APLICACIONES EN INFORMÁTICA AVANZADA, S.L. www.aia.es

TRANSCRIPT

2015 Global Summit for Women
Breakout Sessions III. Entrepreneurial Track:

Protecting Your Business in the Internet Age. Vulnerability of Business Assets to Security Risks

May 16th 2015

Regina Llopis
Sao Paulo - Brazil

SMEs
IMPORTANCE OF CYBERSECURITY

SOME NUMBERS

• 2010: the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit responded to a combined 761 data breaches; 63% were at SMEs with fewer than 100 employees.

• 2011: Visa estimated that 95% of the credit-card data breaches it discovered were at SMEs. (Source: FCC's Small Biz Cyber Planner)

• 2012: Symantec states that cyberattacks on SMEs with fewer than 250 employees rose to 31%, from 18% in 2011. (Source: CNN Money)

SMEs
SECURITY RISK VULNERABILITY

• Lower risk and high returns (H)
• Data is valuable
• Easier target: guard is down
• Inadequate tools

Source: Fireeye.com

SMEs
AGENDA TOPICS

FCC's Small Biz Cyber Planner: https://www.fcc.gov/cyberplanner

• Scams and Fraud
• Privacy and Data Security
• Network Security
• Website Security
• Email (not the hosting services)
• Mobile Devices
• Employees
• Facility Security
• Operational Security
• Payment Cards
• Incident Response and Reporting
• Policy Development, Management

SMEs
AGENDA TOPICS

1. Scams and Fraud
2. Privacy and Data Security
3. Network Security
4. Mobile Devices
5. Employees
6. Twente U Report
7. EXAMPLE OF ONE SME (Grupo AIA)

Scams and Fraud
Vocabulary

• E-infections: viruses, trojans, worms, botnets
• Online fraud: phishing
• Malware, scareware, spyware, adware
• Social engineering: pretexting
• Denial-of-service attacks, flooding

Scams and Fraud
Protection

• Update the antivirus software
• Give out NO personal info; employee awareness; never click links
• Don't fall for fake antivirus; update software patches
• Verify the identity of info seekers
• Layered access protection

Privacy and Data Security
INFORMATION ASSETS AND SECURITY

• Inventory data types, access, location
• Compliant privacy policy: PII, PHI, clients, business IP, other
• Protection for data from the Internet
• Contextual access to data: HC, Sen, Int, UO
• Secure data: two-factor authentication, encryption
• Backup, plan for loss

Privacy and Data Security
INFORMATION ASSETS AND SECURITY

Customers:
• Customer sales records
• Customer credit card transactions
• Customer mailing and email lists
• Customer support information
• Customer warranty information
• Patient health or medical records (if in the health industry)

Employees:
• Employee personal information
• Employee payroll records
• Employee email lists
• Employee health and medical records

Business:
• Business and personal financial records
• Marketing plans
• Business leads and enquiries
• Product design and development plans
• Protect IP assets: patents, copyright, trademarks
• Legal, tax and financial correspondence

Policy:
• Develop a privacy policy compliant with legislation

Recovery:
• Develop security, backup and recovery-from-loss processes

Network Security
PROTECTION

• Secure internal network and cloud services (audit rights)
• Strong passwords and encryption of HC and Sen data
• Wireless: separate public and internal networks; WPA2 (Wi-Fi Protected Access) encryption level
• Secure web browsing; only VPN (Virtual Private Network) for remote access
• Safe use of flash drives (SHIFT KEY)

Mobile Devices
THREATS

• Device as well as data loss; danger of a BYOD policy
• Social engineering and malware
• Data integrity threat
• Resource abuse (using the compromised device)
• Web- and network-based attacks

Mobile Devices
PROTECTION

• Security software and updates; use of different networks when BYOD
• Same earlier recommendations on phishing, social engineering, etc.
• Users aware of their surroundings; follow the reporting policy
• Ensure all devices are wiped clean prior to disposal
• Encrypt data on mobile devices

Employees
PROTECTION

• Develop a demanding hiring process as well as background checks (outsourced).
• Access control for employees based on need to use; clean desk; shred HC and Sen material when disposing of it
• Security training for employees
• Implement an employee departure checklist
• Password-protected access for employees

Twente U Report
Attacks on Assets and Actions

Most common cyber security threats in SMEs (credit: The Impact of Cyber Security on SMEs, N. Amrin, U. of Twente)

Attack / Compromised asset / SME's preventive action

1. Automated exploit of a known vulnerability
   Asset: operating system of computers
   Action: use patch management software; train the employees to comply with updates; implement prevention policy

2. Malicious HTML email
   Asset: devices that view email
   Action: implement spam filtering; raise employee awareness; implement prevention policy

3. Reckless web surfing by employees
   Asset: computers, laptops, etc.
   Action: web filtering solutions to block URLs; use a firewall

4. Web server compromise
   Asset: website and server
   Action: audit the web code to fix all the security holes; use a firewall for malicious traffic

5. Data lost on a portable device
   Asset: portable devices and data
   Action: encrypt data on the devices; use Mobile Device Management (MDM) software

6. Reckless use of Wi-Fi hot spots
   Asset: company's data
   Action: use an encrypted Wi-Fi connection

7. Reckless use of hotel networks and kiosks
   Asset: employee's device
   Action: use updated anti-virus/spyware/malware tools; use a firewall

8. Poor configuration leading to compromise
   Asset: entire network
   Action: always change factory default users and passwords; implement prevention policy

9. Lack of contingency plan
   Asset: entire IT infrastructure
   Action: develop policy based on the company's needs; implement prevention policy

10. Insider attacks
   Asset: entire IT infrastructure
   Action: check the basic background of employees; do not concentrate all IT authority on one employee; implement prevention policy

EXAMPLE
CYBERSECURITY AT GROUP AIA

GENERAL GUIDELINES OVERVIEW

• Network security
• Intrusions (tip: separate your Internet-facing services as much as you can from your internal network; outsource it whenever possible)
• WiFi challenges and security levels:
  • Min: use WPA2 and change passwords often
  • Medium: add RADIUS to control user access
  • Max: air-gap with separate Internet access, and use VPN to access the internal network

EXAMPLE
CYBERSECURITY AT GROUP AIA

• Information theft
• The challenge of BYOD
• Theft or loss of laptops (use two-factor auth using USB or SmartCards)
• Disaster Recovery and Business Continuity Plans:
  • Don't be your worst enemy, be prepared!
  • Redundancy (RAID) is not the same as backup
  • Always keep regular, point-in-time backups, à la Time Machine on Macs
  • On-premises copies are not backup! Ship them off-site regularly

EXAMPLE
CYBERSECURITY AT GROUP AIA

Our view on BYOD (Bring Your Own Device):

• It is true that people sometimes want to be able to use their own devices at work, but...
• Does it really save the business having to buy a device for the worker?
• How will the IT department enforce security policies on the worker's device?
• Vendors will be happy to sell you BYOD-management software, but it adds cost and complexity
• We think the savings are not worth it for an SME
• Simple solution:
  1. Deploy a separate, isolated WiFi, with its own independent connection to the Internet. After all, most people just want to use their phone/tablet.
  2. For those that do want to use their device for work, make them go through VPN as any other remote worker.

EXAMPLE
CYBERSECURITY AT GROUP AIA

[Network diagram] Corporate LAN (may include isolated VLANs; outsourced housing and support) with users and a server room (50% virtualized); Corporate DMZ with demo servers and product downloads; Internet; VPN gateway; private WiFi access point; mobile and remote users; external services: Google email+, Amazon EC2, Harvest (time), webhoster (website host).

EXAMPLE
CYBERSECURITY AT GROUP AIA

Security best practices in our infrastructure:

• A mixed Windows/Linux environment; all user permissions are based on roles and managed from Active Directory.
• All software developer and admin desktops and laptops are managed by Active Directory.
• BYOD policy: not allowed on the network (use the facilities' public WiFi). Private WiFi: access through RADIUS (802.1X/WPA2).
• Remote VPN access is only given if needed for work.
• Possibility to segment isolated VLANs at the switch level, if a client (typically banks) requests isolated project teams.
• Centralized antivirus software that pushes updates to all desktops/laptops.
• Daily backups performed as efficient incremental snapshots, on standard external HDs. Monthly copies are shipped off-site to a bank vault.

EXAMPLE
CYBERSECURITY AT GROUP AIA

Security best practices in our outsourcing vendor's infrastructure:

• Professionally trained IT staff (5 to 6 people)
• Centralized firewall (FortiGate)
• Intrusion Detection Systems (monitor traffic to detect anomalies)
• Segmentation of different company LANs through managed-switch VLANs
• Server room: fully backed-up power supply, continuous monitoring, restricted physical access
• Internet links: triple-redundant links to different ISPs

EXAMPLE
CYBERSECURITY AT GROUP AIA

We were recently hit by ransomware:

1. One of our secretaries inadvertently executed an attachment in a deviously crafted email.
2. Our users do not have admin privileges, so the malware was contained to running with regular user permissions.
3. All files that the secretary had access to, locally and on the server, were being encrypted!!!
4. It is virtually impossible to crack this crypto, and the original contents are overwritten, so they cannot be recovered. The malware points the victim to a website with instructions to pay a ransom in order to decrypt the files.

EXAMPLE
CYBERSECURITY AT GROUP AIA

How we reacted:

1. Our secretary had been trained on how to deal with malware, phishing scams, etc.
2. She immediately called IT support. Realizing the malware was running locally, she was instructed to disconnect from the network right away, and then switch her PC off.
3. Cleaning the malware from the PC was quite easy, but some damage had already been done: several documents on the server had been encrypted.
4. Those documents had to be recovered from the previous day's backup. Luckily only a few hours of editing work were lost.

EXAMPLE
CYBERSECURITY AT GROUP AIA

Take away from our story:

• Invest in training your users against malware. Keep them updated on the latest trends.
• Backups, backups, backups!
• For an SME, Disaster Recovery and Business Continuity Plans are mostly about backups. More so in an era of virtualized IT.

Beware of the new ransomware threat. It is a trend that is alarmingly on the rise. According to Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., about 30% of ransomware victims pay to regain their data. See: http://www.wsj.com/articles/ransomware-a-growing-threat-to-small-businesses-1429127403

END. THANK YOU FOR YOUR ATTENTION

Grupo AIA has innovated in the area of Knowledge Generation and Business Analytics for Decision Support for over twenty-five years.

BUILDING ALGORITHMS FOR A BETTER WORLD

• Regina Llopis
• [email protected]

Questions? More information? Need a bibliography?

FINAL: COMPLEMENTARY TERMINOLOGY

DMZ stands for "De-Militarized Zone": it is a separate LAN in which all Internet-facing servers are put, to isolate them from the internal LAN. The firewall thus separates the three main zones: internal LAN, DMZ, and the Internet.

A VLAN is a virtually isolated LAN, a feature provided at a lower-level hardware implementation (and therefore quite hacker-resistant) by network switches. It is like having two (or more) different switches in one. When configured properly, they are bulletproof (I mean, there is no way someone on VLAN1 can ever hop onto VLAN2).

RADIUS is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations.

Time Machine-style backups were invented in UNIX a long time ago, and provide a cheap and efficient way to keep several incremental snapshots of a file system (the files that haven't changed only take space once). This is what we use, on external USB HDs. They should be renewed every 2-3 years, for reliability.
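The following is an added example, not code from the AIA deck: a minimal Time Machine-style snapshot scheme as described above (unchanged files are hard-linked to the previous snapshot, so they take disk space only once), followed by the "previous day's backup" recovery of one file described in the ransomware story. Directory names, file contents and the two-snapshot scenario are constructed for the demo.

```python
import os
import shutil
import tempfile

# Added example (not AIA's tooling): hard-link snapshots and point-in-time recovery.

def unchanged(src, prev):
    """Same size and modification time as the copy in the previous snapshot."""
    a, b = os.stat(src), os.stat(prev)
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)

def take_snapshot(source, backup_root, name, previous=None):
    """Snapshot `source` into backup_root/name; returns (linked, copied) counts."""
    dest, linked, copied = os.path.join(backup_root, name), 0, 0
    for dirpath, _dirs, files in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for fname in files:
            src, dst = os.path.join(dirpath, fname), os.path.join(dest, rel, fname)
            prev = os.path.join(backup_root, previous, rel, fname) if previous else None
            if prev and os.path.exists(prev) and unchanged(src, prev):
                os.link(prev, dst)      # share the inode: no extra disk space used
                linked += 1
            else:
                shutil.copy2(src, dst)  # copy2 keeps mtime for the next comparison
                copied += 1
    return linked, copied

def restore(backup_root, name, rel_path, target):
    """Point-in-time recovery: copy one file out of the chosen snapshot."""
    shutil.copy2(os.path.join(backup_root, name, rel_path), target)

def demo():
    """Two daily snapshots, a simulated ransomware overwrite, then recovery."""
    root = tempfile.mkdtemp()
    docs, backups = os.path.join(root, "docs"), os.path.join(root, "backups")
    for d in (docs, backups): os.makedirs(d)
    for fname, text in (("contract.txt", "original contract text"), ("notes.txt", "meeting notes")):
        with open(os.path.join(docs, fname), "w") as f: f.write(text)
    take_snapshot(docs, backups, "day1")
    linked, copied = take_snapshot(docs, backups, "day2", previous="day1")
    nlink = os.stat(os.path.join(backups, "day1", "contract.txt")).st_nlink  # 2: shared
    # Malware running with the user's rights overwrites every file the user can
    # write; the backup tree must therefore not be writable by that account.
    with open(os.path.join(docs, "contract.txt"), "w") as f: f.write("ENCRYPTED GIBBERISH")
    restore(backups, "day2", "contract.txt", os.path.join(docs, "contract.txt"))
    with open(os.path.join(docs, "contract.txt")) as f: recovered = f.read()
    shutil.rmtree(root)
    return linked, copied, nlink, recovered
```

For production use, rsync with `--link-dest` implements the same hard-link scheme; the size-and-mtime check above is the same heuristic rsync uses by default.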

HQ Barcelona: Av. de la Torre Blanca, 57, 08172 Sant Cugat del Vallès, Barcelona. Tel. +34 93 504 49 00

San Francisco: 48 Terra Vista Ave. # D, San Francisco, CA 94115. Tel. 1 415 978 98 00, Fax 1 415 978 98 10