Save Yourself!
How the Cyber Self Defence Framework can help you prioritise and apply
defence in depth efforts using traditional Situational Crime Prevention strategies
The Problem
“$1 trillion dollars!”
Save yourself with the CSDF - ISACA Auckland - 16 June 2021
“more than half of humanity is at risk of falling victim to cybercrime at any time”
“the primary key threat is not state actors but cybercriminals”
But why?
“cybercrime is safe and profitable, occurs in an environment that is constantly expanding and thrives in vulnerable systems”
• Cybercrime pays and can be easy to commit
• Policing is (mostly) constrained to a pre-internet model
• Risk of detection, arrest, prosecution and jail time is low
• Connectivity is ubiquitous and more time is spent online
Stir in ingredients…
• Low interest rates
• Pandemic anxiety
• Isolation and loneliness
• Widespread loss of income
• Digital transformation to WFA
Victorians had the highest reported losses - $49m, up 115% YoY
“likely attributable to the long lockdown periods the population experienced in 2020, which created opportunities for scammers as people were forced into unusual economic and social situations that had the potential to increase their susceptibility to scams”
Diagram axes: Enforcement / Education; Wide Focus / Narrow Focus
NZ Police – Districts
- NZ jurisdiction
- Offshore limitations
NCSC
- CNI threats
- FVEY partnerships
NZ Police - NCCC
- Specialist cybercrime unit
- Support nationwide ops
Consumer Affairs
- Scamwatch owner
- Protection education
NetSafe
- Scamwatch triage
- HDCA education/response
DIA EMCU
- UEMA 2007 - Spam / 7726
- Txt, email, fax channels
IDCARE
- Identity theft and fraud
- Victim support across A/NZ
FMA
- Securities legislation
- Investment scams
Commerce Commission
- Fair Trading Act
Citizens Advice
- Advice and education
Domain Name Commission
- .nz domainspace
- Registry compliance
CERT NZ
- Cyber security focus
- COVID scams
OPC
- Data breaches (2020 Act)
“the New Zealand landscape for cybercrime is cluttered and fragmented… unclear and overlapping roles… multiple, overlapping information sources and entry points for members of the public”
2020: $16.9m, 4,740 reports
2020: $19.23m, 13,926 reports
NZ Police Stats
(NZCVS, 2019)
• Only 10% of fraud or cybercrime incidents reported to the Police
• The most common type of offence, more common than burglary
• Most commonly recognised by the victim as a crime
• Rated most ‘high seriousness’ (42%) but least reported
• Why such under-reporting?
32% reported to other authorities, 22% because “Police couldn’t have done anything”
The Solution
Bruce Schneier
“Why are we trying to fix the user instead of solving the underlying security problem?”
4 models of crime prevention
Type | Intent | Effectiveness
Law enforcement | Criminal justice system deters and punishes offenders and delivers rehabilitation | Poor
Developmental | Early intervention addresses the causes of criminality in youth | Poor
Social | Strengthening neighbourhoods to build community relationships | Poor
Situational prevention | Reducing the opportunities for crime through 5 mechanisms | Good
What is SCP?
Situational Crime Prevention is…
“a package of measures that:
(1) are directed at highly specific forms of crime
(2) involve the management, design or manipulation of the immediate environment in as systematic and permanent a way as possible
(3) so as to reduce the opportunities for crime and increase the risks as perceived by a wide range of offenders”
5 mechanisms / 25 techniques
What is the Cyber Self Defence Framework?
Internet users:
• Have limited ‘compliance budgets’
• Make time/benefit tradeoffs
• Struggle to understand and apply advice
• Lack ability to judge effectiveness
The CSDF:
• Rates guidance based on cost, effort and effectiveness
• States the action and the benefits
• Helps you navigate a sea of poorly prioritised advice
101 Unique Safeguards
Priority 1: 57 Priority 2: 35 Priority 3: 9
Holistic techniques
• Identify your digital crown jewels - data and devices
• Use unique complex passwords
• Use trusted anti-virus/anti-malware software
• Use a supported OS on all connected devices
• Use a firewall
• Use secure networks
• Use HTTPS everywhere
• Use secure DNS
• Back up critical data and devices and test restoration
• Do not pay ransoms
• Use privacy and security enhancing browser add-ons
• Review privacy and terms of service statements
• Use services with good privacy protecting defaults
• Use a webcam cover
• Protect personal and financial information
• Use privacy settings on all platforms to limit sharing
• Protect phone numbers
• Avoid oversharing online
• Avoid high risk online activities when impaired
• Keep your clothes on
Privacy
Security
Foundational practices to deter, deflect and defend against cybercrime:
• Set clear online boundaries
• Avoid oversharing online
• Undertake security awareness training
• Communicate how and when to report incidents
• Communicate online policies/rules
• Do not provoke trolls/doxers
• Do not respond to trolls/doxers
• Do not support bullying and doxing behaviours
• Report abuse to service providers
• Report to law enforcement
• Use services with good security practices
• Use services with good privacy protecting defaults
Next steps…
CSDF v2
• Performance Shaping Factors: Personality, Age, etc.
