1/7/2019

More Connected, More at Risk: Addressing Cybersecurity Concerns for Tribal Organizations

January 10, 2019

To Receive CPE Credit
› Individuals
• Participate in entire webinar
• Answer polls when they are provided
› Groups
• Group leader is the person who registered & logged on to the webinar
• Answer polls when they are provided
• Complete group attendance form
• Group leader sign bottom of form
• Submit group attendance form to [email protected] within 24 hours of webinar
› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar


Presenter

Rex Johnson Director [email protected]

Introductions

Rex Johnson, CISSP®, CISA®, CIPT, PMP®, PCIP™, Director

Health Care, Financial Services, Not-for-Profit, Government, Education, Telecommunications & Manufacturing Industries


Breaches Are Continuing …

Reported Breaches by Year (bar chart, 2011–2017; bar values shown: 421, 471, 614, 783, 780, 1,091 & 1,579)

2017 totals:
• 1,579 breaches total
• 178,955,069 records exposed

2018 update through Dec. 5, 2018:
• 1,138 breaches
• 561,782,485 records

Source: ID Theft Center https://www.idtheftcenter.org 2018 – Data Breach Category Y-T-D Summary (12/5/2018)

Incident vs. Breaches

Incident
› Security event that compromises integrity, confidentiality or availability of an information asset

Breach
› Incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party

Source: Verizon 2018 Data Breach Investigations Report


Breaches Are Costing More & More

› Average cost per lost or stolen record: $148 (2017 was $141)
› Likelihood of a recurring breach within two years: 27.9% (27.7% last year)
› Average total cost of a data breach: $3.86 million (up from $3.62 million)
› Companies that contained a breach in less than 30 days saved more than $1 million vs. those that took more than 30 days
› Average cost savings with an IR team: $14/record
› Mean time to identify a breach: 197 days
› Mean time to contain: 69 days

Source: Ponemon Institute 2018 Cost of Data Breach Study

What Are Some of the Cybersecurity Challenges for Tribal Organizations?
› Managing two types of business
• Federal government
• Hospitality
› Shadow IT
› Mobile devices
› Need for more skilled people
› Regulatory (such as GDPR)


Tribal Organizations Manage Two Industry Types

Breaches by industry (count & percent of total):

Industry               Count   Percent
Health Care            471     26.69%
Financial Services     219     12.41%
Retail                 199     11.27%
Education              199     11.27%
Government             193     10.93%
Technology             130      7.37%
Professional Services   92      5.21%
Other Industries        68      3.85%
Industrial              60      3.40%
Entertainment           46      2.61%
Hospitality             36      2.04%
Insurance               22      1.25%
Nonprofit               21      1.19%
Social Media             9      0.51%

Source: https://www.breachlevelindex.com/

Shadow IT
› Shadow IT refers to IT devices, software & services outside the ownership or control of IT organizations
› Departments will often do this to
• Circumvent bottlenecks
• Avoid slow processes
• Rely on familiar software
• Compatible with mobile devices
• Work with legacy applications that are no longer supported
› It is easy to obtain software as a service (SaaS) solutions

Source: Gartner IT Glossary, https://www.gartner.com/it-glossary/shadow


Risks of Shadow IT
› Rutter Networking identified
• Increased risk of data loss
• Increased risk of data breach
• Inefficiencies
• Cybersecurity risks
› Since it is acquired outside of IT procurement channels, security is often overlooked
› Gartner predicts that by 2020, a third of all successful attacks on enterprises will be against their shadow IT resources

Source: https://www.rutter-net.com/blog/4-security-risks-of-shadow-it

Cherokee Nation

Pete Self, CISSP, MBA, CCISO, Director IT Security


Cybercrime Is Still #1 & Growing

Motivations Behind Attacks (pie charts for 2016, 2017 & 2018 through Q3; the largest slice, cybercrime, grows from 72.1% to 77.4% to 82.4%)

Source: Hackmageddon, https://www.hackmageddon.com/2018-master-table

Cybercrime: What Happens?
› Use is dependent on the type of information stolen
› Most stolen information is sold in underground markets
• Criminals steal information from organizations & dump it on the dark web in a variety of forums
• Vast networks with various services & goods for sale
• In many less developed nations, hacking is lucrative in comparison to other jobs available
› Ransomware is also a profitable means


The Dark Web: What It Is & What It Isn’t

What Is This “Dark Web?”

› Less than 10% of the internet is accessible through typical search engines
› The deep web is a part of the web that contains the most sensitive information
› The dark web is the part of the deep web that is intentionally hidden
• Requiring an anonymizer to access, e.g., Tor
• Uses .onion links; links often shift
• Tor – the onion router
• The black market of the internet!

Source: CISO Platform, http://www.cisoplatform.com/profiles/blogs/surface-web-deep-web-and-dark-web-are-they-different


What Can I Find on the Dark Web?


Types of Sites on the Dark Web

Paste Sites
Large data dumps that are never removed

Forums
Discussion forums that cover information that could be useful to a
• Common vulnerabilities
• Information about organizations
• Other compromised information
• Dates

Marketplace
Anything is for sale
• Drugs
• Stolen credit cards
• Personal identities
• Passports
• Driver’s licenses
• Health insurance cards

Social Media/Chat Rooms
A place to share information more privately

Search Engines
Just like regular search sites, but for the dark web


Midpoint Question
› How much could I get for your credit card on the dark web?

About $1

Carding Forum: Joker’s Stash is the most popular “carding” forum on the dark web. Credit cards, just $1 each!


Health Insurance Card for Sale

Health insurance card sold for just over $62



Hackers for Hire

How Do I Know What a Hacker Would Take?


Types of Cybersecurity Assessments

› Penetration testing: assesses the external &/or internal network to search for vulnerabilities. Does not collect data
› Social engineering: focuses on the human element of security (phishing, tailgating, etc.)
› Physical security: considers the physical aspects of your cybersecurity. Includes secured rooms, entry & exit points, clean desk, etc.

Red Team Assessments
› An attack simulation that mimics the real activities a hacker would take in your environment
› Still provides the network penetration testing results
› Collects data & information a hacker would want
› Ability to place notional & threats
› Also known as purple team or digital attack simulations


Breach Life Cycle
› Attacks are generally carried out in four stages
› These four stages are often referred to as the “breach life cycle”
› The further the progression, the greater the risks
• Infiltration: breaking in & establishing foothold
• Propagation: in the network & moving around
• Aggregation: collecting data & critical information
• Exfiltration: taking the information outside of the organization

Breach Life Cycle in Action (diagram: impact grows from minimal to maximum as time to detection & response lengthens across the four stages)

1. Infiltration
2. Propagation
3. Aggregation
4. Exfiltration


How the Red Team Works

1. Leadership engages red team
2. Red team hackers break in (infiltrate)
3. Red team propagates & aggregates
4. Once detected, red team shows exfiltration data
5. Provides feedback to security team
6. Publishes the report

Red Team Benefits
› Simulated attack scenarios from real-world threats
› Demonstrates true offensive techniques to organizations
› Identify return on investment for cybersecurity solutions
› True ‘quantitative’ risk analysis
› Focuses on what’s valuable, data & assets
› Designed to improve a security team
› Still get the report plus more


Mitigation Steps

Recommendations – Basics
› Know your inventory
• What do you want to protect?
• Who do you want to protect it from?
• How likely is it that you will need to protect it?
• How bad are the consequences if you fail?
• Classification of inventory



Recommendations – Basics

› Educate your team
• Technology is no substitute for employee education
• Include the board, executives & vendors
• Knowledge is power
• Do not discourage false-positive reporting
• Document & distribute security policies
• Develop & rehearse a robust incident response program


Recommendations – Basics
› Patch your systems
• Applications
• Databases
• Operating systems – servers, workstations, etc.
• Anti-virus/anti-malware – engines & signatures
• Third-party applications



Recommendations – Basics
› Limit access
• Control use of administrative privileges
• Limit access based on need-to-know (least privilege)
• Limit & control remote access
• Do not share credentials
• Consider multifactor authentication
• Limit the use of portable media
• Don’t forget physical security
• Encryption is key, especially when data leaves your organization

Recommendations – Basics
› Limit access
• Human factor is still the weakest link
• Remember physical security & limiting access when the following arrive
› UPS
› Coming in from corporate IT
› Service people or technicians
› Exterminator
› Flower delivery


Recommendations – Basics
› Plan, prevent & prepare
• Lock your laptop whenever you are away from your workstation
• Filter out suspicious email addressed to employees
• Be careful how you share company information
• Develop cyber incident response program (CIRT)
• Consider cyber insurance


Recommendations – Basics
› Backup
• Implement a regularly scheduled backup program that meets your business & records retention requirements
• Put some distance between your primary & secondary sites
• For critical applications, perform a full restoration or fail-over test at least annually
• Backup & restore not only data, but also the applications
• Understand the differences between cloud storage & cloud backup



Personal Recommendations
› Always ask why someone needs your information
› Avoid clicking links within unsolicited emails or text messages; go to the legitimate site & type in the URL
• https://www.bankofamerica.com – correct
• http://www.bankofmerica.com – incorrect
› Be aware of cyber fatigue in your organization
› Use strong passwords & change them often
› Avoid geolocation tagging in photos or tweets
› Don’t talk publicly about your company: happy hours are perfect targets
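As an added example (not from the slides or BKD), a small Python check for the lookalike-URL advice above: it compares a link's host against an allowlist of legitimate domains and flags hosts within a couple of character edits of one (the bankofmerica.com case), hosts that merely embed a legitimate name under another domain, and known hosts reached over plain http. The allowlist and the edit-distance threshold are assumptions.

```python
from urllib.parse import urlsplit

# Allowlist of legitimate domains (assumption: the slide's own example;
# a real list would come from your organization's policy).
KNOWN_DOMAINS = {"bankofamerica.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_host(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_url(url: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Classify a link as ok / suspicious / lookalike / unknown, with a reason."""
    scheme = urlsplit(url).scheme.lower()
    host = registrable_host(url)
    # Exact match or a genuine subdomain of an allowlisted domain
    for legit in known:
        if host == legit or host.endswith("." + legit):
            if scheme != "https":
                return "suspicious", f"{host} is legitimate but the link is not https"
            return "ok", f"{host} matches allowlisted domain {legit}"
    for legit in known:
        # Legitimate name embedded under a different domain,
        # e.g. bankofamerica.com.example.net
        if legit in host:
            return "lookalike", f"{host} embeds {legit} under another domain"
        dist = edit_distance(host, legit)
        if dist <= max_distance:
            return "lookalike", f"{host} is {dist} edit(s) away from {legit}"
    return "unknown", f"{host} is not on the allowlist"
```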

DHS Resource Page
› US-CERT page to assist state, local, tribal & territorial (SLTT) governments
› Provides best practices
› SLTT Toolkit
› Downloadable resources
› Includes some resources that are geographically specific
› https://www.us-cert.gov/ccubedvp/sltt


The Next Generation
› CyberPatriot is the National Youth Cyber Education Program
› Created by the US Air Force & sponsored by Northrop Grumman
› Inspires K-12 students towards careers in cybersecurity or other science, technology, engineering & mathematics (STEM) fields
› Preparing youth with skills critical to our future

Source: https://www.uscyberpatriot.org/ & http://www.northropgrumman.com/CorporateResponsibility/Pages/CyberPatriot.aspx


Continuing Professional Education (CPE) Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

CPE Credit

› CPE credit may be awarded upon verification of participant attendance
› For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]


bkd.com | @BKDGov @BKDCyber

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered.
