It's a Who, What, Where and Why behind cyber risk in today's modern era - how data breaches happen, why they happen, and what you can do to address them.

1. THE 5 WS OF CYBER SECURITY
Tom McIlwham - President @ Brootsoft Inc.
IT'S A WHO, WHAT, WHERE, WHEN & WHY BEHIND CYBER RISK IN MODERN ERA
200 – 5 Donald Street, Winnipeg, MB, R3L 2T4, Canada | www.iRangers.com | P: 1.855.996.4742
Misha Hanin - Solutions Managing Director @iRangers International
BROOTSOFT

2. It's a Who, What, Where, When and Why behind cyber risk in todays modern era
Agenda

3. Tom McIlwham
Why Do I Care?
Tom McIlwham
tom@brootsoft.com
@tommcilwham
http://irng.ca/tmcilwham
Tom McIlwham has over 40 years of I.T and Global business experience specializing in
leveraging information technology to improve business value and delivery.
As a Senior Business Leader, Mr. McIlwham has lead the successful delivery of Business
Development projects, Process optimization, Merger, Acquisition & Divestiture
Integration, Organizational Alignment and Service Delivery Implementations.
He is recognized as both a business development specialist and an agent of change
with his leadership skills and delivery of major initiatives and programs in the
international marketplace for Banks, Insurance Companies, International Airline
Transportation and Financial Services Corporations.
BROOTSOFT

4. Misha Hanin – The Visionary
Why Do I Care?
Misha Hanin
Misha.Hanin@irangers.com
@mishahanin
http://irng.ca/mishahanin
A seasoned business and technology leader with extensive information security
experience (one of the first beta-testers of CheckPoint and RadGuard Firewalls) in the
field of information technology, infrastructure analysis and design, implementing
innovative and leading technologies for International companies around the globe!
One of the nearly 500 trained Microsoft Certified Masters (MCM) in the world
(during 10 years existence of MCM program, just about 500 people in the world
participated in this very intensive training, ONLY 5 from CANADA.)
Amazon AWS Certified Solutions Architect. Working with Cloud technologies since
early 2004, beginning with Google, RackSpace, The Planet (SoftLayer), etc.
Working with IT systems since the early 90’s, beginning with Windows 1.0 !

5. Why Should You Care?
• As Gatekeepers and Custodians of peoples personal information you are
• Morally
• Ethically
• Professionally
• Responsible for that electronically stored information.
• Your are also responsible and accountable to ensure that information is current and
usable to all stakeholders
• It is also your responsibility to ensure that electronic data if corrupted has proactive
backup plans and tested recoverability plans and processes
Data Security

6. Your Responsibilities
• Creating repeatable processes and control objectives to meet the delivery and regulatory mandates
• Security and confidentiality of patient information
• Recoverability and availability of systems
• Operating a TIGHT ship at a reasonable cost
• Meeting or exceeding the expectations of the patients and the policy makers
The overall objective is to establish and ensure cost effective and scaled process and security in alignment with the
business problem to be resolved.
Data Security

7. Some Historical Perspective
NHS issue from 2009
Cyber Security and Data Protection are not new phenomenon

8. Some Historical Perspective
Cyber Security and Data Protection are not new phenomenon

9. Some Recent Facts
WannaCry Ransomware Hack
• The WANNCRY and Calgary University hacks for Ransomware got lots of attention but really did not create an
economic win for the hackers
• The bitcoin exchange at last declaration for Wannacry was around 80k
• More importantly Globally there was lost productivity to the tune of $8bn
• Calgary University paid 15k in bitcoin, but also had to spend an additional several million dollars after the fact to
shore up security in their network and IT ecosystems

10. Who?

11. Click to edit Master title style
Real story...
How You Get Hacked?
A Demo From Real Life!

12. …If your System is Hacked!
and this is just a beginning…

13. Security
Who?
BROOTSOFT

14. NETWORK
SECURITY
Who?

15. COUNTRIES INFAMOUS FOR PROFESIONAL HACKERS
South Korea, India, Pakistan, Argentina and others…
• USA
• Japan
• China
• Russia
• Germany
• France
UK
• Israel

