Cyber Security for the SMB 2014


DESCRIPTION

What small and medium-sized businesses need to know about cyber security: the risks related to social media, hackers, identity theft, data breaches, espionage…


Cyber Security for SMB

Social Media, Identity Theft, Data Breaches, Espionage & Cyber Security

Donald E. Hester

twitter.com/sobca | www.facebook.com/LearnSec | www.learnsecurity.org

What you don’t know can hurt you

Challenge for SMB

• Knowledge of cyber threats (What you don’t know)
• Dynamic and changing technology
• Requires expert or professional advice
• Additional costs
• Security products and services sized for Enterprise
• Balance customer & business needs

SMB Cyber Security

Don’t think in terms of security. Think in terms of risk to your business:

• What is the risk to my business if I ________?
• What can I do to minimize that risk?
• How much will it cost if I do nothing?
• How much will it cost if I do something?
• Am I money ahead?

What is the risk to my business if I accept payment cards?

Payment Card Acceptance

• If your business accepts credit cards you are required to protect cardholder data.
• Failure to protect cardholder data can lead to steep fines.
• The fines have put some small businesses out of business.

pcisecuritystandards.org/merchants/

Risks related to Social Media

Business Integration

Online Profile & Reputation

Your "online profile" is the sum of online content about you that you've created and content about you created by others. Items include: emails, videos, posts on social networks, someone posting a picture or comments about you on a social network or website, credit, financial and medical information.

Your "online reputation" is the image created of you through information you or others shared online in blogs, posts, pictures, tweets and videos.

Online Reputation

Do you have control of what is posted?

Not all fame is good! People use anonymity to post stuff about others!

Embarrassment, loss of credibility


Social Shopping & Brand Protection

If you own a business or are self-employed:

• Have you looked to see what is posted about you?
• Do you monitor for comments or ratings?
• How do you address complaints?
• Do you monitor for brand-jacking? http://knowem.com/

Social Media & HR

The use of social media outside of personal lives has increased and continues to increase

Concern that potential employers will misconstrue what is seen

• Used for monitoring current employees
• Used for screening job applicants

Employees see it as a good way to “get to know” the applicant

Ramifications

• Employers are increasingly using social media for background checks.
• Insurance companies use social media to look for fraud.
• Spies use social media to look for informants.

Bad guys use social media too

Bad guys can exploit your use of social media to infect your computer with malware

Information about your business online

• Do I have control of what is posted about my business?
• Look your business up! Even if you are not on the web, you may be on the web!
• Do what you can to control what is out there.
• What is your social relevancy (reputation)?
• Set up alerts and monitor what is posted about you.

Are people using your intellectual property?

Can someone use what you post against you?

The risk of keeping customer information?

Why do criminals want personal information?

• In an information age, information becomes a commodity
• Information has a value
• Some information has a greater value
• Personal information is potentially worth more than you think
• Criminals can trade it for money or drugs

What is PII? Personally Identifiable Information

• Name and account number
• Name and social security number
• Name and address
• Credit card number

Where you might find it

• Tax files
• Account statements
• Records (medical, public and other)
• Businesses you do business with

Who keeps personal data on you and your business?

• Social media sites – user generated
• Corporations – big data, tracking, sales, marketing
• Government – local, state, federal and other
• Organizations – non-profits, clubs, VSOs
• Schools – grades, clubs, school newspaper
• Media – newspapers, news, video

Data from unexpected sources

ID Theft vs. ID Fraud

“Identity fraud” consists mainly of someone making unauthorized charges to your credit card.

“Identity theft” is when someone gathers your personal information and assumes your identity as their own.

"Identity theft is one of the fastest growing crimes in the US." – John Ashcroft, 79th US Attorney General

The Busboy That Started It All

March 20th 2001, MSNBC reported the first identity theft case to gain widespread public attention

Thief assumed the identities of Oprah Winfrey and Martha Stewart, took out new credit cards in their names, and accessed their bank accounts

Stole more than $7 million from 200 of the world’s super rich, including Warren Buffett and George Soros and tech tycoons Paul Allen and Larry Ellison

Used a library computer, public records, a cell phone, a fax machine, a PO Box, and a copy of Forbes Richest People

32-year-old Abraham Abdallah was described as “a high school dropout, a New York City busboy, a pudgy, disheveled, career petty criminal.”

ID Theft & Fraud

• PII exposed by others (data breaches)
• PII exposed by ourselves (online & others)
• Malware (spyware, viruses, etc…)
• Social engineering: phone, Internet (phishing, social websites etc…), in person (at your door, in a restaurant etc…)
• Physical theft: mail box, trash (dumpster diving), ATMs (skimming), home break-ins

Physical theft

• Dumpster diving
• ATM – credit card skimming
• Mailbox
• Break-in

“Lock Bumping”

http://cbs11tv.com/seenon/Bump.Key.Safety.2.499252.html

Credit Card/ATM Skimming

Credit Card Skimming Stats (chart: top merchant groups – restaurants, gas, hotels, car rentals, all other)

Credit Card Skimming Stats (chart: by merchant location – California, Florida, New York, New Jersey, Texas, Mexico, Illinois, all other)

Source: California Restaurant Association, Visa USA, United States Secret Service

What do they do with stolen IDs?

• Information is sold on the Black Market

• Sometimes the information is traded for drugs

• Used to fund terrorist operations

Computer and Mobile Security

Cyber Spying

Other risks

• P2P (peer to peer file sharing, IP loss, malware)
• Theft of mobile devices (data on mobile devices)
• Malware, spyware, viruses (disrupt or data theft)
• Advanced Persistent Threats (APTs)
• Data loss (no backups)
• Access to your network: wireless or no firewall, remote access

Computer Spyware

Cell Phone Spyware

Data Breaches

Desensitization of data breaches

The Problem

Albert Gonzalez, 28

With accomplices, he was involved in most of the major data breaches: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.

Who is behind data breaches?

• 70% from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties

How PII might be exposed

• Data breach: lack of security on the part of businesses
• Organization may post information online
• Loss of a laptop, hard drive or paperwork
• Data loss by a third party
• Hacker (organized crime & nation state)
• Organizations may break into your computer
• Hacktivism

Top 10 Largest Breaches

Data provided by DataLoss db as of February 2014

Hacktivism

Cyber Security Framework http://www.nist.gov/cyberframework/

Help SBA.gov US Small Business Administration

Other Sites

Links: twitter.com/sobca | www.facebook.com/LearnSec | www.learnsecurity.org | linkedin.com/in/donaldehester

Slides: http://www.slideshare.net/sobca/
