Presented by: Danny Timmins, National Leader Cyber Security
Date: September 26, 2016
MNP Cyber Security, Sudbury
Page 2
• What’s happening in Cyber today.
• Are organizations at Risk?
• Critical Areas of focus for Cyber Security.
• Strategy to tackle Cyber Security.
Page 3
Page 4
The Internet of Things is, and will be, an organizational challenge.
Source: Intel.com
Page 5
Cyber Security is a Hot Topic
80% of respondents in a
recent survey discuss cyber
security at most or all
boardroom meetings
Source: 2015 Veracode Cyber Security in the Boardroom
Page 6
It’s increasing yearly?
Page 7
Cyber Security
Page 8
• Who does Cyber Attacks?
Page 9
Threat Communities
• Nation States
• Organized Hackers
• Non-Organized Hacker
• Employee: Technical
• Employee: Business
• Malicious former employee
Page 10
• What is the cost per record stolen in Canada?
Page 11
Cost of a Data Breach
Canada at a Glance
• 24 Companies (Study conducted by the Ponemon Institute, June 2016)
– Number of exposed or compromised records: the global average is 23,834 and Canada's is 21,200.
– Per-record ("per capita") cost, averaged over all industries: $158 US / $211 CDN. For the industrial sector it was $156 US; as a side note, Health Services was $355 US.
– The average total organizational cost of a data breach over three years for Canada was $4.98M US.
Page 12
• What percentage (out of 100) of all malware is Crypto-Ransomware?
Page 13
What’s your risk threshold?
• What if your computers, servers were locked out?
Page 14
What's happening in the world of Cyber Security?
• Nearly 60% of all malware infections are Crypto-ransomware.
– CryptoWall3 malware cost victims more than $325 Million, and the number is growing.
• Root Cause: In Canada, 54% of breaches were caused by a malicious or criminal attack.
• Probability of a data breach involving a minimum of 10,000 records is 17% in Canada vs. 25% globally.
• Privacy of Personal Information – Do you store, save or send any?
– What does Mandatory Breach Notification mean in Canada?
Page 15
• What are the odds of success for a phishing attack (x/y)?
Page 16
What's happening in the world of Cyber Security?
• Could the cyber enemy be ourselves?
– 1 in 5 phishing emails are clicked on – why? Mostly curiosity.
– A research team dropped 300 USB keys in various locations on a campus: 98% of them were picked up, and 50% plugged them in and accessed the files.
– Passwords… enough said!
• 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hrs.).
• In 60% of the breach cases in the Verizon report, attackers were able to compromise an organization within minutes.
Page 17
Would you click on this?
Phishing Campaigns
Page 18
Maybe this…?
Page 19
Network Cyber Security Check Up
Page 20
Page 21
What’s your risk threshold?
• What if your systems were compromised?
Page 22
What’s your risk threshold?
• Do you have any Intellectual Property(IP)?
Page 23
What’s your risk threshold?
• What if someone was looking at your proposal, bids, RFP’s?
Page 24
What’s your risk threshold?
• Personal Identifiable Information?
Page 25
What’s your risk threshold?
• Supply Chain?
Page 26
Other Notable Risks.
• Research.
• Brand.
• Enrollment for Post Secondary, Municipalities, etc.
• Strategic plans, engineering drawings.
• Life Safety Systems – Command & Control.
• Payment Systems.
Page 27
How do you determine and define what the Cyber Security Priorities are?
Threats
Risk Loss
Controls
Page 28
MNP's Approach to Cyber
MNP Suggests:
• Understanding the strength of your controls.
• Assessing your risk based on what threats are acting against you & what industry sector you are part of.
• Reviewing and understanding the monetary impacts to your organization, including financial loss, brand loss, etc.
Page 29
+ Endorsed + Pragmatic + Measurable
Critical Security Controls
“The adoption of the 20 Critical Controls is a good foundation for effective cybersecurity, and they are an excellent example of how public and private sector organizations can voluntarily come together to improve security”
– Commander of the US Cyber Command and Director of NSA
Page 30
What are CSC guiding principles?
1. Defenses should focus on addressing the attack activities occurring today.
2. Enterprises must ensure consistent controls across the enterprise to effectively negate attacks.
3. Defenses should be automated where possible.
4. Specific technical activities should be undertaken to produce a more consistent defense.
5. Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks.
6. Metrics should be established that facilitate common ground for measuring the effectiveness of security measures.
Page 31
Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment
10. Application Software Security
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
Page 32
Generic Attack Methodology
Every cyber attack follows a standard attack methodology: the “Kill” Chain (Lockheed Martin, est. 2011).
Reconnaissance → Exploitation → Persistence → Actions on the Objective
Why these controls?
Page 33
Base Line Data can show improvement over time.
Page 34
Risk Methodology
Phases: Measure → Analyze → Plan → Maintain
Inputs:
• Control Strength
• Threat Capability
• Threat Event Frequency
• Quantify the Loss
Page 35
Threat Analysis – Considerations for risk analysis
• Control Strength – What safeguards are currently in place? (Input: CSC results)
• Threat Capability – What is the capability of the threat agents? (Threat communities considered: Nation States, Non-organized Hacker, Destructive Malware)
• Threat Event Frequency – What are your industry-specific statistics? (Input: Verizon DBIR statistics)
• Quantify the Loss – What are the primary and secondary loss magnitudes? (Inputs: Fines / Reputation; OpenFAIR)
Page 36
Page 37
Page 38
Example of Prioritization
Control   Risk Loss   Threat Landscape   Priority
Medium    High        Low                3
Low       Medium      Medium             2
Medium    Medium      High               1
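The Risk Methodology and Threat Analysis slides above name four inputs (control strength, threat capability, threat event frequency, loss magnitude) and the prioritization slide shows how they combine into a ranking. The following is an added example, not code from MNP or from the deck, of a simplified FAIR-style calculation in Python: Risk = Loss Event Frequency × Loss Magnitude, with LEF = TEF × Vulnerability and Vulnerability derived from threat capability relative to control strength. The ordinal-to-probability mapping and the three scenarios are constructed assumptions; they are chosen so the ranking mirrors the slide, where the top priority is the scenario whose threat outmatches the controls, not the one with the largest single loss.

```python
"""Added example, not from the MNP deck: a simplified FAIR-style risk
calculation built from the four inputs on the Risk Methodology and Threat
Analysis slides, followed by a ranking of scenarios in the spirit of the
'Example of Prioritization' slide. The vulnerability mapping and the
scenario numbers are assumptions constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal scale used on the slides, mapped to numbers for comparison.
LEVEL: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Scenario:
    name: str
    control_strength: str    # strength of safeguards in place (e.g. from CSC results)
    threat_capability: str   # capability of the threat community acting against you
    tef_per_year: float      # threat event frequency (e.g. from DBIR-style statistics)
    primary_loss: float      # direct loss per loss event, in dollars
    secondary_loss: float    # fines, reputation and other follow-on loss per event


def vulnerability(control_strength: str, threat_capability: str) -> float:
    """Probability that a threat event becomes a loss event.

    FAIR derives this from threat capability relative to control strength.
    The mapping here is an assumed ordinal shortcut: 0.5 when they match,
    higher when the threat outmatches the controls, lower when the
    controls outmatch the threat."""
    gap = LEVEL[threat_capability] - LEVEL[control_strength]
    return {-2: 0.05, -1: 0.10, 0: 0.50, 1: 0.90, 2: 0.95}[gap]


def annualized_loss(s: Scenario) -> float:
    """Risk = Loss Event Frequency x Loss Magnitude, where
    LEF = TEF x Vulnerability and LM = primary + secondary loss."""
    lef = s.tef_per_year * vulnerability(s.control_strength, s.threat_capability)
    return lef * (s.primary_loss + s.secondary_loss)


def prioritize(scenarios: List[Scenario]) -> List[Tuple[int, str, float]]:
    """Rank scenarios by annualized loss; priority 1 is the largest exposure."""
    ranked = sorted(scenarios, key=annualized_loss, reverse=True)
    return [(i + 1, s.name, round(annualized_loss(s), 2))
            for i, s in enumerate(ranked)]


# Constructed scenarios mirroring the slide's three rows.
SAMPLE_SCENARIOS = [
    Scenario("Ransomware on file servers", "Medium", "High", 2.0, 150_000, 50_000),
    Scenario("Phishing leading to credential theft", "Low", "Medium", 6.0, 20_000, 30_000),
    Scenario("Lost laptop holding PII", "Medium", "Low", 1.0, 50_000, 200_000),
]

if __name__ == "__main__":
    for priority, name, loss in prioritize(SAMPLE_SCENARIOS):
        print(f"Priority {priority}: {name:40s} ${loss:,.0f}/yr")
```

With the constructed inputs, the ransomware scenario ranks first (about $360,000 per year of expected loss), the phishing scenario second, and the lost laptop third even though its loss magnitude is the largest, because strong relative controls and a low threat event frequency keep its loss event frequency down. A real OpenFAIR analysis replaces the point values with calibrated ranges and simulates them; the structure of the calculation is the same.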
Page 39
Goal Based and Measurable
• Maturity averages from similar organizations
• An all-encompassing maturity dashboard with key analytics
• Focused allocation of budget and resources
• Immediate and prioritized risk reduction strategies
• A prioritized & risk-based roadmap customized to your unique organization
Page 40
The Center for Internet Security states that if you implement these 5 strategies you will reduce your risk by 85%:
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
CIS Critical Security Controls
Page 41
Inventory of Authorized and Unauthorized Devices
• Some of the Controls needed:
– Deploy an automated asset inventory discovery tool.
– Ensure that all equipment acquisitions automatically update the inventory system.
– Maintain an asset inventory of all systems connected to the network.
– Use client certificates to validate and authenticate systems.
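The first control above only pays off when the inventory is actually compared with what is on the wire. As an added example (not MNP's tooling, and not part of the deck), the Python below reconciles an authorized-asset list against DHCP-style lease lines: devices that obtained an address but are not in the inventory are flagged for investigation, and inventoried devices that never appeared are flagged for verification (offline, decommissioned, or missing). The inventory entries, MAC addresses and log lines are all constructed.

```python
"""Added example, not MNP's own tooling: reconciling the devices actually
seen on the network against an authorized-asset inventory, which is the
core of the 'Inventory of Authorized and Unauthorized Devices' control.
The inventory and the DHCP-style lease lines are constructed."""
import re
from typing import Dict

# Constructed authorized inventory keyed by MAC address (lower-case).
AUTHORIZED: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "fin-ws-01 (Finance workstation)",
    "aa:bb:cc:00:00:02": "print-02 (Floor 2 printer)",
    "aa:bb:cc:00:00:03": "db-srv-01 (Database server, expected always on)",
}

# Constructed lease log: timestamp, DHCP message type, IP, MAC, client hostname.
DHCP_LOG = """\
2016-09-26T08:01:12 DHCPACK 10.0.1.21 AA:BB:CC:00:00:01 fin-ws-01
2016-09-26T08:03:40 DHCPACK 10.0.1.22 aa:bb:cc:00:00:02 print-02
2016-09-26T08:15:05 DHCPACK 10.0.1.57 de:ad:be:ef:12:34 android-7f3c
2016-09-26T08:16:30 DHCPNAK 10.0.1.58 00:11:22:33:44:55 unknown
2016-09-26T09:02:11 DHCPACK 10.0.1.57 de:ad:be:ef:12:34 android-7f3c
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DHCPACK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<host>\S+)$"
)


def parse_leases(log: str) -> Dict[str, dict]:
    """Return the most recent acknowledged lease per MAC.
    Only DHCPACK lines count as a device being on the network; NAKs and
    malformed lines are ignored. MACs are normalised to lower-case."""
    leases: Dict[str, dict] = {}
    for line in log.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases[m["mac"].lower()] = {"ip": m["ip"], "host": m["host"], "ts": m["ts"]}
    return leases


def reconcile(authorized: Dict[str, str], leases: Dict[str, dict]) -> Dict[str, list]:
    """Split the picture into devices to investigate (seen but not authorized)
    and devices to verify (authorized but not seen)."""
    return {
        "unauthorized": sorted(mac for mac in leases if mac not in authorized),
        "not_seen": sorted(mac for mac in authorized if mac not in leases),
    }


def report(authorized: Dict[str, str], log: str) -> Dict[str, list]:
    """Convenience wrapper: parse the log and reconcile it in one call."""
    return reconcile(authorized, parse_leases(log))


if __name__ == "__main__":
    result = report(AUTHORIZED, DHCP_LOG)
    leases = parse_leases(DHCP_LOG)
    for mac in result["unauthorized"]:
        lease = leases[mac]
        print(f"UNAUTHORIZED {mac} {lease['ip']} {lease['host']} last seen {lease['ts']}")
    for mac in result["not_seen"]:
        print(f"NOT SEEN     {mac} {AUTHORIZED[mac]}")
```

MAC addresses are used as the key because that is what a DHCP server records; in practice they are spoofable, which is exactly why the slide's last point (client certificates, i.e. 802.1X-style authentication of the device itself) is listed alongside the inventory.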
Page 42
Inventory of Authorized and Unauthorized Software
• Some of the Controls needed:
– Devise a list of authorized software and version.
– Deploy application whitelisting technology.
– Deploy software inventory tools throughout the organization.
Page 43
Secure Configurations for Hardware and Software
• Some of the Controls needed:
– Establish standard secure configurations of your operating systems and software applications.
– Store the master images on securely configured servers.
– Perform all remote administration over secure channels.
– Use file integrity checking tools to ensure that critical system files have not been altered.
Page 44
Continuous Vulnerability Assessment and Remediation
• Some of the Controls needed:
– Run automated vulnerability scanning tools against all systems on the network.
– Correlate event logs with information from vulnerability scans.
– Perform manual vulnerability scanning.
– Deploy automated patch management tools and software update tools.
– Establish a process to risk-rate vulnerabilities.
Page 45
Controlled Use of Administrative Privileges
• Some of the Controls needed:
– Minimize administrative privileges.
– Use automated tools to inventory all administrative accounts.
– Before deploying any new devices in a network, change all default passwords.
– Use multifactor authentication for all administrative access.
– Administrators should be required to access a system using a fully logged and non-administrative account.
Page 46
Other Important Strategies
• Incident & Crisis Management.
• Education.
• Increase early detection and alerting.
Page 47
Education
• Do your teams have awareness of Cyber Security and the potential harm to the organization?
• Does the organization have policies & practices?
• Do you practice simulations to drive awareness?
Page 48
Are you prepared for a Cyber Incident?
• Do you have a policy in place if a Cyber Attack happens?
• Have you tested this policy during the past year?
• Are various groups within the organization participating?
• Do you have a spokesperson primed to speak to the Cyber Attack?
Page 49
Increase early detection and alerting
• Does your alerting and detection do the following:
– Detect emerging threats.
– Help contain and mitigate losses and further exploitation.
– Automate and correlate large amounts of inputs and data.
– Monitor 24/7 with the ability to respond.
Page 50
Who are we… MNP's Cyber Security Team
• Over 50 Cyber Security Professionals across the country, and growing.
• Our team of Cybersecurity specialists hold extensive industry-specific certifications including: CISSP, CISA, OSCP (Penetration testing), GPEN, CEH, Payment Card Industry (PCI QSA and PCI ASV), CCSK (Cloud Security), OpenFAIR (risk analysis), Critical Security Controls (CSC).
• Strong niche/vertical orientation – Government, Municipalities, Public Safety, Health Services, Financial Services, Resource Sector, Education, Retail, Public Sector, Real Estate, etc.
• Our focus areas: Technology Installation, Configuration, Management, PCI, Pen-Testing, Maturity Health Check, Security Risk Review, and much more.
Page 51
How we help our clients
Service Area: Cyber Security Defensive Controls (Products)
Context: We help architect through dialog & whiteboarding, then install & configure Defensive Security Controls. Once completed we hand off for the customer to manage.
Service Area: Managed Cyber Security Services
Context: We manage the client's Cyber Security Defensive Controls. We are basically an extension to their team; with dedicated Cyber Security Admins & vCISOs, we know your network inside & out.
Service Area: Red Team (Offensive Cyber Security Services)
Context: We assess an organization's resiliency to a cyber attack. We use some or all of the following to test the resiliency: Penetration Testing (Application, Mobile & Perimeter), Phishing, Vishing, Physical, Wireless, USB Keys, etc.
Service Area: Cyber Security Health Check – MTA
Context: Our Health Check, called an MTA (Maturity & Threat Analysis), provides a clear picture of your overall cyber maturity score, identifies key risks and outlines where resources & budget should be allocated, helping guide your organization in its risk reduction strategies.
Page 52
How we help your clients
Service Area: PCI – Payment Card Industry
Context: ANY organization that stores, processes or transmits credit card data MUST be PCI compliant. If your client is doing more than 1 million transactions using any payment method, or more than 250K through e-commerce, they could use our help.
Service Area: Executive Level Cyber Security Training
Context: Customized security awareness program designed with a focus on specific threats, geared towards C-level and executive-level members of the organization, as well as board-level members.
Service Area: Incident Response
Context: Under cyber attack? Incident response is what organizations require should they fall victim to a cyber attack. It is best to prepare before it happens, and we can help either way.
Service Area: Cyber Security Policy Development
Context: A comprehensive review evaluating your organization's current policy framework against a number of controls such as ISO 27002, CSC 20 and PCI DSS.
Page 53
Page 54
Case Study: Building Operator – Penetration Testing
Problem: Can the building & applications be exploited externally, and what type of vulnerabilities exist?
Service: Engaged MNP to perform an internal and external network/OS layer penetration test on a building's network systems in order to identify vulnerabilities. The test will attempt to exploit identified vulnerabilities in order to gain access to network devices, applications, accounts, and information in a manner other than intended.
Services we provided:
1. Project Management
2. Report that includes the findings of the testing, including vulnerabilities discovered and recommendations for further security measures.
3. Both external and internal environments tested
4. One Web Application tested
Page 55
Case Study: PCI – Post Secondary
Problem: They were looking to meet PCI compliance.
Service: Engaged MNP to perform 1) Scope Discovery and Reduction, 2) Readiness Assessment & Gap Analysis, 3) Remediation (if needed), 4) Assessment to perform a full PCI DSS assessment and provide a Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ).
Services we provided:
1. Project Management
2. Report that includes the findings of each phase, including discovery and recommendations for further PCI measures.
3. Report which is sent to PCI
Page 56
Case Study: Health Sector – SIEM
Problem: Needed a system to alert them of improper activity.
What: Implement and install an AlienVault Security Information & Event Management (SIEM) system. A SIEM monitors and alerts the client when activity on the network is not right.
Win Factors: Our depth of experience with SIEMs, our past engagements with the client, and our positive relationship with them.
Page 57
Case Study: Retail – Firewall Solution
Problem: Looking to refresh their older firewalls.
What: Implement a Checkpoint firewall solution and provide professional services for installation and migration of the client's aging firewall infrastructure.
Win Factors: Our existing relationship with the client, who fought to keep the engagement with MNP versus transferring to a US competitor, and our strong relationship and support from our partner, Checkpoint.
Page 58
Case Study: Technology – MTA
Problem: Wanted to understand how to better allocate resources and budget for Cyber Security.
What: Complete an MTA for the client. A Maturity and Threat Analysis provides a clear picture of your overall cyber maturity score, identifies key risks and outlines where resources should be allocated, helping guide your organization in its risk reduction strategies.
Win Factors: Our strong presentation of the MTA to the client and how it could address and support their future IT security strategies, MNP's understanding of the Innovapost infrastructure, and our pricing model that addresses the client's growing cost-sensitivities.
Page 59
Case Study: Post Secondary – Defensive Controls
Problem: They needed to refresh some of their existing Cyber Security Defensive Controls (Products) and build in new technology to make their business safer.
Service: We first helped them look at what they had through dialog & whiteboarding and suggested some changes. We were asked to bid on the products and services for Next Generation Firewalls, Web Application Firewall and Vulnerability Scanning.
Services we provided:
1. Project Management
2. Suggestions through dialog and whiteboarding to upgrade their technology
3. Procurement & Delivery of the Product
4. Install, configuration and hand-off of working technology in their environment
Page 60
Case Study: Retail – Managed Services
Problem: Managing all of their internal wireless systems for all malls in Canada.
Service: MNP provides Managed Wireless Cyber Security Services which are an extension to their team. We do this across all malls nationally. We perform all adds/moves/changes to the devices, monitor all alerts, respond to and manage any incidents, and help develop the Security Policy Management for the devices.
Services we provided:
1. Project Management
2. 24/7 support, upgrades, patches, license tracking, real-time incident response
3. Cyber Security Administration & Virtual Chief Information Security Officer (vCISO)
Page 61
Personal Cyber Security Check List
• Create strong passwords – use a minimum of 8 characters (capitals, numbers, special characters).
• Use two-step verification wherever able.
• Keep your systems updated with the latest software.
• Run anti-virus and anti-malware.
• Back up your systems (local, cloud…).
• Have your computer or mobile set to auto lock.
• Never click on something you don’t know.
• Don’t add people to your profiles that you don’t know.
• Sensitive browsing should only be done from a trusted device or Wi-Fi.
Page 62
Contact Us:
Tel: 905.607.9777
Tel Toll Free: 866.370.8575
Email: [email protected]
Website: www.nci.ca
95 Topflight Drive
Mississauga, ON
L5S 1Y1
Danny Timmins
National Leader, Cyber Security
T: 905.607.9777 ext. 230
C: 647.202.6243