Security 101
Training, awareness, and strategies
Stephen Cobb, CISSP
Senior Security Researcher
ESET NA
The SMB Sweet Spot for the cyber-criminally inclined
[Chart: Enterprises, the SMB Sweet Spot and Consumers plotted by assets worth looting against level of protection]
The challenge
Organizations of every type rely on computers to handle information
Everyone today is a computer user
Most have no security training
Lack of security training leads to problems
How big is the challenge?
We asked U.S. consumers if they had ever received any computer security training*
*Savitz Research for ESET, 2012
68% is sadly consistent
We asked working adults in the U.S. if they had ever received any computer security training*
*Harris poll for ESET, 2012
73% is even worse
We asked adults in the U.S. who use social media if they had ever received online safety training*
*Harris poll for ESET, 2012
Security training is not yet part of our society*
This has serious implications for your business
93% of American adults say they've had no computer security training in the last 12 months
How many of them work for you, or for your clients, suppliers, etc.?
*Savitz Research for ESET, 2012
Some problems that lack of security training can cause
Unauthorized access to information
Loss of access to information
Loss of information
Corruption of information
Theft of information
The implications are non-trivial
Loss of revenue
Loss of business
Fines, lawsuits, headlines
Unbudgeted expenses
Breach costs currently estimated at around $190 per record exposed*
5,263 records = $1 million hit
*Ponemon Institute
Trojan terminates escrow firm
$1.1 million wired to China and could not be retrieved
Firm was closed by state law, now in receivership, 9 people out of a job
So what's the best weapon for keeping that kind of Trojan code out of your company's system?
A well-trained workforce
Knows not to click on suspicious links in email or social media
Knows to report strange activity (e.g. the two-factor authentication not working)
Knows to scan all incoming files for malware: email, USB drives
Does training make a difference?
Yes
A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education**
**A bunch of different studies in recent years
Security training or awareness: what's the difference?
Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely
Awareness makes sure all people at all levels know what to look out for
Not that kind of actor
Do your employees know what motivates bad actors?
Impact
Advantage
Money
Credentials
Do you know how the bad guys operate?
Specialization
Modularity
Division of labor
Standards
Markets
Popular attack technique
[Diagram: user clicks a link, is taken to an exploit site backed by a malware server, gets infected/owned, and the infected machine then talks to command & control]
Here is a buyer's guide to eleven English-language exploit kits you can buy or rent, with a chart of the vulnerabilities they use to infect systems, e.g. Adobe Reader, Java, Flash, Windows, IE.
This is the face of banking Trojans today. SpyEye has actually been around for a while. It is akin to Zeus, Gataka, and Hesperbot, a recent ESET discovery. Note the modular design. Want to do DDoS attacks instead of grabbing BOA account data? Just add a DDoS module and push it out to your botnet.
RAT has full access to victim PC
And its network connections
Search and exfiltrate files
Access to webcam and audio
Scrape passwords
Execute system functions
Chat with victim
What happens next?
And don't forget your mobile phones: they are worth $5 if I can get the right malware on them. Our researchers in Russia found this Dancing Penguins site for PPI, pay-per-install. In other words, they pay you $5 per Android device you can infect with their code. They then use it for premium-rate SMS scams.
So how do we move forward?
The road map: A B C D E F
Assess your assets, risks, resources
Build your policy
Choose your controls
Deploy controls
Educate employees, execs, vendors
Further assess, audit, test
[Diagram: the A to F road map drawn as a cycle (A B C D E F, F E D C B A), labeled Technology]
Assess assets, risks, resources
Assets: digital, physical. If you don't know what you've got, you can't protect it!
Risks: who or what is the threat?
Resources: in house, hired, partners, vendors, trade groups, associations
Build your policy
Security begins with policy
Policy begins with C-level buy-in
High-level commitment to protecting the privacy and security of data
Then a set of policies that spell out the protective measures, the controls that will be used
Choose controls to enforce policies
For example:
Policy: Only authorized employees can access sensitive data
Controls:
Require identification and authentication of all employees via unique user name and password
Limit access through application(s) by requiring authentication
Log all access
Deploy controls, ensure they work
Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)
Test control:
Does it work technically?
Does it work with your work?
Can employees work it?
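The three controls on the "Choose controls" slide (unique user name and password, access limited through the application, every access logged) and the "does it work technically?" test on the "Deploy controls" slide, worked as an added example that is not from the deck. Users, passwords, resources and role names are constructed sample data.

```python
"""Added example: enforce "only authorized employees can access sensitive data"
with authentication, per-resource authorization and an access log.
All user names, passwords, resources and roles here are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the directory never stores a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}

# Constructed employee directory and the role each sensitive application needs.
USERS = {
    "alice": make_user("correct horse battery", {"finance"}),
    "bob": make_user("hunter2-but-longer", {"sales"}),
}
RESOURCE_ROLES = {"payroll-db": "finance", "crm": "sales"}
ACCESS_LOG = []  # control 3: every attempt is recorded, allowed or denied

def _log(user: str, resource: str, outcome: str) -> None:
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    ACCESS_LOG.append(f"{ts} user={user} resource={resource} outcome={outcome}")

def authenticate(user: str, password: str) -> bool:
    """Control 1: verify identity against the stored salted hash."""
    rec = USERS.get(user)
    if rec is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])

def access(user: str, password: str, resource: str) -> bool:
    """Authenticate, then authorize by role; log the outcome either way."""
    if not authenticate(user, password):
        _log(user, resource, "DENIED-auth")
        return False
    needed = RESOURCE_ROLES.get(resource)
    if needed is None or needed not in USERS[user]["roles"]:
        _log(user, resource, "DENIED-authz")  # control 2: limit by application
        return False
    _log(user, resource, "ALLOWED")
    return True
```

The "does it work technically?" check is simply to drive each path (right password, wrong resource, wrong password, unknown user) and confirm that every attempt shows up in ACCESS_LOG.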
Educate everyone
Everyone needs to know:
What the security policies are
How to comply with them through proper use of controls
Pay attention to any information-sharing relationships: vendors, partners, even clients
Clearly state consequences of failure to comply
Who gets trained?
Everyone, but not in the same way; break it down:
All-hands training
IT staff training
Security staff training
How to deliver training
In person
Online
On paper
In house
Outside contractor
Mix and match
Be creative
Incentives?
Yes!
To launch programs, push agendas
Prizes do work
But also make security part of every job description and evaluation
Use your internal organs of communication!
Newsletter
Intranet
Bulletin board
Meetings
Company-wide email
How to do awareness
Make it fun
Make it relevant
Leverage the news
Bear in mind that everyone benefits from greater awareness, at work and at home
Resources to tap
Industry associations: FS-ISAC, NH-ISAC, others
CompTIA, SBA, BBB
ISSA, ISACA, SANS, (ISC)2
Local colleges and universities
Securing Our eCity
Need more motivation?
Security training is the law:
HIPAA
Red Flag Identity Theft Prevention
Gramm-Leach-Bliley, Sarbanes-Oxley
FISMA
Or required by industry:
PCI Data Security Standard
Or just plain required
To get that big juicy contract
Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business
Further assess, audit, test
This is a process, not a project
Lay out a plan to assess security on a periodic basis
Stay up-to-date on emerging threats
Stay vigilant around change such as arrivals, departures, functionality
The Technology Slide
[Diagram: the A to F road map cycle (A B C D E F, F E D C B A) with the supporting technology]
Backup and archive
Firewall and scan incoming traffic, emails, files, devices, media
Encrypt
Monitor
Filter and monitor outbound
Authenticate users
Thank you
[email protected]
Info in the lobby