Multi-faceted Cyber Security
Copyright 2014 – LP3
September 2014
Asad Zaman
MBA, MSc-CyberSecurity

Agenda
• IT Security
• e-Discovery
• Compliance
• Legal Risk
• Disaster Plans
• What can you do?

IT Security Lifecycle Basics
• Inventory Assets – Hardware, software, mobile devices, communications links, processes, procedures, checklists, documents, contacts, customer lists
• Identify Risk – Create discrepancy reports and act on them
• Remediate Risk – Assign actions and close them
• Monitor and Triage Alerts – Log reduction and analysis
• Execute and Test Backups – Data, configurations, process documentation

Cyber Criminals – No Rules!
• Steady increase in cyber crime – collection/exploitation
• Government and hackers can access your unprotected data
• Damage from cyber crime rising dramatically
• Critical business issues
  • Reputation – share value
  • Fines/penalties – FINRA, SEC
  • Litigation – client identity theft, negligence, due diligence
  • Compliance
  • Business continuity
60% of small businesses that get hacked are out of business within 1 year

Phishing
• Fake emails seeking to get credentials
• Financial assets: 76% of targets
• Spear phishing – by-name emails
  • Company executives, key decision makers, celebrities, names on company website
Red Flag Words: account locked, suspended, verification required, suspicious transaction, protect your computer, funds due to you
Countermeasures:
• Don’t click on emailed links and attachments – only takes ONE person
• Security Awareness Training
Source: Symantec study 2007
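To make the red-flag list above something a mail gateway or help desk can act on, here is an added triage example (not part of the LP3 deck): a Python scorer that checks a message for the slide's red-flag phrases, for an executive's display name on an outside address (the spear-phishing case), for links whose visible URL differs from the real target, and for attachments. The company domain, the executive names, the score thresholds and both sample messages are constructed for the example.

```python
# Added example (not from the LP3 deck): score an inbound email against the slide's
# red flags. The company domain, executive names and sample messages are constructed.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

RED_FLAG_PHRASES = ("account locked", "suspended", "verification required",   # the slide's
                    "suspicious transaction", "protect your computer", "funds due to you")
COMPANY_DOMAIN = "example.com"            # assumed: our own mail domain
EXECUTIVES = {"john smith", "jane doe"}   # assumed: names listed on the company website
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _domain(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _text_parts(msg: Message):
    """Yield (content type, decoded text) for every text/plain or text/html part."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", "replace")


def score_email(raw: str) -> dict:
    """Return a suspicion score, a verdict and the reasons behind it; higher is worse."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    parts = list(_text_parts(msg))
    text = ((msg.get("Subject") or "") + "\n" + "\n".join(body for _, body in parts)).lower()

    # 1. Red-flag wording in the subject or body
    hits = [p for p in RED_FLAG_PHRASES if p in text]
    if hits:
        score += 2 * len(hits)
        reasons.append("red-flag phrases: " + ", ".join(hits))

    # 2. Spear phishing: an executive's display name on an address outside our domain
    name, addr = parseaddr(msg.get("From", ""))
    if name.lower() in EXECUTIVES and not addr.lower().endswith("@" + COMPANY_DOMAIN):
        score += 4
        reasons.append(f"executive name '{name}' sent from external address {addr}")

    # 3. "Click here" links whose visible URL differs from the real target
    for ctype, body in parts:
        if ctype != "text/html":
            continue
        for href, label in LINK_RE.findall(body):
            shown = URL_RE.search(label)
            if shown and _domain(shown.group(0)) != _domain(href):
                score += 3
                reasons.append(f"link shows {_domain(shown.group(0))} but points to {_domain(href)}")

    # 4. Attachments: the slide's "only takes ONE person" case
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            score += 2
            reasons.append(f"attachment: {part.get_filename()}")

    verdict = "quarantine" if score >= 6 else "review" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample: a spear-phish aimed at the accounts team.
PHISH = """\
From: John Smith <john.smith@mail-notices.net>
Subject: Account locked - verification required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>A suspicious transaction was detected. Verify now:
<a href="http://203.0.113.7/login">https://www.example.com/login</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="statement.zip"

UEsDBA==
--b1--
"""

# Constructed sample: an ordinary internal message.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Subject: Q3 report draft

The draft is on the shared drive: https://drive.example.com/q3
"""

if __name__ == "__main__":
    for raw in (PHISH, LEGIT):
        print(score_email(raw))
```

A score like this is a triage aid that surfaces the wording and link tricks on the slide; it does not replace the awareness training the slide recommends.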

Phishing Examples (slide images not reproduced)

Are My Documents Safe?
NSA…“full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. (WashPost, 4 Nov 13)
(Diagram: work server and home computer)
Countermeasures:
• Encrypt data and know where it goes
• Use redundant automated backups and test them
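Testing backups, as this slide and the IT Security Lifecycle slide both call for, means proving a restore works rather than checking that a backup job reported success. An added example, not from the LP3 deck: back up a directory into a gzip tarball, record a SHA-256 manifest, restore into a scratch directory, re-hash every file, and show that a damaged archive fails the test. The sample files are constructed.

```python
# Added example (not from the LP3 deck): back up a directory, keep a SHA-256
# manifest, and prove the backup restores by extracting it to a scratch
# directory and re-hashing every file. The sample files are constructed.
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: Path) -> dict:
    """Map each regular file, by path relative to root, to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src and return the manifest taken at backup time."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest_of(src)


def verify_restore(archive: Path, expected: dict) -> dict:
    """Restore into a scratch directory and compare against the manifest.

    Returns {"ok": bool, "problems": [...]}; a backup that cannot be read,
    loses files, or restores different bytes all count as failures.
    """
    problems = []
    # Python 3.12+ (and backports) offer the "data" extraction filter, which
    # refuses absolute paths and path traversal inside the archive.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return {"ok": False, "problems": [f"restore failed: {exc}"]}
        restored = manifest_of(Path(scratch))
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    problems += [f"unexpected file restored: {rel}"
                 for rel in restored if rel not in expected]
    return {"ok": not problems, "problems": problems}


def demo() -> tuple:
    """Back up constructed data, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "configs").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Co\n")
        (src / "configs" / "firewall.conf").write_text("deny all\nallow tcp/443\n")
        archive = Path(work, "nightly.tar.gz")
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)
        # A backup job that "succeeded" but left a damaged file: cut the
        # archive short and prove the restore test notices.
        damaged = Path(work, "damaged.tar.gz")
        damaged.write_bytes(archive.read_bytes()[:40])
        bad = verify_restore(damaged, manifest)
    return manifest, good, bad


if __name__ == "__main__":
    manifest, good, bad = demo()
    print(f"{len(manifest)} files in manifest")
    print("intact backup:", "PASS" if good["ok"] else "FAIL", good["problems"])
    print("damaged backup:", "PASS" if bad["ok"] else "FAIL", bad["problems"])
```

Run the same check against each copy of a redundant backup set, and keep the manifest somewhere other than the backup media so a damaged archive cannot also damage the record you compare it against.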

How do hackers crack businesses?
• “click here” emails
• Business Associate Connections
• “Please reset my password! Mr. Smith is yelling at me to get this report done now!” – Social Engineering

e-Discovery Risk
What is it?
• Mandated electronic discovery in litigation or investigations involving electronically stored information (ESI)
Why do I care?
• If you cannot find documents and metadata then you may lose the case – significant financial risk
Typical request: Deliver all documents with the name “John Smith” or “Company XYZ” from 2008 to 2012…

e-Discovery Actions
What should I do?
1. Identify
2. Preserve and Retain
3. Collect
4. Process
5. Review
6. Produce

Payment Card Industry Compliance

PCI (Payment Card Industry) DSS
WHAT:
• Standards and requirements for payment card data security
• Non-legislative – enforceable through fines and penalties
• Obligation on merchants and service providers
WHO:
“Payment Card Industry (PCI) Data security requirements apply to all Members (banks), merchants and service providers that store, process or transmit cardholder data.”
HOW:
• Sensitive authentication data cannot be stored
• Cardholder data must be protected
• New requirements from PCI DSS 2.0 to 3.0 came out in Nov 2013
• Requires Qualified Security Assessor (QSA) validation annually or Self-Assessment
Lack of COMPLIANCE:
• Fines: Up to $500k per incident (VISA), government fines, insurance costs, and litigation
• Brand reputation: Share price falls, loss of customer confidence
• Revocation: Inability to process credit card transactions
• More compliance: Additional PCI validation required

PCI DSS 2.0 Requirements (slide image not reproduced)

Health Insurance Portability & Accountability Act (HIPAA) Compliance
WHAT:
• Uniform rules for protecting Health Info
• Written or Oral communications
• E-mail, computerized and electronic information (computer records, faxes, voicemail, PDA entries, etc.)
WHO:
• Comes from a health care provider or a health plan
• Could be used to identify an individual
• Describes the health care, condition, or payments or demographics of an individual
HOW:
Physical Safeguards
• Computer terminals are not placed in public areas
Technical Safeguards
• Every associate must keep his/her password confidential
Administrative Safeguards
• Policy and procedure for release of patient information
COMPLIANCE:
• $100 fine per day for each standard violation (up to $25,000 per person, per year, per standard)
• $50,000 fine + up to one year in prison for improperly obtaining or disclosing health information
• $100,000 fine + up to five years in prison for obtaining or disclosing health information under false pretenses
• $250,000 fine + up to ten years in prison for obtaining health information with the intent to sell, transfer or use for commercial advantage, personal gain or harm

HITECH (Health Information Technology for Economic and Clinical Health Act)
Purpose:
• Makes massive changes to privacy and security laws
• Breach Notification requirements (Patient, Department of Health and Human Services, and Media)
• Applies to covered health care entities and business associates
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
Criminal Penalties – criminal provisions:
• Could reach up to 10 years in prison
• Fines started at $100 and could reach up to $25,000 for all identical violations of the same provision
HITECH – Harsher Penalties:
• Tiers established for civil penalties
• Maximum penalty of $1.5 Million
• The higher the level of culpability, the higher the penalty

HIPAA IN THE NEWS
• Octomom: Hospital workers accessed records out of curiosity – 15 people fired – 8 under disciplinary action
• Britney Spears: 13 or more workers fired – 6 workers suspended – 6 doctors face disciplinary action

Legal Risk
What is it?
• Potential failure to comply or apply due care in various legal areas
Why do I care?
• Risk of civil or criminal prosecution
• Significant financial impact for defense even if you win a case; losing can put you out of business

Legal Risk Mitigation
What do I do?
• Assess third party vendor and service provider agreements
• Document Data Breach Notification and Incident Response Plans
• Validate employer/employee privacy practices and technologies
• Revise Policies and Procedures
• Implement Risk Transfer / Insurance Assessment

Disaster Preparation
What should I do?
• Assess Risks
  • Hurricane, fire, flood, terrorism, disgruntled employee
• Identify Critical Resources
  • Processes, computer systems, information, documents, employee contact info, customer contact lists
• Develop Plans and Procedures
  • Simple step-by-step emergency and restoral procedures
  • Downtime is lost business – a good plan is valuable
• Train and Test
  • Ensure key staff know the procedures
  • Execute both tabletop and actual failover testing

Disaster Preparation
• What are the potential identifiable disasters (internal and external)?
• How would each affect your critical systems?
(Image: data center fire)

Cyber Incident Handling
What do I do?
1. Preparation: Set up systems to detect threats and create policies for action, including public information release decisions
2. Threat Identification: Determine what effects it is having on your systems
3. Containment: Limit effects by confining them to as few systems as possible; freeze the scene for investigation
4. Eradication: Get rid of whatever the attacker might have left behind – rebuild from original media if possible
5. Recovery: Restore the system to normal operations, reconnect to the network, and restore data from known clean backups if necessary
6. Follow-up: Root cause identification, deploy countermeasures, improve processes, etc.

Multi-Faceted Cyber Security
• IT Security – Can hackers modify or steal your data?
• e-Discovery – Can you find files you need for legal defense?
• Compliance – Will regulators see evidence of due care?
• Legal Risk – Does your configuration keep data private?
• Disaster Plans – Is your data backed up and restorable?
Secure management of critical systems improves all key areas

What should I do?
1. Do it yourself
2. Ask for help
3. Hire support

Do it yourself
1. Train IT staff on critical security issues with CISSP, SANS GIAC, Microsoft Certified Systems Engineer: Security
2. Patch workstations and laptops
3. Patch servers
4. Update anti-virus and anti-spyware
5. Back up key systems
6. Use firewalls to limit access
7. Train employees regularly
8. Continuously monitor posture

Ask for help
1. Web information services
2. Local colleges and universities
3. Part-time IT security employees
4. Consultants
5. Virtual CIO/CISO/CPO
Protectingtomorrow.org – Schools, Business, Vets

Hire Support…but who?
1. Trust
2. Experience with Advanced Persistent Threats
3. No software or hardware vendors
4. Industry experience
5. Technically current
(Chart: 199 critical vulnerabilities in a Financial Services Firm)

Thank you!
Comments? Questions?
Striking the critical balance between protection and performance
sales@LP3.com