2017 COMPASS LLC www.COMPASScyber.com
2017 MD SHRM State Conference
Presented by Robert “Bob” Olsen, Chief Executive Officer
MS ITS, MBA, CISSP, CISM
October 16, 2017
Cyber Security – Risk Management and Identity Theft
This presentation may not be reproduced or distributed without prior written approval of COMPASS Cyber Security.
Agenda
• Cyber Security Threats Overview
• Practical Tips and Considerations
• Responding to Identity Theft
2
Common Misconceptions
• We would never be targeted by a hacker,
• My IT team is responsible for cyber security,
• We do not need to train our employees on security awareness,
• All our data is in the cloud so we are no longer responsible for protecting it.
• “We have cyber liability insurance so we are good”.
3
2017 Verizon Data Breach Report
4
2017 Verizon Data Breach Report
5
Threat Actors – External
• Script Kiddies,
  • Ego, victim embarrassment,
• 3rd Party Application Vendor,
  • Financial gain, negligence,
• Hacktivists,
  • Cause driven – religious, political, environmental.
6
Threat Actors – External
• Criminal Hacker,
  • Financial gain,
  • Extortion,
  • High value client targets,
• Nation State,
  • Blackmail,
  • Espionage,
  • Financial gain.
7
Threat Actors – Internal
• Negligent Insider,
  • Lost mobile device,
  • Accesses sensitive data from personal device,
• 3rd Party Vendor,
  • HVAC, security, janitorial, etc.,
• Malicious Insider,
  • Disgruntled employee(s),
  • Bribed or blackmailed employee.
8
Threats and Business Impacts
• Phishing – loss of data, brand damage,
• BEC (business email compromise) – transfer of $, brand damage,
• Ransomware – loss of data and extortion, brand damage,
• DDoS – loss of client access to portal, brand damage,
• Stolen user credentials – unauthorized 3rd party access, brand damage.
9
Threats and Risks Analysis
10
Phishing Example
11
Nearly identical email address (JohnHill vs. JohnHilll)
Place she had visited, from Facebook
Name of a local bank
Home address, including phone number
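The lookalike sender address in this phishing example (JohnHill vs. JohnHilll) is the one indicator on the slide that a mail gateway or a mailbox rule can catch mechanically. The Python below is an added example written for this transcript, not material from the COMPASS presentation: it compares an incoming sender address against the recipient's trusted address book and flags near-matches by edit distance, either in the local part (the slide's case) or in the domain. The address book entries and the example.com/example.org domains are constructed sample values.

```python
"""Flag sender addresses that nearly match a trusted contact but are not identical.

Added example, not part of the COMPASS slides: the deck's phishing example shows a
sender "JohnHilll" impersonating "JohnHill". A one-character difference is easy to
miss by eye but trivial to catch with an edit-distance check against the address
book the recipient already trusts. All addresses here are constructed sample data.
"""
from __future__ import annotations


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,                 # delete ca
                cur[j - 1] + 1,              # insert cb
                prev[j - 1] + (ca != cb),    # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def split_address(addr: str) -> tuple[str, str]:
    """Return (local_part, domain), lower-cased; raise ValueError if malformed."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain


def lookalike_matches(sender: str, known_contacts: list[str],
                      max_distance: int = 1) -> list[tuple[str, str]]:
    """Return (contact, reason) pairs for contacts the sender resembles but does not equal.

    Two checks run against each trusted contact:
      * same domain, local part within max_distance edits (JohnHill vs JohnHilll);
      * same local part, domain within max_distance edits (lookalike domain).
    An exact match with any contact returns [] because the sender is the contact.
    """
    s_local, s_domain = split_address(sender)
    hits: list[tuple[str, str]] = []
    for contact in known_contacts:
        c_local, c_domain = split_address(contact)
        if (s_local, s_domain) == (c_local, c_domain):
            return []
        if s_domain == c_domain:
            d = edit_distance(s_local, c_local)
            if 0 < d <= max_distance:
                hits.append((contact, f"local part differs by {d} edit(s)"))
        elif s_local == c_local:
            d = edit_distance(s_domain, c_domain)
            if 0 < d <= max_distance:
                hits.append((contact, f"domain differs by {d} edit(s)"))
    return hits


if __name__ == "__main__":
    # Constructed address book and constructed senders, including the slide's case.
    address_book = ["johnhill@example.com", "jane.doe@example.org"]
    for sender in ["JohnHilll@example.com", "johnhill@example.com",
                   "johnhill@exarnple.com"]:
        result = lookalike_matches(sender, address_book, max_distance=2)
        print(sender, "->", result or "no lookalike")
```

The threshold matters: a distance of 1 catches the doubled letter on the slide with few false positives, while a distance of 2 also catches "rn" standing in for "m" in a domain but will start flagging legitimately similar names, so tune it against your own address book before acting on the result automatically.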
Threat/Controls Mapping Example
12
PEOPLE: Culture of Security; Awareness Training; Mock Phishing; Role Based Access
POLICY: Least Access Privileges; Incident Response Plan; BCP/DRP; Cyber Insurance; Data Governance
TECHNOLOGY: Email Filters; Firewall; Network Segmentation; Patch Management; SIEM; IDS/IPS
Practical Tips – Policy
• Inventory and classify your data,
• Catalog and classify your data,
• Focus protection measures on most sensitive data,
• Perform annual policy reviews,
  • Organization changes,
  • Emerging/new technology,
  • Newly outsourced/insourced functions,
• Policies should include all departments.
13
Practical Tips – People
• People are the weakest link!
• Senior leadership support is critical,
  • Lead by example,
• Regularly raise employee security awareness,
  • “Drip” method,
  • Seminars, webinars, podcasts, security tips, etc.,
• Create a culture of security and make it personal for everyone.
14
Creating a Culture of Security
• Make it personal,
  • “If this then that” examples,
• Tailor training to specific functions:
  • Option 1 – Individual departments (HR, finance, legal) and general population,
  • Option 2 – Group high risk users (HR, finance, legal) and general population,
• Incorporate reminders into everyday activities.
15
House Analogy – Technology
16
Your Residence – Your Organization
Locks on doors – Passwords, 2 factor authentication
Monitored alarm system – Firewall, antivirus, security monitoring
Signage – Group policies
Safe for valuables – Network segmentation, encryption
Dog – Firewall, intrusion detection system, network alarms
Video cameras – Security incident & event monitoring (SIEM)
Security guard(s) – Security consultants
Police activity reports – Threat intelligence
House Analogy – People & Policy
17
Your Residence – Your Organization
Individual keys – Password management; privileged access; access control policy
Alarm system code(s) – Role based access; password management
Stranger danger awareness – Security awareness training
Check who is at door before opening – Role based access (guest/faculty); awareness training
Annual fire drill exercises – Phishing exercises, incident response plan
Practical Tips – Technology
• Technology should support and enforce your policies,
• Layered defense is the most effective,
• Ensure that you are regularly updating your network devices (laptops, firewalls, servers, etc.),
  • Operating systems and applications,
• Understand the risks of your cloud provider(s).
18
Identity Theft
• PII and/or PHI used to create a false identity,
  • Employees,
  • Family members,
  • Clients,
• Usage examples include credit cards, false tax returns, store loyalty programs, internal impersonation,
• Combination of technical and social engineering tactics being used.
19
Identity Theft Fraud Statistics
20
Identity Theft Fraud Statistics
21
Identity Theft Top 10 States – 2015
22
1. Missouri
2. Connecticut
3. Florida
4. Maryland
5. Illinois
6. Michigan
7. Georgia
8. Texas
9. New Hampshire
10. California
Ranked based upon complaints per 100,000 residents. Source – Insurance Information Institute
https://www.identitytheft.gov
Identity Theft Response Steps
23
Summary
• Hackers are targeting all organizations that possess high value data,
• Human resources professionals play a key role in cyber security,
• A risk management approach is the most effective and practical one,
• You must be proactive,
• Cyber security is a team sport.
26
Contact Information
Robert (Bob) Olsen
Chief Executive Officer
410-340-3560
LinkedIn: @rolsen3
Twitter: @rlolsen3 and @compasscyber
27
Follow Us
WASHINGTON, DC
701 8th Street NW
Suite 400
Washington, DC 20001
BALTIMORE
250 S President Street
Suite 2300
Baltimore, MD 21202
https://www.facebook.com/compasscyber
https://www.linkedin.com/compasscyber
https://twitter.com/COMPASScyber
https://plus.google.com/+COMPASSCyberSecurityBaltimore
https://soundcloud.com/compasscyberguide
https://itunes.apple.com/us/podcast/the-cyberguide/