
Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security Stephen Cobb, CISSP Senior Security Researcher, ESET NA.

Presentation transcript:

1 Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security
Stephen Cobb, CISSP, Senior Security Researcher, ESET NA

2 Protecting federal data systems
Requires:
–technical and human elements
–properly synchronized

3 We have the technology
Anti-malware
Firewalls
2-factor authentication
Encryption
Network monitoring
Filtering

4 And the technology is getting smarter
Cloud-based reputation, signatures, big data
But technology is undermined when your workforce is not trained to play defense

5 Waiting for technology alone to solve the data security problem? Dream on…

6 Techno-people
Not everyone needs to be technical, but:
We are all computer users
Data security is everyone’s responsibility
Everyone needs to understand the threats
And the defensive strategies

7 Today’s agenda
Scale of the problem
Nature of our adversaries
Information security’s 9 patterns
Patterns applied to federal agencies
How to improve the coordination of people and technology to address those patterns

8 April 2014 GAO report
Information Security
–Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T)
A lot of work still to be done, across numerous agencies
–Improve security
–Improve breach response

9 The scale of the problem
Information security incidents reported to US-CERT by all agencies
Number of incidents up
More data to defend? Improved reporting?

10 Exposure of PII is growing
More incidents involving Personally Identifiable Information (PII)
Why?
–Thriving black market for PII
Impact
–Seriously impacts individuals
–Growing public displeasure
–Heads may roll

11 A federal PII breach example
July 2013, hackers get PII of 104,000+ people
–From a DOE system
Social Security numbers, birth dates and locations, bank account numbers
–Plus security questions and answers
DOE Inspector General: cost = $3.7 million
–Assisting affected individuals and lost productivity

12 What happens to the stolen data?
Sold to criminal enterprises
–For identity theft, raiding bank accounts, buying luxury goods, laundering money
Lucrative scams like tax identity fraud

13 The market for stolen data has matured


16 All driven by proven business strategies

17 An overwhelming problem? Not if we analyze security incidents
2014 Verizon Data Breach Investigation Report
92% of incidents can be categorized into 9 patterns
–True for 100,000 incidents over a 10-year period
–True for 95% of breaches in the last 3 years

18 The Big 9
Point-of-sale intrusions
Web app attacks
Insider/privilege misuse
Physical theft and loss
Miscellaneous errors
Crimeware
Payment card skimmers
Denial of service
Cyber-espionage
Everything else

19 Industry sectors not affected equally
Just 4 patterns where victim industry = Public
2014 Verizon Data Breach Investigation Report

20 Let’s count down the top 4
Miscellaneous
Insider and privilege misuse
Crimeware
Physical theft/loss
Everything else

21 Pattern #4: Physical theft and loss
Cause of 19% of public sector security incidents
It’s people! Screen, educate, supervise
Reduce impact by using encryption
2014 Verizon Data Breach Investigation Report

22 Pattern #3: Crimeware
Accounts for 21%
It’s people abusing technology
Can be solved with the right anti-malware strategy
Endpoint AND server scanning
2014 Verizon Data Breach Investigation Report

23 Pattern #2: Insider and privilege misuse
24% of incidents
Again it’s people!
Can be fixed!
–Education
–Awareness
–Screening
2014 Verizon Data Breach Investigation Report

24 Pattern #1: Miscellaneous Errors
34% of incidents
Human error!
Can be fixed!
–Training
–Awareness
–Oversight
2014 Verizon Data Breach Investigation Report

25 Strategy for doing better
Technologies and people working together
If they don’t you get: Target
–Malware was detected
–Exfiltration detected
–But nobody reacted
–Training and awareness?
–Clearly lacking

26 Security training and awareness
You need both, but what’s the difference?
Training
–Ensure people at different levels of IT engagement have the knowledge they need
Awareness
–Ensure all people at all levels know the threats and the defensive measures they must use

27 Who gets trained?
Everyone, but not in the same way:
–All-hands training
–IT staff training
–Security staff training

28 How to deliver training
In person
Online
On paper
In house
Outside contractor
Mix and match
Be creative

29 Incentives? They work!
–Drive engagement
–Encourage compliance
But need reinforcement
–Security in job descriptions
–Evaluations
–Rewards

30 Use your internal organs
Of communication!
Newsletter
Internal social media
Physical posters
Add to meeting agendas
Email blasts

31 How to do awareness
Make it fun
Make it relevant
Leverage the news
Remember:
–Everyone now has a vested interest in staying current on threats to their/your data

32 Awareness example: phish traps
Train on phishing
Send out a phishing message
Track responses
Report card and re-education
–No naming & shaming

33 Awareness example: flash phish
Train on media scanning
Sprinkle USB/flash drives
–Sample file/autorun
Track results
–Inserted? Scanned? Reported?
Rewards or re-education
–Again, avoid name+shame
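The "track results, report card, no naming and shaming" step shared by slides 32 and 33, as an added Python example that is not part of the presentation: it aggregates constructed exercise results (field names, user ids and department labels are assumptions) into a per-department card that carries rates only, while the list of people who need private re-education stays in a separate function that is never rendered.

```python
"""Aggregate report card for awareness exercises (phish trap and flash phish).

Added example, not part of the original presentation. The input records,
field names and department labels are constructed assumptions; the point is
that the published card carries only per-department rates, never user ids.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExerciseResult:
    exercise: str     # "phish" (simulated email) or "usb" (dropped drive)
    user_id: str      # opaque identifier, kept out of the published card
    department: str
    acted: bool       # clicked the link / inserted the drive
    reported: bool    # told the security team about it


# Constructed sample results (assumed; not real data)
SAMPLE_RESULTS = [
    ExerciseResult("phish", "u1", "IT", False, True),
    ExerciseResult("phish", "u2", "IT", False, False),
    ExerciseResult("phish", "u3", "IT", True, False),
    ExerciseResult("phish", "u4", "IT", False, True),
    ExerciseResult("phish", "u5", "HR", True, False),
    ExerciseResult("phish", "u6", "HR", True, True),
    ExerciseResult("phish", "u7", "HR", False, False),
    ExerciseResult("usb", "u1", "IT", False, True),
    ExerciseResult("usb", "u3", "IT", True, False),
    ExerciseResult("usb", "u5", "HR", True, False),
    ExerciseResult("usb", "u6", "HR", False, True),
    ExerciseResult("usb", "u7", "HR", False, False),
]


def report_card(results, threshold=0.25):
    """Per-exercise, per-department rates. Departments whose act rate exceeds
    the threshold are flagged for group re-education; no user id is included."""
    counts = defaultdict(
        lambda: defaultdict(lambda: {"total": 0, "acted": 0, "reported": 0})
    )
    for r in results:
        bucket = counts[r.exercise][r.department]
        bucket["total"] += 1
        bucket["acted"] += int(r.acted)
        bucket["reported"] += int(r.reported)

    card = {}
    for exercise, depts in counts.items():
        card[exercise] = {}
        for dept, c in depts.items():
            acted_rate = c["acted"] / c["total"]
            reported_rate = c["reported"] / c["total"]
            card[exercise][dept] = {
                "total": c["total"],
                "acted_rate": round(acted_rate, 2),
                "reported_rate": round(reported_rate, 2),
                "needs_reeducation": acted_rate > threshold,
            }
    return card


def follow_up_list(results, exercise):
    """Users who acted on the lure in one exercise: for private re-education
    by the security team, never for publication."""
    return sorted({r.user_id for r in results if r.exercise == exercise and r.acted})


def render_card(card):
    """Plain-text card suitable for a newsletter or meeting slide."""
    lines = []
    for exercise, depts in sorted(card.items()):
        lines.append(f"[{exercise}]")
        for dept, m in sorted(depts.items()):
            flag = "  <- re-education" if m["needs_reeducation"] else ""
            lines.append(
                f"  {dept}: n={m['total']} acted={m['acted_rate']:.0%} "
                f"reported={m['reported_rate']:.0%}{flag}"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_card(report_card(SAMPLE_RESULTS)))
```

The threshold is a hypothetical cut-off for flagging a whole department; the reported rate is worth tracking alongside the act rate, since a team that clicks but then reports is in better shape than one that stays silent.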

34 Resources to tap
CompTIA
ISSA
SANS
(ISC)²
Vendors
Websites

36 Thank you!
Stephen Cobb
Stephen.cobb@eset.com
We Live Security www.welivesecurity.com
Webinars www.brighttalk.com/channel/1718
Booth Number 826

