Adp Smb Security Awareness Cobb 140509130238 Phpapp01
Date post: 19-Nov-2015
Upload: tombiko
Security 101 Training, awareness, and strategies Stephen Cobb, CISSP Senior Security Researcher ESET NA
Transcript

Security 101: Training, awareness, and strategies

Stephen Cobb, CISSP, Senior Security Researcher, ESET NA

The SMB sweet spot for the cyber-criminally inclined
[Chart: Enterprises, the SMB sweet spot, and Consumers positioned by assets worth looting against level of protection]

The challenge
- Organizations of every type rely on computers to handle information
- Everyone today is a computer user
- Most have no security training
- Lack of security training leads to problems

How big is the challenge?
We asked U.S. consumers if they had ever received any computer security training*
*Savitz Research for ESET, 2012

68% is sadly consistent
We asked working adults in the U.S. if they had ever received any computer security training*
*Harris poll for ESET, 2012

73% is even worse
We asked adults in the U.S. who use social media if they had ever received online safety training*
*Harris poll for ESET, 2012

Security training is not yet part of our society*
This has serious implications for your business
93% of American adults say they've had no computer security training in the last 12 months
How many of them work for you, or for your clients, suppliers, etc.?
*Savitz Research for ESET, 2012

Some problems that lack of security training can cause
- Unauthorized access to information
- Loss of access to information
- Loss of information
- Corruption of information
- Theft of information

The implications are non-trivial
- Loss of revenue
- Loss of business
- Fines, lawsuits, headlines
- Unbudgeted expenses
Breach costs currently estimated at around $190 per record exposed*
5,263 records = $1 million hit
*Ponemon Institute

Trojan terminates escrow firm
- $1.1 million wired to China and could not be retrieved
- Firm was closed by state law, now in receivership, 9 people out of a job
So what's the best weapon for keeping that kind of Trojan code out of your company's system?

A well-trained workforce
- Knows not to click on suspicious links in email or social media
- Knows to report strange activity (e.g. the two-factor authentication not working)
- Knows to scan all incoming files for malware: email, USB drives

Does training make a difference?
Yes
A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education*
*A bunch of different studies in recent years

Security training or awareness: what's the difference?
- Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely
- Awareness makes sure all people at all levels know what to look out for

Not that kind of actor
Do your employees know what motivates bad actors?
- IMPACT
- ADVANTAGE
- MONEY
- CREDENTIALS

Do you know how the bad guys operate?
- Specialization
- Modularity
- Division of labor
- Standards
- Markets

[Diagram: a popular attack technique. User clicks a link; taken to exploit site; malware server; gets infected/owned; command & control]

Here is a buyer's guide to eleven English-language exploit kits you can buy or rent, with a chart of the vulnerabilities they use to infect systems, e.g. Adobe Reader, Java, Flash, Windows, IE.

This is the face of banking Trojans today. SpyEye has actually been around for a while. Akin to Zeus, Gataka, and Hesperbot, a recent ESET discovery. Note the modular design. Want to do DDoS attacks instead of grabbing BOA account data? Just add a DDoS module and push it out to your botnet.

RAT has full access to victim PC and its network connections
- Search and exfiltrate files
- Access to webcam and audio
- Scrape passwords
- Execute system functions
- Chat with victim

What happens next?

And don't forget your mobile phones: they are worth $5 if I can get the right malware on them. Our researchers in Russia found this Dancing Penguins site for PPI, pay-per-install. In other words they pay you $5 per Android device you can infect with their code. They then use it for premium rate SMS scams.

So how do we move forward?

The road map: A B C D E F
- Assess your assets, risks, resources
- Build your policy
- Choose your controls
- Deploy controls
- Educate employees, execs, vendors
- Further assess, audit, test

[Diagram: the A B C D E F cycle looping back F E D C B A; label: Technology]

Assess assets, risks, resources
- Assets: digital, physical. If you don't know what you've got you can't protect it!
- Risks: who or what is the threat?
- Resources: in house, hired, partners, vendors, trade groups, associations

Build your policy
- Security begins with policy
- Policy begins with C-level buy-in
- High-level commitment to protecting the privacy and security of data
- Then a set of policies that spell out the protective measures, the controls that will be used

Choose controls to enforce policies
For example:
- Policy: Only authorized employees can access sensitive data
- Controls: Require identification and authentication of all employees via unique user name and password; limit access through application(s) by requiring authentication; log all access
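As an added example (not part of the slides), one way the three controls on this slide can be realized in a small application: a directory of unique user names with salted password hashes, an application entry point that refuses unauthenticated or unauthorized callers, and an audit log that records every attempt. The directory, role set and sample employees are constructed for illustration.

```python
"""Added example: the policy "only authorized employees can access sensitive
data" expressed as three controls. Names, roles and users are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

AUDIT_LOG = []                         # control 3: every attempt, allowed or not
AUTHORIZED_ROLES = {"finance", "hr"}   # roles the policy lets at sensitive data


def _hash_password(password, salt):
    # Slow, salted hash so a stolen directory does not yield passwords cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class EmployeeDirectory:
    """Control 1: each employee identified by a unique user name."""

    def __init__(self):
        self._users = {}   # username -> (salt, password hash, role)

    def add_employee(self, username, password, role):
        if username in self._users:
            raise ValueError(f"user name {username!r} is not unique")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), role)

    def authenticate(self, username, password):
        """Return the employee's role on success, None on failure."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored, role = rec
        ok = hmac.compare_digest(stored, _hash_password(password, salt))
        return role if ok else None


def access_sensitive_data(directory, username, password, record_id):
    """Control 2: the application path requires authentication and an
    authorized role. Control 3: the outcome is logged either way."""
    role = directory.authenticate(username, password)
    if role is None:
        outcome = "denied: authentication failed"
    elif role not in AUTHORIZED_ROLES:
        outcome = f"denied: role {role} not authorized"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": username, "record": record_id, "outcome": outcome})
    return outcome == "allowed"
```

Running the gate for a finance user, a sales user, a wrong password and an unknown user yields one allow and three distinct denials, each with its own audit record.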

Deploy controls, ensure they work
- Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)
- Test control: Does it work technically? Does it work with your work? Can employees work it?

Educate everyone
Everyone needs to know:
- What the security policies are
- How to comply with them through proper use of controls
- Pay attention to any information-sharing relationships: vendors, partners, even clients
- Clearly state consequences of failure to comply

Who gets trained?
Everyone, but not in the same way; break it down:
- All-hands training
- IT staff training
- Security staff training

How to deliver training
- In person
- Online
- On paper
- In house
- Outside contractor
- Mix and match
- Be creative

Incentives?
Yes!
- To launch programs, push agendas
- Prizes do work
- But also make security part of every job description and evaluation

Use your internal organs... of communication!
- Newsletter
- Intranet
- Bulletin board
- Meetings
- Company-wide email

How to do awareness
- Make it fun
- Make it relevant
- Leverage the news
- Bear in mind that everyone benefits from greater awareness, at work and at home

Resources to tap
- Industry associations: FS-ISAC, NH-ISAC, others
- CompTIA, SBA, BBB
- ISSA, ISACA, SANS, (ISC)2
- Local colleges and universities
- Securing Our eCity

Need more motivation?
Security training is the law:
- HIPAA
- Red Flag Identity Theft Prevention
- Gramm-Leach-Bliley, Sarbanes-Oxley
- FISMA
Or required by industry:
- PCI Data Security Standard

Or just plain required to get that big juicy contract
Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business

Further assess, audit, test

This is a process, not a project
- Lay out a plan to assess security on a periodic basis
- Stay up-to-date on emerging threats
- Stay vigilant around change such as arrivals, departures, functionality

[Diagram: the A B C D E F cycle looping back F E D C B A]

The Technology Slide
- Backup and archive
- Firewall and scan incoming traffic: emails, files, devices, media
- Encrypt
- Monitor: filter and monitor outbound
- Authenticate users

Thank you. [email protected]. Info in the lobby.