CS-6 Using Technology and Techno-people to Improve your

Using Technology and Techno-People to
Improve your Threat Resistance and
Cyber Security
Stephen Cobb, CISSP
Senior Security Researcher, ESET NA
Protecting federal data systems
• Requires:
– technical and human elements
– properly synchronized
We have the technology
• Anti-malware
• Firewalls
• 2-factor authentication
• Encryption
• Network monitoring
• Filtering
And the technology is getting smarter
• Cloud-based reputation, signatures, big data
• But technology is undermined when your
workforce is not trained to play defense
Waiting for technology alone to solve the data
security problem? Dream on…
Techno-people
• Not everyone needs to be technical, but:
• We are all computer users
• Data security is everyone's responsibility
• Everyone needs to understand the threats
• And the defensive strategies
Today’s agenda
• Scale of the problem
• Nature of our adversaries
• Information security's 9 patterns
• Patterns applied to federal agencies
• How to improve the coordination of people and
technology to address those patterns
April 2014 GAO report
• Information Security
– Federal Agencies Need to Enhance
Responses to Data Breaches
• (GAO-14-487T)
• A lot of work still to be done,
across numerous agencies
– Improve security
– Improve breach response
The scale of the problem
• Information security
incidents reported to
US-CERT by all agencies
• Number of incidents up
• More data to defend?
• Improved reporting?
Incidents reported to US-CERT by all agencies, by year:
2009: 29,999
2010: 41,776
2011: 42,854
2012: 48,562
2013: 61,214
Exposure of PII is growing
• More incidents involving Personally Identifiable
Information (PII)
• Why?
– Thriving black market for PII
• Impact
– Seriously impacts individuals
– Growing public displeasure
– Heads may roll
Incidents involving PII, by year:
2009: 10,481
2010: 13,028
2011: 15,584
2012: 22,156
2013: 25,566
A federal PII breach example
• July 2013, hackers get PII of 104,000+ people
– From a DOE system
• Social Security numbers, birth dates and
locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity
What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury
goods, laundering money
• Lucrative scams like tax identity fraud
The market for stolen data has matured
All driven by proven business strategies
An overwhelming problem?
• Not if we analyze security incidents
• 2014 Verizon Data Breach Investigation Report
• 92% of incidents can be categorized into 9 patterns
– True for 100,000 incidents over a 10-year period
– True for 95% of breaches in the last 3 years
The Big 9
• Point-of-sale intrusions
• Web app attacks
• Insider/privilege misuse
• Physical theft and loss
• Miscellaneous errors
• Crimeware
• Payment card skimmers
• Denial of service
• Cyber-espionage
• Everything else
Industry sectors not affected equally
Just 4 patterns where victim industry = Public
Miscellaneous errors: 34%
Insider misuse: 24%
Crimeware: 21%
Theft/loss: 19%
Everything else: 2%
2014 Verizon Data Breach Investigation Report
Let’s count down the top 4
• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
• Everything else
Pattern #4: Physical theft and loss
• Cause of 19% of
public sector
security incidents
• It’s people!
• Screen, educate,
supervise
• Reduce impact by
using encryption
Asset involved (incident count):
Other: 892
Laptop: 308
Documents: 140
Desktop: 108
Flash drive: 102
Other: 39
Tapes: 36
Database: 11
2014 Verizon Data Breach Investigation Report
Pattern #3: Crimeware
• Accounts for 21%
• It’s people abusing
technology
• Can be solved with
the right antimalware strategy
• Endpoint AND
server scanning
Infection vector (share of incidents):
Web drive-by: 43%
Web download: 38%
Network propagation: 6%
Email attachment: 5%
Email link: 4%
Download by malware: 2%
Other: 2%
Remote injection: 1%
Unknown: 1%
Removable media: 1%
2014 Verizon Data Breach Investigation Report
Pattern #2: Insider and privilege misuse
• 24% of incidents
• Again it’s people!
• Can be fixed!
– Education
– Awareness
– Screening
Actor role (share of incidents):
Cashier: 23%
End-user: 17%
Finance: 13%
Manager: 13%
Call center: 9%
Executive: 7%
Other: 7%
Developer: 6%
System admin: 6%
Auditor: 1%
2014 Verizon Data Breach Investigation Report
Pattern #1: Miscellaneous Errors
• 34% of incidents
• Human error!
• Can be fixed!
– Training
– Awareness
– Oversight
Error variety (share of incidents):
Misdelivery: 44%
Publishing error: 22%
Disposal error: 20%
Misconfiguration: 6%
Malfunction: 3%
Programming error: 3%
Gaffe: 1%
Omission: 1%
Other: 1%
Maintenance error: 0.5%
2014 Verizon Data Breach Investigation Report
Strategy for doing better
• Technologies and people working together
• If they don’t you get: Target
– Malware was detected
– Exfiltration detected
– But nobody reacted
– Training and awareness?
– Clearly lacking
Security training and awareness
• You need both, but what’s the difference?
• Training
– Ensure people at different levels of IT engagement have
the knowledge they need
• Awareness
– Ensure all people at all levels know the threats and the
defensive measures they must use
Who gets trained?
• Everyone, but not in the same way:
– All-hands training
– IT staff training
– Security staff training
How to deliver training
• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative
Incentives?
• They work!
– Drive engagement
– Encourage compliance
• But need reinforcement
– Security in job descriptions
– Evaluations
– Rewards
Use your internal organs
• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts
How to do awareness
• Make it fun
• Make it relevant
• Leverage the news
• Remember:
– Everyone now has a vested interest in staying
current on threats to their/your data
Awareness example: phish traps
• Train on phishing
• Send out a phishing
message
• Track responses
• Report card and reeducation
– No naming & shaming
Awareness example: flash phish
• Train on media scanning
• Sprinkle USB/flash drives
– Sample file/autorun
• Track results
– Inserted? Scanned? Reported?
• Rewards or re-education
– Again, avoid name+shame
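One way to do the tracking step of both exercises above (phish-trap responses and flash-drive insert/scan/report results) while keeping the all-hands report card free of names. This is an added example written for this page, not the speaker's code or any product's: the event records, the department names, and the rules for what counts as "took the bait" versus the trained behaviour are constructed assumptions, and a real exercise would export the events from the phishing tool or the endpoint agent that logs USB insertions.

```python
"""Scoring a phish-trap or flash-phish exercise without naming and shaming.

Added example, not taken from the presentation. Identities stay in the
private follow-up lists for the training coordinator and never reach the
report card that goes to everyone.
"""
from collections import defaultdict

# Constructed sample events: (campaign, user, department, outcome).
# A user may appear several times, e.g. clicked the link and then reported it.
SAMPLE_EVENTS = [
    ("phish", "u001", "finance", "delivered"),
    ("phish", "u001", "finance", "clicked"),
    ("phish", "u002", "finance", "delivered"),
    ("phish", "u002", "finance", "reported"),
    ("phish", "u003", "hr", "delivered"),
    ("phish", "u003", "hr", "clicked"),
    ("phish", "u003", "hr", "submitted"),
    ("phish", "u004", "hr", "delivered"),
    ("phish", "u005", "it", "delivered"),
    ("phish", "u005", "it", "clicked"),
    ("phish", "u005", "it", "reported"),
    ("usb", "u001", "finance", "inserted"),
    ("usb", "u001", "finance", "opened"),
    ("usb", "u004", "hr", "inserted"),
    ("usb", "u004", "hr", "scanned"),
    ("usb", "u004", "hr", "reported"),
]

# Outcomes that show the trained behaviour, and outcomes that show the user
# took the bait. These rules are assumptions for this example.
DESIRED = {"phish": {"reported"}, "usb": {"scanned", "reported"}}
RISKY = {"phish": {"clicked", "submitted"}, "usb": {"opened"}}


def collect(events):
    """Group outcomes per (campaign, user) -> (department, set of outcomes)."""
    grouped = {}
    for campaign, user, dept, outcome in events:
        key = (campaign, user)
        if key not in grouped:
            grouped[key] = (dept, set())
        grouped[key][1].add(outcome)
    return grouped


def assess(campaign, outcomes):
    """Return (risky, desired) for one user's outcomes in one campaign."""
    desired = bool(outcomes & DESIRED[campaign])
    risky = bool(outcomes & RISKY[campaign])
    if campaign == "usb" and "inserted" in outcomes and not desired:
        risky = True  # plugged the drive in but never scanned or reported it
    return risky, desired


def report_card(events):
    """Per-campaign, per-department counts and rates; no user identifiers."""
    def empty_cell():
        return {"population": 0, "risky": 0, "reported": 0}
    card = defaultdict(lambda: defaultdict(empty_cell))
    for (campaign, _user), (dept, outcomes) in collect(events).items():
        risky, desired = assess(campaign, outcomes)
        cell = card[campaign][dept]
        cell["population"] += 1
        cell["risky"] += int(risky)
        cell["reported"] += int(desired)
    for campaign in card:
        for cell in card[campaign].values():
            cell["risky_rate"] = cell["risky"] / cell["population"]
            cell["reported_rate"] = cell["reported"] / cell["population"]
    return {c: dict(d) for c, d in card.items()}


def follow_up_lists(events):
    """Private lists for the training coordinator; never published."""
    reeducation, reward = [], []
    for (campaign, user), (_dept, outcomes) in sorted(collect(events).items()):
        risky, desired = assess(campaign, outcomes)
        if risky:
            reeducation.append((campaign, user))
        if desired:
            reward.append((campaign, user))
    return {"reeducation": reeducation, "reward": reward}


def format_report(card):
    """All-hands text: departments and rates only, so nobody is named."""
    lines = []
    for campaign in sorted(card):
        for dept in sorted(card[campaign]):
            cell = card[campaign][dept]
            lines.append(
                f"{campaign} / {dept}: {cell['population']} users, "
                f"{cell['risky_rate']:.0%} took the bait, "
                f"{cell['reported_rate']:.0%} reported it"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(report_card(SAMPLE_EVENTS)))
    print(follow_up_lists(SAMPLE_EVENTS))  # stays with the coordinator
```

Someone who clicked and then reported lands on both private lists: they get the re-education and the reward, which is the behaviour you want reinforced. The report card only ever carries department-level rates, so it can go in the newsletter or on a poster without singling anyone out.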
Resources to tap
• CompTIA
• ISSA
• SANS
• (ISC)²
• Vendors
• Websites
Thank you!
• Stephen Cobb
• Stephen.cobb@eset.com
• We Live Security
• www.welivesecurity.com
• Webinars
• www.brighttalk.com/channel/1718
• Booth Number 826