Date posted: 15-Apr-2017
Uploaded by: centralohioissa
2015 Corporate Threats Survey
http://media.kaspersky.com/en/IT_Security_Risks_Survey_2015_Global_report.pdf?_ga=1.57626858.1152823312.1404311525
• 90% of businesses experienced some form of external threat
• Nearly 46% of companies lost confidential data as the result of a security incident
• Average direct cost of a security breach:
– $38K for SMBs
– $551K for Enterprise
PERCEPTION VS. REALITY
B2B International and Kaspersky Lab, “IT Security Threats and Data Breaches,” October, 2014.
REALITY TODAY
How bad is it out there?
Malware
• 1994: one new virus every hour
• 2006: one new virus every minute
• 2011: one new virus every second, or 70,000 samples/day
Kaspersky Lab is currently processing 310,000 unique malware samples EVERY DAY
The Basic Theory for Staying Secure
Simple math for advanced protection…
[Chart: x-axis "Investment in Security", y-axis "Chance of getting infected"]
The chance of getting infected drops exponentially while the cost of an attack increases linearly
Tip #1: Regularly talk to employees about cybersecurity.
Explain the potential impact a cyberincident may have on company operations
An annual review and signing of an “I have read and understood company IT policies” is not enough!
Tip #2: Remember that top management and
IT staff are employees too!
Top managers are often targeted because:
They have access to more information
IT bends the rules for them
The damage/payoff can be much bigger!
IT folks are vulnerable, too
Unlimited power over the network!
Tip #3: Explain to the employees that while you make the best effort to secure company infrastructure, a system is only as secure as the weakest link
You don’t want them to just comply, you want them to cooperate
You can’t create a policy sophisticated enough to cover all possible vectors of attack
You can’t totally dehumanize humans. Humans have weaknesses and make mistakes.
Tip #4: Have regular focused sessions with employees to explore different types of cyberattacks
Consider different formats (lunch and learn?)
Make it useful
Most of them have PCs at home and relatives who also need help
Make it relevant and responsive to real-world examples
Notice how much more often these topics hit the nightly news
Those topics are big on social networks!
Malware - What is it?
Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
Characteristics:
– Single instance signature to evade anti-virus
– Activates programmatically
– Connects to a Command & Control Center
– Keylogger, Ransomware, Remote Access Tool (RAT), and Man in the Browser
Once a system is owned, it can’t be restored.
Phishing Prevention - The 100% rules!
• Never click a link in an email
• Never open unexpected attachments
• Never provide information, no matter how innocuous it may seem, to unsolicited phone callers, visitors or email requests
• Never agree to an unsolicited remote control session (such as WebEx, GoToMeeting, LogMeIn)
• Your best defense: “Can I call you back?”
July 2012 – Yahoo Passwords Hacked
435,000 usernames and passwords hacked. Particularly troubling? The login credentials are in plaintext, not even encrypted.
TOP TEN PASSWORDS FROM THE YAHOO HACK
1) 123456 (38%)
2) password (18%)
3) welcome (10%)
4) ninja (8%)
5) abc123 (6%)
6) 123456789 (5%)
7) 12345678 (5%)
8) sunshine (5%)
9) princess (5%)
10) qwerty (4%)
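The defensive lesson from a list like this is to screen new passwords against known-breached values rather than only enforcing complexity rules. The following is an added example, not part of the original presentation: a screener seeded with the ten Yahoo passwords above that normalizes case, strips digit/symbol padding and reverses common leet substitutions, so that variants such as "Password123!" or "P@ssw0rd2015!" are still rejected. The denylist, minimum length and substitution table are assumptions for illustration.

```python
import re
from typing import Set, Tuple

# Denylist seeded with the top ten passwords from the Yahoo breach listed
# above. A real deployment would load a full breached-password corpus.
BREACHED_TOP10 = {
    "123456", "password", "welcome", "ninja", "abc123",
    "123456789", "12345678", "sunshine", "princess", "qwerty",
}

# Common substitutions users apply to "strengthen" a weak base word
# (assumed table); reversed before the denylist lookup.
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy value


def normalize(candidate: str) -> Set[str]:
    """Return the set of base forms a candidate password reduces to."""
    lowered = candidate.lower()
    forms = {lowered}
    # Strip leading/trailing digits and punctuation: "password123!" -> "password"
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms.add(stripped)
    # Reverse leet-speak on every form: "p@ssw0rd" -> "password"
    forms |= {f.translate(_LEET) for f in list(forms)}
    return {f for f in forms if f}


def check_password(candidate: str, denylist: Set[str] = BREACHED_TOP10) -> Tuple[bool, str]:
    """Return (accepted, reason). Denylist check runs before the length check
    so the user learns the real problem with a breached base word."""
    hit = normalize(candidate) & denylist
    if hit:
        return False, f"derived from breached password {sorted(hit)[0]!r}"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password123!", "P@ssw0rd2015!", "Sunshine1234", "correct horse battery staple"]:
        print(pw, "->", check_password(pw))
```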
Ransomware
• More than 40% of CryptoLocker victims agreed to pay
• A Dell SecureWorks report estimates that ransomware rakes in $30 million every 100 days
• Expanding victim base means unlimited financial potential
How did this happen?
• Trickery. A spear-phishing attack.
People were tricked by a believable e-mail message into giving their passwords to the bad guys
• Spear-phishers and their tactics
Message crafted for ABC University
Sent to a small number of selected people
Strike on weekends & holidays, when you are less protected
• Goals
To collect information that will let them steal money: passwords, social security numbers, bank account or credit card numbers
Impact to people and ABC University
• The University was able to recover a good portion of the money
• Anyone can fall for a clever phishing scam
• The University did replace paychecks
This would be very challenging on a large scale
Lessons learned
• Understand how to know if you are at the real University web login, or a clever fake
• Learn how to analyze email messages to detect ones that are malicious
• Find out how to protect yourself and your devices from cyber threats
• Know common scams
Tip #5: Pay special attention to social engineering
A lot of cyberincidents start with a phone conversation with someone who poses as a co-worker and builds his understanding of company internal structure and operations by asking innocent questions
A cybercriminal exploiting social weaknesses almost never looks like one
The Importance of Securing Computers/Workstations
Windows and Mac:
• Enable screensaver
• Check the “Require password to quit screensaver” check box
Tip #6: Train your employees to recognize an attack
Communicate clear-cut step-by-step instructions on what to do if an employee believes there’s a cyber incident happening
If you are not trained, you will get lost when the “show” starts
Training should involve things like:
Unplug your machine from the network (physically)
Notify your administrator
Remember that any and every key stroke can be sent to cyber criminals by a key logger
If you can’t find your mobile device – immediately notify your administrator
Emergency Number - if you can’t find your IT emergency number in under 20 seconds, you are doing it wrong
…and so on
Tip #7: Never disapprove of or make fun of an employee who raises a red flag
…even if it is a false alarm – this will discourage employees from raising the alarm when a real cyberattack comes
I mean NEVER
If false alarms come often, improve the training approach
Tip #8: In case of an incident give your employees a heads up
Even if an incident has happened already, improper handling may (significantly) increase the impact
Issue an instruction on how to speak to the public/press about the incident
Have a plan in place BEFORE anything happens
Get insurance for cyber-incidents
Tip #9: Test knowledge
Regularly
Make it relevant – remember they live digital lives. It matters!
Make it fun. Or rewarding. Or fun and rewarding.
Are you cyber savvy?
https://blog.kaspersky.com/cyber-savvy-quiz/
Tip #10: Listen to feedback
If you force employees to change passwords every week, be prepared that they will write them down and post them in their work place
If access to something they need for work is too complicated, they will use personal email, USB sticks or fellow employees to bypass the restrictions
If something is out of balance, this will trigger unsafe behavior. Listening to feedback is learning the root cause of that
Systems Management & Actionable Patching
VULNERABILITY SCANNING
• HW and SW inventory
• Multiple vulnerability databases
REMOTE TOOLS
• Install applications
• Update applications
• Troubleshoot
LICENCE MANAGEMENT
• Track usage
• Manage renewals
• Manage license compliance
NETWORK ADMISSION CONTROL (NAC)
• Guest policy management
• Guest portal
ADVANCED PATCHING
• Automated prioritization
• Reboot options
SYSTEM PROVISIONING
• Create images
• Store and update
• Deploy
Whitelisting & Application Control
• DEVICE CONTROL
• WEB CONTROL
• APPLICATION CONTROL WITH DYNAMIC WHITELISTING
Encryption & Data Protection
[Diagram: Inside the Network / Outside the Network]
If cybercriminals seize control of the system and penetrate the corporate network, they may try to exfiltrate sensitive data such as configuration files, private keys and source code. However, even if the criminals manage to download something, they will not be able to read the content of the encrypted files.