This presentation covers an overview of the cyber threat environment, actionable tips and tricks to safeguard data, and a discussion of how cybersecurity has evolved. It emphasizes the need for continuous vigilance and accountability in protecting against cyber threats.
Agenda • Cyber Threat Environment Overview • What Can Be Done? • Tips & Tricks to Protect Company/Personal Data • Closing Remarks/Parting Thoughts
Cyber Evolution Timeline
[Timeline slide spanning the 1960s-70s, 1980s, 1990s, 2000s and 2010s, with one row per layer:]
• Hardware: mainframe → distributed computing → PCs → mobile devices → cloud
• Software: timesharing → productivity software → e-mail and eCommerce → web applications and social networks
• Networking: private/limited → local area networks → Internet → everything networked → Internet of Things (IoT)
• Cyber Threats: simple viruses & worms → widespread viruses & worms, Trojan horses → social engineering, limited botnets → advanced persistent threats
An increasingly interconnected world has greatly increased the risk of cyber threats
Several Different Types of Bad Actors with Differing Motives
The "bad guys" can choose from an array of attack methods to infiltrate their targets of interest
Examples of Data Breaches (records affected, as reported at the time)
• Yahoo – 3 billion
• Equifax – 143 million
• Anthem – 78.8 million
• eBay – 145 million
• Facebook – 87 million
• Target – 110 million
• Marriott – 500 million
• Home Depot – 56 million
• Pacific Gas and Electric – 30,000
• Saks, Lord & Taylor – 5 million
• Sacramento Bee – 19.5 million
• Panera – 37 million
• JP Morgan Chase – 76 million
• Under Armour – 150 million
• Uber – 57 million
• U.S. Postal Service – 60 million
Uptick in the number of data breaches in all industry verticals/sectors
Responsibility & Accountability
• All personnel (e.g., employees, contractors, etc.) are responsible for protecting the Company's assets and data from unauthorized access or modification
• This should be enforced through Company cybersecurity policies, standards and documentation whose terms and conditions all personnel are required to acknowledge and consent to
• It all starts at the Company's top echelon, by building and instilling a resilient cybersecurity culture
Defense-in-Depth Cybersecurity Architecture
[Diagram: traffic enters from the Internet through firewalls and passes into successively more restricted zones: DMZ → Business Net → Protected Net → Critical Assets. Content filtering (email, web, network) is applied at the perimeter; multifactor authentication and least-privilege access gate entry to the inner zones.]
Defense-in-depth based upon best-practice frameworks and cybersecurity controls
Mature Cybersecurity Program
• PEOPLE
  • Highly-skilled cybersecurity team
  • Decades of experience
  • Multiple certifications
  • Diverse backgrounds – DOD, law enforcement
  • Secret & Top Secret clearances (where applicable)
• PROCESS
  • Well-defined corporate policies & standards
  • Mature governance and process controls
  • Cybersecurity awareness
  • Patch management
  • Inter-affiliate information sharing to minimize risk (where applicable)
• TECHNOLOGY
  • Best-of-breed cybersecurity tools and controls
Essential Practices to Minimize Cybersecurity Incidents
• End users are the Company's first line of defense and should have an easy avenue to report potential cybersecurity incidents
  • Preferably, the Service/Help Desk should be leveraged to provide tier one support for reporting/triaging cybersecurity incidents
  • The Service/Help Desk and Cybersecurity teams should meet regularly and work well together
  • Job shadowing/cross training on how to quickly triage common cybersecurity incidents (e.g., machine compromised with commodity malware, user's credentials harvested) is highly recommended
• Restrict the ability to place non-Company devices on the network to prevent propagation of malware
• Isolate critical systems behind multiple layers of defense, including segmenting them from the rest of the corporate network
Essential Practices to Minimize Cybersecurity Incidents, cont.
• Passwords are simply not enough
• Use different passwords everywhere
• Complexity is recommended but comes with its challenges
  • People have a tendency to write down passwords that are hard to remember
• Utilize passphrases – the longer the password the better
• Password vaults/repositories help simplify the management of passwords
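The slide's claim that length beats complexity is easy to put numbers on. The following is an added example, not part of the original deck: it estimates the entropy of a short "complex" password from the character classes it uses, compares it with a randomly chosen passphrase, and shows why a dictionary passphrase must be measured in words rather than characters. The four character classes, the 7776-word Diceware-style list size and the 1e10 guesses/second rate are assumptions for illustration.

```python
"""Added example: compare a short 'complex' password with a longer passphrase in bits of entropy.
Not from the original slide deck; the character classes, the 7776-word list size and the
guess rate below are assumptions for illustration."""
import math
import string

# Character classes a typical complexity policy asks for (assumption: these four).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Size of a Diceware-style word list (assumption: 6^5 = 7776 words).
WORDLIST_SIZE = 7776


def charset_size(password: str) -> int:
    """Size of the smallest policy alphabet that contains every character used.
    Characters outside the four classes (space, non-ASCII) each add one symbol."""
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    extra = {ch for ch in password if not any(ch in cls for cls in CLASSES)}
    return size + len(extra)


def password_entropy_bits(password: str) -> float:
    """Upper bound: assumes every character was drawn uniformly from the alphabet
    implied by the classes present. Human-chosen passwords are weaker than this."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `words` words chosen uniformly at random from a list of `wordlist_size`.
    This is the right measure for a dictionary passphrase; the character-level bound
    above overstates it badly because the attacker guesses words, not letters."""
    return words * math.log2(wordlist_size)


def years_to_exhaust_half(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at a given guess rate (assumption: 1e10/s,
    a GPU rig against a fast hash; a slow hash such as bcrypt changes this by orders of magnitude)."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    complex_pw = "P@ssw0rd"                      # 8 chars, all four classes
    phrase = "correct horse battery staple"      # 4 dictionary words
    print(f"{complex_pw!r}: {password_entropy_bits(complex_pw):.1f} bits, "
          f"~{years_to_exhaust_half(password_entropy_bits(complex_pw)):.2g} years")
    print(f"4 random words: {passphrase_entropy_bits(4):.1f} bits, "
          f"~{years_to_exhaust_half(passphrase_entropy_bits(4)):.2g} years")
    print(f"5 random words: {passphrase_entropy_bits(5):.1f} bits, "
          f"~{years_to_exhaust_half(passphrase_entropy_bits(5)):.2g} years")
    print(f"{phrase!r} measured per character (misleading): "
          f"{password_entropy_bits(phrase):.1f} bits")
```

The per-character figure for the four-word phrase comes out far higher than its real strength (about 52 bits for four random words), which is why a policy checker should score passphrases by word count against a wordlist, and why a password vault generating long random strings is the strongest option of all.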
Essential Practices to Minimize Cybersecurity Incidents, cont.
• Phishing is the Company's biggest threat vector
  • Not going away anytime soon due to its highly effective success rate
  • Social Engineering – manipulating people into performing nefarious actions or divulging confidential information
• Safeguard personnel from phishing/spearphishing/social engineering attacks
  • Implement email filtering
  • Visual cue (e.g., banner) denoting that the email was sent by an external sender
  • Avenue for customers to send suspicious emails to be analyzed by the cybersecurity team
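The controls on this slide (external-sender banner, filtering, a triage path for forwarded suspicious mail) and the later pointer to analyzing email headers reduce to a handful of checks on the message headers. The following is an added example, not code from the deck: it parses a raw message with Python's standard library, tags it as external, and flags the patterns a help desk analyst looks for first: failing SPF/DKIM/DMARC results, a Reply-To that points somewhere other than the sender's domain, a look-alike sender domain, and urgency language. The Company domain `example.com`, the sample message and the homoglyph table are constructed for the example.

```python
"""Added example (not from the slide deck): first-pass triage of a suspicious e-mail
using only the standard library. The Company domain, sample message and homoglyph
table below are constructed for illustration."""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAINS = {"example.com"}          # assumption: the Company's own mail domains
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "gift card", "before 5pm")
# Common look-alike substitutions; map back toward the letter they imitate.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed spear-phishing message: CEO display name, look-alike domain, foreign Reply-To.
SAMPLE_EMAIL = b"""\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: payments-desk@mail-relay.example.net
To: bob@example.com
Subject: Urgent wire transfer before 5pm
Date: Mon, 01 Apr 2019 09:00:00 -0400
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Bob, I'm in a meeting and need this processed today. Click https://examp1e.com/invoice to confirm.
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize_homoglyphs(domain: str) -> str:
    """Fold common digit/letter look-alikes so examp1e.com compares equal to example.com."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def auth_failures(auth_results: str) -> list[str]:
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    found = []
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth_results.lower())
        if m and m.group(1) != "pass":
            found.append(f"{mech}={m.group(1)}")
    return found


def triage(raw: bytes, company_domains: set[str] = COMPANY_DOMAINS) -> dict:
    """Return the external-sender verdict, a banner-tagged subject and a list of red flags."""
    msg = email.message_from_bytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    external = from_dom not in company_domains
    flags = ["external sender"] if external else []

    flags += auth_failures(msg.get("Authentication-Results", ""))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"reply-to domain {domain_of(reply_addr)} differs from sender {from_dom}")

    for trusted in company_domains:
        if from_dom != trusted and normalize_homoglyphs(from_dom) == normalize_homoglyphs(trusted):
            flags.append(f"look-alike domain {from_dom} imitates {trusted}")

    subject = msg.get("Subject", "")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        flags.append("urgency language in subject")

    banner = f"[EXTERNAL] {subject}" if external else subject
    return {"external": external, "subject": banner, "flags": flags}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["subject"])
    for flag in result["flags"]:
        print(" -", flag)
```

None of these checks is conclusive on its own (legitimate newsletters fail DKIM, vendors set Reply-To to ticketing systems), which is why the slide routes forwarded mail to the Service/Help Desk for a human decision; the value of the script is that it puts the same facts in front of tier one every time.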
Dogbert and Spearphishing Don’t become an active part of Dogbert’s hobby
Essential Practices to Minimize Cybersecurity Incidents, cont.
• Removable Media (e.g., thumb drives, flash drives, external hard drives)
  • Use Company approved/issued devices
  • Implement encryption (e.g., BitLocker) so that a lost or stolen drive does not expose Company data
  • Educate personnel to scan the drive before use
  • Disable AutoRun/AutoPlay
Essential Practices to Minimize Cybersecurity Incidents, cont.
• Conduct periodic tabletop exercises to test and improve the effectiveness of the Company's incident response plans
  • Response plans that have not been tested are as useful as having no plan at all
  • Companies cannot improve what they do not measure
• Exercises should touch on cyber threats pertinent to the Company
  • Examples: privacy breach, disconnecting from the Internet, out-of-band communications when email is no longer an option
  • Postmortems on incidents that happened in the same vertical (e.g., a healthcare provider testing its plans against what it learned from the Anthem data breach)
• Create playbooks for dealing with common types of cyber threats
  • Should include the departments needed for incident response efforts
  • Service/Help Desks should be active participants
Essential Practices to Minimize Cybersecurity Incidents, cont.
• Threat intelligence sharing with industry peers, third party vendors and government partners is crucial to staying abreast of cyber threats and how to combat them
  • Collaboration allows peers to benchmark (e.g., patch management, anti-malware, phishing, etc.), which can help drive funding for essential security controls
  • Leverage industry-driven Information Sharing and Analysis Centers (e.g., E-ISAC, MS-ISAC, DNG-ISAC, etc.)
  • Establish relationships with government partners that can help funnel timely information
• Conduct security assessments on critical/core business processes to ensure adequate security controls are in place
Tips & Tricks to Protect Data
• GOOD
  • Validate an unexpected email from someone you know by calling them first
  • Use removable media only for business purposes on Company devices [do not use your personal device]
  • Change default passwords and use a password that is hard for an adversary to guess
  • Back up important files to an offline storage device such as an encrypted removable media device
  • Install anti-malware software and keep it up to date
  • Install ALL relevant security patches for the operating system and third party software
Tips & Tricks to Protect Data, cont.
• GOOD
  • Use credit monitoring services, and freeze your credit during periods when you are not applying for new credit
  • Set a password/PIN on your mobile device(s)
  • Use multi-factor authentication (e.g., fingerprint, Face ID, one-time passcode)
  • Use strong encryption on home wireless networks
  • Be leery of what you share on social media outlets
There's no single solution to better cybersecurity, but combining multiple best practices can significantly reduce your risk
Tips & Tricks to Protect Data, cont.
• BAD
  • Clicking on links or opening attachments in emails you are not expecting (e.g., from unknown senders)
  • When browsing the Internet, clicking on unexpected pop-ups or using their close box [use Task Manager to terminate the window/process instead]
  • Letting vendors/contractors insert removable media without first scanning the media on a non-critical Company device
  • Using the same password across multiple accounts [invest in password management software]
Remember, the "bad guys" are trying to "trick" you into taking an action that allows them access to your computer!
Free Internet Security Resources
• VirusTotal – Used to analyze suspicious files and URLs: https://www.virustotal.com/
• MX Toolbox – Used to analyze email headers (for the technically savvy): https://mxtoolbox.com/
• Have I Been Pwned – Check to see if your email account was part of a breach: https://haveibeenpwned.com/
• Pipl – Comprehensive people search (search your name): https://pipl.com/
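Have I Been Pwned also publishes its Pwned Passwords corpus, which ties back to the earlier password slide: it lets a user (or a password vault, or a Help Desk reset workflow) learn whether a candidate password has already appeared in a breach without ever sending the password anywhere. The following is an added example, not code from the deck or from HIBP: it implements the k-anonymity range lookup as publicly documented (send only the first five hex characters of the SHA-1, receive every suffix sharing that prefix, compare locally). The network call is isolated in `fetch_range()` so the logic can be exercised offline; the sample response is constructed, not real data, and the `Add-Padding` and `User-Agent` headers are per HIBP's documented API conventions.

```python
"""Added example (not from the slide deck): check a password against Have I Been Pwned's
Pwned Passwords range API using k-anonymity, so the password itself never leaves the host.
API shape: GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>, returning one
'SUFFIX:COUNT' per line. The sample response below is constructed for illustration."""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local), upper-case hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries (count 0, returned when
    Add-Padding is requested) are dropped so they cannot be mistaken for real hits."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix. HIBP requires a User-Agent; padding hides the true
    response size from a network observer."""
    req = urllib.request.Request(
        API + prefix,
        headers={"User-Agent": "pwned-passwords-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).
    `fetch` is injectable so the comparison logic can be tested offline."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the response to prefix 5BAA6 (the real one has hundreds of lines).
# The third suffix is the real SHA-1 tail of the string "password"; the other rows and all
# counts are made up, and the trailing 0-count row imitates a padding entry.
SAMPLE_RESPONSE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:3
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FEDCBA9876543210FEDCBA9876543210FED:0
"""


if __name__ == "__main__":
    import getpass
    candidate = getpass.getpass("Password to check (never sent over the network): ")
    n = breach_count(candidate)
    print("seen in breaches %d times; pick another" % n if n else "not found in corpus")
```

Because only five hex characters (about 19 bits of a 160-bit hash) leave the machine, the service learns nothing usable about the password; the same pattern is a reasonable check to wire into a self-service password reset so that "use different passwords everywhere" is enforced against known-bad choices, not just policy text.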
Closing Remarks/Parting Thoughts
• Incorporate a sound cybersecurity program throughout all levels of the Company
• Everyone is "playing with the same deck of cards"
  • The tactics, techniques and procedures (TTPs) used on both sides are well-known and documented
  • There is no "silver bullet" in cybersecurity defense, only hard work
• Cybersecurity is not rocket science, but execution is complicated because of how quickly technology changes and the need to coordinate across the entire Company
• It only takes one mistake by a defender for an adversary to record a "win"
Closing Remarks/Parting Thoughts, cont.
• Educate your customers/clients on good cybersecurity hygiene
• Continuous security awareness will help minimize business risks due to cyber threats
  • Basic hygiene can mitigate a large share of risk (the presenter's estimate: 90% or more): stay patched/up to date, use good password management, do not fall for phishing/social engineering attacks, refrain from risky Internet browsing, etc.
• The main takeaway is that cybersecurity is everyone's responsibility