Essentials on Cyber Security
www.gfoa.org • #GFOA2018
112th Annual Conference • May 6-9, 2018 • St. Louis, Missouri
10:30 – 12:10 • May 9, 2018 • Room 230 Complex
Moderator/Speakers:
• Tonia Lediju, PhD, Chief Audit Executive, City and County of San Francisco
• Nicole Galloway, CPA, Missouri State Auditor, State of Missouri
• Joe Lyons, PhD, Dir. Security & Strat. Intelligence & Asst. Prof., Saint Louis University
• Bryan Hurd, CISM, CISA, CISSP, NSA-IAM, CCCI, CCFT, SNSCP, Vice President, Stroz Friedberg (Aon Company)
• Steve Flaherty, CPA, CIA, CFE, Principal Auditor, City and County of San Francisco
CYBERSECURITY: It’s all about the Data Integrity
Joe Lyons, Ph.D., Director and Assistant Professor
Security and Strategic Intelligence Program, Saint Louis University
Data integrity: the maintenance of, and the assurance of the accuracy and consistency of, data over its entire life-cycle.
Essentials on Cyber Security: Government Financial Officers are FUNDAMENTAL to Cyber Security
Wednesday, May 9, 2018, 10:30am to 12:10pm
Disclaimer
The information contained herein and the statements expressed are of a general nature and may not apply to particular factual or legal circumstances. The materials do not constitute legal advice or opinions and should not be relied upon as such. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Copyright Notice: Copyright © 2017 Aon Corporation. All rights reserved. No part of this document may be reproduced in any form, including video recording, photocopying, downloading, broadcasting or electronic transmission, without prior written consent of Aon Corporation.
Trademarks: The trademarks, service marks, trade names, and logos (“Marks”) associated with this presentation are owned by Aon Corporation, or third parties who have authorized their use. Nothing contained in this presentation should be construed as granting any license or right to use any Mark displayed in the presentation without the written permission of Aon Corporation or such third party that may own the Mark. Misuse of any Marks, or any other content, displayed on this website is prohibited.
Essentials on Cyber Security
Governments are being hit by an ever-increasing number of cyberattacks that range from targeting citizens’ private information to stealing funds.
Without appropriate measures, including risk management, cyber insurance, and business continuity plans, government data are at risk.
In this session, experts will explain how to defend against online fraudsters and detail creative and innovative solutions to cyber security, even if your government faces budget and staffing constraints.
Bryan E. Hurd, CISM, CISA, CISSP, NSA-IAM, CCCI, CCFT, SNSCP
Current: Vice President, Stroz Friedberg
– Director of Intelligence, Microsoft Cybercrime Center
– Chief of Operations, Directorate of Terrorist Identities, US National Counterterrorism Center
– Founder, US Navy Cyber Counterintelligence Program, NCIS
– Creator, Defensive Information Operations, U.S. European Command
– Senior Exec, Machine Learning and Artificial Intelligence Start Up
– Enterprise Intelligence Architect for Defense Intelligence Agency, Mantech
– Global Program Director for Computer Forensics, EDS
– Senior Analyst, Computer Investigations and Operations, NCIS
– Board Certified Antiterrorism Officer, U.S. Navy Antiterrorist Alert Center
The Big Intel Question – Who is the Threat?
• STATE: “There are no enemies... only emerging allies.”
• CIA: “We know who the enemy is, but telling you would endanger the source.”
• NSA: “We know who the enemy is, but you aren’t cleared.”
• Director of National Intelligence: “Whomever the enemy is, we are in charge of stopping them.”
• US Marines: “Doesn’t matter. Mess with the best, die like the rest.”
• US FBI: “The CIA.”
Financial Crime is Going Cyber…
• Criminal groups have skilled technical staff in many areas. They innovate their tools and techniques with every technological era.
