Cybersecurity Update: Latest Impacts on Aerospace & Defense - PDF document

The Aerospace & Defense Forum Arizona Chapter March 9, 2017 Cybersecurity Update: Latest Impacts on Aerospace & Defense Presented d by: Brandon Gunter Senior Manager, Cybersecurity Services Brandon.Gunter@mossadams.com (206) 302-6475 THE STATE OF CYBERSECURITY TODAY It’s no longer a question of whether a 50% network will be compromised, but when a network will be compromised. COMPANIES that experienced at least one security incident Source: Ponemon Institute 500+ billion $6.5 million $445 billion Total number of personal Average cost a company Total cost of data breaches records stolen or lost. pays for a data breach. and cybercrime worldwide. Source: “The Future of Cybercrime Source: Ponemon Institute Source: 2014 joint study by & Security: Financial and Corporate antivirus software maker McAfee Threats & Mitigation” from Juniper and the Centerfor Strategic and and Cimantic Corp.’s 2015 Annual InternationalStudies ThreatReport 2 1

The Aerospace & Defense Forum Arizona Chapter March 9, 2017 Attack Targets • Attacks today are sophisticated 55% SPEAR PHISHING • Multiple access points to networks, Campaigns targeting employees increase mobile devices, etc. • Not typically targeting systems – they go after the people 35% increase Source: Symantec’s Internet Security Threat Report 2016 3 Common Cyberattacks Common Cyberattack Approaches This is an e-mail that asks for information—IT system access data or bank details—in the hopes SPEAR PHISHING of someone innocently responding and providingit. WHALING This method is the same as spear phishing but targets C-level executives. Hackers gain access to a system using malicious software, then encrypt sensitive data and hold it RANSOMWARE hostage—along with your ability to conduct business—until a demand issatisfied. This includes many different types of devices that perform a single function at low processing INTERNET OF THINGS power and lack security functions. 4 2

The Aerospace & Defense Forum Arizona Chapter March 9, 2017 RECENTCYBERATTACKS 2013 DECEMBER 2013 Target had 70 million customer identitiesstolen. 2014 JULY–AUGUST 2014 JPMorgan Chase discovered unauthorized individuals accessed more than 90 of its secure servers over a two-month period. The result was the loss of personal financial information for at least 76 million households. NOVEMBER 2014 Sony Pictures found that e-mail systems were accessed and embarrassing discussions were made public with costly consequences. 2015 JANUARY 2015 Anthem Blue Cross Insurance Companies , the nation’s second largest insurer, disclosed a breach in which the identities of 80 million customers were potentiallystolen. FEBRUARY 2015 Intuit had to warn its TurboTax customers to hold off from filing tax returns to ensure hackers couldn’t steal their refunds. 2016 FEBRUARY 2016 Hollywood Presbyterian Medical Center paid a hacker $17,000 in bitcoin after a ransomware attack encrypted its electronic medical record system, effectively locking the hospital out of its records for aweek. 5 The Price of Your Data � Social Security Number (SSN): $1-$5 � Credit Card Number: $5-$8 (must have name, type, expiration date, and CCV) � Premium Card Number: $30-$40 (must have SSN, address, DOB, plus name, type, expiration date, and CCV) � PayPal Account: $20-$300 � Medical Record: $50 � Treasure trove of personally identifiable information (PII) � Barrier to entry for an attacker is low (free tools, cheap card skimmers, cheap programs) � Interconnectivity of systems and a lot of attack vectors, including cloud-based systems 3

