It's a Who, What, Where and Why behind cyber risk in today's modern era - how data breaches happen, why they happen, and what you can do to address them.
The 5 Ws of Cyber Security
1. THE 5 WS OF CYBER SECURITY
Tom McIlwham - President @ Brootsoft Inc.
IT'S A WHO, WHAT, WHERE, WHEN & WHY BEHIND CYBER RISK IN MODERN ERA
200 – 5 Donald Street, Winnipeg, MB, R3L 2T4, Canada | www.iRangers.com | P: 1.855.996.4742
Misha Hanin - Solutions Managing Director @iRangers International
BROOTSOFT
2. It's a Who, What, Where, When and Why behind cyber risk in today's modern era
Agenda
3. Tom McIlwham
Why Do I Care?
Tom McIlwham
tom@brootsoft.com
@tommcilwham
http://irng.ca/tmcilwham
Tom McIlwham has over 40 years of I.T. and global business experience, specializing in leveraging information technology to improve business value and delivery.
As a Senior Business Leader, Mr. McIlwham has led the successful delivery of business development projects, process optimization, merger, acquisition and divestiture integration, organizational alignment and service delivery implementations.
He is recognized as both a business development specialist and an agent of change for his leadership and delivery of major initiatives and programs in the international marketplace for banks, insurance companies, international airline transportation and financial services corporations.
4. Misha Hanin – The Visionary
Why Do I Care?
Misha Hanin
Misha.Hanin@irangers.com
@mishahanin
http://irng.ca/mishahanin
A seasoned business and technology leader with extensive information security experience (one of the first beta-testers of CheckPoint and RadGuard firewalls) in the fields of information technology, infrastructure analysis and design, implementing innovative and leading technologies for international companies around the globe.
One of the nearly 500 trained Microsoft Certified Masters (MCM) in the world (during the 10-year existence of the MCM program, only about 500 people worldwide participated in this very intensive training, and ONLY 5 from CANADA).
Amazon AWS Certified Solutions Architect. Working with cloud technologies since early 2004, beginning with Google, RackSpace, The Planet (SoftLayer), etc.
Working with IT systems since the early 90's, beginning with Windows 1.0!
5. Why Should You Care?
• As gatekeepers and custodians of people's personal information you are morally, ethically and professionally responsible for that electronically stored information.
• You are also responsible and accountable for ensuring that information is current and usable to all stakeholders.
• It is also your responsibility to ensure that, if electronic data is corrupted, proactive backup plans and tested recoverability plans and processes are in place.
Data Security
6. Your Responsibilities
• Creating repeatable processes and control objectives to meet the delivery and regulatory mandates
• Security and confidentiality of patient information
• Recoverability and availability of systems
• Operating a TIGHT ship at a reasonable cost
• Meeting or exceeding the expectations of the patients and the policy makers
The overall objective is to establish and ensure cost effective and scaled process and security in alignment with the
business problem to be resolved.
Data Security
9. Some Recent Facts
WannaCry Ransomware Hack
• The WannaCry and Calgary University ransomware hacks got lots of attention but really did not create an economic win for the hackers
• The bitcoin exchange at last declaration for WannaCry was around 80k
• More importantly, globally there was lost productivity to the tune of $8bn
• Calgary University paid 15k in bitcoin, but also had to spend an additional several million dollars after the fact to shore up security in their network and IT ecosystems
15. COUNTRIES INFAMOUS FOR PROFESSIONAL HACKERS
South Korea, India, Pakistan, Argentina and others…
• USA
• Japan
• China
• Russia
• Germany
• France
• UK
• Israel
17. Secure
Security
Physical Security
• Bio-metric scanners
• Motion sensors
• 24 hour surveillance
Data Security
• Encrypted at rest and in transit
• At rest: AES 256 encryption
• Data stored in region
• MS engineers can't access your data
• Governmental compliance – HIPAA, FISMA, FERPA, GLBA, PIPEDA, ISO 27001, SSAE 16, COACH
• Financially backed SLA – 99.9% uptime, i.e. at most 8.76 hours of downtime per year / 43.8 minutes per month / 10.1 minutes per week
18. Biggest Factor to Secure Your Data
Security – Real World
YOU
Enforce Strong Passwords
Require Passwords to be changed regularly
Enable Two Factor Authentication
22. Security
Why?
23. DEFINITION OF SOCIAL ENGINEERING
Security & SOCIAL ENGINEERING
“Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network or data.”
24. THE HUMAN ELEMENT
Security
"A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. That company is still totally vulnerable. Individuals may follow every best-security practice recommended by the experts, slavishly install every recommended security product, and be thoroughly vigilant about proper system configuration and applying security patches. Those individuals are still completely vulnerable."
Kevin Mitnick
25. Context For Social Engineering
An easy one
• White - company publications, public records, commercial reporting sources
• Gray - not readily available, but can be obtained without civil/criminal liability
• Black - obtained through unethical or illegal means. Can result in civil and/or criminal sanctions.
Black = Espionage
26. Social Engineering Tactics
An easy one
• Pre-texting
• Cloned websites and login screens asking for your credentials
• Malware, Trojans
• Phishing
• Mathematical psychology
• Neuro-Linguistic Programming (NLP)
27. Why Is Social Engineering So Effective?
Hackers know what they do
• The security field has focused primarily on technical security and protection of physical assets
• Security is only as strong as the weakest link - people are the weakest link
• Why spend time attacking the technology when a person will give you access or information?
• Extremely hard to detect, as there is no IDS for “lack of common sense” or, more appropriately, ignorance
28. The IT and Compliance Dilemma
• Tighter reporting, disclosure and evidentiary requirements driven by Canadian CEO/CFO Certification
• ISO 27799:2016 Health informatics – Information security management in health using ISO/IEC 27002 (https://www.iso.org/standard/62777.html)
• E-Health compliance for privacy using COACH guidelines
• Increasingly sophisticated patient community requiring data transparency and expectations of confidentiality
Compliance Dilemma
29. The Compliance Trap
Compliance can be Security’s Worst Enemy
“Checking the Box” is not the same as “Secure”
Audit: Do you have a home alarm?
Security: Do you actually turn it on?
Work with experts!
30. Biggest Concern
Security
What Should & CAN Be Done?
31. Executive Awareness
Frameworks
• What expertise exists in-house to meet these mandates?
• What tools exist to facilitate the mandates?
• What is my current maturity level?
• What are my peers and industry best practices saying (what does done look like)?
• What is too little and too much?
32. Defence Framework
Mandatory activities: People, Process, Technology, Organization
Effective Policies
• Enforcement of effective policies
• Staff knowledge and skill development
Secure Systems
• Technology implementation for end-to-end security
• Effective support structure
Managed Processes
Security is not about products - it is the effective management of processes between Policy, Technology and Support Structure
33. Available Best Practices & Frameworks
Frameworks
• BS EN ISO 27799:2008 Health informatics – Information security management in health using ISO/IEC 27002
• 2010 COACH Guidelines - Special Edition
• ITIL & itSMF
• COBIT
• Service Desk Institute
34. COACH Guidelines
• Access to computers is controlled with robust user IDs and complex passwords.
• Set up computer systems to enforce the minimum password strength defined by your password policy.
• Do not use shared accounts except in systems that do not contain personal health information or other sensitive data.
• Ensure users have the minimum set of system access privileges required to do their job.
• Enable automatic, password-protected, timeout-activated screen savers on all computers.
• Apply software updates and security patches regularly. Do NOT install software received via unsolicited email; install vendor-supplied updates only.
• Install a firewall device on your network and personal firewall software on all computers, and ensure that the firewall is configured appropriately.
• Install anti-virus and anti-spyware software on all computers. Ensure that the anti-virus software is set to automatically receive the latest virus definitions and scanning engine updates from the service provider and to perform periodic scans of the entire system, for both computers and servers.
• Install a disk or file-system encryption product to encrypt all data on the computer transparently to the user. This is critical for mobile devices.
• Where feasible, use two-factor authentication for local logon and remote access. In addition to a user name and password (one factor), the second form of authentication may involve the use of a security token or a biometric scanner.
• If staff work remotely, set up a virtual private network (VPN) device or software to ensure the access is secure.
35. What Can Be Done?
• Combat Social Engineering
• Understand the Threat
• Train your staff!
• Engage With Security
• Understand what “IT” really means
• Take Charge
• Understand Current Legal Requirements
• Avoid The Compliance Trap
• Be Your Own CISO
• Work with EXPERTS!
36. It actually keeps the business safe
Operational Countermeasures
• Awareness training
• Classifying information
• Security monitoring & alert system
• Callback process before disclosing sensitive info
• Verifying the need for information access
• Verifying identities and purposes
• Nondisclosure/non-compete agreements for employees and business partners
• Prepublication reviews for employees
• Review of corporate releases
• Strict guidelines
37. This is NEVER going to happen to me !!!!!!
Backup & Disaster Recovery
38. USB Disk On Key
Removable USB Hard Drive
Removable Device
Not going to happen to me
39. Removable Device Control
• USB Disk On Key
• Removable USB Hard Drive
• Personal Smart Phones
40. DR without the secondary site
Backup & DR
Backup targets
• Storage – AWS S3, Azure, Google
DR
• DRaaS
• Replication: Azure Site Recovery, Veeam Cloud Connect, Zerto Virtual Replication
Know your limits
• No encrypted disks
• No VMs with UEFI/EFI boot
• vSphere 6.5? Hold on!
• Disk not larger than 1 TB
Veeam Cloud Providers
41. Apps and data you need accessible from anywhere
Digital Workspace
42. What you have to deal with today
Clinical Reality
Managed Services, Providers, Licenses, Technicians, Contracts, After Hours Work, Maintenance, Downtime …
43. Focus on what’s important, not your IT
Digital Workspace
• Content: EMR, apps, files, private data, tools, email
• Delivered through the Digital Workspace portal and desktop
Secure, Modern & Simple Clinical Cloud Service
44. Apps and data you need accessible from anywhere
Digital Workspace
• Content: LOB apps, SaaS apps, files, private data, tools, email
• Delivered through the Digital Workspace portal and desktop
• The universal connector: DWaaS (apps and desktops), workspace close to data & workloads
• Platforms: Citrix, VMware, Microsoft
45. Conclusion
"Security is always going to be a cat and mouse game because there'll be
people out there that are hunting for the zero day award, you have people that
don't have configuration management, don't have vulnerability management,
don't have patch management. "
Kevin Mitnick
46. We are experts
Who We Are?
• Particular expertise in counter-HUMINT
• Provides training, consulting, mentoring, testing and regular assessments
• 100% focused on information protection, counter intelligence, counter espionage
• No conflict of interest
We also cover: penetration testing, cyber security, physical security, technical security
Penetration Testing and Global Security Consulting
47. Research & Strategy
How else can we help?
IMPOSSIBLE only means you haven’t found the solution yet
• Security Solutions
• Cloud Adoption
• Analysis & Optimization
• Subscription Services
Editor's Notes
Social Engineering - Human aspects of competitive intelligence
Tom
Tom
At a reasonable cost and a pragmatic approach
Overkill is not required and very expensive to maintain
Tom
http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-records-1690398.html
Tom
Tom & Misha
Misha
Misha
Misha
Network Security
It is a very vast area of any organisation's network. It is built from numerous systems that you may have heard of a few times before.
Misha
Misha
Tom
This is what we think is needed (minimum recommended requirements)
Misha
Misha
The last but not least important: DLP for your precious emails.
How many times have you found yourself sending an email to the wrong person? If that email didn't contain any critical information for management partners, but a picture of a kitten, we can live with it. However, if it was your SIN number, credit card number or any other “Personal Information”, this could end badly.
To “assist” you in this fight for your data comes a DLP system that can monitor, block or redirect your emails that contain confidential information and keep it locked inside the organization.
DLP systems are mostly based on keywords and on detection algorithms for credit cards, passports, IDs, IBANs and many more.
It can analyse the data in cleartext and, if you require it, can block or redirect password-encrypted files/archives.
When the DLP system finds any of the parameters stated previously, it can notify the user that he is doing something wrong and give him a second chance to rethink his actions, or it can notify his manager with all the details of the action and the information that the employee is trying to send outside, and let the manager decide what to do in this case.
All the systems that we spoke about today come to assist us in our daily battles to protect our precious data and to try to keep it inside the walls of our organization; however, the most important factor in our victory is employee education and training. We need to remind our employees about safety at work (I am not talking about wearing a safety helmet in the office); I am talking about not opening emails from unknown sources, not visiting websites that can exploit their computer and our network later, not opening files (music, pictures etc.) from home on our workstation and, the last thing, not storing organizational information on private cloud storage.
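As an added example (not code from the presentation or its authors), this is the kind of check such a DLP system runs on an outbound email before deciding whether to let it go, warn the sender, or block it and notify the manager: keyword matching, Luhn validation for credit card and SIN numbers, and the mod-97 check for IBANs. The keyword list, sample messages and numbers are constructed; the policy thresholds are an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed policy: keywords alone earn a warning (the "second chance"),
# validated identifiers or an uninspectable encrypted attachment earn a block.
KEYWORDS = ("confidential", "internal only", "patient record")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")       # 9-digit SIN
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; both payment cards and Canadian SINs use it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, A=10..Z=35."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


@dataclass
class Verdict:
    action: str                                  # "allow", "warn" or "block"
    findings: list = field(default_factory=list)  # (kind, non-sensitive hint)
    notify_manager: bool = False


def scan_email(body: str, encrypted_attachment: bool = False) -> Verdict:
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", "ends " + digits[-4:]))
    # Mask card matches first so a 9-digit run inside a card is not re-read as a SIN.
    remainder = CARD_RE.sub(" ", body)
    for m in SIN_RE.finditer(remainder):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("sin", "ends " + digits[-3:]))
    for m in IBAN_RE.finditer(body):
        if iban_ok(m.group()):
            findings.append(("iban", m.group()[:4]))
    if encrypted_attachment:
        findings.append(("encrypted_attachment", "content cannot be inspected"))
    if findings:
        return Verdict("block", findings, notify_manager=True)
    hits = [k for k in KEYWORDS if k in body.lower()]
    if hits:
        return Verdict("warn", [("keyword", k) for k in hits])
    return Verdict("allow")
```

Only the trailing digits of a matched number are kept in the finding, so the alert sent to the manager does not itself leak the full value.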
Misha
Misha
M
M
Tom
M
M
The most direct, efficient and effective form of attack
One simple goal: generate an emotional response
Takes Many Forms:
Phishing/Spearphishing
Physical Intrusion
Remote
Odds are strongly in Hacker’s favor
M
Tom
Very pleased to connect with all of you and to get involved in the evolution of I.T. in the health sector.
The good news on all of these compliance components is that the Industry has already provided Frameworks, Models and Best Practices to help deploy and implement
The book has already been written, you just have to read and make sure you meet the objectives and requirements
Misha
Tom
Most of these mandates do not require a full-time employee on staff or the tools in-house; why would you, when they are used infrequently?
You would be surprised at the lack of adoption in the Medical sector to these requirements, but change is coming and early adopters may experience some pain initially getting to grips with it
Misha
Tom
Tom
Technical controls are those mechanisms employed within the digital infrastructure that enforce policy. They include user controls, network access, remote access, system access, application access, malware control, and encryption.
We have taken this and many other requirements into consideration, and while it is not banking standard, it certainly meets TODAY'S needs and a view of where COACH may go tomorrow, based on previous experience in other industry sectors, so you are a little ahead of the game and not playing catch-up all the time.
Misha & Tom
Tom
Tom
Misha
Many organizations work with removable devices on a daily basis. Commonly, removable devices are the main threat for corporate espionage and information loss.
We see here the famous USB mass storage device, in other words the Disk on Key, and its friend, the USB hard drive. Many operations still require physical data transfer, and due to its small size it tends to be lost or stolen; imagine if your company’s financial report was on it, or some classified blueprints of a new product? It can cause quite a lot of damage to the company and, of course, to its reputation. On the other side, you don’t want your employees to bring their own drives with pictures from their last vacation in Mexico, plug them into their desktop and spread the joy of malware that was sitting on their home computer waiting to be injected into the organization's network. Oh, you must be thinking to yourself now: “We have AV in our company and it will protect us from evil”. Not all AVs are capable of protecting your assets from sophisticated malware creators, and not all AV vendors are adjusted to today's threats. Therefore, we need a system that will control the access permissions for removable devices. These systems are loaded into the OS kernel and cannot be tampered with by a user trying to stop the services, delete the files, etc. The system protects the computer by granting access to devices based on hardware ID, manufacturer, serial number or the encryption status of the device (which we are going to talk about in a bit).
Now, for the smartphones. We can even configure the policy so that it won’t even charge a phone connected to a USB port.
This way, even keyloggers can be blocked and reported to management.
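An added illustration, not the presenters' product or code, of the removable device policy just described: a constructed allow-list keyed on hardware ID, serial number and encryption status, with personal phones refused, HID devices that are not approved keyboards treated as possible keyloggers, and every refusal written to an audit list that would be reported to management. All vendor/product IDs and serials are made-up sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    device_class: str        # "mass_storage", "smartphone" or "keyboard"
    vendor_id: str           # hardware ID as the OS reports it (constructed values)
    product_id: str
    serial: str
    encrypted: bool = False  # drive-level encryption status reported by the agent


# Constructed allow-lists standing in for a corporate device-control policy.
CORPORATE_DRIVE_MODELS = {("0781", "5583")}         # the issued drive model
CORPORATE_DRIVE_SERIALS = {"CORP-0001", "CORP-0002"}  # serials handed out by IT
APPROVED_KEYBOARD_MODELS = {("046d", "c31c")}        # standard desk keyboard


def evaluate(dev: UsbDevice, audit: list) -> str:
    """Return "allow", "read_only" or "block"; append reportable events to audit."""
    hwid = (dev.vendor_id, dev.product_id)
    if dev.device_class == "keyboard":
        if hwid in APPROVED_KEYBOARD_MODELS:
            return "allow"
        # An unknown HID device is exactly what a hardware keylogger looks like.
        audit.append(f"possible keylogger: unapproved HID {hwid} serial {dev.serial}")
        return "block"
    if dev.device_class == "smartphone":
        # Policy from the talk: personal phones get neither data nor power from the port.
        audit.append(f"personal phone refused (port unpowered): {hwid} serial {dev.serial}")
        return "block"
    if dev.device_class == "mass_storage":
        if hwid not in CORPORATE_DRIVE_MODELS or dev.serial not in CORPORATE_DRIVE_SERIALS:
            audit.append(f"unknown removable drive blocked: {hwid} serial {dev.serial}")
            return "block"
        if not dev.encrypted:
            # Corporate drive, but an unencrypted one could still leak if lost: no writes.
            audit.append(f"corporate drive {dev.serial} unencrypted, write access denied")
            return "read_only"
        return "allow"
    audit.append(f"unsupported device class {dev.device_class!r} blocked")
    return "block"
```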