• Use of digital technology to further traditional crimes
• New cyber-only crimes
– Banking Trojans = fraud
– Ransomware = extortion
– DDoS protection rackets = extortion
Transnational Cyber Crime Activities
• Ransomware
• Financial Fraud
• Identity Theft
• Human Trafficking
• Child Exploitation
• Cyber Terrorism
• Drug Trafficking / Smuggling
• Financial Denial of Service
• Industrial Espionage
• Intellectual Property Theft
• Massive Scale Identity Theft
• And many more…
Cyber Crime as a Service
Our New Reality…
• Cybercrime is evolving and poses a significant threat to consumers, businesses and governments
• Global, organized crime rings have embraced cybercrime as a key tactic
• The threats range from malware and botnets used to
– Steal critical financial, national or research data
– Infiltrate Critical Infrastructure
– Interrupt Critical Services via Ransomware
The new reality – Increasingly Bold Nation State Activities
NATION STATE CYBER ESPIONAGE AND INFORMATION WAR INFLUENCES GLOBAL POLITICS AND POLICY
Cyber espionage will continue to influence global politics and will spread to the upcoming elections in Latin America and Europe. Russia, China, Iran, and North Korea will be regions of great concern in 2017, as they continue to develop deep pools of cyber-crime talent.
2017 brought about more attacks from countries seeking to access and exploit sensitive information to realize their national interests, whether to wage an information war or conduct other destabilizing attacks such as disrupting networks or utility grids. Cyber espionage and nation-state cyber warfare will escalate.
© 2017 Stroz Friedberg. All rights reserved.
Threat landscape
[Chart: number of records affected, by attack type – insider, ransomware, hack, DDoS]
As the threat landscape intensifies, the impact of cyber attacks has increased.
The Evolving Cyber Threat
Across all industries, our clients are continuing to invest in deploying digital technologies to stay competitive and drive quality and efficiency objectives.
[Diagram: the Evolving Cyber Equation – Technological Drivers (Automation, Connectivity), Business Drivers, and Risk Drivers (Material Damage, Business Interruption, Product Liability, Data Breach, Media Liability, I.P. Infringement)]
2017 Cyber Exposure Trends
• Increasing data integrity attacks
• Regulator focus and pressure for in-house red teaming and cybersecurity talent development
• Criminal utilization of IoT devices as botnets and launching points for malware
• Nation state cyber espionage and information war influences in global and political policy
• Spear-phishing and social engineering tactics
• Pre-M&A cybersecurity due diligence
Cyber Attacks on Critical Infrastructure
• Water Supply
• Public Health
• Government
• Banking & Finance
• Telecommunications
• Emergency Services
• Transportation
• Power
• Law Enforcement
Attacks on Critical SERVICES – US City of Atlanta – 2018
• Ransomware cyberattack – $51,000 ransom demand
• Hearings for those in police custody are canceled until computer systems are functioning.
• “This is an attack on our Government, on all of us”
• Hired a COMMERCIAL company to help with the breach
• OFFLINE ARE: all applications for jobs, paying water bills, paying traffic/parking tickets, police reporting. Many departments have established manual workarounds.
• Good news – Atlanta's public-safety services such as 911, police, and fire-rescue are unaffected. Also safe were Hartsfield Jackson International Airport systems (except WIFI) and Atlanta City Payroll.
• Mayor: “being a national model of how cities can shore themselves up”
Banking Trojans and SWIFT Attacks
• $101 Million USD – Bangladesh Bank
• Malware issued unauthorized SWIFT messages AND acted to conceal the transfer
• Lazarus Group = possibly North Korea
• [Picture: Dillinger quote – $200 Million USD]
• Attacks on SWIFT continue
Cyberattack ‘Wake-Up Call’ for Pipeline Industry
• Companies weren’t required to report the attack to the regulator, the U.S. Transportation Security Administration (TSA)
• The agency urged pipelines to take measures including establishing a cybersecurity plan, limiting network access and changing default passwords.
• Congressman sees ‘bad actors’ looking to weaken the U.S.
