Strategies for Preventing a Breach and Assessing Your

Strategies for Preventing a Breach and Assessing Your

Strategies for Preventing a Breach and Assessing Your Cybersecurity Risk Management Program Colorado Society of Certified Public Accountants February 8, 2018 Troy Fine - Manager, Risk Advisory Services Dan Desko - Senior Manager, Risk Advisory Services Who is Schneider Downs? One of the top 60 largest accounting and business advisory firms in the United States Established in 1956; headquartered in Pittsburgh, PA Largest regional independently owned, registered public accounting and business advisory firm in Western Pennsylvania, with an office in Columbus, Ohio

Approximately 450 personnel in total, including 42 shareholders Registered with the PCAOB Risk Advisory Services Cybersecurity SOX Section 404 compliance Internal control outsourcing/co-sourcing SOC Reports 2 Troy Fine

Manager, Risk Advisory Services CPA/CITP, CISA Joined Schneider Downs in 2011 Areas of expertise:

SOC 1 and 2 assurance services SOC 2+ assurance services (HITRUST) SOC for Cybersecurity assurance services SOX Section 404 compliance Internal control assessments HIPAA assessments Industry experience: Cloud Computing/Software-as-a-Service, Higher Ed, Banking, Financial Services, Healthcare, Manufacturing, Non-profit AICPA CITP Credential Committee Member 3 Dan Desko Senior Manager of IT Risk Advisory Services at Schneider

Downs CISA (Certified Information Systems Auditor) CISSP (Certified Information Systems Security Professional) CTPRP (Certified Third Party Risk Professional) 14 years of experience; began career working in IT Current Outgoing ISACA Pittsburgh Chapter President Experience in delivering IT Audit, IT Security Services, Penetration Testing and Vendor Risk Management Services to a variety of industries Responsible for product delivery, client satisfaction and quality control 4 Agenda Current State of Cybersecurity

Must-Ask Questions to Prevent Your Organization from Being Breached Methods for Assessing Your Organizations Cybersecurity Risk Management Program Q&A 5 State of Cybersecurity The following slides are highlights of the 2017 Verizon Data Breach Incident Report (DBIR) 6

State of Cybersecurity The important thing to note on this slide is that the majority of breaches occur in one of two ways: 1. Human error 2. Outside hackers Bonus: Combination of the two! The other important takeaway is that the attackers are organized criminal groups; theyre run like businesses

7 State of Cybersecurity Contrary to common belief, not all hacks involve a virus/ malware. 51% of these breaches involved malware: what were the other 49%? Stolen User Credentials

User Error Physical Access Incorrect Privileges 8 State of Cybersecurity A large mass of breaches occur through some sort of email attack such as Phishing. Firewall technology has come a long way, humans are now the weakest link in your security. Traditional AV alone isnt great at spotting malware.

A very large majority of the breaches were financially motivated. A good number of breaches were not discovered by the breached entity, but rather by a third party; Nightmare PR scenario. 9 State of Cybersecurity 10 State of Cybersecurity

Phishing deservedly warrants some additional attention It was found in over 90% of all incidents and breaches. Once phished, a number of things can occur: Installation of software (e.g., ransomware, command and control systems, etc.) Influencing disclosure of sensitive data (e.g., business email compromise) Using the compromised computer or accounts as a foothold and pivot to other more interesting systems Using a compromised email account to then phish internally 11 State of Cybersecurity

According to report from Osterman Research conducted in June among more than 1,000 small and medium businesses -about 22% of businesses with less than 1,000 employees that experienced a ransomware attack in the last year had to stop business operations immediately. About 15% lost revenue.

12 Agenda Current State of Cybersecurity Must-Ask Questions to Prevent Your Organization from Being Breached Methods for Assessing Your Organizations Cybersecurity Risk Management Program Q&A 13 Question One How well do you know your IT environment? Accurate inventory of

devices Accurate inventory of software Accurate inventory of Internet- facing systems 14 Question Two What data do the hackers want and where does it live? Look at not only structured data, but unstructured as well (e.g., spreadsheets, user reports, downloads from ERP or CRM systems) What data lives in your employees email accounts?

15 Question Three If you have identified critical systems and data, how do you further protect access to it? Do you require complex passwords? Do you require two-factor authentication to critical systems and the network? Email VPN ERP CRM 16 Question Four

Are your employees susceptible to being phished? Statistics show the answer is likely yes. Have you tested/trained them? What technical controls have you put in place to stop it? e.g., Advanced Email Protection 17 Question Five

If phishing succeeds, do you have additional protection methods? Advanced endpoint protection complements traditional anti-virus Encryption of data Whitelisting of allowed applications 18 Question Six Does your IT staff

concentrate more on security or operations? Management often believes that their IT staff focuses on security more than they actively do in reality. Reality is that security and IT operations often conflict with each other Having an independent security group or security consulting partner helps bridge the gap 19 Question Seven

Do you know where you are vulnerable? A large amount of breaches take advantage of unpatched operating systems and application software. e.g., Equifax breach leveraged vulnerability in Apache Struts software toolkit. How often does your IT team patch systems and software? Have you run vulnerability scans to test the effectiveness of the patching process? 20

Question Eight Have you simulated an external attack to determine how secure/vulnerable you really are? Penetration tests or ethical hacking exercises are valuable because they help identify issues before the bad guys do. 21 Question Nine

How prepared are you for a breach? Its not a matter of IF, but, WHEN Having a solid incident response plan that is tested may not prevent a breach, but will surely limit the impact Practice common scenarios (e.g., phishing, ransomware, business email compromise, etc.) 22

Question Ten Have you adopted and assessed yourself against a standard security framework? Allows for continuous improvement Set a road map for long-term information security success 23 Extra Credit!

