SLIDE 1

12/10/2018 1

INTRODUCTION

Section 1

Dr. Bruce Burton
California Cybersecurity Institute

SLIDE 2

OBJECTIVES

  • Current cybersecurity statistics and implications
  • Learn from past attacks
  • Understand the NIST Cybersecurity Framework (CSF) & potential quick hits

SLIDE 3

YOUR ENTERPRISE IS UNDER ATTACK

Section 2

SLIDE 4

LOSSES DUE TO INTERNET-RELATED CRIME CONTINUE TO GROW! *

*FBI's Internet Crime Report

SLIDE 5

2017 REPORT – SMALL BUSINESS TRENDS

SLIDE 6

2017 Report – CA Breach Law

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.

SLIDE 7

2017 REPORT – SMALL BUSINESS TRENDS

SLIDE 8

2017 REPORT – SMALL BUSINESS TRENDS

SLIDE 9

PAST ATTACKS AND WHAT WE CAN LEARN FROM THEM

Section 3

SLIDE 10

TARGET DATA BREACH

SLIDE 11

BACKGROUND – WHAT HAPPENED?

  • Hackers gained access to Target's networks
  • Compromised servers to allow exfiltration of customer data
  • Collected personal financial data from POS terminals on millions of customers

SLIDE 12

HOW DID IT HAPPEN?

  • Unknown date: Target's HVAC vendor's computer systems were infected through a phishing attack
  • 11-30-13: Malicious software was detected on Target servers and Target's security team was notified
  • 12-02-13: Customer credit card information was transmitted out from Target's computer system
  • 12-12-13: Authorities notified Target of the data breach
  • 12-15-13: Target acknowledges a data breach; 40,000,000 credit card records stolen
  • 01-10-14: Target acknowledges 70,000,000 additional customer records were stolen

ALL WARNINGS IGNORED BY TARGET

SLIDE 13

IMPACT

  • Millions of impacted customers
  • Tarnished reputation
  • Drop in sales transactions resulted in a RIF (reduction in force)
  • Data breach expenses > $100M
  • CEO resigned

SLIDE 14

Personal Information is an Attractive Target

SLIDE 15

LESSONS TO BE LEARNED FROM THIS ATTACK

  • Personal financial info is an attractive target
  • Users play an important role in system security
  • Limiting employee/third party access to sensitive network assets is key
  • Importance of team training and oversight
  • Don't ignore the warning signs of a breach
  • Be extremely careful if you store sensitive personal data

SLIDE 16

COTTAGE HEALTH DATA BREACH

SLIDE 17

BACKGROUND – WHAT HAPPENED?

  • Cottage Health Systems, a medium-sized health delivery organization in the Santa Barbara area, learned of a data breach
  • In the course of investigating the first breach, a second breach was discovered
  • Both events exposed patients' medical information
  • Fortunately, Cottage Health had a cybersecurity insurance policy and it covered much of the expense of the data breach

SLIDE 18

HOW DID IT HAPPEN?

  • 3rd party supplier removed electronic security protections from one of Cottage Health's servers
  • Poor oversight over IT service suppliers
  • Violation of other basic security principles

SLIDE 19

IMPACT

  • Huge amount of bad publicity
  • Listed on the HHS "wall of shame" website
  • Numerous lawsuits on behalf of impacted patients
  • $2M fine from the state of CA
  • Requirement to significantly upgrade their security practices

SLIDE 20

IMPACT – CONTINUED

  • Insurer sues Cottage Health for $4.125 million plus attorneys' fees
  • Alleges that hospital failed to take reasonable steps to protect data
  • The devil is in the details

SLIDE 21

LESSONS TO BE LEARNED FROM THIS ATTACK

  • Ignorance is not bliss... know your state laws
  • Deliberate vs. accidental – self-inflicted wound
  • Ensure that your customers' data is protected in accordance with industry standard security practices
  • Importance of training and organizational response
  • Review and negotiate cybersecurity policy terms – the devil is in the details
  • Beware of broadly worded cybersecurity/data protection exclusions
  • Guard against a misrepresentation defense

SLIDE 22

PUPPY PALACE – CYBER ATTACK EXAMPLE

SLIDE 23
SLIDE 24

THE HOW AND WHAT

What Happened?

  • Appears that the business was attacked and customer/employee info was stolen

How?

  • Through a phishing attack

What Impact?

  • May trigger disclosure requirement
  • Future bad publicity
  • Potential negative business impacts

SLIDE 25

LESSONS TO BE LEARNED

  • Importance of training – employees are your first line of defense
  • Importance of good cyber hygiene
  • Value of encrypting sensitive information
  • Limitations of law enforcement help
  • Importance of cybersecurity insurance

60 percent of small companies are unable to sustain their businesses over six months after a cyber attack*

*U.S. National Cyber Security Alliance

SLIDE 26

COST-EFFECTIVE STEPS FOR CYBER RESILIENCY

Section 4

SLIDE 27

ORGANIZE YOUR CYBERSECURITY DEFENSE IN LINE WITH THE NIST CSF

The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.

SLIDE 28

NIST Cyber Security Framework (CSF)

Identify
  • Asset management
  • Business environment
  • Governance
  • Risk assessment
  • Risk management strategy

Protect
  • Access control
  • Awareness and training
  • Data security
  • Information protection processes and procedures
  • Maintenance
  • Protective technology

Detect
  • Anomalies & events
  • Security continuous monitoring
  • Detection processes

Respond
  • Response planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover
  • Recovery planning
  • Improvements
  • Communications

SLIDE 29

A Word of Caution about Email/Password Accounts

  • The practice of reusing passwords is common but risky!
  • The website https://haveibeenpwned.com/ provides insight into both data breaches and password capture
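Beyond the web form, haveibeenpwned.com exposes a Pwned Passwords API that lets a login or password-change flow check a candidate password against the breach corpus without revealing it. The block below is an added example, not code from this presentation or from Have I Been Pwned: it sends only the first five hex characters of the password's SHA-1 (the API's k-anonymity range model), receives every known hash suffix for that prefix, and does the comparison locally. The endpoint URL is the real one; the sample response body, its counts and the helper names (`offline_fetch`, `breach_count`, `is_acceptable`) are constructed for the example.

```python
# Added example (not from the presentation): check a password against the
# Have I Been Pwned "Pwned Passwords" corpus using the API's k-anonymity
# range model, so the password itself never leaves the machine. Only the
# first 5 hex characters of its SHA-1 are sent; the server returns every
# known suffix for that prefix and the comparison happens locally.
import hashlib
import urllib.request
from typing import Callable, Dict, Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint
PREFIX_LEN = 5
SHA1_HEX_LEN = 40


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of `password` into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        # Ignore malformed lines instead of mis-parsing them.
        if sep != ":" or len(suffix) != SHA1_HEX_LEN - PREFIX_LEN or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup: GET the range for a 5-hex-char prefix (needs network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example"},  # HIBP requires a UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of
# "password"); the neighbouring suffixes and all counts are made up for
# this example and are not real HIBP data.
SAMPLE_RANGE_BODY = """\
0123456789ABCDEF0123456789ABCDEF012:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FEDCBA9876543210FEDCBA9876543210FED:7
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range: only prefix 5BAA6 exists in the sample."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


def breach_count(password: str,
                 fetch: Optional[Callable[[str], str]] = None) -> int:
    """How many times `password` was seen in breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = (fetch or fetch_range)(prefix)
    return parse_range_response(body).get(suffix, 0)


def is_acceptable(password: str,
                  fetch: Optional[Callable[[str], str]] = None) -> bool:
    """Policy hook: reject any password that appears in the breach corpus."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: seen {n} times -> {'reject' if n else 'ok'}")
```

Run it as shown and it uses the constructed offline sample; drop the `fetch=offline_fetch` argument to query the live service. The design point is that neither the password nor its full hash is ever transmitted, so the check can sit in a password-set or password-change handler without creating a new place for credentials to leak, and a hit should be treated as a hard reject rather than a warning.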

SLIDE 30

APPLYING THE NIST CSF

https://www.nist.gov/cyberframework/small-and-medium-business-resources

SLIDE 31

IN CLOSING...

Common sense and the right actions can significantly reduce your risk of attack!

SLIDE 32

Coming Soon…

SLIDE 33

QUESTIONS??