Maintaining Security and Regulatory Compliance During A Pandemic

Page 1: Title slide

Speakers: Regine Bonneau, CEO & Founder; Rick Duman, Vice President

Page 2:

Agenda

- Cybersecurity Updates and Recommendations: COVID-related phishing, COVID ransomware, remote workforce threats
- Compliance Updates and Recommendations: COVID-related compliance updates, HIPAA, PCI
- Closing / Q&A

Page 3:

CYBERSECURITY: PEOPLE, PROCESS, TECHNOLOGY

- Expertise: company founded in 2001 with an experienced team
- Development: cybersecurity-focused research and development
- Proprietary technology: patented and patent-pending technology for preventing breaches inline and in real time
- Security experts: US-based SOC, highly trained engineers, US citizens

Page 4:

Why is this Important?

https://www.helpnetsecurity.com/2020/04/10/covid-19-fears/

Page 5:

Example – UK Themed SMS Phishing

Source: https://www.us-cert.gov/ncas/alerts/TA18-201A

Page 6:

Page 7:

- Authority: Is the sender claiming to be from someone official?
- Urgency: Are you told you have a limited time to respond?
- Emotion: Does the message make you panic, fearful, hopeful, or curious?
- Scarcity: Is the message offering something in short supply?

Page 8:

Why is Vulnerability Management Important?

Source: cvedetails.com

Page 9:

RDP use has risen on account of COVID

- Known vulnerabilities (2019)
- Easily detectable via scan
- Susceptible to brute force
- Dark web stolen credentials

Steps to reduce RDP risk

- Identify and patch vulnerabilities
- Block or limit RDP access from the Internet (e.g. reachable only over the corporate VPN)
- Make it harder to brute force (e.g. account lockout policy, Network Level Authentication, MFA in front of RDP)
- Monitor the dark web for stolen credentials
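The "Susceptible to brute force" and "Dark web stolen credentials" points above are the ones a SOC can actually see in telemetry. The script below is an added example for this deck (it is not code from RB Advisory or the webinar) showing the detection side of those two steps: it reads Windows Security events exported as JSON lines (the export format, the exact field names and the sample events are assumptions, constructed for the example), flags a source IP with five or more failed RDP logons (Event ID 4625) inside a five-minute sliding window, distinguishes password spraying from single-account guessing, and escalates when the same source then logs on successfully (Event ID 4624), which is what a brute-forced or dark-web-sourced credential looks like in the log.

```python
"""RDP brute-force detection over a Windows Security log export.

Added example (not the webinar's or RB Advisory's code). Assumes events were
exported as JSON lines, one Windows Security event per line, with the field
names of the Security event schema (EventID, TimeCreated, LogonType,
TargetUserName, IpAddress). The sample events are constructed for this
example and use TEST-NET addresses.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
REMOTE_INTERACTIVE = 10   # RDP session logon
NETWORK = 3               # with Network Level Authentication enabled, RDP
                          # pre-auth failures are usually logged as type 3
RDP_FAILURE_TYPES = {REMOTE_INTERACTIVE, NETWORK}

# Constructed sample export (not real telemetry).
SAMPLE_EVENTS = """\
{"EventID":4625,"TimeCreated":"2020-04-10T02:00:01Z","LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:00:09Z","LogonType":10,"TargetUserName":"admin","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:00:30Z","LogonType":3,"TargetUserName":"rduman","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:00:41Z","LogonType":10,"TargetUserName":"backup","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:01:05Z","LogonType":10,"TargetUserName":"svc_sql","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:01:20Z","LogonType":10,"TargetUserName":"rduman","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:02:55Z","LogonType":10,"TargetUserName":"rbonneau","IpAddress":"198.51.100.22"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:03:10Z","LogonType":10,"TargetUserName":"rbonneau","IpAddress":"198.51.100.22"}
{"EventID":4624,"TimeCreated":"2020-04-10T02:03:40Z","LogonType":10,"TargetUserName":"rduman","IpAddress":"203.0.113.7"}
{"EventID":4625,"TimeCreated":"2020-04-10T02:05:00Z","LogonType":2,"TargetUserName":"jsmith","IpAddress":"10.0.5.14"}
{"EventID":4624,"TimeCreated":"2020-04-10T09:15:00Z","LogonType":10,"TargetUserName":"rbonneau","IpAddress":"198.51.100.22"}
"""


def parse_events(jsonl):
    """Parse a JSON-lines export into dicts with a UTC datetime under 'ts', oldest first."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window,
    and escalate when the same source then completes an RDP logon (a sign that a
    guessed or stolen credential worked)."""
    recent = defaultdict(deque)   # source IP -> (ts, user) of failures still inside the window
    flagged = set()               # IPs already reported, so extra failures do not re-alert
    alerts = []
    for ev in events:
        ip = ev.get("IpAddress", "-")
        window_q = recent[ip]
        # Expire failures that fell out of the window before considering this event.
        while window_q and ev["ts"] - window_q[0][0] > window:
            window_q.popleft()

        if ev["EventID"] == FAILED_LOGON and ev.get("LogonType") in RDP_FAILURE_TYPES:
            window_q.append((ev["ts"], ev["TargetUserName"]))
            if len(window_q) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in window_q})
                alerts.append({
                    "severity": "medium",
                    "type": "rdp_bruteforce",
                    "ip": ip,
                    "failures": len(window_q),
                    "distinct_users": len(users),
                    # many distinct accounts from one source = password spraying
                    "pattern": "password_spray" if len(users) >= 3 else "credential_guessing",
                    "first_seen": window_q[0][0].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                })
        elif (ev["EventID"] == SUCCESS_LOGON and ev.get("LogonType") == REMOTE_INTERACTIVE
              and len(window_q) >= threshold):
            alerts.append({
                "severity": "high",
                "type": "rdp_success_after_bruteforce",
                "ip": ip,
                "user": ev["TargetUserName"],
                "preceding_failures": len(window_q),
                "time": ev["ts"].isoformat(),
            })
    return alerts


def analyze(jsonl, threshold=5, window=timedelta(minutes=5)):
    """Convenience wrapper: parse an export and return the alert list."""
    return detect_rdp_bruteforce(parse_events(jsonl), threshold, window)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the sample data this yields two alerts: a medium-severity password-spray alert for 203.0.113.7 once its fifth failure lands, and a high-severity alert when that same source then logs on as rduman. The two failures from 198.51.100.22 stay under the threshold, and its later successful logon is hours outside the window, so it is not flagged; the interactive (LogonType 2) failure from the internal host is ignored because it is not RDP. The window and threshold are tunable; if RDP is already restricted to the VPN as the slide recommends, any brute-force alert at all is worth a look, since the source is then inside your perimeter.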

Page 10:

Vulnerabilities exploited in VPN products used worldwide

- Citrix: CVE-2019-19781
- Pulse Connect Secure: CVE-2019-11510, CVE-2019-11539
- Fortinet: CVE-2018-13379, CVE-2018-13382, CVE-2018-13383
- Palo Alto: CVE-2019-1579

What you need to know

- As of 4/9/20, these vulnerabilities continue to be exploited.
- Exploit code for these vulnerabilities is publicly available online.

https://www.zdnet.com/article/coronavirus-microsoft-directly-warns-hospitals-fix-your-vulnerable-vpn-appliances/?&web_view=true

Page 11:

Zoom

- Daily use grew from 10M to 200M in March
- Privacy issues identified (Facebook)
- Zoom-bombing
- Zoom security bugs
- Zoom doesn't use end-to-end encryption as advertised
- App was leaking users' emails and photos via a feature bug
- Zoom accounts found on the dark web
- Multiple organizations and businesses have now banned Zoom
- Hackers selling Zoom exploits for $5K-$30K

https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/

Page 12:

COVID ransomware example: CovidLock (malicious Android app)

https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/

https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware

Page 13:

- Do you trust ransomware operators?
- "Accidental" ransomware
- Are you in healthcare?

Page 14:

Breach Timeline (2019 Verizon Data Breach Investigations Report; time measured from the initial attack)

Phase               Minutes   Hours   Days   Weeks   Months   Years
Compromise          50%       18%     17%
Data exfiltration   32%       24%     22%
Containment                           42%    28%     10%
Discovery           < 2%              20%            37%      20%

60% of breaches take months to discover.

"[...] let a tool used for monitoring malicious web traffic expire in November 2016, and the hackers' presence in the company's network went undetected for 78 days." (U.S. Senate Report, 03/06/19)

Page 15:

Recommendations

- Confirm AV and endpoint protection is up to date
- Run vulnerability scans; update/patch systems as needed
- Review AND react to security alerts, ideally 24x7
- Security awareness training WITH phishing simulation for employees
- Monitor the dark web for stolen credentials
- Ensure backups are configured properly and verify network segmentation of backups
- Enable multi-factor authentication (MFA) where possible
- Use encrypted communications
- Enable VPN for remote workers
- Implement a SIEM to ensure proper logging

Page 16:

Page 17:

Let's take questions. Submit your question via the Participant's Panel.

Page 18:

Government agencies that use third-party brokers to procure medical equipment and PPE are most affected by the fraud. Recent reporting from multiple sources indicates an increase in financial fraud schemes. Criminals are exploiting the high demand for PPE and ventilators, global supply chain disruptions, and worldwide manufacturing shortages of medical supplies created by the COVID-19 pandemic. In several schemes, criminals impersonated legitimate PPE and ventilator suppliers to contact third-party brokers who unwittingly facilitated the transactions with hospitals and other medical facilities.

Procurement entities have reported million-dollar losses due to the solicitation and subsequent non-delivery of purchase orders of ventilators after victims provided payment. In at least one case in late March 2020, an alleged criminal defrauded a state government agency of approximately $32 million by non-delivery of ventilators. A third-party broker, who was hired by the agency to procure ventilators from medical equipment suppliers, was scammed by criminals posing as a legitimate Chinese supplier who requested an upfront payment to two Hong Kong-based bank accounts. The criminals' internet protocol addresses and phone numbers resolved to Nigeria.

Page 19:

Page 20:

Property of RB Advisory LLC - Copyright 2020

Regine Bonneau is the Founder and CEO of RB Advisory, LLC, which provides cyber risk management, security assessments, compliance services, forensic audits, and privacy consultations for private sector and government clients. She founded RB Advisory after years of working in the risk management and compliance industries.

Ms. Bonneau is a leading expert and practitioner in governance, risk management, compliance, and cybersecurity. She believes that to create an effective governance, compliance and security culture there needs to be an understanding of each aspect of enterprise risk management and governance, with insight and commitment at every level of an organization. Her career spans 20 years with a focus on people, process, and technology in the healthcare, financial, legal, government and energy sectors, from small to large enterprises.

Certifications:
- SBE: Small Business Enterprise
- M/WBE: Minority/Woman Business Enterprise
- DBE: Disadvantaged Business Enterprise
- LDBE: Local Disadvantaged Business Enterprise

Page 21:

Services

CYBERSECURITY
- Cyber Risk Assessments
- Gap Analysis
- Vulnerability Management
- Penetration Testing
- Cybersecurity Strategy Plan
- M&A Due Diligence
- Virtual CISO (vCISO)

RISK MANAGEMENT
- Cyber Risk Management Plans
- Cyber Liability Insurance
- IT Security Audits
- Incident Response Plan
- Third Party Risk Management
- Cyber Risk for Small Business
- Cloud Management
- Change Management

COMPLIANCE
- Governance, Risk, Compliance
- Privacy Consultations: Safeguards, US Privacy Shield, & EU's GDPR
- Federal and State Regulations: Compliance/Privacy
- NIST 800-171/CMMC
- Education & Awareness Training
- Policies & Procedures

Page 22:

COVID-19 Compliance Update

The COVID-19 pandemic landscape is changing rapidly. This has forced information security teams to shore up security in the face of a majority-virtual workforce and increased attacks, on top of their day-to-day responsibilities of managing risk and meeting compliance obligations.

2020 was slated to be a benchmarking year for many industries in terms of cybersecurity compliance:

- Cybersecurity Maturity Model Certification (CMMC) version 1.0 released by the Department of Defense for defense contractors
- New regulations set to go into effect:
  - The New York Department of Financial Services
  - The much-anticipated California Consumer Privacy Act

Now, with security teams being pulled in many directions, they are faced with hardening security as well as meeting these standards – or are they?

Page 23:

HIPAA Security Rule

COVID-19 has placed healthcare systems and hospitals under the most strain.

The Department of Health and Human Services has relaxed enforcement of the HIPAA Rules to accommodate:

- Telehealth, given the use of less secure video conferencing tools (enforcement discretion for good-faith provision of telehealth)
- Hospitals in the emergency area (per the Public Health Emergency declaration) that have implemented a disaster protocol: a limited waiver of certain HIPAA Privacy Rule provisions, for up to 72 hours from the time the hospital implements its disaster protocol

Normal enforcement resumes upon the termination of the Presidential or Secretarial declaration.

Page 24:

PCI DSS

People
- Implement a security awareness program
- Ensure home networks are secured and employees are not sharing information with unauthorized individuals

Process
- Ensure that at-home/remote workers use multi-factor authentication
- Restrict physical access to media containing payment card data

Technology
- Require all personnel to use only company-approved hardware devices, e.g. mobile phones, telephone handsets, laptops, desktops, and systems
- Ensure that all desktops/terminals in remote/at-home working environments:
  - Have personal firewalls installed and operational
  - Have the latest version of the corporate virus-protection software and definition files
  - Have the latest approved security patches installed
  - Are configured to prevent users from disabling security controls

Page 25:

Areas of Cybersecurity Strength

Perform Risk Assessment:
- Education and awareness training
- Keep your anti-virus and anti-malware up to date
- Conduct vulnerability scans
- Strict enforcement of multi-factor authentication for both employees and patients
- Monitor

Page 26:

Page 27:

Empowering Companies to Successfully Manage Global Cybersecurity Risks, Vulnerabilities and Compliance Requirements

Regine Bonneau, CEO/Founder
Cell:
Email: [email protected]
Web: rbadvisoryllc.com