Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security Stephen...

Post on 15-Jan-2016



Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security

Stephen Cobb, CISSP, Senior Security Researcher, ESET NA

Protecting federal data systems

• Requires:
  – technical and human elements
  – properly synchronized

We have the technology

• Anti-malware
• Firewalls
• 2-factor authentication
• Encryption
• Network monitoring
• Filtering

And the technology is getting smarter

• Cloud-based reputation, signatures, big data

• But technology is undermined when your workforce is not trained to play defense

Waiting for technology alone to solve the data security problem? Dream on…

Techno-people

• Not everyone needs to be technical, but:
• We are all computer users
• Data security is everyone’s responsibility
• Everyone needs to understand the threats
• And the defensive strategies

Today’s agenda

• Scale of the problem
• Nature of our adversaries
• Information security’s 9 patterns
• Patterns applied to federal agencies
• How to improve the coordination of people and technology to address those patterns

April 2014 GAO report

• Information Security – Federal Agencies Need to Enhance Responses to Data Breaches
• (GAO-14-487T)
• A lot of work still to be done, across numerous agencies
  – Improve security
  – Improve breach response

The scale of the problem

• Information security incidents reported to US-CERT by all agencies
• Number of incidents up
• More data to defend?
• Improved reporting?

Incidents reported to US-CERT by all agencies, by year:
  2009  29,999
  2010  41,776
  2011  42,854
  2012  48,562
  2013  61,214

Exposure of PII is growing

• More incidents involving Personally Identifiable Information (PII)
• Why?
  – Thriving black market for PII
• Impact
  – Seriously impacts individuals
  – Growing public displeasure
  – Heads may roll

Incidents involving PII, by year:
  2009  10,481
  2010  13,028
  2011  15,584
  2012  22,156
  2013  25,566

A federal PII breach example

• July 2013, hackers get PII of 104,000+ people
  – From a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
  – Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
  – Assisting affected individuals and lost productivity

What happens to the stolen data?

• Sold to criminal enterprises
  – For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud

The market for stolen data has matured

All driven by proven business strategies:

• Specialization
• Modularity
• Division of labor
• Standards
• Markets

An overwhelming problem?

• Not if we analyze security incidents
• 2014 Verizon Data Breach Investigation Report
• 92% of incidents can be categorized into 9 patterns
  – True for 100,000 incidents over a 10 year period
  – True for 95% of breaches in the last 3 years

The Big 9

• Point-of-sale intrusions
• Web app attacks
• Insider/privilege misuse
• Physical theft and loss
• Miscellaneous errors
• Crimeware
• Payment card skimmers
• Denial of service
• Cyber-espionage
• Everything else

Industry sectors not affected equally

• Just 4 patterns where victim industry = Public (2014 Verizon Data Breach Investigation Report)

Share of public sector incidents by pattern:
  Miscellaneous    34%
  Insider Misuse   24%
  Crimeware        21%
  Theft/Loss       19%
  Everything Else   2%

Let’s count down the top 4

• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
• Everything else

Pattern #4: Physical theft and loss

• Cause of 19% of public sector security incidents
• It’s people!
• Screen, educate, supervise
• Reduce impact by using encryption

Assets involved in theft/loss incidents, in the order extracted from the chart (2014 Verizon Data Breach Investigation Report):
  Database      11
  Tapes         36
  Other         39
  Flash drive  102
  Desktop      108
  Documents    140
  Laptop       308
  Other        892

Pattern #3: Crimeware

• Accounts for 21%
• It’s people abusing technology
• Can be solved with the right anti-malware strategy
• Endpoint AND server scanning

Crimeware vectors (2014 Verizon Data Breach Investigation Report):
  Removable media         1%
  Unknown                 1%
  Remote injection        1%
  Other                   2%
  Download by malware     2%
  Email link              4%
  Email attachment        5%
  Network propagation     6%
  Web download           38%
  Web drive-by           43%

Pattern #2: Insider and privilege misuse

• 24% of incidents
• Again it’s people!
• Can be fixed!
  – Education
  – Awareness
  – Screening

Insider and privilege misuse incidents by actor role (2014 Verizon Data Breach Investigation Report):
  Auditor         1%
  System admin    6%
  Developer       6%
  Other           7%
  Executive       7%
  Call center     9%
  Manager        13%
  Finance        13%
  End-user       17%
  Cashier        23%

Pattern #1: Miscellaneous Errors

• 34% of incidents
• Human error!
• Can be fixed!
  – Training
  – Awareness
  – Oversight

Varieties of miscellaneous error (2014 Verizon Data Breach Investigation Report):
  Maintenance error    1%
  Other                1%
  Omission             1%
  Gaffe                1%
  Programming error    3%
  Malfunction          3%
  Misconfiguration     6%
  Disposal error      20%
  Publishing error    22%
  Misdelivery         44%

Strategy for doing better

• Technologies and people working together
• If they don’t you get: Target
  – Malware was detected
  – Exfiltration detected
  – But nobody reacted
  – Training and awareness?
  – Clearly lacking

Security training and awareness

• You need both, but what’s the difference?
• Training
  – Ensure people at different levels of IT engagement have the knowledge they need
• Awareness
  – Ensure all people at all levels know the threats and the defensive measures they must use

Who gets trained?

• Everyone, but not in the same way:
  – All-hands training
  – IT staff training
  – Security staff training

How to deliver training

• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative

Incentives?

• They work!
  – Drive engagement
  – Encourage compliance
• But need reinforcement
  – Security in job descriptions
  – Evaluations
  – Rewards

Use your internal organs

• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts

How to do awareness

• Make it fun
• Make it relevant
• Leverage the news
• Remember:
  – Everyone now has a vested interest in staying current on threats to their/your data

Awareness example: phish traps

• Train on phishing
• Send out a phishing message
• Track responses
• Report card and re-education
  – No naming & shaming

Awareness example: flash phish

• Train on media scanning
• Sprinkle USB/flash drives
  – Sample file/autorun
• Track results
  – Inserted? Scanned? Reported?
• Rewards or re-education
  – Again, avoid name+shame

Resources to tap

• CompTIA
• ISSA
• SANS
• (ISC)2
• Vendors
• Websites

Thank you!

• Stephen Cobb
• Stephen.cobb@eset.com
• We Live Security
• www.welivesecurity.com
• Webinars
• www.brighttalk.com/channel/1718
• Booth Number 826