
Practical Cybersecurity Risk Management Strategies

Artificial Intelligence In the Legal and Regulatory Realm


Paul Ferrillo a/k/a Director Fury (@PaulFerrillo)
Shawn Tuma a/k/a The Hulk (@ShawnETuma)
www.thecyberavengers.com #CyberAvengers
Who are the #CyberAvengers?

Paul Ferrillo ("Director Fury")
Chuck Brooks ("Thor")
Kenneth Holley ("Captain America")
George Platsis ("Ironman")
George Thomas ("Black Panther")
Shawn Tuma ("Hulk")
Christophe Veltsos ("Hawkeye")
Why do we do what we do?
#CyberAvengers
www.thecyberavengers.com
Laws and regulations

Types
  Security
  Privacy
  Unauthorized Access
International Laws
  Privacy Shield
  GDPR
Federal Laws & Regs.
  HIPAA, GLBA, FERPA
  FTC, SEC, FCC, HHS

State Laws
  48 states (AL & SD)
  NYDFS & Colorado FinServ
Industry Groups
  PCI, FINRA
Contracts
  3rd Party Bus. Assoc.
  Data Security Addendum
When does an incident or breach require disclosure?
Usually the real-world threats are not so sophisticated

Easily Avoidable Breaches
90% in 2014
91% in 2015
91% in 2016 (90% from email)

• 63% confirmed breaches from weak, default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Common Cybersecurity Best Practices

1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
   • Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Cyber risk insurance.
If the basics are so effective, why is it such a problem for everyone to use them?
What are artificial intelligence and machine learning?

Artificial Intelligence & Machine Learning

In a cybersecurity context, AI is software that perceives its environment well enough to identify events and take action against a predefined purpose. AI is particularly good at recognizing patterns and anomalies within them, which makes it an excellent tool to detect threats.

Machine learning is often used with AI. It is software that can “learn” on its own based on human input and results of actions taken. Together with AI, machine learning can become a tool to predict outcomes based on past events.

Source: Maria Korolov, How AI can help you stay ahead of cybersecurity threats, CSO Online (Oct. 19, 2017)
Why is this important? Can AI/ML help?

1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
   • Social engineering, password, security questions
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Cyber risk insurance.
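One concrete answer to "Can AI/ML help?", added here as an example and not code from the CyberAvengers deck: the deck says AI/ML learns from past events and spots patterns and anomalies, and practice 13 asks for adequate logging, so this script learns a per-hour baseline of failed logins from a day of history and flags hours that deviate far from it. The log format ("<hour> <user> <result>") and every log line are constructed for the example.

```python
"""Learn a baseline from past login events, then flag anomalous hours.
Added example, not from the CyberAvengers deck. Log format "<hour> <user>
<result>" and all log lines are constructed for this example.
"""
from statistics import mean, pstdev

HISTORY_LOG = """\
2017-10-18T09 bob fail
2017-10-18T10 dave fail
2017-10-18T11 alice fail
2017-10-18T11 alice fail
2017-10-18T12 bob fail
2017-10-18T13 erin fail
"""  # constructed: a normal working day
TODAY_LOG = """\
2017-10-19T09 bob fail
2017-10-19T11 alice fail
2017-10-19T11 alice fail
2017-10-19T11 bob fail
2017-10-19T11 carol fail
2017-10-19T11 dave fail
2017-10-19T11 erin fail
2017-10-19T11 frank fail
2017-10-19T12 erin ok
"""  # constructed: one hour with failures across many accounts

def failed_logins_per_hour(log_text):
    """Map every hour seen in the log to the users whose login failed then."""
    failed = {}
    for line in log_text.splitlines():
        hour, user, result = line.split()
        users = failed.setdefault(hour, [])  # hours with no failures count as 0
        if result == "fail":
            users.append(user)
    return failed

def learn_baseline(history_text):
    """Mean and spread of failures per hour, learned from past events."""
    counts = [len(u) for u in failed_logins_per_hour(history_text).values()]
    return mean(counts), pstdev(counts)

def flag_anomalous_hours(today_text, baseline, z_threshold=3.0):
    """Hours whose failure count sits far above the learned baseline, as
    (hour, failures, distinct accounts). Many accounts failing in one hour
    fits guessing of weak or reused passwords better than one user's typo."""
    avg, spread = baseline
    flagged = []
    for hour, users in sorted(failed_logins_per_hour(today_text).items()):
        excess = len(users) - avg
        # A flat history (spread 0) means any increase at all is unusual.
        is_anomaly = excess > 0 if spread == 0 else excess / spread > z_threshold
        if is_anomaly:
            flagged.append((hour, len(users), len(set(users))))
    return flagged
```

The flagged hour is a prompt for a human to look at the accounts involved, not a verdict; the baseline should be relearned as normal activity changes.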
Cyber Risk Management Program (cycle diagram): Cyber Risk Assessment; Strategic Planning; Deploy Defenses; Develop, Implement, Train on P&P; Tabletop Testing; Reassess & Refine.
Questions?
