START WITH SECURITY


Not-for-Profit
Leadership Summit XIV
GUARDING THE CROWN JEWELS
Cybersecurity
Steps for Nonprofits
May 2, 2016
Adapted from a program developed by BBB & the
National Cyber Security Alliance.
1
CYBERSECURITY DEFINED:
“The ability to protect or defend the use
of cyberspace from cyber attack.” –
National Institute of Science and Technology (NIST)
Enabling people and businesses to do more online with trust and confidence.
2
APPROACHING CYBERSECURITY
FOR THE SMALL TO MID-SIZE
NONPROFIT
3
MOST COMMON CYBERSECURITY RISKS
(Source: Verizon 2015 Data Breach Investigations Report)
4
TOP CYBERSECURITY RISKS
(Year 2014)*
Physical Theft and Loss
Payment Card Skimmers
Point-of-Sale Intrusions
Crimeware
Web App Attacks
Denial of Service Attacks
Cyber-espionage
Insider and Privilege Misuse
Miscellaneous Errors
*Verizon 2015 Data Breach Investigations Report
5
PHYSICAL THEFT AND LOSS
The majority of thefts occur right in the victim’s work area (55%).
Staff-owned vehicles (22%) are common targets for device theft.
Devices containing key/substantial data should be accorded a higher level of protection.
Verizon 2015 Data Breach Investigations Report
6
PAYMENT CARD SKIMMERS & POINT-OF-SALE INTRUSIONS
(Relevant for Both Private and Nonprofit Sectors)
Skimmers fitted inside ATMs and card readers capture payment card numbers and PINs.
Multi-step attacks involve POS systems PLUS attacks on other systems, e.g. vendors with access to your networks.
Social engineering is used to trick employees into providing passwords over the phone.
Note: A key liability shift occurred in October 2015 for EMV “chip” cards – merchants now may be liable for PCI data loss if they fail to use an EMV reader.
http://www.emv-connection.com
Verizon 2015 Data Breach Investigations Report
7
MALICIOUS SOFTWARE (CRIMEWARE) AND WEB APP ATTACKS
Malware infections are used to steal or compromise:
– Bank records (using stolen credentials)
– Trade secrets
– System data
Ransomware: Can seek to encrypt an entire hard disk drive until a fee is paid by the victimized organization for restoration.
Web app attacks: Compromises through stolen login & password information and access to your account(s) posing as your organization/authorized officers.
Common Methodology Employed: Phishing
Get credentials -> Log in to account -> Empty bank account
Verizon 2015 Data Breach Investigations Report
8
SAD BUT TRUE: INSIDER MISUSE AND HUMAN ERROR
Privilege Abuse: Causes 55% of Breach Incidents
Individuals given access take advantage and cause harm:
– Intentionally, for financial gain via sale/use of stolen data
– Unintentionally, for convenience (e.g., unapproved workarounds)
Human Error: Three Main Categories
– Sensitive information reaching the wrong recipient (30%)
– Publishing nonpublic data to public web servers (17%)
– Insecure disposal of PII (personal/medical data) (12%)
Verizon 2015 Data Breach Investigations Report
9
MISTAKES TO AVOID: COLLECTING &
RETAINING UNNECESSARY INFORMATION
SCALE DOWN
If you don’t have a legitimate organizational need for
sensitive personally identifying information:
Don’t keep it - Don’t even collect it.
If you do have a legitimate organizational need for
the information: Keep it only as long as required &
necessary
10
RECORDS RETENTION POLICY
If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify:
– What information must be kept
– How to secure it
– How long to keep it
– How to dispose of it securely when you no longer require it
11
A MULTI-STEP APPROACH TO
MANAGING RISKS & REDUCING
VULNERABILITY
12
THE NIST CYBERSECURITY FRAMEWORK
WHAT IS IT?
A collaborative effort between the government and private sectors to develop a voluntary framework – based on existing standards, guidelines and practices – for reducing cyber risks to critical infrastructure.
13
NIST 5-STEP APPROACH
The NIST Cybersecurity Framework Covers 5 Major Functions
IDENTIFY assets you need to protect
PROTECT assets and limit impact
Be able to DETECT security problems
Be ready to RESPOND if you have an incident
Prepare to RECOVER from an incident
14
APPLYING THIS 5-STEP APPROACH
TO YOUR NONPROFIT
15
SAMPLE SCENARIO: RANSOMWARE
16
5-STEP APPROACH: RANSOMWARE
IDENTIFY – Data: Donor/Member/Client Database: Contains PII and Contact Info. Required to Efficiently Operate Your Nonprofit. Device: Office Desktop.
PROTECT – Daily Backup to External Drive
DETECT – Ransomware Message: Management Determines That System Will Be Down for Several Days
RESPOND – Short-Term Response: Use of Alternative Records/Backup Info. for Necessary Information
RECOVER – Wipe the Drive; Reload Windows; Reload Database Application; Load Data from Backup Drive
17
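The scenario above walks through backup, wipe and restore in words. The following Python script is an added example, not part of the original presentation or of the BBB/NCSA program, that shows the PROTECT and RECOVER columns concretely: it copies a constructed donor database to a "backup drive" directory together with a SHA-256 manifest, and refuses to restore from a backup whose files no longer match that manifest, which is exactly what a backup that ransomware managed to reach looks like. The directory names, the manifest format and the sample files are assumptions made for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name for the per-backup integrity record


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir) -> dict:
    """PROTECT: copy every file under src_dir to backup_dir and record each file's SHA-256."""
    src, dst = Path(src_dir), Path(backup_dir)
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)  # hash the copy, so the record matches what is on the drive
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir) -> list:
    """Return the files whose content no longer matches the manifest (missing or altered)."""
    dst = Path(backup_dir)
    manifest = json.loads((dst / MANIFEST).read_text())
    return [rel for rel, expected in manifest.items()
            if not (dst / rel).is_file() or sha256_file(dst / rel) != expected]


def restore_backup(backup_dir, target_dir) -> list:
    """RECOVER: copy files back onto the rebuilt machine, but only from a backup that verifies."""
    bad = verify_backup(backup_dir)
    if bad:
        raise RuntimeError(f"backup integrity check failed for: {bad}")
    dst, target = Path(backup_dir), Path(target_dir)
    manifest = json.loads((dst / MANIFEST).read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dst / rel, out)
    return sorted(manifest)


def demo():
    """Constructed walk-through: back up the donor database, lose the desktop, restore, then
    detect a backup copy that was altered after the fact."""
    with tempfile.TemporaryDirectory() as tmp:
        office = Path(tmp) / "office_desktop"
        external = Path(tmp) / "external_drive" / "2016-05-02"
        rebuilt = Path(tmp) / "rebuilt_desktop"
        (office / "db").mkdir(parents=True)
        (office / "db" / "donors.csv").write_text("id,name,email\n1,Sample Donor,donor@example.org\n")
        (office / "notes.txt").write_text("board meeting agenda\n")
        make_backup(office, external)
        shutil.rmtree(office)  # stands in for wiping the infected drive and reloading Windows
        restored = restore_backup(external, rebuilt)
        intact = (rebuilt / "db" / "donors.csv").read_text().startswith("id,name,email")
        # Now alter one backup file the way ransomware that reached the drive would.
        (external / "notes.txt").write_bytes(b"\x00encrypted\x00")
        return restored, intact, verify_backup(external)


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from the code: keep the external drive disconnected except while the daily backup runs, because ransomware encrypts whatever is mounted at the time, and always run the verification step before trusting a backup in the RECOVER phase rather than discovering a damaged copy halfway through the reload.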
CONSIDERATIONS WHEN USING THE CLOUD
1. Ensure that Security is Clearly & Specifically Spelled Out in the Contract
2. Confirm Whether the Provider will Maintain the Servers and Apps and Keep Them Patched (A Critical Step in Security Maintenance)
3. Confirm if Firewall Protection and/or Encryption are Provided
4. Ensure an Adequate Backup and Recovery Strategy
Be Highly Wary of “Free” Services - a Commercial Contract is strongly advised for legal protection
Note: If using a “free” consumer service, there are generally (almost always) NO protections to support a Due Diligence/Due Care defense.
18
CREATING A “CULTURE OF SECURITY” - THE HUMAN FACTOR
Training, Training, Training (and don’t forget…Training): Continual Staff Education re: Newly Arising Risks and Vulnerabilities Can Protect Against Phishing and Data Loss
Institute Clear Office Policies and Procedures
– Written - Use Regular Reminders
Empower Your Staff: An Invaluable Asset for Detection
– Avoid Punitive Measures – Encourage Reporting
– Raise Your Odds of a Timely Response
19
SAMPLE KEY OFFICE POLICIES
FOR YOUR NONPROFIT
ACCEPTABLE USE (of Information
Technology)
Example: All device/network users must read,
agree to, and sign an access and use
agreement.
PASSWORD AND AUTHENTICATION
Example: Passwords must be changed
every 90 days and authentication enabled
on all email accounts.
TRAINING AND AWARENESS
Example: All staff are required to participate in
a regular cybersecurity education program.
PERSONNEL SECURITY
Example: All personnel data must be
protected from viewing or altering by
unauthorized persons.
PHYSICAL SECURITY
Example: All staff devices must be secured
when away from their desk or when traveling.
EMAIL USAGE
Example: Personal or sensitive data may not
be sent in email.
NIST Small Business Cybersecurity Workshop 2015
20
DON’T WAIT FOR A SECURITY INCIDENT: DEVELOP
YOUR ORGANIZATIONAL RESPONSE PLAN NOW
Investigate security incidents immediately and take steps to
close off existing vulnerabilities or threats to personal information.
Promptly assess the degree of compromise.
Consider whom to immediately notify in the event of an incident, both
inside and outside of your organization - e.g., donors, members, clients,
vendors, law enforcement, and other organizations/entities that may be
affected by the breach.
States and federal regulatory agencies have laws and guidelines
addressing data breaches and requirements with which you must comply.
21
SECURITY: BEST PRACTICES
The Federal Trade Commission’s Start with Security Guide offers 10 practical lessons to deal with security threats, based on actual settlements reached in the last decade.
22
FTC’S “START WITH SECURITY” TIPS
1. Start with Security (You probably already knew this one).
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
10. Secure physical media such as paper and devices.
FROM: Start with Security: A Guide for Business, FTC
23
1. START WITH SECURITY
Factor security into decision-making in every part of your organization, making conscious choices about:
– what kinds of information you collect
– how long you keep it
– with whom you share it
– who can access it
Lead by example to further that “Culture of Security” at all organizational levels
FROM: Start with Security: A Guide for Business, FTC
24
2. CONTROL ACCESS TO DATA SENSIBLY
Restrict access to sensitive data to those who require it to perform their job functions
Minimize and restrict administrator privileges on your network
FROM: Start with Security: A Guide for Business, FTC
25
FTC CASE: TWITTER
MISTAKE TO AVOID: Granting administrative access to most employees increased risk of eventual breach
3. REQUIRE SECURE PASSWORDS AND AUTHENTICATION
Store Passwords Securely and Add 2-Factor Authentication (2FA)
– Prohibit weak and shared passwords; create complex passwords through mixing letters, numbers, and characters.
– Protect passwords: Do not email or store in clear text (think Encryption)
Guard Against Brute Force Attacks
– Limit failed login attempts
– Test for backdoor security flaws
FROM: Start with Security: A Guide for Business, FTC
26
FTC CASE: GUIDANCE SOFTWARE
Network credentials stored in clear text helped hacker access credit card information.
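The password-storage and brute-force controls above, as an added example that is not part of the original presentation or of the FTC guide: a small Python login service that keeps only a random salt and a PBKDF2-HMAC-SHA256 hash for each user (never the clear-text credential that the Guidance Software case turned on), compares hashes in constant time, and locks an account for 15 minutes after five failed attempts. The LoginService class, the minimum passphrase length, the iteration count, the lockout thresholds and the in-memory user store are assumptions made for the demonstration; a deployment would persist the records in a database and tune the numbers to its own policy.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed policy values for the demonstration; a real deployment sets its own.
PBKDF2_ITERATIONS = 300_000     # slow enough to blunt offline guessing of a stolen hash
MIN_PASSPHRASE_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5         # "limit failed login attempts"
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 hash; a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    """What gets persisted: salt and hash only, never the password itself."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0

    def stored_record(self) -> Dict[str, str]:
        """The on-disk form of the account; nothing in it reveals the password."""
        return {"user": self.username, "salt": self.salt.hex(), "hash": self.pw_hash.hex(),
                "kdf": f"pbkdf2-sha256:{PBKDF2_ITERATIONS}"}


class LoginService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.now = now  # injectable clock so lockout expiry can be exercised without waiting

    def register(self, username: str, password: str) -> Account:
        if len(password) < MIN_PASSPHRASE_LENGTH:
            raise ValueError(f"passphrase must be at least {MIN_PASSPHRASE_LENGTH} characters")
        acct = Account(username, password)
        self.accounts[username] = acct
        return acct

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Run the KDF anyway so response time does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if acct.locked_until > self.now():
            return "locked"          # the password is not even evaluated while locked
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"


def demo() -> list:
    """Constructed walk-through: a correct login, five bad guesses, the lockout, then expiry."""
    clock = [1_000_000.0]
    svc = LoginService(now=lambda: clock[0])
    svc.register("treasurer", "correct horse battery staple")
    results = [svc.login("treasurer", "correct horse battery staple")]
    results += [svc.login("treasurer", f"guess{i}") for i in range(MAX_FAILED_ATTEMPTS)]
    results.append(svc.login("treasurer", "correct horse battery staple"))  # right password, still locked
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(svc.login("treasurer", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout is the "limit failed login attempts" control from the slide; the salted, iterated hash is the "do not store in clear text" control. 2FA is not shown here because it needs a second channel (an authenticator app or hardware token) that this stand-alone script cannot exercise.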
4. STORE SENSITIVE PERSONAL INFORMATION SECURELY & PROTECT DATA DURING TRANSMISSION
Ensure employees handling sensitive data understand how to protect it in each situation
Encrypt sensitive information stored on your network and keep it encrypted during transmission
FROM: Start with Security: A Guide for Business, FTC
27
FTC CASE: SUPERIOR MORTGAGE
Sensitive customer data encrypted on collection at website was decrypted and emailed to branch offices
MISTAKE TO AVOID: Careless Transmission of Information
If you encrypt your customers’ financial data on your web site, DO NOT then decrypt it and email it over the internet to another office in regular text.
Regular email is NOT a secure method for sending sensitive data.
Encrypt any transmission that contains information to be shielded from fraudsters or ID thieves.
28
5. SEGMENT YOUR NETWORK AND MONITOR WHO’S TRYING TO GET IN AND OUT
Remember that not all computers need to communicate. Identify all connections to computers/servers maintaining sensitive/personal information (e.g., Internet, computers at branch offices & wireless devices/smartphones/tablets/laptops)
Continuously monitor your network activity
FROM: Start with Security: A Guide for Business, FTC
29
FTC CASE: DSW
Computers were not prevented from connecting across in-store and corporate networks - SEGMENT
6. SECURE REMOTE ACCESS TO YOUR NETWORK
Before Enabling Remote Access
– Assess client/vendor data security practices (compare their standards to your organization’s)
– Ensure all relevant employee computers/devices are secure
– Restrict access to known IP addresses OR grant temporary access as needed and required
FROM: Start with Security: A Guide for Business, FTC
30
FTC CASE: LIFELOCK
No antivirus programs installed on employee computers used to remotely access its network
7. APPLY SOUND SECURITY PRACTICES WHEN DEVELOPING NEW PRODUCTS (e.g., Your Organization is Developing its own App)
Do your due diligence: Your software developers must be trained in secure coding practices
Ensure third-party app developers:
– Follow platform security guidelines (iOS/Android)
– Verify privacy and security features
– Test for common vulnerabilities
FROM: Start with Security: A Guide for Business, FTC
31
FTC CASE: TRENDnet
Employees were not trained in secure coding practices, enabling vulnerabilities in software they provided
8. ENSURE SERVICE PROVIDERS IMPLEMENT REASONABLE SECURITY MEASURES
Include reasonable security requirements in service provider contracts for data processing
Verify compliance during the course of the contract
FROM: Start with Security: A Guide for Business, FTC
32
FTC CASE: UPROMISE
No verification of security features in browser toolbar led to clear-text transmission of sensitive customer information (despite contracting for this security)
9. PUT PROCEDURES IN PLACE TO KEEP SECURITY CURRENT AND ADDRESS VULNERABILITIES
Update and Patch 3rd Party Software
– Urgent situations require immediate action, but a patching schedule helps reduce risks
Act Quickly on Credible Warnings
– Without a process and effective channel for handling security alerts, reported risks may never be addressed
FROM: Start with Security: A Guide for Business, FTC
33
FTC CASE: FANDANGO
Security warning wrongly categorized as customer service request was ignored
10. SECURE PAPER, PHYSICAL MEDIA & DEVICES
Protect Mobile and Storage Devices on the Move
– Don’t leave devices in vehicles or unattended
Secure Paper Records
– Don’t leave sensitive documents in open office areas
– Don’t store membership records in your garage
Dispose of Sensitive Personal Data Securely
– Don’t toss sensitive records into dumpsters
– Require secure disposal/destruction of disk drives
FROM: Start with Security: A Guide for Business, FTC
34
FTC CASE: GOAL FINANCIAL
Employee sold surplus hard drives with unencrypted sensitive information of 34,000 customers
MISTAKE TO AVOID: Careless Physical Security
Remember: Data compromise can still happen the old-fashioned way: lost or stolen paper documents.
Often the best defense is a locked door or an alert employee.
Store paper documents, flash drives, and backups containing personally identifiable information in a locked room/file cabinet.
Limit access to employees with a legitimate organizational need.
35
35
WHAT IS “PROPER” DISPOSAL?
Reasonable and appropriate practices to prevent unauthorized access to – or use of – personally identifiable information.
“Reasonable” = Based on data sensitivity, costs and benefits of disposal options & technology changes
When legally appropriate, shred/pulverize sensitive papers so they cannot be read or reconstructed
36
WHAT IS “PROPER” DISPOSAL?
Destroy or erase sensitive electronic files or media so they cannot be read or reconstructed
Old computers/portable storage devices: consider wipe utility programs - designed to overwrite the hard drive to prevent files from being recovered.
37
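The records retention policy earlier in the deck (what to keep, how to secure it, how long to keep it, how to dispose of it) and the overwrite-based wiping just described can be combined in one small script. The Python below is an added example, not from the presentation or from the BBB/NCSA program: it applies a constructed per-category retention schedule to a directory of records, previews the result in dry-run mode, refuses to touch files it cannot classify, and overwrites expired files before unlinking them, which is the file-level form of what a whole-drive wipe utility does. The category names, the retention periods and the sample files are assumptions that a real written policy would replace.

```python
import os
import tempfile
import time
from pathlib import Path

# Constructed retention schedule, in days; the real numbers come from counsel and the
# organization's written records retention policy, not from this script.
RETENTION_RULES = {
    "donor_records": 7 * 365,
    "event_signups": 90,
    "job_applications": 365,
}


def overwrite_and_delete(path: Path, passes: int = 1) -> None:
    """Overwrite the file's bytes in place, flush to disk, then unlink it.
    This is the overwrite approach the slide describes for spinning disks; on SSDs,
    journaling filesystems and cloud-synced folders an in-place overwrite is not
    guaranteed to reach every copy, so full-disk encryption with key destruction
    is the stronger control there."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()


def retention_sweep(root, rules, now=None, dry_run=True):
    """Classify every file by its top-level folder and compare its age with the rule.
    Returns (expired, kept, unclassified) as relative POSIX paths. With dry_run=True
    nothing is destroyed; unclassified files are never deleted in either mode."""
    now = time.time() if now is None else now
    root = Path(root)
    expired, kept, unclassified = [], [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        category = rel.parts[0] if len(rel.parts) > 1 else None
        days = rules.get(category)
        if days is None:
            unclassified.append(rel.as_posix())  # no rule means no silent deletion
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days > days:
            expired.append(rel.as_posix())
            if not dry_run:
                overwrite_and_delete(path)
        else:
            kept.append(rel.as_posix())
    return expired, kept, unclassified


def demo():
    """Constructed records tree with back-dated modification times: preview, then enforce."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # relative path -> age in days
            "donor_records/2010_gala.csv": 6 * 365,
            "event_signups/spring_walk.csv": 120,
            "event_signups/summer_picnic.csv": 10,
            "job_applications/old_applicant.pdf": 400,
            "misc/unknown.txt": 1000,
        }
        for rel, age in samples.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"sample PII " * 100)
            ts = now - age * 86400
            os.utime(p, (ts, ts))
        preview = retention_sweep(root, RETENTION_RULES, now=now, dry_run=True)
        retention_sweep(root, RETENTION_RULES, now=now, dry_run=False)
        remaining = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
        return preview, remaining


if __name__ == "__main__":
    print(demo())
```

Run the sweep in dry-run mode on a schedule and review the expired list before enforcing it; the unclassified bucket is where records that nobody assigned a retention period turn up, and those are the ones a policy review should resolve rather than a script.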
WRAP-UP
5 Steps to Better Organizational Cybersecurity
IDENTIFY: Take inventory of key technologies you use and know what
information you need to rebuild your infrastructure from scratch. Inventory the key
data you use and store, and keep track of likely threats.
PROTECT: Assess what protective measures you need to have in place to be
prepared for a cyber incident. Put protective policies in place for technologies, data
and users, and ensure contracts with cloud and other technology service providers
include the same protections.
DETECT: Put measures in place to inform you of current or imminent threats to
system integrity, or loss or compromise of data. Monitor disk health and utilization
and network errors. Train users to speedily report threats or incidents.
RESPOND: Know what you need to do to contain an attack or incident, and
maintain organizational operations in the short term.
RECOVER: Know what you need to do to return to normal organizational
operations after an incident. Be sure your Recovery Plan protects sensitive data,
and your organization’s reputation, over the long term.
38
FINAL THOUGHTS
There is no one-size-fits-all approach to data security - what’s right for
you depends on the nature of your organization and type of information
you collect and retain.
Some of the most effective basic security measures - personnel
training, complex passwords, securing sensitive paperwork, etc. - are of
negligible cost.
REMEMBER: It’s more cost-effective in the long run to invest in better
data security than to lose trust & goodwill, defend yourself in legal
actions, and face other consequences of a data breach.
39
HELPFUL CYBERSECURITY RESOURCES
BBB Cybersecurity website:
www.bbb.org/cybersecurity
VERIZON Data Breach Investigations Report
www.verizonenterprise.com/DBIR/2015/
FTC Start with Security Resources and Information
www.ftc.gov/datasecurity
NATIONAL CYBER SECURITY ALLIANCE Resources
www.stopthinkconnect.org
Two-Factor Authentication (2FA) Information
www.stopthinkconnect.org/2stepsahead/resources
40
HELPFUL BBB RESOURCES
BBB Charity Accountability Program
ny.give.org and give.org
Metro NY BBB Foundation:
Heather Layland, Director, Charity Accountability Program
[email protected]
212.358.2823
BBB Serving the Mid-Hudson
newyork.bbb.org and bbb.org
Brian Rauer, Executive Director
[email protected]
914.333.0550 x205
41
THANK YOU!
QUESTIONS?
42