How to Develop a Security Conscious Lens and the Tools to Help You Do It
Security
Siddika Jessa, Service Manager, TLD Computers & CustomWorks
“When you discover a new Lens, you can no longer see without it”
Our Journey Together
• Security at a personal & business level
• Vulnerabilities, Risks & Threats – What’s what?
• Leave it to Chance / Change
• What can I do to ensure that my business is safe?
• A history lesson on Cloud
• Can my fridge be hacked?
• Dark Web – How Dark is it?
My Story
Security at a personal & business level
Let’s compare
What does security look like?
How many locks would this house have?
• Gate
• Garage
• Front door
• Back door
• Balcony (upstairs)
• Windows (12)
• Garage door into house
• Basement
Vulnerabilities, Risks & Threats
What’s what?
Vulnerability, Risk, Threat
• What was the vulnerability? A weakness or gap that can be exploited
  • Door was open
  • No alarm system installed
• What was the threat? Someone targeting this vulnerability, which was not mitigated because it was not properly identified as a risk
  • Someone takes advantage of the vulnerability
  • Loss of assets
  • Valuable family jewels – sentimental value
• What was the risk? The potential for loss or damage
  • High chance of break-in
  • Risk of repeat break-in – key may be copied
  • Higher risk if no alarm system or alarm monitoring is installed
Point
• Securing a computer or a network follows the same principles
• Gaining access is easier than ever
• You would notice a microwave missing
• A remote cyber hacker may be lurking in our systems for years without us even noticing
Would you intentionally?
• Give a set of keys to your house to strangers?
• Leave a door/window open?
• Not install a lock on the front door?
• Not install an alarm/monitoring?
• Install the same locks throughout the house – safe, file cabinet?
• Not insure your property?
Is Like
• Sharing passwords
• No password / simple password policy
• Unpatched systems
• No encryption, firewall, etc.
• No monitoring alerts
• Same password on all systems
• No backups in place to recover from
How do we recover/mitigate?
• Check for losses – claim insurance
• Change all the locks
• Install an alarm system
• Have good neighbors
People are People
Cybercrime is the modern crime
• Less bricks and mortar – padlocks, etc.
• More digital crimes
• Sophisticated thieves
• Take advantage of people’s vulnerability – social engineering
• White Hat / Black Hat
Consumers can shop in the comfort of their home.
Thieves can steal in the comfort of their homes too.
Vulnerability, Risk, Threat – Business
• What vulnerability? A weakness or gap that can be exploited
  • Patches are not installed
  • Employee information accessible through an employee with a weak password
  • Employees can access malicious websites – no web protection
  • Employees unaware of the psychology of persuasion
• What is the threat? Someone targeting this vulnerability, which was not mitigated because it was not properly identified as a risk
  • Hacker attempts and gets into your system and takes control of resources
  • Steals employee information and sends malicious messages to your employees
• What is the risk? The potential for loss or damage
  • High chance of break-in to the environment
  • Risk of repeat break-in – open other doors in your environment by making changes
  • No policies or tools applied, so greater chance of compromise
Do you know the vulnerabilities in your business?
You can’t mitigate what you don’t know
ASSESSMENT – Step 1
Human or Machine
Who is getting smarter?
Compromised System Impact – CIA
• Confidentiality – Policy; security technologies: firewall, MFA, passwords
• Integrity – Access control; what can they do with the data? Rollbacks, tests, audits
• Availability – Data/system availability; UPS, resilient systems
Tug of War – Who Wins?
• Security is a tug of war between protection and convenience
• At times convenience is going to win
• People get frustrated and demand relaxing security protocols to make things more convenient, without fully understanding or measuring the risk-to-reward factors.
Know your risks
Most of the hacks are an inside job – mostly unintentional
Your biggest risk is your most valuable resource – your people
Is this you?
Do you create tons of accounts you will never again visit?
Do you get annoyed thinking up new passwords, so you just use the same one across all your accounts?
Does your password contain a sequence of numbers, such as “123456” or a name of a family member or your birthday?
Do you automatically click all links and download all email attachments coming from your friends?
You are incredibly lucky that nobody's hacked you before.
Or perhaps you don’t even know that you are being hacked.
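As an added example (not part of the presentation), a small check that flags the habits the questions above describe: a run of consecutive digits such as 123456, a family member’s name, a birthday, and one password reused across accounts. The names, date, sample passwords and the 12-character minimum are constructed assumptions.

```python
# Added example, not from the presentation: flags the password habits the
# slide lists. All names, dates, passwords and the 12-character minimum are
# constructed assumptions for illustration.
import re
from datetime import date


def weak_password_reasons(password: str, family_names: list[str],
                          birthday_iso: str, used_elsewhere: set[str]) -> list[str]:
    """Return the reasons a candidate password matches a risky habit."""
    reasons = []
    lowered = password.lower()

    # Any run of four or more digits that steps by exactly +1 or -1
    # (123456, 654321, ...) counts as a numeric sequence.
    for run in re.findall(r"\d{4,}", password):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps == {1} or steps == {-1}:
            reasons.append(f"numeric sequence '{run}'")
            break

    # Family member names, case-insensitive substring match.
    for name in family_names:
        if name.lower() in lowered:
            reasons.append(f"contains family name '{name}'")

    # Common ways a birthday (given as YYYY-MM-DD) gets typed into a password.
    bday = date.fromisoformat(birthday_iso)
    birthday_forms = {bday.strftime(f) for f in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y")}
    birthday_forms.add(str(bday.year))
    if any(form in password for form in birthday_forms):
        reasons.append("contains birthday")

    # One password for every account: the slide's "same one across all your accounts".
    if password in used_elsewhere:
        reasons.append("already used on another account")

    if len(password) < 12:  # assumed minimum length for this example
        reasons.append("shorter than 12 characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the kind of password the slide warns about.
    print(weak_password_reasons("Sarah123456", ["Sarah"], "1985-07-04", {"Sarah123456"}))
```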
Do you do online transactions?
• Payment Card Industry Data Security Standard (PCI DSS)
• PCI Standards Council, an organization formed in 2006 – independent body
• Ensures that ALL companies that accept, process, store or transmit credit card information maintain a secure environment
What can I do to protect my business?
There is hope
Develop a Security Conscious LENS
Security Awareness for your people
Secure your technology with Tools
Habits – Change in behavior
Increase Awareness of Risk
• Educate/train on awareness: social engineering, phishing. Mandatory training
• Compare to personal loss, not just business loss
• Have an in-house Security Awareness team, e.g. a Pizza Group.
• Good Neighbour Check-in
• Appoint a person in-house to be the go-to
• Report any unattended devices
Violation of privacy
• Personal and professional
How do I prevent this?
Reputational loss
User Behavior
Influence – Principles of Persuasion
• Reciprocity – Free gift; obligation to buy or download the free software
• Commitment to a good story – Everyone likes a good story. We overlook strange details
• Authority – Following a person in authority is easier, and we almost feel pressured. Fear of repercussions
• Liking – Create a relationship of trust and we give in quickly
• Scarcity – Time limited, urgent
• Hackers are good at human psychology and study it, then use these strategies
• Evoking emotions to the point that the victim forgets about security
• How do you train your staff to avoid falling victim to such attacks?
How can I spot Phishing?
• Always check the email address and not just the display name
• Notice any change in language in the email – words that your contact wouldn’t typically use
• Ask questions that only you and they would know. Often, if they are already in your system, they may be aware of your discussions with others, so even this can be difficult. They work one step ahead
• Use another way to make contact; don’t just rely on email. Phone, text, etc.
• When asked to provide information like maiden name, address or birthdate, be vigilant. Ask for a name and contact and check with your financial institution in another way
• If you feel something is not right, go with your gut and do that extra check
• Train your employees regularly with mandatory security training, keep up with webinars and share security articles – tools to test your employee behavior are available as well
Phishing: a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
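As an added example (not part of the presentation), a screening pass over an email’s headers and body that applies the checks listed above: display name versus actual address, a Reply-To pointing elsewhere, urgent wording, and requests for the personal details the slide names. The contact list, domains and sample messages are constructed assumptions.

```python
# Added example, not from the presentation: a screening pass over an email's
# headers and body that applies the checks in the list above. The contact
# list, domains and sample messages are constructed assumptions.
from email.utils import parseaddr

# Constructed address book: display names the recipient trusts, mapped to the
# domain those contacts actually send from.
KNOWN_CONTACTS = {"jane doe": "example-firm.com"}

# Wording cues for the "change in language" and "urgent" points above.
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "time limited")

# The kinds of details the slide says to be vigilant about handing over.
SENSITIVE_REQUESTS = ("maiden name", "birthdate", "password")


def check_message(headers: dict, body: str) -> list[str]:
    """Return the reasons a message deserves the 'extra check' the slide recommends."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display name matches a known contact but the address domain does not.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        reasons.append(f"display name '{name}' but domain '{domain}' (expected '{expected}')")

    # Replies silently redirected to a different mailbox than the sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To '{reply_to}' differs from From '{addr}'")

    lowered = body.lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if any(req in lowered for req in SENSITIVE_REQUESTS):
        reasons.append("asks for personal or authentication details")
    return reasons


if __name__ == "__main__":
    # Constructed lookalike: 'examp1e' with the digit one in place of the letter l.
    suspect = {"From": "Jane Doe <jane.doe@examp1e-firm.com>",
               "Reply-To": "billing@mailbox.example"}
    print(check_message(suspect, "URGENT: confirm your birthdate immediately"))
```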
Gaining insight into your IT Systems?
• What Risks are you exposed to?
• How much data can you afford to lose?
• How long can you afford to be down?
• Have you implemented any mitigation strategies?
• How well are your systems running?
Case Study: Financial Firm Requirements
Couldn’t lose more than a day’s worth of Data
Couldn’t be down for more than half a day
Couldn’t be down “at all” during tax season
Prevent ransomware attacks
Secure email accounts
Current System is out of date and bogging down productivity and efficiency
Strategies Implemented
• Moved from physical servers to Infrastructure as a Service – decreased the chances of outages and reduced them
• Upgraded network and VPN connections with reliable business-class hardware – decreased the chances of outages and reduced them
• Moved Exchange on-prem to Office 365 – provided better protection from phishing attempts
• Eliminated direct RDP – removed the ability for malicious login attempts to have major impacts, and allowed for MFA
• Implemented a DMZ – in the event that public-facing services were compromised, an attacker is limited in what they can attack
• Implemented a sensible password policy with MFA for all public-facing services – eliminated guessed passwords and significantly reduced ransomware attack vectors
• Implemented a high-performance Backup and Disaster Recovery system – recovery of lost servers takes minutes
Strategy
• We use security tools that follow the NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• This voluntary Framework consists of standards, guidelines and best practices to manage cybersecurity risk.
Solution Strategy
1. IDENTIFY – Valued assets (what to protect/arm?)
2. PROTECT – Tools, awareness (install an alarm)
3. DETECT – Monitoring tools (alarm monitoring system)
4. RESPOND – Block / contain it (response team)
5. RECOVER – Recover the losses (insurance claim / police report)
Solution Strategy – Business
1. IDENTIFY – Gaps in security / valued assets (assessment)
2. PROTECT – Security tools, MFA, backup, awareness (tools / education)
3. DETECT – Monitoring tools (alert monitoring)
4. RESPOND – Block vulnerability / contain it (tools / team)
5. RECOVER – Recover the files/system (backup solution / report cybercrime)
Center for Internet Security
20 CIS Controls & Resources: https://www.cisecurity.org/controls/cis-controls-list/
Basic
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Workstations & Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
Foundational
1. Email and Web Browser Protections
2. Malware Defenses
3. Limitation and Control of Network Ports, Protocols and Services
4. Data Recovery Capabilities
5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
6. Boundary Defense
7. Data Protection
8. Controlled Access Based on the Need to Know
9. Wireless Access Control
10. Account Monitoring and Control
Organizational
1. Implement a Security Awareness and Training Program
2. Application Software Security
3. Incident Response Management
4. Penetration Tests and Red Team Exercises
A History Lesson on Cloud
When did it start?
Money in the Bank / Data on the Cloud
Digital Footprint
What is Safe?
• Money at your premises – cash? / Data on premise in your business
  • Low accessibility
  • High risk of loss in a disaster
  • Lower levels of protection
• Money in the bank / Data on the Cloud?
  • Higher accessibility
  • Lower risk of loss in a disaster
  • Higher levels of protection in the bank/cloud? More to lose
Compare Value
Assets
• Car
• Appliances
• Jewelry
• Clothes
• Electronics (Google Home)
Data
• Finance records
• Employee information
• Client information
• Personal information
• Social media information
Internet-of-Things (IoT)
IoT Definition: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” – Oxford Dictionary
What’s one thing that can prevent the IoT from transforming the way we live and work?
Interestingly, the Oxford definition is accompanied by:
"If one thing can prevent the Internet of Things from transforming the way we live and work, it will be a breakdown in security."
IoT & Security
The Internet of Things is set to transform the digital marketplace and dominate the way we live and work. Because there are so many devices that can be hacked, hackers can accomplish more. The point is that we have to think about what a hacker could do with a device if he can break through its security.
IoT Exploits: Casino Fish Tank Hacked
IoT & Security
“As IoT devices associated risks increase exponentially. Organizations and individual consumers need to be far more educated on how to address these risks: from the simplistic, such as changing default passwords, to the more complex, such as network segmentation or device management. Failure to do so can truly be a matter of life or death. That isn’t hyperbole any longer.”
– Chris Hall, Principal, PwC
The Dark Web
What is it?
Dark Web
• According to researchers, only 4% of the internet is visible to the general public.
• Meaning that the remaining 96% of the internet is made up of “The Deep Web”
Why was TOR Created – Backstory
• Created by the US Office of Naval Research Laboratory in the 1990s
• TOR is an open-source non-profit organization running out of a YWCA in Cambridge, Massachusetts
• 33 full-time employees
• TOR is hosted by thousands of volunteers around the world
The Dark Web - .onion
Cybersecurity is a Continual Solution
FBI: There are only two types of companies:
1. Those that have been hacked and
2. Those that will be.
And companies that have been hacked will be hacked again.
Steps to take
1. IT Risk Assessment – Know what your risks are, then act on reducing the risks
2. Encrypt sensitive information in storage and in transit
3. Back up on-site and to the cloud. Keeping it at home may affect your insurance
4. Limit access to data on an as-needed basis. Folder permissions
5. Create a good password policy – and enforce it.
6. Consider Multi-Factor Authentication (MFA). Requires two or more pieces of evidence to authenticate
7. Patch your systems regularly – including wireless access
8. Train your employees on good security hygiene
9. Consider cybersecurity insurance – there are a lot of ransomware attacks still occurring
Policy, Tools and Training
• Password sharing – Security Awareness Training
• Using the same password across all systems – Security Awareness Training
• Detecting phishing and malicious email – Security Awareness Training
• Internet usage policy document – Security Awareness
• No screen lock – Policy and Tools
• Poor password – Policy and Tools
• No backup – Disaster Recovery Plan – Tools
• No firewall – Network Security Plan – Tools
• No DNS filtering – Web Security Plan – Tools
• No malware protection – End-Point Protection Plan – Tools
Things to Consider
• Awareness and Education
• Backups and Disaster Recovery
• IT Security
• Outages
• Mitigation Plans
• Manageability
• Assessments
• Policies
Building a bridge for your Business needs
IT Solutions – TLD – Connect Managed – www.tld.com
Audio Video Solutions – CustomWorks – Connect Managed – www.customworks.ca
So you can FOCUS on what you do BEST