Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security • Stephen Cobb, CISSP • Senior Security Researcher, ESET NA
Protecting federal data systems • Requires: • technical and human elements • properly synchronized
We have the technology • Anti-malware • Firewalls • 2-factor authentication • Encryption • Network monitoring • Filtering
And the technology is getting smarter • Cloud-based reputation, signatures, big data • But technology is undermined when your workforce is not trained to play defense
Waiting for technology alone to solve the data security problem? Dream on…
Techno-people • Not everyone needs to be technical, but: • We are all computer users • Data security is everyone’s responsibility • Everyone needs to understand the threats • And the defensive strategies
Today’s agenda • Scale of the problem • Nature of our adversaries • Information security’s 9 patterns • Patterns applied to federal agencies • How to improve the coordination of people and technology to address those patterns
April 2014 GAO report • Information Security • Federal Agencies Need to Enhance Responses to Data Breaches • (GAO-14-487T) • A lot of work still to be done, across numerous agencies • Improve security • Improve breach response
The scale of the problem • Information security incidents reported to US-CERT by all agencies • Number of incidents up • More data to defend? • Improved reporting?
Exposure of PII is growing • More incidents involving Personally Identifiable Information (PII) • Why? • Thriving black market for PII • Impact • Seriously impacts individuals • Growing public displeasure • Heads may roll
A federal PII breach example • July 2013, hackers get PII of 104,000+ people • From a DOE system • Social Security numbers, birth dates and locations, bank account numbers • Plus security questions and answers • DOE Inspector General: cost = $3.7 million • Assisting affected individuals and lost productivity
What happens to the stolen data? • Sold to criminal enterprises • For identity theft, raiding bank accounts, buying luxury goods, laundering money • Lucrative scams like tax identity fraud
All driven by proven business strategies • Specialization • Modularity • Markets • Division of labor • Standards
An overwhelming problem? • Not if we analyze security incidents • 2014 Verizon Data Breach Investigation Report • 92% of incidents can be categorized into 9 patterns • True for 100,000 incidents over a 10-year period • True for 95% of breaches in the last 3 years
The Big 9 • Point-of-sale intrusions • Web app attacks • Insider/privilege misuse • Physical theft and loss • Miscellaneous errors • Crimeware • Payment card skimmers • Denial of service • Cyber-espionage • Everything else
Industry sectors not affected equally • Just 4 patterns where victim industry = Public • 2014 Verizon Data Breach Investigation Report
Let’s count down the top 4 • Miscellaneous • Insider and privilege misuse • Crimeware • Physical theft/loss • Everything else
Pattern #4: Physical theft and loss • Cause of 19% of public sector security incidents • It’s people! • Screen, educate, supervise • Reduce impact by using encryption • 2014 Verizon Data Breach Investigation Report
Pattern #3: Crimeware • Accounts for 21% • It’s people abusing technology • Can be solved with the right anti-malware strategy • Endpoint AND server scanning • 2014 Verizon Data Breach Investigation Report
Pattern #2: Insider and privilege misuse • 24% of incidents • Again it’s people! • Can be fixed! • Education • Awareness • Screening • 2014 Verizon Data Breach Investigation Report
Pattern #1: Miscellaneous Errors • 34% of incidents • Human error! • Can be fixed! • Training • Awareness • Oversight • 2014 Verizon Data Breach Investigation Report
Strategy for doing better • Technologies and people working together • If they don’t you get: Target • Malware was detected • Exfiltration detected • But nobody reacted • Training and awareness? • Clearly lacking
Security training and awareness • You need both, but what’s the difference? • Training • Ensure people at different levels of IT engagement have the knowledge they need • Awareness • Ensure all people at all levels know the threats and the defensive measures they must use
Who gets trained? • Everyone, but not in the same way: • All-hands training • IT staff training • Security staff training
How to deliver training • In person • Online • On paper • In house • Outside contractor • Mix and match • Be creative
Incentives? • They work! • Drive engagement • Encourage compliance • But need reinforcement • Security in job descriptions • Evaluations • Rewards
Use your internal organs • Of communication! • Newsletter • Internal social media • Physical posters • Add to meeting agendas • Email blasts
How to do awareness • Make it fun • Make it relevant • Leverage the news • Remember: • Everyone now has a vested interest in staying current on threats to their/your data
Awareness example: phish traps • Train on phishing • Send out a phishing message • Track responses • Report card and re-education • No naming & shaming
Awareness example: flash phish • Train on media scanning • Sprinkle USB/flash drives • Sample file/autorun • Track results • Inserted? Scanned? Reported? • Rewards or re-education • Again, avoid name+shame
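One way to do the "track results" and "report card" steps for both exercises above (the phish trap and the flash-drive test) while honouring the "no naming and shaming" rule, as an added example that is not part of the original presentation; the event records, team names, outcome labels and grading thresholds are constructed assumptions, not data from the talk.

```python
"""Turn raw awareness-exercise events into a per-team report card.

Team-level counts can be shared openly; the user-level list is kept
separate so re-education stays private (no naming and shaming)."""
from collections import defaultdict

# Constructed sample log: (exercise, team, user_id, outcome).
# Phish-trap outcomes:   "ignored", "clicked", "reported"
# Flash-drive outcomes:  "scanned", "inserted", "reported"
SAMPLE_EVENTS = [
    ("phish", "finance", "u01", "clicked"),
    ("phish", "finance", "u02", "reported"),
    ("phish", "finance", "u03", "ignored"),
    ("phish", "finance", "u04", "clicked"),
    ("phish", "hr", "u05", "reported"),
    ("phish", "hr", "u06", "reported"),
    ("phish", "hr", "u07", "ignored"),
    ("flash", "finance", "u01", "inserted"),
    ("flash", "finance", "u02", "scanned"),
    ("flash", "hr", "u05", "reported"),
    ("flash", "hr", "u06", "scanned"),
    ("flash", "hr", "u07", "inserted"),
]

# The outcome that counts as "fell for it" in each exercise (assumed labels).
RISKY = {"phish": {"clicked"}, "flash": {"inserted"}}


def report_card(events, exercise):
    """Return {team: {"targeted", "fell_for_it", "reported", "grade"}}.

    Grade thresholds are assumptions: no failures -> pass,
    under half -> re-educate, half or more -> retrain the whole team."""
    card = defaultdict(lambda: {"targeted": 0, "fell_for_it": 0, "reported": 0})
    for kind, team, _user, outcome in events:
        if kind != exercise:
            continue
        row = card[team]
        row["targeted"] += 1
        if outcome in RISKY[exercise]:
            row["fell_for_it"] += 1
        elif outcome == "reported":
            row["reported"] += 1   # the behaviour we actually want to grow
    for row in card.values():
        fail_rate = row["fell_for_it"] / row["targeted"]
        row["grade"] = "pass" if fail_rate == 0 else ("re-educate" if fail_rate < 0.5 else "retrain")
    return dict(card)


def needs_reeducation(events, exercise):
    """User ids to follow up with privately; never published with the card."""
    return sorted(u for k, _t, u, o in events if k == exercise and o in RISKY[exercise])
```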
Resources to tap • CompTIA • ISSA • SANS • (ISC)2 • Vendors • Websites
Thank you! • Stephen Cobb • Stephen.cobb@eset.com • We Live Security • www.welivesecurity.com • Webinars • www.brighttalk.com/channel/1718 • Booth Number 826