How Cyber-Criminals Steal and Profit from your Data

Transcription

1 How Cyber-Criminals Steal and Profit from your Data Presented by: Nick Podhradsky, SVP Operations SBS CyberSecurity Consulting Network Security IT Audit Education 1

2 Agenda Why cybersecurity is now your responsibility? What are the bad guys after? How do they get what they want? How can I stop them or slow them down? Consulting Network Security IT Audit Education 2

3 Consulting Network Security IT Audit Education 3

4 You Have Been Enlisted Consulting Network Security IT Audit Education 4

5 Strength or Weakness People are easier to defeat than technology! Consulting Network Security IT Audit Education 5

6 What does a hacker look like? Consulting Network Security IT Audit Education 6

7 What does a hacker look like? Consulting Network Security IT Audit Education 7

8 Costs of Cybersecurity? Estimated annual global cost could reach $6 trillion by 2021 (estimated at $3 trillion in 2015) Cybersecurity Ventures Data breaches average a cost of around $154 per record Significant reputational damage associated with a data breach. Consulting Network Security IT Audit Education 8

9 How hackers make money? Compromise Internet Banking Activity Credit Cards Health Information Ransomware User or Admin Credentials Personal Data Contact information including addresses Consulting Network Security IT Audit Education 9

10 Consulting Network Security IT Audit Education 10

11 Data Values December 2015 (foxnews.com) Average estimated price for stolen debit and credit cards in US: $5 - $30 Bank login credentials for a $2,200 balance bank account: $190 Bank login credentials plus stealth funds transfers to US Banks for a $20,000 account balance: $1,200 Online payment service credentials (paypal, etc.) for $1,000 balance: $50 The more information provided, the higher the value. Consulting Network Security IT Audit Education 11

12 How do bad guys get that data? Social Engineering Wikipedia definition: in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. Consulting Network Security IT Audit Education 12

13 Social Engineering Types Phishing Phone Calls - Vishing Social Media USB Devices Dumpster Diving Consulting Network Security IT Audit Education 13

14 Phish Finder Who, What, Where Consulting Network Security IT Audit Education 14

15 WHO? Consulting Network Security IT Audit Education 15

16 Consulting Network Security IT Audit Education 16

17 What? Consulting Network Security IT Audit Education 17

18 What? Consulting Network Security IT Audit Education 18

19 Phishing Example Consulting Network Security IT Audit Education 19

20 Where? Consulting Network Security IT Audit Education 20

21 WHO? WHAT? WHERE? Consulting Network Security IT Audit Education 21

22 Phishing Scenario Walkthrough Consulting Network Security IT Audit Education 22

23 I clicked on the link Consulting Network Security IT Audit Education 23

24 See what the hacker gets? Consulting Network Security IT Audit Education 24

25 What about attachments? Consulting Network Security IT Audit Education 25

26 Enabling content will run malware Consulting Network Security IT Audit Education 26

27 What can you do? Understand the Importance of Cybersecurity Spoofed Wireless Strong Passwords Multi-Factor Authentication Be suspicious of Downloads Use Anti-Virus, but be aware that it s not entirely effective! Consulting Network Security IT Audit Education 27

28 Understand the Importance of Cybersecurity You have a responsibility as an employee to help protect the network and data. Get educated If you ve done something you shouldn t have DON T cover it up let someone know. Remember that security controls may not be fun to have, but they are there to protect you and your data. Consulting Network Security IT Audit Education 28

29 Spoofed Wireless Networks If you aren t certain of the network, don t connect. Never access confidential information while connected to unsecure wifi. If you can VPN through this, your traffic becomes encrypted and is safe. Using your Mobile Data and shutting off Wifi is also considered safe. Consulting Network Security IT Audit Education 29

30 Strong Passwords Don t use passwords in multiple locations especially banking or confidential website passwords Use phrases: Iwah4C;Oahwd! I want a hippopotamus for Christmas; Only a hippopotamus will do! Use a Password keeper such as KeePass, LastPass; ensure that your password for that is strong. Change your password often Consulting Network Security IT Audit Education 30

31 Multi-Factor Authentication Multi-Factor Authentication is the use of 2 or more identifiers to verify the user. 1 - something you have 2 - something you know 3 - something you are Most providers OFFER multi-factor authentication. First factor is generally the password, 2 nd factor is often an or text with a code or a security question Security questions can be a 2 nd factor, make sure that answers are not simple (birthdate may be on social media; high school may be found online; pet s name social media) Consulting Network Security IT Audit Education 31

32 Be suspicious of Downloads Ensure it s from a trusted source. Go directly to the company site. Know what brand of antivirus you have. Don t panic when something happens that looks like the picture to the right. Consulting Network Security IT Audit Education 32

33 Use Anti-Virus but be aware it s not entirely effective! Most sophisticated and new scams will get around anti-virus unnoticed. Anti-virus will catch older and very prevalent viruses. There are many good anti-viruses available with paid and free versions paid versions are generally better there is no reason not to have one. Be careful when downloading a new anti-virus (go directly to the company, not to a 3 rd party site. Consulting Network Security IT Audit Education 33

34 HCPD Partnership HCPD cares about the CyberSecurity of your organization and wants to help! HCPD and SBS have partnered on a 5 phase approach to helping HCPD customers improve their Cybersecurity. HCPD will pay for 50% of the cost annually, up to $5,000! Consulting Network Security IT Audit Education 34

35 HCPD Phase 1 Cybersecurity Services IT Asset Discovery Identifies hardware and software used by the organization. Internal Vulnerability Assessment Identifies soft spots on the inside of your network that cybercriminals could exploit. Information Security Risk Assessment A document that identifies the most and least risky use of technology in the organization Cyber Risk Management Prioritization Based on the 3 items above SBS will put together a plan for the organization on how to immediately improve their cybersecurity posture. Consulting Network Security IT Audit Education 35

36 Investment Pricing based on the number of meters the customer has You can start with Phase 2-5 if you would prefer (contact SBS for more information. Time investment for Phase 1 ranges from ½ day to 3 days depending on size. SBS would do a presentation for your management/ board if you would like to further discuss. Consulting Network Security IT Audit Education 36

37 Nick Podhradsky Madison, SD Let s Connect! Consulting Network Security IT Audit Education 37