June 2 nd, 2016 Security Awareness

Transcription

1 June 2 nd, 2016 Security Awareness Security is the degree of resistance to, or protection from, harm. if security breaks down, technology breaks down

2

3 Protecting People, Property and Business Assets Goal for Today Current Security Landscape The Impact of Data Breach or Data Loss Raise everyone s overall awareness Security risks Techniques to reduce risk Changes in Strategy What we should and can be doing?

4 Security is a Growing Concern The AV-TEST Institute registers over 390,000 new malicious programs every day

5 Then Organizational Risk Now Malware has Changed Then Low Business Impact Less Sophisticated Targeted PC s Now High Business Impact High Sophistication Targets Data High Visibility Low

6 Active malware trends over the last 10 years Security is a Growing Concern

7 The Impact of Data Breach or Data Loss Organizational ability recover Brand damage Associated Costs

8 The Impact of Data Breach or Data Loss

9 In 2015 FBI Received 2,500 Ransomware attack complaints costing victims $24M The first 3 months of 2016 Ransomware Attacks have cost victims $209M Source NBC News

10 Attackers Evolve, Adapt and Accelerate Dark markets and services grow New targets emerge (IoT, Cars etc.) Attacks will drive down the technology stack Data Apps Operating Systems Firmware Hardware Ransomware and CEO fraud rises

11 Phishing 80% of Infections stem from massive e- mail attacks Phishing vs Spear Phishing Attackers are aware of 3 rd party relationships between large targets and smaller service providers

12 Spear Phishing

13 Spear Phishing

14 Phishing

15 Phishing

16 Phishing 5/12/2016

17 Services for sale

18 Need a credit card?

19 Cyber Criminals Offer Custom Built Ransomware and Hacking Services

20 Another Scary Fact

21

22 Background Security goes back as far a man kind.

23 The Traditional Approach to Security Antivirus Firewall Internet

24 Early Defense in Depth

25 Defense in Depth Example Antivirus & Antimalware Firewall Antivirus Antispyware Intrusion Prevention Internet

26 Defense in Depth The idea behind Defense in Depth is to defend your data and systems against any particular attack, using several independent methods Perimeter Internal Network Endpoint Firewall CGSS IPS Policies Access Rights Monitoring Antivirus Anti Malware Cloud Security

27 Why is all this important?

28 The United States is the most targeted country in the world. Fireeye Cyber Threat Map

29 Who are we trying to protect from? Nation States Insiders Organized Crime Other Companies Thrill Seekers Notoriety Political Activists

30 How do they do it? Poorly configured systems using default passwords and settings which are weak Exploit known vulnerabilities which are easy to find Metasploit CGE (Cisco Global Exploiter) Password cracking tools to break weak passwords Social engineering / Planting infection in web sites Real examples

31 Tools and Techniques Summary Train Network Users to have a healthy level of skepticism Keep Software up to date Least privileged access Encrypt Data in transit & on mobile devices Segment & Isolate Networks Documented and Tested DR Plan Regular tests/auditing to ensure measures are effective Data Loss Protection tools

32 Summary Seek an optimal balance of Risk/Cost Understand what we are protecting Treat security as on going concern Not a set it and forget it Ongoing Security Awareness Training

33 Will Anyone Out There Take on the Rest of My Risk?

34 Why Cyber/Privacy Breach Liability Insurance? Both the federal government, and each of the 50 states, impose certain actions upon persons/entities/businesses/agencies who maintain personal information on systems or computers in the event of a breach or suspected breach. Certain actions could include written notice to all impacted individuals, purchase of individual identification protection for 1 year ( Lifelock ), credit report monitoring for each impacted individual, and monetary responsibility for financial losses to the impacted individuals. There is NO insurance coverage for any of these items absent a cyber/privacy breach liability policy. The existence of statute and the absence of insurance creates an unfunded potential liability.

35 What Perils Will Cyber/Privacy Breach Liability imposed by statute Regulatory defense and penalties PCI fines and expenses Insure For? Notification of Individuals expenses Legal services/crisis management/public relations services. Cyber extortion Specific coverage parts can be bought ala carte or are offered as a bundle depending on specific need.

36 What Perils will Cyber/Privacy breach NOT Insure for? Failure to perform professional duties in a satisfactory manner. (Ex: systems designs, software build). Loss of digital assets (data). Loss of revenue (unless specifically added to the cyber policy). First party theft of money/securities.

37 THANK YOU TO OUR SPONSORS!