The Unpleasant Truths of Modern Business Cybersecurity Phillip D. Shade [email protected]

Upload: global-knowledge

Post on 14-Apr-2017


© 2015 Global Knowledge Training LLC. All rights reserved. 05/02/2023 Page 2

Phillip “Sherlock” Shade (Phill) [email protected]

Certified instructor and internationally recognized network security and forensics expert with more than 30 years of experience

Retired US Navy and the founder of Merlion’s Keep Consulting, a professional services company specializing in network and forensics analysis

A member of the Global Cyber Response Team (GCRT), FBI InfraGard, Computer Security Institute, and the IEEE and volunteer at Cyber Warfare Forum Initiative

Holds numerous certifications, including Certified Network Expert (CNX)-Ethernet, CCNA, Certified Wireless Network Administrator (CWNA), and WildPackets Certified Network Forensics Analysis Expert (WNAX)


Thank You for Joining Us Today


Another Day, Another Hacking Victim

Inquiries begin into nude celebrity photo leaks

By Associated Press

Updated: 16:39 EST, 1 September 2014


…and Most Recently


A Simple, Unavoidable Truth

Perception

Remember, the odds are dramatically in an attacker’s favor. Since an attacker only needs to get one attack through, you need to stop all attacks.

Reality


Poll #1

How many of you have been hacked or had a computer virus?


Today’s Agenda

1. The current gap between what we think is secure and modern realities

2. Training and equipping current cyber professionals

3. The impact of not having trained personnel and end-user awareness training

4. The pros and cons of hiring outside vs. training internal personnel


Case Study 1: Current Gap Between What We Think is Secure and Modern Realities


I Have an IT Security Staff: I’m Secure...

Cisco ASR 2015


Some Sobering Statistics

Unisys Security Insights United States 2015

The rise of Cyber Espionage and Cyber Crime are interesting as both lead to a corresponding increase in the number of financial fraud reports.


The News Gets Even Better

2015 Data Breach Investigations Report (DBIR)


Case Study 2: Training and Equipping Current Cyber Professionals


Poll #2

How many of you had one or more credit/debit cards replaced because of the Target breach?


Target - Setting the Stage

The company has bought, installed, and configured a state-of-the-art cybersecurity suite centered around a powerful Universal Threat Management (UTM) system

While the initial security staff received comprehensive training by the system vendor, as well as ongoing technical and system update support, subsequent new-hires received cursory training

The senior, well-trained staff delegated the less desirable weekend and late-night shifts to the junior, less-trained personnel


Scene of the Crime


Forensic Reconstruction of the Crime

[Figure: diagram with numbered steps 1-5; labels: HVAC Contractor, PoS Server, (Stolen Credentials), Sold online (step 5)]


So Where did They End up?


The Bad News - Results of the Investigation

1. Three separate teams were brought in to perform independent investigations

2. The forensic investigation revealed some shocking facts:

a. The UTM system was properly configured and operating correctly

b. The security system actually detected the initial breach

c. Log file analysis revealed that the poorly trained system operator disabled the alarms to deal with other issues

The Good News: Target Data Hack Optioned for Big Screen Movie

3/21/14 9:40am - jezebel.com/target-data-hack-optioned-for-big-screen-movie-1548629671


Economic Impact

$40 million in penalties and numerous lawsuits

Consumer credit monitoring

Stock price collapsed by more than 11.3 percent

The Wall Street Journal


Case Study 3: Impact of Not Having Trained Personnel and End User Awareness Training


Cybersecurity Skills Crisis


Security is a moving target

Just like building a computer or network, security training requires constant updates

Unfortunately, too many organizations consider “security” to be a bullet point on a presentation to

This becomes even worse at the user level

Many users are given a security brief once, when they are hired, and little or no refresher training


Sources of a Network Security Breach

federal-cybersecurity-survey-2015


Causes of Insider-Based Breaches

federal-cybersecurity-survey-2015


Time to Meet the Hacker’s Best Friend: YOU


Your Gaming Data is Valuable

Value of Personal Data Costs 2015 - Gartner


How Can We Fix This?

Commitment of resources from the top down!

Annual training, certification, and penetration testing for security professionals

Certified Ethical Hacking (CEH)

Certified Security Information Professional (CISSP)

Network forensics training

Periodic basic security training for user personnel

Tips of the month

Banner screens

Posters

Audits


OK, I’m Scared. What Do I Do?

Layers of Security

Firewall/Anti-Virus/Anti-Malware tools

Encrypt your traffic: Consider VPNs and use HTTPS for your browser sessions

Encrypt your data: VeraCrypt, Microsoft BitLocker, or Apple FileVault

Passwords are the weak point in any system

Change them often

Don’t use an online password storage service

Disable automatic updates on unneeded programs

Select “notify me to install updates” instead

Pay attention to the behavior of your computer so you can recognize when something is wrong


Case Study 4: Pros and Cons of Hiring Outside vs. Training Internal Personnel


To Outsource or Not to Outsource

To many IT personnel, the idea of handing over control of network security to an outsider is controversial to say the least

However, recent studies indicate the practice may be growing as companies place net cost over in-house control of security

Says Gavan Egan, VP sales at Verizon: “Nothing is ever as simple as it seems. Part of the complexity of security is that its requirements are interwoven throughout the whole business. It’s not just hardware; it’s business processes and structures, it’s staff and attitudes, and it’s data.”


Factors to be Considered

Factors for:

Reduce administrative, office, and operational overhead to recruit, screen, train, schedule, manage, and pay personnel

Increase efficiency and productivity by concentrating on core business functions

Improve management and quality due to focus of the contractor

Increase ability to define service requirements

Leverage contractors’ project management experience, security expertise and investment in people, equipment and technology

Minimize requirements to track and implement changing standards

Factors against:

Tighter control, supervision, and the ability to control, correct, and modify negative behaviors

Better training; maintaining in-house provides more extensive and continuous training to security personnel

Employee loyalty; in-house security operations create a much stronger sense of ownership vs. perceived “outsiders.”

Culture integration; it’s easier to achieve a high level of integration of a company’s culture and values

Experience and familiarity with existing infrastructure, policies, and procedures


A Final Example


Some Final Thoughts

You Control What You Choose to Click

Most end-user threats are targeted specifically in hopes that you will click on a harmful link, attachment, picture, video, or icon in an email or web page, including social media applications

STOP, and THINK, BEFORE you CLICK

You need to be aware, alert, and diligent; always look for the signs that someone may be trying to gain access to your network


Phill Shade: [email protected]

Merlion’s Keep Consulting: [email protected]

International: [email protected]

Instructor Contact Information


Learn More

Recommended Global Knowledge Courses

Network Forensics using Wireshark

Cybersecurity Foundations

CEH v8

ECSA v8

CASP Prep Course

Security+ Prep Course

Fundamentals of Information Systems Security

Request an On-Site Delivery

We can tailor our courses to meet your needs

We can deliver them in a private setting

Visit Our Knowledge Center

Assessments, Blog, Case Studies, Demos, Lab Topologies, Special Reports, Twitter, Videos, Webinars, White Papers