ISACA UAE - Importance of Human-Centric Approaches to Cyber Security

Innovation in a Borderless World: ISACA – ISAFE 2015 - Dubai, UAE. Importance of Human-Centric Approaches to Cyber Security. Lydia Kostopoulos, PhD, @LKCYBER

Uploaded by: lkcyber

Posted on 14-Apr-2017


TRANSCRIPT

Page 1: ISACA UAE - Importance of Human-Centric Approaches to Cyber Security

Innovation in a Borderless World
ISACA – ISAFE 2015 - Dubai, UAE

Importance of Human-Centric Approaches to Cyber Security

Lydia Kostopoulos, PhD, @LKCYBER

Page 2

Social Engineering

Human-Centric Approach

Attack Vectors

Accessibility


Page 4

Social Engineering: “The clever manipulation of the natural human tendency to trust.”

Actors: Criminals; Hacktivists & Terrorists; Industry; Nation State Actors

Interests: Operations Sabotage; Data Manipulation; Intellectual Property Theft; Industrial Espionage

Motivations: Money; Reputation (Both Ways); Political; Security

Page 5

Page 6

Humans are the weakest link in Information Security.

Page 7

"Never underestimate the impact of user behavior on a defensive strategy"

– Admiral Rogers, Director of US Cyber Command/NSA

Page 8

Attacks: Human Factor & Intellectual Property (IP)

What’s the most common attack vector? 91% of cyberattacks begin with a spear phishing email (TrendMicro Research).

How much does it cost the world? $445 billion – annual cost of cybercrime and economic espionage to the world economy (2014 CSIS & McAfee report).

IP Intensive Businesses in the US (source: Intellectual Property and the U.S. Economy: Industries in Focus, by the Economics and Statistics Administration and the United States Patent and Trademark Office):

• Support at least 40 million jobs

• $5 trillion to US GDP (28%)

Page 9

Source: Get Cyber Safe

Page 10

Social Media Use: Have a policy

• Promote Collaboration

• Maintain Vigilance

• Protect Information

Page 11

Social Media Use: Have a policy for sharing

• Intellectual Property Theft

• Inside Information

• Organization Intentions

• Internal Leaks

Page 12

Accessibility: Tools have been democratized

Tools: Malware comes in all shapes and sizes

Page 13

We set up network defenses… Firewall; Intrusion Detection System; Defense in Depth

We set up data defenses… Encryption (Data in Use, At Rest, In Motion); Classification (Public, Internal Use, Confidential, Secret); Destruction

Identity & Access Management

We set up malware defenses… Anti-Virus; Spam Filter?

What about human defenses? Phishing

Page 14

You don’t know what you don’t know…

Page 15

Data Leakage Prevention Plan: Don’t forget Business Continuity

Followed by End-User Awareness

Page 16

Hardening of Human Assets (HHA)

The process of elevating the security awareness of a human asset in an effort to reduce and eliminate as many risks as possible.

Page 17

Hardening Human Assets (HHA): Have a Plan

• OPSEC Awareness

• Social Engineering Awareness

• Espionage Threat Awareness

• Data Protection Awareness

• Social Media Use Awareness

• Travel Security Awareness

• Specialized SIEM Settings (Cross-departmental collaboration)

Page 18

Security Culture: Have one!

• Be proactive not reactive!

• Cross departmental teamwork

• Whole of Enterprise Approach

Page 19

Cyber Professionalism: Set the example!

Incorporate a culture of cyber professionalism

- Clearly communicate acceptable and unacceptable cyber practices

- Create channels for communication about incidents

- Foster an open environment to discuss cyber practices, concerns, questions and doubt

Leaders should lead through example

- Practice cyber hygiene

- Follow best practices

- Report incidents, phishing attempts, potentially malicious files

- Communicate cyber expectations

Page 20

Lydia Kostopoulos, PhD

@LKCYBER

Questions?