Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security
Download as PPTX, PDF2 likes974 views
The document discusses improving threat resistance and cybersecurity through the integration of technology and trained personnel. It highlights the increasing number of information security incidents, particularly those involving personally identifiable information, and identifies common patterns of breaches affecting federal agencies. The importance of education, awareness, and collaboration between technology and personnel is emphasized as crucial for effective data security strategies.
Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security
- 1. Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security Stephen Cobb, CISSP Senior Security Researcher, ESET NA
- 2. Protecting federal data systems • Requires: – technical and human elements – properly synchronized
- 3. We have the technology • Anti-malware • Firewalls • 2-factor authentication • Encryption • Network monitoring • Filtering
- 4. And the technology is getting smarter • Cloud-based reputation, signatures, big data • But technology is undermined when your workforce is not trained to play defense
- 5. Waiting for technology alone to solve the data security problem? Dream on…
- 6. Techno-people • Not everyone needs to be technical, but: • We are all computer users • Data security is everyone’s responsibility • Everyone needs to understand the threats • And the defensive strategies
- 7. Today’s agenda • Scale of the problem • Nature of our adversaries • Information security’s 9 patterns • Patterns applied to federal agencies • How to improve the coordination of people and technology to address those patterns
- 8. April 2014 GAO report • Information Security – Federal Agencies Need to Enhance Responses to Data Breaches • (GAO-14-487T) • A lot of work still to be done, across numerous agencies – Improve security – Improve breach response
- 9. 29,999 41,776 42,854 48,562 61,214 2009 2010 2011 2012 2013 The scale of the problem • Information security incidents reported to US-CERT by all agencies • Number of incidents up • More data to defend? • Improved reporting?
- 10. Exposure of PII is growing • More incidents involving Personally Identifiable Information (PII) • Why? – Thriving black market for PII • Impact – Seriously impacts individuals – Growing public displeasure – Heads may roll 10,481 13,028 15,584 22,156 25,566 2009 2010 2011 2012 2013
- 11. A federal PII breach example • July 2013, hackers get PII of 104,000+ people – From a DOE system • Social Security numbers, birth dates and locations, bank account numbers – Plus security questions and answers • DOE Inspector General: cost = $3.7 million – Assisting affected individuals and lost productivity
- 12. What happens to the stolen data? • Sold to criminal enterprises – For identity theft, raiding bank accounts, buying luxury goods, laundering money • Lucrative scams like tax identity fraud
- 13. The market for stolen data has matured
- 16. All driven by proven business strategies
- 17. An overwhelming problem? • Not if we analyze security incidents • 2014 Verizon Data Breach Investigation Report • 92% of incidents categorized into 9 patterns – True for 100,000 incidents over 10 year period – True for 95% of breaches in the last 3 years
- 18. The Big 9 • Point-of-sale intrusions • Web app attacks • Insider/privilege misuse • Physical theft and loss • Miscellaneous errors • Crimeware • Payment card skimmers • Denial of service • Cyber-espionage • Everything else
- 19. Industry sectors not affected equally 34% 24% 21% 19% 2% Miscellaneous Insider Misuse Crimeware Theft/Loss Everything Else Just 4 main patterns where victim industry = Public 2014 Verizon Data Breach Investigation Report
- 20. Let’s count down the top 4 • Miscellaneous • Insider and privilege misuse • Crimeware • Physical theft/loss • Everything else
- 21. Pattern #4: Physical theft and loss • Cause of 19% of public sector security incidents • It’s people! • Screen, educate, supervise • Reduce impact by using encryption 11 36 39 102 108 140 308 892 Database Tapes Other Flash drive Desktop Documents Laptop Other 2014 Verizon Data Breach Investigation Report
- 22. Pattern #3: Crimeware • Accounts for 21% • It’s people abusing technology • Can be solved with the right anti- malware strategy • Endpoint AND server scanning 1% 1% 1% 2% 2% 4% 5% 6% 38% 43% Removable media Unknown Remote injection Other Download by malware Email link Email attachment Network propogation Web download Web drive-by 2014 Verizon Data Breach Investigation Report
- 23. Pattern #2: Insider and privilege misuse • 24% of incidents • Again it’s people! • Can be fixed! – Education – Awareness – Screening 1% 6% 6% 7% 7% 9% 13% 13% 17% 23% Auditor System admin Developer Other Executive Call center Manager Finance End-user Cashier 2014 Verizon Data Breach Investigation Report
- 24. Pattern #1: Miscellaneous Errors • 34% of incidents • Human error! • Can be fixed! – Training – Awareness – Oversight 0.5% 1% 1% 1% 3% 3% 6% 20% 22% 44% Maintenance error Other Omission Gaffe Programming error Malfunction Misconfiguration Disposal error Publishing error Misdelivery 2014 Verizon Data Breach Investigation Report
- 25. Strategy for doing better • Technologies and people working together • If they don’t you get: Target – Malware was detected – Exfiltration detected – But nobody reacted – Training and awareness? – Clearly lacking
- 26. Security training and awareness • You need both, but what’s the difference? • Training – Ensure people at different levels of IT engagement have the knowledge they need • Awareness – Ensure all people at all levels know the threats and the defensive measures they must use
- 27. Who gets trained? • Everyone, but not in the same way: – All-hands training – IT staff training – Security staff training
- 28. How to deliver training • In person • Online • On paper • In house • Outside contractor • Mix and match • Be creative
- 29. Incentives? • They work! – Drive engagement – Encourage compliance • But need reinforcement – Security in job descriptions – Evaluations – Rewards
- 30. Use your internal organs • Of communication! • Newsletter • Internal social media • Physical posters • Add to meeting agendas • Email blasts
- 31. How to do awareness • Make it fun • Make it relevant • Leverage the news • Remember: – Everyone now has a vested interested in staying current on threats to their/your data
- 32. Awareness example: phish traps • Train on phishing • Send out a phishing message • Track responses • Report card and re- education – No naming & shaming
- 33. Awareness example: flash phish • Train on media scanning • Sprinkle USB/flash drives – Sample file/autorun • Track results – Inserted? Scanned? Reported? • Rewards or re-education – Again, avoid name+shame
- 34. Resources to tap • CompTIA • ISSA • SANS • (ISC)2 • Vendors • Websites
- 36. Thank you! • Stephen Cobb • Stephen.cobb@eset.com • We Live Security • www.welivesecurity.com • Webinars • www.brighttalk.com/channel/1718 • Booth Number 826