© 2019 RSM US LLP. All Rights Reserved.

UNDERSTANDING THE CYBER THREAT LANDSCAPE

About your Speaker

Shan Grant
Supervisor, Security, Privacy & Risk Services
[email protected]
https://www.linkedin.com/in/shan-grant/

• 15+ years security and privacy experience
• Originally from Brooklyn, New York; moved to Florida in 2018
• PCI QSA & PA-QSA, CISSP, CISA, Fair Credit Reporting Act (FCRA) Certification
• Worked on and designed compliance programs for financial entities, fintechs, healthcare/healthtech, and non-profits
• Specializing in regulated environments:
  − Payment Card Industry (PCI)
  − HIPAA
  − CRA (FCRA)
  − FDIC/FFIEC
  − Data Privacy
• Career Highlight: Worked the Cannes Film Festival

GIMME SOME MO’ PRIVACY

History of privacy
(slide: timeline graphic)

Going down privacy lane
(slide: graphic)

How is CCPA different than GDPR?

Different consumer rights:

Rights Covered                        GDPR   CCPA
Right to know and of access           X      X
Right to deletion/erasure             X      X
Right to restriction of processing    X
Right to data portability             X      X
Right to object                       X
Right to opt out of sale                     X
Right to equal service and price             X
Right to opt in (minors under 16)            X

GDPR compliance ≠ CCPA compliance.

In addition to compliance, it’s really all about the data: what type of data and how it is used. Data governance and management programs should consider mapping for both.

Privacy Cliff Notes

• Nevada Online Privacy Law
• New York Privacy Act
• Maine Act to Protect the Privacy of Online Consumer Information
• Massachusetts Data Privacy Law
• Hawaii Consumer Privacy Protection Act
• Maryland Online Consumer Protection Act

THE THREATS

Primary Exploits Leveraged by Cyber Threats
• Hacking – Breaking through a vulnerability and moving laterally
  − Network penetration
  − Data leakage and theft
  − Social engineering
• APT – “Uninvited Guest”
  − Arrives in your network and stays there under the radar
  − Harvests information over time
  − Typically not found with anti-virus software
  − Sophisticated
• Malware – Code that is designed to do bad things
  − Execution of malicious code on an infrastructure
  − Escalate unauthorized privileges
  − Shut down your network (DDoS)
  − Encrypt data (ransomware)

RANSOMWARE-as-a-Service

• Let’s talk about GandCrab
  − On the scene in Jan 2018
  − Off the scene mid 2019 – complete shutdown
  − Reported as RaaS

Farewell post from the GandCrab operators:

“All the good things come to an end. For the year of working with us, people have earned more than $2 billion… Earning with us per week $2,500,000. We personally earned more than 150 million dollars per year. We successfully cashed this money and legalized it….”

Ransomware recovery

• There’s no guarantee that all the data will be recovered.
• Roughly 5–15% loss with a decryptor
• Businesses are down for an average of nine days.
• For complete recovery, it could take weeks to years.

Consider:
• System wipes
• Recover from backups
• Repeat the process for each server or computer

Facts & Stats

• Hackers attack every 39 seconds
• 43% of cyber attacks target small businesses (can we find out how susceptible middle market companies are, from our cyber survey, here)
• In 2018 hackers stole half a billion personal records
• 95% of cybersecurity breaches are due to human error
• Cyber-criminals and hackers will infiltrate your company through your weakest link, which is almost never in the IT department.
• Most companies take nearly 6 months to detect a data breach, even major ones
  − Equifax, Capital One, and Facebook just to name a few.
• Information such as passwords, credit card details, and social security numbers may already be compromised by the time you’re notified.

COMBATING THREATS

If you do it at home, you’ll do it at work

Complicated password / Enable MFA / Turn on notifications

• Use a cloud based password safe
  − Bitwarden
  − 1Password
  − Dashlane
  − LastPass
  − KeePassXC – not cloud based
  − Automatically generates passwords
  − Prevents reuse of passwords
  − Checks for compromised passwords
  − Some allow document storage or personal detail storage
  − It’s in the cloud but you can export it
  − https://www.wired.com/story/best-password-managers/
• Use Multifactor Authentication (MFA)
  − 2 or more of the below
    • Something you know
    • Something you have
    • Something you are
  − Google Authenticator
  − Authy
  − Yubico
• Consider a VPN provider
  − Research (google) them!
  − Why VPN and highly rated providers: https://www.forbes.com/sites/kateoflahertyuk/2019/04/19/heres-why-you-need-a-vpn-and-which-one-to-choose/#6e36315a23c9
• DNS Leakage
  − Working remotely – hop on the corporate VPN

Other cool things about password managers
(slide: graphic)

Social

• Review privacy and security settings
• Third-party app authorization – remove when no longer needed.
• Consider what you’re posting public vs private
• Remember people can screenshot something before you have the chance to take it down
• Search yourself

Data retention – can you get rid of it?

• Old documents
• Disable or delete old accounts
• Where is your data:
  − Data hosting (Dropbox, Box, etc.)
  − Digital image printing platforms
  − Old email accounts
  − Old devices

BE VIGILANT BE AWARE
Ransomware Attack Prevention

• Cyber Security tenets are the same
  − Patch your systems
  − Limit access to data and systems
    • Particularly write access
  − Off-site backups or snapshot backup service
  − Good AV/anti-malware

Trust nothing, from emails to network shares.

Some personal security suggestions

Security, security
• Always ask why someone needs your information
• Do not use public Wi-Fi
• People actually “dumpster dive”

Social engineering
• “Delivery person,” “corporate IT”
• A LinkedIn “recruiter” or “met you at a conference” request to add you to their network

Too much information (TMI)
• Geolocation tagging in photos or social media posts
• Be careful what you post on social media

Shan Grant
RSM US LLP
100 NE Third Ave., Suite 300
Fort Lauderdale, FL 33301
D: 954.449.8017
[email protected]
rsmus.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM, the RSM logo and the power of being understood are registered trademarks of RSM International Association.