Cybersecurity: Practical Considerations for Small Firms
Wednesday, November 9, 2:15 p.m. – 3:15 p.m.

As more small firms use online services and applications, the risk of becoming a target of cybercriminals increases. This session provides an overview of the latest cybersecurity threats that small firms face, and provides preventative measures that compliance officers and financial advisers can take to protect their practice. Join industry panelists and FINRA staff as they share effective practices to protect your firm’s data. Panelists discuss real-life examples of cyber breaches and lessons learned from the breach.

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office
Panelists:
• Allan Goldstein, Chief Financial Officer, Chief Operations Officer and Chief Compliance Officer, Trade Informatics LLC
• Basil Joseph, Chief Financial Officer and Chief Compliance Officer, Van Clemens & Company, Inc.
• Lisa Roth, President, Tessera Capital Partners, LLC

© 2016 Financial Industry Regulatory Authority, Inc. All rights reserved.

Panelist Bios

Moderator: Dave Kelley is the Surveillance Director based out of the FINRA Kansas City District office, and has been with FINRA for more than five years. Mr. Kelley also leads FINRA’s Regulatory Specialist team for Cyber Security, IT Controls and Privacy. Prior to joining FINRA, he worked for more than 19 years at American Century Investments in various positions, including Chief Privacy Officer, Director of IT Audit and Director of Electronic Commerce Controls. He led the development of website controls, including customer application security, ethical hacking programs and application controls. Mr. Kelley is a Certified Public Accountant and Certified Internal Auditor, and previously held the Series 7 and 24 licenses.

Panelists:

Allan Goldstein has been the CFO, COO and CCO of Trade Informatics since 2007, and is responsible for all compliance and regulatory matters as well as day-to-day operational and financial management of the firm. Mr. Goldstein has worked in the securities industry since 1985, when he began as a Specialist Trading Assistant on the NYSE trading floor. He later operated as an independent floor broker at the NYSE, serving as CCO, CFO and FINOP with the floor-based “Direct Access” institutional brokerage Safir Securities. Mr. Goldstein has additional experience as an Institutional Sales Trader in global equities and fixed income with Friemark Blair & Co., as Chief Compliance Officer at Bear Hunter Structured Products, and as Compliance Officer at Bear Wagner Specialists, as part of a team designing its electronic market making business on the Archipelago Exchange. Mr. Goldstein has served on FINRA’s District Committee and Regulatory Advisory Committee and currently serves on the SFAB. He earned his bachelor’s degree and MBA in Finance and Statistics from the Stern School of Business at New York University.

Basil Joseph is the Chief Financial Officer and Chief Compliance Officer of Van Clemens & Company, Inc. With over 29 years of securities industry experience, working mostly at small firms, Mr. Joseph has acquired a broad-based knowledge of all aspects of brokerage management and operations. Since 2013 Mr. Joseph has been a member of FINRA’s Technology Advisory Committee, and he is a registered FINRA arbitrator. Mr. Joseph has a B.A. in communications from the University of Minnesota.

Lisa Roth serves as the President, AML Compliance Officer and Chief Information Security Officer of Tessera Capital Partners. Tessera is a limited purpose broker dealer offering new business development, financial intermediary relations, client services and marketing support to investment managers and financial services firms. Ms. Roth holds FINRA Series 7, 24, 53, 4, 65 and 99 licenses. Previously, Ms. Roth served in various executive capacities with Keystone Capital Corporation, Royal Alliance Associates, First Affiliated (now Allied) Securities, and other brokerage and advisory firms. Ms. Roth serves on FINRA’s Membership Committee, is a member of the Board of the Third Party Marketer’s Association, and serves on FINRA’s Series 14 Item Writing Committee. Ms. Roth was unanimously selected by her peers to serve as the Chairman of FINRA’s Small Firm Advisory Board for one of a total of four years of service on the Board from 2008-2012. Ms. Roth has also served as a member of the PCAOB Standing Advisory Group, and is an active participant in other industry forums, including speaking engagements and trade associations. Ms. Roth is also the president of Monahan & Roth, LLC, a professional consulting firm offering consulting, expert witness and mediation services on financial and investment services topics including regulatory compliance, product due diligence, suitability, supervision, information security and related topics. Previously, Ms. Roth founded ComplianceMAX Financial Corp. (purchased by NRS in 2007), a regulatory compliance company offering technology and consulting services to more than 1000 broker-dealers and investment advisers. Ms. Roth’s leadership at CMAX led to the development of revolutionary audit and compliance workflow technologies now in use by some of the US’s largest (and smallest) broker-dealers, investment advisors and other financial services companies. Ms. Roth has been engaged as an expert witness on more than 150 occasions, including FINRA, JAMS and AAA arbitrations, and Superior Court and other litigations, providing research, analysis, expert reports, damages calculations and/or testimony at deposition, hearing and trial. As a member of the FINRA Board of arbitrators, Ms. Roth has been named to more than 20 panels as a hearing officer. Ms. Roth resides in CA, but is a native of Pennsylvania, where she attained a Bachelor of Arts degree and was awarded the History Prize from Moravian College in Bethlehem, PA. Outside the workplace, Ms. Roth competes in rowing events as a member of the San Diego Rowing Club.

Small Firm Conference, November 9-10, 2016, Phoenix, AZ
Cybersecurity: Practical Considerations for Small Firms
FINRA Small Firm Conference © 2016 FINRA. All rights reserved.

Issues and Solutions for Small Firms

Meeting Regulatory Expectations for BDs
• Rules impacting cyber security
• Exam results related to cyber security

Issues Impacting Small Firms
• Achieving conformity with peer companies
• Addressing client concerns and expectations

Solutions for Small Firms
• Practical guidance
• Resources and tools

Polling Question #1
Has your firm experienced a cyber related incident in the past year?
A. Yes – Phishing
B. Yes – 3rd Party Wire
C. Yes – Other Issue
D. Multiple Incidents
E. No
Recent Cybersecurity Issues
• Hackers target smaller firms because their cybersecurity controls are not as strong
• Payoff ($$$) can be big (identity theft, fraudulent transactions, etc.)
• Greater reputational risk for smaller firms in a competitive environment
• The number of attacks is on the rise (estimated 2016 > 2015)
• The sophistication of attacks, and the number of tools available, is increasing

Cybersecurity Issues – Phishing Email

Cybersecurity Issues – Ransomware

Cybersecurity Issues – DDOS Attack
Extortion email reproduced on the slide:

From: DD4BC Team <dd4bc@openmailbox.org>
Date: 06/26/2015 10:01 PM
To:
Subject: DDOS ATTACK !

You are ignoring us. You probably believe that after some time we will give up. But we never give up. Maybe you believe that if you pay us once, we will be back? But we never attack the same target twice. Please note that there are 2 options:
- You pay us, you never hear from us again.
- You don't pay, your services go offline for a long time. Until you pay more.
Is it worth it? We will give you more time and because it's weekend, we will wait until the end of Monday. By the end of Monday (GMT), if not paid, attack will start. Understand that this is your last chance.

Applicable Rules and Regulations
• Regulation S-P (requires written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access)
• Regulation S-ID (outlines a firm’s duties regarding the detection, prevention and mitigation of ID theft)
• FINRA Rule 3110 (requires firms to implement effective oversight)

Exam Priorities and Exam Results
2016 Exam Priorities Letter: FINRA remains focused on firms’ cyber security preparedness given the persistence of threats and the perceived need to enhance cybersecurity – www.finra.org/industry/2016-regulatory-and-examination-priorities-letter
FINRA Exam Results: Risk Identification, Branch Controls, Governance, Training, Vendor Management, Technical Controls, etc.

Polling Question #2
Has your firm formally identified the key cybersecurity risks that could affect your firm?
A. Yes, we have related risks
B. Yes, we have no cyber-related risks
C. Unsure / Not sure where to start

Issues Impacting Small Firms

Protecting BD assets
• Phishing and other scams, including Ransomware
• Wire fraud
• Distributed Denial of Service (DDOS) Attacks

Compliance Issues
• 2008: $275,000 fine related to password policies
• 2009: $175,000 fine related to a phishing scam
• 2009: $100,000 fine related to anti-virus installation and controls
• 2015: $225,000 fine for failure to encrypt a laptop

SOLUTIONS
Firms should establish Information Security GOVERNANCE frameworks that support informed decision-making and escalation at appropriate levels within the organization. This would include:
• Active senior management and, as appropriate, board level oversight of cyber security
• Articulated risk appetite that guides firm decision-making with respect to the acceptance, mitigation, avoidance or transfer of risks
• Defined accountabilities, structures, policies and procedures to support decision-making based on risk appetite and industry effective practices
• Use of appropriate metrics and thresholds

Polling Question #3
Where is your cybersecurity program today?
A. Robust and up to date
B. Have a program, but it could be better
C. Currently working on it
D. Do not have a program

SOLUTIONS
Firms should conduct regular RISK ASSESSMENTS to identify vulnerabilities and prioritize risk remediation activities. As defined by the International Organization for Standardization (ISO), risk assessment is a systematic approach to estimating the magnitude of risks (risk analysis) and comparing risk to risk criteria (risk evaluation). It is an ongoing process, not a single point-in-time review.
Scope of a risk assessment would include:
– Critical asset inventory and vulnerability assessment of these assets
– Threat & Risk evaluation (external & internal) and prioritization
– Vendors and their Affiliates

SOLUTIONS
Firms should provide CYBERSECURITY TRAINING to their staff and provide additional training based on staff’s role. Appropriate types of training are driven by:
– Firm’s experience with cyber security incidents, such as loss incidents
– Risk assessment
– Awareness and intelligence about threats the firm may face
– Phishing training
– Password tips
– Annual compliance meeting and periodic email alerts

SOLUTIONS
Firms should implement VENDOR MANAGEMENT policies and procedures. Vendor management should cover the lifecycle of the relationship, from initiation through termination, and should be risk-based, i.e., there is greater due diligence and oversight on vendors who have access to sensitive data or processes.
• Initial and ongoing due diligence, including vendor systems
• Incorporation of appropriate contractual requirements
Top 6 vendors to review:
• Clearing firm
• Cloud/Document storage
• After Hours Access
• Email archive
• Bookkeeper/accounting
• Consultants

SOLUTIONS
Firms should develop, implement and test TECHNICAL CONTROLS, including incident response plans covering containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
• Encrypting sensitive information at rest and in transit: includes hardware, portable devices, USBs, email, data transfers
• Smart spam filters
• Robust firewall and virus protection
• Operating system patches and upgrades

SOLUTIONS
Firms should address measures for DATA LOSS PREVENTION, such as limiting access to authorized users, processes, or devices, and to authorized activities and transactions.
• Managed identities and credentials for authorized devices and users
• Ransomware prevention: back up and replication program
• Physical, technical and remote access strategies, including password rules
• Testing: Vulnerability and PEN testing

Supplemental Guidance
• FINRA Report on Cybersecurity: www.finra.org/file/reportcybersecurity-practices
• FINRA Small Firm Cybersecurity Checklist: www.finra.org/industry/cybersecurity
• NIST: www.nist.gov/cyberframework/index.cfm
• SIFMA Cybersecurity Resource Center: www.sifma.org/issues/operations-and-technology/cybersecurity/overview/
• SANS 20 Critical Security Controls: www.sans.org/critical-security-controls
[Firm Name] Cyber Security Policies and Procedures
November, 2016
Monahan & Roth, LLC Template, November 1, 2016

CONTENTS
OVERVIEW
AUDIT TRAIL
ACCESS MANAGEMENT
END-USER: MOBILE DEVICE AND APPLICATION SECURITY
COLLABORATION SITES AND END-USER DATA STORAGE
SECURITY RISK ASSESSMENT
OR (FOR FINANCIAL SERVICES FIRMS REGISTERED IN NY)
EMPLOYEE SECURITY AWARENESS TRAINING
VENDOR SELECTION AND MANAGEMENT
TECHNOLOGY ASSET INVENTORY, CLASSIFICATION AND TRACKING
TECHNOLOGY END-OF-LIFE PROCESS
EMPLOYEE TERMINATION
DISASTER RECOVERY AND BACKUP TESTING
CYBER SECURITY INSURANCE
CYBER SECURITY BREACH FRAMEWORK
REGULATORY REPORTING REQUIREMENT(S)

Overview

[Firm Name] has implemented this program, designed to promote the protection of customer information as well as its information technology systems, which include any discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.

At a high level, the goal of this program is to:
(1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on [Firm Name]’s Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
(2) use defensive infrastructure and the implementation of policies and procedures to protect [Firm Name]’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
(3) detect Cyber security incidents;
(4) respond to identified or detected Cyber security incidents to mitigate any negative effects;
(5) recover from Cyber security incidents and restore normal operations and services; and
(6) fulfill all regulatory reporting obligations.

[Name] has been designated as the Chief Information Security Officer (“CISO”) and has primary oversight, maintenance, and execution of this Technology and Information Security Program (the “Program”). The CISO is authorized to delegate physical, technical, and administrative components of this program to qualified third parties as and whenever appropriate. If [Firm Name] elects to delegate CISO responsibility to a third party it must:
• Retain ultimate responsibility for implementation of the program
• Designate a senior member to supervise the [assigned party], and
• Require the [assigned party] to maintain a cyber security program that substantially complies with relevant rules and regulations.

The [Firm Name] [TITLE] bears overall responsibility for Business Continuity Plan (“BCP”) / Disaster Recovery (“DR”) planning, information protection, and creating agile security processes and procedures. The CCO has identified the following core functions to guide the Program. These functions will be evaluated and updated by the CISO as indicated below to adjust to technological, business and/or operational changes at the firm that may have a material impact on the Program.

The CISO will also be responsible for preparing a report, at least bi-annually, that:
(1) assesses the confidentiality, integrity and availability of [Firm Name]’s Information Systems;
(2) details exceptions to [Firm Name]’s cyber security policies and procedures;
(3) identifies cyber risks to [Firm Name];
(4) assesses the effectiveness of [Firm Name]’s cyber security program;
(5) proposes steps to remediate any inadequacies identified therein; and
(6) includes a summary of all material Cyber security incidents that affected [Firm Name] during the time period addressed by the report.
The CISO shall present the report to [Firm Name’s] senior management or board of directors as applicable.

Function                                                              Designated Person
Access management: password and technology access                     CISO
Access management: physical access                                    CISO
End-user: desktop, web, network and server security                   CISO
End-user: mobile devices and application security                     CISO
Collaboration sites and storage networks                              CISO
Security risk assessment                                              CISO
Cyber security testing and audit                                      CISO
Network vulnerability scan                                            CISO
Employee security awareness training                                  CISO
Vendor selection and maintenance                                      COO
Technology asset inventory                                            CISO
Technology end-of-life process                                        CISO
Employee termination                                                  COO
Disaster recovery and backup testing                                  COO
Cyber security insurance                                              CISO
Information Security Vendor and third party service provider management   CCO
Cyber incident response                                               CISO
Penetration testing                                                   CCO
CISO Report to Senior Management                                      CISO
Application security                                                  CISO

The table’s remaining columns record, for each function, the frequency of document review (periodically) and the frequency of execution (periodically, quarterly, annually or bi-annually).

Audit Trail

The CISO shall be responsible for implementing an audit trail that:
(1) tracks and maintains data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable [Firm Name] to detect and respond to a Cyber security incident;
(2) tracks and maintains data logging of all privileged Authorized User access to critical systems;
(3) protects the integrity of data stored and maintained as part of any audit trail from alteration or tampering;
(4) protects the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allow for event reconstruction;
(5) logs system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems; and
(6) maintains records produced as part of the audit trail for not fewer than six years.

Access Management

[Firm Name] has an approach to entitlement management that helps establish controls around access activities. The goal of this program is focused on the following:
• Protect remote, mobile, cloud and social access
• Provide transparency and up-to-date information on entitlements
• Provide centralized administration for permissions
• Ensure that employees have access only relevant to their job functions
• Protect against insider threats and unauthorized escalation of user privileges

Each employee’s profile will be managed in a central directory that will be used to create, delete and modify employee access data. The CCO is the primary owner of the central directory.
Authorization: [Firm Name] manages authorization information that defines what functions an employee can perform in the context of a specific application. The CCO maintains a record of the authorizations.

Passwords: For accessing any firm desktop or device, employees are required to use unique passwords with the following characteristics:
• Contains at least 8 characters
• Uses a combination of lower and uppercase letters
• Uses at least one number and one symbol
• Expires every 180 days (the reuse of any previous password is disallowed)
• After 10 failed login attempts within 15 minutes, the user account will be locked until released by the CISO or a [assigned party] administrator.

Each administrator will have a unique login account and password. Any [assigned party] employees (employees of a consultant or other party delegated responsibility for [Firm Name’s] program) will each, on an as-needed basis, have a unique login and password to access the firm’s password management list.

Physical access: [Firm Name] will secure the firm’s physical premises with locks and inventory keys issued to authorized persons on an ongoing basis.

End-user: desktop, web, network and server security

[Firm Name] has developed practices to protect the sensitivity of all information by implementing the following processes:
• Implement the use of password protection for all sensitive data, applications, and collaboration tools
• Reconcile the inventory of hardware, software and devices with [assigned party]
• Educate end-users on appropriate use of desktops and web browsing for business purposes
• Track and log USB portable flash drive uses that access the firm’s desktop to detect any unauthorized use
• Maintain a white-list of approved desktop applications and a blacklist policy for websites (i.e. adult content, social media, gambling, etc.)

Working closely with the CISO, [assigned party] will proactively manage the following items:
• Maintain inventory of hardware, software and devices
• Closely monitor application and systems log activity (i.e. control the execution of code with an application white-listing policy)
• Deploy critical operating system security patches within 48 hours of release
• Non-critical patches are delivered monthly
• Implement appropriate protections for electronic systems, including anti-virus software and firewalls
• Anti-virus software is set to auto-update and firewalls are updated at least quarterly by [assigned party]

To combat social engineering, the [assigned party] will do the following:
– Employ up-to-date anti-malware systems (continuously updated by auto-update plus quarterly reviews)
– Employ spam filters and other email gateways (continuously updated by auto-update and periodically reviewed by [assigned party])

(a) Multi-Factor Authentication. Each Covered Entity shall:
(1) require Multi-Factor Authentication for any individual accessing [Firm Name]’s internal systems or data from an external network;
(2) require Multi-Factor Authentication for privileged access to database servers that allow access to Nonpublic Information;
(3) require Risk-Based Authentication in order to access web applications that capture, display or interface with Nonpublic Information; and
(4) support Multi-Factor Authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.

End-user: mobile device and application security

Firm-owned devices include, but are not limited to, laptops, tablets, cellular phones, and smartphones. Personal devices may utilize mobile access as long as they are password-encrypted and firm-approved. At the time of hiring, and annually thereafter, [Firm Name] requests disclosure of all electronic devices, including the % business and personal use, for purposes of maintaining an up-to-date inventory. Employees are advised to report any lost, stolen, or compromised electronic device to the CISO or CCO immediately. The CISO or CCO will update the firm inventory and shut off inbound and outbound access to the device as necessary. Firm personnel will receive training on the secure use of mobile devices and removable media on an as-needed basis, including during the annual compliance meeting.

Collaboration sites and end-user data storage

The CISO will be primarily responsible for vetting any collaboration site and data storage, along with the CCO. Each site must have identified “data owners,” who manage, control, and review access. Only the firm-approved collaboration sites listed below will be utilized: [Name ANY RELEVANT CITATIONS]

Protecting firm data includes the proper use of collaboration sites and data storage sites.
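As an added illustration of the Passwords controls above (this is not part of the Monahan & Roth template), the following Python module enforces the complexity rule, the 180-day expiry, the prohibition on reusing any previous password, and the lock after 10 failed attempts within 15 minutes that only an administrator can release. The account name and timestamps in the comments are constructed, and PBKDF2 from the standard library stands in for whatever password hash the firm’s directory actually uses.

```python
import hashlib
import re
import secrets
from collections import deque

# Thresholds taken from the Passwords section of the template.
MIN_LENGTH = 8
EXPIRY_SECONDS = 180 * 24 * 3600       # expires every 180 days
MAX_FAILURES = 10                      # 10 failed logins ...
FAILURE_WINDOW_SECONDS = 15 * 60       # ... within 15 minutes -> account locked


def meets_complexity(password):
    """At least 8 characters, upper and lower case, one digit and one symbol."""
    checks = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= MIN_LENGTH and all(re.search(p, password) for p in checks)


def _digest(password, salt):
    # PBKDF2-SHA256 from the standard library stands in for the directory's own
    # password hash (assumption); the policy logic does not depend on the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """One directory entry enforcing complexity, expiry, no-reuse and lockout."""

    def __init__(self, username, password, now):
        self.username = username
        self.history = []            # (salt, digest) for every password ever set
        self.failures = deque()      # timestamps (seconds) of recent failed logins
        self.locked = False
        self.changed_at = now
        self.change_password(password, now)

    def _matches(self, password, salt, digest):
        return secrets.compare_digest(_digest(password, salt), digest)

    def change_password(self, new_password, now):
        if not meets_complexity(new_password):
            raise ValueError("password does not meet firm complexity rules")
        # Reuse of ANY previous password is disallowed, so check the full history.
        for salt, digest in self.history:
            if self._matches(new_password, salt, digest):
                raise ValueError("reuse of a previous password is disallowed")
        salt = secrets.token_bytes(16)
        self.history.append((salt, _digest(new_password, salt)))
        self.changed_at = now

    def is_expired(self, now):
        return now - self.changed_at >= EXPIRY_SECONDS

    def login(self, password, now):
        """Returns 'ok', 'expired', 'failed' or 'locked'."""
        if self.locked:
            return "locked"                     # only admin_unlock() clears this
        salt, digest = self.history[-1]
        if self._matches(password, salt, digest):
            self.failures.clear()
            return "expired" if self.is_expired(now) else "ok"
        # Record the failure, then drop failures older than the 15-minute window.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > FAILURE_WINDOW_SECONDS:
            self.failures.popleft()
        if len(self.failures) >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "failed"

    def admin_unlock(self):
        """Release by the CISO or an [assigned party] administrator."""
        self.locked = False
        self.failures.clear()
```

Timestamps are plain seconds so the module has no clock dependency; a directory integration would pass the current epoch time.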
The following are requirements for collaboration sites and storing data:

Desktop, laptop, remote desktop and tablets
• Ensure storage only in an approved, sandboxed or otherwise encrypted location instead of the desktop
• Save information to be shared to an access-controlled network location such as a network shared drive
• Store data and information with retention requirements in a records management repository
• Only use applications obtained through firm-approved channels

Mobile devices (smart phones and tablets)
• Only store data within firm-approved applications
• [Firm Name] intends to have remote-wipe capability for all employee devices

Records retention
• Certain types of data have retention periods
• All records, including digital records, should be stored in an approved records repository
• Collaboration sites are not approved repositories

Employees are responsible for preventing inappropriate use of or access to data by:
• Only accessing information needed for their job function
• Preparing, handling, using and releasing data appropriately
• Using correct storage locations
• Following appropriate use or restrictions of electronic communications, including but not limited to email, instant messaging, text, chat, audio/video conferencing and social media

Security risk assessment

The firm will use an independent [assigned party] to perform a comprehensive enterprise risk assessment. The [assigned party] will assess any potential or existing cyber-security threats to identify potential risks and business impacts. At the discretion of the CISO and CCO, the items under review may include, as relevant, the following:

Category: Subcategories
Network Security: Network Infrastructure; Firewalls; Network Diagram; Frequency of Documentation; Wireless
Data Security: Data Classification; Backup and Restoration; Encryption; Mobile Security; Disposal; Protection of Transmission
Access Control: Active Directory; Authentication; Network Access Control; Account/Password Management; Application Access
System Development: Systems Installation; Software Development; Maintenance and Patching; Decommissioning; Change Control Management
Protection: Antivirus software; Updates and patches; Web Filter and traffic
Testing and Monitoring: Server Monitoring; Network Monitoring; Penetration Testing; Vulnerability Testing; Alerting
Vendors: Vendor Assessment; Client Data
Employees: Termination / Role Transfer
Physical Premise Security: Data Center; Building Security and Staff; Building and Office Access; Server Room
Information Security Program: Info Security Policy
Cyber security Insurance: Coverage Review

OR (For Financial Services Firms registered in NY)

At least annually, each Covered Entity shall conduct a risk assessment of [Firm Name]’s Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing. The risk assessment shall minimally include:
(1) criteria for the evaluation and categorization of identified risks;
(2) criteria for the assessment of the confidentiality, integrity and availability of [Firm Name]’s Information Systems, including the adequacy of existing controls in the context of identified risks; and
(3) requirements for documentation describing how identified risks will be mitigated or accepted based on the risk assessment, justifying such decisions in light of the risk assessment findings, and assigning accountability for the identified risks.

Employee security awareness training

To assist firm employees in understanding their obligations regarding sensitive firm information, the CISO will provide each employee with a copy of this Program upon commencement of employment and whenever changes are made. In addition, the CISO and/or CCO will implement programs to perform training functions on an as-needed basis. At the discretion of the CCO and CISO, employee security awareness training may include any of the following:
• Instruct employees to take basic steps to maintain the security, confidentiality and integrity of client and investor information, including:
– Secure all files, notes, and correspondence
– Change passwords periodically and do not post passwords near computers
– Avoid the use of speaker phones and discourage discussions in public areas
– Recognize any fraudulent attempts to obtain client or investor information and report them to appropriate management personnel
– Access firm, client, or investor information on removable and mobile devices with care and on an as-needed basis using firm protocols (passwords, etc.)
• Instruct employees to close out of files that hold protected client and investor information, investments, investment strategies, and other confidential information when they are not at their desks • Educate employees about the types of cyber security attacks and appropriate responses Vendor selection and management For vendors interacting with [Firm Name] systems, network and data, the firm will perform the following activities to protect sensitive information: • Assess vendors before working with them including a cyber-security risk assessment • Review third-party vendor contract language to establish each party’s responsibility with respect to cyber-security procedures • Segregate sensitive firm systems from third-party vendor access and monitor remote maintenance performed by third-party contractors Page 10 of 16 Monahan & Roth, LLC Template November 1, 2016 [Firm Name] • • • • • • Cyber Security Policies the use of Multi-Factor Authentication as set forth herein to limit access to sensitive systems and Nonpublic Information; the use of encryption to protect all Nonpublic Information in transit and at rest; prompt notice to be provided to [Firm Name] in the event of a Cyber security incident affecting the third party service provider; identity protection services to be provided for any customers materially impacted by a cyber security incident that results from the third party service provider’s negligence or willful misconduct; representations and warranties from the third party service provider that the service or product provided to [Firm Name] is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of [Firm Name]’s Information Systems or Nonpublic Information; and the right of [Firm Name] or its agents to perform cyber security audits of the third party service provider. 
Technology asset inventory, classification and tracking

[Firm Name] has a process in place to identify, classify, and track all technology assets (“assets”):
• To ensure accurate classification and tracking, [Firm Name] will procure/vet all assets through [assigned party]
• [Firm Name] will maintain an inventory of all assets as well as an identified owner for each
• [Firm Name] will cross-reference the list of internal assets with [assigned party]
• The asset identification and classification process will be scalable to accommodate growth and acquisition
• [Firm Name] will track assets and their attributes throughout their lifecycle
• Automated processes will be used periodically to perform discovery of unknown assets
• [Firm Name] will create a map of network resources, including data flows, internal connections and external connections

[Firm Name] will establish and enforce a process of assessing and classifying assets based on their sensitivity to attack and business value. [assigned party] will auto-alert [Firm Name] if a new device is discovered on the network.

[Firm Name] shall encrypt all Nonpublic Information it holds or transmits, both in transit and at rest.

Technology end-of-life process

[Firm Name] has developed and will follow processes for securely disposing of assets once they are no longer being used by the firm or have reached the end of their usable life (the “end-of-life process”). Working closely with the CISO, [assigned party] will closely monitor the firm’s hardware and recommend a refresh every 3-5 years for each individual piece of hardware. A certified end-of-life management vendor (“EMV”) will properly recycle any old hardware.

Notification: The end-of-life process will notify all necessary and relevant parties to initiate a coordinated execution:
• CISO
• Asset owner
• End user(s)
• Relevant vendor(s)

Hard Drives: Any decommissioned hard drive will be securely stored for a minimum of 6 years from the decommission date. When disposing of the hard drive, the EMV will do the following:
• Erase all data on the drive
• Physically destroy the hard drive
• Produce documentation of proper disposal

Employee termination

The firm is dedicated to protecting the network and proprietary data at risk upon termination of employees. To prevent former employees from leaking information, [Firm Name] has adopted an approach to access controls and entitlement management. Please refer to the [assigned party] checklist for employee on/off-boarding. [Firm Name] will maintain this list as new applications, drives, systems, and vendors are incorporated. The following items will be monitored:
• Network access
• Desktop access
• Mobile device access
• Internal and external applications
• Vendors, such as prime brokers, executing brokers, etc.

Disaster recovery and backup testing

Please see [Firm Name]’s Business Continuity Procedures / Disaster Recovery Plan (“BCP”) for detailed documentation. Any changes can be represented in that BCP / DR plan. The CCO, in connection with the CISO, will update the firm’s BCP on an as-needed basis to ensure that it is consistent with the Program.

Cyber security insurance

On an annual basis the CISO will review the firm’s insurance coverage related to cyber security threats and make a determination as to its adequacy in conjunction with the CCO and COO.
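The asset inventory and end-of-life sections above call for an owner-tagged inventory, periodic discovery of unknown devices with an auto-alert, and a 3-5 year hardware refresh. The following Python script is an added example (not part of the Monahan & Roth template) that reconciles a constructed inventory against a constructed discovery scan; the MAC-keyed CSV layout, its field names, the scan tuple shape and the REFRESH_YEARS value are assumptions.

```python
"""Reconcile a firm's technology asset inventory with a network discovery scan.

Added example, not from the template. Assumed: assets are keyed by MAC address,
the inventory CSV carries owner, classification and purchase date, and the
discovery scan yields (mac, ip, hostname) tuples. All data below is constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: every asset has an identified owner,
# a sensitivity classification and a lifecycle (purchase) date.
INVENTORY_CSV = """\
mac,hostname,owner,classification,purchased
aa:bb:cc:00:00:01,ops-ws-01,IT admin,sensitive,2011-03-15
aa:bb:cc:00:00:02,adv-laptop-07,Adviser 1,sensitive,2014-09-01
aa:bb:cc:00:00:03,lobby-printer,Facilities,low,2015-06-30
"""

# Constructed discovery scan result (e.g. from a periodic ARP/DHCP sweep).
# The last entry has no inventory record and should raise an alert.
DISCOVERED = [
    ("aa:bb:cc:00:00:01", "10.0.1.10", "ops-ws-01"),
    ("aa:bb:cc:00:00:03", "10.0.1.50", "lobby-printer"),
    ("AA:BB:CC:00:00:99", "10.0.1.77", "unknown-android"),
]

REFRESH_YEARS = 5                    # assumed: top of the template's 3-5 year window
REPORT_DATE = date(2016, 11, 1)      # constructed reference date for the report


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str
    classification: str
    purchased: date


def load_inventory(text: str) -> dict:
    """Parse the inventory CSV into a dict keyed by lower-cased MAC address."""
    assets = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = row["mac"].strip().lower()
        assets[mac] = Asset(mac, row["hostname"], row["owner"],
                            row["classification"],
                            date.fromisoformat(row["purchased"]))
    return assets


def find_unknown_devices(inventory: dict, discovered: list) -> list:
    """Devices seen on the network with no inventory record (the auto-alert case)."""
    return [d for d in discovered if d[0].lower() not in inventory]


def find_missing_devices(inventory: dict, discovered: list) -> list:
    """Inventoried assets that did not answer the scan; flagged for follow-up."""
    seen = {d[0].lower() for d in discovered}
    return sorted(mac for mac in inventory if mac not in seen)


def refresh_candidates(inventory: dict, today: date,
                       years: int = REFRESH_YEARS) -> list:
    """Assets past the refresh window, to hand to the end-of-life process."""
    return sorted(a.mac for a in inventory.values()
                  if (today - a.purchased).days >= years * 365)


def reconcile(inventory_csv: str, discovered: list, today: date) -> dict:
    """Run all three checks and return them as one report dict."""
    inventory = load_inventory(inventory_csv)
    return {
        "unknown": find_unknown_devices(inventory, discovered),
        "missing": find_missing_devices(inventory, discovered),
        "refresh": refresh_candidates(inventory, today),
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY_CSV, DISCOVERED, REPORT_DATE)
    for mac, ip, name in report["unknown"]:
        print(f"ALERT: new device on network: {name} {ip} {mac}")
    for mac in report["missing"]:
        print(f"inventoried asset not seen in scan: {mac}")
    for mac in report["refresh"]:
        print(f"past {REFRESH_YEARS}-year refresh window: {mac}")
```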
It is anticipated that cyber security insurance will not be obtained unless or until the firm’s risk profile substantially increases, because currently the majority of sensitive client data is retained by competent third party vendors, primarily including its clearing firm.

Cyber security breach framework

The firm has implemented a framework to identify, prepare for, prevent, detect, respond to, and recover from cyber security incidents, meaning any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. In the event of a cyber security incident, the firm’s information technology personnel (or anyone detecting the incident) will immediately notify the CISO (or qualified designee), who will work with appropriate personnel to:
• Assess the nature and scope of any such incident and maintain a written record of the systems and information involved
• Take appropriate steps to contain and control the incident to prevent further unauthorized access, disclosure or use, and maintain a written record of steps taken
• Promptly conduct a reasonable investigation, determine the likelihood that personal information has been or will be misused, and maintain a written record of such determination
• Discuss the issue with outside counsel (or a qualified resource) and make a determination regarding disclosing the issue to regulatory authorities, law enforcement and/or individuals whose information may have been affected
• Evaluate the need for changes to the firm’s policies and procedures in light of the breach

The firm will work with outside resource(s) and/or counsel as necessary to determine appropriate next steps, including addressing any weaknesses identified in the process. A record of the response to the incident shall be retained among the firm’s central records.

Regulatory reporting requirement(s)

(For entities registered to do business in NY and not otherwise exempt.)

[Firm Name] shall submit to the superintendent of the state of New York, Department of Financial Services (“DFS”), a written statement by January 15, in such form as set forth by the DFS, certifying that [Firm Name] is in compliance with the requirements specifically identified by DFS. [Firm Name] shall maintain for examination by the DFS all records, schedules and data supporting this certificate for a period of five years.
(1) To the extent [Firm Name] has identified areas, systems, or processes that require material improvement, updating or redesign, [Firm Name] shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by DFS.
(2) To the extent that [Firm Name] has identified any material risk of imminent harm relating to its cyber security program, [Firm Name] shall notify the superintendent within 72 hours and include such items in its annual report filed pursuant to this section.

[Firm Name]
January 15, 20__

Certification of Compliance with New York State Department of Financial Services Cyber security Regulations

The Board of Directors or a Senior Officer(s) of [Firm Name] certifies:
(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;
(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cyber security Program of [Firm Name] as of [Date] complies with the rules and regulations of the state of New York.
By: ______________________   Printed Name: ______________________   Title: ______________________   Date: ______________________

Third-Party Vendor Contracts – Sample Language

Confidential Information. As used in this Agreement, "Confidential Information" means information not generally known to the public, and maintained by [Company Name] as confidential, whether of a technical, business or other nature that relates to the engagement or that, although not related to such engagement, is nevertheless disclosed as a result of the Parties' discussions in that regard, and that should reasonably have been understood by the [Service Provider], because of (i) legends or other markings, (ii) the circumstances of disclosure or (iii) the nature of the information itself, to be proprietary and confidential to [Company Name]. Confidential Information includes “nonpublic personal information” about the “customers” and “consumers” (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of [Company Name]. Confidential Information may be disclosed in written or other tangible form (including information in computer software or held in electronic storage media) or by oral, visual or other means. For purposes of this Agreement, "[Company Name]" includes employees and controlled affiliates of [Company Name] who disclose Confidential Information to the [Service Provider], and Confidential Information includes information disclosed by such affiliates.

Use of Confidential Information. The [Service Provider], except as expressly provided in this Agreement, shall not disclose [Company Name]'s Confidential Information to anyone without [Company Name]'s prior written consent. The [Service Provider] shall take all steps necessary to safeguard and protect such Confidential Information from unauthorized access, use or disclosure by or to others, including but not limited to, maintaining appropriate security measures and providing access on an as-needed basis only. The Parties will treat Confidential Information using the same degree of care used to protect its own confidential or proprietary information of like importance, but in any case using no less than a reasonable degree of care. The [Service Provider] shall not reverse-engineer, decompile, or disassemble any hardware or software provided or disclosed to it and shall not remove, overprint or deface any notice of copyright, trademark, logo, legend or other notice of ownership from any originals or copies of Confidential Information it obtains from [Company Name]. The [Service Provider] shall not use Confidential Information for any purpose other than with respect to [the Project].

Exceptions. The provisions of the “Use of Confidential Information” Section above shall not apply to any information that (i) is or becomes publicly available without breach of this Agreement; (ii) can be shown by documentation to have been known to the [Service Provider] without confidentiality restrictions at the time of its receipt from [Company Name]; (iii) is rightfully received from a third party who did not acquire or disclose such information by a wrongful or tortious act, or in breach of a confidentiality restriction; (iv) can be shown by documentation to have been independently developed by the [Service Provider] without reference to any Confidential Information; or (v) is identified by [Company Name] as no longer proprietary or confidential.

[Service Provider] Personnel. The [Service Provider] shall restrict the possession, knowledge, development and use of Confidential Information to its employees, agents, subcontractors, consultants, [Company Name]s and entities controlled by it (collectively, "Personnel") who have a need to know Confidential Information in connection with the Project. The [Service Provider]'s Personnel shall have access only to the Confidential Information they need for such purposes. The [Service Provider] shall ensure that its Personnel are bound by confidentiality obligations substantially similar to those contained herein and that such Personnel comply with this Agreement.

Disclosures Required by Law, Rule or Regulation. If, in the opinion of its counsel, the [Service Provider] becomes legally obligated to disclose Confidential Information, the [Service Provider] shall give [Company Name] prompt written notice sufficient to allow [Company Name] to seek a protective order or other appropriate remedy, and shall, to the extent practicable, consult with [Company Name] in an attempt to agree on the form, content, and timing of such disclosure. Notwithstanding the preceding sentence, notification to [Company Name] shall not be required if such notification is not permitted by law or would interfere with applicable law enforcement activities. The [Service Provider] shall disclose only such information as is required, in the opinion of its counsel, and shall exercise all reasonable efforts to obtain confidential treatment for any Confidential Information that is so disclosed.

Ownership of Confidential Information. All Confidential Information disclosed under this Agreement (including information in computer software or held in electronic storage media) shall remain the exclusive property of [Company Name], and the [Service Provider] shall have no rights, by license or otherwise, to use the Confidential Information except as expressly provided herein. No patent, copyright, trademark or other proprietary right is licensed, granted or otherwise conveyed by this Agreement with respect to Confidential or other information.
Provisions Applicable to “Nonpublic Personal Information.” Notwithstanding any other provision of this Agreement, with respect to “nonpublic personal information” about the “customers” and “consumers” (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of [Company Name] and any Affiliate of [Company Name], Service Provider agrees as follows:
(i) Except as may be reasonably necessary in the ordinary course of business to carry out the activities to be performed by Service Provider under this Agreement or as may be required by law or legal process, it will not disclose any such nonpublic personal information to any third party other than affiliates of Service Provider or [Company Name];
(ii) That it will not use any such nonpublic personal information other than to carry out the purposes for which it was disclosed by [Company Name] or [Company Name]’s Affiliate unless such other use is (a) expressly permitted by a written agreement executed by [Company Name] or its Affiliate, or (b) required by law or legal process;
(iii) It will take all reasonable measures, including without limitation such measures as it takes to safeguard its own confidential information, to ensure the security and confidentiality of all such nonpublic personal information, to protect against anticipated threats or hazards to the security or integrity of such nonpublic personal information and to protect against unauthorized access to or use of such nonpublic personal information.

Bring Your Own Device (“BYOD”) Policy Development and Implementation Outline

• Secure Mobile Devices
  o Authentication (passcode/PIN) requirements
  o Storage/transmission encryption requirements
  o Requirements to automatically wipe devices after a number of failed login attempts
  o Usage restrictions for mobile devices
  o Company rights to monitor, manage and wipe
  o Invest in a mobile device management (MDM) solution to enforce policies and monitor usage and access.
  o Enforce industry standard security policies as a minimum: whole-device encryption, PIN code, failed login attempt actions, remote wiping, etc.
  o Set a security baseline: certify hardware/operating systems for enterprise use using this baseline.
  o Differentiate trusted and untrusted device access: layer infrastructure accordingly.
  o Introduce more stringent authentication and access controls for critical business apps.
  o Add mobile device risk to the organization’s awareness program.
• Address App Risk
  o Use mobile anti-virus programs to protect company-issued and BYOD devices running malware-prone mobile operating systems.
  o Ensure security processes cover mobile app development and leverage tools and vendors to bridge assessment skill gaps.
  o Manage apps through a mobile app management product.
  o Introduce services that enable data sharing between BYOD devices.
  o To increase productivity and security, continually assess the need for new apps.
• Manage the Mobile Environment
  o Create and enforce an appropriate BYOD support and usage policy.
  o Revamp support provisioning and de-provisioning (wipe) of devices, and provide an increased level of self-help.
  o Create a patch education process to encourage users to update their mobile devices.
  o Introduce a social support mechanism to augment the existing IT support team.
  o Implement a wiki/knowledge base employee self-service support solution.
• Test and Verify the Security of the Implementation
  o Perform security testing and review of the implemented solution
  o Use an integrated testing approach combining automated tools
  o Perform manual penetration testing
• Test Infrastructural Changes Affecting Mobile Connections to the Enterprise Network
  o Wi-Fi deployments
  o VPN endpoints

Courtesy of Lisa Roth FINRA Small Firm Conference November 9-10, 2016

Cyber Security Incident Report

Complete the following form when any of the following events has occurred.
Include incidents resulting from an accident or negligence, as well as those resulting from deliberate wrongdoing.
1. Malware was detected on one or more Firm devices.
2. Access to a web site or network resource was blocked or impaired by a denial of service attack.
3. The availability of a critical web or network resource was impaired by a software or hardware malfunction.
4. An unauthorized user breached the network.
5. The compromise of a customer’s or vendor’s computer was used to remotely access the Firm’s network or resulted in fraudulent activity, such as efforts to fraudulently transfer funds from a customer account or the submission of fraudulent payment requests purportedly on behalf of a vendor.
6. The Firm received fraudulent emails, purportedly from customers, seeking to direct transfers of customer funds or securities.
7. The Firm was the subject of an extortion attempt by an individual or group threatening to impair access to or damage the Firm’s data, devices, network, or web services.
8. An employee or other authorized user of the Firm’s network engaged in misconduct resulting in the misappropriation of funds, securities, sensitive customer or Firm information or damage to the Firm’s network or data.
9. The Firm, either directly or as a result of an incident involving a vendor, experienced the theft, loss, unauthorized exposure, or unauthorized use of or access to customer information.
10. Any other security breach event.

Which of the above best describes the incident (No.): __
If (other), please describe:
Date detected: ___________________________
Date remediated: _________________________________
How was the incident detected? ☐ Internally ☐ Externally ☐ Not Known
What was the source of the incident? ☐ Internal ☐ External ☐ Not Known
Please identify the cause of the incident: ☐ Deliberate wrongdoing ☐ Error, accident
Was client non-public data compromised? ☐ Yes ☐ No
Please describe the nature, duration, and consequences of the breach, how it was detected and how it was remediated:
Please provide any additional notes and/or details regarding this event, including the name(s) of any regulatory authorities to which the incident was reported.
Report Submitted by: _____________________________________________________________ Date: ___________________
Report Reviewed by: ________________________________________________________________ Date: ____________________

2016 Courtesy of Monahan & Roth, LLC

Electronic Devices and Communications Inspection Form

Electronic Device Review:
Device Name | Description | % Business Use | % Personal Use
☐ Yes ☐ No Anti-malware software is installed on this device.
☐ Yes ☐ No Anti-virus software is installed on this device.
☐ Yes ☐ No Software auto-update is set to “ON” on this device.
☐ Yes ☐ No Log-in privileges to this device are password protected.
☐ Yes ☐ No This device ‘times out’ after 15 minutes or less of non-use.
☐ Yes ☐ No ONLY approved (company) email is received on this device.
☐ Yes ☐ No ONLY associated personnel have access to this device.
Please explain any “NO” answer in the space provided below:
Exceptions, Notes:

CyberheistNews Vol 6 #42 Oct. 18th

How Vulnerable Is Your Network? Download The New Ransomware Simulator.

KnowBe4 has been working hard on something brand new! Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 5 ransomware infection scenarios and show you if a workstation is vulnerable to infection. RanSim is complimentary; there are no costs. This will take you 5 minutes at best, and may give you some insights you never expected!

Download RanSim here, and tell your IT Pro friends. This is a cool new tool: https://info.knowbe4.com/ransomware-simulator-tool-1chn

Want to know more before you download? Here is the "How It Works" technical background and FAQ in our Zendesk tech support section: https://knowbe4.zendesk.com/hc/en-us/articles/229040167

If you find that your AV is not blocking any of the 5 scenarios, you can discuss the possible consequences with your peers at KnowBe4's Hackbusters forum in the Ransomware Topic. The forum has five main discussion topics:
• Social Engineering
• Ransomware
• Phishing
• Security Awareness Training
• PowerShell

We look forward to seeing you on KnowBe4's exciting new online community.
Join us at: https://discuss.hackbusters.com

Python Ransomware Uses A Unique Key For Each File That Is Encrypted

A new ransomware strain written in Python called CryPy was disclosed by Avast malware analyst Jakub Kroustek. It seems that Python is getting more popular as a ransomware development language, as seen in the recent rise of strains like PWOBot, Zimbra, HolyCrypt, and Fs0ciety Locker.

Security pros observed that while CryPy is a new strain, it's not yet a major threat like Locky because a unique encryption key for each file is a double-edged sword - it causes performance problems and is more susceptible to disruption if you block the malicious IP address. It is still in the early days for CryPy, for instance the command & control infrastructure is still immature, but expect that to be rapidly improved.

The problem with the CryPy approach is that decryptors will never work, and can potentially defeat anti-ransomware software like the prototype created by researchers at the University of Florida and Villanova University in July. Here is a technical analysis at the SecureList blog: https://securelist.com/blog/research/76318/crypy-ransomware-behind-israeli-lines/

And while we are discussing new strains, EvilTwin's "Exotic Ransomware" continuously monitors for new files to encrypt and maxes out the CPU. The Exotic Ransomware is a new infection released by a malware developer going by the alias of EvilTwin or Exotic Squad. Discovered on October 12th by MalwareHunterTeam, the Exotic Ransomware will encrypt all files, including executables in targeted folders on a victim's computer. In general, there is nothing particularly innovative about this ransomware, but it does contain an annoying feature. This is the constant encryption of new files in the targeted folders, making the system practically unusable.

Read the story at BleepingComputer: http://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-continuously-monitors-for-new-files-to-encrypt/

AI-powered ransomware is coming, and it's going to be terrifying

Business Insider started an article with the following: "Imagine you've got a meeting with a client, and shortly before you leave, they send you over a confirmation and a map with directions to where you're planning to meet. It all looks normal — but the entire message was actually written by a piece of smart malware mimicking the client's email mannerisms, with a virus attached to the map."

I have a blog post here that goes into this and at the end lifts the veil on something exciting we have been working on for quite a while with an invite for the Beta: https://blog.knowbe4.com/ai-powered-ransomware-is-coming-and-its-going-to-be-terrifying

More Than 60% Of US Office Workers Are Unaware Of The Ransomware Threat

OK, here is some very good ammo to get budget. Nearly half of ransomware attacks are aimed at office workers, but almost two-thirds of those polled are unaware of the threat. More than 60% of US office workers are unaware of ransomware and the threat it poses to business, according to a survey of more than 1,000 employees commissioned by security firm Avecto.

The survey also showed that 39% of respondents either have no confidence that their employer has measures in place to protect them against cyber threats or they are unaware of what their employer is doing to safeguard their online safety. More than 4,000 ransomware attacks occur every day, according to US government statistics, projecting it to be a 1 billion dollar criminal business for this year.

According to a report by security firm Symantec, ransomware attacks are becoming more targeted and a number of ransomware groups have begun using advanced attack techniques, displaying a level of expertise similar to that seen in many cyber espionage attacks. This blog post has more data, and links to all the sources, especially the US Government stats, which is an inter-agency guidance document for CIOs and CISOs: https://blog.knowbe4.com/more-than-60-of-us-office-workers-are-unaware-of-the-ransomware-threat

Yahoo Hack Triggers 'Material Adverse Change' Clause

The Wall Street Journal reported that Verizon's lawyers are looking at using the "material adverse change" clause to renegotiate the terms of the 4.8 billion dollar deal they struck this July. Verizon’s general counsel, Craig Silliman, said “we have a reasonable basis to believe right now that the impact is material.”

Would you say that losing your whole customer database is an adverse change? I would! Especially after you promise in your merger agreement that no security breach had taken place, and that no breaches will have occurred by the deal’s closing. Yeah, right. The hack, which Yahoo blamed on a state-sponsored actor, (I'm calling BS on that by the way) occurred two years ago but was "discovered" after the merger deal was signed.

It is rare for companies to trigger material adverse change clauses because courts have resisted their use, said Lisa Stark, a partner at K&L Gates LLP. “It has to be a very substantial event. It can’t just be a hiccup.” Again, if this is not a material adverse change, I will eat my hat.

My comment at the end of the story in the WSJ: "Yahoo disregarded best security practices and some key employees fell for a spear phishing attack by Eastern European cybercrime, just like 91% of all data breaches before them. And then to think that this could have been prevented by new-school security awareness training which helps employees to make smarter security decisions..."

Full article at the WSJ. Send this link to your C-level execs. Getting hacked could shave a billion dollars off the value of your company.
How's about some more IT security budget?: http://www.wsj.com/articles/material-adverse-change-clause-is-rarely-triggered-1476402532

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"The means by which intelligent and able generals operate to defeat the enemy is having advance knowledge and prediction." - Sun Tzu
"Stealthily gather information! Subtly Operate! Agents can be used anywhere and for anything." - Sun Tzu

Thanks for reading CyberheistNews. You can read CyberheistNews online at our Blog: https://blog.knowbe4.com/cyberheistnews-vol-6-42-how-vulnerable-is-your-network-download-the-new-ransomware-simulator

Security News

Ransomware In The UK: 58% Of IT Directors Have Paid Up

Some astounding ransomware figures from our brethren across the pool. An article in the ITPro Portal revealed numbers from a Datto survey. "Even the more moderate figures show that this is now a mainstream issue: in the UK, 58 percent of IT directors have paid attackers to get corporate files back post a ransomware attack. Just consider that 93 per cent of phishing emails now contain ransomware."

The article goes into technical controls that need to be in place, and mentions: "Comprehensive training, including compelling incentives that demonstrate how harmful cyber crime really is, is crucial here." We could not agree more. Here is the whole article: http://www.itproportal.com/features/why-the-enterprise-should-be-laughing-at-ransomware/

Here is the full Datto report with a lot of interesting data: http://cdn2.hubspot.net/hubfs/241394/DattoStateOfTheChannelRansomwareReport2016.pdf

10 Highest-Paying IT Security Jobs

Data breaches, DDOS attacks, hacks and threats continue to dominate the headlines, so it's no surprise that some of the most in-demand IT jobs are in the security area. And with a massive skills gap, companies are willing to pay handsomely for skilled security talent at all levels.

"One area we're still seeing huge demand for is in cybersecurity, and hiring companies are willing to pay whatever it takes for talent that can help secure data and mitigate threats while simultaneously ensuring consistent and simplified accessibility from desktop to mobile devices. Companies are sending the message with their budgets: you can't put a price on that," says Jack Cullen, CEO of IT staffing firm Modis.

Here are the top 10 highest-paying security roles, culled from career site Dice.com clients' job postings and median salary range data from cloud compensation solutions firm PayScale.com over at CSOonline: http://www.csoonline.com/article/3130142/it-careers/10-highest-paying-it-security-jobs.html

Watch Out For This Crafty Gift Card Scam!

Someone gave you a gift card but you'd really like cash instead? Scammers just developed a new trick to steal the value of your card. Suppose you decide to sell your 400 dollar Best Buy gift card on Craigslist for 350 dollars. The buyer wants to meet you for the handoff, but has one quick request: can we 3-way call and verify the Best Buy card's value please? So you set up the call and punch in the number of the card using the phone and get the confirmation. An hour later the card was emptied, but not by the owner!

Yup, you guessed it. The bad guys recorded the call and used the touch-tones to recover the number and empty the card. Crafty! There are safer ways to sell a gift card; there are dedicated sites that take between 5% and 10% of the value as their profit. The most popular ones are:
• CardPool
• CardCash
• Gift Card Granny
• Raise.com

It's incredible how industrious these dishonest people are, don't you wish they would use all that energy to be actually productive?

Cyberheist 'FAVE' LINKS: This Week's Links We Like, Tips, Hints And Fun Stuff

• Here is a short 2:45 minute virtual vacation with some incredible shots. BBC Planet Earth II - the beauty of life on our planet: http://www.flixxy.com/planet-earth-2-extended-trailer-bbc.htm?utm_source=4
• Danny MacAskill riding his mountain bike around the Edinburgh countryside, leaping onto a train track, riding over a rolling hay bale and riding through a 6ft puddle. Love it: http://www.flixxy.com/danny-macaskills-wee-day-out.htm?utm_source=4
• This short clip called "Swedishness" is a riot if you know some Swedes: https://www.youtube.com/watch?v=8_asVWhfZYg&feature=youtu.be
• BMW just unveiled a stunning motorcycle concept that comes with augmented reality glasses: http://www.businessinsider.com/bmw-vision-next-100-motorcycle-photos-2016-10
• 'The Internet of Unpatchable Things': 12-year old idiot bug has no fix: http://www.pcmag.com/news/348640/this-12-year-old-iot-bug-has-no-fix?
• These stats show that people use their year of birth in their passwords at a crazy high frequency. Don't be that guy: http://minimaxir.com/2015/02/password-numbers/
• Deril the dog amazed the audience of the Dog Dance World Championship 2016 when he performed CPR on his owner. CPR? Yeah: http://www.flixxy.com/deril-and-lusy-at-the-dog-dance-world-championship-2016.htm?utm_source=4

Copyright © 2014-2016 KnowBe4 LLC, All rights reserved.

Contact Information – U.S. Law Enforcement

The US Secret Service Investigative Support Division, centrally located in Washington DC, can assist FS-ISAC member companies 24/7 to aid in referring companies to their ECTFs on a 24/7 basis. The USSS-ECTF toll free number is 877-242-3375. Information regarding contacting the USSS-CID or USSS-ECTF can be found at http://www.secretservice.gov/ectf.shtml. Contact information for the closest ECTF Office to your company can be found on that web page.

The FBI staffs CY-WATCH for 24/7 incident awareness and response issues.
They can be contacted via email at [email protected] or phone at 855-292-3937.

Local contact information for USSS is provided here, one row per ECTF office:

ECTF | FS-ISAC AMBER SUPERVISOR | CONTACT # | MOBILE # | EMAIL
ATLANTA, GA | ATSAIC Marc Debrody | 404-331-6111 | 404-227-3851 | [email protected]
BALTIMORE, MD | ATSAIC James Meehan | 443-263-1000 | 202-355-3141 | [email protected]
BIRMINGHAM, AL | ATSAIC Nicholas Steen | 205-731-1144 | 205-834-3576 | [email protected]
BOSTON, MA | ATSAIC Thomas Baker | 617-565-5640 | 617-990-4152 | [email protected]
BUFFALO/SYRACUSE, NY | RAIC Timothy Kirk | 315-448-0304 | 315-727-8694 | [email protected]
CHARLOTTE, NC | ATSAIC Eric Eversole | 704-442-8370 | 980-207-8809 | [email protected]
CHICAGO, IL | ATSAIC Troy Land | 312-353-5431 | 312-771-3209 | [email protected]
CINCINNATI, OH | RAIC Todd Bagby | 513-684-3585 | 937-684-6204 | [email protected]
CLEVELAND, OH | ATSAIC Michael Dobeck | 216-706-4365 | 216-973-9272 | [email protected]
COLUMBIA, SC | ATSAIC James Ramicone | 803-772-4015 | 803-513-1096 | [email protected]
DALLAS, TX | ATSAIC Steven Bullitt | 972-868-3200 | 214-784-5996 | [email protected]
DENVER, CO | ATSAIC Isaac Barnes | 303-850-2700 | 202-558-8977 | [email protected]
HONOLULU, HI | ATSAIC Keith Jones | 808-462-1404 | 808-286-1216 | [email protected]
HOUSTON, TX | ATSAIC Marvin Wright | 713-868-2299 | 281-229-4435 | [email protected]
KANSAS CITY, MO | ATSAIC Jeff Rinehart | 816-460-0600 | 816-500-0351 | [email protected]
LAS VEGAS, NV | ASAIC Gil Lejarde | 702-868-3000 | 702-600-9205 | [email protected]
LOS ANGELES, CA | ATSAIC Gregory Auer | 213-894-4830 | 213-598-9353 | [email protected]
LOUISVILLE, KY | ATSAIC Kirk Mcclelland | 502-582-5171 | 502-263-8906 | [email protected]
MEMPHIS, TN | ATSAIC James Hawkins | 901-544-0333 | 901-481-2900 | [email protected]
MIAMI, FL | ATSAIC Angel Nazario | 305-863-5000 | 305-407-5673 | [email protected]
MINNEAPOLIS, MN | ATSAIC Mark Johnson | 612-348-1800 | 612-508-9423 | [email protected]
NASHVILLE, TN | ATSAIC Gregory Mays | 615-736-5841 | 615-788-0150 | [email protected]
NEWARK, NJ | ATSAIC Russell Wilson | 973-971-3100 | 202-263-9387 | [email protected]
NEW ORLEANS, LA | SAIC Anthony Bynum | 504-841-3260 | 504-382-3677 | [email protected]
NEW YORK, NY | ATSAIC Scott Sarafian | 718-840-1000 | 646-842-1698 | [email protected]
OKLAHOMA CITY, OK | ATSAIC David Allison | 405-271-0630 | 405-409-5896 | [email protected]
ORLANDO, FL | ATSAIC Keith Hoover | 407-648-6333 | 407-803-3855 | [email protected]
PHILADELPHIA, PA | SA Ryan Van Deusen | 215-861-3300 | 215-370-1916 | [email protected]
PHOENIX, AZ | ATSAIC Bradley Keller | 602-640-5580 | 480-220-9099 | [email protected]
PITTSBURGH, PA | ATSAIC Matthew Lavigna | 412-281-7825 | 412-303-2761 | [email protected]
SAN FRANCISCO, CA | ATSAIC Kirk Arthur | 415-576-1210 | 415-238-4745 | [email protected]
SEATTLE, WA | ASAIC Michael Germain | 206-564-5712 | 202-841-3617 | [email protected]
St. LOUIS, MO | ATSAIC Douglas Roberts | 314-539-2238 | 314-413-9076 | [email protected]
WASHINGTON, DC | ATSAIC Chris Gagne | 202-406-8000 | 202-680-8264 | [email protected]
LONDON, ENGLAND | SA James Gee | 442-07-894-0846 | 011-447-590-976557 | [email protected]
ROME, ITALY | SA Michael Burgin | 390-64-674-2736 | (no mobile listed) | [email protected]