How Cyber-Criminals Steal and Profit from your Data
Presented by: Nick Podhradsky, SVP Operations, SBS CyberSecurity
www.sbscyber.com | Consulting | Network Security | IT Audit | Education

Agenda
- Why cybersecurity is now your responsibility
- What are the bad guys after?
- How do they get what they want?
- How can I stop them, or at least slow them down?
You Have Been Enlisted

Strength or Weakness
People are easier to defeat than technology!

What does a hacker look like?
Costs of Cybersecurity
- The estimated annual global cost could reach $6 trillion by 2021 (it was estimated at $3 trillion in 2015). Source: Cybersecurity Ventures
- Data breaches cost an average of around $154 per record. Source: www.cyberark.com
- Significant reputational damage is associated with a data breach.

How hackers make money
- Compromising Internet banking activity
- Credit cards
- Health information
- Ransomware
- User or admin credentials
- Personal data
- Contact information, including email addresses
Data Values, December 2015 (foxnews.com)
- Average estimated price for stolen US debit and credit cards: $5 - $30
- Bank login credentials for an account with a $2,200 balance: $190
- Bank login credentials plus stealth funds transfers to US banks, for a $20,000 account balance: $1,200
- Online payment service credentials (PayPal, etc.) for a $1,000 balance: $50
The more information provided with the stolen data, the higher its value.

How do bad guys get that data? Social Engineering
Wikipedia definition: in the context of information security, social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick for the purpose of information gathering, fraud, or system access; it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Social Engineering Types
- Email (phishing)
- Phone calls (vishing)
- Social media
- USB devices
- Dumpster diving
Phish Finder: Who, What, Where

WHO?

What?

Phishing Example

Where?

WHO? WHAT? WHERE?
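A mechanical version of the "Where?" check (where does the link really go, as opposed to where its text says it goes), written as an added example for this page rather than anything from the slides. It assumes the "Where?" step refers to the link target; the email body, the hostnames and the trusted-domain set are all constructed for illustration, and registrable_domain is a deliberate simplification (last two labels) that real code should replace with a Public Suffix List lookup.

```python
"""Find links in an HTML email whose visible text and real target disagree."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not from the slides). Link 1 shows a bank URL but points
# at a bare IP address; link 2 is consistent; link 3 uses the bank name as a
# subdomain of an unrelated domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked.</p>
<p>Log in at <a href="http://198.51.100.23/secure-login">https://www.examplebank.com/login</a></p>
<p>Questions? See <a href="https://support.examplebank.com/help">support.examplebank.com</a></p>
<p><a href="https://examplebank.com.account-verify.example/login">Verify now</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'owner' of a hostname: IP addresses as-is, otherwise the last two labels.
    Simplification for the example; real code should consult the Public Suffix List."""
    host = (host or "").lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_shown_in_text(text):
    """If the link text looks like a URL or hostname, return that host, else None."""
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def find_suspicious_links(html, trusted_domains):
    """Return (reason, href, text) for links that fail the 'where does it really go' check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname)
        shown = host_shown_in_text(text)
        if shown and registrable_domain(shown) != target:
            findings.append(("text/target mismatch", href, text))
        elif target not in trusted_domains:
            findings.append(("untrusted target", href, text))
    return findings


if __name__ == "__main__":
    for reason, href, text in find_suspicious_links(SAMPLE_EMAIL_HTML, {"examplebank.com"}):
        print(f"{reason}: '{text}' -> {href}")
```

The two findings are the two tricks a reader is being taught to hover for: the visible URL is not the real one, and a familiar name appears as a subdomain of a domain the bank does not own. The consistent support link produces no finding.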
Phishing Scenario Walkthrough

I clicked on the link

See what the hacker gets?

What about attachments?

Enabling content (macros) will run the malware. Office disables macros in a downloaded document by default; the "Enable Content" button on the yellow bar is exactly what the attacker needs you to click.
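A check for the attachment case above: does this Office attachment carry a macro project at all, whatever its extension says? This is an added example for this page, not code from the slides. The sample "document" is a constructed minimal OOXML zip with just enough structure to exercise the check, not a real Word file; the part names and the macroEnabled content type it looks for are the ones the Office Open XML format uses.

```python
"""Detect macro projects inside Office Open XML attachments (docx/docm/xlsm/pptm...)."""
import io
import zipfile

# Part names that hold VBA inside an OOXML container.
MACRO_PART_NAMES = ("vbaProject.bin", "vbaData.xml")


def build_sample_docm(with_macro):
    """Constructed minimal OOXML container for the example (not a real Word document)."""
    buf = io.BytesIO()
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_ct,
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 compound-file magic followed by filler: stands in for a real VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


def inspect_office_attachment(data):
    """Describe macro indicators in an attachment, judged by content rather than extension."""
    result = {"is_ooxml": False, "macro_parts": [], "macro_content_type": False, "has_macros": False}
    if not data.startswith(b"PK"):
        return result  # not a zip container; legacy .doc/.xls (OLE2) need a different parser
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = z.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    result["macro_parts"] = [n for n in names if n.rsplit("/", 1)[-1] in MACRO_PART_NAMES]
    content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    result["macro_content_type"] = "macroEnabled" in content_types
    result["has_macros"] = bool(result["macro_parts"]) or result["macro_content_type"]
    return result


if __name__ == "__main__":
    for label, blob in (("macro document", build_sample_docm(True)), ("plain document", build_sample_docm(False))):
        print(label, inspect_office_attachment(blob))
```

The check ignores the file extension on purpose: a renamed file still contains its vbaProject.bin. For legacy binary formats (.doc, .xls) the macros live in OLE2 streams instead, which the oletools project's olevba handles.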
What can you do?
- Understand the importance of cybersecurity
- Spoofed wireless networks
- Strong passwords
- Multi-factor authentication
- Be suspicious of downloads
- Use anti-virus, but be aware that it's not entirely effective!

Understand the Importance of Cybersecurity
- You have a responsibility as an employee to help protect the network and data.
- Get educated.
- If you've done something you shouldn't have, DON'T cover it up; let someone know.
- Remember that security controls may not be fun to have, but they are there to protect you and your data.

Spoofed Wireless Networks
- If you aren't certain of the network, don't connect.
- Never access confidential information while connected to unsecured Wi-Fi.
- If you can VPN through it, your traffic between you and the VPN endpoint is encrypted, so the hotspot operator and anyone else on that network cannot read or alter it.
- Using your mobile data and shutting off Wi-Fi is also considered safe.

Strong Passwords
- Don't use the same password in multiple locations, especially banking or confidential website passwords.
- Use phrases: Iwah4C;Oahwd! is built from "I want a hippopotamus for Christmas; Only a hippopotamus will do!" (the first letter of each word, with "for" written as 4).
- Use a password keeper such as KeePass or LastPass; ensure that your password for that is strong.
- Change your password often.
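The "don't reuse passwords" point has a testable form: has this password already turned up in a public breach? The example below is added for this page and is not from the slides; it goes a step beyond them by preparing a Pwned Passwords range query in the way that service documents it (only the first five hex characters of the password's SHA-1 are sent, and the rest is matched locally). It does not call the service; the range response is constructed, and only its second line (the real SHA-1 suffix of "password") corresponds to anything real, with a made-up count.

```python
"""Check a password against a breach corpus without sending the password (k-anonymity)."""
import hashlib


def range_query(password):
    """Split SHA-1(password) into the 5-char prefix that is sent and the suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_response):
    """range_response is the 'SUFFIX:COUNT' text returned for one prefix (Pwned Passwords range format)."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed response for prefix 5BAA6 (not real service data). The second line is the
# suffix of SHA-1("password"); the other suffixes and all counts are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2AB1C3D4E5F60718293A4B5C6D7E8F90A1B:1
"""


def is_breached(password, fetch_range):
    """fetch_range(prefix) -> response text. In production this is an HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>; the password itself is never passed to it."""
    prefix, suffix = range_query(password)
    return breach_count(suffix, fetch_range(prefix)) > 0


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6  # stand-in for the network call
    print("password:", is_breached("password", offline))       # True
    print("Iwah4C;Oahwd!:", is_breached("Iwah4C;Oahwd!", offline))  # False against this sample
```

A password manager can run this kind of check for you; the point of the k-anonymity design is that the service learns a 5-character prefix shared by hundreds of hashes, never the password.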
Multi-Factor Authentication
Multi-factor authentication is the use of 2 or more different kinds of identifiers to verify the user:
1 - something you have
2 - something you know
3 - something you are
Most email providers OFFER multi-factor authentication. The first factor is generally the password; the 2nd factor is often a code sent by email or text, or a code generated by an authenticator app on your phone.
Security questions are sometimes offered as a 2nd step, but a security question is still "something you know", the same kind of factor as the password, so it is a weaker second step than a code from a device you have. If you use them, make sure the answers are not simple (a birthdate may be on social media, a high school may be found online, a pet's name may be on social media).
Be suspicious of Downloads
- Ensure it's from a trusted source. Go directly to the company site.
- Know what brand of anti-virus you have, so you can recognise a warning from a product you don't own as fake.
- Don't panic when something happens that looks like the picture on the slide.

Use Anti-Virus, but be aware it's not entirely effective!
- Most sophisticated and new scams will get past anti-virus unnoticed.
- Anti-virus will catch older and very prevalent viruses.
- There are many good anti-virus products available in paid and free versions (paid versions are generally better); there is no reason not to have one.
- Be careful when downloading a new anti-virus (go directly to the company's site, not to a 3rd-party site).
HCPD Partnership
HCPD cares about the cybersecurity of your organization and wants to help!
HCPD and SBS have partnered on a 5-phase approach to helping HCPD customers improve their cybersecurity.
HCPD will pay for 50% of the cost annually, up to $5,000!

HCPD Phase 1 Cybersecurity Services
- IT Asset Discovery: identifies hardware and software used by the organization.
- Internal Vulnerability Assessment: identifies soft spots on the inside of your network that cybercriminals could exploit.
- Information Security Risk Assessment: a document that identifies the most and least risky uses of technology in the organization.
- Cyber Risk Management Prioritization: based on the 3 items above, SBS will put together a plan for the organization on how to immediately improve its cybersecurity posture.

Investment
- Pricing is based on the number of meters the customer has.
- You can start with Phases 2-5 if you would prefer (contact SBS for more information).
- Time investment for Phase 1 ranges from half a day to 3 days, depending on size.
- SBS would do a presentation for your management/board if you would like to discuss further.

Let's Connect!
Nick Podhradsky
605-770-3926
Nick@sbscyber.com
www.sbscyber.com
Madison, SD