Cyber Hygiene
Stay Clean at work and at Home!
About the Author - Mike Ahern
Director, Corporate and Professional Education
Worcester Polytechnic Institute
Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering and Power Systems
Previous Experience:
– Vice-President, Northeast Utilities (responsibilities included: Distribution Engineering; Training; Planning, Performance and Analysis)
– Member, Executive Compliance and Internal Controls Committee
– Member, Executive Steering Committee for Cyber Security
– Director, Transmission Operations and Planning
– Director, Distribution Engineering
– Director, Nuclear Oversight, Millstone Nuclear Power Station
B.S. from Worcester Polytechnic Institute
M.S. and M.B.A. from Rensselaer Polytechnic Institute
Professional Engineer - Connecticut
NERC Certified System Operator - Transmission (2005 to 2010)
Human Firewall Trained . . . Back at the turn of the century!
About WPI
Non-profit, top quartile national university (U.S. News and World Report ranking)
Founded in 1865 to teach both “Theory and Practice”
Strong Computer Science, Engineering and Business Schools
DHS/NSA Designated Center of Excellence in Information Security Research
WPI - Accreditations
Computer Science; Engineering; Business; Whole University
Cyber Hygiene
Outline:
• The Growing Menace
• Risk Reduction
• Attacker Motives and Methods
• Where Do We Start?
• Covering All the Bases
• Questions and Answers
The Growing Menace
We’ve been seeing news articles about the threat of hackers for quite a while
“JPMorgan and other banks struck by cyberattack” by Nicole Perlroth, New York Times, Wednesday, 27 Aug 2014
“U.S. notified 3,000 companies in 2013 about cyberattacks” by Ellen Nakashima, The Washington Post, March 24, 2014
“DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says” by Lisa Daniel, American Forces Press Service, DoD News, March 27, 2012
The Growing Menace
Remember Target? “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It” by Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Bloomberg Businessweek, 3/13/14
Target’s Story . . . Continued
“Cyber attack takes toll on Target” by Elizabeth Paton in New York, Financial Times, 8/20/14
Cyber attack cost Target $148M
To win back sales, Target took another $234M charge for discounting
The new CEO was announced on 8/1/14
The new CEO lowered the annual earnings forecast by ~15%
What About Me?
OK, a company lost a lot of money . . . how does this affect me?
Thieves also want to steal your money!
How?
• Hacking Your Debit Account(s)
• Identity Theft
• Ransomware
What About Me?
Is this a big threat to me?
The FBI reports that in 2014:
• US Citizens reported losses of over $800,000,000 from over 123,000 cyber attacks
• The median loss was $530 but the average was $6,472
• The trend is to more frequent Ransomware attacks
• 80% of the losses were to both men and women between the ages of 20 and 60
Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf
Risk Reduction Through Cyber Hygiene
With cybersecurity attacks and threats growing . . .
What personal behaviors can reduce my risk?
Let’s start by understanding attackers’ motives and methods . . .
Attacker Motives
Source: http://www.slideshare.net/NortonSecuredUK/cybercrime-attack-of-the-cyber-spies
Attacker Methods
The Most Recent Verizon Data Breach Investigations Report* gives us some insights into the methods attackers use
Top “attack vectors”:
1. Behavioral – 80%+ of the attackers are external people, but insiders can cause extensive damage
2. Behavioral – Phishing in 2/3 of attacks, used all by itself in 20% of attacks
3. Technical – 80% of attacks use malware; almost always exploiting known vulnerabilities
*http://www.verizonenterprise.com/DBIR/2015/
Attacker Methods
The FBI Reports growing use of:
Click-jacking - Concealing hyperlinks beneath legitimate clickable content which, when clicked, causes a user to unknowingly perform actions, such as downloading malware, or sending personal information to a website. Numerous click-jacking scams have employed “Like” and “Share” buttons on social networking websites. Research other ways to use your browser options to maximize security.
Doxing - Publicly releasing a person’s identifying information online without authorization. Caution should be exercised by users when sharing or posting information about themselves, family, and friends.
Pharming - Redirecting users from legitimate websites to fraudulent ones for the purpose of extracting confidential data. Type in an official website, instead of “linking” to it from an unsolicited source.
Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf
Risk Reduction – Where to Start
Start with Behaviors!
• Training for basic cyber defense for you and your family - how to be “human firewalls”
• Don’t Store Sensitive Information On Your Computer
• Password Protect your Phones and Computers
• Never Share Passwords Outside Your Family
• Defeat Decoders - Use Strong Passwords, unrelated to public information (your name, your pet’s name, your birthday)
• Defeat Phishers –
  – Be Skeptical
  – Hover Over Links To See Where They’re Taking You
  – Don’t Click in Suspect Dialog Boxes – Quit The Application Instead
• Defeat Known Vulnerabilities – Have Everyone In Your Family Install Software Updates As Soon As They’re Available
Cyber Defense Against Phishing
How do I stop phishing?
• Keep your spam filter switched on to reduce spam (which can contain viruses or be used for phishing);
• Be suspicious of unsolicited advertising and offers;
• Be on the alert if you do not know the sender;
• A trusted website or online payment processor will never ask you to confirm sensitive information like passwords or account details;
• Delete any suspected spam immediately and do NOT open any attachments.
A phishing email may appear to come from a trusted source. Some warning signs are if the e-mail:
• Is sent from a free webmail address, not from an organization’s official address;
• Opens with a generic greeting, and is not personalized with your name;
• Contains a threat, for example that your account is not secure or may be shut down;
• Requests personal information such as username, password or bank details;
• Includes a link to a website with a URL (web address) that is different from the organization’s official address.
Source: http://www.interpol.int/Crime-areas/Cybercrime/Online-safety
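The warning signs above (and the “hover over links to see where they’re taking you” advice from the previous slide) can be turned into a simple checker that scores a message before anyone clicks. The script below is an added example, not part of the original talk or of any product it cites; it assumes a hypothetical official domain of examplebank.example, constructed sample messages, and small keyword lists that a real filter would replace with tuned ones.

```python
"""Heuristic phishing-sign checker (added example; keyword lists, domain and
sample messages are assumptions constructed for this demonstration)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical keyword lists; a production filter would use larger, tuned sets.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
THREAT_WORDS = ("suspended", "shut down", "locked", "unauthorized", "within 24 hours")
CREDENTIAL_WORDS = ("password", "username", "account number", "pin", "social security")


class MailParser(HTMLParser):
    """Collects the visible text and every (href, displayed text) pair from <a> tags."""

    def __init__(self):
        super().__init__()
        self.text = []          # all visible text chunks
        self.links = []         # (href, displayed text)
        self._href = None       # href of the <a> currently open, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list, so
    'bank.co.uk' would reduce to 'co.uk'; adequate for this demonstration)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.bank.example'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _contains_phrase(text, phrase):
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def phishing_signs(sender, body_html, official_domain):
    """Return a list of (code, detail) pairs, one per warning sign found."""
    signs = []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    if sender_domain in FREE_WEBMAIL:
        signs.append(("free-webmail", sender_domain))
    elif sender_domain != official_domain:
        signs.append(("sender-domain", sender_domain))

    parser = MailParser()
    parser.feed(body_html)
    plain = " ".join(parser.text).lower()
    if any(_contains_phrase(plain, g) for g in GENERIC_GREETINGS):
        signs.append(("generic-greeting", ""))
    if any(_contains_phrase(plain, w) for w in THREAT_WORDS):
        signs.append(("threat", ""))
    if any(_contains_phrase(plain, w) for w in CREDENTIAL_WORDS):
        signs.append(("credential-request", ""))

    for href, shown in parser.links:
        real = registrable_domain(host_of(href))      # where the link really goes
        if real != official_domain:
            signs.append(("link-domain", f"{real} (displayed as '{shown}')"))
        # The "hover over the link" check: displayed address vs. real destination.
        if "." in shown and " " not in shown and registrable_domain(host_of(shown)) != real:
            signs.append(("link-display-mismatch", f"{shown} -> {real}"))
    return signs


OFFICIAL_DOMAIN = "examplebank.example"   # hypothetical organisation domain

# Constructed sample messages (not real mail).
PHISH_SENDER = "security-alert@gmail.com"
PHISH_BODY = """<html><body>
<p>Dear Customer,</p>
<p>We detected unauthorized activity. Your account will be suspended within 24 hours
unless you confirm your password at
<a href="http://examplebank-secure.example.net/login">www.examplebank.example</a>.</p>
</body></html>"""

LEGIT_SENDER = "statements@examplebank.example"
LEGIT_BODY = """<html><body>
<p>Dear Alice,</p>
<p>Your monthly statement is ready.
<a href="https://www.examplebank.example/statements">View statements</a></p>
</body></html>"""

if __name__ == "__main__":
    for label, sender, body in (("phish", PHISH_SENDER, PHISH_BODY),
                                ("legit", LEGIT_SENDER, LEGIT_BODY)):
        found = phishing_signs(sender, body, OFFICIAL_DOMAIN)
        print(f"{label}: {len(found)} warning sign(s)")
        for code, detail in found:
            print(f"  - {code} {detail}".rstrip())
```

Run as a script it reports six signs for the constructed phishing message and none for the legitimate one. The link checks matter most: the displayed text says www.examplebank.example while the href points at example.net, which is exactly the mismatch the hover-over-links advice is meant to catch. Real filters also consult a public-suffix list and the message’s authentication headers, which this example leaves out.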
Covering All The Bases
The US National Cybersecurity Workforce Framework*
* http://csrc.nist.gov/nice/framework/
The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)
– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.
– The categories, serving as an overarching structure for the Framework, group related specialty areas together.
– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.
You can use the Framework to make sure your organization is “covering all the bases”
US National Cybersecurity Workforce Framework - Covers All the Bases
Framework Category: Specialty Areas Include
Securely Provision: Systems Security Architecture; Software Assurance and Security Engineering; Secure Acquisition; Test and Evaluation; Systems Development
Operate and Maintain: System Administration; Systems Security Analysis; Network Services
Protect and Defend: Computer Network Defense Analysis; Incident Response; Vulnerability Assessment and Management
Investigate: Digital Forensics; Cyber Investigation
Collect and Operate (Federal Government Role): Collection Operations; Cyber Operations and Planning
Analyze (Federal Government Role): All Source Intelligence; Exploitation Analysis / Targets / Threat Analysis
Oversight and Development: Legal Advice and Advocacy; Strategic Planning and Policy Development; Training, Education and Awareness; Security Program Management; Knowledge Management
Version 1.0: http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf
Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx
Risk Reduction At Work
Threat / Actions / Measures
Insider
  Actions: Background Checks; Training – Everyone, IT, HR, Leadership; Remove Access Promptly
  Measures: Regular Exception Reports
External Hacker
  Actions: Patches to Keep Software Updated; Anti-Virus for Known Malware; Limited Administrative Rights; Two-factor Authentication
  Measures: Regular Time Delay Reports and Rights Reviews
Successful Intrusion
  Actions: Certified IT Professionals; Access Log Reviews; Intrusion Detection Software; Exfiltration Software; “White-listing” for Control Systems
  Measures: Frequent (Daily?) Results Reports
Successful Attack
  Actions: “Loss of IT” Business Continuity Exercises; Engage/Develop Forensic Capability
  Measures: Exercise Frequency and Results
Cybersecurity Webinar Series
Thank you
Mike Ahern
Director, Corporate and Professional Education
[email protected]
What do you think?
Your feedback is welcome!