Using Technology and People to Improve Your Threat Resistance and Cyber Security
DESCRIPTION
A presentation delivered at the 2014 meeting of the Municipal Information Systems Association of California. Includes suggestions for security awareness programs.
TRANSCRIPT
Using Technology and Techno-People to Improve Threat Resistance
Stephen Cobb, CISSP
Senior Security Researcher, ESET NA
(as presented at MISAC 2014)
How many city workers have seen this man?
I will be talking about how to:
• Combine people and technology to maximize your cybersecurity
• Use existing security research to maximize your security budget
• Improve security education and awareness
• Leverage McDumpals and friends
Why am I here?
• In 1991 I wrote a book about personal computer and network security because…
• This technology has great potential to make the world a better place, but…
• That potential will not be fully realized if we don’t get security right
Getting security right means
• Getting the right combination of technology and people
• ESET makes security technology, but understands that alone is not enough
• So it pays my team to learn about threats and threat trends
• Then share knowledge of threats/trends and their practical implications
We have the technology
• Anti-malware
• Firewalls
• Authentication
• Encryption
• Network monitoring
• Threat intelligence
But we also need techno-people
• Not everyone needs to be technically trained, but:
– We are all computer users
– IT security is everyone’s responsibility
– We all need to understand the threats
– And the defensive strategies
The threats can seem huge and overwhelming
• But if we analyze security incidents
– Verizon Data Breach Investigation Report
• We see 92% of incidents can be categorized into 9 patterns
– True for 95% of breaches in the last 3 years
• And for most sectors, just 3 or 4 patterns account for most of the threats
The Big 9 Basic Patterns
1. Point-of-sale intrusions
2. Web app attacks
3. Insider/privilege misuse
4. Physical theft and loss
5. Miscellaneous errors
6. Crimeware
7. Payment card skimmers
8. Denial of service
9. Cyber-espionage
Industry sectors not affected equally
[Chart: public-sector incidents by pattern – Miscellaneous 34%, Insider misuse 24%, Crimeware 21%, Theft/loss 19%, Everything else 2%]
Just 4 main patterns where victim industry = Public
2014 Verizon Data Breach Investigation Report
Let’s count down the top 4
• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
Pattern #4: Physical theft and loss
• Cause of 19% of public sector security incidents
• It’s people!
• Screen, educate, supervise
• Reduce impact by using encryption
[Chart: theft/loss incidents by asset – database, tapes, flash drive, desktop, documents, laptop, other; counts shown in the chart]
2014 Verizon Data Breach Investigation Report
Pattern #3: Crimeware
• Accounts for 21%
• It’s people abusing technology
• Can be solved with the right anti-malware, anti-phishing strategy
– Endpoint AND server scanning
• AND end user education*
[Chart: crimeware incidents by infection vector – removable media, unknown, remote injection, other, download by malware, email link, email attachment, network propagation, web download, web drive-by; percentages shown in the chart]
2014 Verizon Data Breach Investigation Report
Pattern #2: Insider and privilege misuse
• 24% of incidents
• Again it’s people!
• Can be fixed!
– Education
– Awareness
– Screening
[Chart: insider misuse incidents by role – auditor, system admin, developer, other, executive, call center, manager, finance, end-user, cashier; percentages shown in the chart]
2014 Verizon Data Breach Investigation Report
Pattern #1: Miscellaneous Errors
• 34% of incidents
• Human error!
• Can be fixed!
– Education
– Awareness
– Oversight
[Chart: miscellaneous-error incidents by type – maintenance error, other, omission, gaffe, programming error, malfunction, misconfiguration, disposal error, publishing error, misdelivery; percentages shown in the chart]
2014 Verizon Data Breach Investigation Report
Strategies for doing better
• Technologies and people must be working together
• If they don’t, you get Target:
– Malware was detected
– Exfiltration detected
– But nobody reacted
– Education and awareness?
– Probably not enough
Security education and awareness
• You need both, but what’s the difference?
• Education – Ensure people at different levels of IT engagement have the knowledge they need to maintain and promote security
• Awareness – Ensure all people at all levels know the threats and the defensive measures they must use, and why
Security education is for?
• Everyone, but not in the same way:
– All-hands education
– IT staff education
– Security staff education
How to deliver security education
• In person
• In groups
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative
Incentives?
• They work!
– Drive engagement
– Encourage compliance
• But need reinforcement
– Security in job descriptions
– Evaluations
– Rewards
Use your internal organs
• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts
Making security awareness work
• Make it fun
• Make it relevant
• Leverage the news
• Remember:
– Everyone now has a vested interest in staying current on threats to their/your data
• Meet McDumpals
Government PII breach example
• July 2013, hackers get PII belonging to 104,000+ people from a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Just for assisting affected individuals and the lost productivity
– Not including the costs of fixing vulnerable systems
What went wrong?
• SSNs stored in 354 database tables
• None were encrypted
• All were accessible without 2FA or VPN
• “The Department had not taken appropriate action to remediate known vulnerabilities in its systems either through patches, system enhancements, or upgrades.”
What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud
– Billions of taxpayer dollars stolen per year
– Hundreds of thousands of victims
– Time to rectify? Nine months
Elements of cybercrime operations
• Host an exploit kit on a server
• Put malware on a different server
• Send malicious email linked to the exploit kit
• Find holes in visiting systems
• Use holes to infect visitors with malware
• Use console on command and control box
• To steal, DDoS, spread more malware
• Use markets to sell/rent infected systems
• Use markets to sell any data you can find
• E.g. Community Health Systems 4.5m IDs
From a chart by DeepEnd Research
• Exploit kits
• Buy or rent
• A few hundred dollars to thousands
• Add new exploits over time
• Note all of the Java exploits
Cybercrime tools are readily available
Proliferation and variety of exploit kits over time
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
Market for stolen data has matured
Thanks to krebsonsecurity.com for screenshots
An evolved, market-based industry
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
Do your employees know this?
• Are they aware of the value of PII stored in municipal data systems?
• Do they know that cyber criminals are well-organized, well-motivated, pitiless, and relentless?
Techniques: phish traps
• Train on phishing
• Send out a phishing message
• Track responses
• Report card and re-education
– No naming & shaming
Techniques: flash phish
• Train on media scanning
• Sprinkle USB/flash drives
– Sample file/autorun
• Track results
– Inserted? Scanned? Reported?
• Rewards or re-education
– Again, avoid name+shame
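The "track results, report card, rewards or re-education, no naming and shaming" step is shared by the phish-trap and flash-phish techniques above. As an added example (written for this page, not code from the presentation or from ESET), the constructed results below are aggregated per department only, small groups are pooled so that no individual can be identified, and each group gets a group-level verdict; the department names, the minimum group size and the re-education threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample results (hypothetical): a simulated-phishing run ("phish") and a
# USB-drop run ("usb"). Outcome: "fell" (clicked / plugged the drive in and opened the
# file), "safe" (ignored it or scanned the drive first), "reported" (told IT/security).
SAMPLE_RESULTS = [
    ("phish", "Finance", "fell"), ("phish", "Finance", "fell"),
    ("phish", "Finance", "safe"), ("phish", "Finance", "reported"),
    ("phish", "Finance", "safe"), ("phish", "Finance", "reported"),
    ("phish", "IT", "safe"), ("phish", "IT", "reported"), ("phish", "IT", "reported"),
    ("phish", "IT", "reported"), ("phish", "IT", "safe"),
    ("phish", "Legal", "fell"), ("phish", "Legal", "reported"),
    ("phish", "Mayor's Office", "safe"),
    ("phish", "Parks", "safe"), ("phish", "Parks", "safe"), ("phish", "Parks", "fell"),
    ("usb", "Finance", "fell"), ("usb", "Finance", "safe"), ("usb", "Finance", "safe"),
    ("usb", "Finance", "reported"), ("usb", "Finance", "safe"),
]
MIN_GROUP = 5             # assumed: never report on a group so small that one person stands out
RETRAIN_THRESHOLD = 0.20  # assumed: a department where 20% or more fell for it gets re-education

def report_card(results, exercise, min_group=MIN_GROUP, retrain_at=RETRAIN_THRESHOLD):
    """Per-department report card for one exercise, never per person.

    Returns {dept: {"n", "fell", "reported", "action"}} with rates rounded to 3 decimals.
    Departments with fewer than min_group records are pooled into "Other"; if the pool
    is still too small it is left out, so the card cannot single anyone out.
    """
    counts = defaultdict(Counter)
    for ex, dept, outcome in results:
        if ex == exercise:
            counts[dept][outcome] += 1
    pooled = Counter()
    for dept in [d for d, c in counts.items() if sum(c.values()) < min_group]:
        pooled.update(counts.pop(dept))
    if sum(pooled.values()) >= min_group:
        counts["Other"] = pooled
    card = {}
    for dept, c in counts.items():
        n = sum(c.values())
        fell, reported = c["fell"] / n, c["reported"] / n
        if fell >= retrain_at:
            action = "re-education"   # whole group is retrained; nobody is named
        elif reported >= 0.5:
            action = "reward"         # most of the group reported it: recognise them
        else:
            action = "reinforce"      # nobody fell, but few reported: keep pushing awareness
        card[dept] = {"n": n, "fell": round(fell, 3),
                      "reported": round(reported, 3), "action": action}
    return card
```

Running `report_card(SAMPLE_RESULTS, "phish")` folds Legal, the Mayor's Office and Parks into "Other", so a two-person department's single click never becomes a personal score.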
[Diagram: cybercrime surrounded by the four levers we can pull against it – technology, law, knowledge and diplomacy]
What more can we do?
We need better cybercrime deterrence, which means stepping up law enforcement and diplomacy
Resources to tap
• MS-ISAC > msisac.cisecurity.org
• California Cyber Security Task Force
• State Threat Assessment System (Fusion)
• NIST Framework (I agree with Ken)
• Local ISSA and (ISC)2
• Your security vendors
• MISAC, NASCIO, CCISDA
• NCSAM > StaySafeOnline.org
• Websites
– CSOonline.com
– KrebsOnSecurity.com
– SecuringOureCity.com
– WeLiveSecurity.com
Thank you!
• Stephen Cobb
• [email protected]
• @zcobb @ESET
• We Live Security: www.welivesecurity.com
• Webinars: www.brighttalk.com/channel/1718