16. Security
What?
BROOTSOFT

17. Secure
Security
Physical Security
Bio-metric scanners
Motion Sensors
24 hour surveillance
Data Security
Encrypted at Rest and In transit
At Rest AES 256 Encryption
Data stored in region
MS Engineers Can’t access your data
Governmental Compliance – HIPPA, FISMA, FERPA, GLBA, PIPEDA, ISO 27001, SSAE 16, COACH
Financially Backed SLA – 99.9% uptime
8.76 hours per year/43.8 minutes per month/10.1 minutes per week

18. Biggest Factor to Secure Your Data
Security – Real World
YOU
 Enforce Strong Passwords
 Require Passwords to be changed regularly
 Enable Two Factor Authentication

19. EMAILSECURITYSecure – Real World

20. Security
Where?
BROOTSOFT

21. There are 22,000 enterprise
apps today (and growing).

22. Click to edit Master title style
Security
Why?
BROOTSOFT

23. DEFINITION OF SOCIAL ENGINEERING
Security & SOCIAL ENGINEERING
“Successful or unsuccessful attempts to influence a person(s) into either
revealing information or acting in a manner that would result in;
unauthorized access, unauthorized use, or unauthorized disclosure, to
an information system, network or data.”

24. THE HUMAN ELEMENT
Security
"A company may have purchased the best security technologies that money can buy, trained their
people so well that they lock up all their secrets before going home at night, and hired building guards
from the best security firm in the business. That company is still totally Vulnerable. Individuals may
follow every best-security practice recommended by the experts, slavishly install every recommended
security product, and be thoroughly vigilant about proper system configuration and applying security
patches. Those individuals are still completely vulnerable."
Kevin Mitnick.

25. Context For Social Engineering
An easy one
Gray - Not readily available,
but can be obtained without
civil/criminal liability
White - company
publications, public records,
commercial reporting
sources
Black - Obtained through
unethical or illegal means. Can
result in civil and/or criminal
sanctions.
Black = Espionage

26. Social Engineering Tactics
An easy one
Pre-texting
Cloned Websites,
Login screens, asking for your
credentials.
Malware, Trojans
Phishing
Mathematical
Psychology
Neuro-Linguistic
Programming (NLP)

27. Why Is Social Engineering So Effective?
Hacker know what they do
• The Security Field has focused primarily on technical security and protection of physical assets
• Security is only as strong as the weakest link - People are the weakest link
• Why spend time attacking the technology when a person will give you access or information
• Extremely hard to detect as there is no ID’S for “lack of common sense” or more appropriately
ignorance

28. Click to edit Master title style
The IT and Compliance Dilemma
• Tighter reporting, disclosure and evidentiary requirements driven by Canadian CEO/CFO Certification
• ISO 27799 2016 Health informatics – Information security management in health using ISO/IEC 27002
https://www.iso.org/standard/62777.html
• E- Health compliance for Privacy using COACH Guidelines
• Increasingly sophisticated patient community requiring data transparency and expectations of
confidentiality
Compliance Dilemma

29. Click to edit Master title style
The Compliance Trap
Compliance can be Security’s Worst Enemy
“Checking the Box” is not the same as “Secure”
Audit: Do you have a home alarm?
Security: Do you actually turn it on?
Work with experts!

30. Click to edit Master title style
Biggest Concern
Security
What Should & CAN Be Done?

31. Click to edit Master title style
Executive Awareness
Frameworks
• What expertise exists in-house to meet these mandates?
• What tools exist to facilitate the mandates?
• What is my current maturity level?
• What are my peers and industry best practices saying (what does done look like)?
• What is too little and too much?

32. Click to edit Master title style
Defence Framework
Mandatory activities
People
Process
Technology Organization
Effective Policies
• Enforcement of effective policies
• Staff knowledge and skill development
Secure Systems
Technology implementation
for end-to-end security
Effective support structure
Managed Processes
Security is not about products -
it is the effective management of
processes between Policy,
Technology
and Support Structure

33. Click to edit Master title style
Available Best Practices & Frameworks
Frameworks
• BN EN ISO 27799: 2008 Health informatics – Information security management in health using ISO/IEC
27002
• 2010 COACH Guidelines- Special Edition
• ITIL &ITSMF
• CobIT
• Service Desk Institute