The Aerospace & Defense Forum Arizona Chapter March 9, 2017 Rising Information Security Risks: Cost Increases by Size and Industry The cost per record varies by industry : Total cost of a breach varies by the size of the breach: Average cost =$217/record (US Data) Average cost = $6.53 Million (US Data) Source: Research Report, 2015 Cost of Data Breach Study: United States , Ponemon Institute (2015) WHALING EXAMPLE Phishing Hi Joe SPEAR PHISHING DEFENSE STRATEGY Mary CEO Sophisticated attacks usually begin here. It’s important to remember there isn’t an February 29, 2016 at 10:44 AM A social engineering attack preys on the all-encompassing solution to combat To: Joe.CFO@example.com psychological willingness of employees to spear phishing or whaling. Prior to an HiJoe divulge a company’s confidential digital attack, these defenses should be inplace: Are you in the office? Kindly let me information. These attacks involve an know because I need you to send out e-mail from a hacker who appears to be an important payment for me today. End-User Security Training an individual or business you know. Never forget that people are your first line The target tends to be an unaware or Thank you, of defense. Mary CEO untrained employee who may be willing to give up desirable information—their Sent from my iPhone TechnicalControls system password or company account This includes e-mail system security, details, for example. including antispam, URL scanning, and In this example, someone named Mary is attachment stripping. e-mailing Joe, the CFO of a company,to WHALING urgently request payment. What shouldJoe do? When the target is C-level executives, it’s Internal Process Controls known as whaling. C-level e-mail fraud Have at least two sets of eyes and approval Joe’s first step should be to slow down and think takes place when a hacker requests that for requests that meet a certain threshold. about the validity of a request when it comes in. members of an organization’s finance He should take the time to hover over any function disburse or wire funds to a third- hyperlinks to see where it’s going or check the party in an e-mail that looks like it comes e-mail address carefully to be sure it isn’t a fabricatedaccount. from senior management. (See example atright.) 8 4

The Aerospace & Defense Forum Arizona Chapter March 9, 2017 Successfully Thwarting a Spear Phishing Attack � Slow down, stop, and think about the validity of the request PEOPLE ARE PEOPLE ARE � End user security awareness training – people THE FIRST LINE THE FIRST LINE are the first line of defense OF DEFENSE OF DEFENSE � Have internal process controls in place (e.g., at least two sets of eyes and approval for a request that meets a certain threshold) � Technical controls: e-mail system security, including antispam, URL scanning, and attachment stripping, is not a complete solution 9 Ransomware Also known as, Scareware DEFENSE STRATEGY Allows hackers to access an employee’s computer, There are administrative and technical controls to employ in this situation. encrypt sensitive data and demand some form of payment to decrypt it. Often begins with a spear Administrative Controls TechnicalControls phishing attack, it infects the system and can � � End-user security awareness training Frequent backups and snapshots of propagate from there. databases � Internal process controls � � Test backups for key systems Disaster recovery and business � continuity plans Up-to=date antivirus and system McAfee Labs researchers saw software through frequent patching � Contact information for local law enforcement, the FBI, and service � Near real-time monitoring services, 4 million providers such as firewall information networks instances of ransonware in the 2 nd quarter of 2015 and expect this number to continue growing. 10 5

The Aerospace & Defense Forum Arizona Chapter March 9, 2017 Ransomware Example • Hospital in California threatened with attack on their Medical Records • Electronic Medical Record (ERM) system down for more than a week. • Ransom request paid by CEO Hollywood Presbyterian Medical Center February 2016 40 Bitcoins $17,000 = 11 Successfully Thwarting a Ransomware Attack PREPARATION CHECKLIST Administrative Controls � IT infrastructure assessment - Ensure proper • End user security awareness training controls are in place and security is defined • Internal control processes for network resources • Disaster recover / business continuity � Test your systems - Infrastructure Ensure you have contact information for law • architecture, design and validation for enforcement, FBI and service providers business continuity plan/disaster recovery requirements � Prepare your people - Establish policies and procedures Technical Controls � Active monitoring, alerting, management, • Ensure end-user security / access is sufficient to and issue remediation - Detection should be perform job function – audited regularly immediate to limit the spread of the infection • Proper backup methods are necessary – ensure � Monthly software updates and security offline copies of critical data patching • Up-to-date anti-virus and system software through � Mobile device management frequent patching (e.g. firewall information networks) 6