Cybersecurity From the Trenches: Best Practices
2015 Fall Conference & Training Seminar

Rick Krepelka, Chief Operations Officer, Golden State Risk Management Authority

Chris George, CEO and Chief Architect, Protelligent, Inc.

• Review actual cyber security incidents experienced by a CA public risk pool
• Understand what was done to mitigate/avoid incidents in the future
• Hear expert advice regarding resources and solutions available to provide security and risk mitigation
• Learn what you can do now


Small Business Breaches

• Small businesses are making the leap to computerized systems and digital records, and have become attractive targets for hackers.
• VISA estimated nearly 90% of credit card data breaches reported in 2013 involved small business customers.1
• Per the Verizon 2015 Data Breach Investigations Report (compiled by Verizon Communications Inc.'s forensic analysis unit, which investigates attacks), small organizations reported 694 security incidents, 83% with confirmed data loss; large organizations reported 50,081 incidents, ~1% with confirmed data loss.
• Source: Verizon 2015 Data Breach Investigations Report

Small Business Breaches

• While large businesses can dedicate resources to cybersecurity, small businesses face the same cybersecurity challenges and threats with limited resources, capacity, and personnel.
• 44% of SMBs reported being the victims of a cyber-related attack, with an average cost of approximately $9,000 per reported attack.1
• Nearly 59% of SMBs do not have a contingency plan that outlines procedures for responding to and reporting data breaches.2

1. 2014 Small Business Technology Survey, National Small Business Association

Risk: 3rd Party Partners

• Ever increasing dependency on integration and cooperation with 3rd party partners

The Systema Incident

• About Chris Vickery
• How he got the data
• Notification from Systema and Vickery
• The incident plays out

Our Response

• Keep apprised of progress
• Notify cyber security insurer
• Reportable or not reportable?
• Systema's adjustments


Recent Third Party Related

• Target's big breach
• APTs (Advanced Persistent Threats)


Target's Big Breach and APT

• Target's attackers had carefully read the APT playbook and followed its modus operandi, also known as the "APT kill chain".

Risk: Crypto Virus

• Not positive where it came from: possibly a downloaded software demo or website ad
• Detected when an internal user couldn't open a file

Our response

• Physically disconnected office from the Internet
• Physically disconnected server from network
• Identify infected workstation
• Verify no other devices infected
• Ignore ransom demand
• Restore from backup
• Educate internal users
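The crypto virus above was noticed only when a user could not open a file. Added example (not the presenters' code or tooling) of a check a file-server owner can schedule to catch it earlier: it walks a share and flags files whose extension says plain text but whose byte entropy sits near the 8 bits/byte ceiling that encrypted output has, then groups the hits by top-level folder to point at the workstation whose mapped drive is doing the encrypting. The share layout, file names, extension list and threshold are all constructed for the example.

```python
"""Find plain-text files on a share that now look encrypted.

Added example, not from the presentation.  Ransomware output is
indistinguishable from random bytes, so a .txt or .csv whose byte entropy is
close to the 8 bits/byte maximum has almost certainly been encrypted.  The
extension list and threshold below are assumptions chosen for the example.
"""
import math
import os
import tempfile
from collections import Counter

PLAIN_TEXT_EXT = {".txt", ".csv", ".log", ".xml", ".htm", ".html", ".ini"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; English text and CSV sit around 4-5
SAMPLE_BYTES = 4096       # only the head of each file is read


def shannon_entropy(data):
    """Bits per byte of the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_share(root, threshold=ENTROPY_THRESHOLD):
    """Return [(relative_path, entropy)] for plain-text files that look encrypted.
    Paths are slash-separated regardless of platform."""
    suspects = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PLAIN_TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if len(head) < 256:          # too small to judge reliably
                continue
            h = shannon_entropy(head)
            if h >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                suspects.append((rel, round(h, 2)))
    return sorted(suspects)


def owner_hint(suspects):
    """Count suspects per top-level folder.  On a per-user or per-department
    share layout this narrows down which workstation did the encrypting."""
    by_folder = {}
    for rel, _ in suspects:
        top = rel.split("/")[0]
        by_folder[top] = by_folder.get(top, 0) + 1
    return by_folder


def demo():
    """Constructed share: two healthy files and one encrypted one.
    Returns (list of suspect paths, per-folder counts)."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "finance"))
        os.makedirs(os.path.join(share, "hr"))
        with open(os.path.join(share, "finance", "claims.csv"), "w") as fh:
            fh.write("claim_id,member,amount\n" + "1001,Anytown,250.00\n" * 200)
        with open(os.path.join(share, "hr", "handbook.txt"), "w") as fh:
            fh.write("Employees must report suspicious email to IT.\n" * 100)
        # Simulate the crypto virus: a CSV whose bytes are now random data
        with open(os.path.join(share, "finance", "budget.csv"), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))
        suspects = scan_share(share)
        return [rel for rel, _ in suspects], owner_hint(suspects)


if __name__ == "__main__":
    print(demo())
```

Run it against a real share root instead of the temporary one and alert when the list is non-empty; the entropy test is what makes it work without knowing the ransomware family or the extension it appends.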


Ransomware

• What is it?
  – Virus that encrypts data on your computer and network drives (Cryptolocker, CryptoWall)
  – Demands a payment ($200-$5000) to unlock the encryption and get your data back
• How do we get it?
  – Malicious emails that appear legitimate
    • 23% of recipients open the message, 11% click on attachments1
  – Compromised ads on popular websites

1. Verizon Communications' 2015 Data Breach Investigations Report



Protecting ourselves

1. Reliable/tested file backups and restore
2. Educate staff about phishing and ransomware
   • Be aware of email requests urgently asking you to take action
   • Never give sensitive personal or financial information over email
   • If an offer seems too good to be true, it likely is
   • Recall whether you initiated the action the email is asking you to take (password resets, account updates, etc.)
   • Only download software from known/trusted sites
   • Don't open attachments in unsolicited email
   • Use the same precautions on your mobile device as you would on your computer/laptop
   • Employee Security Awareness Training and Education (SATE)
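Added example, not from the presentation, of the phishing indicators above checked mechanically so that a help desk can triage reported messages the same way every time: it parses one raw email and reports a display name that claims a domain other than the real sender's, a Reply-To that goes elsewhere, urgent wording, links whose visible text names one host while the href goes to another or to a bare IP address, and risky attachment types. The sample message in sample_message() and the keyword and extension lists are constructed assumptions.

```python
"""Triage one email for the phishing signs the slide lists.

Added example, not from the presentation.  The sample message and the
keyword/extension lists are constructed for the example.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

URGENT_WORDS = ("urgent", "immediately", "within 24 hours",
                "account will be suspended", "verify your account")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
DOMAIN_IN_NAME = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _Links(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Host part of a URL; scheme-less 'www.x.example/path' is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    m = re.match(r"^[a-z][a-z0-9+.-]*://(?:[^/?#@]*@)?([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def registrable(host):
    """Last two labels of a host (assumption: no public-suffix list needed here)."""
    return ".".join(host.split(".")[-2:])


def analyze(raw):
    """Return a list of (indicator, detail) findings for a raw message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_dom = addr.rpartition("@")[2].lower()

    # 1. Display name names a brand/domain the message was not sent from
    m = DOMAIN_IN_NAME.search(name)
    if m and registrable(m.group(0).lower()) != registrable(sender_dom):
        findings.append(("name-domain-mismatch", f"{name!r} sent from {sender_dom}"))

    # 2. Replies are routed somewhere other than the sender's domain
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != sender_dom:
        findings.append(("reply-to-elsewhere", reply))

    # 3. Urgent call to action in subject or body
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENT_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # 4. Link text shows one host, href goes to another (or to a bare IP)
    if body is not None and body.get_content_type() == "text/html":
        parser = _Links()
        parser.feed(text)
        for shown, href in parser.links:
            target = host_of(href)
            if URL_LIKE.match(shown) and registrable(host_of(shown)) != registrable(target):
                findings.append(("link-text-mismatch", f"shows {shown}, goes to {href}"))
            if BARE_IP.match(target):
                findings.append(("link-to-ip", href))

    # 5. Attachment types that run code or hide it inside an archive
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            findings.append(("risky-attachment", fname))
    return findings


def sample_message():
    """Constructed phishing-style message used as the example input."""
    m = EmailMessage()
    m["From"] = '"IT Support - bank.example" <alerts@mail-secure.example.net>'
    m["Reply-To"] = "helpdesk@reset-now.example.org"
    m["To"] = "staff@pool.example"
    m["Subject"] = "URGENT: verify your account within 24 hours"
    m.set_content("Your account will be suspended. See the attached invoice.")
    m.add_alternative(
        "<p>Your account will be suspended within 24 hours.</p>"
        '<p>Reset here: <a href="http://198.51.100.7/reset">'
        "https://www.bank.example/reset</a></p>", subtype="html")
    m.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                     subtype="zip", filename="invoice.zip")
    return m.as_string()


if __name__ == "__main__":
    for code, detail in analyze(sample_message()):
        print(f"{code:22} {detail}")
```

Feed analyze() the raw source of a reported message (most mail clients can save one as .eml); an empty list does not prove a message is safe, but any hit is reason to not click and to forward it to IT.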



Protecting ourselves

3. Plan for infection/containment/restoration
   • Remove the infected device from the network
   • Secure wipe of the hard drive
   • Clean installation of operating system and applications
   • Restore the data sets
4. Endpoint protection
   • Antivirus/HIPS
   • Automated patching
   • Strong passwords
   • Pop-up blocker
   • URL filtering
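Step 1 (tested backups) and step 3 (restoration) only work if the restore is rehearsed, and a backup share that the infected workstation could write to gets encrypted along with everything else. Added example, not from the presentation: backup() writes a SHA-256 manifest beside the copied data, and verify_restore() restores into a scratch directory and diffs it against that manifest, so a damaged backup is found before it is needed. All paths and sample files are constructed inside demo().

```python
"""Prove a backup restores bit-for-bit before you need it.

Added example, not from the presentation.  All paths are temporary
directories created in demo(); the sample files are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each file under root (slash-separated relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            out[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_of(path)
    return out


def backup(src, dest):
    """Copy the src tree to dest/data and write dest/manifest.json beside it.
    Keep dest on media the workstations cannot write to (offline or
    pull-based), or the crypto virus will encrypt the backup as well."""
    shutil.copytree(src, os.path.join(dest, "data"))
    m = manifest(src)
    with open(os.path.join(dest, "manifest.json"), "w") as fh:
        json.dump(m, fh, indent=1, sort_keys=True)
    return m


def verify_restore(backup_dir, restore_to):
    """Restore into restore_to and diff it against the stored manifest.
    Returns (ok, problems); problems names files missing, changed or extra."""
    shutil.copytree(os.path.join(backup_dir, "data"), restore_to)
    with open(os.path.join(backup_dir, "manifest.json")) as fh:
        expected = json.load(fh)
    actual = manifest(restore_to)
    problems = sorted(p for p in set(expected) | set(actual)
                      if expected.get(p) != actual.get(p))
    return (not problems, problems)


def demo():
    """Constructed run: one clean restore test, then one where the backup
    medium itself was reached by the crypto virus.
    Returns (clean_ok, damaged_ok, damaged_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "claims"))
        with open(os.path.join(live, "claims", "2015-q3.csv"), "w") as fh:
            fh.write("claim_id,member,amount\n1001,Anytown,250.00\n")
        with open(os.path.join(live, "policy.txt"), "w") as fh:
            fh.write("Incident response policy, version 1\n")

        bk = os.path.join(tmp, "backup")
        backup(live, bk)
        clean_ok, _ = verify_restore(bk, os.path.join(tmp, "restore-1"))

        # The backup share was mapped on the infected workstation: one file encrypted
        with open(os.path.join(bk, "data", "policy.txt"), "wb") as fh:
            fh.write(os.urandom(64))
        damaged_ok, problems = verify_restore(bk, os.path.join(tmp, "restore-2"))
        return clean_ok, damaged_ok, problems


if __name__ == "__main__":
    print(demo())
```

Schedule verify_restore() against each backup set on a machine that only has read access to the backup media; a restore that silently differs from the manifest is the failure you want to discover on a quiet day, not during the incident.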

Risk: Complacent Users

• We share sensitive data with members and 3rd parties via ShareFile (Citrix)
• Our user downloads a file that contains an infected payload, even under strange circumstances
• Email relay malware initiated; within a day, our domain is blacklisted

Our response

• Identify infected workstation
• Submit delisting requests to the blacklists
• Change all ShareFile and critical system passwords
• Educate internal users


Social Engineering

• The oldest tool is still one of the most effective
  – "Watering hole"
  – Malvertising
  – 'Trusted resource' email, text, voice
  – USB/SD cards and our Nation's Capital
  – "-ishing"
    • Phishing (random)
    • Spear phishing (targeted)
    • Vishing (phone call)
    • Smishing (SMS text)
  – Employee Security Awareness Training and Education (SATE)

Risk: ???

• PDA risks
• More than data -> control
• Highly targeted attacks
• Our members

Our response

• More internal training and updates
• More formalized risk assessment and response planning
• Store some sensitive data off network when practical
• Ask vendors about their security
• Revamp internal policies

Protection and Response

• Murphy's law: what can go wrong, will, so we need:
  – Plans, procedures, and policies
    • FEMA: Business Continuity and IT Disaster Recovery Planning templates
    • FCC: SMB Security Planning Wizard


Host Intrusion Prevention Systems (HIPS)

• With IoT, cloud movements, etc., attacks focus more on direct application access instead of gaining endpoint control
• HIPS combines firewall, IDS, and anti-malware functions to monitor activity and behavior from the network up to the application