• Did not interrupt flow of natural gas (targeted I.T. systems, not O.T. systems)
• Interruptions are EXTREMELY DIFFICULT to recover from
Cyber Attack on Baku-Tbilisi-Ceyhan (BTC) – 2008
• A massive explosion in Refahiye, Turkey in 2008.
• EXTERNAL? Infrared camera caught two individuals with laptop computers walking near the pipeline
– Over 60 hours of BTC video surveillance DELETED
• Hackers, probably acting under the direction of Russia, had shut down alarms, cut off communications and then super-pressurized the crude oil in the line.
• Business impact of the attack = billions of dollars.
• Also: Australian Sewage Incident – 2001
2018 Cybersecurity Predictions – Stroz Friedberg
https://content.strozfriedberg.com/2018-cybersecurity-trends-predictions-report
The CFO Scam: Have plans in place for Business Email Compromise (BEC)?
A BEC occurs when a “bad actor” impersonates a senior executive and orders expedited transfers of funds to first-time vendors, likely located overseas. The BEC is typically preceded by a phishing scheme or social engineering to gain information from company staff. Accounts are often emptied within hours after the initiation of the wire transfer and the full financial losses tend to fall to the companies.
• How can you rapidly confirm requests, especially when rank and urgency are abused in BEC?
• How will you communicate in a way that the adversary cannot control?
• Solution starts with FINANCIAL PROCESS controls, not technology!
What Can Government Finance Officers Do Today…
To support on the TECHNICAL LEVEL
– According to Essye Miller, Acting CIO and Senior Information Security Officer (SISO), Department of Defense, studies of hacks into DoD networks indicate one area that brings significant protection…
• Start by securing the ENDPOINTS (PCs, Laptops and Devices)
• This was where adversaries of all types (from insiders to nation state programs) got their foothold
– But the technical level is not where finance officers will have the most impact…
– It will be at the enterprise business level!
So let’s LEVEL IT UP!
Don’t Dumb it Down…
• It’s tempting for security professionals to focus all of their attention on the technical details:
– Threats, Vulnerabilities, Exploits, IT Solutions, Indicators of Compromise
• But LEADERS should talk about
– BUDGET, Mission, Business, Strategy, Regulatory, Legal
– Balancing between attackers, defenders, regulators, and citizens
… Level It Up!
What Can Government Finance Officers Do Today… FRAMEWORKS
Identify and protect your critical assets and balance sheet by aligning your cyber enterprise risk management strategy with your corporate culture and risk tolerance.
Finance officers can ask for the framework your team is using and then ask for a “business level” explanation of budget allocation in cyber discussions.
Discussion Example ONLY – not a recommended allocation:
• 30% to security architecture development and deployment (protect)
• 10% to Assess and Test
• 10% to Improve
• 15% to Detect
• 10% to Quantify and Mitigation (Continuity Plans, COOP, Backups, etc.)
• 20% to Respond
• 5% to Training, Awareness and other areas
What does your financial allocation framework look like?
Goal: Lower Total Mission Impact of Risk
Developing Security Program Overview – Think RISK, not technology!
• Review existing policies and compare against the policy framework
• Develop/update policies, standards, procedures and supporting documentation
• Develop/update policy framework definitions
• Conduct a high-level assessment and identify gaps between the current information security program and your selected framework
• Conduct a risk assessment and develop a risk assessment methodology in accordance with requirements
• Based on the asset universe, perform a threat, vulnerability and likelihood analysis on the asset groups
• Prepare a risk treatment and remediation plan and identify controls to address high risk areas
• List responsible individuals and implementation timelines
• Maintain project management oversight and guidance
IoT, Cloud, eGov, etc.: Ask about security BEFORE it deploys…
• As new SYSTEM X is developed or deployed, how much of the DEVELOPMENT project budget was focused on ensuring security?
• What security checks and balances are there in our PROCUREMENT processes?
• How are we demonstrating that we have funded deployment of a secure solution?
• What funds keep the security of this capability UP TO DATE (patching vulnerabilities, etc.)?
