Copy of Maritime Cybersecurity Center - Cyber Awareness Briefing for

by Rob Burton on 10 May 2016


Maritime Cybersecurity Center
Cyber Awareness Briefing for Businesses
Agenda
1. Cybersecurity - Overview, Threats and Best Practices

2. The Four Steps to Cyber and Business Resilience

3. Case Studies
Objectives
Define Cybersecurity
Explain the importance of securing information through best cybersecurity practices
Identify types of information that should be secured
Identify types of cyber threats
Define risk management
List best practices for guarding against cyber threats

Topics
What is cybersecurity?
Why is cybersecurity so important?
What are common cyber threats and crimes?
How do I determine my level of risk?
What can I do to protect my business?

Background
Consider the following:

• Personal information for employees
• Partner information
• Sensitive information for customers/clients
• Financial and sensitive business information

Information needs to be secured in your systems.
Aspects of Information Security
1. Confidentiality - Need to know, trained personnel, secure from non-authorized review

2. Integrity - Ensure your data can't be modified or destroyed

3. Availability - Information should be accessible quickly and reliably



Security Costs
There are costs associated with protecting information

The cost of not protecting information can be much higher than the cost of protecting it

Notifying victims is costly, as is any litigation that may follow

There might be fines for non-compliance with government regulations

Replacing hardware or updating software may also be costly (Ransomware)


Threat Origins
While there are multiple threats to information security including natural disasters and systems failure, most threats have a human at their origin. We will focus on the threats with human origins.
External Threats

Cybercriminals
Hacktivists
Nation-states
Political Agenda
Amateurs (Children)
Corporate Espionage
Inside Threats

80% of problems (National Institute of Standards and Technology)
Intentional (Insider, theft, damage)
Unintentional (lack of awareness and training on procedures)
Will You Be Rick Rolled?
Website Tampering / Defacement
Theft of computer files
Inappropriate access to computer accounts
Theft of laptops and computers
Interception of emails or internet transactions
Phishing emails that trick you into giving away personal information
Spear phishing emails that deceive a specific group of people into responding
Identity theft
Theft of Data
Distributed Denial of Service Attack or DDoS
An attack on a computer or website
Locks the computer and/or crashes the system
Results in stopped or slowed workflow, prevented communication, and halted e-commerce.
Malicious Code and Viruses
These threats send themselves over the internet to find and send your files, find and delete critical data, or lock up the computer or system.

They can hide in programs or documents, make copies of themselves, and install themselves on your system to record keystrokes and send them to a collection point.
Reasons for Vulnerabilities
Before we can address how to prevent attacks, we must first investigate the reasons that small businesses are vulnerable to these kinds of attacks.

Computer hardware and software are outdated and/or insecure
Poor or missing security policies that do not establish security protocols
Missing procedures for securing information
Lazy oversight
Loose enforcement of existing policies
Risk
How much risk can you tolerate?
Risk Assessment (more on this later when we discuss business continuity planning)
No risk can be completely eliminated
If the consequence and probability of a breach are high, then your tolerance for risk is low
If the consequence is minor, more risk may be acceptable to you
If the risk is still too high, consult your insurance provider to discuss cyber coverage
Protecting Yourself from Human Vulnerabilities
Step 1:
Create security policies
Ensure policies are comprehensive and up to date
Policies and procedures may change based on evolving threats

Step 2:
Make sure employees know the policies and adhere to them


Who Needs Training?
Determine who will need to know the procedures. Consider:
Employees who use computers in their work
Help desk
System administrators
Managers/executives using specialized software
System maintenance
IT Outsourcing
Basics
You should train employees in basic security principles, and training should begin the first day at work

Include security policies and procedures, security threats and cautions, and basic security do's and don'ts in your training
Continuation Training
Training should continue with reminders and tools, including pamphlets, posters, newsletters, videos, rewards for good security, and periodic re-training - because people forget!

