Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting - - PowerPoint PPT Presentation

SLIDE 1

Helping Businesses Grow & Succeed

Florida SBDC at UCF's Cybersecurity for Small Businesses: Protecting Your Digital Assets in 2018

BYTE-SIZE: The Small Business Cybersecurity Program of the FSBDC Network

SLIDE 2

NOTE: These materials are intended to provide information that helps small businesses consider key cybersecurity concepts, to share ideas for reducing cyber risk, and to identify helpful resources from multiple public and private organizations. However, no single technology or program can eliminate all cyber risk, nor can any guarantee protection from constantly evolving digital attacks. It is always best to consult IT security and legal professionals to understand your responsibilities and to manage the specific cyber risks associated with your business. This presentation is a companion to the publication entitled The Florida SBDC Network Byte-Size Program: Cybersecurity Basics for Small Business. For more information, visit floridasbdc.org/cybersecurity

SLIDE 3

Lee V. Mangold

@LeeMangold Lee.Mangold@GoldSkySecurity.com (CISSP, CEH, GLSC, ITIL...)

  • Co-Founder & CEO, GoldSky Security
  • Co-Founder & Vice President, Florida Cyber Alliance
  • President, Information Systems Security Association (CFL Chapter)
  • Board Director, Security BSides Orlando
  • Adjunct Professor, University of Central Florida

SLIDE 4

CYBERSECURITY BASICS

Section 1

SLIDE 5

Trends (2009-2016)

SLIDE 6

Who are the attackers?

  • Organized Crime Organizations
    – Large syndicates of attackers
    – Hierarchical organizations; Mafia
  • State-Sponsored Attackers
    – Government organizations
    – Russia, China, Iran, North Korea, etc...
  • Script Kiddies
    – Use downloaded tools and scripts
    – Motivated by fame
  • Other Professionals
    – Usually experimenting, learning, or shaming
  • Hacktivists
    – All of the above
    – Motivated by a social cause

SLIDE 7

Top Threats & Targets

Top Threats

  • Malware
    – Specifically Ransomware
  • Social Engineering
    – Phishing emails
    – Extortion attempts
  • 3rd Party Data Theft
    – Stolen Credentials
    – 3rd Party breaches

Top Targets

  • Medical Industry
    – Compromising PHI
    – Potentially more...
  • Legal Industry
    – Compromising PII
    – Compromising PHI
  • Financial & Administrative Services
    – Compromising PII
    – Fraud and monetary theft
  • Retail
    – Monetary theft (PCI)

SLIDE 8

SLIDE 9

SLIDE 10

Three Foundational Cybersecurity Principles

  • What – Know what your critical data/assets are
  • Where – Know where your critical data/assets are
  • How – Know how they are protected

SLIDE 11

CLOUD!!

  • IaaS
  • PaaS
  • SaaS

SLIDE 12

SLIDE 13

Types of Attacks

SLIDE 14

MALWARE

  • Malicious software
    – Steal credentials or other information
    – Steal money
    – Ransomware
    – Botnets
    – Sabotage
    – Denial of service

SLIDE 15

PHISHING

  • Email designed to lure you into doing something ill-advised
    – Execute an attachment
    – Click on a link
    – Unwittingly give away sensitive information
  • Some are really good at exploiting human gullibility

SLIDE 16

SLIDE 17

INTERNET OF THINGS (IoT)

  • Increasingly, tech devices are being targeted
    – Eavesdropping
    – Steal data
    – Botnet agents
    – DDoS attacks

SLIDE 18

APPLICATION ATTACKS

  • Maliciously manipulate application software
    – Steal data from database server
    – Run attack scripts on other users’ PCs
    – Steal user credentials

SLIDE 19

Remediation Activities

SLIDE 20

Employee Education

  • Technology is great, but your most important assets are your employees
    – First line of defense
    – Train them on the tools you use
    – Encourage them to report strange computer activity

SLIDE 21

Passwords & MFA

  • Use Strong Passwords or Passphrases
  • NEVER share your passwords
  • Don’t re-use passwords
  • Enable Multi-Factor Authentication where possible!

SLIDE 22

PROTECTIONS

  • Policies and policy management
  • Software updates
  • Configurations
  • Security products
  • Application software controls

SLIDE 23

DETECTION MEASURES

  • Event monitoring
  • Intrusion detection and prevention systems
  • Threat monitoring
  • User reports

SLIDE 24

RESPONSES

  • Incident response
    – Advocates for the business
    – Reduce the losses
    – Get back in business as quickly as possible
    – Support investigations
    – Decision support during incident
    – Crisis communications

SLIDE 25

INSURANCE

  • Is cybersecurity insurance right for you?
    – It depends
    – Policies exist
    – Read the fine print and comply with their requirements
    – Answer their questions candidly
    – Understand what is and is not covered

SLIDE 26

INSURANCE 101

Key questions:

  • Bundled vs. Stand-alone?
  • What are the policy exclusions?
  • How much coverage should I purchase?
  • Who is the breach response firm?

Bundled

  • Bundled cyber policies often offer limited coverage, not broad protection.
  • Have gaps and more exclusions.
  • Usually are an endorsement to other liability policies.
  • Can result in greater exposure.

Electronic Data Processing (EDP)

  • EDP policies are not cyber coverage.
  • They usually cover:
    – Data processing equipment.
    – Hardware replacement.
    – Property coverage.

Stand-Alone

  • Stand-alone cyber policies offer the most protection.
  • Normally cover:
    – Third party liability.
    – Breach response.
    – Notification.
    – Restoration.
    – Business interruption.
    – Reputation risk.

Stop-Loss (DIC)

  • DIC plans are for larger organizations with greater risk profiles.
  • They provide:
    – Catastrophic backstop.
    – Covers gaps.
    – Meant for large losses when underlying coverage is exhausted.

Danger Zone (Bundled, at left) to Safe(r) Zone (Stop-Loss, at right)

SLIDE 27

CASE STUDIES IN CYBERSECURITY

Section 2

SLIDE 28

Breach Case Studies

  • Insurance Company
    – COO’s Email Account Credentials Phished
    – Account Data stolen from Email & Storage
    – Data exfiltrated to unknown destinations in Russia
    – Had to notify 3600+ individuals, pay for credit monitoring, etc...
  • Healthcare Practice
    – Hard Drive Stolen during A/C Maintenance
    – Owners extorted, police involved
    – Had to notify 37,000+ individuals
  • CPA & Patent Firm
    – User sent a fake Docusign link, logged in, downloaded malware
    – Forwarded the email to colleagues
    – Data exfiltrated to unknown destinations in Russia

SLIDE 29

Breach Case Studies

  • TerraCom and YourTel America (2014)
    – Failed to protect PII of customers
    – 300,000 identities at risk
    – Settled with FCC for $3.5M
  • Verizon (2017)
    – Failed to protect PII of customers
    – 3rd party IT contractor left data unprotected in AWS
  • Undisclosed Carrier
    – Hackers gained unauthorized access to SIP trunks
    – Hundreds of thousands in fraudulent charges billed to customers
    – Company had no idea how to track or prevent the attacks

SLIDE 30

Case Study: Mossack Fonseca

SLIDE 31

Case Study: Mossack Fonseca

WordPress Website
  – Plugin: Revolution Slider
  – Plugin: WP-SMTP plugin
  – Plugin: ALO EasyMail
  → Exploited → Email Passwords → Email Server Log In → Get Mail!

Drupal Web Portal (https://Portal.Mossfon.com)
  – Outdated; Several Critical Vulnerabilities
  → Exploited → Get Data!

SLIDE 32

Misconfiguration

Configuration Management

  – Are all your systems provisioned to a baseline standard?
  – Are all your systems audited REGULARLY?
  – Could you audit your systems if you had to?
  – Who has access to what data and how is it protected?
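To make the baseline and audit questions above concrete, here is an added example that is not part of the original presentation and is not a Florida SBDC or GoldSky tool: a small Python drift checker that compares per-host configuration snapshots against a baseline standard and lists every setting that is missing or deviates. The hostnames, the setting names, the baseline values and the snapshot contents are all constructed assumptions chosen for illustration.

```python
"""Baseline configuration drift check (added example, not from the slides).

A baseline standard says what every system should be provisioned with;
an audit compares what each host actually has against that baseline.
Setting names, hosts and values below are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The baseline standard: expected value for each audited setting.
# (Constructed for this example; a real baseline would be far longer.)
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.MaxAuthTries": "3",
    "updates.automatic": "yes",
    "firewall.default_incoming": "deny",
    "disk.encryption": "yes",
}

# Constructed per-host snapshots in "key = value" form, as an inventory
# agent or collection script might gather them.  Lines starting with
# '#' are comments.
SNAPSHOTS = {
    "web-01": """\
sshd.PermitRootLogin = no
sshd.PasswordAuthentication = no
sshd.MaxAuthTries = 3
updates.automatic = yes
firewall.default_incoming = deny
disk.encryption = yes
""",
    "accounting-pc": """\
# never reprovisioned after purchase
sshd.PermitRootLogin = yes
sshd.PasswordAuthentication = yes
sshd.MaxAuthTries = 6
updates.automatic = no
firewall.default_incoming = deny
""",
}


@dataclass(frozen=True)
class Finding:
    """One deviation from the baseline on one host."""
    host: str
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting was absent from the snapshot


def parse_snapshot(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blanks and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed snapshot line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_host(host: str, snapshot: str, baseline: dict[str, str] = BASELINE) -> list[Finding]:
    """Return one Finding per baseline setting that is missing or has the wrong value."""
    actual = parse_snapshot(snapshot)
    return [
        Finding(host, setting, expected, actual.get(setting))
        for setting, expected in baseline.items()
        if actual.get(setting) != expected
    ]


def audit_fleet(snapshots: dict[str, str], baseline: dict[str, str] = BASELINE) -> dict[str, list[Finding]]:
    """Audit every host; a host with an empty list is compliant."""
    return {host: audit_host(host, snap, baseline) for host, snap in snapshots.items()}


def compliance_summary(results: dict[str, list[Finding]]) -> tuple[int, int]:
    """Return (compliant hosts, total hosts)."""
    return sum(1 for f in results.values() if not f), len(results)


if __name__ == "__main__":
    results = audit_fleet(SNAPSHOTS)
    for host, findings in results.items():
        print(f"{host}: {'OK' if not findings else f'{len(findings)} deviation(s)'}")
        for f in findings:
            print(f"  {f.setting}: expected {f.expected!r}, found {f.actual!r}")
    ok, total = compliance_summary(results)
    print(f"{ok}/{total} hosts match the baseline")
```

Run regularly (for example from a scheduled job) and keep the output, this answers the slide's "audited REGULARLY" and "could you audit if you had to" questions with a dated record; an absent setting is reported as a finding rather than silently passed, because a host that never received the control is the case a baseline audit most needs to catch.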

SLIDE 33

3rd Party Problems

  • How do you know your 3rd parties are secure?
  • What data do you share with them? Do you know?
  • How often have you (or can you) audit 3rd parties?
  • Have THEY been breached already?

SLIDE 34

Mismanagement

  • Have you formed a security team or a formal security effort?
  • Do you have procedures in place to help prevent breaches?
  • What do you do when you HAVE a breach? Would you know?
  • Are you practicing risk management in IT and Security?

SLIDE 35

Seek out best practices!

  1. Begin practicing security risk management
  2. Work across IT (and all domains) to identify the “what, where, how”
  3. Establish baseline security standards
  4. Have a plan and seek help where you need it!

SLIDE 36

CYBERSECURITY COMPLIANCE

(AND RISK MANAGEMENT)

Section 3

SLIDE 37

Cybersecurity Management IS Risk Management

SLIDE 38

NIST Cyber Security Framework

NOT A STEP-BY-STEP PROCESS

SLIDE 39

Cyber Risk Management Objectives

  • What are my BIGGEST areas of risk?
  • What are my potential mitigation strategies?
  • What is the cost-benefit of implementing various mitigation strategies?
  • What is the cost of doing nothing?

SLIDE 40

NIST 800-30 – Security Risk Assessment

SLIDE 41

Security - vs - Compliance

Security: Protecting what’s important

  • Confidentiality
  • Data Integrity
  • Availability

Compliance: Following the rules

  • 800-171
  • HIPAA
  • FIPA and other PII regs
  • PCI
  • GLBA, etc...

SLIDE 42

Three Foundational Cybersecurity Principles

  • What – Know what your critical data/assets are
  • Where – Know where your critical data/assets are
  • How – Know how they are protected

SLIDE 43

Legal Frameworks (Federal)

  • Government Contractors
    – 800-171 Compliance (and more...)
  • Healthcare
    – Health Insurance Portability and Accountability Act (HIPAA)
  • Financial Institutions
    – Gramm-Leach-Bliley Act (GLBA)
  • Credit Unions
    – Various FFIEC / NCUA Regulations
  • Federal Agencies
    – Homeland Security Act (FISMA)
  • Public Companies
    – Sarbanes-Oxley Act (SOX, Sections 302 & 404)
  • International
    – General Data Protection Regulation (GDPR)
    – EU-US Privacy Shield

SLIDE 44

Florida Information Protection Act

  • Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information.
  • A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state.

What is PII?

  • First & Last Name and one of:
    – SSN
    – Financial Account Number
    – Government ID number
    – Health Information or Insurance ID
  • Username or Email Address, including password or security questions
    – Encrypted passwords are not considered PII!

SLIDE 45

Other States

  • 48 States with Data Breach and/or Data Privacy Laws
    – Excludes Alabama and South Dakota
  • District of Columbia
  • Puerto Rico
  • US Virgin Islands
  • Guam

SLIDE 46

NIST SP 800-171 Compliance

  • Describes information protection requirements for:
    – Non-Federal Organizations holding Controlled Unclassified Information (CUI)
    – 22 Categories of CUI Data

SLIDE 47

What is CUI?

22 Categories of Controlled CUI

  • Agriculture
  • Controlled Technical Info
  • Critical Infrastructure
  • Emergency Management
  • Export Control Research
  • Financial Data
  • Geodetic Information
  • Immigration
  • Information Systems Vulns
  • Intelligence Data or Records
  • International Agreements
  • Compulsory Tax Information
  • Law Enforcement Data
  • Legal Data
  • Natural and Cultural Resources
  • NATO-Related Data
  • Nuclear Data
  • Patent Information
  • Privacy Information
  • Procurement and Acquisition
  • Proprietary Business Data
  • SAFETY Act Information
  • Statistical/Census Data
  • Some Transportation Data
SLIDE 48

Controlled Technical Info

  • Research and engineering data
  • Engineering drawings and associated lists
  • Specifications, standards, process sheets
  • Manuals
  • Technical reports
  • Technical orders
  • Data sets
  • Studies and analyses and related information
  • Computer software executable code and source code
  • etc...
SLIDE 49

800-171 Requirements

  • 14 Families of Controls
    – Access Control
    – Media Protection
    – Awareness and Training
    – Personnel Security
    – Audit and Accountability
    – Physical Protection
    – Configuration Management
    – Risk Assessment
    – Identification and Authentication
    – Security Assessment
    – Incident Response
    – System and Communications Protection
    – Maintenance
    – System and Information Integrity

SLIDE 50

Control Example

From NIST SP 800-53

SLIDE 51

Control Example

From NIST SP 800-53

SLIDE 52

Next Steps...

  • Download & Read NIST SP 800-171
    – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
  • Plan for Implementation of Controls
    – Assess for applicability and impact
  • Implement controls like a project
  • Continually assess your security!

SLIDE 53

CYBERSECURITY RESOURCES

Section 4

SLIDE 54

RESOURCES AND PLANNING

Information:

  • Florida Small Business Development Center Network: http://floridasbdc.org/cybersecurity
  • US Chamber of Commerce: https://www.uschamber.com/cyber

Threat Reporting & Alerts:

  • FBI IC3: https://www.ic3.gov
  • Secure Florida: http://secureflorida.org

Note: Additional resources may be found in the Florida SBDC Network’s Byte-Size program publication: Cybersecurity Basics For Small Business

Planning Materials:

  • US Small Business Administration (SBA): https://www.sba.gov/business-guide/manage/prepareemergencies-disaster-assistance
  • SBA Learning Center at: https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses
  • National Institute of Standards & Technology (NIST): http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

SLIDE 55

RELATED TIPS

  • Get to know your law enforcement
    – Who are they, what resources do they have?
    – Meet them in person (prior to needing to)
    – Consider FBI’s InfraGard