TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY
Mark Villinski, @markvillinski
Why do we have to educate employees about cybersecurity?
2014 Corporate Threats Survey
- 94% of businesses suffered a cyber attack in the last 12 months
- Nearly 27% of companies lost confidential data as the result of an internal security incident
- Average cost of accidental data leaks: $39K for SMBs, $884K for enterprises
Source: http://media.kaspersky.com/en/it_security_risks_survey_2014_global_report.pdf?_ga=1.57626858.1152823312.1404311525
QUICK POLL
PERCEPTION VS. REALITY (chart: perception vs. reality today)
Source: B2B International and Kaspersky Lab, IT Security Threats and Data Breaches, October 2014.
How bad is it out there?
Malware volume (chart figures): Kaspersky Lab is currently processing 325,000 malware samples every day; 70,000 unique samples/day.
- 1994: one new virus every hour
- 2006: one new virus every minute
- 2011: one new virus every second
Investment in Security: The Basic Theory for Staying Secure
Simple math for advanced protection (chart: chance of getting infected vs. investment in security)
The chance of getting infected drops exponentially while the cost of an attack increases linearly.
Tip #1: Regularly talk to employees about cybersecurity.
- Explain the potential impact a cyberincident may have on company operations.
- An annual review and signing of an "I have read and understood company IT policies" form is not enough!
Anyone can be a target.
Tip #2: Remember that top management and IT staff are employees too!
Top managers are often targeted because:
- They have access to more information
- IT bends the rules for them
- The damage/payoff can be much bigger!
IT folks are vulnerable, too: unlimited power over the network!
Tip #3: Explain to employees that while you make the best effort to secure company infrastructure, a system is only as secure as its weakest link.
- You don't want them to just comply, you want them to cooperate.
- You can't create a policy sophisticated enough to cover all possible vectors of attack.
- You can't totally dehumanize humans. Humans have weaknesses and make mistakes.
Tip #4: Have regular focused sessions with employees to explore different types of cyberattacks.
- Consider different formats (lunch and learn?)
- Make it useful: most of them have PCs at home and relatives who also need help
- Make it relevant and responsive to real-world examples: notice how much more often these topics hit the nightly news, and those topics are big on social networks!
Malware: what is it?
Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
Characteristics:
- Single-instance signature to evade anti-virus
- Activates programmatically
- Connects to a Command & Control Center
- Keylogger, Ransomware, Remote Access Tool (RAT), and Man in the Browser
Once a system is owned, it can't be restored.
Phishing Prevention: The 100% rules!
- Never click a link in an email
- Never open unexpected attachments
- Never provide information, no matter how innocuous it may seem, to unsolicited phone callers, visitors or email requests
- Never agree to an unsolicited remote control session (such as WebEx, GoToMeeting, LogMeIn)
Your best defense: "Can I call you back?"
July 2012: Yahoo Passwords Hacked
435,000 usernames and passwords hacked. Particularly troubling? The login credentials were in plaintext, not even encrypted.
Top ten passwords from the Yahoo hack:
1) 123456 (38%)
2) password (18%)
3) welcome (10%)
4) ninja (8%)
5) abc123 (6%)
6) 123456789 (5%)
7) 12345678 (5%)
8) sunshine (5%)
9) princess (5%)
10) qwerty (4%)
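The Yahoo slide makes two points at once: users pick passwords from a short, predictable list, and the site stored them in plaintext, so a single leak handed out 435,000 working logins. The following Python is an added example (not from the slides or from any Kaspersky product) showing the defensive counterpart to both: store a salted, slow hash instead of plaintext, and audit an existing credential store against the leaked top-ten list without ever holding plaintext. The sample accounts, their passwords and the PBKDF2 iteration count are constructed for the example.

```python
# Added example, not from the slides: store salted PBKDF2-HMAC-SHA256 instead
# of plaintext, then audit stored hashes against the leaked top-ten list by
# rehashing each list entry with the user's own salt (no plaintext needed).
# Sample accounts and passwords below are constructed for the example.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Top ten passwords from the 2012 Yahoo leak, as quoted on the slide.
YAHOO_TOP10 = ["123456", "password", "welcome", "ninja", "abc123",
               "123456789", "12345678", "sunshine", "princess", "qwerty"]

# Assumption: iteration count chosen for the example; raise it for production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given,
    so two users with the same password get different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def is_common_password(password: str) -> bool:
    """Reject, case-insensitively, anything on the leaked top-ten list."""
    return password.lower() in YAHOO_TOP10


def audit_stored_hashes(records: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Names of accounts whose stored hash matches a top-ten password.
    Cost per account is up to len(YAHOO_TOP10) PBKDF2 runs, which is the same
    slowdown an attacker holding a copy of the database would face."""
    weak = []
    for user, (salt, digest) in records.items():
        if any(verify_password(p, salt, digest) for p in YAHOO_TOP10):
            weak.append(user)
    return weak


def build_sample_records() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed credential store: one weak account, one reasonable one."""
    return {
        "alice": hash_password("sunshine"),          # on the Yahoo list
        "bob": hash_password("T!g3r-lily-orbit-42"),  # not on the list
    }


if __name__ == "__main__":
    for user in audit_stored_hashes(build_sample_records()):
        print(f"{user}: password is on the leaked top-ten list, force a reset")
```

The audit is deliberately as slow as an offline guessing attack would be: with a salted, iterated hash the only way to learn that "alice" uses a top-ten password is to rehash the list once per user, which is exactly the cost a leaked database imposes on an attacker and which plaintext storage removes entirely.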
Ransomware
- More than 40% of CryptoLocker victims agreed to pay
- A Dell SecureWorks report estimates that ransomware rakes in $30 million every 100 days
- An expanding victim base means unlimited financial potential
RSA: Targeted Attack Case Study
On March 17th 2011, RSA announced that it was hacked. During the 2011 Kaspersky Security Analyst Summit, Uri Rivner from RSA talked about how it happened:
- Two employees received an e-mail which contained a spreadsheet attachment labeled "2011 Recruitment Plan".
- The e-mail had been marked as SPAM and put into the spam folder.
- One of the employees opened it, which exploited a zero-day Adobe Flash vulnerability.
RSA e-mail and attachment: http://www.f-secure.com/weblog/archives/00002226.html
Phishing at ABC University
How did this happen? Trickery: a spear-phishing attack. People were tricked by a believable e-mail message into giving their passwords to the bad guys.
Spear-phishers and their tactics:
- Message crafted for ABC University
- Sent to a small number of selected people
- Strike on weekends and holidays, when you are less protected
Goal: to collect information that will let them steal money.
(Screenshot of the fake login page) Not encrypted: no https. Not going to the real ABC University login site.
Impact to people and ABC University
- The University was able to recover a good portion of the money
- Anyone can fall for a clever phishing scam
- The University did replace paychecks; this would be very challenging on a large scale
Lessons learned
- Understand how to know if you are at the real University web login, or a clever fake
- Learn how to analyze email messages to detect ones that are malicious
- Find out how to protect yourself and your devices from cyber threats
- Know common scams
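The two red flags the case calls out on the fake login page, plain http (no encryption) and a host that is not the real University login site, are mechanical enough to be checked automatically, which is also a good way to teach them. The Python below is an added example (not part of the ABC University case material or of any Kaspersky product) that extracts the links from a message and reports those two findings for each one. It generalises the host check slightly: a subdomain of the trusted domain passes, while a lookalike host that merely begins with the University's name does not. All domain names and the sample e-mail are constructed.

```python
# Added example, not from the case material: flag links that use plain http
# or point at a host outside the organisation's real domain. Domain names and
# the sample message are constructed for the example.
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: the organisation's genuine web domain (constructed name).
TRUSTED_DOMAINS = {"abc-university.example"}

# Matches http/https URLs up to whitespace or common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_urls(body: str) -> List[str]:
    """Pull URLs out of a plain-text body, dropping trailing sentence punctuation."""
    return [m.rstrip(".,;:!?") for m in URL_RE.findall(body)]


def host_is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one. The comparison
    is on whole labels, so 'abc-university.example.evil.test' fails: its
    registrable domain is evil.test, whatever the prefix looks like."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_link(url: str) -> List[str]:
    """Findings for one URL; an empty list means neither red flag applies."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        findings.append("not encrypted: no https")
    host = parsed.hostname or ""
    if not host_is_trusted(host):
        findings.append(f"not the real login site: host is {host!r}")
    return findings


def analyse_message(body: str) -> Dict[str, List[str]]:
    """Map each URL in the message to its findings."""
    return {url: analyse_link(url) for url in extract_urls(body)}


# Constructed training message in the style of the case: urgency, a holiday
# weekend, and links that look like the university but are not.
SAMPLE_EMAIL = """\
Subject: Payroll update required before the holiday weekend

Dear staff, your direct deposit will be suspended unless you confirm your
details at http://abc-university-payroll.evil.test/login today.
If that page is busy, use https://login.abc-university.example.evil.test/portal.
The genuine portal remains https://login.abc-university.example/portal.
"""

if __name__ == "__main__":
    for url, findings in analyse_message(SAMPLE_EMAIL).items():
        status = "; ".join(findings) if findings else "no red flag"
        print(f"{url}\n    {status}")
```

The second sample link is the instructive one for a training session: it uses https and starts with the University's own name, so the "padlock" test alone passes, and only reading the host name from right to left reveals that it lives under evil.test.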
Tip #5: Pay special attention to social engineering.
- A lot of cyberincidents start with a phone conversation with someone who poses as a coworker and builds his understanding of company internal structure and operations by asking innocent questions.
- A cybercriminal exploiting social weaknesses almost never looks like one.
A Dangerous Weapon of Cybercrime
Piggybacking?
The Importance of Securing Computers/Workstations
- Windows: press the Windows key + L to lock the screen.
- Mac: enable the screensaver and check the "Require password to quit screensaver" check box.
Tip #6: Train your employees to recognize an attack.
- Communicate clear-cut, step-by-step instructions on what to do if an employee believes there's a cyber incident happening.
- If you are not trained, you will get lost when the show starts.
Training should involve things like:
- Unplug your machine from the network (physically).
- Remember that any and every keystroke can be sent to cybercriminals by a keylogger.
- Notify your administrator.
- If you can't find your mobile device, immediately notify your administrator.
- Emergency number: if you can't find your IT emergency number in under 20 seconds, you are doing it wrong.
- And so on.
Tip #7: Never disapprove of or make fun of an employee who raises a red flag, even if it is a false alarm. This will discourage employees from raising the alarm when a real cyber attack comes. I mean NEVER. If false alarms come often, improve the training approach.
Tip #8: In case of an incident, give your employees a heads-up.
- Even if an incident has happened already, improper handling may (significantly) increase its impact.
- Issue instructions on how to speak to the public/press about the incident.
- Have a plan in place BEFORE anything happens.
- Get insurance for cyber-incidents.
Tip #9: Test knowledge regularly.
- Make it relevant: remember they live digital lives. It matters!
- Make it fun. Or rewarding. Or fun and rewarding.
Phish Self-Testing (Too Successful 12/2013)
Phish Self-Testing (Zero Success 5/2014)
Phish Self-Testing eslap
Are you cyber savvy? https://blog.kaspersky.com/cyber-savvy-quiz/
Tip #10: Listen to feedback.
- If you force employees to change passwords every week, be prepared that they will write them down and post them in their workplace.
- If access to something they need for work is too complicated, they will use personal email, USB sticks or fellow employees to bypass the restrictions.
- If something is out of balance, it will trigger unsafe behavior. Listening to feedback is how you learn the root cause.
Systems Management & Actionable Patching
- System provisioning: create images, store and update, deploy
- Licence management: track usage, manage renewals, manage license compliance
- Remote tools: install applications, update applications, troubleshoot
- Vulnerability scanning: HW and SW inventory, multiple vulnerability databases
- Advanced patching: automated prioritization, reboot options
- Network Admission Control (NAC): guest policy management, guest portal
Whitelisting & Application Control: device control, web control, application control with dynamic whitelisting
Encryption & Data Protection
If cybercriminals seize control of a system and penetrate the corporate network, they may try to exfiltrate sensitive data such as configuration files, private keys and source code. However, even if the criminals manage to download something, they will not be able to read the content of the encrypted files.
(Diagram: inside the network / outside the network)
Why Kaspersky?
OUR LEADERSHIP IS PROVEN BY INDEPENDENT TESTS
Questions & Answers
Mark Villinski, Mark.villinski@kaspersky.com, @markvillinski