• Profile baselines: ‘Crypto Investor’
• Quick Starts:
• Time bound - 5 / 15 / 30 minute ‘recipes’
• Budget bound - $50 / $100 / $250 ‘recipes’
• Devices owned, risk appetite
Distribution channels?
• Crime prevention guidance with NZ Police
• Neighbourhood Support groups
• Partnership with Personal Cyber cover providers
• SaaS / App-based subscription service:
  - Task based checklists
  - Set your own ‘nudge’ cadence - DuoLingo
  - Maturity pathway - Gamification
  - Continuous monitoring and improvement
Questions/Feedback?

Editor's Notes

  • #2: Presenting to ISACA Auckland – Wednesday 16th June 2021 At the end of 2020, The Center for Strategic and International Studies (CSIS) declared cybercrime to be a "$1 trillion dollar drag on the global economy" that can harm public safety, undermine national security, and damage economies. Incidents of cybercrime have increased by anything from 40% to 400% in the fraught environment of a global pandemic and the true scale of the problem remains unknown in New Zealand with only 10% of fraud or cybercrime incidents reported to Police. Digital safety and security advice can be confusing or packed full of jargon that leaves the average internet user unsure on how to protect themselves and where best to start. The Cyber Self Defence Framework (CSDF) proposes a set of situational security measures – tailored to common cyber-enabled crimes including phishing, social engineering, malware and online scams and fraud – that can help you understand real-world threats to your identity, finances, data and devices and assist you in prioritising your security investments. Attendees at this session can help refine the framework and break the causal chains to prevent cybercrime from occurring.
  • #4: The Center for Strategic and International Studies (CSIS) declared cybercrime to be a "$1 trillion dollar drag on the global economy" that can harm public safety, undermine national security, and damage economies.
  • #5: Fourth biannual report estimates the monetary loss from cybercrime at approximately $945 billion, an increase of $345bn in just 2 years
  • #6: Jürgen Stock, INTERPOL Secretary General - Cybercrime is one of the most prolific forms of international crime, with damages set to cost the global economy USD 10+ trillion annually by 2025
  • #7: Lindy Cameron, NCSC UK CEO spoke this week (whilst the G7 event was taking place in the UK) about the real threat to UK individuals, businesses and CNI operators in light of events at Colonial Pipeline and the Irish health system.
  • #10: - Cybercrime pays and can be easy to commit - Policing is (mostly) constrained to a pre-internet model of sovereign nation states with jurisdictional boundaries - The risk of detection, arrest, prosecution and punishment is low - Connectivity is ubiquitous and more time is spent online
  • #12: Australians lost over $850 million to scams and made 444,164 scam reports in total to Scamwatch, ReportCyber, other government agencies, banks and payment platforms in 2020. Based on this combined data, the scams causing the most financial harm to Australians in 2020 were: - $328 million lost to investment scams - $131 million lost to romance scams - $128 million lost to business email compromise (payment redirection scams)
  • #13: “Australians lost over $851 million to scams in 2020, a record amount, as scammers took advantage of the pandemic to con unsuspecting people”- https://www.accc.gov.au/media-release/scammers-capitalise-on-pandemic-as-australians-lose-record-851-million-to-scams Startling metrics coming out of Oz where 444,000 incident reports from Scamwatch, ReportCyber, other government agencies and 10 banks and financial intermediaries have been aggregated. Great to see this level of cooperation between private and public sector. KEY FINDINGS: - “As people spent more time online during the COVID-19 pandemic lockdown, reports and losses for some scams also increased” - a 75% increase in phishing scams - “Investment scams accounted for the biggest losses, with $328 million, and made up more than a third of total losses. Romance scams were the next biggest category, costing Australians $131 million, while payment redirection scams resulted in $128 million” And despite the various reporting points pooling their data it’s believed these numbers will still not reflect the true picture due to under reporting.
