CYBERSECURITY
INVESTIGATIONS
Planning & Best Practices
Michal Ploskonka, CPA
Senior Managing Consultant [email protected]
Lanny Morrow, EnCE
Managing Consultant [email protected]
Cy Sturdivant, CISA
Managing Consultant [email protected]
May 4, 2016
TO RECEIVE CPE CREDIT
• Participate in entire webinar
• Answer polls when they are provided
• If you are viewing this webinar in a group
  – Complete group attendance form with
    • Title & date of live webinar
    • Your company name
    • Your printed name, signature & email address
  – All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar
• Historical perspective on cyber threats
• 2016 cyber threat landscape
• Types of data & industries at risk
• Current regulatory environment
• Best practices in cybersecurity preparedness & monitoring
• Incident response strategies
HISTORICAL PERSPECTIVE
Actors
– Thrill seekers
– Pioneers
– Teenagers
– Organized crime rings
– State sponsored
CHARACTERISTICS OF CYBERCRIMINALS
• Skilled
• Persistent
• Sophisticated
• Tactical
• Well funded
• Difficult to detect
• Evolving
  – Technical attacks not needed
  – Can use deceivingly simple methods (K.I.S.S.)
  – Use of social engineering
    • e.g., Business Email Compromise
EVOLUTION OF CYBER THREATS
Approach: viruses, Trojans, email account hijacking, social engineering
End result: disruption, identity theft, loss of public trust, loss of proprietary information, monetary gain/loss
2016 CYBER THREAT LANDSCAPE
• The United States is extremely well connected
  – 87% of the population use the internet
  – The country ranks 2nd globally for online business-to-consumer transactions
• Cyberattack is ranked as the #1 risk for doing business in the U.S., followed by data fraud or theft
• Constantly evolving technology
• Rapid increase in the number of connected devices
• Rapid increase in the volume of stored data
  – Especially unstructured data
CYBER THREAT LANDSCAPE
“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”
– Robert Mueller, FBI Director, on Cyber Threat Landscape
1. Tax-Refund Fraud
2. Corporate Account Takeover
3. Identity Theft
4. Theft of Sensitive Data
5. Theft of Intellectual Property
Source: American Institute of CPAs – October 2013 study
• Notable data breaches
  – 2013 – Target ($252 M in initial costs)
  – 2014 – Home Depot ($43 M by end of 2014)
  – 2015 – U.S. Office of Personnel Management, Anthem, IRS, Experian (T-Mobile customers), Ashley Madison
  – 2016 – Hyatt Hotels, Trump Hotel Collection, FDIC, Mossack Fonseca (Panama Papers)
• Business email compromise
  – Wire/ACH losses
  – W-2 information
• Ransomware
RECENT DEVELOPMENTS
BUSINESS EMAIL COMPROMISE
• Banks are not the focus of the simpler schemes
• From October 2013 to December 2014, nonbank businesses lost $215 M through compromised email attacks
• From January 2015 to August 2015, business losses due to business email compromise increased to $800 M (of which $747 M in the U.S.)
• Combined worldwide losses due to BEC exceed $2.3 B as of April 2016
TYPES OF DATA & INDUSTRIES AT RISK
DATA AT RISK
• Credit/debit card information via POS systems
• Potential Protected Health Information (PHI)
• Employee data (PII)
  – Social Security numbers
• Connectivity to health provider networks via pharmacies
• User names & passwords
• Intellectual property
  – Blueprints, business plans, trade secrets, etc.
INDUSTRIES AT RISK
• Targets
  – Businesses
    • Financial institutions/banks
    • Insurance companies
    • Retailers
    • Health care providers
    • Manufacturers
    • Critical industries
    • Governments
    • Law firms
  – Individuals
    • Everyone
    • Key executives & decision makers
    • Accounting & finance
    • Privileged users
REGULATORY ENVIRONMENT
• Computer Fraud and Abuse Act (18 U.S.C. §1030) of 1986
• Many cyber crimes prosecuted under traditional statutes
• States provide penalties for crimes perpetrated by use of computers or perpetrated against computers
• State security breach notification laws
• Regulatory requirements may vary by industry
  – FTC – Section 5(a) provides consumer protection
  – Health Insurance Portability and Accountability Act (HIPAA)
  – Federal Financial Institutions Examination Council (FFIEC)
  – SEC – Division of Investment Management Guidance No. 2015-02
BEST PRACTICES IN CYBERSECURITY PREPAREDNESS & MONITORING
CYBERSECURITY PREPAREDNESS – UTILIZING THE NIST FRAMEWORK
• NIST Framework
  – Helps identify & prioritize actions for reducing cybersecurity risk
  – Tool for aligning policy, business & technological approaches to managing that risk
  – Enables organizations to apply principles & best practices of risk management to improve cybersecurity & secure critical
NIST FRAMEWORK CORE FUNCTIONS
• NIST Core Functions
  – Standard cybersecurity controls
  – Five functions
  – 22 categories or subdivisions
  – 98 subcategories
  – Form an “operational culture” that addresses cybersecurity risks
NIST FRAMEWORK OVERVIEW
IDENTIFY
Identify Functions are foundational. These controls help an organization understand how to manage cybersecurity risk to systems, assets, data & capabilities. Relating these to a business context is critical for prioritizing efforts.
Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
PROTECT
Protect Functions are the safeguards that ensure delivery of critical infrastructure services. In terms of ensuring resilience, these safeguards help to limit or contain the impact of a cybersecurity event.
Categories: Access Control; Awareness & Training; Data Security; Information Protection Processes & Procedures; Maintenance
DETECT
Detect Functions identify the occurrence of a cybersecurity event.
Categories: Anomalies & Events; Security Continuous Monitoring; Detection Processes
RESPOND
Respond Functions allow an organization to take action on a detected cybersecurity event. The goal of Respond Functions is to contain the impact of a cybersecurity event & remediate vulnerabilities.
Categories: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER
Recover Functions are for resilience planning, particularly the restoration of capabilities or services impaired by a cybersecurity event.
Categories: Recovery Planning; Improvements; Communications
CYBERSECURITY PREPAREDNESS EFFORTS
• Discuss cybersecurity issues with the Board & Senior Management on a regular basis, at least quarterly
• Evaluate evolving cyber threats & vulnerabilities in the risk assessment process for the technologies you use & the products & services you offer
• Ensure accountability is assigned to those who make business decisions that may introduce new cyber risks
• Ensure ongoing employee awareness training is kept up to date & provided on a routine basis
DEVELOP A CYBERSECURITY PROGRAM
A cybersecurity program should integrate all aspects of an institution's existing programs. Be sure to utilize what you already have:
• Overall Information Security Program
• Business Continuity & Disaster Recovery, including capacity & performance planning
• Incident Response & Crisis Management Plans
• Third-Party Risk Management
CYBERSECURITY BEST PRACTICES
Board & Senior Management Responsibilities, Duties & Best Practices
• Ensure adequate strategic plans & budgetary resources are provided
• Ensure the information security officer has adequate authority, resources & independence
• Ensure threat intelligence & collaboration is timely, ongoing, risk focused, reported & actionable
• Develop attainable, measurable & repeatable processes to mitigate risks
• Incorporate cybersecurity into the risk-based audit plan
• Maintain accurate asset inventories & be aware of ports of entry (you can’t protect what you don’t know exists)
• Ensure enterprisewide awareness training is performed (educate & motivate)
• Ensure BIA, BCP/DR, information security & incident response policies & procedures address cybersecurity
CYBERSECURITY BEST PRACTICES
• Use e-mail filters, Internet Protocol (IP) filtering & data file integrity checks
• Use encryption to protect confidential data
• Implement data loss prevention controls (USB ports, email, etc.)
• Do not use default or weak passwords (12 alphanumeric & complex)
• Track, report, independently test & update security patches based on a risk priority schedule (Microsoft & non-Microsoft patches)
• Rename network admin accounts, separate production & admin login privileges & do not share network admin login credentials
• Control executable file authorities (least privileged access)
• Conduct internal & external vulnerability scans to ensure systems are hardened
• Update anomaly detection tools regularly & understand configurations
• Use log analyzers (Security Information & Event Management – SIEM tools) to wade through the false positives & assign responsibility for log review
BREACH RESPONSE STRATEGIES
• Identify “Crown Jewels”
• Plan before something bad happens
• Set a response protocol
• Establish an internal response team
• Identify your external resources in advance
  – Legal counsel (notification requirements)
  – IT security experts
  – Digital forensics
  – Public Relations
CANDIDATES FOR “DREAM TEAM”
• IT & risk management
• Operations management
• Internal counsel
• External counsel
• Outside consultants
  – Incident response
  – Digital forensics
  – Forensic investigations
• Law enforcement
• Insurance company
• Data center
RESPONSE PROTOCOL
1. Assemble team & designate leader
2. Classify/declare the incident
3. Determine notification requirements
4. Investigate & document
5. Contain damage
6. Recover & build on experience
• “Locking down” systems is first priority
• Second priority is to forensically preserve affected systems
INVESTIGATION PHASE
• Phishing schemes for ransomware, wire transfers or information harvesting
  – Very low likelihood of tracing to offender
• “Inside job” or collusion
  – More likely to be traced
• Forensic preservation involves creating full image copies of affected systems
• Insurance companies often require some level of investigation & expert opinion
• Forensic documentation is key
  – Interviews by experienced professionals to ascertain chain of events & identify potential inside issues
• Investigate & document
  – Collect, analyze, protect & preserve evidence
  – Chain of custody rules
  – Inventory compromised systems & information
  – Document date, time, system, detailed event description, contact information, identification of the asset, etc.
  – Identify & document threat actor tactics, techniques & procedures
  – Report all findings to the incident response team
    • This information may be valuable to law enforcement
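The investigation steps above (full image copies, chain of custody, an inventory of compromised systems with date, time, system, asset and handler recorded) can be made concrete with a small evidence-tracking routine. This is an added example, not material from the webinar or from BKD: it hashes a constructed byte string that stands in for a disk image, records every custody event with a UTC timestamp, and re-verifies the hash whenever the item changes hands, so a later verification failure is written into the log rather than silently ignored. The data classes, field names, the handler labels and the constructed image are all assumptions.

```python
"""Evidence inventory and chain-of-custody log for a breach investigation.

Added example; not from the webinar deck. The image below is a constructed
byte string standing in for a forensic disk image so the script runs offline.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List

# Constructed stand-in for a full image copy of an affected system.
CONSTRUCTED_IMAGE = b"constructed sample disk image contents \x00\x01\x02" * 1000


def now() -> str:
    """UTC timestamp so entries from different time zones sort correctly."""
    return datetime.now(timezone.utc).isoformat()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    timestamp: str
    action: str   # acquired / transferred / verified / verify-failed
    handler: str
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    system: str          # which compromised system the item came from
    description: str
    acquired_by: str
    acquired_at: str
    sha256: str          # hash taken at acquisition; never changes afterwards
    custody: List[CustodyEvent] = field(default_factory=list)

    def verify(self, data: bytes, handler: str) -> bool:
        """Re-hash the data and record the outcome, pass or fail."""
        ok = sha256_hex(data) == self.sha256
        self.custody.append(
            CustodyEvent(now(), "verified" if ok else "verify-failed", handler))
        return ok


def acquire(item_id: str, system: str, description: str,
            data: bytes, handler: str) -> EvidenceItem:
    """Create the inventory record at the moment the image is taken."""
    ts = now()
    item = EvidenceItem(item_id, system, description, handler, ts, sha256_hex(data))
    item.custody.append(CustodyEvent(ts, "acquired", handler, "full image created"))
    return item


def transfer(item: EvidenceItem, from_handler: str, to_handler: str,
             data: bytes, note: str = "") -> bool:
    """Hand the item over; the receiver verifies the hash as part of the handoff."""
    item.custody.append(
        CustodyEvent(now(), "transferred", to_handler, f"from {from_handler}; {note}"))
    return item.verify(data, to_handler)


def to_report(items: List[EvidenceItem]) -> str:
    """Serialize the inventory and custody log for the response team or counsel."""
    return json.dumps([asdict(i) for i in items], indent=2)


if __name__ == "__main__":
    ev = acquire("EV-001", "FS01", "file server disk image", CONSTRUCTED_IMAGE, "examiner-1")
    transfer(ev, "examiner-1", "examiner-2", CONSTRUCTED_IMAGE, "sealed bag #7")
    print(to_report([ev]))
```

The hash recorded at acquisition is the reference for every later check; a failed verification is logged as its own custody event so the break in integrity is visible to the response team and to law enforcement if the findings are handed over.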
NEVER TOO PREPARED …
• Need backups for each team member
• Perpetually updated contact information
• Review vendors (contracts, policies, contacts, bonding, security)
• “Fire drill” – unexpected test incident to test systems. Superior to other forms of testing
• Unique tests – “dumpster diving” the trash, after-hours workstation checks, periodic “fake” phishing emails, installed software, internet history, USBs, etc.
SPECIAL TOPICS IN CYBERSECURITY
• Best Practices
  – Entry point – often phishing
  – Education is key to preventing the “fatal click”
  – In lieu of payment, restore from backups
  – Backup policy should include a special class of “essential operating items.” These should be backed up daily
  – Restoring from a smaller set of essential files saves lots of time & money & reduces down time
  – Notify local law enforcement; this is a particular focus right now
  – Paying the ransom will only encourage future attempts
THEFT OF TRADE SECRETS
• Not necessarily a cybersecurity attack, but same consequences
  – Employee(s) compromise sensitive, proprietary or intellectual property-type information
  – Motivation is often to open a competing business, join with a competitor, damage reputation or sell information to others
  – Common methods include (1) removable device, (2) email or (3) upload to cloud storage
  – Monitoring systems should accommodate internet & email activity involving file uploads or transfers
  – Periodic email review or flagging particular keywords recommended
  – “Whitelisting” USB devices recommended
  – More common than DoS attacks & other types of threats, but far less understood or planned for
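As an added example, not part of the webinar, the monitoring recommended above (internet & email activity involving file uploads or transfers, keyword flagging, USB whitelisting) can be expressed as a small review script over log data. The log format, the cloud storage host list, the keyword list, the USB whitelist, the internal mail domain and the upload-size threshold are all assumptions chosen for illustration, and the log lines are constructed; real proxy, mail and endpoint tools have their own formats, so only the parser would change. Findings are grouped per user so the periodic reviewer the deck recommends sees who needs follow-up.

```python
"""Flag indicators of the three common trade-secret theft methods in log data:
removable device, email, and upload to cloud storage.

Added example; not from the webinar. All formats, lists and thresholds are
assumptions, and the sample log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample feed: record type, timestamp, then key=value fields.
SAMPLE_LOGS = """\
proxy 2016-05-04T09:12:01 user=jdoe method=POST host=www.dropbox.com bytes_out=52428800 path=/upload
proxy 2016-05-04T09:15:44 user=jdoe method=GET host=www.example.com bytes_out=512 path=/
proxy 2016-05-04T10:02:10 user=asmith method=POST host=drive.google.com bytes_out=734003200 path=/upload
mail 2016-05-04T11:30:00 user=jdoe to=personal@mail.example attachments=2 subject="blueprints rev7"
mail 2016-05-04T11:45:00 user=bjones to=colleague@corp.example attachments=0 subject="lunch"
usb 2016-05-04T12:00:00 user=asmith serial=ABC123 action=mount
usb 2016-05-04T12:05:00 user=jdoe serial=ZZZ999 action=mount
"""

# Assumed policy inputs; a real deployment would load these from configuration.
CLOUD_STORAGE_HOSTS = {"www.dropbox.com", "drive.google.com", "onedrive.live.com"}
KEYWORDS = ("blueprint", "trade secret", "business plan", "customer list")
USB_WHITELIST = {"ABC123"}            # approved device serials
INTERNAL_DOMAINS = ("corp.example",)  # mail to these domains is not external
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split 'type timestamp k=v k="quoted v" ...' into a dict."""
    kind, ts, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields.update(type=kind, ts=ts)
    return fields


def check(ev: dict) -> list:
    """Return (severity, reason) findings for one event; empty list if clean."""
    findings = []
    if ev["type"] == "proxy" and ev.get("method") == "POST":
        out = int(ev.get("bytes_out", 0))
        if ev.get("host") in CLOUD_STORAGE_HOSTS and out >= UPLOAD_BYTES_THRESHOLD:
            findings.append(("high", f"large upload to cloud storage {ev['host']} ({out} bytes)"))
    elif ev["type"] == "mail":
        external = not ev.get("to", "").endswith(INTERNAL_DOMAINS)
        subject = ev.get("subject", "").lower()
        hits = [k for k in KEYWORDS if k in subject]
        if external and int(ev.get("attachments", 0)) > 0:
            findings.append(("medium", "attachment sent to external address"))
        if hits:
            findings.append(("medium", "keyword(s) in subject: " + ", ".join(hits)))
    elif ev["type"] == "usb" and ev.get("action") == "mount":
        if ev.get("serial") not in USB_WHITELIST:
            findings.append(("high", f"non-whitelisted USB device {ev.get('serial')}"))
    return findings


def scan(text: str) -> dict:
    """Group findings per user: {user: [(timestamp, severity, reason), ...]}."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        for sev, reason in check(ev):
            per_user[ev["user"]].append((ev["ts"], sev, reason))
    return dict(per_user)


if __name__ == "__main__":
    for user, items in scan(SAMPLE_LOGS).items():
        print(user)
        for ts, sev, reason in items:
            print(f"  {ts} [{sev}] {reason}")
```

The size threshold keeps ordinary web use out of the review queue, and the USB check only fires on devices outside the approved list, which is what a whitelist buys over blanket logging of every mount.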
• Policies relatively new
• Everyone needs one (backstop essential)
• Consider types of losses
  – Business interruption
  – Additional expenses
  – Your financial losses
  – Losses to third parties
• Negotiate coverages
RESOURCES
• National Institute of Standards & Technology’s “Framework for Improving Critical Infrastructure Cybersecurity”
• FTC’s “Start with Security” Guide
• “Best Practices for Victim Response & Reporting of Cyber Incidents” drafted by the Cybersecurity Unit of the U.S. Department of Justice (Computer Crime & Intellectual Property Section)
• Internet Crime Complaint Center
• Secret Service – Electronic Crimes Task Force
CONTINUING PROFESSIONAL EDUCATION (CPE)
CREDITS
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.
The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars.
• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]
FOR MORE INFORMATION
THANK YOU!
Lanny Morrow | 816.221.6380 | [email protected]
Cy Sturdivant | 615.988.3600 | [email protected]
Michal Ploskonka | 630.282.9495 | [email protected]