DIGITAL RESPONSIBILITIES IN INFORMATION SECURITY
Clyde Hague, CISM, CISSP, CRISC
NCAA Information Security Officer
TOPICS FOR DISCUSSION
- What is the ultimate goal?
- Current environment
- Trends and threats
- Back to the basics
- Who is responsible?
- Group discussion questions
WHAT IS THE ULTIMATE GOAL?
Use a risk-based approach to develop, implement, and monitor processes designed to protect the confidentiality and integrity, with appropriate access, of customer, employee, and corporate information, in compliance with the organization's policies and standards.
NCAA ENVIRONMENT
- Approximately 400 employees and 300 contractors
- NCAA-issued smartphones based on need (no BYOD)
- Many travelers
- NCAA-issued laptops
- Three distinct environments that are connected:
  - NCAA network environment
  - NCAA external datacenter environment
  - Cloud/vendor-hosted environments
- Cloud-focused strategy
- Work directly with over 1200 institutions of higher learning
- Work directly with many business partners such as Turner Broadcasting
- Follow a layered security strategy
- Information security program and policy based on COBIT
- Security controls aligned to the NIST Cybersecurity Framework
WHO WOULD STEAL NCAA DATA?
Just about anyone:
- Hacktivists
- University students and supporters
- Illicit organizations (criminal groups, gamblers and gambling organizations)
- Hackers
Why? It does not matter if we have valuable data; it matters whether the criminals think we might.
- To steal data to make money
- To make a statement
- To embarrass
CURRENT THREAT ENVIRONMENT
Employees – the weak link, but is it really all their fault?
- 98% of attacks rely on social engineering
- 91% of successful data breaches started with a spear phishing attack
- 80% of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords
- Staff use of shadow IT has effectively caused many organizations to lose control of their data
CURRENT THREAT ENVIRONMENT
Phishing:
- 1 in 14 users will normally be tricked into clicking a link or opening an attachment
- Phishing volume grew, on average, 33% across the five most-targeted industries in 2017
- The United States receives 81% of phishing attacks
- Email is still the #1 delivery vehicle for most malware, including ransomware
- 95% of phishing attacks that led to a breach were followed by some sort of software installation
CURRENT THREAT ENVIRONMENT
Ransomware:
- Ransomware is a 1 billion+ dollar criminal business in 2017
- Total ransomware instances grew 56% in the past four quarters
Vulnerabilities:
- 99% of vulnerabilities exploited are known for at least a year
- Approximately 80% of companies that had either a breach or a failed audit could have prevented the issues with a software patch or configuration change
Data loss:
- Shadow IT is rampant, meaning many organizations have effectively lost control of their data
- 53% of breaches are discovered by external groups
- About 10% of breaches were discovered by the organization's security team
CURRENT THREAT ENVIRONMENT
Breach insurance claims:
- PII, PCI and PHI accounted for 99% of all records exposed in insurance claims
- The median cost of third-party breaches was comparable to in-house events, but exposed twice as many records
- Ransomware/cyber extortion affected every sector, with maximum breach costs in excess of $500,000
- Lost or stolen devices more than doubled in claims from 2016 to 2017
- Paper records stolen or lost almost tripled from 2016 to 2017
CYBERSECURITY TRENDS THAT MATTER
- Big and frequent breaches will continue
  Why? Basic security controls are not being implemented and monitored
- Cybersecurity will start to become a required competency for executives
  Why? Big and frequent breaches will continue, causing questions of management responsibility and making executives an easy target for blame
- Money will be rebalanced from primarily prevention to prevention, detection and response
  Why? You can't protect everything, so protect what is important and know if you have been compromised
- Companies with high-risk data will reconsider their cloud strategy
  Why? Cloud is only as secure as you are willing to make it; security is still your responsibility.
CYBERSECURITY TRENDS THAT MATTER
- Data breaches in the cloud will make cloud security a top priority and will drive the development of data security governance programs – CASB services are maturing
  Why? Your data in the cloud has to be protected at the same or higher levels as on your network
- Machine learning that detects and corrects vulnerabilities, suspicious behavior and zero-day attacks will come online, combining human and machine reaction to threats and attacks
  Why? There is 0% unemployment in the information and cyber security field. Help is needed now
- Ransomware will continue rapid growth and development
  - Ransomware as a service will be especially popular with the less technically minded criminal
  - Ransomware encryption of IoT devices will likely be introduced, e.g. encryption of a connected pacemaker!!
  - The normal defense of a good backup will be overcome by the criminals
CYBERSECURITY TRENDS THAT MATTER
- Passwords will continue to be phased out as a main/only source of authentication
  Why? Passwords are a false sense of security; forms of multi-factor authentication will take their place
- BYOD will be reconsidered
  Why? It is a convenience initiative: it doesn't save your IT team time, doesn't save much money, and raises your risk level for data exposure, and now new families of mobile malware steal credentials for account takeover
- Cybersecurity insurance will be expanded and become more demanding
  Why? Organizations have not purchased enough coverage, and insurance companies will grow tired of covering client security errors
- National cybersecurity legislation may finally be coming
  Why? Too many big breaches
- GDPR is coming - are you impacted?
GET BACK TO THE BASICS
"Organizations will continue to increase spending on new solutions, but will struggle to keep up with basic security hygiene such as patching. Hackers will continue to penetrate environments leveraging known vulnerabilities where patches have existed for quite some time."
- BeyondTrust, Cybersecurity Predictions for 2018, November 20, 2017
"Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year."
- Forbes.com, Top 10 Security Predictions Through 2020, Gartner, August 18, 2016
"97% of critical Microsoft vulnerabilities would be mitigated by removing admin rights across the enterprise."
- Avecto 2014 Microsoft Vulnerabilities Report
GET BACK TO THE BASICS
Prevent – stop it before it gets in
- Continual and tested info sec training
- Patch and update; rinse and repeat
- Cloud security configuration
- Strict user access controls, including physical
- Use multi-factor authentication where it should be used
- Mobile device management system
Detect – figure out if it got in
- Monitor what needs to be monitored, including physical
- Change management program
- Use a Cloud Access Security Broker for your valuable data
GET BACK TO THE BASICS
Respond – take care of it after it gets in
- Incident response plan
- Business continuity plan
- Cybersecurity insurance policy
- Stay up to date on the current and trending environment
- Regular "usable" information security metrics for management
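The basics above put "patch and update" under Prevent and "usable metrics for management" under Respond, and an earlier slide notes that 99% of exploited vulnerabilities have been public for at least a year. One metric that ties those together is patch latency: of the open findings that already have a fix, how many have been sitting for a year or more, and on which hosts. The script below is an added example written for this summary, not material from the presentation or from the NCAA; it runs over a small constructed inventory with placeholder finding identifiers (not real CVE numbers), and the 365-day threshold is an assumption taken from the one-year statistic.

```python
"""Patch-latency metric for a management report (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class OpenFinding:
    """One unremediated vulnerability on one host (all fields constructed)."""
    host: str
    finding_id: str       # placeholder identifier, not a real CVE
    published: date       # date the advisory / fix became public
    fix_available: bool   # vendor patch or configuration fix exists
    critical: bool        # rated critical by the scanner or vendor


# Constructed sample inventory: five open findings across four assets.
SAMPLE_FINDINGS = [
    OpenFinding("web-01", "FINDING-0001", date(2016, 6, 15), True, True),
    OpenFinding("web-01", "FINDING-0002", date(2018, 1, 20), True, False),
    OpenFinding("db-01", "FINDING-0003", date(2017, 2, 1), True, False),
    OpenFinding("file-01", "FINDING-0004", date(2017, 9, 10), False, True),
    OpenFinding("laptop-17", "FINDING-0005", date(2016, 11, 1), True, True),
]
AS_OF = date(2018, 3, 1)  # reporting date for the sample


def finding_age_days(finding, as_of):
    """Days the fix has been available (age of the public advisory)."""
    return (as_of - finding.published).days


def patch_latency_report(findings, as_of, stale_after_days=365):
    """Summarise how long fixable findings have been left open.

    Findings with no vendor fix are excluded from the stale count because
    patching cannot close them; they still appear in the open total so the
    report does not hide them.
    """
    fixable = [f for f in findings if f.fix_available]
    stale = [f for f in fixable if finding_age_days(f, as_of) >= stale_after_days]
    critical_stale = [f for f in stale if f.critical]
    oldest = max((finding_age_days(f, as_of) for f in fixable), default=0)
    return {
        "open_findings": len(findings),
        "fix_available": len(fixable),
        "stale_fixable": len(stale),
        "stale_fixable_pct": round(100 * len(stale) / len(fixable), 1) if fixable else 0.0,
        "critical_stale": len(critical_stale),
        "oldest_fixable_days": oldest,
        "hosts_with_stale": sorted({f.host for f in stale}),
    }


def management_summary(report, stale_after_days=365):
    """Render the metric as the short lines a non-technical reader needs."""
    lines = [
        f"Open findings: {report['open_findings']} "
        f"({report['fix_available']} have a fix available)",
        f"Fixable findings open {stale_after_days}+ days: "
        f"{report['stale_fixable']} ({report['stale_fixable_pct']}%), "
        f"{report['critical_stale']} of them critical",
        f"Oldest unapplied fix: {report['oldest_fixable_days']} days",
        "Assets with year-old fixes pending: "
        + (", ".join(report["hosts_with_stale"]) or "none"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(management_summary(patch_latency_report(SAMPLE_FINDINGS, AS_OF)))
```

The percentage is computed only over findings that have a fix, so the number answers the question management can act on (why are available patches not applied?) rather than mixing in issues no patch can close. Swapping the constructed list for a scanner export with the same five fields is the only change needed to run it against a real inventory.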
TWO EXAMPLES AND ONE BIG TREND
- Equifax
- Meltdown and Spectre
- General Data Protection Regulation (GDPR)
WHO IS RESPONSIBLE?
- Information Security? Yes
- IT? Sure
- Web designers? Yep
- End-users? Absolutely
- Management and the Board? YES!
This is a basic risk management tenet. As even basic security is not being addressed, more companies are finding that, legally, management and the board are ultimately responsible for the failures of a company when the topic is information and cyber security. It is not enough to put it in someone's job description; management has to make sure it gets done.
GROUP DISCUSSION QUESTIONS
- What information security and cybersecurity information do you need, and how often?
- How should a high-risk information security threat be quantified to management to gain the appropriate attention?
THANK YOU
Contact info:
Clyde Hague, CISM, CISSP, CRISC
NCAA Information Security Officer
chague@ncaa.org
317-917-6060