Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security


Stephen Cobb, CISSP, Senior Security Researcher, ESET NA

Protecting federal data systems
• Requires:
– technical and human elements
– properly synchronized

We have the technology
• Anti-malware
• Firewalls
• 2-factor authentication
• Encryption
• Network monitoring
• Filtering

And the technology is getting smarter
• Cloud-based reputation, signatures, big data
• But technology is undermined when your workforce is not trained to play defense

Waiting for technology alone to solve the data security problem? Dream on…

Techno-people
• Not everyone needs to be technical, but:
• We are all computer users
• Data security is everyone’s responsibility
• Everyone needs to understand the threats
• And the defensive strategies

Today’s agenda
• Scale of the problem
• Nature of our adversaries
• Information security’s 9 patterns
• Patterns applied to federal agencies
• How to improve the coordination of people and technology to address those patterns

April 2014 GAO report
• Information Security – Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T)
• A lot of work still to be done, across numerous agencies
– Improve security
– Improve breach response

The scale of the problem
• Information security incidents reported to US-CERT by all agencies

Year   Incidents
2009   29,999
2010   41,776
2011   42,854
2012   48,562
2013   61,214

• Number of incidents up
• More data to defend?
• Improved reporting?

Exposure of PII is growing
• More incidents involving Personally Identifiable Information (PII)
• Why?
– Thriving black market for PII
• Impact
– Seriously impacts individuals
– Growing public displeasure
– Heads may roll

Year   PII incidents
2009   10,481
2010   13,028
2011   15,584
2012   22,156
2013   25,566

A federal PII breach example
• July 2013, hackers get PII of 104,000+ people
– From a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity

What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud

The market for stolen data has matured
• All driven by proven business strategies:
– Specialization
– Modularity
– Division of labor
– Standards
– Markets

An overwhelming problem?
• Not if we analyze security incidents
• 2014 Verizon Data Breach Investigation Report
• 92% of incidents categorized into 9 patterns
– True for 100,000 incidents over 10 year period
– True for 95% of breaches in the last 3 years

The Big 9
• Point-of-sale intrusions
• Web app attacks
• Insider/privilege misuse
• Physical theft and loss
• Miscellaneous errors
• Crimeware
• Payment card skimmers
• Denial of service
• Cyber-espionage
• Everything else

Industry sectors not affected equally
• Just 4 main patterns where victim industry = Public

Pattern           Share of public sector incidents
Miscellaneous     34%
Insider Misuse    24%
Crimeware         21%
Theft/Loss        19%
Everything Else    2%

2014 Verizon Data Breach Investigation Report

Let’s count down the top 4
• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
• Everything else

Pattern #4: Physical theft and loss
• Cause of 19% of public sector security incidents
• It’s people!
• Screen, educate, supervise
• Reduce impact by using encryption

Asset lost or stolen   Incidents
Other                  892
Laptop                 308
Documents              140
Desktop                108
Flash drive            102
Other                   39
Tapes                   36
Database                11

2014 Verizon Data Breach Investigation Report

Pattern #3: Crimeware
• Accounts for 21%
• It’s people abusing technology
• Can be solved with the right anti-malware strategy
• Endpoint AND server scanning

Infection vector       Share
Web drive-by           43%
Web download           38%
Network propagation     6%
Email attachment        5%
Email link              4%
Download by malware     2%
Other                   2%
Remote injection        1%
Unknown                 1%
Removable media         1%

2014 Verizon Data Breach Investigation Report

Pattern #2: Insider and privilege misuse
• 24% of incidents
• Again it’s people!
• Can be fixed!
– Education
– Awareness
– Screening

Role of insider   Share
Cashier           23%
End-user          17%
Finance           13%
Manager           13%
Call center        9%
Executive          7%
Other              7%
Developer          6%
System admin       6%
Auditor            1%

2014 Verizon Data Breach Investigation Report

Pattern #1: Miscellaneous Errors
• 34% of incidents
• Human error!
• Can be fixed!
– Training
– Awareness
– Oversight

Type of error        Share
Misdelivery          44%
Publishing error     22%
Disposal error       20%
Misconfiguration      6%
Malfunction           3%
Programming error     3%
Gaffe                 1%
Omission              1%
Other                 1%
Maintenance error     1%

2014 Verizon Data Breach Investigation Report

Strategy for doing better
• Technologies and people working together
• If they don’t you get: Target
– Malware was detected
– Exfiltration detected
– But nobody reacted
– Training and awareness? Clearly lacking

Security training and awareness
• You need both, but what’s the difference?
• Training
– Ensure people at different levels of IT engagement have the knowledge they need
• Awareness
– Ensure all people at all levels know the threats and the defensive measures they must use

Who gets trained?
• Everyone, but not in the same way:
– All-hands training
– IT staff training
– Security staff training

How to deliver training
• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative

Incentives?
• They work!
– Drive engagement
– Encourage compliance
• But need reinforcement
– Security in job descriptions
– Evaluations
– Rewards

Use your internal organs
• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts

How to do awareness
• Make it fun
• Make it relevant
• Leverage the news
• Remember:
– Everyone now has a vested interest in staying current on threats to their/your data

Awareness example: phish traps
• Train on phishing
• Send out a phishing message
• Track responses
• Report card and re-education
– No naming & shaming

Awareness example: flash phish
• Train on media scanning
• Sprinkle USB/flash drives
– Sample file/autorun
• Track results
– Inserted? Scanned? Reported?
• Rewards or re-education
– Again, avoid name+shame
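The "track results, then report card without naming and shaming" step of both awareness exercises above, as an added example that is not part of the original slides: campaign outcomes are aggregated per department only, and any group too small to hide an individual is suppressed from the card. The event records, department names and grading thresholds are constructed for illustration.

```python
"""Report card for awareness campaigns (phish trap and flash phish), aggregated per department."""
from collections import defaultdict

# Constructed sample events: (campaign, department, outcome).
# Phish trap outcomes:  "ignored", "clicked", "reported".
# Flash phish outcomes: "untouched", "inserted", "scanned", "reported".
EVENTS = [
    ("phish", "finance", "clicked"), ("phish", "finance", "reported"),
    ("phish", "finance", "ignored"), ("phish", "finance", "clicked"),
    ("phish", "it", "reported"), ("phish", "it", "reported"),
    ("phish", "it", "ignored"), ("phish", "it", "ignored"),
    ("phish", "legal", "clicked"),  # one person: must not appear on the card
    ("usb", "finance", "inserted"), ("usb", "finance", "scanned"),
    ("usb", "finance", "reported"), ("usb", "finance", "untouched"),
    ("usb", "it", "scanned"), ("usb", "it", "reported"),
    ("usb", "it", "untouched"), ("usb", "it", "reported"),
]

# Outcomes that call for re-education (miss) or a reward (win), per campaign.
MISS = {"phish": {"clicked"}, "usb": {"inserted"}}
WIN = {"phish": {"reported"}, "usb": {"scanned", "reported"}}

MIN_GROUP = 3      # a rate over fewer people would identify individuals
REEDUCATE_AT = 0.25  # miss rate at which a department gets re-education


def report_card(events, min_group=MIN_GROUP):
    """Return {(campaign, dept): {"n", "miss_rate", "win_rate", "grade"}}.
    Only departments with at least min_group participants are included."""
    counts = defaultdict(lambda: {"n": 0, "miss": 0, "win": 0})
    for campaign, dept, outcome in events:
        c = counts[(campaign, dept)]
        c["n"] += 1
        c["miss"] += int(outcome in MISS[campaign])
        c["win"] += int(outcome in WIN[campaign])
    card = {}
    for key, c in counts.items():
        if c["n"] < min_group:
            continue  # suppressed: too small to report without naming someone
        miss_rate, win_rate = c["miss"] / c["n"], c["win"] / c["n"]
        if miss_rate == 0:
            grade = "reward"
        elif miss_rate >= REEDUCATE_AT:
            grade = "re-educate"
        else:
            grade = "ok"
        card[key] = {"n": c["n"], "miss_rate": round(miss_rate, 2),
                     "win_rate": round(win_rate, 2), "grade": grade}
    return card


if __name__ == "__main__":
    for (campaign, dept), r in sorted(report_card(EVENTS).items()):
        print(f"{campaign:5} {dept:8} n={r['n']} miss={r['miss_rate']:.0%} "
              f"scanned/reported={r['win_rate']:.0%} -> {r['grade']}")
```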

Resources to tap
• CompTIA
• ISSA
• SANS
• (ISC)2
• Vendors
• Websites

Thank you!
• Stephen Cobb
• Stephen.cobb@eset.com
• We Live Security
• www.welivesecurity.com
• Webinars
• www.brighttalk.com/channel/1718
• Booth Number 826
