cyber security 101: training, awareness, strategies for small to medium sized business
DESCRIPTION
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
TRANSCRIPT
Security 101: Training, awareness, and strategies
Stephen Cobb, CISSP, Senior Security Researcher, ESET NA
The SMB Sweet Spot for the cyber-criminally inclined
[Chart: the SMB "Sweet Spot" sits between Enterprises and Consumers on axes of assets worth looting versus level of protection]
The challenge
• Organizations of every type rely on computers to handle information
• Everyone today is a computer user
• Most have no security training
• Lack of security training leads to problems
How big is the challenge?
We asked U.S. consumers if they had ever received any computer security training
No: 68%, Yes: 32%
*Savitz Research for ESET, 2012
68% is sadly consistent
We asked working adults in the U.S. if they had ever received any computer security training
No: 68%, Yes: 32%
*Harris poll for ESET, 2012
73% is even worse
We asked adults in the U.S. who use social media if they had ever received online safety training
No: 73%, Yes: 27%
*Harris poll for ESET, 2012
Security training is not yet part of our society*
• This has serious implications for your business
• 93% of American adults say they’ve had no computer security training in the last 12 months
• How many of them work for you, or for your clients, suppliers, etc?
*Savitz Research for ESET, 2012
Some problems that lack of security training can cause
• Unauthorized access to information
• Loss of access to information
• Loss of information
• Corruption of information
• Theft of information
The implications are non-trivial
• Loss of revenue
• Loss of business
• Fines, lawsuits, headlines
• Unbudgeted expenses
– Breach costs currently estimated at around $190 per record exposed*
– 5,263 records = $1 million hit
*Ponemon Institute
Trojan terminates escrow firm
• $1.1 million wired to China and could not be retrieved
• Firm was closed by state law, now in receivership, 9 people out of a job
• So what’s the best weapon for keeping that kind of Trojan code out of your company’s system?
A well-trained workforce
• Knows not to click on suspicious links in email or social media
• Knows to report strange activity (e.g. the two-factor authentication not working)
• Knows to scan all incoming files for malware
– Email, USB drives
Does training make a difference?
• Yes
• A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education*
*A bunch of different studies in recent years
Security training or awareness
• What’s the difference?
• Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely
• Awareness makes sure all people at all levels know what to look out for
Not that kind of actor…
Do your employees know what motivates bad actors?
Impact, advantage, money, credentials
Do you know how the bad guys operate?
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
Popular attack technique
[Diagram: user clicks a link, is taken to an exploit site backed by a malware server, gets infected/owned, and the machine is placed under command & control]
• RAT has full access to victim PC
• And its network connections
• Search and exfiltrate files
• Access to webcam and audio
• Scrape passwords
• Execute system functions
• Chat with victim
What happens next?
So how do we move forward?
The road map: A B C D E F
• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy controls
• Educate employees, execs, vendors
• Further assess, audit, test
[Diagram: the A B C D E F steps form a repeating cycle, with technology underpinning it]
Assess assets, risks, resources
• Assets: digital, physical
– If you don’t know what you’ve got you can’t protect it!
• Risks
– Who or what is the threat?
• Resources
– In house, hired, partners, vendors, trade groups, associations
Build your policy
• Security begins with policy
• Policy begins with C-level buy-in
• High-level commitment to protecting the privacy and security of data
• Then a set of policies that spell out the protective measures, the controls that will be used
Choose controls to enforce policies
• For example:
– Policy: Only authorized employees can access sensitive data
– Controls:
• Require identification and authentication of all employees via unique user name and password
• Limit access through application(s) by requiring authentication
• Log all access
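The policy-to-controls mapping on this slide, worked through as an added example (not code from the talk or from ESET): an application gates every read of sensitive data behind unique user name plus password authentication, enforces the "authorized employees only" policy, and records every attempt, granted or denied, in an audit trail. The users, passwords and records are constructed sample data, and the audit trail is an in-memory list standing in for a real log sink.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data (hypothetical users, passwords and records).
SENSITIVE = {"payroll": "payroll-2013-Q3.csv contents"}
AUTHORIZED_FOR_SENSITIVE = {"alice"}   # policy: only authorized employees
AUDIT = []                             # control: log all access (in-memory here)

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

USERS = {"alice": make_user("correct horse"), "bob": make_user("battery staple")}
_DUMMY = make_user(secrets.token_hex(16))  # unknown names cost the same as real ones

def _log(event: str, user: str, outcome: str, resource: Optional[str] = None) -> None:
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                  "user": user, "outcome": outcome, "resource": resource})

def authenticate(username: str, password: str) -> bool:
    # Control: identification (unique user name) plus authentication (password).
    rec = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])
    ok = ok and username in USERS
    _log("login", username, "success" if ok else "failure")
    return ok

def read_sensitive(username: str, password: str, resource: str) -> Optional[str]:
    # Control: the application itself requires authentication for every read,
    # then enforces the policy, and records the outcome either way.
    if not authenticate(username, password):
        return None
    if username not in AUTHORIZED_FOR_SENSITIVE or resource not in SENSITIVE:
        _log("access", username, "denied", resource)
        return None
    _log("access", username, "granted", resource)
    return SENSITIVE[resource]
```

The denied entries in AUDIT are the "strange activity" a trained employee or an IT reviewer would look for later in the talk.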
Deploy controls, ensure they work
• Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)
• Test control
– Does it work technically?
– Does it “work” with your work?
– Can employees work it?
Educate everyone
• Everyone needs to know
– What the security policies are
– How to comply with them through proper use of controls
• Pay attention to any information-sharing relationships
– Vendors, partners, even clients
• Clearly state consequences of failure to comply
Who gets trained?
• Everyone, but not in the same way; break it down:
– All-hands training
– IT staff training
– Security staff training
How to deliver training
• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative
Incentives?
• Yes!
• To launch programs, push agendas
• Prizes do work
• But also make security part of every job description and evaluation
Use your internal organs
• Of communication!
• Newsletter
• Intranet
• Bulletin board
• Meetings
• Company-wide email
How to do awareness
• Make it fun
• Make it relevant
• Leverage the news
• Bear in mind that everyone benefits from greater awareness, at work and at home
Resources to tap
• Industry associations
• FS-ISAC, NH-ISAC, others
• CompTIA, SBA, BBB
• ISSA, ISACA, SANS, (ISC)2
• Local colleges and universities
• Securing Our eCity
Need more motivation?
• Security training is the law
– HIPAA
– Red Flag Identity Theft Prevention
– Gramm-Leach-Bliley, Sarbanes-Oxley
– FISMA
• Or required by industry
– PCI Data Security Standard
Or just plain required
• To get that big juicy contract
• Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business
Further assess, audit, test…
• This is a process, not a project
• Lay out a plan to assess security on a periodic basis
• Stay up-to-date on emerging threats
• Stay vigilant around change such as arrivals, departures, functionality
[Diagram: the A B C D E F cycle repeats]
The Technology Slide
• Backup and archive
• Firewall and scan incoming traffic: emails, files, devices, media
• Encrypt
• Monitor
• Filter and monitor outbound
• Authenticate users
Thank you!
• [email protected]
• WeLiveSecurity.com
• www.eset.com
• More info in the lobby