By SecureWorld News Team
Mon | Apr 10, 2017 | 1:58 PM PDT

SecureWorld Philadelphia celebrated its 14th annual cybersecurity conference with phishing awareness, medieval comparisons, and Brickerbot discussions.

Here are some sessions we attended, and what we learned.

EU GDPR: Review of the IT security requirements and changes

Joan Antokol, a partner at Park Legal, explained the scope of the European Union's General Data Protection Regulation, set to take effect May 25, 2018.

Antokol said, "One of the main purposes of the GDPR is to have consistency across the EU," with the goal of harmonizing compliance.

GDPR brings greater rights to individuals, with more responsibilities for organizations and more enforcement. Even IP addresses are now protected, since they are associated with a specific individual. 

One of the main impacts of GDPR is the data breach requirements. Notifications must be made within 72 hours after you become aware of a breach occurring. However, notice is not required if "the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons." 

The main thing to remember about the GDPR compliance is that the law travels with the data. So if you're a business based in the United States with no offices abroad, but you do business involving European customers, you'll be affected.

Fighting cybercrime - A team effort

Jared Hosid, a prosecutor with the Department of Justice, explained how behind every cybercrime is a cyber criminal. 

"Law enforcement has a very big role to play in the security of our networks," he said. 

Here are his recommended best practices for victim response and the reporting of cyber incidents:

  1. Take the right precautions before a crime occurs — Determine your critical assets, have a response plan in place, permit network monitoring with appropriate authorization, and make sure your legal team is involved.
  2. Execute your incident response plan — Make an initial assessment, stop continuing damage, record and collect data, and notify the proper authorities and victims.
  3. Don't do the wrong things — Don't communicate with your compromised system, and don't try to access or impair another system or network.
  4. Afterwards, remain vigilant — Don't let this same type of attack happen again!

Jumping the canyon from technical to leadership and landing successfully

Thomas Handlon went from being a security engineer at Cooper University Hospital to Director of Information Security at American Reality Capital to CISO for Kennedy Health System. 

In his Thursday morning session, he shared his advice on moving through the ranks and into a successful management position.

Handlon explained that people in security are jacks of all trades. "If you do security best practices, it's easy. It's people that make it hard," he said.

So to make it easier on yourself and move ahead, you need to:

  1. Get out of your comfort zone — Take up new tasks outside of your current responsibilities such as getting involved with compliance or legal.
  2. Get educated — Attend conferences, listen to webinars, and join organizations.
  3. Find a mentor — There are plenty of successful people happy to help, as someone most likely did for them.
  4. Focus on your mindset — Nothing is set in stone. Believe you can be and do anything.

Phishing dark waters - Don't end up on the hook

Chris Hadnagy, CEO of Social-Engineer, explained in Thursday's opening keynote how "the bad guys are getting better." 

According to Verizon, 90% of data breaches have a phishing or social engineering element to them. The FBI reported a 1,300% increase in monetary loss from Business Email Compromise (BEC) scams. 

But it's not poorly worded emails asking for a wire transfer that are causing us to fall for phishing attacks at such a high rate; phishing works through influence and manipulation.

Phishing uses our emotions, our natural curiosity, and our business to trick us into clicking. If we receive an email notifying us of impending jury duty and claiming that earlier mail correspondence has been missed, we are more likely to click the link for fear of contempt of court.

"Compliance works on us. We don't want to be seen as disobedient or non-compliant, so we comply," Hadnagy said.
