TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY


Mark Villinski @markvillinski


Why do we have to educate employees about cybersecurity?


2014 Corporate Threats Survey

http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf?_ga=1.57626858.1152823312.1404311525

• 94% of businesses suffered one cyber attack in the last 12 months

• Nearly 27% of companies lost confidential data as the result of an internal security incident

• Average cost for accidental data leaks – $39K for SMBs, $884K for Enterprise


PERCEPTION VS. REALITY

B2B International and Kaspersky Lab, “IT Security Threats and Data Breaches,” October, 2014.


How bad is it out there?

Malware

• 1994: One new virus every hour

• 2006: One new virus every minute

• 2011: One new virus every second, or 70,000 samples/day

Kaspersky Lab is currently processing 325,000 unique malware samples EVERY DAY


The Basic Theory for Staying Secure – Simple math for advanced protection…

[Chart: Investment in Security vs. Chance of getting infected]

The chance of getting infected drops exponentially while the cost of an attack increases linearly.


Tip #1: Regularly talk to employees about cybersecurity.

Explain the potential impact a cyberincident may have on company operations

An annual review and signing of an “I have read and understood company IT policies” statement is not enough!


Tip #2: Remember that top management and IT staff are employees too!

Top managers are often targeted because:

They have access to more information

IT bends the rules for them

The damage/payoff can be much bigger!

IT folks are vulnerable, too


Tip #3: Explain to the employees that while you make the best effort to secure company infrastructure, a system is only as secure as the weakest link

You don’t want them to just comply, you want them to cooperate

You can’t create a policy sophisticated enough to cover all possible vectors of attack

You can’t totally dehumanize humans. Humans have weaknesses and make mistakes.


Tip #4: Have regular focused sessions with employees to explore different types of cyberattacks

• Consider different formats (lunch and learn?)

• Make it useful

• Most of them have PCs at home and relatives who also need help

• Make it relevant and responsive to real-world examples

• Notice how much more often these topics hit the nightly news


Malware – What is it?

Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

Characteristics:

– Single instance signature to evade anti-virus

– Activates programmatically

– Connects to a Command & Control Center

– Keylogger, Ransomware, Remote Access Tool (RAT), and Man in Browser


Phishing Prevention – The 100% rules!

• Never click a link in an email

• Never open unexpected attachments

• Never provide information, no matter how innocuous it may seem, to unsolicited phone callers, visitors or email requests

• Never agree to an unsolicited remote control session (such as WebEx, GoToMeeting, LogMeIn)

• Your best defense: “Can I call you back?”

July 2012 – Yahoo Passwords Hacked

435,000 usernames and passwords hacked.

Particularly troubling? The login credentials are in plaintext, not even encrypted.

TOP TEN PASSWORDS FROM THE YAHOO HACK

1) 123456 (38%)
2) password (18%)
3) welcome (10%)
4) ninja (8%)
5) abc123 (6%)
6) 123456789 (5%)
7) 12345678 (5%)
8) sunshine (5%)
9) princess (5%)
10) qwerty (4%)


Ransomware

• More than 40% of CryptoLocker victims agreed to pay

• A Dell SecureWorks report estimates that ransomware rakes in $30 million every 100 days

• Expanding victim base means unlimited financial potential


RSA: Targeted Attack Case Study

On March 17th 2011, RSA announced that it was hacked. During the 2011 Kaspersky Security Analyst Summit, Uri Rivner from RSA talked about how it happened:

Two employees received an e-mail which contained a spreadsheet attachment labeled “2011 Recruitment Plan”.

The e-mail had been marked as SPAM and put into the spam folder.

One of the employees opened it…and released a


RSA E-mail & Attachment


Phishing at ABC University


How did this happen?

• Trickery. A spear-phishing attack.

  – People were tricked by a believable e-mail message into giving their passwords to the bad guys

• Spear-phishers and their tactics

  – Message crafted for ABC University

  – Sent to a small number of selected people

  – Strike on weekends & holidays, when you are less protected

• Goals

  – To collect information that will let them steal money:

  – Passwords, social security numbers, bank account or credit card numbers

Signs of the fake login page:

• Not encrypted: no https

• Not going to the real ABC University login site

Impact to people and ABC University

• The University was able to recover a good portion of the money

• Anyone can fall for a clever phishing scam

• The University did replace paychecks


Lessons learned

• Understand how to know if you are at the real University web login, or a clever fake

• Learn how to analyze email messages to detect ones that are malicious

• Find out how to protect yourself and your devices from cyber threats
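As an added example (not part of the original presentation), the two warning signs from the fake-login slide, "no https" and "not the real login site", turned into a check that can be run over the links in a suspicious e-mail during a training session. The real login host, the look-alike hosts and the sample e-mail are all constructed placeholders, not ABC University's actual addresses.

```python
"""Phishing login-page checks (added example, not from the presentation).

Assumptions: the real login host is 'login.abcuniversity.example' (a constructed
placeholder, not the university's actual domain) and the sample e-mail below is
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

REAL_LOGIN_HOST = "login.abcuniversity.example"  # constructed placeholder

# Matches http(s) links up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def check_login_url(url: str, real_host: str = REAL_LOGIN_HOST) -> list[str]:
    """Return the slide's warning signs for a link that claims to be the login page.

    (1) the page is not encrypted (no https); (2) the link does not go to the
    real login site. The host comparison is exact, so look-alikes such as
    'login.abcuniversity.example.evil-site.test' (real name as a subdomain of an
    attacker host) or 'abcuniversity-login.test' are flagged even though they
    contain the real name.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not encrypted: no https")
    if host != real_host.lower():
        findings.append(f"not the real login site: host is '{host}'")
    return findings


def scan_message(body: str) -> dict[str, list[str]]:
    """Map every URL found in an e-mail body to its warning signs ([] = looks genuine)."""
    return {u: check_login_url(u) for u in URL_RE.findall(body)}


# Constructed sample message modelled on the paycheck-themed lure described above.
SAMPLE_EMAIL = """\
Subject: Your paycheck is on hold
Please confirm your account within 24 hours at
http://login.abcuniversity.example.evil-site.test/portal
or at https://abcuniversity-login.test/verify
Real portal for comparison: https://login.abcuniversity.example/sso
"""

if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE_EMAIL).items():
        print(url, "->", findings or "looks genuine")
```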


Tip #5: Pay special attention to social engineering

A lot of cyberincidents start with a phone conversation with someone who poses as a co-worker and builds his understanding of company internal structure and operations by asking innocent questions.

A cybercriminal exploiting social weaknesses almost never looks like one.


The Importance of Securing Computers/Workstations

Windows: Windows key + L (locks the screen)

Mac: Enable screensaver, then check the “Require password to quit screensaver” check box


Tip #6: Train your employees to recognize an attack

Communicate clear-cut step-by-step instructions on what to do if an employee believes there’s a cyber incident happening.

If you are not trained, you will get lost when the


Training should involve things like:

• Unplug your machine from the network (physically)

• Notify your administrator

• Remember that any and every key stroke can be sent to cyber criminals by a key logger

• If you can’t find your mobile device – immediately notify your administrator

• Emergency Number – if you can’t find your IT emergency number in under 20 seconds, you are doing it wrong.


Tip #7: Never disapprove or make fun of an employee who raises a red flag

…even if it is a false alarm – this will discourage employees from raising the alarm when a real cyber attack comes.

I mean NEVER.

If false alarms come often, improve the training approach.


Tip #8: In case of an incident give your employees a heads up

• Even if an incident has happened already, improper handling may (significantly) increase impact

• Issue an instruction on how to speak to public/press about the incident

• Have a plan in place BEFORE anything happens


Tip #9: Test knowledge regularly

Make it relevant – remember they live digital lives. It matters!


Are you cyber savvy?


Tip #10: Listen to feedback

• If you force employees to change passwords every week, be prepared that they will write them down and post them in their work place

• If access to something they need for work is too complicated, they will use personal email, USB sticks or fellow employees to bypass the restrictions

• If something is out of balance, this will trigger unsafe behavior. Listening to feedback means learning the root cause of that.


Systems Management & Actionable Patching

• VULNERABILITY SCANNING: HW and SW inventory; Multiple vulnerability databases

• REMOTE TOOLS: Install applications; Update applications; Troubleshoot

• LICENCE MANAGEMENT: Track usage; Manage renewals; Manage license compliance

• NETWORK ADMISSION CONTROL (NAC): Guest policy management; Guest portal

• ADVANCED PATCHING: Automated prioritization; Reboot options

• Create images; Store and update; Deploy


Whitelisting & Application Control

DEVICE CONTROL

WEB CONTROL

APPLICATION CONTROL


Encryption & Data Protection

Inside the Network Outside the Network

If cybercriminals seize control of the system and penetrate the corporate network, they may try to exfiltrate sensitive data such as configuration files, private keys and source code.

However, even if the criminals manage to download something, they will not be able to read the content of the encrypted files.


OUR LEADERSHIP IS PROVEN BY INDEPENDENT TESTS


Questions & Answers

Mark Villinski @markvillinski