disclosure

  35. Web Vulnerability Databases Social Media Hacktivist Shares DNS Internet-wide Scanners FTP Passive Scan Area No scan in this area SMTP Security Services Leak Sources Public Whois Databases Hacker Sites

  36. Wrap Up and Q&A

  37. Tools and Resources • 30 Tips in 30 Days e-Book– www.Wipfli.com/30tips • Wipfli Cybersecurity - www.wipfli.com/cybersecurity • Weekly Alerts • Monthly e-Newsletters / Blogs • Ransomware: Avoiding a Hostage Situation -https://www.wipfli.com/insights/articles/cons-ransomware-avoiding-a-hostage-situation • Equifax Data Breach – Is Your Identify at Risk? -https://www.wipfli.com/insights/articles/cons-equifax-data-breach-is-your-identity-at-risk • StaySafeOnline.org • Better Business Bureau – Data Security Made Simpler - http://www.bbb.org/data-security/ • FTC Interactive Business Guide For Protecting Data - http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html

  38. Contact Information Jeff Olejnik, Partner Wipfli LLP 952.230.6488 jolejnik@wipfli.com www.linkedin.com/in/jeffolejnik

More Related