What small and mediums business need to know about cyber security. The risks related to social media, hackers, Identity Theft, Data Breaches, Espionage…
Cyber Security for SMB
Social Media, Identity Theft, Data Breaches , Espionage & Cyber Security
Donald E. Hester
twitter.com/sobca | www.facebook.com/LearnSec
www.learnsecurity.org
What you don’t know can hurt you
Challenge for SMB
• Knowledge of cyber threats (What you don’t know)
• Dynamic and changing technology
• Requires expert or professional advice
• Additional costs
• Security products and services sized for Enterprise
Balance customer & business needs
SMB Cyber Security
Don’t think in terms of security. Think in terms of risk to your business:
• What is the risk to my business if I ________?
• What can I do to minimize that risk?
• How much will it cost if I do nothing?
• How much will it cost if I do something?
• Am I money ahead?
What is the risk to my business if I accept payment cards?
Payment Card Acceptance If your business accepts credit cards you are required to protect cardholder data.
Failure to protect cardholder data can lead to steep fines.
The fines have put some small businesses out of business.
pcisecuritystandards.org/merchants/
Risks related to Social Media
Business Integration
Online Profile & Reputation
Your "online profile" is the sum of online content about you that you've created and content about you created by others. Items include: emails, videos, posts on social networks, someone posting a picture or comments about you on a social network or website, credit, financial and medical information.
Your "online reputation" is the image created of you through information you or others shared online in blogs, posts, pictures, tweets and videos.
Online Reputation
• Do you have control of what is posted?
• Not all fame is good! People use anonymity to post stuff about others!
• Embarrassment, loss of credibility
Rev 2/28/2011
Social Shopping & Brand Protection
If you own a business or are self-employed:
• Have you looked to see what is posted about you?
• Do you monitor for comments or ratings?
• How do you address complaints?
• Do you monitor for brand-jacking? http://knowem.com/
Social Media & HR
• The use of social media outside of personal lives has increased and continues to increase
• Concern that potential employers will misconstrue what is seen
• Used for monitoring current employees
• Used for screening job applicants
• Employers see it as a good way to “get to know” the applicant
Ramifications
• Employers are increasingly using social media for background checks.
• Insurance companies use social media to look for fraud.
• Spies use social media to look for informants.
Bad guys use social media too
Bad guys can exploit your use of social media to infect your computer with malware
Information about your business online
• Do I have control of what is posted about my business?
• Look your business up! Even if you are not on the web, you may be on the web!
• Do what you can to control what is out there.
• What is your social relevancy (Reputation)?
• Set up alerts and monitor what is posted about you.
Are people using your intellectual property?
Can someone use what you post against you?
The risk of keeping customer information
Why do criminals want personal information?
• In an information age, information becomes a commodity
• Information has a value; some information has a greater value
• Personal information is potentially worth more than you think
• Criminals can trade it for money or drugs
What is PII? Personally Identifiable Information
• Name and account number
• Name and social security number
• Name and address
• Credit Card Number
Where you might find it
• Tax files
• Account Statements
• Records (Medical, Public and other)
• Businesses you do business with
Who keeps personal data on you and your business?
• Social Media Sites – User generated
• Corporations – Big data, Tracking, Sales, Marketing
• Government – Local, State, Federal and other
• Organizations – Non-profits, Clubs, VSOs
• Schools – Grades, Clubs, School Newspaper
• Media – Newspapers, News, Video
Data from unexpected sources
ID Theft vs. ID Fraud
“Identity fraud” consists mainly of someone making unauthorized charges to your credit card.
“Identity theft” is when someone gathers your personal information and assumes your identity as their own.
"Identity theft is one of the fastest growing crimes in the US." – John Ashcroft, 79th US Attorney General
The Busboy That Started It All
March 20th 2001, MSNBC reported the first identity theft case to gain widespread public attention
Thief assumed the identities of Oprah Winfrey and Martha Stewart, took out new credit cards in their names, and accessed their bank accounts
Stole more than $7 million from 200 of the world’s super rich - Warren Buffet and George Soros, tech tycoons Paul Allen and Larry Ellison
Used a library computer, public records, a cell phone, a fax machine, a PO Box, and a copy of Forbes Richest People
32-year-old Abraham Abdallah was described as “a high school dropout, a New York City busboy, a pudgy, disheveled, career petty criminal.”
ID Theft & Fraud
• PII exposed by others (Data Breaches)
• PII exposed by ourselves (online & others)
• Malware (Spyware, Viruses, etc…)
• Social Engineering: Phone; Internet (Phishing, social websites etc…); In Person (at your door, in a restaurant etc…)
• Physical theft: Mail box; Trash (Dumpster diving); ATMs (skimming); Home break-ins
Physical theft
• Dumpster diving
• ATM – Credit Card skimming
• Mailbox
• Break-in
• “Lock Bumping” http://cbs11tv.com/seenon/Bump.Key.Safety.2.499252.html
Credit Card/ATM Skimming
Credit Card Skimming Stats – Top Merchant Groups
(Chart) Categories: Restaurants, Gas, Hotels, Car Rentals, All Other
Source: California Restaurant Association, Visa USA, United States Secret Service
Credit Card Skimming Stats – By Merchant Locations
(Chart) Categories: California, Florida, New York, New Jersey, Texas, Mexico, Illinois, All Other
Source: California Restaurant Association, Visa USA, United States Secret Service
What do they do with stolen IDs?
• Information is sold on the Black Market
• Sometimes the information is traded for drugs
• Used to fund terrorist operations
Computer and Mobile Security
Cyber Spying
Other risks
• P2P (Peer to Peer file sharing, IP loss, Malware)
• Theft of mobile devices (data on mobile devices)
• Malware, Spyware, Viruses (disrupt or data theft)
• Advanced Persistent Threats (APTs)
• Data loss (no backups)
• Access to your network: Wireless or no firewall; Remote access
Computer Spyware
Cell Phone Spyware
Data Breaches
Desensitization of data breaches
The Problem
Albert Gonzalez, 28
With accomplices, he was involved in most of the major data breaches of the period: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.
Who is behind data breaches?
• 70% from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties
How PII might be exposed
Data Breach
• Lack of security on the part of businesses
• Organization may post information online
• Loss of a laptop, hard drive or paperwork
• Data loss by a third party
• Hacker (Organized Crime & Nation State)
• Organizations may break into your computer
• Hacktivism
Top 10 Largest Breaches
Data provided by DataLoss db as of February 2014
Hacktivism
Cyber Security Framework http://www.nist.gov/cyberframework/
Help SBA.gov US Small Business Administration
Other Sites
Links
twitter.com/sobca | www.facebook.com/LearnSec
www.learnsecurity.org
linkedin.com/in/donaldehester
Slides: http://www.slideshare.net/sobca/