34. Click to edit Master title style
Coach Guidelines
Coach Guidelines
• Access to computers is controlled with robust user IDs and complex passwords.
• Set up computer systems to enforce the minimum password strength defined by your password policy
• Do not use shared accounts except in systems that do not contain personal health information or other sensitive data
• Ensure users have the minimum set of system access privileges required to do their job
• Enable automatic, password-protected and timeout-activated screen savers on all computers
• Apply software updates and security patches regularly. Do NOT install software received via unsolicited email. Do install vendor-supplied
updates only.
• Install a firewall device on your network and personal firewall software on all computers and ensure that the firewall is configured
appropriately
• Install anti-virus and anti-spyware software on all computers. Ensure that the anti-virus software is set to automatically receive the latest
virus definitions and scanning engine updates from the service provider and to perform periodic scans of the entire system – for both
computers and servers
• Install a disk or file-system encryption product to encrypt all data on the computer transparently to the user. This is critical for mobile
devices.
• Where feasible, use two-factor authentication for local logon and remote access. In addition to a user name and password (one factor), the
second form of authentication may involve the use of a security token or a biometric scanner
• If staff work remotely, set up a virtual private network (VPN) device or software to ensure the access is secure

35. Click to edit Master title style
What Can Be Done?
• Combat Social Engineering
• Understand the Threat
• Train your staff!
• Engage With Security
• Understand what “IT”
really means
• Take Charge
• Understand Current Legal
Requirements
• Avoid The Compliance Trap
• Be Your Own CISO
• Work with EXPERTS!
Work with experts!

36. Click to edit Master title style
It’s actually safe the business
Operational Countermeasures
Awareness Training
Classifying Information
Security Monitoring & Alert System
Callback process before Disclosing Sensitive
Info
Verifying the Need for Information Access
Verifying Identities and Purposes
Nondisclosure/Non-compete for Employee
Agreements and business partners
Prepublication Reviews for Employees
Review of Corporate Releases
Strict Guidelines

37. This is NEVER going to happen to me !!!!!!
Backup & Disaster Recovery

38. USB Disk On Key
Removable USB Hard Drive
Removable Device
Not going to happen to me

39. Click to edit Master title style
Removable Device Control
USB Disk On Key
Removable USB Hard Drive
Personal Smart Phones

40. DR without the secondary site
Backup & DR
Backup targets
Storage – AWS S3, Azure, Google
DR
DRaaS
Replication
Azure Site Recovery
Veeam Cloud Connect
Zerto Virtual Replication
Know your limits
No encrypted disks
No VMs with UEFI/EFI boot
vSphere 6.5? Hold on!
Disk not larger than 1 TB
Veeam Cloud Providers

41. Apps and data you need accessible from anywhere
Digital Workspace

42. What you have to deal with today
Clinical Reality
Managed Services, Providers, Licenses, Technicians, Contracts, After Hours Work, Maintenance, Downtime …

43. Focus on what’s important, not your IT
Digital Workspace
EMR
Apps
Files
Private
Data
Tools
Email
Digital
Workspace
Portal
Desktop
Secure, Modern & Simple Clinical Cloud Service

44. Apps and data you need accessible from anywhere
Digital Workspace
LOB
Apps
SaaS
Apps
Files
Private
Data
Tools
Email
Digital
Workspace
Portal
Desktop
The universal connector
DWaaS
Apps
Desktops
Workspace close to data & workloads
Citrix VMware Microsoft

45. Conclusion
"Security is always going to be a cat and mouse game because there'll be
people out there that are hunting for the zero day award, you have people that
don't have configuration management, don't have vulnerability management,
don't have patch management. "
Kevin Mitnick

46. We are experts
Who We Are?
Particular
expertise in
counter
HUMINT
Provides
training,
consulting,
metoring,
testing and
regulasr
assessments
100% focused
on information
protection,
counter
intelligence,
counter
espionage
No conflict of
interest
We also cover:
Penetration
testing
Cyber security
Physical
security
Technical
security
Penetration Testing and Global Security Consulting

47. Research &
Strategy
How else we can help?
IMPOSSIBLE only means you haven’t found the solution yet
Security
Solutions
Cloud
Adoption
Analysis &
Optimization
Subscription
Services