Welcome to the cybersecurity leadership and management course. Today we will be discussing cybersecurity strategy, a framework for aligning it to the financial and healthcare industries, and some lessons learned. My name is Cicero Chimbanda, and I am your instructor for this course.

Cybersecurity strategy alignment framework in the financial and healthcare industries. We will be evaluating the effectiveness of aligning a cybersecurity strategy in a financial or a healthcare company. In this course we will discuss the following key topics: an overview of regulations in the financial and healthcare industries; lessons learned from a specific case in the financial industry; applying a framework to those lessons learned; a healthcare industry use case and its lessons learned; and applying a framework to that use case. Let's begin.

Cybersecurity regulations in the financial and healthcare industries. Regulatory statutes that focus on the financial and healthcare industries are of the utmost importance. The financial industry is critical because of its fiduciary duty of care for its clients' financial and economic interests, and healthcare must handle the personal, sensitive data of its patients with the utmost care. They are among the more heavily regulated sectors in the United States, and each has regulatory statutes and bodies that govern it. For example, in the financial industry we have the Securities and Exchange Commission (SEC), which we talked about in a previous course, a regulatory body that oversees the securities markets and the financial industry. It has laws or acts that protect the privacy of consumer financial information and require the safeguarding of personal information, and penalties of up to a million dollars can be administered or enforced against companies that breach or do not follow these laws.
FINRA, the Financial Industry Regulatory Authority, is another such body. It has supervisory control rules that impose reporting requirements on financial firms, and violations can be penalized with fines, suspension, or even a ban of the firm from its membership. We're all familiar with these two bodies. As I've worked in the financial industry, we regularly had annual audits that we needed to adhere to in the cybersecurity space, and we needed to be accountable for certain business continuity practices throughout the year. We had to be properly accountable for certain controls on our mission-critical systems. It's very important that a chief information security officer understands the requirements and is accountable to these regulatory bodies in the financial industry.

Similarly, the healthcare industry is heavily regulated. There are many laws, which we looked at in a previous course; here we are just looking at a few samples. HIPAA is the Health Insurance Portability and Accountability Act, enacted in 1996. The largest single HIPAA fine to date has been more than $16 million, and penalties have increased dramatically: in 2018, total fines reached about $28 million. Another act is the Patient Safety and Quality Improvement Act of 2005, which ensures that patient privacy and confidentiality are adhered to at all levels. The law is administered by the Agency for Healthcare Research and Quality, which also publishes patient safety records and analyses; patient safety is of the utmost importance. The Office for Civil Rights (OCR) enforces HIPAA in the healthcare industry.

As we look at the impact of cybersecurity in the financial industry, we see that the cost of cybercrime is expected to reach $6 trillion in 2021, and the average cost of a breach is said to be about $3.7 million.
A 2020 Verizon report stated that 24 percent of the breaches it covered were in the financial industry, 12 percent in the public sector and government, 15 percent in healthcare, 15 percent in retail, and 34 percent in other sectors. Cyber risk in financial services and healthcare is only going to increase. In fact, an article in CISO Mag revealed that the banking and financial sectors are primary targets for ransomware attacks and are hit more than other sectors because of their obviously bigger budgets and investments; financial firms are investing higher budgets in protecting their infrastructure. Healthcare institutions are also known to be heavily targeted by ransomware, and one article reports top breaches affecting 27 million patient records sold on the dark net in 2019.

But healthcare and financial firms are not only worried about cyberattacks; they must also watch for natural disasters. The impact of a natural disaster can impede a financial institution's borrowers from making loan payments, losses and rates can go up, and many borrowers are affected at the same time. The FDIC listed the top 10 natural disasters from 2005 to 2019. Natural disasters can also impede healthcare. Hospitals and their patients, as you can imagine, can be highly impacted in a natural disaster. In fact, one MD stated: if you're not prepared for sudden surges in the demand for acute emergency care, then you will compromise not only the incoming disaster patients but also the existing emergency department and hospitalized patients.

Let's look at the top 10 disasters since 2005 by cost. Again, these statistics are rounded. Hurricane Katrina in 2005 cost over $125 billion; a category 5 storm with about 1,800 fatalities, it hit the Bahamas, Florida, and Louisiana.
Hurricane Harvey in 2017 also cost about $125 billion; a category 4 storm with about 100 fatalities, it mostly hit Texas and Louisiana. These two were the most costly natural disaster events in the United States. Number three was Hurricane Maria in 2017, at a cost of $92 billion; a category 5 storm with about 3,100 deaths, it mostly hit Puerto Rico. Hurricane Sandy in 2012 cost $70 billion; a category 3 storm with about 250 fatalities, it mostly hit Cuba, New York, and New Jersey.

I actually happened to have experience mitigating Hurricane Sandy. I was responsible for our office in New York, and we had employees in New York and New Jersey at the time. Luckily, through our due diligence in overseeing the redundancy of our financial institution's operations, we had duplicate routing and mission-critical systems duplicated in the Midwest, so that when Hurricane Sandy hit, and we were down for about two months with no Internet connections going out of lower Manhattan, all the operations continued to operate successfully because of the redundant systems in the Midwest. Functionally, we also had operations and personnel that could continue the work in the Midwest while things were shut down in New York.

Hurricane Irma in 2017 caused $50 billion worth of damage and about 300 fatalities. Hurricane Florence in 2018 caused $24 billion of damage and about 60 fatalities. Hurricane Irene in 2011 caused $14.2 billion worth of damage and about 50 fatalities. Hurricane Matthew in 2016 caused $10 billion of damage but about 600 fatalities, mostly in Haiti, Cuba, and the US East Coast. Hurricane Gustav in 2008 caused $8.5 billion worth of damage and about 150 fatalities. Lastly, Hurricane Isaac in 2012 caused $3.1 billion worth of damage, mostly in Louisiana, and about 50 fatalities. I show this because, as a cybersecurity professional, whether you're a chief security officer or on the task force, business continuity and disaster recovery are also of the utmost importance, as we will see in some examples.
A use case in the financial industry: lessons learned. We will look at a financial industry cybersecurity event, the breach of Capital One. In 2019 there was a data exfiltration in which about 106 million records were stolen from Capital One. The incident affected about 100 million people in the United States and about six million in Canada, and in 2019 it was one of the largest breaches of consumer and small-business data on record. Credit card application data and other personally identifiable information were leaked. The technology involved was a web application firewall deployed in Amazon Web Services, the IAM permissions that gave it access to S3, and the Virtual Private Cloud. The attacker, Paige Thompson, a.k.a. "Erratic", was a former employee of a cloud hosting company, which is why the incident is often discussed as an insider-style threat; she knew how to run the commands needed to exfiltrate data.

Some of the lessons learned from this breach. First, proper configuration of security appliances: Capital One's web application firewall was deployed but not properly configured, and properly configuring security appliances is very important. Second, least privilege: when you roll out applications and grant privileges, it is important to grant only the privileges that are enough for the role to perform its job. This was not done at Capital One, because the identity the firewall ran under had access to S3 data it did not need. Third, server-side request forgery in the public cloud: the attacker exploited an SSRF vulnerability through the web application firewall, tricking the server into making requests on her behalf. It's important to prevent SSRF by restricting the URLs a server-side component is allowed to fetch, so that sensitive data cannot be exfiltrated that way. Fourth, there is a lesson in the importance of cloud-specific security.
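As an added example of the SSRF lesson above (this is not code from the course, from Capital One, or from AWS), here is a server-side fetch that passes the client's URL straight through, beside a hardened version that allow-lists schemes and hosts and then rejects anything whose resolved address is private, loopback, link-local, multicast or reserved. The host names, the allow-list and the resolver table are constructed so the example runs offline; a real service would resolve with socket.getaddrinfo and connect to the address it validated.

```python
"""SSRF guard for a server-side fetch: allow-list plus address-class checks.

Added example; not Capital One's, AWS's, or the course's code. All host names,
addresses and the allow-list below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Hypothetical allow-list: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example", "legacy.partner.example"}

# Constructed resolver table so the example runs offline. A real service would
# call socket.getaddrinfo() here and then connect to the address it validated.
FAKE_DNS = {
    "api.partner.example": "198.100.200.10",
    "cdn.partner.example": "104.20.30.40",
    # Allow-listed name that now points at an internal address (DNS rebinding
    # or a hijacked zone): the allow-list alone does not catch this.
    "legacy.partner.example": "10.0.0.5",
    "attacker.example": "127.0.0.1",
}


def resolve(host):
    """Stand-in for DNS resolution (constructed table, see above)."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise LookupError(f"cannot resolve {host!r}") from None


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_global and not addr.is_private and not addr.is_loopback
            and not addr.is_link_local and not addr.is_multicast
            and not addr.is_reserved)


def vulnerable_fetch_target(url):
    """'Before': the server fetches whatever host the client names (SSRF)."""
    return urlsplit(url).hostname


def hardened_fetch_target(url):
    """'After': return (True, ip) if url may be fetched, else (False, reason).

    Checks, in order: scheme, no embedded credentials (user@host tricks),
    host on the allow-list, and the *resolved* address being public.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    try:
        ip = resolve(host)
    except LookupError as exc:
        return False, str(exc)
    if not is_public_address(ip):
        return False, f"{host} resolves to non-public address {ip}"
    return True, ip


if __name__ == "__main__":
    for url in ("https://api.partner.example/v1/report",
                "http://api.partner.example/v1/report",
                "https://api.partner.example@attacker.example/",
                "https://legacy.partner.example/",
                "https://[::1]/"):
        print(f"{url:48} vulnerable->{str(vulnerable_fetch_target(url)):20} "
              f"hardened->{hardened_fetch_target(url)}")
```

Two details matter in practice: connect to the address you validated rather than letting the HTTP library resolve the name a second time (otherwise a rebinding attacker wins the race), and do not follow redirects automatically, since every hop needs the same validation.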
Even though when you use a cloud provider you rely on Amazon's (or whichever provider's) security, the customer must understand that it is responsible for part of its own security under the shared responsibility model; you can't just rely on the cloud provider to provide all of it. Fifth, the importance of log monitoring: Capital One learned that it is important to keep the right logs, monitor them, and have alerts that communicate when there is a breach or abnormal activity on the network. Lastly, there is a lesson in the value of a responsible disclosure process. The attacker was found because she published her activities on social sites (GitHub, Twitter, and Meetup), and through the responsible disclosure program that Capital One had, someone notified Capital One of that activity; that's how this breach was discovered.

Applying the NIST Cybersecurity Framework to this financial use case. NIST is the National Institute of Standards and Technology, and its Cybersecurity Framework has five core functions: identify, protect, detect, respond, and recover. How do we apply the lessons learned? Lesson 1, proper configuration of security appliances, fits in the protect function: making sure the appliance has the proper configuration, because here it was misconfigured. Lesson 2, the principle of least privilege, is an access-control measure and so belongs primarily to the protect function; the detect function then covers noticing when an identity logs in or accesses areas outside its normal scope, so that somebody is notified, for example through an intrusion detection system (IDS).
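An added example (not the course's or Capital One's code) of the log monitoring point and the detect function just described: a small detector run over constructed CloudTrail-style S3 access records. It alerts when an identity reads a bucket outside its learned baseline, when it enumerates buckets, and when it touches more distinct buckets in a short window than it ever should. The identity names, bucket names, baseline, thresholds and timestamps are all hypothetical.

```python
"""Detection over S3 access records: baseline drift, enumeration, bulk reads.

Added example; not Capital One's or the course's code. The events, identities,
buckets and baseline are constructed and hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CloudTrail-style records: (time, calling identity, API call, bucket).
RAW_EVENTS = [
    ("2019-03-22T10:00:00", "waf-role", "GetObject", "waf-config"),
    ("2019-03-22T10:01:00", "waf-role", "ListBuckets", None),
    ("2019-03-22T10:02:00", "waf-role", "GetObject", "cust-apps-1"),
    ("2019-03-22T10:02:30", "waf-role", "GetObject", "cust-apps-2"),
    ("2019-03-22T10:03:00", "waf-role", "GetObject", "cust-apps-3"),
    ("2019-03-22T10:03:30", "waf-role", "GetObject", "cust-apps-4"),
    ("2019-03-22T10:15:00", "billing-role", "GetObject", "invoices"),
]

# Hypothetical baseline learned from an earlier quiet period: which buckets
# each identity normally reads. A least-privilege policy would encode the same
# sets as permissions; the detector catches what the policy failed to block.
BASELINE = {"waf-role": {"waf-config"}, "billing-role": {"invoices"}}
# Identities that are expected to enumerate buckets at all (none here).
EXPECTED_ENUMERATORS = frozenset()


def parse_events(raw):
    """Turn the raw tuples into dicts with parsed timestamps."""
    return [{"time": datetime.fromisoformat(t), "identity": i, "event": e, "bucket": b}
            for t, i, e, b in raw]


def detect(events, baseline, enumerators=EXPECTED_ENUMERATORS,
           max_buckets=3, window=timedelta(minutes=10)):
    """Return (rule, identity, detail) alerts in time order."""
    alerts = []
    recent = defaultdict(deque)   # identity -> (time, bucket) seen within window
    bulk_alerted = set()          # alert once per identity per run
    for ev in sorted(events, key=lambda e: e["time"]):
        ident, t, bucket = ev["identity"], ev["time"], ev["bucket"]
        # Rule 1: listing buckets is reconnaissance unless the identity is meant to do it.
        if ev["event"] == "ListBuckets" and ident not in enumerators:
            alerts.append(("enumeration", ident, "ListBuckets by non-inventory identity"))
        if bucket is None:
            continue
        # Rule 2: a read of a bucket outside the identity's baseline.
        if bucket not in baseline.get(ident, set()):
            alerts.append(("outside_baseline", ident, bucket))
        # Rule 3: too many distinct buckets inside the sliding window.
        q = recent[ident]
        q.append((t, bucket))
        while q and t - q[0][0] > window:
            q.popleft()
        distinct = {b for _, b in q}
        if len(distinct) > max_buckets and ident not in bulk_alerted:
            bulk_alerted.add(ident)
            alerts.append(("bulk_access", ident,
                           f"{len(distinct)} distinct buckets within {window}"))
    return alerts


if __name__ == "__main__":
    for rule, ident, detail in detect(parse_events(RAW_EVENTS), BASELINE):
        print(f"ALERT {rule:17} {ident:13} {detail}")
```

On the constructed data the detector raises six alerts, all for the firewall's identity: one for the ListBuckets call, four for reads outside its baseline, and one for reading four distinct buckets inside ten minutes. The billing identity, which stays inside its baseline, raises none. The point of keeping three independent rules is that each fails differently: a baseline is only as good as the period it was learned from, while the window rule needs no baseline at all.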
Lesson 3, server-side request forgery in the public cloud, maps to identify: having the ability to know where server-side requests can be forged in your public cloud deployment, so that the exposure is identified early on. Lesson 4, the importance of cloud-specific security: again, you can't just rely on the service provider to give you all the security; you must add your own protection, for example protection specific to your cloud profile. Lesson 5, the importance of log monitoring, is part of the detect function, with technology that alerts or notifies when there is suspicious activity. Lastly, having a disclosure process is part of respond: being able to watch public sites and have bounty hunters or other communities alert you to activity feeds your incident response.

Lastly, let's look at a use case in the healthcare industry. In 2019 the American Medical Collection Agency (AMCA) had a data breach in which about 25 million patient records were exfiltrated. AMCA was a third-party vendor, and an unauthorized party accessed the data of the partners it worked with. It impacted Quest Diagnostics, LabCorp, CareCentrix, and Sunrise Laboratories, through their networks, databases, biotechnology systems, and Internet applications; it has been characterized as a ransomware attack. This was a HIPAA breach. In fact, seven million individuals were notified that this hack had happened, and the expenses for it were about $3.8 million. It also rose to the level of two US senators, and the attorneys general of Illinois and Michigan, launching investigations. Lawsuits were filed against the healthcare providers because of this breach. It was a very serious breach in 2019.
Some of the lessons learned from this breach. First, companies can be held liable for their suppliers' data breaches. It's well known that suppliers holding sensitive data create liability, so a vendor management program is very important when you work with partners. Second, businesses need to continually monitor their IT operations for suspicious activity. A breach like this is typically carried out covertly, and if AMCA had continually monitored for signs of unusual activity it would have found it sooner: it took seven months for this breach to be found. Third, companies must notify the victims of a breach in a timely manner. The HIPAA Breach Notification Rule requires that affected individuals be notified without unreasonable delay, and no later than 60 days after discovery, and this applies in all 50 states. This was poorly handled: the company first said that no personal data had been taken, then came back and found that some data had been exfiltrated. Again, this is one reason there were lawsuits over this breach. Fourth, data breaches often lead to loss of business or worse, so having cyber insurance is very important. Missing out on future business opportunities: in this case the entity ended up filing for bankruptcy, and businesses often go out of business after a breach. Fifth, build up and protect customer trust in advance, because in a data breach you can lose customers. It's important to have these in place before a breach occurs.

Let's look at how we apply a framework to the healthcare use case. In this case we'll use ITIL, the Information Technology Infrastructure Library. It has several service lifecycle stages: service strategy, service design, service transition, service operation, and continual service improvement.
Using the lessons learned from the AMCA (American Medical Collection Agency) breach: lesson 1 is that a company can be held liable for its suppliers' data breaches. This belongs in service design, where you want to make sure proper due diligence is done when reviewing service providers. Lesson 2 is that businesses need to continually monitor IT operations for suspicious activity. In service operation, make sure you incorporate the necessary appliances or technology controls for monitoring suspicious activity. Lesson 3 is that companies must notify the victims of a breach in a timely manner. In service transition, it is important to notify your customers, clients, and stakeholders of any breach or other negative activity on their accounts. Lesson 4, cyber insurance: data breaches are costly and can end in a bankruptcy filing, so part of service strategy is making sure you have things like cyber insurance. Lastly, building and protecting customer trust in advance is continual service improvement: constantly looking at ways to improve and to build trust with your clients and customers. This concludes this portion of the course. Thank you. We'll see you in the next course.