Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Transcription

1 Building The Human Firewall Andy Sawyer, CISM, C CISO Director of Security Locke Lord

2 Confidentiality, Integrity, Availability Benchmarks of Cybersecurity: Confidentiality Information is protected against disclosure to unauthorized parties Integrity Information can be relied upon. It is protected from unauthorized modification or destruction, ensuring non-repudiation and authenticity. Availability Timely and reliable information access to authorized individuals

3 Threats, Vulnerabilities, Risk Threat Any circumstance, event, or agent that can cause harm to an information asset Vulnerability Susceptibility to a threat due to a weakness or lack of a countermeasure Risk Probability of losing something of value. In information security, it is a threat exploiting a vulnerability and the resulting business impact.

4 Types of Cybercrime Computer Assisted Attacking financial systems, critical infrastructure, industrial spying, obtaining military intelligence Computer Targeted DDOS, identity theft, capturing sensitive data, installing malware, ransomware Identity theft is fastest growing white collar crime

5 Cybercrime Drivers Money/Organized Crime/Nation States/Hacktivism Globalization Systems Are More Open Convergence - Anything, anywhere, any time vs. sophisticated attackers Violent crime is down while cybercrime is up Number of criminals has not decreased, just tools of the trade Sophistication of hackers Advanced Persistent Targeted Threats Cybercrime Consumerism

6 Cybercrime Challenges Attackers are hard to identify Crimes are hard to detect Crimes are hard to prove Crimes are not reported Jurisdiction Issues

7 Cybercrime Victim Responses Most Common Responses (40-70%) Patch vulnerable software/hardware Install new security software/hardware Conduct internal investigation Additional security awareness training Change organization s security policies Least Common Responses (3 30%) Contact law enforcement Report to legal counsel Report to anyone outside the organization Report to media

8 2014 Cybercrime Victims Date Company Records Exposed Jan 25 Michaels 2,600,000 Feb 6 Home Depot 20,000 Apr 22 Iowa State 48,729 Jul 22 Goodwill 868,000 Aug 18 Community Health Systems 4,500,000 Aug 21 US Postal Service 105,000 Aug 28 JP Morgan Chase 1,000,000 Nov 7 Home Depot 53,000,000 Nov 10 US Postal Service 800,000 Nov 18 Staples 1,200,000

9 An Ounce of Prevention Zero or low cost solutions Be on P.A.R. Adopt Protective Measures Stay Aware of changes to business activity Immediately Respond to criminal cyber activity

10 Security Awareness The training and attitude people possess regarding the protection of physical and information assets. Information security is as much social science as it is computer science. Technology is the cyber attack delivery vehicle but human behavior, not computer vulnerability, is the target. Without understanding human factors and cultivating a culture of awareness, technology will let us down.

11 Security Awareness Building Blocks Training Your people can learn, improve, get better. They are your best firewall, a human firewall. If you are not providing security awareness training, there should be no expectation your employees are prepared for an attack. Recognize That You Are A Target Pay Attention to Federal and State Regulations Know What s Happening In Your Industry

12 Use Different Passwords Work Passwords Social Networks Banking Public Medical Shopping Change Every 90 Days Complex passwords are hard to remember Passphrases Instead of Passwords Second and 1 is not a pass down! That was a catch! Password Managers

13 90% of malware is delivered by phishing Think Target, Chase, Home Depot Phishing attempts to gain: Unauthorized access Confidential information Phishing is a people problem Appeal to trust, relationship, charity, greed, curiosity, fear, right a wrong

14 Use different accounts for work, personal correspondence, social networks Hyperlinks Hover to Discover Before Clicking Be wary of attachments Public is not for work Get your own domain

15 Lock Them Down Workstations Comprehensive Patching- O/S, Applications, Anti-virus Encrypt all drives, including removable media Use power-on passwords Lock screen after 15 minutes of inactivity

16 Require Passcodes/PINs Mobile Devices Encrypt everything, including memory cards Lock screen after 5 minutes of inactivity Remote Wipe Software Dispose with care

17 Two Factor Authentication Identification - Your claim Authentication Your proof Something you know - Password Something you have - Token, text Something you are Biometrics You already use two factor authentication Consider two-factor authentication for: Servers Websites Workstations Remote Access

18 Cloud Computing Your data is in the cloud. Sanctioned or not. Storage, Backup, Collaboration Office & Financial Apps, CRM Cloud Provider Checklist SLAs Access Auditing Compliance Backups Confidential Information Breach Reporting Encryption Geographic Location Data Return/Removal Support

19 Protective Measures Security Awareness Training Recognize Social Engineering Strong Passwords Discernment Two-Factor Authentication Lock Down Desktops Blacklist Applications Avoid Free Cloud Storage Avoid Free Web Security Restrictions Minimize Social Media Classify/Separate Data Restrict Access Backup Secure Wireless Networks Vulnerability Assessment Vet Third Parties Firewalls Intrusion Prevention Services Data Loss Prevention

20 Questions?

21 Helpful Links Today s Presentation Is Available: