04091124 Master Cybersecurity Training Book

Seminar Institute Commissioner Training – Master Class on Cybersecurity April 9 – 11, 2024

April 9, 2024: 8:00 am – 9:00 am

Breakfast

Welcome/Course Introductions: Billy David, Bo-Co-Pa & Associates

9:00 am – 9:30 am

“ Threat Landscape- Overview 2024 Trends and Forecast to 2025” Earle Hall, CEO AXES.ai and Co-Chairman AI and Cybersecurity Policy Committee, Las Vegas Chamber of Commerce

9:30 am – 10:30 am

10:30 am – 10:45 am BREAK

10:45 am – 12:30 pm “Why Should We Consider Cyber Insurance” Presented by Earle Hall, CEO AXES.ai and Co-Chairman AI and Cybersecurity Policy Committee, Las Vegas Chamber of Commerce

12:30 pm – 2:00 pm

BREAK

“Cybersecurity is a Board Level Leadership Imperative for Building the Security Culture” Presented by Abe Martin CFE, Casino Cryptology

2:00 pm – 3:15 pm

3:15 pm – 3:30 pm

BREAK

“Who Is Responsible To Regulate Cybersecurity?” Presented by Abe Martin CFE, Casino Cryptology and Billy David, Bo-Co-Pa & Associates

3:30 pm- 5:00 pm

April 10, 2024 8:00 am – 9:00 am

Breakfast

How to conduct great tabletop exercises and take them to the next level Presented by Derek J. Olson Wipfli LLP Cybersecurity Consultant

9:00 am – 10:30 am

10:30 am – 10:45 am BREAK

10:45 am – 12:15 pm How to structure and oversee a “Purple team” engagement that validates a casino’s visibility to malicious cyber activity and block attacks like ransomware by Matt Berluti Wipfli LLP CISSP Manager - Cybersecurity Services

12:15 pm – 1:15 pm

BREAK

How to plan and include incident response in the overall business continuity strategy Presented by Derek J. Olson Wipfli LLP Cybersecurity Consultant

1:15 pm – 2:45 pm

2:45 pm – 3:00 pm

BREAK

Securing the human and how to increase a casino’s resistance to social engineering attacks Presented by Matt Berluti Wipfli LLP CISSP Manager - Cybersecurity Services

3:00 pm – 4:30 pm

April 11, 2024 8:00am – 9:00am

Breakfast

Is my Casino at Risk from a Ransomware Attack? Presented by Renita DeStefano, President & CEO Second Derivative, LLC

9:00am – 10:30am

10:30am – 10:45am BREAK

10:45 am – 11:45 pm Top 20 Security Controls for Maximum Casino Cyber Security

Presented by Renita DeStefano, President & CEO Second Derivative, LLC

11:45 am – 12:15 pm Resources, Takeaways, Recap of Events, and next steps for your organization Presented by Renita DeStefano, President & CEO Second Derivative, LLC

4/20/24

Spring 2024 Commissioner Master Class Tuesday 9:30 AM Session Threat Landscape Overview 2024 Trends and Forecast to 2025

4/20/24

Threat Intelligence Sources

• Verizon Data Breach Investigations Report (Annual) • Sophos • Cisco/Splunk • Cybersecurity and Infrastructure Security Agency (CISA) • Federal Bureau of Investigation (FBI)

Splunk – A Cisco Company The CISO Report

4/20/24

Verizon Data Breach Investigations Report 2023

16,312 Incidents – 5,199 Confirmed Breaches

Verizon Data Breach Report, 2023

4/20/24

Backup Compromise • 75% of attempts were successful when the attack started with an exploited vulnerability • 54% of attempts were successful when the attack started with compromised credentials Data Encryption • 67% of attacks resulted in data encryption when the attack started with an exploited vulnerability • 43% of attacks resulted in data encryption when the attack started with compromised credentials

Sophos Unpatched Vulnerabilities: The Most Brutal Ransomware Attack Vector

Paid the Ransom • 71% of organizations that had data encrypted paid the ransom when the attack started with an exploited vulnerability • 45% of organizations that had data encrypted paid the ransom when the attack started with compromised credentials

4/20/24

Recovery Time

Median Recovery Cost • $3M median overall recovery cost for ransomware attacks that start with an exploited vulnerability. That’s four times greater than … • $750K for those that begin with compromised credentials

4/20/24

Trends & Predictions

• 3.5 million unfilled cybersecurity jobs by 2025 • CISO’s will report to the CEO • Zero Day Exploits Doubling • Social Engineering will become #1 • AI will surge as a top attack vector

Questions?????

4/20/24

Why We Should Consider Cyber Insurance

Abe Martin abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com

April 9, 2024

Is insurance STILL a sucker bet?

4/20/24

Cyber Insurance brokers…

• not to be confused with Agents, who work for an insurance company • help businesses find providers and policies that fit their specific needs • are intended to be independent of insurance companies, therefore able to offer unbiased input • may charge a commission, a broker fee, or both (ASK!) • might not know every detail of every policy or provider

4/20/24

What is Cyber Insurance?

• AKA “cyber liability insurance” • May provide financial protections and/or resources to policy holders in the event of cyber attacks, data breaches and other technology related risks • Types of coverage are critical

Types of coverage:

First-Party Coverage focuses on your organization’s data, including customer and employee information. Look for coverage that (at least) includes: • Investigation fees • legal obligations • Recovery/replacement of data • Communication with customers and PR • Lost income and money lost to extortion and fraud • Crisis management • Fees, fines and penalties

4/20/24

Types of coverage:

Third-Party Coverage focuses on liability claims against your organization. Look for coverage that (at least) includes: • Payments to affected customers • Claims & settlements • Defamation and copyright or trademark infringement • Litigation and regulatory responses • Accounting costs • Other settlements, damages or judgements

Policy components:

• Premiums • Policy limits • Deductibles • Exclusions (zero day/third party) • Loss ratio • Application process • Policy changes • Material misrepresentation • Monitoring remote workers

4/20/24

Pricing and cost Factors:

Generally speaking, a few factors that influence cyber insurance prices: • Type of industry: nature and level of information the business handles • Company size: more employees = more vendors, devices, customers = more “attack surfaces” • Company revenue: yep • Company security: better security = better rate, generally speaking

Claims handling/reporting:

• Clarify input from in-house experts (quickly) • Notify provider sooner that later • Identify and connect with [cyber] specialists provided by coverage • Be ready to work with external experts; insurance, investigators and maybe even negotiators • Maintain detailed documents • Overestimate the road to recovery

4/20/24

Best practices: • Risk assessments/penetration testing • Incident response plans • Cybersecurity training • GOOD data backups • Multi-Factor Authentication (MFA) • Data classification • Identity access management • Strong password policies • Firewalls • Antivirus or Endpoint Detection and Response software Insurance Risk Assessment: • Consider the probability that a given scenario could occur • Consider the impact of that scenario taking place • Intersection of probability and impact can help to guide decisions for insurance coverage as well as other efforts

4/20/24

RISK Assessment exercise:

INSIDER THREAT

The potential for an insider to use their authorized access or understanding of an organization to harm that organization

RISK Assessment exercise:

DATA BREACH

A security incident that exposes confidential, sensitive or protected information to an authorized person

4/20/24

RISK Assessment exercise:

RANSOMWARE

Ransomware blocks the owner from accessing a computer system (network) until a sum of money has been paid.

Key Takeaways:

• Perform risk assessments, include local/industry factors • Audit systems/operations against known security framework(s); NIST, ISO-2700 – changes as needed • Consider using an insurance broker • Be VERY careful, and brutally honest in application • Make claims part of incident response planning

4/20/24

Abe Martin, CFE, CSP abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com

4/20/24

Cybersecurity is a Board Level Imperative for Building the Security Culture

Abe Martin abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com

April 9, 2024

Cybersecurity strategy? Is our strategic goal to outrun the bear?

Or just one person?

4/20/24

Cybersecurity strategy?

Theoretically, the longer we go without seeing a black swan, the more likely it is to happen.

Change management:

Top 5 considerations for changing culture: 1. Leadership – people in positions of authority AND the peoples’ champions 2. Involvement – every workgroup with an interest in the operation plays a part 3. Training – consider engagement; fun, game style 4. Metrics – every goal must be measurable, evaluated, discussed and adjusted 5. TIME!

4/20/24

Top-Down Approach:

We gotta walk the talk!

Consider a few options for tech-challenged leadership: • Independent training • Leadership/peer learning groups • A tech coach • Informational content in leadership meeting agendas

Challenge:

During presentation watch for emoji puzzles.The solution to each puzzle is a cybersecurity term. Blurt out answers!

