stopthinkconnect.org
Webinar:
Creating a Culture of Cybersecurity at Work
Agenda
• Welcome/NCSA Landscape
• Start With Security: Federal Trade Commission
• NIST Framework: Better Business Bureaus
• Critical Infrastructure Cyber Community Voluntary Program (C³): U.S. Department of Homeland Security
• Q&A
About National Cyber Security Awareness Month (NCSAM)
• NCSAM, recognized every October, provides a platform for industry, government, nonprofits, schools and the public to raise awareness about using the Internet and connected devices safely and securely. NCSAM is led by NCSA and the U.S. Department of Homeland Security (DHS).
• The overarching theme of NCSAM is Our Shared Responsibility.
• All businesses face cybersecurity challenges. This week will encourage businesses to proactively establish cultures of cybersecurity through employee education, risk management, planning and tools.
Webinar Speakers
• Michael Kaiser, Executive Director, National Cyber Security Alliance
• Jessica Lyon, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
• Bill Fanelli, Chief Security Officer, Council of Better Business Bureaus
• Kelvin Coleman, Branch Chief, Government Engagement, Cybersecurity & Communications, U.S. Department of Homeland Security
Start With Security: Federal Trade Commission
• Don't collect personal information you don't need.
• Hold on to information only as long as you have a legitimate business need.
• Restrict access to sensitive data.
• Limit administrative access.
• Insist on complex and unique passwords.
• Store passwords securely.
• Guard against brute force attacks.
• Keep sensitive information secure throughout its lifecycle.
• Use industry-tested and accepted methods.
• Segment your network.
• Ensure endpoint security.
• Train your engineers in secure coding.
• Follow platform guidelines for security.
• Verify that privacy and security features work.
• Test for common vulnerabilities.
• Put it in writing.
• Verify compliance.
• Update and patch third-party software.
• Securely store sensitive files.
• Protect devices that process personal information.
• Keep safety standards in place when data is en route.
• Dispose of sensitive data securely.
5 STEPS TO BETTER BUSINESS CYBER SECURITY
CYBER $3CUR1TY
A New Cybersecurity Workshop
Collaboration between the Better Business Bureaus and National Cyber Security Alliance
Workshop Outcomes
• Identify the key business assets to protect
• Recognize the value of having protections in place before a cyber incident occurs
• Realize the need to detect cyber security problems, and the tools that help with detection
• Develop a rudimentary plan of what to do immediately when a cyber incident occurs
• Understand the need for an incident recovery plan and how to develop one
• Learn what employees need to know, and the policies they need to follow, to execute the above
Verizon: Top Cyber Security Risks in 2014
• Physical Theft and Loss
• Payment Card Skimmers
• Point-of-Sale Intrusions
• Crimeware
• Web App Attacks
• Denial of Service Attacks
• Cyber-espionage
• Insider and Privilege Misuse
• Miscellaneous Errors
Physical Theft and Loss
• Most thefts occur in the victim's work area (55%)
• Employee-owned vehicles (22%) are common targets for device theft
Higher amount of data on a device means higher amount
Payment Card Skimmers and Point-of-Sale Intrusions
• Skimmers fit inside ATMs and card readers (in stores, at gas pumps) and capture card data: the card number and, with a keypad overlay or camera, the PIN
• Liability shift in October 2015 for EMV chip cards: liability for counterfeit card fraud now falls on the party (merchant or issuer) that has not adopted chip technology, so merchants without chip-capable terminals may be liable
• Multi-step attacks involve POS systems PLUS attacks on other systems, e.g. vendors with access to the merchant's network
• Social engineering is used to trick employees into providing passwords over the phone
Malicious Software (Crimeware) and Web App Attacks
• Malware infections are used to steal or compromise:
  – Bank records (using stolen credentials)
  – Trade secrets
  – System data
• Ransomware encrypts files, or the entire hard disk drive, and withholds the decryption key until a fee is paid
• Web app attack chain: Phish customer → Get credentials → Log in to account → Empty bank account
Insider Misuse and Miscellaneous Errors
• 55% of insider misuse incidents involved privilege abuse
• Individuals given access take advantage of it and cause harm:
  – Intentionally, for financial gain via sale or use of stolen data
  – Unintentionally, for convenience (unapproved workarounds)
• Miscellaneous errors fall into three main categories:
  – Sensitive information reaching the wrong recipient (30%)
  – Publishing nonpublic data to public web servers (17%)
  – Insecure disposal of personal and medical data (12%)
A Structured Approach to
Managing Risks…
The core intent is to present the NIST Cyber Security Framework in a form
that is accessible to small and medium sized businesses.
The NIST Cyber Security Framework
A collaborative effort between the government and private sector to develop a voluntary framework, based on existing standards, guidelines and practices, for reducing cyber risks to critical infrastructure.
NIST 5-Step Approach
• IDENTIFY the assets you need to protect
• PROTECT assets beforehand to limit the impact of an incident
• Be able to DETECT security problems quickly
• Be ready to RESPOND immediately to an incident to keep the business running
• Prepare to RECOVER and get back to normal operations
Leaky Faucet Plumbing Scenario: Ransomware
As Dave comes back from lunch, he sees this on his
computer screen. What now??
5-Step Approach: Ransomware
• IDENTIFY: Data: the warehouse system contains the inventory data required to run the business. Device: Dave's desktop.
• PROTECT: Daily backup on an external drive.
• DETECT: Ransomware message on Dave's screen.
• RESPOND: Owner determines that the system will be down for several days; transactions are tracked on paper; the computer is taken for repair.
• RECOVER: Wipe the drive, reload Windows, reload the warehouse application, load data from the backup, then enter the paper transactions.
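The RECOVER column above assumes the external-drive backup is still good, which is exactly what ransomware that reaches a mounted backup drive destroys. The following is an added example, not code from the workshop: it writes a SHA-256 manifest of the backup at backup time and checks the copy against that manifest before anything is restored, reporting files that are missing, changed (encrypted in place) or unexpected (such as a dropped ransom note). The directory layout, file names and "warehouse" contents are constructed for the demo.

```python
"""Added example: hash manifest to verify a backup before restoring from it.
Not workshop code. Sample files and the simulated tampering are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256.
    Keep the manifest somewhere the backup medium cannot reach (printed, or on a second
    device), otherwise malware that rewrites the backup can rewrite the manifest too."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup copy against the manifest; an empty result means it is safe to restore."""
    current = write_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo() -> tuple:
    """Build a constructed warehouse backup, verify it, then simulate ransomware reaching it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "warehouse").mkdir(parents=True)
        (backup / "warehouse" / "inventory.csv").write_text("sku,qty\nFAUCET-1,40\n")
        (backup / "warehouse" / "orders.csv").write_text("order,sku\n1001,FAUCET-1\n")
        manifest = write_manifest(backup)
        clean = verify_backup(backup, manifest)
        # Simulated ransomware: one file overwritten with ciphertext-like bytes, one note dropped.
        (backup / "warehouse" / "inventory.csv").write_bytes(os.urandom(64))
        (backup / "README_DECRYPT.txt").write_text("pay to get your files back")
        tampered = verify_backup(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("after tampering:", after)
```

Run the check on the external drive before the "wipe the drive" step, and keep that drive disconnected except during the backup itself; a backup that is always mounted is just another folder for the ransomware to encrypt.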
Resources Available for National Cyber Security Awareness Month
NCSA and BBB are creating collateral for businesses to supplement the workshop, including:
• Technology Checklist
• 5-Step Guide to Protect Your Business
• Online Resource Index
Available at:
Welcome to the community.
#ccubedvp
Directives in Executive Order 13636:
• NIST to develop a Cybersecurity Framework
• A voluntary program for critical infrastructure cybersecurity to promote use of the
Framework
• A whole of community approach to risk management, security and resilience.
• Joint action by all levels of government and the owners and operators of critical
infrastructure
“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”
- White House Executive Order 13636
C³ VOLUNTARY PROGRAM OVERVIEW
GOALS FOR 2015
1. Harmonizing Cybersecurity Risk Management Strategies
2. Building Relationships among Cybersecurity Stakeholders
3. Creating a National Cybersecurity Culture
2015 ACTIVITIES
1 – Harmonizing Cybersecurity Risk Management Practices
• Sector-Specific Plans
• Sector Outreach and Partnership Division (SOPD) Framework Guidance
2 – Building Relationships among Cybersecurity Stakeholders
• Monthly Webinar series
• Small and mid-sized business (SMB) Roadshow
3 – Creating a National Cybersecurity Culture
• Promoting industry resources
• Knowledge sharing and collaboration
• Enhancing the C³ Voluntary Program's website
CENTRAL WEBSITE FOR RESOURCES
Over 40 resources currently featured, including the
Cyber Resilience Review (CRR)
Pages are organized by stakeholder group
• Academia; Business; Federal; State, Local, Tribal,
and Territorial (SLTT)
• New Stakeholder Page: Small and Midsize
Business (SMB)
Resources are aligned to Framework core function
• Identify, Protect, Detect, Respond, Recover
www.us-cert.gov/ccubedvp
ccubedvp@hq.dhs.gov
RESOURCES & EVENTS for BUSINESS
The C3 Voluntary Program is focusing in on assisting small and midsize businesses (SMB)
with their cybersecurity practices through:
• A nationwide SMB Roadshow
• A dedicated 2016 regional event for SMB, startups, accelerators, and venture
capital firms
• The creation and promotion of a SMB Cybersecurity Toolkit
Objective: Increase awareness, identify industry needs, and support the creation of self-sustaining “resilient communities” among the SMB community around cybersecurity and risk management.
SMB TOOLKIT
1. Table of Contents
2. Begin the Conversation: Understanding the Threat Environment
3. Getting Started: Top Resources for SMB
4. Cybersecurity for Startups
5. C³ Voluntary Program Outreach and Messaging Kit
6. SMB Leadership Agenda
THIRD PARTY RESOURCES FOR SMB
Stop.Think.Connect. Toolkit
• Online toolkit with information specific to SMBs
Small Business Administration (SBA) Training
• 30-minute introduction to small business cybersecurity
Federal Small Biz Cyber Planner
• Tool to help business create custom cybersecurity plans
Internet Essentials for Business 2.0
RESOURCES FOR SMB LEADERSHIP
• Leadership Team Agenda
• Outreach & Messaging Kit
• Sample Leadership Message
• Sample Newsletter Article
HOW TO GET INVOLVED
Take advantage of C³ Voluntary Program resources:
• Visit the C³ Voluntary Program website
• Familiarize yourself with the Cybersecurity Framework
• Download the Cyber Resilience Review (CRR), or contact DHS for an on-site assessment
• Spread the word across your community
• Connect with the C3 Voluntary Program:
www.us-cert.gov/ccubedvp