The document discusses security awareness and the growing threat of cyber attacks and data breaches. It notes that malware has become more sophisticated, targeting data and businesses rather than just PCs. The impacts of data breaches can include high costs for businesses. It recommends practicing defense in depth across networks, endpoints, and security tools to balance risk and costs. Cyber/privacy breach insurance can help cover liabilities and costs imposed by laws and regulations in the event of a security incident.

1. April 26th, 2016
Security Awareness
Security is the degree of resistance to, or protection from, harm.
…if security breaks down, technology breaks down

3. • Current Security Landscape
• The Impact of Data Breach or Data Loss
• Raise everyone’s overall awareness
• Security risks
• Techniques to reduce risk
• Changes in Strategy
• What we should and can be doing?
Goal for Today
Protecting People, Property and Business Assets

4. “The AV-TEST Institute registers over 390,000 new
malicious programs every day”
Security is a Growing Concern
https://www.av-test.org

5. Malware has Changed
Then
• Low Business Impact
• Less Sophisticated
• Targeted PC’s
Now
• High Business Impact
• High Sophistication
• Targets Data
High Visibility Low
ThenOrganizationalRiskNow

6. Active malware trends
over the last 10 years
Security is a Growing Concern

7. Malware development trends
over the last 10 years
Security is a Growing Concern

8. • Businesses ability recover
• Brand damage
• Associated Costs
The Impact of Data
Breach or Data Loss

9. Cost of
Breaches
32% of organizations have reported cyber-crime

10. Attackers Evolve, Adapt and Accelerate
• Attackers are nimble, opportunistic,
cooperative, skilled and relentless
• Their motivation, resiliency, and creativity
drives great adaptability
• Acceleration in their methods, tools, and
targets (technology, people, processes)

11. Attackers Evolve, Adapt and Accelerate
• Dark markets and services grow
• New data breach targets emerge
• Attacks will drive down the technology stack
• Data
• Apps
• Operating Systems
• Firmware
• Hardware
• Ransomware and “CEO email” fraud rises

12. • 80% of Infections stem from massive e-
mail attacks
• Phishing vs Spear Phishing
• Attackers are aware of 3rd party
relationships between large targets and
smaller service providers
Phishing

13. Phishing

14. Phishing

15. Phishing

16. Phishing

17. Services for sale

18. Need a credit card ?

20. Another
Scary
Fact

22. Background
Security goes back
as far a man kind.

23. The Traditional Approach to Security
Internet
Firewall
Antivirus

24. Early Defense in Depth

25. Defense in Depth Example
Internet
Firewall
Antivirus
Antispyware
Intrusion Prevention
Antivirus &
Antimalware

26. Defense in Depth
The idea behind “Defense in
Depth” is to defend your data
and systems against any
particular attack, using several
independent methods
Perimeter
Internal
Network
Endpoint
•Firewall
•CGSS
•IPS
•Policies
•Access Rights
•Monitoring
•Antivirus
•Anti Malware
•Cloud Security

27. Why is all this
important?

28. The United States
is the most
targeted country
in the world.
Fireeye Cyber Threat Map

29. Who are we trying to
protect from?
• Nation States
• Insiders
• Organized Crime
• Other Companies
• Thrill Seekers
• Notoriety
• Political Activists

30. How do they do it?
• Poorly configured systems using default passwords
and settings which are weak
• Exploit known vulnerabilities which are easy to find
• Metasploit
• CGE (Cisco Global Exploiter)
• Password cracking tools to break weak passwords
• Social engineering / Email
• Planting infection in web sites
• Real examples

31. • Train Network Users to have a healthy level of skepticism
• Keep Software up to date
• Least privileged access
• Encrypt Data in transit & on mobile devices
• Segment & Isolate Networks
• Documented and Tested DR Plan
• Regular tests/auditing to ensure measures are effective
• Data Loss Protection tools
Tools and Techniques Summary

32. • Seek an optimal balance of Risk/Cost for your business
• Understand what we are protecting
• Treat security as on going concern
• Not a set it and forget it
• Ongoing Security Awareness Training
Summary

33. Will Anyone Out There Take on the Rest of My Risk?

34. Why Cyber/Privacy Breach Liability
Insurance?
• Both the federal government, and each of the 50 states, impose certain actions upon
persons/entities/businesses/agencies who maintain personal information on systems or
computers in the event of a breach or suspected breach.
• “Certain actions” could include written notice to all impacted individuals, purchase of individual
identification protection for 1 year (“Lifelock”), credit report monitoring for each impacted
individual, and monetary responsibility for financial losses to the impacted individuals.
• There is NO insurance coverage for any of these items absent a cyber/privacy breach liability
policy.
• The existence of statute and the absence of insurance creates an unfunded potential liability.

35. What Perils Will Cyber/Privacy Breach
Insure For?
• Liability imposed by statute
• Regulatory defense and penalties
• PCI fines and expenses
• Notification of Individuals expenses
• Legal services/crisis management/public relations services.
• Cyber extortion
• Specific coverage parts can be bought “ala carte” or are offered as a
“bundle” depending on specific need.

36. What Perils will Cyber/Privacy breach
NOT Insure for?
• Failure to perform professional duties in a satisfactory
manner. (Ex: systems designs, software build).
• Loss of digital assets (data).
• Loss of revenue (unless specifically added to the cyber policy).
• First party theft of money/securities.

37. Premium Drivers
• Revenues/Size of the organization or business.
• # of records/contacts in the possession of the entity.
• Past claim history.
• Industry group (low risk versus high risk).
• Limits of insurance purchased/deductibles taken.
• Specific coverage parts purchased.
• Presence of systems safeguards/professional handling of IT exposures.

38. Availability of Insurance
• Evolving market…some new entrants, some have left the market.
Some names you will recognize (AIG), some you will not (Beazley).
• Insurance policy, generally, has been adding more coverage in
recent years.
• Insurance pricing, generally, has declined a bit in recent years.
• Application process remains fairly simple: complete a written
application (2 to 10 pages), and provide any requested
documentation.
• If application is denied, carriers will tell you why.

39. Claim Examples
• Accounting firms: Systems are hacked…private info stolen.
• Ad Agency: Disgruntled employee provides ‘per click’ data to a
competitor of the firm’s client. Client sues for breach of
contract/confidentiality.
• Not For Profit Group: Loss of a donor list.
• Country club/golf course: Credit card transactions are hacked.
Loss of cash and private information.
• Hacking from outside/”inside job”/carelessness.

40. Cyber/Privacy Breach Insurance Impacts
• In 2011, 35% of all Zurich Ins. Co. survey respondents bought cyber
insurance; by 2015, the figure was 61%.
• Of cyber attacks experienced by 252 sample employers, 99% were
viruses/worms/trojans (high end) with 35% caused by malicious
insiders (low end). (Poneman Institute 2015 Study)
• Average claim cost due to cyber events were $1,388 per capita for
small firms; $431 per capita for large firms. (Poneman Institute 2015 Study)

41. THANK YOU TO OUR SPONSORS!

42. Live Hacking Demo