How to Develop a Security Conscious Lens and the Tools to Help You Do It – Siddika Jessa, Service Manager, TLD Computers & CustomWorks

Posted on 25-Jul-2020

Page 1

How to Develop a Security Conscious Lens and the Tools to Help You Do It

Security

Siddika Jessa, Service Manager, TLD Computers & CustomWorks

“When you discover a new Lens, you can no longer see without it”

Page 2

Our Journey together

• Security at a personal & business level
• Vulnerabilities, Risks & Threats – What’s what?
• Leave it to Chance / Change
• What can I do to ensure that my business is safe?
• A history lesson on Cloud
• Can my fridge be hacked?
• Dark Web – How dark is it?

“When you discover a new Lens, you can no longer see without it”

Page 3

My Story

Page 4

Security at a personal & business level

Let’s compare

Security

“When you discover a new Lens, you can no longer see without it”

Page 5

What does security look like?

How many locks would this house have?

• Gate
• Garage
• Front door
• Back door
• Balcony (upstairs)
• Windows (12)
• Garage door into house
• Basement

Security

Page 6

Vulnerabilities, Risks & Threats

What’s what?

Security

Page 7

Vulnerability, Risk, Threat

• What was the vulnerability? A weakness or gap that can be exploited
  • Door was open
  • No alarm system installed

• What was the threat? Someone targeting this vulnerability, which was not mitigated because it was not properly identified as a risk
  • Someone takes advantage of the vulnerability
  • Loss of assets
  • Valuable family jewels – sentimental value

• What was the risk? The potential for loss or damage
  • High chance of break-in
  • Risk of repeat break-in – the key may have been copied
  • Higher risk if no alarm system or alarm monitoring is installed

Page 8

Point

• Securing a computer or a network follows the same principles
• Gaining access is easier than ever
• You would notice a missing microwave
• A remote cyber hacker may be lurking in our systems for years without us even noticing

Page 9

Would you intentionally?

• Give a set of keys to your house to strangers?
• Leave a door/window open?
• Not install a lock on the front door?
• Not install an alarm/monitoring?
• Install the same locks throughout the house – safe, file cabinet?
• Not insure your property?

Is like

• Sharing passwords
• No password / simple password policy
• Unpatched systems
• No encryption, firewall, etc.
• No monitoring alerts
• Same password on all systems
• No backups in place to recover from

Page 10

How do we recover/mitigate?

• Check for losses – claim insurance
• Change all the locks
• Install an alarm system
• Have good neighbours

Page 11

People are People

Page 12

Cybercrime is the modern crime

• Less bricks and mortar – padlocks, etc.
• More digital crimes
• Sophisticated thieves
• Take advantage of people’s vulnerability – social engineering
• White hat / black hat

Consumers can shop in the comfort of their home.
Thieves can steal in the comfort of their homes too.

Page 13

Vulnerability, Risk, Threat – Business

• What vulnerability? A weakness or gap that can be exploited
  • Patches are not installed
  • Employee information accessible through an employee with a weak password
  • Employees can access malicious websites – no web protection
  • Employees unaware of the psychology of persuasion

• What is the threat? Someone targeting this vulnerability, which was not mitigated because it was not properly identified as a risk
  • Hacker attempts and gets into your system and takes control of resources
  • Steals employee information and sends malicious messages to your employees

• What is the risk? The potential for loss or damage
  • High chance of break-in to the environment
  • Risk of repeat break-in – opens other doors in your environment by making changes
  • No policies or tools applied, so greater chance of compromise

Page 14

Do you know the vulnerabilities in your business?

You can’t mitigate what you don’t know

ASSESSMENT – Step 1

Page 15

Human or Machine

Who is getting smarter?

Page 16

Compromised System Impact – CIA

• Confidentiality: Policy; security technologies (firewall, MFA, passwords)
• Integrity: Access control – what can they do with the data? Rollbacks, tests, audits
• Availability: Data/system availability – UPS, resilient systems

Page 17

Tug of War – Who Wins?

• Security is a tug of war between protection and convenience
• At times convenience is going to win
• People get frustrated and demand relaxing security protocols to make it more convenient, without fully understanding or measuring the risk-to-reward factors

Know your risks

Page 19

Most of the hacks are an inside job - mostly unintentionally

Your biggest risk is your most valuable resource - your people

Page 20

Is this you?

Do you create tons of accounts you will never again visit?

Do you get annoyed thinking up new passwords, so you just use the same one across all your accounts?

Does your password contain a sequence of numbers, such as “123456” or a name of a family member or your birthday?

Do you automatically click all links and download all email attachments coming from your friends?

Page 21

You are incredibly lucky that nobody's hacked you before.

Or perhaps you don’t even know that you are being hacked.

Page 22

Do you do online transactions?

• Payment Card Industry Data Security Standard (PCI DSS)
• PCI Standards Council – an independent body formed in 2006
• Ensures that ALL companies that accept, process, store or transmit credit card information maintain a secure environment

Page 23

What can I do to protect my business?

There is hope

Page 24

Develop a Security Conscious LENS

Security Awareness for your people

Secure your technology with Tools

Security

Page 25

Habits – Change in behaviour

Increase awareness of risk

• Educate/train on awareness: social engineering, phishing. Mandatory training
• Compare to personal loss, not just business loss
• Have an in-house security awareness team, e.g. a “Pizza Group”
• Good neighbour check-in
• Appoint a person in-house to be the go-to
• Report any unattended devices

Violation of privacy

• Personal and professional

How do I prevent this?

Reputational loss

Security

Page 26

User Behaviour

Influence – Principles of Persuasion

• Reciprocity – A free gift creates an obligation to buy or to download the free software
• Commitment to a good story – Everyone likes a good story; we overlook strange details
• Authority – Following a person in authority is easier and we almost feel pressured. Fear of repercussions
• Liking – Create a relationship of trust and we give in quickly
• Scarcity – Time-limited, urgent

• Hackers are good at human psychology and study it, then use these strategies
• Evoking emotions to the point that the victim forgets about security
• How do you train your staff to avoid falling victim to such attacks?

Page 27

How can I spot Phishing?

• Always check the email address and not just the display name
• Notice any change in language in the email: words that your contact wouldn’t typically use
• Ask questions that only you and they would know. Often, if they are already in your system, they may be aware of your discussions with others, so even this can be difficult. They work one step ahead
• Use another way to contact, don’t just rely on email: phone, text, etc.
• When asked to provide information like maiden name, address or birthdate, be vigilant. Ask for a name and contact and check with your financial institution in another way
• If you feel something is not right, go with your gut and do that extra check
• Train your employees regularly with mandatory security training, and keep up with webinars, share security articles. Tools to test your employee behaviour are available as well

Phishing: a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
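The checks the slide describes can be automated as a first-pass triage of incoming mail. The following is an added example, not part of the deck; the address book, keyword lists and sample messages are constructed for it, and each check maps to one bullet above (display name vs. real address, redirected replies, urgency language from the persuasion slide, requests for identity details).

```python
"""Added example (not from the deck): flag the phishing tells the slide lists.

The address book, keyword lists and both sample messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed address book: people the recipient knows and the address they use.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@acme.example",
    "accounts payable": "ap@acme.example",
}
# Constructed phrase lists standing in for "time limited, urgent" and
# "asked for maiden name, address, birthdate".
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "final notice")
SENSITIVE_REQUESTS = ("maiden name", "date of birth", "birthdate",
                      "password", "home address", "card number")


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' when it has no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _text_parts(msg: Message) -> str:
    """Subject plus every text/plain body part, lower-cased for matching."""
    chunks = [msg.get("Subject", "")]
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks).lower()


def analyse_message(raw: str) -> list[str]:
    """Return human-readable findings for one raw message; [] means no tells found."""
    msg = message_from_string(raw)
    findings: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    # Tell 1: a familiar display name on an unfamiliar address.
    if expected and expected != from_addr.lower():
        findings.append(f"display name '{display_name}' is known as {expected} "
                        f"but the mail came from {from_addr}")

    # Tell 2: a Reply-To that quietly moves the conversation to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To {reply_to} is outside the sender's domain {_domain(from_addr)}")

    text = _text_parts(msg)
    # Tell 3: time pressure and threats (scarcity / authority).
    findings += [f"urgency language: '{p}'" for p in URGENCY_PHRASES if p in text]
    # Tell 4: asking for details a genuine contact would not need over e-mail.
    findings += [f"asks for sensitive detail: '{p}'" for p in SENSITIVE_REQUESTS if p in text]
    return findings


# Constructed sample messages: one lookalike-domain phish, one genuine note.
PHISH = """\
From: Jane Doe <jane.doe@acme-billing.example>
Reply-To: collect@mailbox.example
Subject: Urgent: invoice correction
Content-Type: text/plain; charset="utf-8"

Hi, please confirm your date of birth and card number within 24 hours
or the account will be suspended.
"""

LEGIT = """\
From: Jane Doe <jane.doe@acme.example>
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Still on for Friday at noon? Same place as last month.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse_message(raw) or ["no tells found"])
```

A message with no findings is not proven safe; the slide's advice to confirm through a second channel still applies.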

Page 30

Gaining insight into your IT Systems?

• What Risks are you exposed to?

• How much data can you afford to lose?

• How long can you afford to be down?

• Have you implemented any mitigation strategies?

• How well are your systems running?

Page 31

Case Study: Financial Firm Requirements

Couldn’t lose more than a day’s worth of Data

Couldn’t be down for more than half a day

Couldn’t be down “at all” during tax season

Prevent ransomware attacks

Secure email accounts

Current system is out of date and bogging down productivity and efficiency

Page 32

Strategies Implemented

• Moved from physical servers to Infrastructure as a Service – decreased chances of and reduced outages
• Upgraded network and VPN connections with reliable business-class hardware – decreased chances of and reduced outages
• Moved Exchange on-prem to Office 365 – provided better protection from phishing attempts
• Eliminated direct RDP – removed the ability for malicious login attempts to have major impacts, and allowed for MFA
• Implemented a DMZ – in the event that public-facing services were compromised, an attacker is limited in what he can attack
• Implemented a sensible password policy with MFA for all public-facing services – eliminated guessed passwords and significantly reduced ransomware attack vectors
• Implemented a high-performance backup and disaster recovery system – recovery of lost servers takes minutes

Page 33

Strategy

• We use security tools that follow the NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• This voluntary Framework consists of standards, guidelines and best practices to manage cybersecurity risk

Page 34

Solution Strategy

1. IDENTIFY – Valued assets (what to protect/arm?)
2. PROTECT – Tools, awareness (install an alarm)
3. DETECT – Monitoring tools (alarm monitoring system)
4. RESPOND – Block / contain it (response team)
5. RECOVER – Recover the losses (insurance claim / police report)

Page 35

Solution Strategy - Business

1. IDENTIFY – Gaps in security / valued assets (ASSESSMENT)
2. PROTECT – Security tools, MFA, backup, awareness (TOOLS / EDUCATION)
3. DETECT – Monitoring tools (ALERT MONITORING)
4. RESPOND – Block vulnerability / contain it (TOOLS / TEAM)
5. RECOVER – Recover the files/system (BACKUP SOLUTION / REPORT CYBERCRIME)

Page 36

Center for Internet Security

20 CIS Controls & Resources: https://www.cisecurity.org/controls/cis-controls-list/

Basic
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Workstations & Servers
6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational
1. Email and Web Browser Protections
2. Malware Defenses
3. Limitation and Control of Network Ports, Protocols and Services
4. Data Recovery Capabilities
5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
6. Boundary Defense
7. Data Protection
8. Controlled Access Based on the Need to Know
9. Wireless Access Control
10. Account Monitoring and Control

Page 37

Center for Internet Security

Organizational
1. Implement a Security Awareness and Training Program
2. Application Software Security
3. Incident Response Management
4. Penetration Tests and Red Team Exercises

Page 38

A History Lesson on Cloud

When did it start?

Page 41

Money in the Bank / Data on the Cloud

Page 42

Digital Footprint

Page 43

What is Safe?

On your premises:
• Money at your premises – cash?
• Data on premise in your business
• Low accessibility
• High risk of loss in a disaster
• Lower levels of protection

In the bank / cloud:
• Money in the bank / cloud?
• Data on the cloud?
• Higher accessibility
• Lower risk of loss in a disaster
• Higher levels of protection in the bank/cloud? More to lose

Page 44

Compare Value

Assets
• Car
• Appliances
• Jewelry
• Clothes
• Electronics (Google Home)

Data
• Finance records
• Employee information
• Client information
• Personal information
• Social media information

Page 45

Internet-of-Things (IoT)

IoT definition: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” – Oxford Dictionary

Page 48

What’s one thing that can prevent the IoT from transforming the way we live and work?

Interestingly, the Oxford definition is accompanied by:

"If one thing can prevent the Internet of Things from transforming the way we live and work, it will be a breakdown in security."

Page 49

IoT & Security

The Internet of Things is set to transform the digital marketplace and dominate the way we live and work. Because there are so many devices that can be hacked, that means that hackers can accomplish more. The point is that we have to think about what a hacker could do with a device if he can break through its security.

Security

Page 50

IoT Exploits: Casino Fish Tank Hacked

Page 51

IoT & Security

“As IoT devices associated risks increase exponentially.

Organizations and individual consumers need to be far more educated on how to address these risks: from the simplistic, such as changing default passwords, to the more complex, such as network segmentation or device management.

Failure to do so can truly be a matter of life or death. That isn’t hyperbole any longer.” – Chris Hall, Principal, PwC

Page 52

The Dark Web

What is it?

Page 53

Dark Web

• According to researchers, only 4% of the internet is visible to the general public
• Meaning that the remaining 96% of the internet is made up of “The Deep Web”

Page 56

Why was TOR created? – Backstory

• Created by the US Office of Naval Research Laboratory in the 1990s
• TOR is an open-source non-profit organization running out of a YWCA in Cambridge, Massachusetts
• 33 full-time employees
• TOR is hosted by 1000s of volunteers around the world

Page 58

The Dark Web - .onion

Page 59

Cybersecurity is a Continual Solution

FBI: There are only two types of companies:

1. Those that have been hacked, and
2. Those that will be.

And companies that have been hacked will be hacked again.

Page 60

Steps to take

1. IT risk assessment – know what your risks are, then act on reducing the risks
2. Encrypt sensitive information in storage and in transit
3. Back up on-site and to the cloud. Keeping it at home may affect your insurance
4. Limit access to data on an as-needed basis. Folder permissions
5. Create a good password policy – and enforce it
6. Consider Multi-Factor Authentication (MFA). Requires two or more pieces of evidence to authenticate
7. Patch your systems regularly – including wireless access
8. Train your employees on good security hygiene
9. Consider cybersecurity insurance – there are a lot of ransomware attacks still occurring

Page 61

Policy, Tools and Training

• Password sharing – Security Awareness Training
• Using the same password across all systems – Security Awareness Training
• Detecting phishing and malicious email – Security Awareness Training
• Internet usage policy document – Security Awareness
• No screen lock – Policy and Tools
• Poor password – Policy and Tools
• No backup – Disaster Recovery Plan – Tools
• No firewall – Network Security Plan – Tools
• No DNS filtering – Web Security Plan – Tools
• No malware protection – End-Point Protection Plan – Tools

Page 62

Things to Consider

• Awareness and Education
• Backups and Disaster Recovery
• IT Security
• Outages
• Mitigation Plans
• Manageability
• Assessments
• Policies

Page 63

Building a bridge for your Business needs

Page 65

IT Solutions – TLD Connect Managed – www.tld.com

Audio Video Solutions – CustomWorks Connect Managed – www.customworks.ca

So you can FOCUS on what you do BEST