CyberSecurity Matters: The Human Factor

Seth Robinson, Sr. Director Technology Analysis, @sethdrobinson

James Stanger, Sr. Director Product Management, @stangernet

www.NetComLearning.com

Copyright (c) 2015 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org


Post on 02-Jun-2020


New Era of Enterprise Technology

Mainframe

Technology not widely accessible

Technology use highly restricted

Technology management highly centralized

PC/Internet

Technology moderately accessible

Technology use becoming pervasive

Technology management mostly centralized

Cloud/Mobile

Technology widely accessible

Technology use very open

Technology management decentralized


New Era Defined by New Behavior


Companies are Focused on Security…

Today: Lower 4%, No change 12%, Moderately Higher 50%, Significantly Higher 34%

Two Years From Now: Lower 2%, No change 13%, Moderately Higher 44%, Significantly Higher 41%

Source: CompTIA’s Trends in Information Security study | Base: 400 U.S. end users


But Are They Focused on the Right Things?

Columns, in order: Security Threats | Security Concern: Moderate Concern | Security Concern: Serious Concern | Change in Trend: No Change / Less Critical Today | Change in Trend: More Critical Today

Malware (e.g. viruses, worms, trojans, botnets, etc.) 37% 50% 51% 49%

Hacking (e.g. DoS attack, APT, etc.) 38% 49% 54% 46%

Privacy concerns 36% 45% 62% 38%

Data loss/leakage 42% 40% 66% 34%

Social engineering/Phishing 41% 38% 58% 42%

Understanding security risks of emerging areas 43% 36% 61% 39%

Lack of budget/support for investing in security 34% 34% 72% 28%

Physical security threats (e.g. theft of a device) 42% 33% 71% 29%

Regulatory compliance 37% 32% 75% 25%

Intentional abuse by insiders, i.e. staff, contractors 35% 31% 75% 25%

Human error among general staff 51% 30% 74% 26%

Enforcement of company security policy 38% 29% 74% 26%

Formal risk assessment 46% 28% 73% 27%

Human error among IT staff 41% 27% 80% 20%

Source: CompTIA’s Trends in Information Security study | Base: 400 U.S. end users


Drivers for Changing Security Approach

22% Focus on a new industry vertical
26% Change in management
26% Change in operations or client base
29% Internal security breach or incident
29% Vulnerability discovered by audit
34% Knowledge gained from training
43% Reports of security breaches
47% Change in IT operations

Source: CompTIA’s Trends in Information Security study | Base: 400 U.S. end users


monkey

letmein

mustang

access

shadow

qwerty

baseball

dragon

football

master

michael

superman

batman


The Human Element

Factors in Security Breaches: Human error 52%, Technology error 48%

Source: CompTIA’s Trends in Information Security study | Base: 400 U.S. end users


Top Human Error Sources

42% End user failure to follow policies and procedures
42% General carelessness
31% Failure to get up to speed on new threats
29% Lack of expertise with websites/applications
26% IT staff failure to follow policies and procedures

Source: CompTIA’s Trends in Information Security study | Base: 400 U.S. end users


Planning for the Unknowns

Reports that say...that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.

—Donald Rumsfeld, Former United States Secretary of Defense


Criteria Needed for Better Training

27% More dynamic (e.g. gamification elements, "pop quizzes," etc.)
30% More mobile
35% More real-world examples / case studies
36% More engaging / interesting
40% More user friendly / better interface
40% Better administrative tools
53% Better content

Source: CompTIA’s Trends in Information Security study | Base: 160 U.S. end users providing security training


Best Practices for Managing End Users

Build a corporate policy

Simulate common attacks

Don’t forget physical security


Today’s vulnerabilities and threats


What you don’t see . . .

Attacks below the threshold

Stealth attackers

• Insiders

• Outside attackers who are now lurking and waiting in silence . . .

Technology not mapped to a company’s real needs

Advanced Persistent Threats (APT)

Complacency

Difficult to track

Thresholds not properly set

Unseen factors that lead to disruptions

Losing sight of the real business need

• Security technology serves a business need

• Unmapped technology

Let’s talk about the security issues that go bump in the night . . .