4/20/24

Security methodology:

Controlling access and permissions are perhaps the two most critical elements.Two common approaches are:

Principles of Lease Privilege (PoLP)

Zero Trust

Strong Authentication:

• Passwords: ISO 27001 requires organizations to create strong passwords that have a mix of letters, numbers, and special characters.The passwords must be at least 8 characters long and should not contain personal information such as first names, last names, or dates of birth. Passwords must also be renewed regularly; at least every 90 days. • MFA – Multi-factor Authentication: access requires something we know (password) and something we have (phone, email, etc. • Should we hold vendors/service providers to the same standards?

4/20/24

Observation skills:

The majority of all (recent) breaches have been attributed to human error. Regardless of a vast array of security tools and precautions a single click can open the door for cyber attacks.

Being observant and cautious has never been more important to an organization’s security!

Smishing & Vishing:

• Remember JDLRs • Save known vendors & service provider info to your contacts and only reply through those channels

4/20/24

Phishing:

Phishing – email headers:

4/20/24

Phishing – email headers:

4/20/24

Phishing – email headers:

4/20/24

Phishing – email headers:

4/20/24

Spoofing:

Access important sites via saved bookmarks

Key Takeaways:

• 5 ways to improve change: leadership, involvement, training, metrics and time • Walk the walk, leadership training/resources • Push those authentication rules • Work your observation skills and defenses: • Phishing, Smishing & Spoofing

4/20/24

Abe Martin, CFE, CSP abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com

4/20/24

How to structure and oversee a purple team engagement to validate casino visibility to malicious cyber activity and block attacks like ransomware April 10, 2024

Matt Berluti Manager – Cybersecurity Services

Presenters

4/20/24

Setting the foundation

Overview

Purple team overview – how it’s different

Maximizing security investments with purple team exercises

Critical practices to include in your purple team exercises

Closing thoughts and Q&A

3 3 4 01 4

Setting the foundation

4/20/24

Red teams attack.

Blue teams defend.

Purple teams combine the best of both.

Basic terminology

Vulnerability scanning

Penetration test

External

§ Automated scan

§ Active attempts to

§ VA or pen testing focused on assets reachable from the public internet

looking for software with known vulnerabilities

exploit vulnerabilities and security weaknesses

Internal

Red team exercise

Purple team exercise

§ VA or pen testing focused on assets behind your firewall(s)

§ Coordinated external and internal pen test

§ Training exercise to validate that your security tools provide visibility to malicious activities; tests your ability to detect attacks

leveraging logical, physical, and social engineering attack vectors targeting specific objectives; tests your ability to impede attacks

4/20/24

How it all fits together

7 7 8 02 8

Purple team overview – How it’s different from other security tests

4/20/24

01 02 03

Staged scenarios

Stage attack scenarios in your environment to maximize efficiency of the engagement

Purple team characteristics

Customized to your threat model

Leverage MITRE ATT&CK framework to design procedures specific to your infrastructure and most valuable digital assets

Collaborative vs. adversarial

Attacking force working directly with your security team

Ability to rerun attack steps and demonstrate how malicious activity appears in security logs and tools

Learning experience

• Understand what attacks look like in real-time and through your own security tools • See firsthand what it looks like when someone bypasses security tools like anti-virus or MFA on your VPN

Purple team characteristics

Safe place to experiment

• Run through various scenarios to identify visibility gaps • Tweak scenarios to validate different perspectives

• Make adjustments to

monitoring tools and rerun scenarios to validate improvements

4/20/24

Designed to prove detection

Purple teams aren’t designed to test preventative safeguards. Assumes defenses fail and test your detection tools and processes.

How it’s different from other security tests

Collaborative & educational

Traditional pen tests happen without direct IT/Security involvement. Purple teams have them actively included.

Staged to create efficiency

In pen tests, most of the time is spent on trial and error trying to bypass defenses. Purple teams stage the attacks to be more efficient.

Scattered Spider at MGM

§ MGM was breached by Scattered Spider ransomware gang on September 11, 2023 § Scattered Spider identified employees on LinkedIn and used social engineering against the IT helpdesk to obtain credentials § Once inside of the network, Scattered Spider deployed the ALPHV/BlackCat ransomware to access customer PII and ransom the casino’s operations § For 10 days, MGM operated without technology

§ Used paper receipts for casino winnings § Gave guests physical keys for hotel rooms § Resulted in a $100 million loss per MGM’s SEC filing

4/20/24