Do you know what vendors have access to, or store, your data? You can outsource certain business operations, but you cant outsource the risk. Ask business service providers for a SOC report or similar attestation report regarding their security controls to gain transparency. 24

Agenda Current State of Cybersecurity Must-Ask Questions to Prevent Your Organization from Being Breached Methods for Assessing Your Organizations Cybersecurity Risk Management Program Q&A 25 Assessing Cybersecurity Risk SOC for Cybersecurity Examination Assurance engagement performed by an independent CPA firm Examined against suitable control criteria i.e., SOC 2 Trust Services Criteria

Results in a Cybersecurity Risk Management Examination Report that consists of: Management's description of the entity's cybersecurity risk management program Managements assertion CPAs opinion on the effectiveness of the entitys cybersecurity risk management program Report covers a specific time period 26 Assessing Cybersecurity Risk Cybersecurity Maturity Assessment Evaluate your cybersecurity risk management

program against industry best practices NIST Cybersecurity Framework ISO 27001 HITRUST PCI-DSS Results in a Cybersecurity Maturity Assessment Report that consists of: Completed cybersecurity risk assessment report Prioritized list of control gaps with recommended plans of action

27 Assessing Cybersecurity Risk External Footprint Analysis Use commonly available open source tools, scanners and databases to obtain a blueprint of the network and its Internet profile Black box approach Gather data about hosts Results in a report that consists of: List of identified hosts, including operating systems, applications, domain names, IP ranges May discover hosts or applications that management was not aware existed

28 Assessing Cybersecurity Risk Vulnerability Assessment Provides a comprehensive view of potential security flaws in an environment Check for misconfigurations, unpatched services, open ports and other architectural mistakes Results in a report that consists of: Summary of identified vulnerabilities Vulnerabilities ranked by criticality Remediation plans 29

Assessing Cybersecurity Risk Penetration Test Builds on the external footprint analysis and vulnerability assessment Simulate actions of an internal/external attacker and attempt to exploit vulnerabilities and misconfigurations Attempt to use multiple attack vectors Expose unpatched systems Phishing for compromise Physical access USB flash drive drop

Results in a report that consists of: Summary of vulnerabilities Results of exploitation attempts Criticality rankings Remediation strategies 30 Assessing Cybersecurity Risk Phishing Assessments

Simulate realistic phishing campaigns Results in a report that consists of: Summary of customized phishing campaign Results about users actions, including: Percentage of employees who opened the email Percentage of employees who clicked on the link/ attachment Percentage of employees who provided account details 31 CITP Credential A CITP is a CPA: Credentialed by the AICPA Recognized for the unique ability to provide business

insight by leveraging knowledge of information relationships and supporting technologies Specializing and demonstrating specific skills, expertise and experience in the following areas: IT Assurance IT Risk Data Analytics Security & Privacy Business Solutions

Emerging IT Trends 32 Questions? Contact Information Troy Fine [email protected] - 412-6975238 Dan Desko [email protected] - 412697-5285 Visit our blog for more information on cybersecurity: https://www.schneiderdowns.com/our-thoughts-on 33

Recently Viewed Presentations

  • Discipleship Across the Lifespan

    Discipleship Across the Lifespan

    8 Tie them as symbols on your hands and bind them on your foreheads. 9 Write them on the doorframes of your houses and on your gates. Deuteronomy 6:4-6 The Book of Deuteronomy Chapters 1-4: Recollection of the journey from...
  • PowerPoint プレゼンテーション

    PowerPoint プレゼンテーション

    Introduction. The use of wearables and body sensor devices is rapidly growing in the Internet of Things (IoT). Wireless Body Area Networks (BAN) offer a means of connectivity, facilitating the sharing of data, interaction and interoperability within smart environments, such...
  • Comparing several means: ANOVA (GLM 1)

    Comparing several means: ANOVA (GLM 1)

    What Does ANOVA Tell Us? Null hypothesis: Like a . t-test, ANOVA tests the null hypothesis that the means are the same. Experimental hypothesis: The means differ. ANOVA is an omnibus test. It test for an overall difference between groups....
  • 12-inch Mortars for close range work. There were

    12-inch Mortars for close range work. There were

    Looking down the barrel of a 16-inch rifle. Wow!! Some of you may remember that there were two 16" projectiles (bullet) in front of the "Surfside Theater" (later a museum) by Amador Officers Club Beach. These projectiles were huge and...
  • Diapositivo 1 - download.microsoft.com

    Diapositivo 1 - download.microsoft.com

    A Terra - estudos e representações/ População e Povoamento. Historial do projecto. Escola EB Cidade de Castelo Branco. ... O VCT é colocado previamente, pela professora, na plataforma Moodle e os alunos, a partir da página Web da escola, acedem...
  • Literárna moderna

    Literárna moderna

    Odkrýva slabé miesta v morálke, ideáloch a v zmysle života; hlavná postava románu Dr. Landík sa usiluje vniesť ideu demokratizmu dôsledne do života, a to je prameňom jeho utrpenia a konfliktných situácií. odmieta karierizmus a nachádza uspokojenie v skromnom živote...
  • What really matters for adolescents in mathematics lessons?

    What really matters for adolescents in mathematics lessons?

    Antonio Gramsci... forming (the child) as a person capable of thinking, studying and ruling - or controlling those who rule. Went into teaching with these ideas from books I HAD read - to change society, to change the life chances...
  • Developing a culture of routine outcomes measurement ...

    Developing a culture of routine outcomes measurement ...

    NHS Friends and Family test (F&F) ... LSF, King's Fund, Pilotlight. Challenges and Opportunities - Wider system. Future in Mind / Five Year Forward View: Young people's services up to 25 yrs - implications for transition and consistency of care.