A Small Business Approach to Big Business Cyber Security. Brent Bettis, CISSP 23 September, 2014

Transcription

1 A Small Business Approach to Big Business Cyber Security Brent Bettis, CISSP 23 September,

2 First, a Video 2

3 3

4 Agenda Threat Landscape Strategic Initiatives Security Strategy Q&A 4

5 Threat Landscape Hackers Disgruntled Employees Nation-States Terrorists The Threat is multi-faceted, global, ever changing and relentless 5

6 6

7 Cyber Crime Any crime that involves a computer or a network is a cyber crime. Typically, cyber crime is committed via the internet in the form of identity theft, spam, or credit card fraud. It is imperative that all users recognize threats to the security of your company s information and information systems. Video: 7 7

8 Social Engineering One way criminals attempt to commit cyber crime is through social engineering. Social engineering is a technique used to obtain information through the act of manipulating or exploiting human behavior to gain unauthorized access to information or systems for criminal purposes. Social engineers use the human desire to trust and help people to their advantage. They target passwords, access badges, smart phones, wallets, or personal employee information. Social engineers use a variety of techniques to obtain information. Video: 8 8

9 Phishing Phishing is the act of posing as a legitimate person or business requesting information or passwords to obtain access to personal or company information. Typically, phishing attacks come in the form of or text messages that have a malicious link within the that resembles a real website address. Video: 9 9

10 Malware Malware, or malicious software, disrupts, steals information from, or damages a computer system. It is inadvertently installed by users, most commonly, when they download infected files, click on malicious links, or visit an infected website. Once the malware is installed, it can give a hacker access to your computer and provide a gateway to the rest of the network. As a user, you can prevent malware from being installed on your computer by scanning attachments for viruses, reporting suspicious s instead of opening them

11 Social Media Social media services are a great way to keep in touch with people you know. There are many social media sites that individuals use to communicate and share information such as Facebook, Twitter, and LinkedIn. Typically, these sites will ask you for personal information such as your birthday, hobbies, education, job, and contact information. Everything on a social networking site is searchable and people can target you based on things you like or what you do. You can even be targeted through friends on your site

12 So, what can we do about this threat 12

13 Cyber Security Program Maturity The amount of effort you put into your cyber security training and policy development radically drives up your maturity and success with the program. 13

14 SWOT Analysis 14

15 Building the Team The first step in effective security program is having the right team: Security Engineer/Admins Perimeter Defense (Firewalls, IPS/IDS, anti-virus, web-gateway, spam protection etc) Access Control (account provisioning and de-provisioning) Governance, Risk, and Compliance team Establish controls (managerial, operational or technical) Policy creation, security education and training awareness, disaster recovery and business continuity, legal hold and e-discovery 15

16 Negotiate, not mandate, restrictiveness of Cyber Security Policy to ensure higher levels of acceptance and adoption Determine Required Controls Establish Initial Stringency Review Interactively with Business Publish Drafts, Solicit Feedback Security Services determining the areas where documented controls are needed by the enterprise. Use the results of security audits to identify weak points in existing security controls. IT sets initial stringency such that its rationale can be provided in business terms. Start point only; using it as the opening position. Dynamic, in that it will change once business needs are understood. IT and business units use workshop sessions to tailor the constraint the policy represents. Allows for Security Services to know which issues we can give on, and where we need to hold firm then practice give-andtake. IT drafts policies based on agreedto stringency, circulates for review, and incorporates feedback. Maintaining business unit involvement eliminate the risk of error and disagreement at publication. 16

17 Assess, interview & analyze to determine security policy and training needs 17

18 Security Strategy Leverage technical and process controls with continued education to provide a secure yet flexible computing environment Combination lock approach to security Multi-layered approach Technical and process controls Employee education and awareness 18 18

19 Strategic Communications/Partnerships (CRUCIAL to SUCCESS) 19

20 Resources to aid you in your campaign to combat cyber crime

21 Q&A 21