TRANSCRIPT
Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security
Stephen Cobb, CISSP, Senior Security Researcher, ESET NA
Protecting federal data systems
• Requires:
– technical and human elements
– properly synchronized
We have the technology
• Anti-malware
• Firewalls
• 2-factor authentication
• Encryption
• Network monitoring
• Filtering
And the technology is getting smarter
• Cloud-based reputation, signatures, big data
• But technology is undermined when your workforce is not trained to play defense
Waiting for technology alone to solve the data security problem? Dream on…
Techno-people
• Not everyone needs to be technical, but:
• We are all computer users
• Data security is everyone’s responsibility
• Everyone needs to understand the threats
• And the defensive strategies
Today’s agenda
• Scale of the problem
• Nature of our adversaries
• Information security’s 9 patterns
• Patterns applied to federal agencies
• How to improve the coordination of people and technology to address those patterns
April 2014 GAO report
• Information Security – Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T)
• A lot of work still to be done, across numerous agencies
– Improve security
– Improve breach response
The scale of the problem
• Information security incidents reported to US-CERT by all agencies, by fiscal year:
2009: 29,999
2010: 41,776
2011: 42,854
2012: 48,562
2013: 61,214
• Number of incidents up
• More data to defend?
• Improved reporting?
Exposure of PII is growing
• More incidents involving Personally Identifiable Information (PII), by fiscal year:
2009: 10,481
2010: 13,028
2011: 15,584
2012: 22,156
2013: 25,566
• Why?
– Thriving black market for PII
• Impact
– Seriously impacts individuals
– Growing public displeasure
– Heads may roll
A federal PII breach example
• July 2013, hackers get PII of 104,000+ people
– From a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity
What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud
The market for stolen data has matured
• All driven by proven business strategies:
– Specialization
– Modularity
– Division of labor
– Standards
– Markets
An overwhelming problem?
• Not if we analyze security incidents
• 2014 Verizon Data Breach Investigations Report
• 92% of incidents categorized into 9 patterns
– True for 100,000 incidents over a 10 year period
– True for 95% of breaches in the last 3 years
The Big 9
• Point-of-sale intrusions
• Web app attacks
• Insider/privilege misuse
• Physical theft and loss
• Miscellaneous errors
• Crimeware
• Payment card skimmers
• Denial of service
• Cyber-espionage
• Everything else
Industry sectors not affected equally
• Share of incidents by pattern where victim industry = Public:
Miscellaneous errors: 34%
Insider misuse: 24%
Crimeware: 21%
Theft/loss: 19%
Everything else: 2%
• Just 4 main patterns where victim industry = Public
Source: 2014 Verizon Data Breach Investigations Report
Let’s count down the top 4
• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
• Everything else
Pattern #4: Physical theft and loss
• Cause of 19% of public sector security incidents
• It’s people!
• Screen, educate, supervise
• Reduce impact by using encryption
Assets involved in theft/loss incidents (counts, as charted):
Database: 11
Tapes: 36
Other: 39
Flash drive: 102
Desktop: 108
Documents: 140
Laptop: 308
Other: 892
Source: 2014 Verizon Data Breach Investigations Report
Pattern #3: Crimeware
• Accounts for 21%
• It’s people abusing technology
• Can be solved with the right anti-malware strategy
• Endpoint AND server scanning
Crimeware infection vectors (share of crimeware incidents):
Removable media: 1%
Unknown: 1%
Remote injection: 1%
Other: 2%
Download by malware: 2%
Email link: 4%
Email attachment: 5%
Network propagation: 6%
Web download: 38%
Web drive-by: 43%
Source: 2014 Verizon Data Breach Investigations Report
Pattern #2: Insider and privilege misuse
• 24% of incidents
• Again it’s people!
• Can be fixed!
– Education
– Awareness
– Screening
Role of the internal actor (share of insider misuse incidents):
Auditor: 1%
System admin: 6%
Developer: 6%
Other: 7%
Executive: 7%
Call center: 9%
Manager: 13%
Finance: 13%
End-user: 17%
Cashier: 23%
Source: 2014 Verizon Data Breach Investigations Report
Pattern #1: Miscellaneous Errors
• 34% of incidents
• Human error!
• Can be fixed!
– Training
– Awareness
– Oversight
Variety of error (share of miscellaneous error incidents):
Maintenance error: 1%
Other: 1%
Omission: 1%
Gaffe: 1%
Programming error: 3%
Malfunction: 3%
Misconfiguration: 6%
Disposal error: 20%
Publishing error: 22%
Misdelivery: 44%
Source: 2014 Verizon Data Breach Investigations Report
Strategy for doing better
• Technologies and people working together
• If they don’t, you get: Target
– Malware was detected
– Exfiltration detected
– But nobody reacted
– Training and awareness? Clearly lacking
Security training and awareness
• You need both, but what’s the difference?
• Training
– Ensure people at different levels of IT engagement have the knowledge they need
• Awareness
– Ensure all people at all levels know the threats and the defensive measures they must use
Who gets trained?
• Everyone, but not in the same way:
– All-hands training
– IT staff training
– Security staff training
How to deliver training
• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative
Incentives?
• They work!
– Drive engagement
– Encourage compliance
• But need reinforcement
– Security in job descriptions
– Evaluations
– Rewards
Use your internal organs
• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts
How to do awareness
• Make it fun
• Make it relevant
• Leverage the news
• Remember:
– Everyone now has a vested interest in staying current on threats to their/your data
Awareness example: phish traps
• Train on phishing
• Send out a phishing message
• Track responses
• Report card and re-education
– No naming & shaming
Awareness example: flash phish
• Train on media scanning
• Sprinkle USB/flash drives
– Sample file/autorun
• Track results
– Inserted? Scanned? Reported?
• Rewards or re-education
– Again, avoid name+shame
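The two exercises above (the phish trap and the flash phish) both come down to the same tracking problem: hand every target an opaque token, watch for it to come back, add the help-desk reports, and produce a report card by group rather than by person. The script below is an added example written for this transcript; it is not the presenter's or ESET's tooling. It assumes a tracking endpoint at /t/<token> whose web server writes Combined-format access logs, a hypothetical campaign secret, constructed target lists and constructed log lines; in a real exercise the help-desk reports would come from the phishing-report mailbox or ticket system. The per-person list of who clicked and did not report stays out of the report card and goes only to whoever runs the re-education.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Hypothetical campaign secret; in practice pull it from a secrets store and
# rotate it per campaign so tokens from an old exercise stop resolving.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"
MIN_GROUP = 2  # groups smaller than this are folded together so nobody is singled out


def issue_token(target_id, secret=CAMPAIGN_SECRET):
    """Opaque per-target token for the tracking URL; carries no name or email."""
    return hmac.new(secret, target_id.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed targets: target id -> report-card group. For the email phish the
# target is a mailbox and the group its department; for the USB drop the target
# is a drive serial and the group the location the drive was left in.
TARGETS = {
    "alice@agency.example": "Finance",
    "bob@agency.example": "Finance",
    "carol@agency.example": "IT",
    "dave@agency.example": "IT",
    "erin@agency.example": "IT",
    "frank@agency.example": "Legal",
    "USB-0001": "Lobby",
    "USB-0002": "Lobby",
}

# Assumed layout: the lure link and the sample file on the drive both call
# back to https://<tracker>/t/<token>, logged by the web server in Combined format.
BEACON = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "GET /t/([0-9a-f]{16}) HTTP/1\.[01]" (\d{3})')


def parse_beacons(log_lines):
    """Yield the token from every successful hit on the tracking endpoint."""
    for line in log_lines:
        m = BEACON.match(line)
        if m and m.group(2) == "200":
            yield m.group(1)


def report_card(targets, beacon_tokens, reported_ids):
    """Return (per-group counts for the report card, follow-up list for the
    trainer only, number of beacons with tokens that were never issued)."""
    token_to_target = {issue_token(t): t for t in targets}
    clicked, unknown = set(), 0
    for tok in beacon_tokens:
        t = token_to_target.get(tok)
        if t is None:
            unknown += 1          # scanner noise or a guessed token, not a target
        else:
            clicked.add(t)        # repeat clicks by one target count once
    reported = {t for t in reported_ids if t in targets}

    # Fold small groups together so a department of one is not exposed.
    size = defaultdict(int)
    for g in targets.values():
        size[g] += 1

    def bucket(g):
        return g if size[g] >= MIN_GROUP else "(small groups)"

    card = defaultdict(lambda: {"targets": 0, "clicked": 0, "reported": 0, "no_action": 0})
    for t, g in targets.items():
        row = card[bucket(g)]
        row["targets"] += 1
        row["clicked"] += int(t in clicked)
        row["reported"] += int(t in reported)
        row["no_action"] += int(t not in clicked and t not in reported)
    followups = sorted(clicked - reported)   # clicked and never reported it
    return dict(card), followups, unknown


# Constructed log sample (not real traffic): two clicks by alice, one by carol,
# one beacon from a dropped drive, one unknown token, one unrelated request.
_T = {k: issue_token(k) for k in TARGETS}
SAMPLE_LOG = [
    f'10.1.2.3 - - [12/May/2014:09:14:02 -0400] "GET /t/{_T["alice@agency.example"]} HTTP/1.1" 200 43',
    f'10.1.2.3 - - [12/May/2014:09:14:30 -0400] "GET /t/{_T["alice@agency.example"]} HTTP/1.1" 200 43',
    f'10.1.7.8 - - [12/May/2014:09:20:11 -0400] "GET /t/{_T["carol@agency.example"]} HTTP/1.1" 200 43',
    f'10.1.9.2 - - [12/May/2014:11:02:47 -0400] "GET /t/{_T["USB-0001"]} HTTP/1.1" 200 43',
    '203.0.113.5 - - [12/May/2014:11:40:00 -0400] "GET /t/0123456789abcdef HTTP/1.1" 200 43',
    '10.1.2.3 - - [12/May/2014:09:14:03 -0400] "GET /favicon.ico HTTP/1.1" 404 0',
]
# Constructed help-desk reports: who forwarded the lure or handed in a drive.
REPORTED = ["carol@agency.example", "dave@agency.example", "USB-0002"]


def run_example():
    return report_card(TARGETS, parse_beacons(SAMPLE_LOG), REPORTED)


if __name__ == "__main__":
    card, followups, unknown = run_example()
    for group, row in sorted(card.items()):
        print(f"{group:16} {row}")
    print("unknown tokens:", unknown, "| re-education list (trainer only):", followups)
```

Two design points carry the "no naming and shaming" rule into the tooling: the token is an HMAC over the target id, so a forwarded lure URL or a web log reveals nothing about who received it, and the card folds any group below MIN_GROUP into a shared bucket so a one-person department cannot be read off the numbers. Counting a target once no matter how many times it clicks keeps a curious user from inflating a department's score, and tokens that never resolve are counted separately rather than silently dropped, since a burst of them usually means a scanner found the tracker.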
Resources to tap
• CompTIA
• ISSA
• SANS
• (ISC)2
• Vendors
• Websites
Thank you!
• Stephen Cobb
• [email protected]
• We Live Security
• www.welivesecurity.com
• Webinars
• www.brighttalk.com/channel/1718
• Booth Number 826