Learn about the latest security threats and how to mitigate risks in 2019. Find out key insights from cybersecurity expert Angie Singer Keating. Stay updated and protect your business from cyber attacks.
Top Ten Security Threats 2019 NACA Conference
Speaker Bio – Angie Singer Keating, CEO
Certifications & Affiliations
• Pennsylvania State University – Electrical Engineering Technology
• Certified Information Systems Auditor (CISA) by the Information Systems Audit & Control Association (ISACA)
• Certified Information Security Manager (CISM) by ISACA
• Certified in Risk & Information Systems Control (CRISC) by ISACA
• Certified Information Privacy Professional (CIPP) by the International Association of Privacy Professionals (IAPP)
• President-Elect of the National Association for Information Destruction (NAID) Board of Directors & Certification Committee Chairperson
• Co-Chairperson, NAID Electronic Media Destruction Subcommittee
• Board Member – Ben Franklin Technology Partners - CNP
Past Years in Review
• Ransomware – Sony Pictures, Atlanta, Newark, Baltimore
• Sophisticated Cyber Crime – financial losses targeted at specific industries (retail & healthcare)
• Breach Investigation – 1,367 confirmed breaches, 63,437 incidents
• Construction Industry
  • 2016 – Turner Construction – 6,000 employee records breached
  • 2013 – Target – HVAC contractor's compromised system – 40M-70M customers
Why Do Breaches Occur? (slide figure not reproduced; source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/)
How Do Breaches Occur? (slide figure not reproduced; source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/)
Who Are The Bad Actors? (slide figure not reproduced; source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019/)
What Gets Breached? (slide figure not reproduced; source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019)
Where Is The Attack From? (slide figure not reproduced; source: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2019)
Breach Commonalities
• 96% of attacks were not difficult
• 85% of breaches took weeks to discover
• 92% of incidents were discovered by a 3rd party
• 97% of incidents were avoidable with simple or intermediate controls
Note: stats vary from year to year by single digits
10. Cyber Liability Insurance Coverage
• Many insurers have suffered huge losses
• Policies are including more exclusions
• Policy holders must litigate to attempt to get the coverage they thought they had or may have had previously
• Stricter determinations on misconduct, negligence and reasonable security
• Policy applications and questionnaires are more in-depth
• Terrorism?
• Be sure clients are getting legal counsel review before purchase and prior to each renewal
• Be sure clients are truthful in all aspects of the technology and security incident history portions of applications
• Determine risks relevant to cyber-terrorism and insure accordingly
9. Denial of Service Attacks (DDoS)
• Botnets that flood servers with millions of packets per millisecond
• Makes systems unavailable or can crash the entire internet
• Cloud-based applications are vulnerable
• IoT proliferation will exponentially increase attacks
  • Baby monitors, DVRs, home security, routers – in 2016 the Mirai DDoS attack crippled ISPs and the Internet backbone itself
• Disaster Recovery and Business Continuity Plans must be updated to include DDoS attacks
• Change default passwords on all internet-connected devices
• Always monitor for high bandwidth usage
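The last bullet, "always monitor for high bandwidth usage", is the one control on this slide that turns into running code. The example below is added here and is not from the presentation: it compares each interval's byte count on an uplink against a trailing baseline and flags intervals that are both several standard deviations and several times above it. The per-minute counters are constructed values standing in for what a router's interface counters or flow collector would export.

```python
"""Flag bandwidth spikes of the kind a volumetric DDoS produces.

Added example, not from the slides. SAMPLE_MINUTES is a constructed series of
bytes-per-minute readings from a hypothetical uplink interface.
"""
from statistics import mean, pstdev

# Constructed sample: ten quiet minutes, a two-minute flood, then recovery.
SAMPLE_MINUTES = [
    ("09:00", 52_000_000), ("09:01", 48_500_000), ("09:02", 55_200_000),
    ("09:03", 50_100_000), ("09:04", 49_800_000), ("09:05", 53_400_000),
    ("09:06", 51_000_000), ("09:07", 47_900_000), ("09:08", 54_300_000),
    ("09:09", 50_600_000), ("09:10", 610_000_000), ("09:11", 880_000_000),
    ("09:12", 52_200_000),
]


def find_bandwidth_spikes(samples, window=8, sigma=3.0, min_ratio=4.0):
    """Return (timestamp, bytes, baseline_mean) for intervals far above the trailing window.

    An interval is flagged only when it exceeds BOTH mean + sigma*stddev of the
    trailing window AND min_ratio * mean, so one noisy minute on a very flat
    link does not alert by itself. Flagged intervals are not folded into the
    baseline, so a sustained flood keeps alerting instead of becoming the new
    normal (the classic failure mode of naive moving-average detectors).
    """
    baseline = []  # clean history used for the trailing statistics
    alerts = []
    for ts, value in samples:
        if len(baseline) >= window:
            recent = baseline[-window:]
            mu = mean(recent)
            sd = pstdev(recent)
            if value > mu + sigma * sd and value > min_ratio * mu:
                alerts.append((ts, value, round(mu)))
                continue  # do not let the flood pollute the baseline
        baseline.append(value)
    return alerts


if __name__ == "__main__":
    for ts, value, base in find_bandwidth_spikes(SAMPLE_MINUTES):
        print(f"{ts}: {value:,} bytes/min vs baseline {base:,} bytes/min")
```

The `window` and `min_ratio` knobs are the tuning surface: a small window reacts quickly but alerts on legitimate bursts such as backups, so in practice you would feed it one series per interface and set the thresholds per link.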
8. Ransomware Attacks
• Data or entire hard drives are encrypted by malware (CryptoLocker)
• The encryption key is held by the hacker until the victim pays in Bitcoin
• If the ransom is not paid, data may be lost forever
• Ransom demands may now include infecting other devices (Popcorn Time)
• Disaster Recovery and Business Continuity Plans must be updated to include ransomware attacks
• BACKUP, BACKUP, BACKUP
• Identify mission-critical data and systems and analyze the risk of a ransomware attack
7. Windows 7 Retirement
• No more security patches released after 1/14/20
• No more support for Internet Explorer 7
• Purchase Extended Support until Jan. 2023
• Perform risk analysis
• Budget for a shorter hardware refresh cycle
• Migrate to Microsoft Office 365 – get free Windows 10 Pro licenses (only Win7 Pro)
6. Internal IT Staff or Vendors
• Small and mid-size organizations are most at risk
• 0% unemployment rate for experienced, credentialed security analysts (CISA, CISSP, CISM)
• Most IT staff are trained and experienced in operational IT – keeping systems up and running efficiently
• Security is now highly specialized by industry, device type, business risk, and information lifecycle
• Most IT staff have no time for the proactive monitoring and analysis required by all best practices, audit criteria, and security regulations
• Consider managed security service providers in addition to the regular IT vendor
• Require frequent industry-recognized certifications for all security staff and vendors
• Require ongoing security education of all security staff
• Don't assume that security is a priority, or even included, in service level agreements with IT vendors
5. Lost or Stolen Devices
• Laptops, smartphones, USB drives
• Lost backup tapes
• Data breach notification, privacy laws, OCR Wall of Shame, litigation, federal regulations?
• ENCRYPT NOW – no excuses!
• Perform vendor due diligence
• Include lost/stolen devices in your incident response plan
4. Cloud – IaaS, PaaS, SaaS
• Dude, where's my data??
• 3rd party, 4th party, resellers?
• Timeshare software license?
• Retain specialized legal counsel
• Data portability
• Shared physical or virtual infrastructure
• Vendor(s) business viability
3. Phishing and Spear Phishing
• Disguised links in email
• Social engineering to target specific people
• Uses email, social messaging, or web links
• URL shortening presents new problems
• Train users on scams continuously
• Allow only one admin to send out security alerts
• Patch systems/AV, control user privileges
3. Phishing and Spear Phishing – Training Works!
2. Un-Patched Machines, Programs, Firmware
• Operating system patches – local machines AND servers AND gear
• 3rd-party app patches – Office, AV, obscure apps
• Old exploits are still happening
• Force justification for patch delays
• Enable automatic updates (if possible)
• Perform regular internal scans (Nessus)
1. Windows Server 2008 Retirement
• No more security patches released after 1/14/20
• Highly complex migrations
• Already in Extended Support
• Perform risk analysis
• Write and design conversion plans
• Go for the easy wins – retire non-mission-critical servers
• Migrate to Microsoft Azure – get 3 more years
Everyone Can Do Something NOW
• Unencrypted mobile devices – encrypt before you leave TODAY!
• Use two-factor authentication – always, always, always!!
• Poor passwords – move to a passphrase; use a password keeper
Small Organization Focus
• Maintain an inventory of IT assets
• Implement access control on remote access services
• Change default credentials on all internet-facing devices
• Trust but VERIFY – minimum annual security testing
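The Windows 7 and Windows Server 2008 slides both say "perform risk analysis", the "do something NOW" slide says encrypt mobile devices, and the small-organization slide says maintain an inventory of IT assets; those three items are one exercise once the inventory exists. The example below is added here and is not from the presentation: it reads a constructed CSV export from a hypothetical asset tracker and reports hosts whose OS stops receiving patches on the 1/14/20 date the slides give (distinguishing those covered by purchased Extended Support), plus mobile devices that are not encrypted. The column names and every row are constructed for the demonstration.

```python
"""Review an asset inventory for retiring Windows versions and unencrypted mobile devices.

Added example, not from the slides. SAMPLE_INVENTORY and its column layout are
constructed; the 2020-01-14 end-of-patches date is the one the slides state for
Windows 7 and Windows Server 2008.
"""
import csv
import io
from datetime import date

# Date after which no more security patches are released (from the slides).
END_OF_PATCHES = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
}

# Device types the slides treat as "mobile" for encryption purposes.
MOBILE_TYPES = {"laptop", "smartphone", "tablet", "usb"}

# Constructed CSV export from a hypothetical asset tracker.
SAMPLE_INVENTORY = """\
hostname,type,os,encrypted,extended_support_until
FS01,server,Windows Server 2008 R2,yes,
APP02,server,Windows Server 2016,yes,
PM-LAPTOP-07,laptop,Windows 7 Pro,no,
PM-LAPTOP-09,laptop,Windows 7 Pro,yes,2023-01-10
FIELD-PHONE-3,smartphone,Android 9,no,
EST-DESK-2,desktop,Windows 10 Pro,no,
"""


def parse_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_inventory(rows, today):
    """Return sorted (hostname, issue) pairs; `today` is an ISO date string.

    Issues:
      unsupported-os     - OS past end of patches and no Extended Support in effect
      os-retiring        - OS on the retirement list but still covered as of `today`
      unencrypted-mobile - laptop/phone/tablet/USB device without encryption
    """
    today = date.fromisoformat(today)
    findings = []
    for row in rows:
        retiring = next((k for k in END_OF_PATCHES if row["os"].startswith(k)), None)
        if retiring:
            ext = (row.get("extended_support_until") or "").strip()
            covered_until = date.fromisoformat(ext) if ext else END_OF_PATCHES[retiring]
            issue = "unsupported-os" if today > covered_until else "os-retiring"
            findings.append((row["hostname"], issue))
        if row["type"] in MOBILE_TYPES and row["encrypted"].strip().lower() != "yes":
            findings.append((row["hostname"], "unencrypted-mobile"))
    return sorted(findings)


if __name__ == "__main__":
    rows = parse_inventory(SAMPLE_INVENTORY)
    for when in ("2019-11-01", "2020-06-01"):
        print(f"As of {when}:")
        for hostname, issue in review_inventory(rows, when):
            print(f"  {hostname}: {issue}")
```

Running it with a date before and after 1/14/20 shows the same inventory moving from "retiring" to "unsupported" overnight, which is the point of doing the risk analysis before the date rather than after; the desktop with no encryption is deliberately not reported, because the slides' encryption mandate is about devices that leave the building.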
Large Organization Focus
• Eliminate unnecessary and/or legacy data
• Monitor logs – outsource / co-source
• Annually review incident response plans – verify with gap analysis
• Trust but VERIFY – security testing with social engineering, ethical hacking and aggressive penetration testing
Additional Resources
• Cybersecurity and the Construction Industry - https://www.zurichna.com/en/knowledge/articles/2019/08/cybersecurity-and-the-construction-industry
• A Match Made In Cyber Hell - https://www.enr.com/articles/46832-construction-cybercrime-is-on-the-rise
• Forbes – Hackers Take Control of Giant Cranes - https://www.forbes.com/sites/thomasbrewster/2019/01/15/exclusive-watch-hackers-take-control-of-giant-construction-cranes/#107472af1d0a
Questions?
Angie Singer Keating, CISA, CIPP, CISM, CRISC
CEO & Co-Founder
814-684-5505 ext. 100
814-360-2648 (cell)
www.reclamere.com
http://www.linkedin.com/in/angiesingerkeating
Follow me on Twitter: @VeepGeek