![Page 1: Using Technology and People to Improve your Threat Resistance and Cyber Security](https://reader035.vdocuments.net/reader035/viewer/2022062513/5562c11ad8b42aaf178b4b1b/html5/thumbnails/1.jpg)
Using Technology and Techno-People to Improve Threat Resistance
Stephen Cobb, CISSP, Senior Security Researcher, ESET NA (as presented at MISAC 2014)
How many city workers have seen this man?
I will be talking about how to:
• Combine people and technology to maximize your cybersecurity
• Use existing security research to maximize your security budget
• Improve security education and awareness
• Leverage McDumpals and friends
Why am I here?
• In 1991 I wrote a book about personal computer and network security because…
• This technology has great potential to make the world a better place, but…
• That potential will not be fully realized if we don’t get security right
Getting security right means
• Getting the right combination of technology and people
• ESET makes security technology, but understands that alone is not enough
• So it pays my team to learn about threats and threat trends
• Then share knowledge of threats/trends and their practical implications
We have the technology
• Anti-malware
• Firewalls
• Authentication
• Encryption
• Network monitoring
• Threat intelligence
But we also need techno-people
• Not everyone needs to be technically trained, but:
– We are all computer users
– IT security is everyone’s responsibility
– We all need to understand the threats
– And the defensive strategies
The threats can seem huge and overwhelming
• But if we analyze security incidents
– Verizon Data Breach Investigation Report
• We see 92% of incidents can be categorized into 9 patterns
– True for 95% of breaches in the last 3 years
• And for most sectors, just 3 or 4 patterns account for most of the threats
The Big 9 Basic Patterns
1. Point-of-sale intrusions
2. Web app attacks
3. Insider/privilege misuse
4. Physical theft and loss
5. Miscellaneous errors
6. Crimeware
7. Payment card skimmers
8. Denial of service
9. Cyber-espionage
Industry sectors not affected equally
Share of public-sector incidents by pattern (chart values):
• Miscellaneous: 34%
• Insider Misuse: 24%
• Crimeware: 21%
• Theft/Loss: 19%
• Everything Else: 2%
Just 4 main patterns where victim industry = Public
2014 Verizon Data Breach Investigation Report
Let’s count down the top 4
• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
Pattern #4: Physical theft and loss
• Cause of 19% of public sector security incidents
• It’s people!
• Screen, educate, supervise
• Reduce impact by using encryption
Assets involved in theft/loss (chart values, paired in the order the chart lists them):
– Database: 11
– Tapes: 36
– Other: 39
– Flash drive: 102
– Desktop: 108
– Documents: 140
– Laptop: 308
– Other: 892
2014 Verizon Data Breach Investigation Report
Pattern #3: Crimeware
• Accounts for 21%
• It’s people abusing technology
• Can be solved with the right anti-malware, anti-phishing strategy
– Endpoint AND server scanning
• AND end user education*
Crimeware infection vectors (chart values):
– Removable media: 1%
– Unknown: 1%
– Remote injection: 1%
– Other: 2%
– Download by malware: 2%
– Email link: 4%
– Email attachment: 5%
– Network propagation: 6%
– Web download: 38%
– Web drive-by: 43%
2014 Verizon Data Breach Investigation Report
Pattern #2: Insider and privilege misuse
• 24% of incidents
• Again it’s people!
• Can be fixed!
– Education
– Awareness
– Screening
Insider misuse by actor role (chart values):
– Auditor: 1%
– System admin: 6%
– Developer: 6%
– Other: 7%
– Executive: 7%
– Call center: 9%
– Manager: 13%
– Finance: 13%
– End-user: 17%
– Cashier: 23%
2014 Verizon Data Breach Investigation Report
Pattern #1: Miscellaneous Errors
• 34% of incidents
• Human error!
• Can be fixed!
– Education
– Awareness
– Oversight
Variety of errors (chart values):
– Maintenance error: 1%
– Other: 1%
– Omission: 1%
– Gaffe: 1%
– Programming error: 3%
– Malfunction: 3%
– Misconfiguration: 6%
– Disposal error: 20%
– Publishing error: 22%
– Misdelivery: 44%
2014 Verizon Data Breach Investigation Report
Strategies for doing better
• Technologies and people must be working together
• If they don’t you get: Target
– Malware was detected
– Exfiltration detected
– But nobody reacted
– Education and awareness?
– Probably not enough
Security education and awareness
• You need both, but what’s the difference?
• Education
– Ensure people at different levels of IT engagement have the knowledge they need to maintain and promote security
• Awareness
– Ensure all people at all levels know the threats and the defensive measures they must use, and why
Security education is for?
• Everyone, but not in the same way:
– All-hands education
– IT staff education
– Security staff education
How to deliver security education
• In person
• In groups
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative
Incentives?
• They work!
– Drive engagement
– Encourage compliance
• But need reinforcement
– Security in job descriptions
– Evaluations
– Rewards
Use your internal organs
• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts
Making security awareness work
• Make it fun
• Make it relevant
• Leverage the news
• Remember:
– Everyone now has a vested interest in staying current on threats to their/your data
• Meet McDumpals
Government PII breach example
• July 2013, hackers get PII belonging to 104,000+ people from a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Just for assisting affected individuals and the lost productivity
– Not including the costs of fixing vulnerable systems
What went wrong?
• SSNs stored in 354 database tables
• None were encrypted
• All were accessible without 2FA or VPN
• “The Department had not taken appropriate action to remediate known vulnerabilities in its systems either through patches, system enhancements, or upgrades.”
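The first two findings on this slide, SSNs spread across 354 tables with none of them encrypted, point at a step that has to come before any encryption project: finding out which tables and columns actually hold SSNs. The following is an added example, not part of the original deck and not a DOE tool, of a scanner that walks rows from a constructed in-memory sample (table names, column names and values are made up for illustration) and counts SSN-shaped values per column. It applies the structural rules of a US SSN (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) so that phone numbers, dates and ticket references are not counted. The output is the inventory of columns where encryption has to be applied.

```python
import re
from collections import defaultdict

# Constructed sample tables (lists of row dicts); names and values are made up
# for illustration and are not from any real system.
SAMPLE_TABLES = {
    "employees": [
        {"name": "A. Example", "ssn": "123-45-6789", "phone": "555-123-4567"},
        {"name": "B. Example", "ssn": "456-78-9012", "phone": "555-987-6543"},
    ],
    "badges": [
        {"badge_id": "B-1001", "notes": "reissued 2013-07-01"},
    ],
    "helpdesk_tickets": [
        {"id": 7, "body": "caller read out ssn 234-56-7890, please update record"},
        {"id": 8, "body": "ref 000-12-3456 is a ticket number, not an SSN"},
    ],
}

# US SSN shape. Area 000, 666 and 900-999, group 00 and serial 0000 are never
# issued, so excluding them removes most other dashed numbers as false positives.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def find_ssn_columns(tables):
    """Map each table to the columns holding SSN-shaped values and how many were seen."""
    hits = defaultdict(lambda: defaultdict(int))
    for table, rows in tables.items():
        for row in rows:
            for column, value in row.items():
                n = len(SSN_RE.findall(str(value)))
                if n:
                    hits[table][column] += n
    return {table: dict(columns) for table, columns in hits.items()}


def summarize(hits):
    """Return (number of tables holding SSNs, total SSN-shaped values found)."""
    tables = len(hits)
    values = sum(sum(columns.values()) for columns in hits.values())
    return tables, values


if __name__ == "__main__":
    found = find_ssn_columns(SAMPLE_TABLES)
    for table, columns in sorted(found.items()):
        for column, count in sorted(columns.items()):
            print(f"{table}.{column}: {count} SSN-shaped value(s)")
    print("tables with SSNs: %d, values: %d" % summarize(found))
```

On the sample, the scan flags employees.ssn (two values) and helpdesk_tickets.body (one value typed into free text), while the ticket reference beginning 000 and the phone numbers are ignored. The free-text hit is the point of scanning values rather than column names: SSNs end up in notes and ticket bodies, and those columns need the same protection as the ones designed to hold them.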
What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud
– Billions of taxpayer dollars stolen per year
– Hundreds of thousands of victims
– Time to rectify?
– Nine months
Elements of cybercrime operations
• Host an exploit kit on a server
• Put malware on different server
• Send malicious email linked to exploit kit
• Find holes in visiting systems
• Use holes to infect visitors with malware
• Use console on command and control box
• To steal, DDoS, spread more malware
• Use markets to sell/rent infected systems
• Use markets to sell any data you can find
• E.g. Community Health Systems 4.5m IDs
Cybercrime tools are readily available
• Exploit Kits
• Buy or rent
• A few hundred dollars to thousands
• Add new exploits over time
• Note all of the Java exploits
From a chart by DeepEnd Research
Proliferation and variety of exploit kits over time
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
Market for stolen data has matured
Thanks to krebsonsecurity.com for screenshots
An evolved, market-based industry
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
Do your employees know this?
• Are they aware of the value of PII stored in municipal data systems?
• Do they know that cyber criminals are well-organized, well-motivated, pitiless, and relentless?
Techniques: phish traps
• Train on phishing
• Send out a phishing message
• Track responses
• Report card and re-education
– No naming & shaming
Techniques: flash phish
• Train on media scanning
• Sprinkle USB/flash drives
– Sample file/autorun
• Track results
– Inserted? Scanned? Reported?
• Rewards or re-education
– Again, avoid name+shame
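The phish-trap and flash-phish techniques end with the same two steps: track the results, then produce a report card and re-education without naming and shaming. The following is an added example, not part of the original deck and not from any phishing-simulation product, of closing out those steps for both exercises at once. It reads a constructed results export (the campaign, department, user_id and outcome columns and their values are assumed for illustration), aggregates per campaign and department, folds departments too small to report on their own into one bucket so a two-person team's numbers cannot be traced to a person, and lists which departments get the re-education session.

```python
import csv
import io
from collections import defaultdict

# Constructed export covering one simulated phishing run and one USB-drop run.
# user_id is read only to count participants; it never reaches the output.
RESULTS_CSV = """campaign,department,user_id,outcome
phish-2014q3,Finance,u001,clicked
phish-2014q3,Finance,u002,reported
phish-2014q3,Finance,u003,ignored
phish-2014q3,Public Works,u010,clicked
phish-2014q3,Public Works,u011,clicked
phish-2014q3,Public Works,u012,reported
phish-2014q3,Public Works,u013,ignored
usb-2014q3,Finance,u001,inserted
usb-2014q3,Finance,u002,reported
usb-2014q3,Public Works,u010,scanned
usb-2014q3,Public Works,u011,inserted
"""

# Clicking the link or inserting the drive counts as taking the bait;
# reporting it, or scanning the drive first, counts as the desired behaviour.
FAIL_OUTCOMES = {"clicked", "inserted"}
GOOD_OUTCOMES = {"reported", "scanned"}


def _empty():
    return {"participants": 0, "failed": 0, "good": 0}


def report_card(csv_text, min_group=3):
    """Aggregate outcomes per (campaign, department); individuals never appear."""
    raw = defaultdict(_empty)
    for row in csv.DictReader(io.StringIO(csv_text)):
        c = raw[(row["campaign"], row["department"])]
        c["participants"] += 1
        if row["outcome"] in FAIL_OUTCOMES:
            c["failed"] += 1
        elif row["outcome"] in GOOD_OUTCOMES:
            c["good"] += 1
    # Fold departments with fewer than min_group participants into one bucket,
    # so a tiny department's numbers cannot be read back to a named person.
    merged = defaultdict(_empty)
    for (campaign, dept), c in raw.items():
        bucket = dept if c["participants"] >= min_group else "(small groups)"
        for key, value in c.items():
            merged[(campaign, bucket)][key] += value
    card = {}
    for key, c in merged.items():
        card[key] = dict(c,
                         fail_rate=round(c["failed"] / c["participants"], 2),
                         report_rate=round(c["good"] / c["participants"], 2))
    return card


def needs_reeducation(card, threshold=0.25):
    """Departments whose fail rate exceeded the threshold in any campaign."""
    return sorted({dept for (_, dept), c in card.items() if c["fail_rate"] > threshold})


if __name__ == "__main__":
    card = report_card(RESULTS_CSV)
    for (campaign, dept), c in sorted(card.items()):
        print(f"{campaign:14} {dept:16} n={c['participants']:2} "
              f"fail={c['fail_rate']:.2f} reported={c['report_rate']:.2f}")
    print("re-education:", ", ".join(needs_reeducation(card, threshold=0.4)))
```

Two figures matter per group: the fail rate is what the exercise is usually judged on, but the report rate is the one that shows whether the "report it" message from training has landed. The min_group floor and the re-education threshold are program choices the deck does not prescribe; the floor is what keeps the report card from becoming a naming-and-shaming list by another route.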
What more can we do?
(Diagram labels: Cybercrime, Technology, Law, Knowledge, Diplomacy)
We need better cybercrime deterrence, which means stepping up law enforcement and diplomacy
(Same diagram labels: Cybercrime, Technology, Law, Knowledge, Diplomacy)
Resources to tap
• MS-ISAC > msisac.cisecurity.org
• California Cyber Security Task Force
• State Threat Assessment System (Fusion)
• NIST Framework (I agree with Ken)
• Local ISSA and (ISC)2
• Your security vendors
• MISAC NASCIO CCISDA
• NCSAM > StaySafeOnline.org
• Websites
– CSOonline.com
– KrebsOnSecurity.com
– SecuringOureCity.com
– WeLiveSecurity.com
Thank you!
• Stephen Cobb
• [email protected]
• @zcobb @ESET
• We Live Security
• www.welivesecurity.com
• Webinars
• www.brighttalk.com/channel/1718