Lack of training is one of the most significant information security weaknesses in most organizations
Best Practices
What should you actually train your employees on? How can you keep your information safe? You should address:

Safe internet practices
Safe email practices
Safe desktop practices
Internet Practices
Do not surf the web with an administrative account
Do not download software from unknown pages
Do not download files from unknown sources
Do not respond to popup windows requesting you to download drivers
Do not allow any websites to install software on your computer
Protect passwords, credit card numbers, and private information in web browsers and conduct online business and banking on secure connections
Email Practices
Be careful when opening attachments

Don't reply to unsolicited emails

Don't click on links in an email
Protecting Your Systems
In order to protect yourself against viruses, spyware, trojans, and malware:
Install anti-virus software
Company-wide detection tools
Company-wide process
Assign responsibility in writing
Up-to-date search definitions
Include employees' home systems
1. US Office of Personnel Management

2. FBI Portal Breach

3. Ashley Madison

4. TalkTalk

5. Anthem

6. Carphone Warehouse

7. Multiple US financial institutions and media companies

8. Vodafone

9. Samsung Electronics

10. Hilton Worldwide
Hardware and Software
Hardware and software protections require:

Secure internet connection and change passwords
Change passwords periodically
Use software firewalls
Patch operating systems and applications
Secure wireless access points
Backup Procedures
Backup procedures are extremely important
Your goal should be the ability to restore systems and data to what existed before any threat is realized
Make back-up copies of important information and restore weekly or daily
Store a backup copy off-site for safe keeping
You should also test your backups to make sure that they actually work
Also keep in mind the importance of disposing of old computers and media securely
Next Steps
Step 1 - Conduct an analysis of information security needs
Step 2 - Assess the cost of losing your information
Step 3 - Create a plan to protect your information
Step 4 - Implement your plan through policies, training, and hardware and software controls

The Four Steps to Resilience
1. Planning – this is where you identify threats specific to your business and address them with plans.

2. Implementation – this is where you implement the plans that were created in Step 1.

3. Testing and Exercises – this Step requires you to test and/or exercise those plans to ensure they work and everyone knows their roles and responsibilities.

4. Program Improvement – this is where you modify the plans and process based on real events or based on results from Step 3.

Business Continuity Management Life Cycle
Step 1 - Planning
The planning phase should take an “all hazards” approach. There are many different threats or hazards.
Your planning process should also identify scenarios to consider for emergency planning.
Strategies for prevention/deterrence and risk mitigation should be developed as part of the planning process.
Threats or hazards that are classified as probable and those hazards that could cause injury, property damage, business disruption or environmental impact should be addressed.
In developing an all hazards preparedness plan, potential hazards should be identified, vulnerabilities assessed and potential impacts analyzed.
The risk assessment identifies threats or hazards and opportunities for hazard prevention, deterrence, and risk mitigation.
Step 1 - Planning continued...
For each hazard there are many possible scenarios that could unfold depending on timing, magnitude and location of the hazard.
As you conduct the risk assessment, look for vulnerabilities—weaknesses—that would make an asset more susceptible to damage from a hazard.
Vulnerabilities include deficiencies in building construction, process systems, security, data storage and backup, third-party vendors, protection systems and loss prevention programs.


BIA - Business Impact Analysis
The business impact analysis (BIA) identifies time sensitive or critical processes and the financial and operational impacts resulting from disruption of those business processes.

The BIA also gathers information about the resource requirements to support the time sensitive or critical business processes.

This information is useful in making informed decisions regarding investments to offset risks and avoid business disruptions.
This is part of the planning step
Step 2 - Implementation
Implementation involves identifying and assessing resources, writing plans, developing a system to manage incidents, and training employees so they can execute plans.

Senior management should consider developing, at a minimum, an Emergency Response Plan, a Crisis Communication Plan, a Business Continuity Plan, and an IT Disaster Recovery Plan or even a specific Cyber Security Plan if your business requires one.
Step 3 - Testing and Exercises
There are many benefits to testing and exercises:

Train personnel; clarify roles and responsibilities
Reinforce knowledge of procedures, facilities, systems and equipment
Improve individual performance and organizational coordination and communications
Evaluate policies, plans, procedures and the knowledge and skills of team members
Reveal weaknesses, conflicts, and resource gaps
Comply with local laws, codes and regulations
Gain recognition for the emergency management and business continuity program
Step 3 - Exercises
Exercises are a great method to:

Evaluate the preparedness program
Identify planning and procedural deficiencies
Test or validate recently changed procedures or plans
Clarify roles and responsibilities
Obtain participant feedback and recommendations for program improvement
Measure improvement compared to performance objectives
Improve coordination between internal and external teams, organizations and entities
Validate training and education
Increase awareness and understanding of hazards and the potential impacts of hazards
Assess the capabilities of existing resources and identify needed resources
Step 4 - Program Improvement
Review
Make Changes
Validate
Document
Lessons-to-be-Learned
Case Study
Contact Information
Rob Burton
Managing Director
(401) 236-1363 x714
rob.burton@preparedex.com
www.preparedex.com

Molly Donohue Magee
Acting Executive Director
(401) 378-8485
mmagee@maritimecybersecurity.org
www.maritimecybersecurity.org
Thank You