Cyber Security 101: Training, awareness, strategies for small to medium sized business

Security 101: Training, awareness, and strategies. Stephen Cobb, CISSP, Senior Security Researcher, ESET NA

Upload: stephen-cobb

Post on 14-Jan-2015

DESCRIPTION

I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.

TRANSCRIPT

Page 1: Security 101: Training, awareness, and strategies

Stephen Cobb, CISSP, Senior Security Researcher, ESET NA

Page 2: The SMB "Sweet Spot" for the cyber-criminally inclined

[Chart: Enterprises, the SMB "Sweet Spot", and Consumers plotted by assets worth looting against level of protection]

Page 3: The challenge

• Organizations of every type rely on computers to handle information

• Everyone today is a computer user

• Most have no security training

• Lack of security training leads to problems

Page 4: How big is the challenge?

We asked U.S. consumers if they had ever received any computer security training

No: 68%

Yes: 32%

*Savitz Research for ESET, 2012

Page 5: 68% is sadly consistent

We asked working adults in the U.S. if they had ever received any computer security training

No: 68%

Yes: 32%

*Harris poll for ESET, 2012

Page 6: 73% is even worse

We asked adults in the U.S. who use social media if they had ever received online safety training

No: 73%

Yes: 27%

*Harris poll for ESET, 2012

Page 7: Security training is not yet part of our society*

• This has serious implications for your business

• 93% of American adults say they’ve had no computer security training in the last 12 months

• How many of them work for you, or for your clients, suppliers, etc.?

*Savitz Research for ESET, 2012

Page 8: Some problems that lack of security training can cause

• Unauthorized access to information

• Loss of access to information

• Loss of information

• Corruption of information

• Theft of information

Page 9: The implications are non-trivial

• Loss of revenue

• Loss of business

• Fines, lawsuits, headlines

• Unbudgeted expenses

– Breach costs currently estimated at around $190 per record exposed*

– 5,263 records = $1 million hit

*Ponemon Institute

Page 10: Trojan terminates escrow firm

• $1.1 million wired to China and could not be retrieved

• Firm was closed by state law, now in receivership, 9 people out of a job

• So what’s the best weapon for keeping that kind of Trojan code out of your company’s system?

Page 11: A well-trained workforce

• Knows not to click on suspicious links in email or social media

• Knows to report strange activity (e.g. the two-factor authentication not working)

• Knows to scan all incoming files for malware

– Email, USB drives

Page 12: Does training make a difference?

• Yes

• A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education*

*A bunch of different studies in recent years

Page 13: Security training or awareness

• What's the difference?

• Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely

• Awareness makes sure all people at all levels know what to look out for

Page 14: Not that kind of actor…

Do your employees know what motivates bad actors?

[Diagram: what motivates bad actors: impact, advantage, money, credentials]

Page 15: Do you know how the bad guys operate?

• Specialization

• Modularity

• Division of labor

• Standards

• Markets

Page 16: Popular attack technique

[Diagram: User clicks a link → taken to exploit site → gets infected/owned; malware server; command & control]

Page 17–18: (image-only slides)

Page 19:

• RAT has full access to victim PC

• And its network connections

• Search and exfiltrate files

• Access to webcam and audio

• Scrape passwords

• Execute system functions

• Chat with victim

Page 20: What happens next?

Page 21–23: (image-only slides)

Page 24: So how do we move forward?

Page 25: The road map: A B C D E F

• Assess your assets, risks, resources

• Build your policy

• Choose your controls

• Deploy controls

• Educate employees, execs, vendors

• Further assess, audit, test

[Diagram: the A B C D E F cycle, labelled "Technology"]

Page 26: Assess assets, risks, resources

• Assets: digital, physical

– If you don't know what you've got you can't protect it!

• Risks

– Who or what is the threat?

• Resources

– In house, hired, partners, vendors, trade groups, associations

Page 27: Build your policy

• Security begins with policy

• Policy begins with C-level buy-in

• High-level commitment to protecting the privacy and security of data

• Then a set of policies that spell out the protective measures, the controls that will be used

Page 28: Choose controls to enforce policies

• For example:

– Policy: Only authorized employees can access sensitive data

– Controls:

• Require identification and authentication of all employees via unique user name and password

• Limit access through application(s) by requiring authentication

• Log all access
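One way to turn that policy and its three controls into working code, as an added example that is not from the slides or from ESET: the account names, passwords and the `access_sensitive_data` function are constructed for the illustration, and the important point is that authenticated is not the same as authorized, and that denied attempts are logged as carefully as allowed ones.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked directory does not hand out reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, authorized: bool) -> Dict[str, object]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(password, salt), "authorized": authorized}


# Constructed employee directory for the example: every user has a unique
# user name; only some are authorized for sensitive data. Passwords are
# placeholders, not anything from the original slides.
USERS: Dict[str, Dict[str, object]] = {
    "alice": make_user("correct horse battery", authorized=True),
    "bob": make_user("hunter2-but-longer", authorized=False),
}

# Control 3, "log all access": every attempt lands here, allowed or denied.
ACCESS_LOG: List[Tuple[str, str, str]] = []  # (user, outcome, reason)


def access_sensitive_data(username: str, password: str) -> bool:
    """Policy: only authorized employees can access sensitive data."""
    user: Optional[Dict[str, object]] = USERS.get(username)
    # Control 1: identify and authenticate by unique user name and password.
    # Unknown users cost the same work and get the same answer as a bad
    # password, so the response does not reveal which user names exist.
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["hash"] if user else b"\x00" * 32
    if user is None or not hmac.compare_digest(_hash_pw(password, salt), expected):
        ACCESS_LOG.append((username, "DENIED", "authentication failed"))
        return False
    # Control 2: limit access. Being a real employee is not enough;
    # the account must be authorized for this data.
    if not user["authorized"]:
        ACCESS_LOG.append((username, "DENIED", "not authorized for sensitive data"))
        return False
    ACCESS_LOG.append((username, "ALLOWED", "sensitive data read"))
    return True
```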

Page 29: Deploy controls, ensure they work

• Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)

• Test control

– Does it work technically?

– Does it "work" with your work?

– Can employees work it?

Page 30: Educate everyone

• Everyone needs to know

– What the security policies are

– How to comply with them through proper use of controls

• Pay attention to any information-sharing relationships

– Vendors, partners, even clients

• Clearly state consequences of failure to comply

Page 31: Who gets trained?

• Everyone, but not in the same way; break it down:

– All-hands training

– IT staff training

– Security staff training

Page 32: How to deliver training

• In person

• Online

• On paper

• In house

• Outside contractor

• Mix and match

• Be creative

Page 33: Incentives?

• Yes!

• To launch programs, push agendas

• Prizes do work

• But also make security part of every job description and evaluation

Page 34: Use your internal organs

• Of communication!

• Newsletter

• Intranet

• Bulletin board

• Meetings

• Company-wide email

Page 35: How to do awareness

• Make it fun

• Make it relevant

• Leverage the news

• Bear in mind that everyone benefits from greater awareness, at work and at home

Page 36: Resources to tap

• Industry associations

• FS-ISAC, NH-ISAC, others

• CompTIA, SBA, BBB

• ISSA, ISACA, SANS, (ISC)2

• Local colleges and universities

• Securing Our eCity

Page 37: Need more motivation?

• Security training is the law

– HIPAA

– Red Flag Identity Theft Prevention

– Gramm-Leach-Bliley, Sarbanes-Oxley

– FISMA

• Or required by industry

– PCI Data Security Standard

Page 38: Or just plain required

• To get that big juicy contract

• Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business

Page 39: Further assess, audit, test…

• This is a process, not a project

• Lay out a plan to assess security on a periodic basis

• Stay up-to-date on emerging threats

• Stay vigilant around change such as arrivals, departures, functionality

[Diagram: the A B C D E F cycle]

Page 40: The Technology Slide

• Backup and archive

• Firewall and scan: incoming traffic, emails, files, devices, media

• Encrypt

• Monitor

• Filter and monitor outbound

• Authenticate users

Page 41: Thank you!

• [email protected]

• WeLiveSecurity.com

• www.eset.com

• More info in the lobby