Webinar - Cyber Hygiene: Stay Clean at Work and at Home


Page 1: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Cyber Hygiene

Stay Clean at work and at Home!

Page 2: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

About the Author - Mike Ahern
Director, Corporate and Professional Education
Worcester Polytechnic Institute

Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering; and Power Systems

Previous Experience:
– Vice-President, Northeast Utilities (responsibilities included: Distribution Engineering; Training; Planning, Performance and Analysis)
– Member, Executive Compliance and Internal Controls Committee
– Member, Executive Steering Committee for Cyber Security
– Director, Transmission Operations and Planning
– Director, Distribution Engineering
– Director, Nuclear Oversight, Millstone Nuclear Power Station

B.S. from Worcester Polytechnic Institute
M.S. and M.B.A. from Rensselaer Polytechnic Institute
Professional Engineer - Connecticut
NERC Certified System Operator - Transmission (2005 to 2010)

Human Firewall Trained . . . Back at the turn of the century!

Page 3: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

About WPI

Non-profit, top quartile national university (U.S. News and World Report ranking)

Founded in 1865 to teach both “Theory and Practice”

Strong Computer Science, Engineering and Business Schools

DHS/NSA Designated Center of Excellence in Information Security Research

Page 5: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Cyber Hygiene

Outline:

• The Growing Menace

• Risk Reduction

• Attacker Motives and Methods

• Where Do We Start?

• Covering All the Bases

• Questions and Answers

Page 6: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

The Growing Menace

We’ve been seeing news articles about the threat of hackers for quite a while

“JPMorgan and other banks struck by cyberattack” by Nicole Perlroth, Wednesday, 27 Aug 2014, New York Times

“U.S. notified 3,000 companies in 2013 about cyberattacks” by Ellen Nakashima, March 24, 2014, The Washington Post

“DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says” by Lisa Daniel, March 27, 2012, American Forces Press Service, DoD News

Page 7: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

The Growing Menace

Remember Target?

“Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It” by Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Bloomberg Businessweek, 3/13/14

Page 8: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Target’s Story . . . Continued

“Cyber attack takes toll on Target” by Elizabeth Paton in New York, Financial Times, 8/20/14

Cyber attack cost Target $148M

To win back sales, Target took another $234M charge for discounting

The new CEO was announced on 8/1/14

The new CEO lowered the annual earnings forecast by ~15%

Page 9: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

What About Me?

OK, a company lost a lot of money . . . how does this affect me?

Thieves also want to steal your money!

How?

• Hacking Your Debit Account(s)

• Identity Theft

• Ransomware

Page 10: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

What About Me?

Is this a big threat to me?

The FBI reports that in 2014:

• US Citizens reported losses of over $800,000,000 from over 123,000 cyber attacks

• The median loss was $530 but the average was $6,472

• The trend is to more frequent Ransomware attacks

• 80% of the losses were to both men and women between the ages of 20 and 60

Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf

Page 11: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Risk Reduction Through Cyber Hygiene

With cybersecurity attacks and threats growing . . .

What personal behaviors can reduce my risk?

Let’s start by understanding attackers’ motives and methods . . .

Page 12: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Attacker Motives

Source: http://www.slideshare.net/NortonSecuredUK/cybercrime-attack-of-the-cyber-spies

Page 13: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Attacker Methods

The Most Recent Verizon Data Breach Investigations Report* gives us some insights into the methods attackers use

Top “attack vectors”:

1. Behavioral – 80%+ of the attackers are external people, but insiders can cause extensive damage

2. Behavioral – Phishing in 2/3 of attacks, used all by itself in 20% of attacks

3. Technical – 80% of attacks use malware, almost always exploiting known vulnerabilities

*http://www.verizonenterprise.com/DBIR/2015/

Page 14: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Attacker Methods

The FBI reports growing use of:

Click-jacking - Concealing hyperlinks beneath legitimate clickable content which, when clicked, causes a user to unknowingly perform actions, such as downloading malware, or sending personal information to a website. Numerous click-jacking scams have employed “Like” and “Share” buttons on social networking websites. Research other ways to use your browser options to maximize security.

Doxing - Publicly releasing a person’s identifying information online without authorization. Caution should be exercised by users when sharing or posting information about themselves, family, and friends.

Pharming - Redirecting users from legitimate websites to fraudulent ones for the purpose of extracting confidential data. Type in an official website, instead of “linking” to it from an unsolicited source.

Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf

Page 15: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Risk Reduction – Where to Start

Start with Behaviors!

• Training for basic cyber defense for you and your family - how to be “human firewalls”

• Don’t Store Sensitive Information On Your Computer

• Password Protect your Phones and Computers

• Never Share Passwords Outside Your Family

• Defeat Decoders - Use Strong Passwords, unrelated to public information (your name, your pet’s name, your birthday)

• Defeat Phishers – Be Skeptical; Hover Over Links To See Where They’re Taking You; Don’t Click in Suspect Dialog Boxes – Quit The Application Instead

• Defeat Known Vulnerabilities – Have Everyone In Your Family Install Software Updates As Soon As They’re Available

Page 16: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Cyber Defense Against Phishing

How do I stop phishing?

• Keep your spam filter switched on to reduce spam (which can contain viruses or be used for phishing);

• Be suspicious of unsolicited advertising and offers;

• Be on the alert if you do not know the sender;

• A trusted website or online payment processor will never ask you to confirm sensitive information like passwords or account details;

• Delete any suspected spam immediately and do NOT open any attachments.

A phishing email may appear to come from a trusted source. Some warning signs are if the e-mail:

• Is sent from a free webmail address, not from an organization’s official address;

• Opens with a generic greeting, and is not personalized with your name;

• Contains a threat, for example that your account is not secure or may be shut down;

• Requests personal information such as username, password or bank details;

• Includes a link to a website with a URL (web address) that is different from the organization’s official address.

Source: http://www.interpol.int/Crime-areas/Cybercrime/Online-safety
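The warning signs listed on this slide, together with the “hover over links to see where they’re taking you” advice from the previous slide, can be turned into a small checker that a mail gateway or a training exercise could run over a message. This is an added example, not code from the webinar or from INTERPOL; the bank domain, the free-webmail list, the keyword patterns and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "examplebank.com"  # assumed real domain of a fictitious bank
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GREETING = re.compile(r"\s*dear\s+(?:valued\s+)?(?:customer|user|member|client|sir|madam)\b", re.I)
THREAT = re.compile(r"\b(?:suspend\w*|shut down|not secure|locked|terminat\w*)\b", re.I)
CREDENTIALS = re.compile(r"\b(?:password|username|bank details|account details|pin)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
# Constructed sample message (not a real phish) that shows every warning sign at once.
SAMPLE_EMAIL = """\
From: Example Bank Security <examplebank.alerts@gmail.com>
Subject: Your account will be suspended
Content-Type: text/html

<p>Dear Customer,</p><p>Your account may be shut down unless you confirm your password.</p>
<p><a href="http://examplebank.com.login-verify.example.net/">https://www.examplebank.com/login</a></p>
"""

def host_of(url: str) -> str:
    url = url.strip()  # a bare "www.example.com/x" is treated as http://
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def belongs_to(host: str, domain: str) -> bool:
    # Exact match or true subdomain; a substring test would be fooled by the sample's lookalike host.
    return host == domain or host.endswith("." + domain)

def phishing_signs(raw_email: str, org_domain: str) -> list[str]:
    """Return the warning signs from the INTERPOL list that one message shows."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body)  # tag-free text for the wording checks
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signs = []
    if sender_domain in FREE_WEBMAIL or not belongs_to(sender_domain, org_domain):
        signs.append("sender not from the organization's official address")
    if GREETING.match(text):
        signs.append("generic greeting")
    if THREAT.search(msg.get("Subject", "") + " " + text):
        signs.append("contains a threat")
    if CREDENTIALS.search(text):
        signs.append("requests credentials")
    for href, label in ANCHOR.findall(body):
        if not belongs_to(host_of(href), org_domain):
            signs.append("link points outside the organization's domain")
        if URL_LIKE.match(label.strip()) and host_of(label) != host_of(href):
            signs.append("link text and destination differ")  # the "hover" check
    return signs
```

Note that the link check compares the whole hostname against the official domain; the sample’s destination merely begins with examplebank.com and would slip past a naive “does the address contain our domain” test.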

Page 17: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Covering All The Bases

The US National Cybersecurity Workforce Framework*

* http://csrc.nist.gov/nice/framework/

The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)

– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.

– The categories, serving as an overarching structure for the Framework, group related specialty areas together.

– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.

You can use the Framework to make sure your organization is “covering all the bases”

Page 18: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

US National Cybersecurity Workforce Framework

Covers All the Bases

Framework Category: Specialty Areas Include

Securely Provision: Systems Security Architecture; Software Assurance and Security Engineering; Secure Acquisition; Test and Evaluation; Systems Development

Operate and Maintain: System Administration; Systems Security Analysis; Network Services

Protect and Defend: Computer Network Defense Analysis; Incident Response; Vulnerability Assessment and Management

Investigate: Digital Forensics; Cyber Investigation

Collect and Operate (Federal Government Role): Collection Operations; Cyber Operations and Planning

Analyze (Federal Government Role): All Source Intelligence; Exploitation Analysis / Targets / Threat Analysis

Oversight and Development: Legal Advice and Advocacy; Strategic Planning and Policy Development; Training, Education and Awareness; Security Program Management; Knowledge Management

Version 1.0: http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf

Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx

Page 19: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Risk Reduction At Work

Threat / Actions / Measures

Insider
  Actions: Background Checks; Training – Everyone, IT, HR, Leadership; Remove Access Promptly
  Measures: Regular Exception Reports

External Hacker
  Actions: Patches to Keep Software Updated; Anti-Virus for Known Malware; Limited Administrative Rights; Two-factor Authentication
  Measures: Regular Time Delay Reports and Rights Reviews

Successful Intrusion
  Actions: Certified IT Professionals; Access Log Reviews; Intrusion Detection Software; Exfiltration Software; “White-listing” for Control Systems
  Measures: Frequent (Daily?) Results Reports

Successful Attack
  Actions: “Loss of IT” Business Continuity Exercises; Engage/Develop Forensic Capability
  Measures: Exercise Frequency and Results

Page 20: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Cybersecurity Webinar Series

Page 21: Webinar - Cyber Hygiene: Stay Clean at Work and at Home

Thank you

Mike Ahern
Director, Corporate and Professional Education
[email protected]

What do you think? Your feedback is welcome!