OPSEC and defense against social engineering for devels, execs, and start-ups

Transcription:

OPSEC and defense against social engineering for devels, execs, and start-ups. @KirilsSolovjovs on twitter, http://kirils.org for more. Mg.sc.comp. Kirils Solovjovs, Possible Security 1/23

Contents
  Problem: Social Engineering (concepts, attacks)
  Solution: OPSEC (theory, practice) 2/23

[video] This is how hackers hack you using simple social engineering https://www.youtube.com/watch?v=lc7scxvkqoo 3/23

Social Engineering 4/23

Social Engineering (SE) is the use of deception to manipulate individuals into divulging sensitive information that may be used for illegitimate or fraudulent purposes, or to further attacks on a larger entity. 5/23

SE attack cycle for organisations: Research, Target, Build trust, Exploit, and back to Research. 6/23

SE attack types (in person)
  Impersonation: VIP, user, tech; appeal to authority; reverse social engineering; identity theft
  Access: tailgating; key duplication
  Acquisition: eavesdropping; shoulder-surfing; dumpster-diving 7/23

SE attack types (remote)
  Types: phishing, spearphishing; vishing; app impersonation
  Delivery vehicles: e-mails; USB drops; instant messages, SMS; social networks; traffic injection; malware, adware 8/23

Operations Security 9/23

OPSEC or Operations Security 10/23

OPSEC history: Military origins. Has found use in today's cybersecurity. Why? Humans are the weakest link. Solution? OPSEC 11/23

OPSEC
  1. Identification of critical information
  2. Analysis of potential threats
  3. Analysis of your vulnerabilities
  4. Assessment of risk
  5. Application of appropriate countermeasures 12/23

Identification of critical information: Losing which information would be detrimental to you? Gaining which information would be beneficial to your competitors? Examples: passwords, research data, analytical data 13/23

Analysis of potential threats: What are the current cybersecurity threats and exploits? Which threat actors should you be concerned about (competitors, other entities)? Examples: Company B is developing the same product as we are and is rumored to have offensive cyber capability. We are travelling to China with corporate laptops and fear intercept. 14/23

Analysis of your vulnerabilities: What are the potential deficiencies of your security process? What could reveal your critical information? Can you fix it? Think like the enemy: where would you attack? Examples: Our tech support does not properly identify callers before providing assistance. We don't have a firewall and do not follow secure coding practices. 15/23

Assessment of risk: What is the risk of each vulnerability? Multiply every potential threat with every weakness to get the risk! Risk = Impact × Probability. What OPSEC measures can you apply for each vulnerability? Examples: Impact of tech support not identifying callers is medium (5), because of limited tech support permissions. Interests and capabilities of Company B make it very likely (8) that they will target us, therefore risk = 5 × 8 = 40%. We can require callers to provide secret phrases when connecting over the phone. 16/23

Application of appropriate countermeasures: Have you implemented countermeasures for the risks identified? What do you need to apply all the required countermeasures? What hinders application of the required countermeasures? Is it financially feasible? Prioritize by risk! Examples: Our top risk is rated 40% and costs 1800 per year in extra workload and lost productivity, so we will be implementing it starting 1st of April 2018 and financing it from the IT support budget. 17/23
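The five OPSEC steps above, carried through as a small risk register: every threat is paired with every vulnerability, scored as Impact × Probability on the deck's 1-10 scales, and sorted so countermeasures can be prioritised by risk. This is an added example, not code from the slides; the Threat/Vulnerability classes, the "opportunistic phisher" entry and the cost figures other than 1800 are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product

# Scales follow the slides: impact and probability are each scored 1-10,
# and risk = impact * probability is read as a percentage of the 10 x 10 maximum.

@dataclass
class Threat:
    name: str
    probability: int   # 1-10: how likely this actor is to target us

@dataclass
class Vulnerability:
    name: str
    impact: int        # 1-10: damage if this weakness is exploited
    countermeasure: str
    annual_cost: int   # yearly cost of the countermeasure (constructed units)

def risk_percent(impact: int, probability: int) -> int:
    """Risk = Impact x Probability on 1-10 scales, expressed as a percentage."""
    for score in (impact, probability):
        if not 1 <= score <= 10:
            raise ValueError(f"score {score} is outside the 1-10 scale")
    return impact * probability

def build_register(threats, vulns):
    """Pair every threat with every vulnerability, as the slides direct,
    and return the rows highest risk first so countermeasures can be prioritised."""
    rows = []
    for t, v in product(threats, vulns):
        rows.append({"threat": t.name, "vulnerability": v.name,
                     "risk": risk_percent(v.impact, t.probability),
                     "countermeasure": v.countermeasure,
                     "annual_cost": v.annual_cost})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

# Constructed scores mirroring the deck's worked example: Company B is very
# likely (8) to target us; tech support not identifying callers is medium (5).
THREATS = [Threat("Company B (competitor with offensive capability)", 8),
           Threat("Opportunistic phisher (assumed)", 4)]
VULNS = [Vulnerability("Tech support does not identify callers", 5,
                       "Require a secret phrase on support calls", 1800),
         Vulnerability("No firewall, insecure coding practices", 9,
                       "Deploy a firewall, adopt secure coding guidelines", 12000)]

if __name__ == "__main__":
    for row in build_register(THREATS, VULNS):
        print(f'{row["risk"]:3d}%  {row["threat"]} x {row["vulnerability"]}'
              f' -> {row["countermeasure"]} ({row["annual_cost"]}/yr)')
```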

Tips for Operations Security 18/23

Practical OPSEC tips (everywhere)
  Secure passwords: create strong passwords; use a password manager or your head; don't reuse passwords
  Install the latest security updates
  Do not connect unknown devices to your device, or vice versa
  Mindfully decide whether you will share a piece of information (including on social media) 19/23

Practical OPSEC tips (outside the office)
  Use a VPN to protect your data when using other networks; if using a VPN is not possible, do not use shared WiFi hot-spots
  Know where your stuff is: keep your devices and work information (e.g. printouts) with you at all times, if possible
  Be aware of your surroundings when processing sensitive information: talking on the phone, working on a laptop, having a face-to-face conversation 20/23

Methodological OPSEC tips (1)
  Carry out regular employee awareness training; consider reminders / posters
  Test your employees by carrying out mock social engineering attacks
  Make sure that everyone, especially founders / the exec branch, commits to OPSEC 21/23

Methodological OPSEC tips (2)
  Discover your vulnerability surface as seen from the outside
  Carry out or purchase penetration tests
  Set up technical defenses and countermeasures
  Manage the risk posed by contractors and suppliers 22/23

Q&A Slides are available on http://kirils.org Find me on twitter: @KirilsSolovjovs 23/23