INTELLIGENT CYBERSECURITY

Introductions
Dean Sapp, CISO, Braintrace, Inc.
220 S. 200 E., Suite 300, SLC, UT 84111
801-803-7902
Braintrace Intelligent CyberSecurity
Father of five great kids, student, author, security researcher, Spartan racer, and doer of hard things.
Security Certifications: CISSP, CISA, CIPP/US, ITILv3, GCCC, GCIH, GSIP, GPEN, GAWN, GSLC, GCPM, GWAPT, G2700, GLEG, GSOC
Copyright 2017 Braintrace, Inc.
UCIP

CyberSecurity Risk Management

Top five cyber attacks we see causing losses
1. Business Email Compromise (BEC) / Wire Fraud
2. Ransomware attacks (WannaCry/Petya/Others)
3. Unauthorized email and document access
4. Mobile phone compromise
5. Targeted social engineering

Sources
1. 2017 Verizon Data Breach Report (2016 findings)
2. 2017 Cost of Data Breach Study: Ponemon Institute
3. 2016 Rand Institute, Cost and Causes of Cyber Incidents Report

Classic cons are still effective
FBI Uniform Crime Reporting lab statistics.

Classic cons have evolved
Many of the classic cons have been adapted to modern technology:
Get rich quick schemes
Nigerian Prince Scam
Mail fraud
Current versions include ransomware & tax return fraud
Persuasion tricks
Request for urgent business relationship or wire payments (BEC)
Check fraud
Credit card fraud / ATM fraud
Extortion
Webcam hacks and social media slander

Cyber crime is big business
Cyber crime is growing at an alarming rate.
Wire fraud / SWIFT client theft: in February 2016 thieves attempted to steal $951 million from the Central Bank of Bangladesh. All but $81 million was recovered.
Business E-mail Compromise (BEC): how does a BEC work? The FBI recently calculated $3 billion in losses from US companies over the past few years from wire fraud.
Hacking at unprecedented levels: estimated breach costs in 2015 exceed $39.1 billion. Many companies never recover.

Almost everyone is a target
What do the crooks really want?
All your monies! Preferably in Bitcoin.
Or your stuff (inventory, used computers, devices, anything they can monetize)
EFT/wires/bank account numbers
Credit card numbers/health records
Intellectual property (Panama Papers: watch out, law firms!): copyrights, patents, trademarks, mergers and acquisition data
Insider trading information
Executive dossier(s)

Verizon report contributors
60+ agencies! Collaborating and sharing data!

Verizon executive summary

Who was targeted in 2016?

Incident classification patterns

Cost to a business
According to the Ponemon Institute:
In 2016, data breaches cost the most in the US and Germany.
The average cost per capita of a data breach is $225 per record, and the average total organizational cost in the US was $7.35 million.
The most valuable individual records for the crooks to steal for identity theft purposes are medical records. They are also the most expensive breaches, at $380 per record.
2017 Ponemon Breach Report

Cost per record in the U.S.
2017 Ponemon Breach Report

Cost per breach in the U.S.: ~ $200,000
2016 RAND Breach Report

Information is Beautiful
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

The 9 Largest Breaches (Huffington Post)
9. The Home Depot (2014): 56 Million records
8. Target (2013): 70 Million records
7. JP Morgan Chase (2014): 76 Million records
6. Sony PSN (2011): 77 Million records
5. Anthem (2015): 80 Million records
4. TJX (2003): 94 Million records
3. Heartland (2008): 130 Million records
2. eBay (2014): 145 Million records
1. US business hacks (2012): 160 Million records from multiple companies by one hacker group (victims included Nasdaq, JetBlue, JC Penney, 7-11 and many others)
Source: http://www.huffingtonpost.com

Total cost is hard to pinpoint
It may be a combination of detection and cleanup, victim recovery services and litigation expenses.
2016 RAND Breach Report

How much could it cost your business?
The only way to know with confidence is to get a cyber risk assessment completed.

Attacks we see most often
BEC / email compromises
Account / password theft
Phishing attacks
Ransomware
Attacks from missing patches
IoT attacks
Mobile device compromise
General hacking, whatever is easiest

Business email compromise (BEC)
Since 2013, 14,032 US companies have lost ~960M
Average loss of $68,415
Since January 2015, 1,300% increase in losses
All 50 states and 100 countries impacted.
Majority of the money going to banks in China.
A large local financial company was targeted:
Hacked the CEO's business email account.
Sent an email with wire transfer instructions to the Accounts Payable Manager.
Instructions to wire $175,000 over the weekend for an urgent and time-sensitive deal.
Follow-up email to wire an additional $240,000 to the same bank.
http://www.tripwire.com/state-of-security/latest-security-news/business-email-compromise-scams-have-cost-victims-3b-report-feds/

Password theft / credential theft
Passwords are the primary way attackers get into corporate networks.
Sometimes the hackers will just ask for user passwords: why work hard when you don't have to?
Would you give me your password for a piece of chocolate? What about a candy bar? Not even for some bacon? What if I gave you 100 bucks? What about $25,000?
People will often give out their passwords, including to someone acting like the IT department, the help desk, or to the highest bidder.
If not, the hackers may try to guess them if they are short or simple. Or they might just go search the dark web for a password that is common across personal and business accounts.

Phishing risks
If they can't guess your password, they likely will go phishing!
Phishing is the most successful way to compromise a computer and then gain access to a user's account and password.
Dozens of phishing tools have been written to help the bad guys conduct phishing campaigns.
Some phishing variants:
whaling
spear phishing (91% of the phishing attacks)
clone phishing
phone phishing (my nephew: "Ugh, Uncle Dean, I need some help")
Results often include stolen passwords, ransomed computer, wire fraud, and potentially a cyber breach.

Documents and Browsers!

Crime as a Service (CaaS)

Missing Patches
If you have it on your network, patch it!
Computer Hardware
Computer Software
Operating Systems
Browsers
Plugins
Applications
SCADA systems
Firewalls, Routers
Websites
IoT Devices
Smart phones and Tablets
Printers

Patching is our Achilles' heel!
2017 Verizon Data Breach Report

Threat areas to review

Five things to start doing tomorrow
1. Harden your email systems
   a) Turn on DKIM, SPF, DMARC
   b) Digitally sign your email and quarantine unsigned emails for review
2. Lock down your firewall
   a) Block blacklisted IPs (inbound and outbound)
   b) Geo-block if possible (inbound and outbound)
3. Secure your endpoints and servers
   a) Use a very good endpoint product with the security features enabled
   b) Turn on the local firewall, and turn off PowerShell and native tool access
4. Turn on multi-factor authentication for most valuable systems
   a) Especially email and systems to move money
5. Patch your stuff! Especially public facing systems!

What should we do over the next 12 months?
1. Get a cyber risk assessment and penetration test
2. Start using 2FA strong authentication for everything
3. Continue to patch your systems (especially public facing ones)
4. Consider managed security services
5. Deploy next generation endpoint protection
6. Set up an active breach detection system
7. Use a next-generation firewall
8. Encrypt your data and use offline backup options
9. Investigate CyberSecurity insurance options
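Item 1a of the "five things" list (turn on DKIM, SPF, DMARC) is only useful if the records actually enforce something; a p=none DMARC policy or a ~all SPF record is "turned on" but still lets spoofed mail through. The check below is an added example, not from the slides or from Braintrace, that grades SPF and DMARC TXT records for those weak settings. The records are constructed sample values for a hypothetical example.com; in practice they come from DNS TXT lookups of the domain and of _dmarc.<domain>.

```python
import re

# Constructed sample records for a hypothetical example.com (not real DNS data).
# The "weak" pair is technically "turned on" but still lets spoofed mail through.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
HARDENED_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means no weak settings."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    findings, terms = [], record.split()[1:]
    # The 'all' mechanism decides the fate of any sender no earlier term matched.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host to send as the domain")
        elif qualifier in "~?":
            findings.append(f"'{qualifier}all' is softfail/neutral; use '-all' for hard fail")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it enforces and reports."""
    tags = {k.strip(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100 enforces the policy on only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate spoofing reports are never received")
    return findings
```

Run check_spf and check_dmarc over your own published records: an empty list for both is the state item 1a is asking for.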