  • #15: Neil Hallett from IDCARE indicates in NZ they have helped 1000 Kiwis losing around $10m ($10,000 each on average)
  • #16: This illustration aptly demonstrates the complexity of reporting and responding to cybercrime
  • #18: 8% of Kiwis were victims of cybercrime in 2019 but only 10% was reported to NZP – what is the true picture? New Zealand Crime and Victims Survey (NZCVS) – September 2019 - https://www.justice.govt.nz/assets/Documents/Publications/NZCVS-Y2-A5-KeyFindings-v2.0-.pdf Over 320,000 adults (7.9%) experienced 420,000 fraud or cybercrime incidents over last 12 months. (Fraud and cybercrime offences are grouped) The estimated number of fraud and cybercrime offences reported in the NZCVS over the last 12 months is 421,000, which equated to an incidence rate of 11 fraud and cybercrime offences per 100 adults. The estimated total number of adults who experienced one or more fraud and cybercrime offences over the last 12 months is 328,000, which equated to a prevalence rate of 8%. The groups significantly more likely than the NZ average to experience fraud and cybercrime offences were: • having low life satisfaction and a low feeling of safety • experiencing a moderate or high level of psychological distress • having high household income ($150,001 or more). The groups significantly less likely to experience fraud and cybercrime offences were: • older (aged 65 and over) • Asian (especially Chinese) • widowed • retired • having high life satisfaction and a high feeling of safety • having household income between $30,001 to $40,000.
  • #19: In the real world, crime prevention is a key part of tackling social harms The Cyber Self Defence Framework (CSDF) proposes a set of situational security measures – tailored to common cyber-enabled crimes including phishing, social engineering, malware and online scams and fraud – that can help you understand real-world threats to your identity, finances, data and devices and assist you in prioritising your security investments. Attendees at this session can help refine the framework and break the causal chains to prevent cybercrime from occurring.
  • #20: 10+ years to stand up CERT, 10 years to sign up to the Budapest Convention, Ministers committing to publishing flow charts – Govt action is not going to save you….
  • #21: SCP is designed to break the causal chains to prevent crime from occurring
  • #22: SHIELD is the inspiration…
  • #23: Deploy an Active Defense with MITRE Shield - https://medium.com/mitre-shield/three-simple-ways-to-deploy-an-active-defense-with-mitre-shield-95ae639a50b5
  • #25: ADVERSARY ATTRITION - What adversaries do deplete though is time and the resources associated with it and their personnel. Depleting an adversary’s resources, including their time to plan and achieve their objectives, is of critical importance to a defender. Passive Defenses help achieve this. The Sliding Scale of Cyber Security - Robert M. Lee The U.S. military has unofficially and commonly used the actions of “deny, disrupt, deceive, degrade, and destroy” to describe a cyber attack.
  • #26: Rational choice, routine activity and crime pattern theories emphasise that crimes occur in specific situations and result from a nexus of a motivated offender, suitable target or victim, and the absence of a capable guardian (not focused on criminals and their motivations)
  • #29: Visual examples of SCP
  • #30: In NZ
  • #31: Links to CPTED and physical security controls
  • #32: Most obvious example is prevention for burglary
  • #33: SCP is a framework utilising 5 mechanisms and under each 5 techniques designed to modify the environment and deter the attackers (Ron Clarke)
  • #34: My efforts to apply this to cybercrime have identified a control set for the average internet user, informed by best practice at CERT, CIS and others
  • #36: CSDF will be the security ‘meal kit’ for the masses
  • #37: The masses who post pandemic understand layers of protection and the swiss cheese model
  • #39: Situational security measures tailored to common cyber-enabled crimes including phishing, social engineering, malware and online scams and fraud Help you understand real-world threats to your identity, finances, data and devices and assist you in prioritising your security investments Intent to address CRAVED items – in SCP world a hot product: Concealable, Removable, Available, Valuable, Enjoyable, and Disposable
  • #45: For more information see https://www.ubisec.nz/csdf/ - we welcome feedback!