MANAGING RISK DAVE MILLIER, CEO, UZADO INC.

WHAT IS RISK?
Risk is the potential of gaining or losing something of value (Wikipedia)
A situation involving exposure to danger
A probability of threat of damage
IT Risk: the potential that a given threat will exploit a vulnerability against an asset or group of assets and cause harm to an organization
In financial terms: the possibility of losing some or all of an investment

HOW CAN RISK AFFECT US?
Financial impact
Reputational impact
Regulatory impact
Employee trust
Client confidence
Impacts our ability to do business

WHAT ARE WE TRYING TO PROTECT?
Financial data
Intellectual property
Employee data
Customer data
Real-time transactional information

WHY ARE WE SEEING MORE BREACHES?
There’s a thriving underground economy for information
Data is the new gold; someone out there is interested in buying it
Criminal organizations are involved, running hacking like a business
Nation states have their own teams of hackers, building sophisticated software to infiltrate other nations (and businesses)

RISKY BEHAVIOURS – BY USERS
People are the weakest link
Not paying attention to what they’re clicking on
Plugging in infected devices
Copying data to/from cloud services
Implicit trust (don’t stop people in the halls)
Don’t report unusual behaviour (systems, network, etc.)

RISKY BEHAVIOURS – BY COMPANIES
Not taking even basic efforts to secure their systems and data
Not educating their users on basic security
Cloud services running rampant – no policy and/or no enforcement
Lack of encryption for sensitive information
Default access to everything, then trying to figure out what users shouldn’t be doing

HOW DO THE HACKERS GET IN?
Social engineering
USB drop
Phishing / spear phishing
Malware on compromised sites
Weaknesses in operating systems
Weaknesses in applications
Hackers target the weakest link (people, applications, systems, locations)

WHAT AM I SEEING?
Audited 100s of companies in the past 20 years – it’s scary out there!
Ransomware
Social engineering – phishing, physical, remote phone/email requests
Employee investigations (retail, legal, manufacturing) – data theft
Retail chains with all stores using routers, not firewalls, for protection
Shared passwords for critical systems (POS systems, network devices)
No understanding of what’s supposed to be on the network (or, just as importantly, what’s NOT supposed to be there)

FINANCIAL
75% of top 20 US commercial banks infected with malware (2016 Financial Cybersecurity Report)
Marketwired, PRN, Business Wire (insider trading data) – $30m in illegal profits
Bangladesh Central Bank – $81 million in online transfers (over $950 million attempted)
Scottrade Securities – records of 4.6 million clients
JP Morgan Chase – 76,000,000 records

RETAIL
Target – 70 million records, 40 million credit cards
TJX – 45 million credit cards
Home Depot – 53 million records
Michaels – 3 million records
Oracle MICROS POS system (affecting hundreds of retailers, 330,000 cash registers)
Wendy’s (Where’s the Breach?) – 1000 restaurants, number of records still unknown

MANUFACTURING
Vtech – 11 million children/family records exposed
Sony – PlayStation Network breach
Sony – corporate office breach
RSA – SecurID two-factor breach (subsequent breach of 3 defense contractors)

ENTERTAINMENT / HOSPITALITY
Sands Casino chain – attack from Iran against Sheldon Adelson, $40m–50m recovery
Wyndham Resorts – FTC
Starwood (Westin, Sheraton, W Hotels)
Trump Hotels – 70,000 records, $50,000 fine

ONLINE SERVICES
Yahoo – 500,000,000 accounts
Ashley Madison – 30,000,000 accounts
eBay – 145,000,000 accounts
MacKeeper – 13,000,000 accounts
Hacking Team – hacked, all company records and emails stolen and released

GOVERNMENT
CRA – income tax filing
NSA – Edward Snowden leak
US Military – Bradley/Chelsea Manning
US Office of Personnel Management – 21.5 million government employee records
Securus – 70 million private phone conversations (inmates)
US voting system – 191 million registered voters
Democratic server hack

UTILITIES
Attack against Ukrainian power plant
Attack against Ukrainian air traffic control system
Attack against water treatment plant (diversion of water)
Control networks on the internet (city-wide private networks fully accessible)
USB drop: 16 of 20 plugged in, 4 to the SCADA network
Internet-accessible PLCs for water, electricity, oil and gas

HEALTHCARE
$6.2 billion in damage in % of orgs hit with 2 or more breaches, 45% more than 5 breaches
Anthem breach – 78.8 million records of PII and PHI
Hollywood Presbyterian Medical Center – Cryptolocker, $17k
Methodist Hospital, Kentucky – ransomware
St. Joseph Health – year-long exposure of patient data, $2 million HIPAA penalty

LEGAL
Various Canadian law firms (Potash)
Mossack Fonseca – Panama Papers (whistleblower leak), 11 million documents
Cravath / Weil Gotshal (looking for information for insider trading) – represent Wall Street banks and Fortune 500 companies
Small independent family law firms
Trivial social engineering exposures (physical and remote)

REASONABLE EFFORT
In the absence of any regulatory requirements, demonstrate that you’ve done something to protect your company, its employees and any digital assets
Don’t just say you’re doing it: document what you’re doing, how often you’re doing it, and keep track of what’s being done
Periodically (at least annually) do some kind of review and document the results to demonstrate that you’re still doing what you said you were doing

HOW DO WE STOP THEM (OR AT LEAST SLOW THEM DOWN)?
PATCH YOUR SYSTEMS!!!
Test for vulnerabilities on an ongoing basis, not just once a year
Secure SDLC (Software Development Life Cycle)
Teach developers about secure coding
Employ a defense-in-depth strategy (i.e. don’t just rely on a single solution to secure you, your employees and your systems)

EDUCATE YOUR EMPLOYEES
They need to understand WHY you’re asking them to do/not do things
Social engineer them before training
Explain in ways they can relate to (educating about home use really translates to business)
Do refresher sessions (quarterly, semi-annually, annually)
Do quizzes
Have contests, prizes

SUMMARY
The risk is real
There’s a reasonable chance you will be impacted in some way by hacking
Preventative risk management actually works
Reduce risk where you can; understand and manage it where you can’t
Doing nothing is no longer an option!!!

Breached!

QUESTIONS?
Dave Millier, CEO, Uzado Inc.