Mark Villinski (@markvillinski) - TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY

Uploaded by centralohioissa; posted 15-Apr-2017

TRANSCRIPT

Mark Villinski (@markvillinski)

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY

Why do we have to educate employees about cybersecurity?

2015 Corporate Threats Survey

http://media.kaspersky.com/en/IT_Security_Risks_Survey_2015_Global_report.pdf?_ga=1.57626858.1152823312.1404311525

• 90% of businesses experienced some form of external threat

• Nearly 46% of companies lost confidential data as the result of a security incident

• Average direct cost of a security breach: $38K for SMBs; $551K for enterprises

QUICK POLL

PERCEPTION VS. REALITY

B2B International and Kaspersky Lab, “IT Security Threats and Data Breaches,” October, 2014.

REALITY TODAY

How bad is it out there?

Malware

1994

One new virus every hour

2006

One new virus every minute

2011

One new virus every second

Or 70,000 samples/day

Kaspersky Lab is currently processing 310,000 unique malware samples EVERY DAY

The Basic Theory for Staying Secure

Simple math for advanced protection…

[Chart: x-axis "Investment in Security", y-axis "Chance of getting infected"]

The chance of getting infected drops exponentially while the cost of an attack (to the attacker) increases linearly

Tip #1: Regularly talk to employees about cybersecurity.

Explain the potential impact a cyberincident may have on company operations.

An annual review and signing of an “I have read and understood company IT policies” form is not enough!

Anyone can be a target.

Tip #2: Remember that top management and IT staff are employees too!

Top managers are often targeted because:

• They have access to more information

• IT bends the rules for them

• The damage/payoff can be much bigger!

IT folks are vulnerable, too: unlimited power over the network!

Tip #3: Explain to the employees that while you make the best effort to secure company infrastructure, a system is only as secure as the weakest link

You don’t want them to just comply, you want them to cooperate.

You can’t create a policy sophisticated enough to cover all possible vectors of attack.

You can’t totally dehumanize humans. Humans have weaknesses and make mistakes.

Tip #4: Have regular focused sessions with employees to explore different types of cyberattacks

Consider different formats (lunch and learn?)

Make it useful: most of them have PCs at home and relatives who also need help.

Make it relevant and responsive to real-world examples: notice how much more often these topics hit the nightly news. Those topics are big on social networks!

Malware - What is it?

Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

Characteristics:

– Unique per-instance (polymorphic) signature to evade anti-virus

– Activates programmatically

– Connects to a Command & Control Center

– Keylogger, Ransomware, Remote Access Tool (RAT), and Man-in-the-Browser

Once a system is owned, it can’t be trusted again: wipe and rebuild it rather than trying to clean it in place.

Phishing Prevention - The 100% rules!

• Never click a link in an email

• Never open unexpected attachments

• Never provide information, no matter how innocuous it may seem, to unsolicited phone callers, visitors or email requests

• Never agree to an unsolicited remote control session (such as WebEx, GoToMeeting, LogMeIn)

• Your best defense: “Can I call you back?”

July 2012: Yahoo Passwords Hacked

435,000 usernames and passwords hacked. Particularly troubling? The login credentials were stored in plaintext, not even hashed.

TOP TEN PASSWORDS FROM THE YAHOO HACK

1) 123456 (38%)
2) password (18%)
3) welcome (10%)
4) ninja (8%)
5) abc123 (6%)
6) 123456789 (5%)
7) 12345678 (5%)
8) sunshine (5%)
9) princess (5%)
10) qwerty (4%)

Ransomware

Phishing at ABC University

How did this happen?

• Trickery. A spear-phishing attack. People were tricked by a believable e-mail message into giving their passwords to the bad guys.

• Spear-phishers and their tactics:

– Message crafted for ABC University

– Sent to a small number of selected people

– Strike on weekends and holidays, when you are less protected

• Goals: to collect information that will let them steal money: passwords, social security numbers, bank account or credit card numbers.

[Screenshots of the phishing e-mail and the fake login page]

Not Encrypted: no https

Not going to real ABC University login site

Impact to people and ABC University

• The University was able to recover a good portion of the money

• Anyone can fall for a clever phishing scam

• The University did replace paychecks; this would be very challenging on a large scale

Lessons learned

• Understand how to know if you are at the real University web login, or a clever fake

• Learn how to analyze email messages to detect ones that are malicious

• Find out how to protect yourself and your devices from cyber threats

• Know common scams
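The two tells called out on the screenshot slides ("no https", "not going to the real login site") and the first two lessons above can be turned into a mechanical check that an employee, a help desk or a mail filter can run on any suspicious message. The following is an added example, not code from the deck or from ABC University; the legitimate login host name and the sample e-mail body are constructed for illustration, and the extra tells (link text disagreeing with the href, bare IP addresses, lookalike domains) go slightly beyond what the slides list.

```python
"""Link triage for a suspicious e-mail body.

Added example (not from the original deck). Applies the deck's two checks,
"is it HTTPS?" and "is this really the University login site?", to every
link in an HTML message, plus the usual extra tells.  All host names and
the sample message are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's real login host(s). Hypothetical name.
LEGIT_HOSTS = {"login.abc-university.example"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _is_legit(host, legit_hosts):
    # Exact match or a subdomain of a legitimate host.
    return any(host == h or host.endswith("." + h) for h in legit_hosts)


def triage_link(href, text, legit_hosts=LEGIT_HOSTS):
    """Return the red flags for one link; an empty list means nothing suspicious."""
    flags = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    if url.scheme != "https":
        flags.append("not https")
    if not _is_legit(host, legit_hosts):
        flags.append(f"host {host!r} is not the real login site")
        # Lookalike: the real name embedded in some other registered domain,
        # e.g. abc-university.example.webmail-reset.test
        for h in legit_hosts:
            label = h.split(".")[-2]
            if label in host:
                flags.append(f"lookalike domain contains {label!r}")
    # Link text that displays one URL while the href goes somewhere else.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and shown.group(1).lower() != host:
        flags.append(f"link text shows {shown.group(1)!r} but goes to {host!r}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("link goes to a bare IP address")
    return flags


def triage_email(html, legit_hosts=LEGIT_HOSTS):
    """Return [(href, flags)] for every link in the message body."""
    return [(href, triage_link(href, text, legit_hosts))
            for href, text in extract_links(html)]


def is_phishy(html, legit_hosts=LEGIT_HOSTS):
    return any(flags for _, flags in triage_email(html, legit_hosts))


# Constructed sample: a "mailbox full" lure whose visible link text is the
# real portal but whose href is a lookalike domain over plain HTTP.
SAMPLE_EMAIL = """<p>Your mailbox is over quota. Verify your account at
<a href="http://abc-university.example.webmail-reset.test/login">https://login.abc-university.example</a>
within 24 hours.</p>
<p>Questions? Use <a href="https://login.abc-university.example/help">the portal</a>.</p>"""

if __name__ == "__main__":
    for href, flags in triage_email(SAMPLE_EMAIL):
        print(href, "->", flags or "ok")
```

The first link in the sample trips four flags at once (plain HTTP, wrong host, lookalike name, link text that disagrees with the destination); the second, a real portal link, trips none. The check is deliberately conservative: a link that survives it is not proven safe, which is why the "Can I call you back?" rule still applies.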

Tip #5: Pay special attention to social engineering

A lot of cyberincidents start with a phone conversation with someone who poses as a co-worker and builds his understanding of company internal structure and operations by asking innocent questions.

A cybercriminal exploiting social weaknesses almost never looks like one.

A Dangerous Weapon of Cybercrime

Piggybacking?

The Importance of Securing Computers/Workstations

Windows: press Win + L to lock the screen.

Mac:

• Enable screensaver

• Check the “Require password to quit screensaver” check box

Tip #6: Train your employees to recognize an attack

Communicate clear-cut, step-by-step instructions on what to do if an employee believes there’s a cyber incident happening. If you are not trained, you will get lost when the “show” starts.

Training should involve things like:

• Unplug your machine from the network (physically)

• Notify your administrator

• Remember that any and every keystroke can be sent to cyber criminals by a keylogger

• If you can’t find your mobile device, immediately notify your administrator

• Emergency number: if you can’t find your IT emergency number in under 20 seconds, you are doing it wrong

• …and so on

Tip #7: Never disapprove of or make fun of an employee who raises a red flag

…even if it is a false alarm. Doing so will discourage employees from raising the alarm when a real cyber attack comes.

I mean NEVER.

If false alarms come often, improve the training approach.

Tip #8: In case of an incident, give your employees a heads-up

Even if an incident has already happened, improper handling may (significantly) increase the impact.

Issue instructions on how to speak to the public/press about the incident.

Have a plan in place BEFORE anything happens.

Get insurance for cyber-incidents.

Tip #9: Test knowledge

Regularly.

Make it relevant: remember they live digital lives. It matters!

Make it fun. Or rewarding. Or fun and rewarding.

Phish Self-Testing (Too Successful 12/2013)

Phish Self-Testing (Zero Success 5/2014)

Phish Self-Testing eSlap

Are you cyber savvy

https://blog.kaspersky.com/cyber-savvy-quiz/

Tip #10: Listen to feedback

If you force employees to change passwords every week, be prepared that they will write them down and post them in their workplace.

If access to something they need for work is too complicated, they will use personal email, USB sticks or fellow employees to bypass the restrictions.

If something is out of balance, it will trigger unsafe behavior. Listening to feedback is how you learn the root cause.

Systems Management & Actionable Patching

• VULNERABILITY SCANNING: HW and SW inventory; multiple vulnerability databases

• REMOTE TOOLS: install applications; update applications; troubleshoot

• LICENCE MANAGEMENT: track usage; manage renewals; manage license compliance

• NETWORK ADMISSION CONTROL (NAC): guest policy management; guest portal

• ADVANCED PATCHING: automated prioritization; reboot options

• SYSTEM PROVISIONING: create images; store and update; deploy
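The inventory, vulnerability-database and "automated prioritization" boxes above describe one loop: know what is installed, match it against what is known to be vulnerable, and rank the result so the fixes that matter land first. The following is an added example of that loop in miniature, not the vendor's product code; the advisory identifiers, products, versions, hosts and scoring weights are all constructed for illustration, and the "high-value host" bump ties back to Tip #2.

```python
"""Inventory-driven patch prioritisation.

Added example (not the vendor's code). Matches an installed-software
inventory against a vulnerability feed and ranks the findings so that
known-exploited flaws on high-value machines come first.  Every advisory
ID, product, version, host and weight below is constructed.
"""
from dataclasses import dataclass


def parse_version(v):
    """'11.0.2' -> (11, 0, 2). Tuples compare numerically; strings do not
    ('4.9' > '4.10' as strings, a classic scanner bug)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    vid: str         # constructed identifier, deliberately not a CVE number
    product: str
    fixed_in: str    # first version that is no longer affected
    severity: float  # CVSS-style base score, 0.0 to 10.0
    exploited: bool  # exploitation observed in the wild


# Constructed vulnerability feed (in practice merged from several databases).
FEED = [
    Advisory("EXAMPLE-A", "docviewer", "11.0.3", 9.8, True),
    Advisory("EXAMPLE-B", "docviewer", "11.0.1", 5.3, False),
    Advisory("EXAMPLE-C", "browser", "58.0.2", 7.5, False),
    Advisory("EXAMPLE-D", "chatclient", "2.4.0", 4.3, False),
]

# Constructed software inventory: host -> {product: installed version}.
INVENTORY = {
    "cfo-laptop": {"docviewer": "11.0.0", "browser": "58.0.2"},
    "helpdesk-01": {"docviewer": "11.0.2", "browser": "57.0.0", "chatclient": "2.4.0"},
    "lab-pc-07": {"browser": "58.1.0"},
}

# Machines whose owners the deck singles out as prime targets (tip #2).
HIGH_VALUE_HOSTS = {"cfo-laptop"}


def is_affected(installed, advisory):
    return parse_version(installed) < parse_version(advisory.fixed_in)


def find_findings(inventory=INVENTORY, feed=FEED):
    """Every (host, advisory, installed_version) where the installed build is vulnerable."""
    findings = []
    for host, software in inventory.items():
        for adv in feed:
            installed = software.get(adv.product)
            if installed is not None and is_affected(installed, adv):
                findings.append((host, adv, installed))
    return findings


def priority(host, advisory, high_value=HIGH_VALUE_HOSTS):
    """Base severity, bumped for in-the-wild exploitation and high-value owners.
    The weights are an assumption; tune them to your own risk appetite."""
    score = advisory.severity
    if advisory.exploited:
        score += 5.0
    if host in high_value:
        score += 2.0
    return round(score, 1)


def patch_plan(inventory=INVENTORY, feed=FEED):
    """Rows of (host, advisory_id, installed, fixed_in, score), most urgent first."""
    rows = [(host, adv.vid, installed, adv.fixed_in, priority(host, adv))
            for host, adv, installed in find_findings(inventory, feed)]
    return sorted(rows, key=lambda r: (-r[4], r[0], r[1]))


if __name__ == "__main__":
    for host, vid, installed, fixed_in, score in patch_plan():
        print(f"{score:5.1f}  {host:12} {vid}: {installed} -> {fixed_in}")
```

On the constructed data the plan puts the exploited document-viewer flaw on the CFO's laptop first, the same flaw on the help-desk machine second, and leaves the lab PC, which is already on a fixed build, off the list entirely. The numeric version comparison is the part most often got wrong in home-grown scripts.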

Whitelisting & Application Control

• DEVICE CONTROL

• WEB CONTROL

• APPLICATION CONTROL WITH DYNAMIC WHITELISTING

Encryption & Data Protection

[Diagram: Inside the Network / Outside the Network]

If cybercriminals seize control of a system and penetrate the corporate network, they may try to exfiltrate sensitive data such as configuration files, private keys and source code. However, even if the criminals manage to download something, they will not be able to read the content of the encrypted files, provided the keys were not available to the compromised session: encryption at rest protects data that is lost or copied, not data an attacker reads through an already logged-in user.

Why Kaspersky?

OUR LEADERSHIP IS PROVEN BY INDEPENDENT TESTS


Questions & Answers

Mark Villinski

[email protected]

@markvillinski