What Can Government Finance Officers Do Today… Start with FINANCIAL QUESTIONS
• What are we allocating in budget to protect our systems directly? How does this compare to other GFOA members in organizations of my size, complexity and limited budget resources?
• Are there collective procurement or negotiation options for solutions or services?
• What is our approach to dependencies on suppliers and third parties?
• How do we prioritize the systems, services or capabilities that receive increased budget for protection?
Incident Response – BEFORE, During and After
• Have we budgeted to conduct table tops or incident walk-throughs?
• Do we have the contracts in place for services we may need during or after an incident?
• What budgetary resources and approvals will be needed to respond to an incident?
• What levels of service are expected? How are those services paid for? From which budget?
• What are the priorities for recovery and restoration of critical services?
Don’t Dumb it Down…
• It’s tempting for security professionals to focus all of their attention on the technical details:
– Threats, Vulnerabilities, Exploits, IT Solutions, Indicators of Compromise
• But LEADERS should talk about
– Diplomacy, Mission, Business, Strategy, Regulatory, Legal
– Balancing between attackers, defenders, regulators, and consumers
… Level It Up!
Essentials on Cyber Security: Government Financial Officers are FUNDAMENTAL to Cyber Security
Bryan E. [email protected]
CITY & COUNTY OF SAN FRANCISCO
Office of the Controller, City Performance Unit
Steve Flaherty, CPA, CIA, CFE – 05.09.2018
Essentials on Cyber Security: An Auditor’s Perspective
What Are We Really Talking About?
cybersecurity (noun) cy·ber·se·cu·ri·ty \ ˈsī-bər-si-ˌkyu̇r-ə-tē \
measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack
Popularity: Top 40% of words
(“Audit” Popularity: Top 30% of words)
Source: merriam-webster.com
With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse.
• Ransomware: there were an average of 1,242 ransomware detections per day in 2017
• Crypto Jacking: coin mining detections increased by 8,500% in 2017
Some Bad News – Your Jurisdiction
• Doxing – Exposing and publishing one’s identity and personal information online
• DDoS – Distributed Denial of Service: the use of multiple computers to generate an excessive amount of network traffic with the intent of rendering a service unusable
• Web Defacement – Making unauthorized changes to a targeted website
But Really, Why Should I Care?
$ Regulatory Fines $ • $ Legal Costs $ • $ Remediation $
Average Cost of an Attack: $1.3 million
Source: https://www.csoonline.com/article/3227065/security/cyber-attacks-cost-us-enterprises-13-million-on-average-in-2017.html
But Really, Why Should I Care?
• Not my money
• Not my data
• They can’t take their business elsewhere
Avoid bad job consequences!
Is There Any Good News?
Local governments can use people, processes, and technology to improve cybersecurity without spending a lot of money.
The People
• Get Executive and Senior Management buy-in
– Start here!
• Staff training and awareness
– Repeat this regularly!
• Hire for experience, qualifications, and attitude
– Easier said than done!
• Collaborate!
The Processes
• Adopt a cybersecurity policy and framework
• Align your security framework with your organization
• Continually review processes and communicate
– Things change quickly
The Processes
The NIST Cybersecurity Framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program.
Can’t adopt a framework? No checkbox – evaluate risks.
Does your organization have policies on:
• Use of government equipment?
• Password length?
• How often passwords are changed?
• Personal electronic items?
• Employee cybersecurity training?
• Vendor cybersecurity training?
• Cloud-based services?
• Breach recovery?
The Processes
• Do not skip People and Processes!
• Own the program, not the tool
• Focus on the basics:
– Are you patching?
– Are permissions in place?
– Is your password “password”?
– Can you identify anomalies?
– Do you know what’s on your networks/systems?
– Can you recover and restore?
• Identify vulnerabilities and penetration test
The Technology
• Take a holistic approach – people, processes, and technology
• Establish a framework
• Identify risks based on your operation – no checkboxes
• Begin mitigation
Final Thoughts