Cybersecurity Risk, Remediation, Response Nathan Gibson, CCE, CEH

Today’s Presentation  Introduction  Governance  Cyber Risk  Remediation Strategies –Passwords –Phishing –Security Updates  Incident Response  Challenge  Summary

Definitions  Information Security –The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.  Cybersecurity –The ability to protect or defend the use of cyberspace from cyber attacks

Terms  Phishing  Threat Actor  Malware  OCR

Governance  Leadership –Executive Leadership –Board Accountability –Incident Response Team Confidentiality & Security Team (CST) Computer Emergency Response Team (CERT)  Frameworks –NIST Cybersecurity Framework –NIST 800-Series Guidance –SANS 20 Critical Security Controls

Compliance Secure

Next Steps Cyber Risk Risk Remediation Response

Cyber Risk  Criminal Attacks Up 125%  Medical Identity Theft Doubled –1.4M to more than 2.3M  Average of $13,500 to Restore Credit

Cyber Risk  The Numbers... –Medical record: $10 - $50 –Mother’s Maiden Name: $6 –Social Security Number: $3 –Date of Birth: $3 –Credit Card: $1.00  Risks –Patient safety (medical record) –Coverage (routine physical to major surgery) –Fraudulent claims –Credit accounts

Cyber Risk Phishing Phishing (TBD) Phishing

Cyber Risk OCR Breach Portal: October, Breaches (Hacking), >115M Patients

Cyber Risk  Verizon Data Breach Report –23% of recipients open phishing messages –11% click on attachments –97% of exploits target 10 CVEs –Mobile malware not a primary threat –Threat Actors 80% of breaches reviewed (external) 17% of breaches reviewed (internal) 3% of breaches reviewed (partners)

Cyber Risk  Risk Assessment –NIST Rev. 1 Conducting Risk Assessments –NIST Managing Information Security Risk –Vulnerability Assessments –Stored and Transmitted

Cyber Risk  Stored –Databases –Thumbdrives –Workstations –File Servers –Medical Devices  Transmitted – –VPN (clients) –Site-to-Site VPN Tunnel –Secure Web Front-End  Know your data!  Don’t overlook non-sensitive systems

Cyber Risk  Tools –Security Risk Assessment (SRA Tool) professionals/security-risk-assessment-tool Additional resources oTop 10 Tips for Cybersecurity in Health Care –HIPAA Security Rule Toolkit

Next Steps Remediation Strategies Risk Remediation Response

Remediation Strategies  Accept –Within organizational risk tolerance  Avoid –Risk exceeds organizational risk tolerance  Mitigate –NIST –20 Critical Security Controls  Share or Transfer –Outsourcing –Cyber Insurance

Remediation Strategies  Cyber Insurance –Breach Costs (forensics, notification, identity protection) –Privacy Protection (regulatory) –Multimedia Protection –Cyber Extortion  Analysis –Incident History –Ponemon Study: $204 per record –Verizon Data Breach Report

Remediation Strategies  Verizon Data Breach Report –Cost Per Record

Remediation Strategies  Example Safeguards –Encryption –Malware Protection –Microsoft & Third Party Updates –Physical Access Controls –Intrusion Detection & Prevention –Policies & Procedures –Disaster Recovery & Business Continuity –Incident Response –Two-Factor Authentication –Strong Password Enforcement

Next Steps Video Passwords

 Which one is more secure? take the survey Xq!5#7pK 8 characters 3 days to crack 15 characters 49 million years to crack

Passwords  Passwords –Minimum of 8 characters (10-52 seconds) –Upper & lower case ( minutes) –Numbers (3-15 hours) –Special characters (3-5 days)  Passphrases –Minimum of 15 characters (13,000 years) –Upper & lower case (435 million years) –Numbers (6 billon years) –Special characters (157 billion years)

Passwords  Two-Factor Authentication –Password, Pin –Hard Token, Soft Token, Certificate

Phishing  Security awareness and training

Phishing  Phishing tests –Social Engineering Toolkit (SET) –Simple Phishing Toolkit –SpearPhisher

Phishing Test

Security Updates  Windows Updates –120 Windows Updates, Per Server, Per Year –12,000 Windows Updates Per Year (per 100 Servers)  Microsoft Updates –Office –SQL  Third Party Updates –Adobe –Oracle (Java)

Next Steps Incident Response Risk Remediation Response

Incident Response  Incident Response Team  Reporting & Tracking  Breach Assessment –Notification Requirements  Law Enforcement & NCCIC  Disaster and Contingency Planning

Incident Response  National Cybersecurity and Communications Integration Center (NCCIC) –US-CERT (United States Computer Emergency Readiness Team) –ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) –NCC (National Coordinating Center) –COC (NCCIC Cyber Operations Center) –DTA (Discovery and Technical Analysis) –MM (Mission Management)

Challenge #1  Vulnerability Assessment Report –US-CERT: Top 30 Targeted High Risk Vulnerabilities –

Challenge #2  Malware Report –Virus definitions –Detection history –Rogue system detection

Challenge #3  Security Update Status Report –Microsoft updates –Third party software

Challenge #4  Security Awareness and Training –Training certifications/verification –Review/update content –Phishing test  Free Resources –CyberAwareness Challenge (Federal Version) –Identifying and Safeguarding PII –Privacy and Security Training Games

Summary  Risk  Remediation  Response

Additional Information  Verizon Data Breach Report (2015) –  National Institute of Standards and Technology (NIST) – –800-Series Guidance:  OCR Breach Portal –  NCCIC – integration-center  US-CERT – –Incident Reporting:

Additional Information  Cybercrime and the Healthcare Industry (EMC & RSA) – healthcare-industry-rsa-wp.pdf  Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data (Ponemon Institute) – privacy-security-incidents-of-healthcare-data  Cyber-Risk Oversight Handbook – 8

Contact Information Have a question, comment, or suggestion? Contact Nathan Gibson at: ext. 2236