Financial Planning Association South Carolina “Cyber Resilience” OCTOBER 19, 2018 COLUMBIA, SC
Cyber Resilience Professional: Tom Scott, New Century Solutions LLC | NCS Cyber
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Certified in Risk and Information Systems Control (CRISC)
Project Management Professional (PMP)
Certified Critical Infrastructure Manager
NCSCYBER.COM
SCCYBER.ORG
“The Internet has made the world flat.”
Computing is an immature industry…
➢ The Internet as we know it (TCP/IP) dates to the early 1980s; the World Wide Web followed at the end of that decade.
➢ Only a few years earlier, in 1973, the first network (run exclusively by government and educational institutions) had about 100 nodes, meaning roughly 100 connected hosts.
➢ In the late 1980s the Cray X-MP supercomputer was touted as the fastest computer of all time, at about 200 million calculations per second.
➢ Today’s iPhone 7 is faster.
➢ Windows 10 has roughly 60 million lines of code.
“E-commerce has led to various challenges and opportunities through new technologies.”
MORE HEADLINES
➢ “This case (U.S. v. Hong) of cyber meets securities fraud should serve as a wake-up call… around the world: You ARE and WILL BE targets of cyber-hacking, because you have information valuable to would-be criminals.”
Preet Bharara, US Attorney, SDNY
➢ “I am convinced there are only two types of companies: those that HAVE been hacked AND those that WILL BE… And even they are converging into one category: companies that HAVE been hacked AND will be HACKED AGAIN…”
Robert Mueller, Director, FBI, March 1, 2012
Large Data Breaches to Date
➢ Equifax: 146M users
➢ Yahoo: 1.5B users
➢ eBay: 145M users
➢ Target: 110M users
➢ Sony: 102M users
➢ JPMC: 76M users
➢ Anthem/BCBS: 80M users
➢ Home Depot: 56M users
➢ OPM: 22.5M users
➢ Ashley Madison: 30M users
Source: PRIVACYRIGHTS.ORG
Computer incident response was once the sole responsibility of the IT department, but as it has become clear that the consequences of a computer incident can threaten an enterprise’s very existence, directors are now being held more accountable. Directors have to be aware that a serious computer incident could result in a number of negative consequences for their enterprise, such as reputational damage or regulatory fines.
“…what we have to remember is those who attack are patient, and those that attack never stop trying. So, if that’s the case, we can never stop working to make sure we keep things safe.”
-- Governor Nikki Haley
“I don’t need a robot army. I intend to use yours.”
Dr. Edward Sobiesk, US Army CCOE
➢ 70% of cyber attacks target SMBs
➢ 50% of SMBs have experienced a cyber attack
➢ 60% of SMBs go out of business within 6 months of suffering a cyber attack
ARE YOU AN SMB?
Your Organization
MECKLENBURG COUNTY GOVERNMENT
Largest population in North Carolina: over one million residents
Includes the City of Charlotte and 6 other towns
Major county services
• Health & Human Services
• Criminal Justice Services
• Land Use and Environmental Services
• Parks & Recreation
• Tax Assessment & Collection
$1.7 billion operating budget
Ransomware attack, December 5, 2017
▪ Mecklenburg County network credentials were compromised by cyber criminal(s) using a social-engineering phishing attack.
▪ The criminal(s) used the harvested user sign-on credentials to gain unauthorized access to Mecklenburg County systems.
▪ The criminal(s) then planted ransomware to ‘freeze’ (encrypt) select systems and demanded payment to ‘unfreeze’ them.
▪ 48 servers encrypted; over 200 systems impacted.
▪ Backups: the server team stood up a new database environment and restored database backups for the affected systems; the restores ran overnight.
▪ Gained additional insight from various sources on the risks and benefits of paying the ransom.
▪ Engaged experts (Microsoft, FBI, Fortalice, Trend Micro, others).
▪ Based on the risk/benefit analysis and numerous discussions with County executive leadership, the decision was made and communicated that Mecklenburg County would not pay.
https://www.nytimes.com/2017/12/06/us/mecklenburg-county-hackers.html
What Went Well
▪ Treated as a County crisis, not an IT issue
✓ Daily command center engaged throughout
▪ Communication strategy came from the top, early and at a timely frequency (email and telephony were essential)
▪ Had strong backups and the ability to restore
▪ Had practiced IT and department COOPs (continuity of operations plans) through tabletop exercises
▪ Had a strong relationship with forensic IT companies (on the job within hours)
▪ Had cyber insurance
▪ Got lucky: no data loss
Lessons Learned?
▪ If you have valuable data (personal, HIPAA, PCI), provide critical infrastructure services, or have the ability to pay, you are a cybersecurity target. You are probably being watched and tested as we speak.
▪ Cyber criminals are highly sophisticated and persistent. In our case they spent considerable time looking for a way in, then moved quickly once inside.
▪ Your employees will fall for phishing (no matter how much training you do).
▪ Your employees are unaware of file sharing and other social media risks. You may be surprised at how much unauthorized file sharing is going on: personal storage, Dropbox, etc.
Lessons Learned
▪ If (when) you are hacked, be aware that your IT access will be blocked (inbound and outbound) by third parties. You will need to prove to each provider that it is safe to restore access, which can take weeks:
▪ Banks
▪ State, federal and local systems (even cities and towns within the County)
▪ You will be inundated with assistance and advice (these were unanticipated management communication challenges).
▪ Be prepared for counter-attacks.
SCIDSA: South Carolina Insurance Data Security Act
Key Dates
▪ January 1, 2019: Agencies are required to notify the SC DOI Director no later than 72 hours after determining that a cybersecurity event has occurred.
▪ July 1, 2019: Agencies are required to have established a comprehensive, written information security program. Section 38-99-20.
▪ February 15, 2020: Agencies operating in South Carolina must submit to the SC DOI Director a written statement certifying that the insurer complies with the requirements set forth in the Act. Section 38-99-20(H)(2)(1).
▪ July 1, 2020: Agencies are required to have vetted their supply chain’s implementation of administrative, technical and physical controls to safeguard the information systems storing agency non-public data. Section 38-99-20(F).
Key Requirements
➢ Risk assessment
➢ Comprehensive written information security program, including an incident response plan
➢ Chief Information Security Officer appointed to oversee the information security program
➢ Annual reporting by the CISO to the Board of Directors or owner(s)
➢ Annual reporting to the SC Department of Insurance
Is Outsourcing Compliance Right For You?
Insurance agents routinely identify and calculate risks when developing a client’s policy, be it health, auto, or life.* Assessing cybersecurity risks follows a similar path of identifying risks and the corresponding threats by answering these questions:
➢ What are the known risks within your business?
➢ What are your business’s unidentified risks?
➢ What are the existing and evolving threats?
➢ What are you doing to effectively counter threats?
➢ Are you managing the risks to your business?
*Dragoon Security Group