TRANSCRIPT
APLICACIONES EN INFORMÁTICA AVANZADA, S.L. www.aia.es 1
2015 Global Summit for Women. Breakout Sessions III. Entrepreneurial Track:
Protecting Your Business in the Internet Age. Vulnerability of Business Assets to Security Risks
May 16th 2015
Regina Llopis, São Paulo - Brazil
SMEs
IMPORTANCE OF CYBERSECURITY
SOME NUMBERS
2010: the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit responded to a combined 761 data breaches; 63% were at SMEs with fewer than 100 employees.
2011: Visa estimated 95% of the credit-card data breaches it discovers were at SMEs (source: FCC's Small Biz Cyber Planner).
2012: Symantec states cyberattacks on SMEs with fewer than 250 employees rose to 31% from 18% in 2011 (source: CNN Money).
SMEs
SECURITY RISK VULNERABILITY
• Lower risk and high returns (H)
• Data is valuable
• Easier target: guard is down
• Inadequate tools
Source: Fireeye.com
SMEs
AGENDA TOPICS
FCC's Small Biz Cyber Planner: https://www.fcc.gov/cyberplanner
• Scams and Fraud
• Privacy and Data Security
• Network Security
• Website Security
• Email (not the hosting services)
• Mobile Devices
• Employees
• Facility Security
• Operational Security
• Payment Cards
• Incident Response and Reporting
• Policy Development, Management
SMEs
AGENDA TOPICS
1. Scams and Fraud
2. Privacy and Data Security
3. Network Security
4. Mobile Devices
5. Employees
6. Twente U Report
7. Example of one SME (Grupo AIA)
Scams and Fraud
Vocabulary
• E-infections: viruses, trojans, worms, botnets
• Online fraud: phishing
• Malware, scareware, spyware, adware
• Social engineering: pretexting
• Denial of Service attacks (DoS), flooding
Scams and Fraud
Protection
• Update the antivirus software
• No personal info: employee awareness; never click links
• Don't fall for fake antivirus; update software patches
• Verify the identity of information seekers
• Layered access protection
Privacy and Data Security
INFORMATION ASSETS AND SECURITY
• Inventory data types, access, location
• Compliant privacy policy: PII, PHI, clients, business IP, other
• Protection for data from the Internet
• Contextual access to data by class: HC, Sen, Int, UO
• Secure data: two-factor authentication, encryption
• Backup, plan for loss
Privacy and Data Security
INFORMATION ASSETS AND SECURITY: Customers
• Customer sales records
• Customer credit card transactions
• Customer mailing and email lists
• Customer support information
• Customer warranty information
• Patient health or medical records (if in the health industry)
Privacy and Data Security
INFORMATION ASSETS AND SECURITY: Employees
• Employee personal information
• Employee payroll records
• Employee email lists
• Employee health and medical records
Privacy and Data Security
INFORMATION ASSETS AND SECURITY: Business
• Business and personal financial records
• Marketing plans
• Business leads and enquiries
• Product design and development plans
• Protect IP assets: patents, copyright, trademarks
• Legal, tax and financial correspondence
Privacy and Data Security
INFORMATION ASSETS AND SECURITY: Policy
• Develop a privacy policy compliant with legislation
Privacy and Data Security
INFORMATION ASSETS AND SECURITY: Recovery
• Develop security, backup and recovery-from-loss processes
Network Security
PROTECTION
• Secure internal network and cloud services (audit rights)
• Strong passwords and HC & Sen data encryption
• Wireless separation of public and internal networks; WPA2 (WiFi Protected Access) encryption level
• Secure web browsing; only VPN (Virtual Private Network) for remote access
• Safe use of flash drives (Shift key)
Mobile Devices
THREATS
• Device as well as data loss; danger of a BYOD policy
• Social engineering and malware
• Data integrity threat
• Resource abuse (using the compromised device)
• Web and network based attacks
Mobile Devices
PROTECTION
• Security software and updates; use of different networks when BYOD
• Same earlier recommendations on phishing, social engineering, other
• Users aware of surroundings; follow reporting policy
• Ensure all devices are wiped clean prior to disposal
• Encrypt data on mobile devices
Employees
PROTECTION
• Develop a demanding hiring process as well as background checks (Outsc).
• Access control for employees based on need to use; clean desk; shred HC and Sen documents when disposing
• Training on security for employees
• Implement an employee departure checklist
• Password-protected access for employees
Twente U Report
Attacks on Assets and Actions
Most common cyber security threats in SMEs (credit: The Impact of Cyber Security on SMEs, N. Amrin, U. of Twente)
Columns: Attack | Compromised asset | SME's preventive action

1. Automated exploit of a known vulnerability | Operating system of computers | Use patch management software; train the employees to comply with updates; implement prevention policy
2. Malicious HTML email | Devices that view email | Implement spam filtering; raise employee awareness; implement prevention policy
3. Reckless web surfing by employees | Computers, laptops, etc. | Web filtering solutions to block URLs; use a firewall
4. Web server compromise | Website and server | Audit the web code to fix all the security holes; use firewall for malicious traffic
5. Data lost on a portable device | Portable devices and data | Encrypt data on the devices; use Mobile Device Management (MDM) software
6. Reckless use of Wi-Fi hot spots | Company's data | Use encrypted Wi-Fi connection
7. Reckless use of hotel networks and kiosks | Employee's device | Use updated anti-virus/spyware/malware; use a firewall
8. Poor configuration leading to compromise | Entire network | Always change factory default users & passwords; implement prevention policy
9. Lack of contingency plan | Entire IT infrastructure | Develop policy based on the company's need; implement prevention policy
10. Insider attacks | Entire IT infrastructure | Check the basic background of employees; do not concentrate all IT authority on one employee; implement prevention policy
EXAMPLE
CYBERSECURITY AT GROUP AIA
GENERAL GUIDELINES OVERVIEW
• Network security
• Intrusions (tip: separate your Internet-facing services as much as you can from your internal network; outsource it whenever possible)
• WiFi challenges and security levels
  • Min: use WPA2 and change passwords often
  • Medium: add RADIUS to control user access
  • Max: air-gap with separate Internet access, and use VPN to access the internal network
EXAMPLE
CYBERSECURITY AT GROUP AIA
• Information theft
• The challenge of BYOD
• Theft or loss of laptops (use two-factor auth using USB or SmartCards)
• Disaster Recovery and Business Continuity Plans
• Don't be your worst enemy, be prepared!
• Redundancy (RAID) is not the same as backup
• Always keep regular, point-in-time backups, à la Time Machine on Macs
• On-premises copies are not backup! Ship them off-site regularly
EXAMPLE
CYBERSECURITY AT GROUP AIA
Our view on BYOD (Bring Your Own Device):
• It is true that people sometimes want to be able to use their own devices at work, but…
• Does it really save the business having to buy a device for the worker?
• How will the IT department enforce security policies on the worker's device?
• Vendors will be happy to sell you BYOD-management software, but it adds cost and complexity
• We think the savings are not worth it for an SME
• Simple solution:
  1. Deploy a separate, isolated WiFi, with its own independent connection to the Internet. After all, most people just want to use their phone/tablet.
  2. For those that do want to use their device for work, make them go through VPN as any other remote worker.
EXAMPLE
CYBERSECURITY AT GROUP AIA
[Network diagram: Internet; VPN gateway; corporate DMZ (demo servers, product downloads); corporate LAN (may include isolated VLANs; server room, 50% virtualized; users; private WiFi access point); mobile and remote users; housing and support outsourced; external services: Google email+, Amazon EC2, Harvest (time), Webhoster (website host)]
EXAMPLE
CYBERSECURITY AT GROUP AIA
Security best practices in our infrastructure:
• A mixed Windows/Linux environment, all user permissions based on roles, and managed from Active Directory.
• All software developers' and admins' desktops & laptops are managed by Active Directory.
• BYOD policy: not allowed on the network (use the facilities' public WiFi). Private WiFi: access through RADIUS (802.1X/WPA2).
EXAMPLE
CYBERSECURITY AT GROUP AIA
• Remote VPN access only given if needed for work.
• Possibility to segment isolated VLANs at the switch level, if a client (typically banks) requests isolated project teams.
• Centralized antivirus software that pushes updates to all desktops/laptops.
• Daily backups performed as efficient incremental snapshots, on standard external HDs. Monthly copies are shipped off-site to a bank vault.
EXAMPLE
CYBERSECURITY AT GROUP AIA
Security best practices in our OUTSOURCING VENDOR's infrastructure:
• Professionally trained IT staff (5 to 6 people)
• Centralized firewall (FortiGate)
• Intrusion Detection Systems (monitor traffic to detect anomalies)
• Segmentation of different company LANs through managed switches (VLANs)
• Server room: fully backed-up power supply, continuous monitoring, restricted physical access
• Internet links: triple-redundant links to different ISPs
EXAMPLE
CYBERSECURITY AT GROUP AIA
We were recently hit by ransomware:
1. One of our secretaries inadvertently executed an attachment in a deviously crafted email.
2. Our users do not have admin privileges, so the malware was contained to run with regular user permissions.
3. All files that the secretary had access to, locally and on the server, were being encrypted!!!
4. It is virtually impossible to crack this crypto, and the original contents are overwritten, so they cannot be recovered. The malware points the victim to a website with instructions to pay a ransom in order to decrypt the files.
EXAMPLE
CYBERSECURITY AT GROUP AIA
How we reacted:
1. Our secretary had been trained on how to deal with malware, phishing scams, etc.
2. She immediately called IT support. Realizing the malware was running locally, she was instructed to disconnect from the network right away, and then switch her PC off.
3. Cleaning the malware from the PC was quite easy, but some damage had already been done: several documents on the server had been encrypted.
4. Those documents had to be recovered from the previous day's backup. Luckily only a few hours of editing work were lost.
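Detection logic of the kind a file server could run to spot the pattern in this story, as an added example and not Grupo AIA's own tooling: a regular account whose files across several folders are all written and renamed within seconds, which is what ransomware running with that user's permissions looks like from the server side. The audit-line format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit lines (not real logs): one account saves a
# spreadsheet twice; another account's documents are all rewritten and renamed
# within seconds across several folders.
SAMPLE_LOG = """\
2015-05-12T10:30:01 user=rlopez op=write path=/share/finance/q1.xlsx
2015-05-12T10:30:40 user=rlopez op=write path=/share/finance/q1.xlsx
2015-05-12T10:31:02 user=secretary op=write path=/share/contracts/lease.docx
2015-05-12T10:31:02 user=secretary op=rename path=/share/contracts/lease.docx
2015-05-12T10:31:03 user=secretary op=write path=/share/contracts/nda.docx
2015-05-12T10:31:03 user=secretary op=rename path=/share/contracts/nda.docx
2015-05-12T10:31:04 user=secretary op=write path=/share/hr/roster.xlsx
2015-05-12T10:31:04 user=secretary op=rename path=/share/hr/roster.xlsx
2015-05-12T10:31:05 user=secretary op=write path=/share/admin/minutes.docx
2015-05-12T10:31:05 user=secretary op=rename path=/share/admin/minutes.docx
2015-05-12T10:45:00 user=rlopez op=read path=/share/finance/q1.xlsx
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) op=(\S+) path=(\S+)$")
MUTATING_OPS = {"write", "rename", "delete"}  # reads never trigger an alert


def detect_mass_modification(log_text, threshold=6, window=timedelta(seconds=60)):
    """Return {user: (count, first_ts, folders)} for each account whose
    file-changing operations exceed `threshold` within any `window`.
    The alert is recorded at the first crossing, so first_ts is the earliest
    moment a responder should look at (and pull the machine off the network)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line must not crash the monitor
        ts, user, op, path = m.groups()
        if op in MUTATING_OPS:
            events[user].append((datetime.fromisoformat(ts), path))
    alerts = {}
    for user, evs in events.items():
        recent = deque()
        for ts, path in sorted(evs):
            recent.append((ts, path))
            while ts - recent[0][0] > window:  # slide the window forward
                recent.popleft()
            if len(recent) > threshold and user not in alerts:
                folders = sorted({p.rsplit("/", 1)[0] for _, p in recent})
                alerts[user] = (len(recent), recent[0][0], folders)
    return alerts
```

The threshold and window are tuning knobs: a user saving one document repeatedly stays below them, while an account touching dozens of files in distinct folders within a minute is flagged with the timestamp at which the burst began.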
EXAMPLE
CYBERSECURITY AT GROUP AIA
Take away from our story:
• Invest in training your users against malware. Keep them updated on the latest trends.
• Backups, backups, backups!
• For an SME, Disaster Recovery and Business Continuity Plans are mostly about backups. More so in an era of virtualized IT.
• Beware of the new ransomware threat. It is a trend that is alarmingly on the rise. According to Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., about 30% of ransomware victims pay to regain their data. See: http://www.wsj.com/articles/ransomware-a-growing-threat-to-small-businesses-1429127403
END
THANK YOU FOR YOUR ATTENTION
Grupo AIA has innovated in the area of Knowledge Generation and Business Analytics for Decision Support for over twenty-five years.
BUILDING ALGORITHMS FOR A BETTER WORLD
• Regina Llopis
• [email protected]
Questions? More information? Need bibliography?
FINAL: COMPLEMENTARY TERMINOLOGY
DMZ stands for "De-Militarized Zone": it is a separate LAN in which all Internet-facing servers are put, to isolate them from the internal LAN. The firewall thus separates the three main zones: internal LAN, DMZ, and the Internet.
A VLAN is a virtually isolated LAN, a feature provided at a lower-level hardware implementation (and therefore quite hacker-resistant) by network switches. It is like having two (or more) different switches in one. When configured properly, they are bulletproof (I mean, there is no way someone on VLAN1 can ever hop onto VLAN2).
RADIUS is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations.
Time Machine-style backups were invented in UNIX a long time ago, and provide a cheap and efficient way to keep several incremental snapshots of a file system (the files that haven't changed only take space once). This is what we use, on external USB HDs. They should be renewed every 2-3 years, for reliability.
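The snapshot scheme described here, as an added example and not Grupo AIA's own tooling: each day's snapshot is a complete tree, but a file unchanged since the previous day becomes a hard link to the earlier copy (taking space once), while new or changed files are copied. The document tree and the snapshot directory are constructed in a temporary folder; `snapshot` and `demo` are names chosen for this example.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def snapshot(src: Path, snapshots_root: Path, name: str, previous: "Path | None") -> dict:
    """Write snapshots_root/name as a complete tree of src. A file unchanged since
    `previous` is hard-linked to the copy already held there, so it occupies disk
    space once; new or changed files are copied. Returns linked/copied counts."""
    dest, stats = snapshots_root / name, {"linked": 0, "copied": 0}
    for path in src.rglob("*"):
        rel = path.relative_to(src)
        target = dest / rel
        if path.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous is not None else None
        # shallow=False compares contents, so a same-size rewrite still counts as changed
        if old is not None and old.is_file() and filecmp.cmp(path, old, shallow=False):
            os.link(old, target)        # shares the inode with the earlier snapshot
            stats["linked"] += 1
        else:
            shutil.copy2(path, target)  # new physical copy
            stats["copied"] += 1
    return stats


def demo() -> dict:
    """Constructed run: two daily snapshots of a tiny document tree in a temp dir."""
    root = Path(tempfile.mkdtemp())
    src, snaps = root / "docs", root / "snapshots"
    (src / "contracts").mkdir(parents=True)
    (src / "contracts" / "lease.txt").write_text("lease v1\n")
    (src / "notes.txt").write_text("day one\n")
    day1 = snapshot(src, snaps, "day1", None)
    (src / "notes.txt").write_text("day two, edited\n")  # only this file changes
    day2 = snapshot(src, snaps, "day2", snaps / "day1")
    lease1, lease2 = (snaps / "day1/contracts/lease.txt").stat(), (snaps / "day2/contracts/lease.txt").stat()
    notes1, notes2 = (snaps / "day1/notes.txt").stat(), (snaps / "day2/notes.txt").stat()
    result = {
        "day1": day1, "day2": day2,
        "lease_shared": lease1.st_ino == lease2.st_ino and lease2.st_nlink == 2,
        "notes_separate": notes1.st_ino != notes2.st_ino,
        "day1_notes": (snaps / "day1/notes.txt").read_text(),  # earlier version survives
    }
    shutil.rmtree(root)
    return result
```

The snapshot disk must not be writable by the accounts whose data it protects: because linked files share one inode, a snapshot copy rewritten in place by ransomware would corrupt every day's version of it at once, and the story above shows everything the user could write being encrypted.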