IT SECURITY AWARENESS SERIES IT Security 101 for Business

Upload: alessa

Post on 25-Feb-2016


TRANSCRIPT

Page 1

IT SECURITY AWARENESS SERIES

IT Security 101 for Business

Page 2

INTRODUCTIONS Welcome

Page 3

Theresa Blackbird, CISSP

• Certified Information Systems Security Professional [CISSP] since 2003
• More than 12 years' experience managing computer systems, servers and networks
• Previously worked with:
  • US Department of Treasury
  • Federal Aviation Administration
  • US Office of Senate Security
  • General Dynamics
  • Lockheed Martin

Page 4

Agenda

• A quick poll
• What is IT security?
• What are the bad guys after?
• Who are the players?
• When am I the most vulnerable?
• Why do they do it?
• Should I be worried?
• How can I stay secure?
• Q & A

Page 5

Quick Poll

How much confidence do you have in your current security posture at your place of business?

A. Very Confident
B. Somewhat Confident
C. Confident
D. Somewhat Concerned
E. Very Concerned

Page 6

WHAT is IT Security?

Page 7

• Definition of Security [1]
  • the state of being protected or safe from harm
  • things done to make people or places safe
  • freedom from fear or anxiety

• A Google search of ‘IT Security’ returns 1,950,000,000 results

• “Security is equal parts people, policy, process and product.” Andrew Briney, CISSP, for Information Security Magazine

______________________________________________________________________________________

[1] Definition provided by Merriam-Webster Dictionary

Page 8

Three Pillars of Security

• Integrity: the data has not been modified and is accurate and complete
• Availability: the data is ready and accessible by authorized users
• Confidentiality: the data is disclosed only to authorized users

Page 9

Security is like layers of an onion. Each layer is a speed-bump to slow the bad guys down.

NOTHING is 100% secure. If someone tells you so, they are trying to sell you something you don’t need and it won’t work as advertised.

“Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target.” Paul Herbka

Page 10

Page 11

WHAT the Bad Guys are After

Page 12

Examples of Your Digital Assets

The ways in which a business can be harmed by a hacker:

• Theft of employee or customer Personally Identifiable Information (PII)
• Theft of customer credit card information
• Denial of Service: preventing access to your business websites and/or e-commerce sites
• Shutdown of critical information systems
• Theft of funds from bank accounts
• Loss of crucial intellectual property to a competitor
• Fines in addition to any or all of the above

Page 13

Page 14

WHO are the Players?

Page 15

The Bad Guys aka …

• Hackers (or Crackers): a general term for someone who seeks and exploits weaknesses in a computer system or network.
• Black Hats: someone who maliciously breaks into a computer system or network for personal gain or infamy.
• Hacktivists: someone who utilizes hacking skills to announce a social, ideological, religious, or political message.
• Script Kiddies: someone, not as experienced as a ‘Black Hat’, who utilizes pre-packaged automated tools (starting at as little as $100) to gain access and exploit weaknesses.

Page 16

Page 17

The Good Guys

• White Hats: the term for ‘Ethical Hacker’; these are people like me who break security for non-malicious reasons, perhaps for a penetration test or vulnerability assessment.
• Grey Hats: a combination of Black Hat and White Hat. This is a person who may break into a computer system or network, notify the administrator that their system has a security flaw somewhere and then offer to correct it, for a fee.
• … and YOU!

Page 18

WHEN am I the Most Vulnerable?

Page 19

You are ALWAYS Vulnerable…

• Cyber-criminals do not take vacations or holidays off … they have nothing but time, all day, every day.
• Pay attention to phishing scams in your business and personal email during times of crisis. A current example: www.healthcare.gov
  • Open enrollment has begun for the Affordable Care Act, as well as for health insurance plans offered by many states and employers. That means it's prime time for fraudsters to target consumers with phishing scams, disguised as official-looking open enrollment messages, in an attempt to steal personal information.
• Similar scams pop up shortly after natural disasters, requesting donations on legitimate-looking websites. This is an example of a watering hole type of attack.

[Infect a legitimate website and sit and wait for them]

“We only need to be lucky once. You need to be lucky every time.” The IRA to Margaret Thatcher, after a failed assassination attempt

Page 20

Page 21

Page 22

WHY They Do It

Page 23

Ultimately, the Motivation is MONEY

• Hackers may be motivated by a multitude of reasons, such as profit, protest, fame, or just the challenge.
• Criminal activity is often driven by crimes of opportunity. With cybercrime, that opportunity appears to be with SMBs (small and medium-sized businesses).
• The largest growth area for targeted attacks is businesses with fewer than 250 employees.
• Other reasons:
  • To use your computer and ISP account for illegal activity.
  • To cause DDoS (distributed denial of service) attacks.

Page 24

What They Can Do with Your PC

Page 25

REALLY… Should I Be Worried?

Page 26

Yes, but More Importantly… Be Educated

• The reality is that theft of digital information far exceeds the loss from physical theft.
• Total number of new vulnerabilities reported in 2012 = 5,291
  • This figure = approximately 101 new vulnerabilities each week
• Think your company is too small or not an attractive enough target to worry about IT Security?
  • To thieves, small businesses represent low risk and little chance of exposure.

Page 27

The Numbers

• 37.3 million users worldwide were subjected to phishing attacks in 2012-2013
  • This is up 87% from 2011-2012
• 76% of attacks used stolen credentials [passwords]
• When malware is used:
  • 75% of the time key-loggers are used to get your password
  • 45% use password dumpers
• 80% of the attacks would have failed if multi-factor authentication were used
• Small business: 60% close their doors for good within 6 months of a breach.

---------------------------------------------------------------------------------------------------
Statistics from Symantec 2013 Internet Security Threat Report

Page 28

Potential Impacts Resulting from the Loss of Sensitive Information

Failure to exercise due diligence in protecting sensitive information can result in:

• Reputation damage
• Loss of trust
• Legal ramifications
• Injury or damage for those who have had their private information exposed
• Potential financial ramifications for those affected
• Employee discipline
• Criminal and/or civil penalties for employees involved

Page 29

HOW Can I Stay Secure?

Page 30

How Can I Defend Myself?

• Assume you are a target
• Understand the threat
• Know what data in your organization is vitally important and where it resides in your network
• Protect it
  • Firewalls
  • Encryption is a great solution

Page 31

How Can I Defend Myself?

• Employee Education
  • Social Engineering
    • A person’s propensity to trust, to help, to obey, or simply to be curious or entertained
    • It has become more in-person and on the phone. It's not just online.
    • Combination of social engineering and physical intrusion and/or technical intrusion
  • Spear Phishing
    • Someone out there wants you (the user of a system) to do something that they can’t do without you taking some form of action towards their end goal.

Page 32

Page 33

Page 34

Next Steps

• Security Awareness Training for all employees
  • Make sure they understand the different types of attacks, like Phishing & Social Engineering, so they can avoid them
• Never transmit a password electronically
  • Look for https://www.mybank.com
  • Ensure the website you are visiting truly IS the website you think it is.
  • https://microsoft.thz.com is NOT a part of Microsoft in Redmond, WA
• Implement a password policy
  • Use Industry Standard Complexity Pattern
  • Change your password every 4 months
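The slide's rule (look for https://www.mybank.com; https://microsoft.thz.com is not Microsoft) can be checked mechanically. The following Python is an added example, not part of the presentation: it parses a link and accepts it only when the scheme is https and the hostname is the expected domain or a subdomain of it, which also catches the brand name placed in a subdomain or in the user-info part of the URL. evil.example is a constructed placeholder hostname.

```python
from typing import Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the normalized hostname of a link, or None if it has none.

    urlsplit().hostname drops the port and any 'user:pass@' prefix, so
    https://www.mybank.com@evil.example/ yields 'evil.example', not the
    bank's name that appears first in the text of the link.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    return host.lower().rstrip(".")  # DNS names are case-insensitive; drop trailing dot


def belongs_to(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it.

    Matching whole labels separates www.mybank.com (ours) from
    mybank.com.evil.example and microsoft.thz.com (not ours).
    """
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def is_expected_site(url: str, expected_domain: str) -> bool:
    """Accept a link only if it uses https AND really points at expected_domain."""
    if urlsplit(url.strip()).scheme.lower() != "https":
        return False
    host = hostname_of(url)
    return host is not None and belongs_to(host, expected_domain)


if __name__ == "__main__":
    # Constructed sample links: the two from the slide plus common look-alike tricks.
    checks = [
        ("https://www.mybank.com/login", "mybank.com"),            # the real site
        ("https://microsoft.thz.com/", "microsoft.com"),           # the slide's bad example
        ("https://mybank.com.evil.example/login", "mybank.com"),   # brand used as a subdomain
        ("https://www.mybank.com@evil.example/", "mybank.com"),    # brand hidden in userinfo
        ("http://www.mybank.com/login", "mybank.com"),             # right host, but no TLS
    ]
    for url, domain in checks:
        print("OK " if is_expected_site(url, domain) else "BAD", url)
```

This is a structural check only; a lookalike registered under its own domain (or a compromised real site) still needs the certificate and the source of the link to be examined.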

Page 35

Quick Poll

How much confidence do you have in your current security posture at your place of business?

A. Very Confident
B. Somewhat Confident
C. Confident
D. Somewhat Concerned
E. Very Concerned

Page 36

Q & A

THANK YOU !!!!

Page 37

Thank you for your time and attention!

Page 38

Let’s Connect

Theresa Blackbird, CISSP
Security Engineer
Safety Net, Inc.
(231) 944-1100

[email protected]
www.safetynet-inc.com/services/security/
