Webinar: Creating a Culture of Cybersecurity at Work

Academic year: 2021

stopthinkconnect.org

Webinar: Creating a Culture of Cybersecurity at Work


Agenda

•  Welcome/NCSA Landscape
•  Start With Security: Federal Trade Commission
•  NIST Framework: Better Business Bureaus
•  Critical Infrastructure Cyber Community Voluntary Program (C³): U.S. Department of Homeland Security
•  Q&A


About National Cyber Security Awareness Month (NCSAM)

NCSAM, recognized every October, provides a platform for industry, government, nonprofits, schools and the public to raise awareness about using the Internet and connected devices safely and securely. NCSAM is led by NCSA and the U.S. Department of Homeland Security (DHS).

The overarching theme of NCSAM is Our Shared Responsibility.

All businesses face cybersecurity challenges. This week will encourage businesses to proactively establish cultures of cybersecurity through employee education, risk management, planning and tools.


Webinar Speakers

•  Michael Kaiser, Executive Director, National Cyber Security Alliance
•  Jessica Lyon, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
•  Bill Fanelli, Chief Security Officer, Council of Better Business Bureaus
•  Kelvin Coleman, Branch Chief, Government Engagement, Cybersecurity & Communications, U.S. Department of Homeland Security

Start With Security: Federal Trade Commission

•  Don’t collect personal information you don’t need.
•  Hold on to information only as long as you have a legitimate business need.


•  Restrict access to sensitive data.
•  Limit administrative access.


•  Insist on complex and unique passwords.
•  Store passwords securely.
•  Guard against brute force attacks.


•  Keep sensitive information secure throughout its lifecycle.
•  Use industry-tested and accepted methods.

•  Segment your network.

•  Ensure endpoint security.

•  Train your engineers in secure coding.
•  Follow platform guidelines for security.
•  Verify that privacy and security features work.
•  Test for common vulnerabilities.

•  Put it in writing.
•  Verify compliance.

•  Update and patch third-party software.

•  Securely store sensitive files.
•  Protect devices that process personal information.
•  Keep safety standards in place when data is en route.
•  Dispose of sensitive data securely.

CYBER $3CUR1TY: 5 Steps to Better Business Cyber Security

A New Cybersecurity Workshop

Collaboration between the Better Business Bureaus and National Cyber Security Alliance


Workshop Outcomes

•  Identify the key business assets to protect
•  Recognize the value of having protections in place before a cyber incident occurs
•  Realize the need to detect cyber security problems, and tools to help with detection
•  Develop a rudimentary plan of what to do immediately when a cyber incident occurs
•  Understand the need for an incident recovery plan and how to develop one
•  Learn what employees need to know, and policies they need to follow, to execute the above


Verizon: Top Cyber Security Risks in 2014

•  Physical Theft and Loss
•  Payment Card Skimmers
•  Point-of-Sale Intrusions
•  Crimeware
•  Web App Attacks
•  Denial of Service Attacks
•  Cyber-espionage
•  Insider and Privilege Misuse
•  Miscellaneous Errors


Physical Theft and Loss

•  Most thefts occur in the victim’s work area (55%)
•  Employee-owned vehicles (22%) are common targets for device theft
•  Higher amount of data on a device means higher amount


Payment Card Skimmers and Point-of-Sale Intrusions

•  Card readers/skimmers fit inside ATMs and card readers (in stores, at gas pumps) to skim card data, capturing PCI card and PIN numbers
•  Liability shift October 2015 for EMV chip and pin cards – merchants now may be liable if their technology is deemed at fault
•  Multi-step attacks involve POS systems PLUS attacks on other systems, e.g. vendors with access to networks
•  Social engineering used to trick employees into providing passwords over the phone


Malicious Software (Crimeware) and Web App Attacks

Malware infections used to steal or compromise:

•  Bank records (using stolen credentials)
•  Trade secrets
•  System data

Ransomware can encrypt an entire hard disk drive until a fee is paid for restoration.

Phish customer → Get credentials → Log in to account → Empty bank account


Insider Misuse and Miscellaneous Errors

55% of breach incidents caused by privilege abuse

Individuals given access take advantage and cause harm:

–  Intentionally for financial gain via sale or use of stolen data
–  Unintentionally for convenience (unapproved workarounds)

Three main categories:

•  Sensitive information reaching the wrong recipient (30%)
•  Publishing nonpublic data to public web servers (17%)
•  Insecure disposal of personal and medical data (12%)


A Structured Approach to Managing Risks…

The core intent is to present the NIST Cyber Security Framework in a form that is accessible to small and medium sized businesses.


The NIST Cyber Security Framework

A collaborative effort between the government and private sector to develop a voluntary framework – based on existing standards, guidelines and practices – for reducing cyber risks to critical infrastructure.


