Cyber Pandemic: The Ransomware Threat to Tribal Gaming October 20-22, 2021 Las Vegas, NV
National Indian Gaming Association Seminar Series Institute Presents:
Cyber-Pandemic: The Ransomware Threat to Tribal Gaming Hybrid Training October 20 – 22, 2021 (Pacific Time) Location: Sonoma A, South Point Hotel & Casino, Las Vegas, Nevada. Virtual: Presented via Zoom AGENDA (Subject to Change)
Wednesday, October 20
8:00am – 9:00am: Onsite Attendee Breakfast
9:00am – 9:30am: Welcome/Course Introductions
9:30am – 10:30am: DHS Homeland Security Investigations - Cyber Threat Overview
    Special Agent Michael Adams
10:30am – 10:45am: BREAK
10:45am – 12:15pm: How to Protect Tribal Assets from Cyber Security Threats
    GLI/Bulletproof – Melissa Aarskaug (Presenting via Zoom)
12:15pm – 1:15pm: BREAK
1:15pm – 2:45pm: Legal Perspectives – Cyber Security and Privacy
    EY-Parthenon – Brian Levine (Presenting via Zoom)
    GableGotwals – Trent Shores
2:45pm – 3:00pm: BREAK
3:00pm – 4:30pm: Public Relations – Effective PRR Response to Cyber Incidents
    GableGotwals – Trent Shores
    Gray Analytics – Jay Tow
    Indian Gaming Esports Association – Ernest L. Stevens, III

Thursday, October 21
8:00am – 9:00am: Breakfast
9:00am – 10:30am: Compromised Networks – The Cyber Incident Response
    Stroz Friedberg - Brian Resler
10:30am – 10:45am: BREAK
10:45am – 12:15pm: Insider Threats to the Organization
    Stroz Friedberg – Brian Resler
    Wipfli LLP – Andrew Hofstetter
12:15pm – 1:15pm: BREAK
1:15pm – 2:45pm: Law Enforcement and Regulatory Responses to Cyber Security Incidents
    Federal Bureau of Investigation – Special Agent Rick Alwine (Las Vegas FBI)
    National Indian Gaming Commission – Jeran Cox, IT Audit
2:45pm – 3:00pm: BREAK
3:00pm – 4:30pm: Cyber Security Training Programs for the Workforce
    SilkWeb – Laurel Silk

Friday, October 22
8:00am – 9:00am: Breakfast
9:00am – 10:30am: Cyber Threat Intelligence
    Cyber Team Six Cybercrime Prevention – Patrick Westerhaus
    CounterCraft – Luke Wilson
    Tribal-ISAC – Mike Day (Presenting via Zoom)
10:30am – 10:45am: BREAK
10:45am – 11:45pm: Protecting Your Intellectual Property Rights
    Whiteriver LLC – Michael LeMieux
11:45am – 12:15pm: Closing Remarks
    National Indian Gaming Association
HOW TO PROTECT TRIBAL ASSETS FROM CYBER SECURITY THREATS
PRESENTED BY: Melissa Aarskaug, VP of Business Development
▪ Global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025.
▪ Damages totaling $6 trillion USD globally in 2021.
STATE OF THE UNION
▪ The latest forecast is for global ransomware damage costs to reach $20 billion by 2021 — which is 57X more than it was in 2015.
▪ We predict there will be a ransomware attack on businesses every 11 seconds by 2021, up from every 40 seconds in 2016.
WHY ARE ATTACKS SO SUCCESSFUL?
4 MINUTES = time it takes hackers to get in your network
99 DAYS = time it takes businesses to discover they’ve been breached
COMMON CYBER INCIDENT CAUSES
▪ PHISHING EMAILS
▪ POOR WEBSITE/CLOUD SECURITY
▪ UNPATCHED SOFTWARE
▪ POOR MOBILE DEVICE CONFIGURATION
▪ LACK OF EMPLOYEE CYBERSECURITY TRAINING
▪ POOR SECURITY CONFIGURATIONS
▪ CALLER ID SPOOFING
▪ POOR NETWORK/SYSTEM SECURITY
STEP 1: TALK ABOUT IT WITH YOUR PEERS
Discuss the challenges with your peers and acknowledge that there is a problem.
Talk with your peers to learn what other Tribes are doing to mitigate the risks and challenges.
A NEW LEVEL OF SECURITY PROTECTION
• User Awareness + Training
• Defense + Offensive Countermeasures
STEP 2: PROPER PLANNING
At the end of the day, Forrester Research says, “it's up to business leaders to create a culture where security is part of everything an organization does. Now is the time to fully assess weak points, current strategies, unplanned-for contingencies, and human error potential before something serious happens.”
• Vulnerability Assessment + Penetration Testing (internal & external infrastructure, wireless, web application, mobile application, social engineering)
• Threat Risk Assessment (TRA)
• Incident Response + Digital Forensics
• Remediation Planning to Strengthen Security Plans
STEP 3: ENGAGE A TRUSTED SECURITY COMPANY WHO CAN PARTNER WITH YOU
Having a security partner can be a great solution, providing the greatest value and knowledge to handle the latest cyber attacks, threats, risks, and vulnerabilities.
• Managed Security Services | 24/7 Security Monitoring + Incident Management
• Ongoing Security Program + Compliance Testing
• Security System Management (Firewall, IPS, Antivirus, Access Control)
• Virtual CISO = Smart + Strategic Solution to Optimize Security Posture
BULLETPROOF SERVICES FOR TRIBES A new level of security protection
Managed Security Services | Managed Services
Cybersecurity Consulting, Assessments, & Services
Compliance & Certification Audits
Quality Assurance & Testing
eLearning & Training
Questions?
Let’s Chat Melissa Aarskaug, VP of Business Development Melissa.Aarskaug@bulletproofsi.com Bulletproofsi.com/tribal
CONTINUE THE CONVERSATION ON SOCIAL
@Bulletproof, a GLI Company
@bulletproofsi
@bulletproof_IT
Cybersecurity Threat Landscape Presentation by Brian Levine & Trent Shores
National Indian Gaming Association
Introductions
Brian Levine Managing Director Strategy and Transactions, EY-Parthenon
R. Trent Shores Shareholder GableGotwals Counsel
E-mail: brian.levine@ey.com Tel: +1 650-283-6738
E-mail: tshores@gablelaw.com Tel: +1 918-595-4805
The Cybersecurity Threat Landscape
Theft of PII
Theft of Proprietary Information
Operational
Attack Clients (e.g., SolarWinds)
Threat Actors and Motives
Types of Attacks
• Business Email Compromise
• Extortion/Sextortion/Blackmail
• Data Collection or Manipulation
• Blended HUMINT/Cyber and Insider
• Economic Espionage/IP Theft
• Critical Infrastructure Exploitation
• Destructive Cyber Attacks
Types of Attacks - Business Email Compromise
Business Email Compromise
Ransomware
Vendor/Supply Chain Attacks
How They Work
• Spoof email account or domain
• "Spearphishing" or use of malware to gain email account info.
• IE: John.Kelly@mail.com vs John.KelIy@maiI.com
• Gather intel, groom their target
• Conduct fraudulent transaction or legitimate transaction with false credentials
• Wire transfer of funds through various accounts overseas
• Primarily Nigerian and eastern-European organized crime. Also used to fund and gather intel for nation-state groups.
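An added example (not part of the presentation) of a mail-gateway style check for the lookalike-address trick shown above, where a capital "I" stands in for a lowercase "l". The confusable map, the trusted-contact list and the sample From headers are constructed assumptions.

```python
"""Flag sender addresses that visually imitate a known contact (added example)."""
from email.utils import parseaddr

# Constructed map of characters (or pairs) that render like another character
# in common fonts. Deliberately small; Unicode homoglyphs are not covered.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o")]

# Constructed list of contacts the organization actually does business with.
TRUSTED = ["john.kelly@mail.com", "accounts@vendor.example"]

# Constructed From headers, as a gateway would see them.
SAMPLE_HEADERS = [
    "John Kelly <John.Kelly@mail.com>",      # genuine
    "John Kelly <John.KelIy@maiI.com>",      # capital I in place of l
    "John Kelly <john.kelly@rnail.com>",     # r+n in place of m
    "Accounts <acounts@vendor.example>",     # one letter dropped
    "Newsletter <news@example.org>",         # unrelated sender
]


def skeleton(addr):
    """Collapse look-alike characters BEFORE lowercasing, so 'I' maps to 'l'."""
    s = addr.strip()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender, trusted):
    """Return (verdict, matched_contact) for one sender address."""
    literal = sender.strip().lower()
    for contact in trusted:
        if literal == contact.strip().lower():
            return ("trusted", literal)
    skel = skeleton(sender)
    near = None
    for contact in trusted:
        known = contact.strip().lower()
        known_skel = skeleton(contact)
        if skel == known_skel:
            # Looks identical on screen but is a different mailbox.
            return ("lookalike", known)
        if near is None and edit_distance(skel, known_skel) <= 1:
            near = known
    return ("near_match", near) if near else ("unknown", None)


def scan(from_headers, trusted):
    """Return the senders that imitate a trusted contact."""
    findings = []
    for header in from_headers:
        _, addr = parseaddr(header)
        verdict, contact = classify(addr, trusted)
        if verdict in ("lookalike", "near_match"):
            findings.append((addr, verdict, contact))
    return findings


if __name__ == "__main__":
    for addr, verdict, contact in scan(SAMPLE_HEADERS, TRUSTED):
        print(f"{verdict:10} {addr} imitates {contact}")
```

A lookalike domain that the sender registered can pass SPF, DKIM and DMARC, so a check like this complements those controls rather than replacing them.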
Types of Attacks - Ransomware
Types of Attacks – Vendor/Supply Chain Attacks
Internal / External
Cloud Configuration Errors / Phishing Attacks / Vendor Breach
• Training
• Training
• TPRM
• Secure Cloud Architecture Reviews
• Phishing Exercises
• E-mail Protection Solution
• DMARC, DKIM, SPF
• Incident Response Playbook
• Defense in Depth
• Sandbox Testing
• Cloud Wrappers
• Segmentation
• Third Party API Vetting
Before a breach: What can you do?
Before a Breach
During a Breach
After a Breach
• Third-Party Assessments
• Security and Privacy Best Practices
• Incident Response Plan
• Cyber Insurance
• Immutable Backups
April 2021
Working with Law Enforcement
During a breach: What can you do?
• Follow Incident Response Plan
• Communications
• Disclosures / Notifications
After a breach: What can you do?
• Understand the full impact
• Understand the bigger picture
• Remediation and future prevention
• Update incident response plan
Thank You. Questions?
Compromised Networks – the Cyber Incident Response Cyber-Pandemic: The Ransomware Threat to Tribal Gaming October, 2021
Brian Resler, Vice President Stroz Friedberg, an Aon company
RANSOMWARE – Definition
“Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”
Source: Cybersecurity and Infrastructure Security Agency, September, 2020 https://www.cisa.gov/stopransomware/ransomware-101
RANSOMWARE – Methodology
RANSOMWARE – Attack Vectors
RANSOMWARE - Trends
Key Observations:
▪ Ransomware activity has dramatically outpaced Data Breach/Privacy Event activity. Ransomware up 311% from Q1 2019 to Q2 2021.
▪ Eight figure losses are commonplace – business interruption represents the largest component of loss, litigation still to come.
▪ Data exfiltration occurred in 77% of ransomware cases per Coveware in Q1 2021.
▪ Average downtime in Q1 2021: 23 days per Coveware
RANSOMWARE - Trends
▪ Average Cost of a Data Breach - $4.24MM
  - Up 10% from 2020
▪ Average Total Cost of a Ransomware Event - $4.62MM
  - NOT including ransom payment
▪ Average # of Days to Identify and Contain Breach – 287
  - Companies with a higher number of remote workers averaged 58 days longer than others
▪ Average Cost of Breach: Hospitality Industry - $3.03MM - Way up from $1.72MM in 2020
Source: IBM Security. Ponemon Institute, Cost of a Data Breach Report, 2021; available at https://www.ibm.com/security/data-breach
RANSOMWARE - Trends
▪ Average ransomware payment declined in Q2 2021 - $136,576, down 38% from Q1 2021
▪ Companies with fully deployed security AI and automation saw costs 80 percent lower than companies without such protections
▪ Companies operating in hybrid cloud environments saw lower than average costs associated with data breach ($3.61MM) and containment 77 days faster
Sources: IBM Security. Ponemon Institute, Cost of a Data Breach Report, 2021; available at https://www.ibm.com/security/data-breach; Coveware Update, July 23, 2021, Q2 Ransom Payment Amounts Decline as Ransomware Becomes a National Security Priority ; available at Coveware.com.
RANSOMWARE – Trends & Other Threats High-Profile Exploits
Theft of Intellectual Property
Ransomware as a Service (RaaS)
Supply-Chain Attacks
RANSOMWARE – Vital Questions for a Business in an IR
▪ How long until we are operational?
▪ What is the status of our backups?
▪ Was any of our data exfiltrated? If so, what?
▪ Should we contact the threat actor, and if so, should we pay?
  - Can we pay? (OFAC restrictions)
▪ Will we have any reporting requirements? If so, when and what?
▪ Should we notify law enforcement?
▪ Do we need to notify our customers / vendors / suppliers / board of directors? If so, when and how?
▪ Is this covered by, or will it affect, insurance?
RANSOMWARE – What an Incident Response Team Wants to Know
▪ Nature of your business
▪ Current network map
▪ Number and locations of endpoints, servers
▪ Operating system(s) / patching history
▪ Firewall / antivirus / EDR / SIEM solutions
▪ Email system employed
▪ Timeframe and granularity of all logging
▪ Use of an MSP for any services
▪ Whether MFA is enabled, when passwords last changed
RANSOMWARE – What an Incident Response Team Wants to Know (con’t)
▪ Timeline of incident to date
▪ The number and types of systems affected
▪ Ransomware note / contact with threat actors
▪ Whether any indications data was exfiltrated
▪ Whether any systems have been restored
▪ Recent or pending business events or deadlines
▪ Priority systems: function (i.e., payroll) and content (i.e., trade secrets, PII)
▪ Status of backups
▪ Status and capabilities of local IT team
▪ Insurance status
RANSOMWARE – What an Incident Response Team Will Do
▪ Identify initial point of compromise
▪ Identify indicators of compromise (IOCs), malware and tools used by the threat actors
▪ Determine lateral movement by threat actors
▪ Identify vulnerabilities
▪ Retain and engage with negotiation specialist
▪ Establish a timeline from initial breach of network to deployment of ransomware
▪ Identify folders and files accessed, as well as locate any proof of exfiltration
▪ Draft report of investigation
▪ Provide evidence / opinions relevant for legal/business decisions
THE IMPORTANCE OF RELATIONSHIPS
▪ Having well-established relationships before an incident greatly reduces the time, cost and stress involved in responding and should include:
  - counsel
  - incident response team
  - managed services provider
  - PR consultants
LOOKING FORWARD
▪ Enable logging with as much granularity and for as much time as feasible
▪ Enable MFA
▪ Use strong passwords and rotate frequently
▪ Patch all systems and software as soon as practical, but especially firewalls, AV and EDR
▪ Use offline backups if possible, and regularly test them
▪ Regularly deactivate old accounts for employees, vendors and contractors, particularly ones with admin privileges
LOOKING FORWARD
▪ Engage in periodic pen testing and IR tabletop exercises
▪ Consider a threat hunt to identify all existing compromises
▪ Regularly update network map
▪ Periodically assess and adjust email rules and configurations
▪ Provide periodic cybersecurity training for all employees
▪ Create a culture of security
INSIGHTS
Incident response is a marathon, not a sprint
Policies, practices and security tools need regular review, maintenance and testing
Security is everyone’s concern
A culture of security comes from the top-down
QUESTIONS
Brian Resler, Vice President Stroz Friedberg, an Aon company 2001 K Street N.W. Suite 625 N Washington, D.C. 20006 (202) 480-5774 brian.resler@strozfriedberg.com linkedin.com/in/brian-resler-019424191
Cyber-Pandemic: The Ransomware Threat to Tribal Gaming October 2021 INSIDER THREATS TO THE ORGANIZATION
Andrew Hofstetter, Director, Wipfli LLP
Brian Resler, Stroz Friedberg, an Aon company
INSIDER THREATS – Types of Actors
▪ Includes current and former employees, contractors and vendors
▪ May act intentionally, recklessly, or unwittingly
▪ Motives: financial, frustration or anger with the business, or political or personal beliefs
▪ Remote work challenges
PHYSICAL SECURITY
▪ Key: controls / records of access to and use of:
  - equipment
  - sensitive areas
  - monetary instruments
  - passes/tickets/badges
  - logging systems (visitor records, cameras, etc.)
  - visitors
CYBER SECURITY
▪ Key: controls / records for access to and use of:
  - email
  - systems and data
  - sensitive information
  - devices
  - applications
  - personal devices / apps
  - other users’ information or security controls
TRAINING AND EXPERIENCE
▪ Key: periodic training, review and acceptance of:
  - terms of use for: devices, systems, data, access
  - non-disclosure agreements
  - non-compete agreements
  - assignment agreements
  - security awareness training
STORIES AND INSIGHTS
QUESTIONS
Andrew Hofstetter, Director Wipfli - Organizational Performance Practice
Milwaukee, WI (951) 923-8144 andrew.hofstetter@wipfli.com
Brian Resler, Vice President Stroz Friedberg, an Aon company Washington, D.C. (202) 480-5774 brian.resler@strozfriedberg.com
Homeland Security Investigations HSI
Project Cyber Sentinel Network Intrusion and Cybersecurity Outreach
Who We Are
HSI is the principal investigative arm of the U.S. Department of Homeland Security, responsible for investigating transnational crime and threats, specifically those criminal organizations that exploit the global infrastructure through which international trade, travel, and finance move.
37,547 criminals arrested in FY 2019
Our Mission
HSI investigates, disrupts, and dismantles terrorist, transnational, and other criminal organizations that threaten or seek to exploit the customs and immigration laws of the United States.
103 average criminal arrests per day in FY 2019
Global Footprint
HSI consists of more than 9,800 employees who are assigned to offices in over 210 cities throughout the U.S. and 78 international offices in 52 countries across the world.
6,790+ special agents included among 9,800 HSI employees
Cyber Crimes
Transnational criminal organizations commonly use cyber technology to facilitate their criminal activity. HSI is a worldwide law enforcement agency at the forefront of darknet and other cyber-related criminal investigations. HSI investigators infiltrate illicit darknet activity, target criminal organizations, and protect the public and our critical infrastructure.
Network Intrusion
Digital Crimes
Network Intrusion Investigations
The digital exfiltration of intellectual property and export controlled technical data is occurring at an alarming rate. CCU responds to and investigates incidents of cyber intrusion where the intrusion occurred in furtherance of a violation investigated by HSI.
Network Intrusion Outreach & Response
HSI agents engage with private industries both proactively and reactively:
Proactively
• Providing remote and on-site webinars on network intrusion risks, trends, and safeguards.
• Providing awareness materials to industry for distribution within their organization.
Reactively
• Providing investigative analysis to help determine the origin of the attack in order to identify and arrest threat actors.
Data Breaches and Current Trends
The Cyber Threat: The Attack Process
Reconnaissance: Attacker conducts open source investigation to learn about the target
• WHOIS lookup
• DNS interrogation
• Your websites, social media, the “GOOGLE Machine”
Scanning: Attacker surveys the target to find vulnerabilities
• War driving
• Network mapping
• Port scanning
• Vulnerability scanning
Exploitation: Attacker attempts to gain access, undermine an application or deny a service
• Undermine an application
• Deny a service
Keeping Access: Attacker attempts to maintain access by establishing user accounts, backdoors/C2
• Establishing accounts
• Backdoors
• C2
Covering Tracks: Attacker steals the data and attempts to hide the presence of the breach
• Manipulating/deleting logs
• Malicious code
Also labelled in the diagram: Metasploit (automated scanning/attack tool); Firewall, IDS/IPS, Server, OS
Data exfiltration can occur anytime and multiple times after exploitation
Results of an Attack
Incident
• A security event that compromises the integrity, confidentiality, or availability of an information asset
Breach
• An incident that results in the confirmed disclosure — not just potential exposure — of data to an unauthorized party
In 2020, the Verizon incident response team reported over 157,525 incidents and 3,950 confirmed data breaches.
* Statistics from 2020 Data Breach Investigations Report.
The Cost of a Hack
Data breaches caused by malicious attacks are the most common and expensive.
• Every 39 seconds there is a hacker attack; these attempts are not necessarily successful
• Hackers steal 75 records every second (Breach Level Index)
• Global average total cost of a data breach in 2020 is $3.86 million
• Healthcare has the highest industry average cost at $7.13 million
• 280 days is the average time to identify and contain a data breach
* Statistics from IBM’s “Cost of a Data Breach Report 2020”.
Breaches – Attack Findings
Who’s Behind the Breaches? (Perpetrator(s): %)
• External Actors: 70%
• Organized Criminal Groups: 55%
• Internal Actors: 30%
• Partners: 1%
• Multiple Parties: 1%

Who are the Victims? (Industry Breached: %)
• Contained in days or less: 81%
• Involved large business victims: 72%
• Personal data was compromised: 58%
• Involved small business victims: 28%
• Had 4 or more attacker actions: 4%

What Tactics are Utilized? (Type of Breach Tactic: %)
• Hacking: 45%
• Social Attacks: 22%
• Malware: 17%
• Errors were Causal Events: 22%
• Privilege Misuse: 8%
• Physical Actions: 4%

Other Commonalities (Type: %)
• Financially motivated: 86%
• Web applications were involved: 43%
• Utilized stolen or used credentials: 37%
• Malware incidents were ransomware: 27%
• Involved phishing: 22%
* Data is based on 2020 Data Breach Investigations Report. Data breaches may be associated with multiple attacks, actors, and/or actions.
Patterns within Healthcare
Patterns in Healthcare Industry Breaches
Unsurprisingly health data is the type of data most commonly breached in the healthcare industry; however, both personal data and credentials are also stolen in healthcare industry attacks.
Miscellaneous errors are the most common issue that result in a breach.
• Examples include sending email or mail with sensitive data to the incorrect person.
As more and more organizations open patient portals and create new and innovative ways of interacting with their patients, they create additional lucrative attack surfaces. This has led to the rise of web application attacks.

Types of Data Compromised (%)
• Personal: 77%
• Medical: 67%
• Credentials: 18%
• Other: 18%
In 2020, the Verizon incident response team reported 3,950 breaches in the healthcare industry.
* Data is based on 2020 Data Breach Investigations Report - Healthcare. Data breaches may be associated with multiple types of compromised data.
Patterns within Financial, Insurance, and Retail Industries
Traditionally Point of Sale (PoS) was the dominant concern for data breaches. Today there is a rising trend of exploiting web applications as institutions, retailers, and individuals increase their reliance on saving valuable data to the cloud, such as email accounts and business-related processes.
The majority of attacks are perpetrated by financially motivated external actors.
Patterns in Retail Industry Breaches
In 2020, the Verizon incident response team reported 148 breaches in the retail industry.
Types of Data Compromised (%)
• Personal: 49%
• Payment: 47%
• Credentials: 27%
• Other: 25%

Patterns in Financial and Insurance Industry Breaches
In 2020, the Verizon incident response team reported 448 breaches in the financial and insurance industries.
Types of Data Compromised (%)
• Personal: 77%
• Credentials: 35%
• Other: 35%
• Bank: 32%

* Data is based on 2020 Data Breach Investigations Report. Data breaches may be associated with multiple types of compromised data.
Attack Vectors
Social Attacks
Phishing and pretexting are the most common type of social media attack. Email continues to be the most common attack vector (96%).
• Phishing is often used as the lead action of an attack and is followed by malware installation and other actions that ultimately lead to exfiltration of data.
• The good news is that social and security awareness training appears to be effective as click rates are low and reporting rates are rising.
[Charts: Top Social Varieties in Incidents; How Many Phishing Test Campaigns Were Reported at Least Once]
Hacking
Hacking falls into 3 distinct groups:
1. Utilizing stolen or brute-forced credentials
2. Exploiting vulnerabilities
3. Utilizing backdoors and Command and Control (C2) functionality
Over 80% of hacking breaches involve the use of brute force or lost/stolen credentials. Oftentimes these credentials are used in conjunction with attacks against web applications.
* Statistic from 2020 Data Breach Investigations Report.
Ransomware
Ransomware is a type of malicious software or malware that encrypts data making it unusable. The cyber criminal holds the data hostage until the ransom is paid.
Most common infection vectors:
• Email phishing campaigns
  • Containing malicious file or link
• Remote Desktop Protocol (RDP)
  • RDP is a network protocol that allows individuals to control resources and data over the internet.
  • Cyber criminals use various methods to obtain credentials; once they have access, they can deploy malware to systems
• Software Vulnerabilities
Post Data Exfiltration
What Happens Post Data Exfiltration?
Once a threat actor obtains data and scans the data for important/valuable information, they will either utilize this data for their own personal gain or sell it to a 3rd party.
Credit cards and payment details are the most sought-after marketplace goods on the deep and dark web.
• 3rd parties, or “brokers”, will buy the card details from a marketplace and resell them to a “carder”.
• Carders will spend as much funds as possible before the respective owner and/or bank discovers the compromise.
• Oftentimes carders will buy online gift cards and then use these to purchase electronics, which can be quickly resold due to high demand.
The Cyber Criminal Underworld – Exploiting Network Access
Gain Access: Threat actor breaches the network and works on escalating their access to administrator privileges and putting a value on the access.
Sell Access: Threat actor markets the sale of the access on deep and dark web markets and forums.
Buyer’s Choice: Buyer now has network access and can plan and execute their attack. Examples include: Ransomware attack, data exfiltration, espionage, malware deployment, and phishing attacks.
Borrowed Time: The buyer is now conducting their attack and it is a matter of time until they are located and their access revoked. This can take minutes, days, or even years.
The Cyber Criminal Underworld – Commercial and PII Fraud
Steal: Threat actors steal credit card and identity data utilizing botnets, malware, Trojans, phishing, keylogging, et cetera.
Sell: Threat actors sell the credit card and identity data through fraud rings on the deep and dark web.
Commit Fraud: Fraud rings use the personal information for fraud on e-commerce and banking sites. Examples include: account takeovers, money transfer, card not present transactions.
Convert to Cash: Fraud rings use e-commerce, classified ads, and drop zones to convert physical goods into cash.
Defending Against and Responding to Data Breaches
Defending Against Social Attacks
How effective is an organization’s employee awareness campaign?
• “We have tried posters, online training, cyber awareness coffee mugs, in person seminars, pen testing…”
The awareness solution:
• 78% of people don’t click a single phish all year
• 4% of people (on average) in any given phishing campaign will click
• Perhaps try and find those 4% of people ahead of time and plan for them to click
Awareness by itself is not the solution
Best Practices for Securing Your Data
Organizations can minimize their risk of cyber attacks by:
• Updating and patching systems
• Conducting continuous vulnerability scans and monitoring accounts
• Backing up data and configurations; creating system images; and saving these offline
• Utilizing network monitoring, proxies, and multi-factor authentication
• Enabling email and web browser protections
• Implementing a security awareness and training program
• Reviewing and exercising incident response plans
What to Do When Breached
When a breach occurs best practice is to:
• Isolate the infected computer immediately
• Isolate or power-off affected devices that have not yet been completely corrupted
• Immediately secure backup data or systems by taking them offline
• Contact law enforcement immediately
HSI Intrusion Response
HSI Special Agents receive technical certified training and have the legal authority to respond to a cyber intrusion. We will work closely with your organization to gather valuable evidence related to the intrusion. Intrusion investigations are conducted in a manner that causes little or no disruption to normal operations. Apprehending cyber criminals and the recovery of data is a priority for HSI intrusion investigations.
Protecting the Homeland with Honor, Service, and Integrity
Q&A
CyberStronger borrows from the masters of advertising where short, story-driven videos increase employee awareness levels and help keep the workplace safe.
Professional actors create relatable stories. CyberStronger often uses strong metaphors or similar situations to make the message clearer.
CyberStronger videos are always up to date with the latest threats as two new videos are added monthly.
Sign up for a FREE trial and find out why CyberStronger Security Awareness training is the best front line employee training solution.
CyberStronger's security awareness videos, CyberAware, are only around one minute each. No video is over two minutes. All videos have strong concepts and visuals that keep the viewer engaged and increase learning and information retention.
Laurel Silk, MAEd. Cell: (602) 910-7494
Toll-Free: 1-888-618-1118 Email: lsilk@silkweb.com
Blackboard ® Learning Management System
SilkWeb is the leading developer for custom e-learning in the United States. SilkWeb's instructional designers deliver new implementations, administration services, course transitions, and custom e-learning development services to hundreds of Blackboard® institutions across the United States.
Blackboard® Implementation
Instructor Training and End-User Support
Blackboard® Video Tutorials
Quality Assurance Reviews
White-Glove Course Migrations
LTI Integrations
Cybersecurity Education & Training Solutions
• Focus on Essentials
• Hands-on, Performance-Based Education
• Clearly-Defined Performance Outcomes
• Education Developed from the Job Outward
• Practice and Immediate Feedback
• Tasks Replicated through Real-World Scenarios
• Demonstration of Competencies and Tasks
SilkWeb works with each organization to customize and implement the cybersecurity certification, training, or degree program that best serves your needs. We help train your employees and provide ongoing support for program design, technology, implementation, and best practices. Research shows that students learn best when course material is applicable and “hands-on.” Our cybersecurity training uses real-world scenarios to train students on the latest cybersecurity practices, methodologies, and industry standards.
www.silkweb.com
1.888.618.1118
Indian Small Business Economic Enterprise (ISBEE)
Woman-Owned Small Business (WOSB)
Minority-Owned Business (MBE)
Small Business Enterprise (SBE)
IMPROVING LEARNING OUTCOMES THROUGH TECHNOLOGY
Custom e-Learning Game-Based Mobile Compatible
Professional Development Compliance Cybersecurity
LMS Solutions Blackboard® Reseller Admin Support Course Management Technical Support User Management
Microlearning Story-Based Video
Leadership Onboarding
Why settle for off-the-shelf content when you can afford a custom e-learning solution?
Let SilkWeb create rich, custom e-learning courses specific to your industry.
Ask us about:
Accessibility & DEI Multimodal Microlearning Flexible Learning Structures
Company Information
Name: Laurel Silk, MAEd - Owner & CEO
Company: SilkWeb Consulting & Development LLC
Website: https://silkweb.com/
Phone: 602.910.7494
Email: lshaw@silkweb.com
PRIMARY NAICS: 611710
SECONDARY NAICS: 511210, 519190, 541611, 611420, 611430
DUNS: 796832124
CAGE: 4QYY3
EIN: 26-0226448
Background
SilkWeb is a Native American, Woman-Owned Small Business based in Arizona. Our founder, Laurel Silk, has over 20 years of experience in the technology industry and a Master of Education Degree in Instructional Technology. Laurel is Húŋkpapȟa Lakota and an enrolled member of the Standing Rock Sioux Tribe. She founded SilkWeb with a mission to help all communities gain access to technology and education. SilkWeb has built its reputation on the timely delivery of quality technology solutions. All of our work is completed in the United States by highly qualified professionals.
The CounterCraft Cyber Deception Platform Actively defend critical business systems, processes and data
Tilting the Luck Scale in Your Favor
Security and risk management leaders feel rightfully frustrated by the asymmetry between attack and defense. Defenders need to be right 100% of the time, and attackers just need to be lucky once to find a hole in an otherwise solid cybersecurity posture.
Despite heavy investments in cybersecurity, targeted cyber attacks continue to succeed.
Traditional threat prevention doesn’t keep out the flood of malware and malicious emails that your organization faces: advanced attackers keep getting in. Undetected, they can operate as long as it takes for them to achieve their goals. Invisible, they can operate without creating a threat intelligence trail.
CISOs are under pressure to prioritize security resources.
Heads of SOCs face evolving and more hostile threat landscapes with limited resources.
Threat intelligence managers suffer from intel feeds that provide no context and low actionability.
Is it Time to Change your Approach?
Detect Adversary Activity Early: Generate high-quality alerts of adversary activity earlier than any other system: Pre- & Post-Breach detection. Force attackers to reveal themselves during “pre-attack” phases of attack planning and reconnaissance, or during the internal lateral movement phase.
Collect Enriched Threat Data: Gather real-time threat data from adversaries' activity. Automatically enrich it with TTP, MITRE ATT&CK and IOC context. Integrate this data with your Threat-Intel workflow. Deliver high impact threat intel feeds (targeted and timely) to your subscribers.
Manage Adversaries: Integrate with intelligence and incident response workflows. Immediately reconfigure other enterprise systems to resist the attack. Interact directly in real-time with the adversary to manage, delay and deflect the attack to extract more intelligence data from the adversary.
How does it work?
Distributed deception technology builds and deploys a synthetic environment that fools adversaries into engaging with false information and fake digital assets instead of real operational systems and data. While attackers plot a path through the network, you are gathering detailed information about their Tactics, Techniques and Procedures (TTPs).
The CounterCraft Cyber Deception Platform automates the design, deployment, monitoring and maintenance of the deception environments. By using an approach based on deception campaigns, you can easily deploy deception for specific use cases in just a click.
Business Benefits
Detect Early
Collect Threat Intel
Manage Adversaries
Gain time to respond to attack
Prioritize your actions and decisions
Adapt your defenses in real-time
Enhance cyber resilience
Reduce cost
Prevent disruption from attacks
A unique approach to active defense:
Widest Coverage - Works inside and outside the traditional enterprise perimeter. Fully cloud integrated. Easily deploy buffer zones around vulnerable cloud assets.
Ready To Go - Pre-installed with best-of-breed deception use-case catalogue. Non-experts can use the system out-of-the-box.
Friction Free - Host-Based with Cloud Infrastructure integration - no need to plug into internal network equipment.
Use Case Flexibility - Campaign-based approach to deception allows you to deploy multiple use-cases for deception with the same tool.
Highly Automated - Highly automated deployment and management process means reduced resource usage.
Adversary Mapping - Don’t wait for the attackers to breach your network. Get ahead of the threat cycle, understand their TTPs and strategic drivers.
About CounterCraft
CounterCraft is a pioneering provider of full-spectrum cyber deception technology offering attack detection, threat intelligence collection and proactive defence to clients. Our award-winning solution combines powerful campaign automation with controlled synthetic environments to allow attackers to penetrate organizations without doing real damage. CounterCraft is recognized worldwide for its radical contribution to the deception technology market and operates in more than 20 Fortune500 Index companies globally, including financial institutions, governments and Law Enforcement Agencies. Founded in 2015, CounterCraft is present in London, Madrid and Los Angeles, with R&D in San Sebastián (Spain).
Download our latest documents at countercraftsec.com
or if you prefer contact us at craft@countercraftsec.com
www.countercraftsec.com
© 2020 CounterCraft. All rights reserved.
It is time to start collaborating together for our own benefit, and for the benefit of the entire tribal community
Who We Are: A non-profit for tribes and by tribes
Formed and functioning in early 2021, the Tribal-ISAC continues to grow our membership each month and includes our volunteer board, steering committee, and our 70+ Members
Why the Tribal-ISAC?
● Tribes and tribal enterprises are targets and have been facing increased cyber attacks. That is a fact.
● For every newsworthy breach you see/hear, there are many others that go unreported.
● So… Do you just keep doing what you are doing on your own - hoping for the best, or do you/we work toward a better solution?
Better Prepared - Better Security
Any industry or community that shares security information is stronger/safer
● Tribes understand the type of risks and attacks that tribes face better than anyone
● Tribes are most vulnerable to the same attacks that were effective on similar tribes or tribal enterprises
● We can choose to remain isolated (which plays into the hands of the bad actors) or we can safely share information to help put the “bad guys” out of business and protect tribes.
There are many successful industry ISAC groups, but tribal governments + health + gaming/enterprises did not clearly fit completely into any single one of them.
We have created a trusted sharing organization (Tribal-ISAC) specifically for sovereign tribes and their enterprises. We will continue to grow our managed secure partnerships with resources to leverage their capabilities.
Why your tribe needs to be part of the Tribal-ISAC security information sharing community
Does this sound all too familiar?
1. A cyber security incident occurs at your tribe or tribal enterprise.
2. The tribe or enterprise immediately orders a complete and immediate “blackout of all communications on the matter”.
3. The tribe “goes it alone”, scrambling to find expertise and resources to identify the breach/issue and resolve it as quickly and quietly as possible. Time and $$$ quickly escalate.
4. Even after the incident cause(s) and sources are identified, standard tribe (and legal/marketing/brand) procedure is to continue complete public silence on the matter.
5. Your tribe and team watch silently as others in the tribal community fall prey to the same or similar cyber issue.
Who benefits from the silence? Who suffers?
Tribal-ISAC: Member Benefits
Secure Access to collaboration portal
Daily Dispatch: The security threat bulletin specific to tribes
Ability to interact with the security expertise from every Tribal-ISAC member tribe
Access to the expertise of the shared Tribal-ISAC security analysts at any time
Monthly member meetings and discussion
Tribe specific training and webinars and a TribalHub Membership
Monthly security summary reports - created just for tribal environments
The ability to be better prepared than any tribe can be on their own
www.tribalisac.org
On the Tribal-ISAC website we help all tribes find federal cyber resources. Many of these you may have learned about in other DHS Summit sessions from today.
How do you get started?
www.tribalisac.org
Learn More
● Watch quick info videos
Become a Member
● Complete Member Agreement
● Agree to share information securely and trusted
Security is everyone’s responsibility. Choose to Collaborate and not to Isolate.
Be Informed, Be Engaged, and have your tribe or tribal enterprise join us at: www.tribalisac.org
CYBER TEAM SIX LLC
ENTERPRISE RISK REDUCTION & CYBER CRIME PREVENTION
WWW.CT6.AI
Stop Cybercrime & Control Digital Risk
CT6 Cybercrime Prevention. A new edge of awareness. As an emerging technology, it is the first of its kind. Cybercrime Prevention technology represents a wholesale change in the way the world will secure its information. It quickly uncovers and maps hidden connections between disparate data points to expose risks and vulnerabilities that cybersecurity measures alone cannot. The proactive nature of Cybercrime Prevention by CT6.® marks the difference between enduring repetitive cycles of damage control versus preemptively stopping theft, fraud, sabotage, ransomware, and other malware. It means finding the unknowns (e.g., the method, source, extent, and all potentially affected data) internal and external to a native network to prevent sophisticated digital attacks. Cybercrime Prevention by CT6.® lowers enterprise digital risk through its patent-pending processes that identify and mitigate stolen data and find other data consequently at-risk before criminals use it. Cybercrime Prevention technology searches the world over for stolen data, providing the who-what-when-where-how so clients can stop crime for good.
Find Stolen Data. A proprietary software-based capability identifies customer, employee, and vendor points of compromise—independent of a connection to an organization—among 23+ billion pieces of data.
Find Hidden Data At Risk. One piece of data (a username, a password, an infected device, etc.) can uncover which employees, customers, or vendors are victims of malware or phishing campaigns on third-party networks. It can lead to the discovery of viruses, naive user behavior, weak authentication, third-party breaches, and other factors external to a native network that can leave it vulnerable.
Mitigate Vulnerable Data. With CT6.® Matching Logic, early warning indicators allow the mitigation and management of data risks days, weeks, or months before vulnerable data is weaponized against an organization.
Keep PII Safe. CT6.® technology does not require PII to leave a native network. A proprietary process creates an irreversible partial hash of data for extreme search accuracy that follows US DOJ & EU GDPR privacy laws.
For more information, contact us at information@cyberteamsix.tech or visit our website.
WWW.CT6.AI | U.S. BUILT AND SUPPORTED
What is Cybercrime Prevention Technology?
CT6.® Cybercrime Prevention software sees beyond network defenses (e.g., cybersecurity measures) to find the risk of digital attacks hiding within the myriad relationships and remote connections that eventually touch a business, organization, or individual.
How is Cybercrime Prevention Technology Useful?
CT6.® Cybercrime Prevention uncovers existing and emerging threats to stop ransomware, malware, credential attacks, phishing, theft, fraud, sabotage, and more. CT6.® created Cybercrime Prevention to stop criminals before they attack.
How is Cybercrime Prevention different from Cybersecurity?
As digital attacks advance, cybersecurity technology often lags - forcing a repeating cycle of damage control. CT6.® Cybercrime Prevention breaks the cycle of damage control to stop criminals before they strike. Cybersecurity monitors your network like a security guard protects a store – trying to identify crime but only after the criminals are at the door or inside the store. Cybercrime Prevention protects your business more like a police detective patrols the neighborhood outside of the store, looking for clues to make it impossible for the criminals to get in. Cybersecurity protects your network. Cybercrime Prevention protects your business.
Company History & Executive Team
Established in 2019 with offices in Charlotte NC and Washington DC, CT6.® is a company of law enforcement, national security, commercial, and academically credentialed practitioners who have proven expertise in innovating the use of alternative data sources to prevent cybercrime, disrupt criminal marketplaces, and fortify against monetary and information loss. CT6.® principals brought their unique professional skills together to create a new, more effective methodology to fight cybercrime. By combining traditional investigative approaches with innovative cyber-driven solutions, CT6.® broke through cyber industry barriers to proactively pursue the cyber threats that affect billions of people each day at corporate, commercial and government entities.
Patrick Westerhaus, Chief Executive Officer – CPA, CFE, 20+ years in financial services investigations and cybercrime, former FBI Special Agent and Wells Fargo executive in cybercrime loss prevention.
John Lenkart, Chief Strategy Officer – 25+ years as a Special Agent at the FBI as a senior executive creating counterintelligence platforms to secure nation-wide critical infrastructure.
Jason Britt, Chief Technology Officer – CPA, 15+ years developing investigative and anti-cybercrime software; PhD in Computer Science Data Mining, AI, and Machine Learning.
Steve Lenkart, Chief Operating Officer – 25+ years as a COO and policy chief at U.S. federal agencies and private entities; U.S. Deputy Under Secretary of Homeland Security for Science & Technology (fmr.).
Brittany Holder, Chief Communications Officer – 10+ years in media and congressional and regulatory affairs creating dynamic national campaigns in disparate venues.
PROTECTING YOUR INTELLECTUAL PROPERTY RIGHTS
CYBER-PANDEMIC: THE RANSOMWARE THREAT TO TRIBAL GAMING SOUTH POINT HOTEL CASINO - LAS VEGAS, NV OCTOBER 22, 2021
AGENDA
▪ What is intellectual property (IP) and why should we protect it?
▪ Discuss several intellectual property vulnerabilities and risks
▪ Review practical recommendations
10/14/2021
INTELLECTUAL PROPERTY
“Intellectual property (IP) refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce” – WIPO
DEFINITIONS
▪ Trademarks - A trademark is a sign capable of distinguishing the goods or services of one enterprise from those of other enterprises
▪ Copyrights - Copyright (or author’s right) is a legal term used to describe the rights that creators have over their literary and artistic works. Works covered by copyright range from books, music, paintings, sculpture, and films, to computer programs, databases, advertisements, maps, and technical drawings.