Helping Businesses Grow & Succeed Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018 BYTE-SIZE: The Small Business Cybersecurity Program of the FSBDC Network
This presentation is a companion to the publication entitled "The Florida SBDC Network Byte-Size Program: Cybersecurity Basics for Small Business". For more information, visit floridasbdc.org/cybersecurity
NOTE: These materials are intended to provide information to help small businesses consider key cybersecurity concepts, to share ideas for reducing cyber risk, and to identify helpful resources from multiple public and private organizations. However, no single technology or program can eliminate all cyber risk, nor can any guarantee protection from constantly evolving digital attacks. It is always best to consult IT security and legal professionals to understand your responsibilities and to manage the specific cyber risks associated with your business.
Lee V. Mangold (CISSP, CEH, GLSC, ITIL...)
• Co-Founder & CEO, GoldSky Security
• Co-Founder & Vice President, Florida Cyber Alliance
• President, Information Systems Security Association (CFL Chapter)
• Board Director, Security BSides Orlando
• Adjunct Professor, University of Central Florida
@LeeMangold | Lee.Mangold@GoldSkySecurity.com
Section 1 CYBERSECURITY BASICS
Trends (2009-2016)
Who are the attackers?
• Organized Crime Organizations
  – Large syndicates of attackers
  – Hierarchical organizations; Mafia
• State-Sponsored Attackers
  – Government organizations
  – Russia, China, Iran, North Korea, etc...
• Script Kiddies
  – Use downloaded tools and scripts
  – Motivated by fame
• Other Professionals
  – Usually experimenting, learning, or shaming
• Hacktivists
  – All of the above
  – Motivated by a social cause
Top Threats & Targets
Top Threats
• Malware
  – Specifically Ransomware
  – Potentially more...
• Social Engineering
  – Phishing emails
  – Extortion attempts
• 3rd Party Data Theft
  – Stolen Credentials
  – 3rd Party breaches
Top Targets
• Medical Industry
  – Compromising PHI
• Legal Industry
  – Compromising PII
  – Compromising PHI
• Financial & Administrative Services
  – Compromising PII
  – Fraud and monetary theft
• Retail
  – Monetary theft (PCI)
Three Foundational Cybersecurity Principles
• What: Know what your critical data/assets are
• Where: Know where your critical data/assets are
• How: Know how they are protected
CLOUD!! IaaS, PaaS, SaaS
Types of Attacks
MALWARE
• Malicious software
  – Steal credentials or other information
  – Steal money
  – Ransomware
  – Botnets
  – Sabotage
  – Denial of service
PHISHING
• Email designed to lure you into doing something ill-advised
  – Execute an attachment
  – Click on a link
  – Unwittingly give away sensitive information
• Some are really good at exploiting human gullibility
INTERNET OF THINGS (IoT)
• Increasingly, tech devices are being targeted
  – Eavesdropping
  – Steal data
  – Botnet agents
  – DDoS attacks
APPLICATION ATTACKS
• Maliciously manipulate application software
  – Steal data from database server
  – Run attack scripts on other users' PCs
  – Steal user credentials
Remediation Activities
Employee Education
• Technology is great, but your most important assets are your employees
  – First line of defense
  – Train them on the tools you use
  – Encourage them to report strange computer activity
Passwords & MFA
• Use strong passwords or passphrases
• NEVER share your passwords
• Don't re-use passwords
• Enable Multi-Factor Authentication where possible!
PROTECTIONS
• Policies and policy management
• Software updates
• Configurations
• Security products
• Application software controls
DETECTION MEASURES
• Event monitoring
• Intrusion detection and prevention systems
• Threat monitoring
• User reports
RESPONSES
• Incident response
  – Advocates for the business
  – Reduce the losses
  – Get back in business as quickly as possible
  – Support investigations
  – Decision support during the incident
  – Crisis communications
INSURANCE
• Is cybersecurity insurance right for you?
  – It depends
  – Policies exist
  – Read the fine print and comply with their requirements
  – Answer their questions candidly
  – Understand what is and is not covered
INSURANCE 101
Key questions:
• Bundled vs. Stand-alone?
• What are the policy exclusions?
• How much coverage should I purchase?
• Who is the breach response firm?

Electronic Data Processing (EDP)
• EDP policies are not cyber coverage.
• Normally cover:
  – Data processing equipment.
  – Hardware replacement.
  – Property coverage.

Bundled
• Bundled cyber policies often offer limited protection.
• They usually:
  – Have gaps and more exclusions.
  – Are an endorsement to other policies.
  – Can result in greater exposure.

Stand-Alone
• Stand-alone cyber policies offer the most broad protection.
• They provide:
  – Third party liability.
  – Breach Response.
  – Notification.
  – Restoration.
  – Business interruption.
  – Reputation risk.

Stop-Loss (DIC)
• DIC plans are for larger organizations with greater risk profiles.
  – Catastrophic backstop.
  – Covers gaps.
  – Meant for large losses when underlying coverage is exhausted.

Scale across the four policy types, left to right: Danger Zone (EDP) to Safe(r) Zone (Stand-Alone, DIC)
Section 2 CASE STUDIES IN CYBERSECURITY
Breach Case Studies
• Insurance Company
  – COO's email account credentials phished
  – Account data stolen from email & storage
  – Data exfiltrated to unknown destinations in Russia
  – Had to notify 3600+ individuals, pay for credit monitoring, etc...
• Healthcare Practice
  – Hard drive stolen during A/C maintenance
  – Owners extorted, police involved
  – Had to notify 37,000+ individuals
• CPA & Patent Firm
  – User sent a fake Docusign link, logged in, downloaded malware
  – Forwarded the email to colleagues
  – Data exfiltrated to unknown destinations in Russia
Breach Case Studies
• TerraCom and YourTel America (2014)
  – Failed to protect PII of customers
  – 300,000 identities at risk
  – Settled with FCC for $3.5M
• Verizon (2017)
  – Failed to protect PII of customers
  – 3rd party IT contractor left data unprotected in AWS
• Undisclosed Carrier
  – Hackers gained unauthorized access to SIP trunks
  – Hundreds of thousands in fraudulent charges billed to customers
  – Company had no idea how to track or prevent the attacks
Case Study: Mossack Fonseca
(Attack-chain diagram; recoverable content:)
• WordPress Website – Exploited
  – Plugin: Revolution Slider
  – Plugin: WP-SMTP plugin → Email Passwords
  – Plugin: ALO EasyMail → Email Passwords
  – Log In → Email Server → Get Mail!
• Drupal Web Portal (https://Portal.Mossfon.com) – Exploited
  – Outdated; Several Critical Vulnerabilities
  – Get Data!
Misconfiguration
• Configuration Management
  – Are all your systems provisioned to a baseline standard?
  – Are all your systems audited REGULARLY?
  – Could you audit your systems if you had to?
  – Who has access to what data and how is it protected?
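The Mossack Fonseca case above turned on outdated web plugins, and the configuration-management questions ask whether you could audit your systems to a baseline. The following script is an added example (not from this presentation or any FSBDC tool) of one such regular audit: it reads the standard WordPress plugin header ("Plugin Name:" / "Version:" lines) and flags plugins that are missing from an approved baseline or below its minimum version. The plugin names, versions and baseline are constructed sample data, not real vulnerability information.

```python
"""Audit WordPress plugin versions against an approved baseline.

Added example, not part of the presentation. Assumes the real WordPress
plugin header format ('Plugin Name:' and 'Version:' lines in the plugin's
main PHP file). All names, versions and the baseline are constructed data.
"""
import re

# Matches header lines with or without a leading '*' from a block comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> dict:
    """Return {'name': ..., 'version': ...} from a plugin's header comment."""
    fields = {key: value for key, value in HEADER_RE.findall(php_source)}
    return {"name": fields.get("Plugin Name"), "version": fields.get("Version")}


def version_tuple(version: str) -> tuple:
    """'4.1.4' -> (4, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(installed: list, baseline: dict) -> list:
    """Flag plugins absent from the baseline or below its minimum version."""
    findings = []
    for plugin in installed:
        name, ver = plugin["name"], plugin["version"]
        if name not in baseline:
            findings.append((name, ver, "not in approved baseline"))
        elif version_tuple(ver) < version_tuple(baseline[name]):
            findings.append((name, ver, f"below minimum {baseline[name]}"))
    return findings


# Constructed sample plugin files (two header comment styles) and baseline.
SAMPLE_HEADERS = [
    "<?php\n/*\nPlugin Name: Example Slider\nVersion: 4.1.4\n*/",
    "<?php\n/**\n * Plugin Name: Example Mailer\n * Version: 2.0.0\n */",
]
BASELINE = {"Example Slider": "4.2.0", "Example Mailer": "1.9"}

if __name__ == "__main__":
    installed = [parse_plugin_header(src) for src in SAMPLE_HEADERS]
    for name, ver, reason in audit(installed, BASELINE):
        print(f"{name} {ver}: {reason}")
```

Run it on a schedule against each site's wp-content/plugins directory and treat any finding as a ticket, which answers "could you audit your systems if you had to?" with evidence rather than assumption.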
3rd Party Problems
• How do you know your 3rd parties are secure?
• What data do you share with them? Do you know?
• How often have you (or can you) audit 3rd parties?
• Have THEY been breached already?
Mismanagement
• Have you formed a security team or a formal security effort?
• Do you have procedures in place to help prevent breaches?
• What do you do when you HAVE a breach? Would you know?
• Are you practicing risk management in IT and Security?
Seek out best practices!
1. Begin practicing security risk management
2. Work across IT (and all domains) to identify the "what, where, how"
3. Establish baseline security standards
4. Have a plan and seek help where you need it!
Section 3 CYBERSECURITY COMPLIANCE (AND RISK MANAGEMENT)
Cybersecurity Management IS Risk Management
NIST Cyber Security Framework: NOT A STEP-BY-STEP PROCESS