NIST 5-Step Approach

•  IDENTIFY: assets you need to protect
•  PROTECT: assets beforehand to limit the impact of an incident
•  DETECT: be able to detect security problems quickly
•  RESPOND: be ready to respond immediately to an incident to keep the business running
•  RECOVER: prepare to recover and get back to normal operations


Leaky Faucet Plumbing Scenario: Ransomware

As Dave comes back from lunch, he sees this on his computer screen. What now??


5-Step Approach: Ransomware

IDENTIFY
•  Data: Warehouse system contains inventory data required to run the business
•  Device: Dave’s desktop

PROTECT
•  Daily backup on external drive

DETECT
•  Ransomware message

RESPOND
•  Owner determines that the system will be down for several days
•  Track transactions on paper
•  Take computer for repair

RECOVER
•  Wipe the drive
•  Reload Windows
•  Reload warehouse application
•  Load data from backup
•  Load paper transactions


Resources Available for National Cyber Security Awareness Month

NCSA and BBB are creating collateral for businesses to supplement the workshop, including:

•  Technology Checklist
•  5-Step Guide to Protect Your Business
•  Online Resource Index

Available at:


Welcome to the community.

#ccubedvp


C³ VOLUNTARY PROGRAM OVERVIEW

Directives in Executive Order 13636:

•  NIST to develop a Cybersecurity Framework
•  A voluntary program for critical infrastructure cybersecurity to promote use of the Framework
•  A whole of community approach to risk management, security and resilience
•  Joint action by all levels of government and the owners and operators of critical infrastructure

“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”

- White House Executive Order 13636


GOALS FOR 2015

1. Harmonizing Cybersecurity Risk Management Strategies
2. Building Relationships among Cybersecurity Stakeholders
3. Creating a National Cybersecurity Culture


2015 ACTIVITIES

1 – Harmonizing Cybersecurity Risk Management Practices
•  Sector-Specific Plans
•  Sector Outreach and Partnership Division (SOPD) Framework Guidance

2 – Building Relationships among Cybersecurity Stakeholders
•  Monthly Webinar series
•  Small and mid-sized business (SMB) Roadshow

3 – Creating a National Cybersecurity Culture
•  Promoting industry resources
•  Knowledge sharing and collaboration
•  Enhancing the C³ Voluntary Program’s website


CENTRAL WEBSITE FOR RESOURCES

Over 40 resources currently featured, including the Cyber Resilience Review (CRR)

Pages are organized by stakeholder group:
•  Academia; Business; Federal; State, Local, Tribal, and Territorial (SLTT)
•  New Stakeholder Page: Small and Midsize Business (SMB)

Resources are aligned to Framework core function:
•  Identify, Protect, Detect, Respond, Recover

www.us-cert.gov/ccubedvp ccubedvp@hq.dhs.gov


RESOURCES & EVENTS for BUSINESS

The C³ Voluntary Program is focusing on assisting small and midsize businesses (SMB) with their cybersecurity practices through:

•  A nationwide SMB Roadshow
•  A dedicated 2016 regional event for SMB, startups, accelerators, and venture capital firms
•  The creation and promotion of an SMB Cybersecurity Toolkit

Objective: Increase awareness, identify industry needs, and support the creation of self-sustaining “resilient communities” among the SMB community around cybersecurity and risk management.


SMB TOOLKIT

1.  Table of Contents
2.  Begin the Conversation: Understanding the Threat Environment
3.  Getting Started: Top Resources for SMB
4.  Cybersecurity for Startups
5.  C³ Voluntary Program Outreach and Messaging Kit
6.  SMB Leadership Agenda


THIRD PARTY RESOURCES FOR SMB

Stop.Think.Connect. Toolkit
•  Online toolkit with information specific to SMBs

Small Business Administration (SBA) Training
•  30-minute introduction to small business cybersecurity

Federal Small Biz Cyber Planner
•  Tool to help businesses create custom cybersecurity plans

Internet Essentials for Business 2.0


RESOURCES FOR SMB LEADERSHIP

•  Leadership Team Agenda
•  Outreach & Messaging Kit
•  Sample Leadership Message
•  Sample Newsletter Article


HOW TO GET INVOLVED

Take advantage of C³ Voluntary Program resources:

•  Visit the C³ Voluntary Program website at
•  Familiarize yourself with the Cybersecurity Framework
•  Download the Cyber Resilience Review (CRR), or contact DHS for an on-site assessment
•  Spread the word across your community
•  Connect with the C³ Voluntary Program: www.us-cert.gov/ccubedvp


Resources

https://staysafeonline.org/ncsam

http://www.dhs.gov/ccubedvp

https://www.bbb.org/data-security

https://ftc.gov/datasecurity
