CYBERSECURITY THREATS – IMPROVING USER AWARENESS
Dr. James W. Gabberty, MBA, MS, CISSP 2017 ACFE, June 2017, Pace University, NYC
THE PROBLEM
• Attackers innovating faster than defenders
  o Malware commercialized
  o Botnets available for rent ($100/day DDoS)
  o Malware reuse rate >> malware signature rate
  o Users love to click
• CIOs & CISOs need prioritized controls
• Agreement needed between
  o Auditors
  o System Administrators & Security Engineers
SOCIAL ENGINEERING (SE)
“…any act that influences a person to take an action that may or may not be in their best interests…”
WHY DO ATTACKERS USE S.E.?
• As revealed in the “2016 IBM Cost of Data Breach Study: Global Analysis”, the average cost of a breach to a company is $4 million (US dollars)
• This figure continues to rise…
WHAT CAN BE DONE TO CURTAIL S.E.?
• Technology solves part of the problem
• Policy solves part of the problem
• Users can override either of the above solutions
S.E. IS PSYCHOLOGICAL
“THE INFLUENCE MODEL: USING RECIPROCITY AND EXCHANGE TO GET WHAT YOU NEED”, Allan R. Cohen and David L. Bradford
PHISHING
“… the practice of sending e-mails that appear to be from reputable sources with the goal of influencing or gaining personal information… ”
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails (2015 Wiley)
THE SPEAR PHISH
• A very specific form of phishing
• Attackers conduct research on targets
• Messaging is personal and difficult to resist
A RECENT PHISHING EXAMPLE
WHAT’S THE MOST DANGEROUS ACTIVITY YOU DO EVERY DAY?
Can you spot the error(s)?
TECHNOLOGY CONTROLS - DO YOU WHITELIST?
NoScript.net
15 YEARS OF MICROSOFT SECURITY CONTROLS
“Why Train”? Webinar from SANS, available at: https://www.sans.org/webcast/recording/citrix/99987/60490
WHICH FRAMEWORK TO USE? (AUDITS NEED BASELINES & STANDARDS)
• ISO 27001/2
• HIPAA / SOX / GLBA
• COBIT 5 / Corporate Standards
• NIST 800-53 / FISMA / DIACAP
• PCI DSS / NERC / CIP
• GDPR
IMPERSONATION – ONSITE ATTACKS COMMON
IMPERSONATION TECHNIQUES
• Tailgating
• Fake badges
• Pretexts/costumes
IMPERSONATION “IN THE NEWS”
SMISHING
SMISHING “IN THE NEWS”
POLICIES & PROCEDURES
• Directive Controls: extremely important yet often ignored
  o A blood alcohol limit for driving is a form of directive control
  o It doesn’t keep everyone from drinking and driving…
  o Works for some people, but does not work for others
• Policies and Procedures are the speed limit signs of information security
SECURITY POLICIES
• High-level guidance about expectations
• Needs to be communicated effectively to employees
• Should not counteract / overturn existing laws and policies
• Can be interpreted as executive directives
• Overall goal: make certain well-meaning employees understand the firm’s expectations
• Can only be as effective as corporate dedication to information security and company culture
• Should not be as simple as an e-mail campaign targeted at employees to change their behavior / attitude towards information security
WHAT MAKES UP A POLICY?
• Purpose (and any supporting documentation)
• Background (and any existing policies that are being replaced)
• Scope
• Policy statement
• Specific actions
• Responsibility & Ownership
POLICY LEVELS IN AN ORGANIZATION
• Enterprise / corporate-wide policies
• Division-wide policies
• Local policies
• Issue-specific policies
• Procedures & checklists
POLICIES VS. PROCEDURES
• Policies
  o HIGH-LEVEL and GENERAL directives from management
  o Provide the answers to “WHY” & “WHAT” must be done
• Procedures
  o DETAILS about how to fulfill specific tasks
  o Answer the “WHY” by supplying the “HOW”
For example: consider a policy and a procedure for handling PII
• Policy: general statements about the sensitivity of customers’ personal data
• Procedure: step-by-step instructions on how to encrypt, manage keys, etc.
EXERCISE 1 OF 3
• Policy: Don’t click on bad links
• Weakness: Who determines what is “bad” and what is “good”? What if an employee doesn’t know that online-microsoft.com is not really microsoft.com?
• Improvement: Tell the employees how to recognize bad links, who to report them to, and give clear instructions on how to report them
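The online-microsoft.com case above is exactly the kind of lookalike a reader cannot be expected to judge by eye. As an added example (not part of the original slides), the check below flags links whose host contains a brand name but whose registrable domain is not on an allow-list the organisation maintains; the allow-list and the sample e-mail are constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list (an assumption for this example): registrable domains
# the organisation has confirmed actually belong to each brand.
KNOWN_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "live.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk, which is fine for the .com cases here."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """'trusted' if the registrable domain is allow-listed for the brand,
    'lookalike' if a brand name appears in the host but the registrable
    domain is not allow-listed (online-microsoft.com, microsoft.com.example.net),
    otherwise 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if reg in domains:
            return "trusted"
        if brand in host:
            return "lookalike"
    return "unknown"


def scan_email(body: str) -> list:
    """Return (url, verdict) pairs for every link in an e-mail body, so the
    reader can be told which links to report rather than click."""
    results = []
    for match in URL_RE.findall(body):
        url = match.rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        results.append((url, classify_link(url)))
    return results


# Constructed sample message, modelled on the slide's online-microsoft.com case.
SAMPLE_EMAIL = """Your mailbox is almost full.
Sign in at https://online-microsoft.com/login to keep your account.
Official help: https://support.microsoft.com/."""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

Paired with a reporting address in the policy, the “lookalike” verdict becomes the concrete trigger the employee is told to act on.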
EXERCISE 2 OF 3
• Policy: Don’t give out sensitive information over the phone
• Weakness: Does your employee clearly understand what is sensitive? Do they realize what can and cannot be used by attackers?
• Improvement: Make it easy for your employees to verify other employees and vendors before they give out any information over the phone
EXERCISE 3 OF 3
• Policy: Just delete an email if you think it’s dangerous
• Weakness: By deleting a potential threat to the company you are not saving the company and other employees from potential danger. It is no different than seeing a fire in your apartment building and running out but telling no one else.
• Improvement: Give clear instructions on how to report it and to whom
THE 20 CRITICAL SECURITY CONTROLS
PCI-DSS VS. CSC
PCI-DSS (12 requirements):
1. Install & maintain a firewall configuration to protect cardholder data
2. Do not use vendor defaults for passwords & other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop & maintain secure systems & applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
20 Critical Security Controls (CSC):
1. Inventory of authorized/unauthorized devices
2. Inventory of authorized/unauthorized software
3. Secure configurations of hardware and software on laptops, workstations, and servers
4. Continuous Vulnerability Assessment & Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment & Training to Fill Gaps
10. Secure configurations for network devices (firewalls, routers)
11. Limitation and control of network ports, protocols, and services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, monitoring & analysis of audit logs
15. Controlled Access Based on Need to Know
16. Account Monitoring & Control
17. Data Loss Prevention
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
20. Pen Tests, Red Team Exercises (validated manually)
Note:
1) Compliance is important, but it does not stop hacking
2) Assurance can be measured against baselines
WHICH IS BETTER? WHICH PASSES THE AUDIT?
Bank “A”
• Fully compliant with all 12 items of PCI-DSS
• Nothing is documented
• Loosely-defined remediation plan
Bank “B”
• 65% compliant with all 12 items of PCI-DSS
• Everything is fully documented
• Fully planned/approved remediation plan
THANK YOU