Today’s threats


The most common attack vectors in 2015

• Social engineering
• Phishing / spear phishing
• “False flag”
• Zero-day attacks
• Retail industry has experienced a surge in point-of-sale (POS) malware and attacks
• Web-based attacks
• SSL/TLS
• SQL injection
• Malware
• SCADA / industrial systems
• Mobile


How attacks have changed through the decades

Viruses (1990s)
Defense: Anti-Virus, Firewalls
Examples: ILOVEYOU, Melissa, Anna Kournikova

Worms (2000s)
Defense: Intrusion Detection & Prevention
Examples: Nimda, SQL Slammer, Conficker

Botnets (late 2000s to current)
Defense: Reputation, DLP, App.-aware Firewalls
Examples: Tedroo, Rustock, Conficker

Directed Attacks (APTs) (today)
Strategy: Visibility and Context
Examples: Aurora, Shady Rat, Duqu


The Advanced Persistent Threat (APT)

Characteristics:

• Highly coordinated
• Embedded
• Often state sponsored

Planning

Malware Introduction

Command & Control

Lateral Movement

Target Identification

Exfiltration (Attack Event)

Retreat


today’s targets


What specific technologies are targeted?

62% Weak Passwords
22% Missing Patches
10% Web Management Console
4% File Upload
2% Social Engineering

Often waged by a single individual or by a group

Can be devastating


Data loss statistics


Primary security concerns in the enterprise


Where does data loss occur?

You name it, but here are the “big 3”

1. Data at rest

2. Data in motion

3. End users


The skills needed to counter vulnerabilities and mitigate threats


An essential realization . . .


Attackers have realized that simple, powerful tools are available

Very effective malware is available as well

All they need to do is find that one user

There are also additional attacks and trends that the public usually doesn’t see

Vendor or service provider impersonation

Insider attacks


Maturing overall operations

[Diagram labels: DMV; Corrections; Courts; Municipal; County; State; Federal; Law Enforcement; Message Switch]

Copyright (c) 2015 Target

The key is to create a matrix that helps you focus your activities.

It’s vital to focus on identifying the hacker cycle

Mitigation involves inhibiting the hacker as well as detection and response


Essential skills overview

Perimeter device configuration

Router

Firewall

VPN

Re-assignment of resources

Policy-based security

Data analysis

Project management

Coordination

Custom framework creation

End user

Workstation

Server

IDS

Voice and video systems


“Dwell time:” The amount of elapsed time between an initial breach and containment

Questions to ask when creating a custom framework

1. How do we detect that initial footprint?

2. How do we detect lateral movement?

3. How do we detect that initial prevention failure?

4. How do you cut down on “dwell time?”

• Taking dwell time from 14 days to 3 days.

• What framework and technology can you put in place?

The 80/20 rule: In many cases, organizations are already at the 80% threshold; getting to 90% and above requires hard work and smart allocation of resources.


Validating the workforce


73% “It’s important to test after training to confirm knowledge gains”

64% “Teams of staff with IT certifications benefit from having a common foundation of knowledge”

62% “Staff with IT certifications have proven expertise”

58% “Staff holding IT certifications are more valuable to the organization”

54% “The organization is more secure from malware and hackers due to staff with IT certifications”

NET Agreement* to Statements

*Strongly Agree + Agree

Base: 1,246 business and IT executives from Brazil, Canada, France, Germany, India, Japan, Mexico, Middle East, Thailand and the UK

IT Certifications expected to increase in importance


Importance (cont’d)

Expectations for change in importance of IT certifications over next 2 Years

[Chart: categories are Significant Increase in Importance, Increase in Importance, No Change and NET Decrease; values shown are 28%, 43% and 24%; NET Increase in Importance combined = 67%]

Source: CompTIA International Technology Adoption and Workforce Issues study


Vendor-neutral certification benefits

Vendor-neutral security training is in demand.

The right mix of skills

Provides a perspective concerning the entire network, not one particular vendor’s approach

Provides confidence

For the technical worker

Management

Partners who use company services

Advanced certification and vendor-specific training is a great next step.


International technology adoption & workforce issues study 2013

Key Strategic Priorities for Businesses
• Reach new customers
• Reduce costs / overhead
• Improve staff productivity/capabilities

Key IT Priorities for Businesses
• Security
• Data Storage / backup
• Web/online presence/e-commerce
• Network Infrastructure
• Mobility related initiatives

61% of executives believe the security threat is increasing.

85% indicate IT skills gaps in their business exist.

86% of businesses engaged in training over the last 12 months.

41% believed IT certifications will become more important.

54% believed their importance would remain unchanged.


Top 5 benefits of certified IT staff

1 Better able to understand new technologies
2 More productive
3 More insightful problem solving
4 Better project management skills
5 Better communication skills

Source: CompTIA Market Research 2012


Hiring and certification

1 CompTIA A+
2 PMP
3 CCNA
4 CompTIA Security+
5 MCSE
6 CompTIA Network+
7 MCP
8 CISSP
9 ITIL
10 MCITP

Source: The Dice Report, February 2012


Thank You

Seth Robinson, @sethdrobinson

James Stanger, @stangernet