
THE HUMAN FIREWALL

50 | The Sunday Business Post | February 2016

CYBER CRIME SECURITY WATCH

Cyber criminals only need to get lucky once. Make sure your people are making it hard for them.

In 2016, cyber crime is an ever-changing thing, with agile attackers employing increasingly creative, exhaustive methods to find their prey.

‘Spear phishing’ rather than regular phishing, ransomware, exploit kits and ‘crimeware’ sold on the deep web have all played their part in fuelling a global cybersecurity market worth $75 billion.

For victims of these attacks, the consequences go beyond financial loss – a single hack can destroy your reputation, or have a ripple effect and compromise every company you interact with.

Those who are least prepared suffer the worst consequences: weeks can go by without noticing the fraud, and by the time it’s discovered the money has been moved from account to account and rendered untraceable.

For Michael Conway, director of Renaissance, IT security distributors and business continuity experts, the first step is knowing your enemy.

“We get asked ‘how do I stay one step ahead of the bad guys?’, and the answer is you don’t. You can’t stay one step ahead of them. If you’re doing really well you’ll be one step behind them . . .”

It’s important to note that everyone is at risk: you’ll have read headlines about incidents like 2015’s Talk Talk hack (cost: an estimated £35 million), a DDoS attack on the National Lottery and another on Irish government websites in January of this year, but more and more SMEs find themselves targeted and opt to pay off their attackers and stay silent rather than reporting them.

Derek Mizak, solutions consultant with IT provider Ergo, described the compromise many businesses find themselves in: “A state-sponsored DDoS attack requires significant resources, but ransomware requires very little, and can target even the smallest businesses. And by paying the ransom, these businesses are feeding cybercrime. We always tell our clients not to pay, but they don’t always have the means to recover. Which leads to the question, what can they do as prevention, instead?”

“A lot of incidents aren’t big sexy data breaches,” said Pat Larkin, chief executive of Ward Solutions, which provides information security services and consultancy. “It’s the relatively small incidents which happen all the time.

“There’s a 91 per cent increase in targeted, custom attacks levelled at specific organisations, individuals or verticals. They target the chief executive or chief financial officer, the person with the most rights in the organisation. It’s a move from phishing attacks to ‘whale phishing’ attacks. The return is more substantial.”

Engineering these attacks takes time and information, all too readily available in the age of social media. The attackers compile a profile on their target, including their email address, their role in the organisation, and their relationship to coworkers and other outside businesses.

They then spoof the email address of an associate, often claiming to be the chief executive, and asking for an immediate financial transfer to be carried out in the next ten minutes.

“It all looks very credible,” Larkin said. “You’re not transferring funds to Australia or something. The spelling mistakes, the clumsy representation of company logo, that’s all gone.”

Another tactic is to imitate or hack a supplier doing business with a larger company, the end target, and to send an email claiming to have changed bank accounts. They’ll also often attach what appears to be an invoice, but is instead loaded up with a Trojan virus.

Jonathan Boyle, security specialist at Data Solutions, explained how your company might be part of a larger plot: “If you were trying to get into a big enterprise, you might think the best way in would be through a smaller HR firm that they deal with. Hacking into the HR firm infects the files and contacts they have, and then the real target can be compromised through a hack on the smaller business.”

Ransomware also poses a threat, with security professionals reporting a rise in the number of incidents.

Conway explained how the typical attack works: “It’s nastier and more horrible. You innocently click on something, a PDF or letter or email, and instantly get infected. Typically it’s a zero day attack, which normal antivirus software won’t be able to find. Then suddenly you get a message saying ‘Good news, your data is very well encrypted. Bad news, unless you send us money your data will be left encrypted and unavailable to you.’”

Often this ransom, which for smaller businesses averages €1,000, will double if it isn’t paid within twenty-four hours.

A yet more nefarious outcome is when the criminals start sorting through your data, selling off email addresses and bank information, or leaking personal details as per the Ashley Madison hacks. Prevention serves far better than a cure: back up your systems as frequently as possible, and limit employee access to your most sensitive data.

Dr Vivienne Mee, founder of VM Forensics, sees ‘social engineering’ attacks (aka attacks reliant on human error) all too often. “Humans, at the end of the day, are your weakest link. They’re the ones with the passwords. Threats are generated differently every time, and they’re getting cleverer. You can have the best tech measures in place, but if the user still opens that attachment or clicks the wrong link, it doesn’t make any difference.”

Mee stressed the importance of encryption and setting up firewalls, but acknowledged that such measures are only the start.

“User awareness training is key. We do a roadshow with security training seminars, giving people challenges. We might even do a couple of attacks on a corporation ourselves before we go in. We find it more practical to show people how they fell for something already,” she said.

Mee also noted how after these seminars clients are less afraid to ask questions, or doubt the veracity of email requests.

“We always say there’s no such thing as a stupid question. Better to ask now than get hauled in after work hours and asked if you’re the reason the whole network is down.”

And once you’ve done all you can to educate and strengthen your ‘human firewall’? It’s time to bring in the professionals. As Mizak puts it, “It’s like your health. Prevention is better than cure, but if you do get sick don’t go on the internet trying to find a way to cure yourself. Go to a GP instead.”

Hadi Hosn, EMEA managing principal for Security and Risk Consulting at Dell Secureworks, pointed out that an outside security expert might well work longer with you than your own employees: “Retaining skilled security staff is difficult even for large organisations, so employing a Managed Security Services Provider (MSSP) will help to alleviate some of this pressure.”

Cover the basics – don’t store passwords in browsers, avoid suspicious free wifi and stay on top of updates to both your web browser and your operating system – then invest in security software.

The first step in fighting off cyber criminals successfully is to know your enemy, writes Róisín Kiberd

[Photos: Derek Mizak, solutions consultant, Ergo; Jonathan Boyle, security specialist, Data Solutions]

Hosn recommended a password manager (be sure to choose a complex master password and change it every six months), an anti-malware product with ‘heuristic protections’ enabled and an email with two-factor authentication. Freeware is a hazard for businesses – you end up paying for it with adware or even malware which can sneak in and slow your system down.

Boyle recommended sandbox applications which can isolate and investigate threats before granting them access to your computer and its network. “Check Point’s SandBlast and Threat Emulation are good. If there’s code (in an email attachment) operating in the background, it’ll open it and warn you if it’s not regular. Technology like that is good, and doesn’t necessarily interfere with your business workflow.”

He also listed mobile device management as key, not least when employees use the same device at work as during their off-time: “There’s software out there that can contain the business part of your phone. It gives you a separate email, separate apps, and you can still keep part of the phone for personal use. Then if the phone is lost, or stolen, you can remotely wipe files and documents from it.”

If educating your people is the first step, and investing in good technology is the second, then the third step is staying up to date. Conway reported an inevitable apathy among clients dealing with constant system update notifications: “People complain and tell me they did a Windows update recently. But Windows is not your main concern anymore. It’s Adobe. It’s Java. It’s Flash.”

Hackers find their way in through programmes, rather than the main system, which often isn’t even up to date on security in the first place.

“If you have an IT technology solution in place, and it’s stayed the same without evolving or developing in the years since you bought it, then you’re probably wasting your money.” Outdated software gives businesses little more than a false sense of security: it’s as good as a disconnected house alarm.

Boyle agreed: “If a hacker gets in, and they will, you want to limit your exposure. A machine could be compromised for months without anyone noticing, so you need to install software that can spot irregularities straight away and lock down the system.

“A firewall that just identifies that there was an attack some time ago, without explaining if the threat is still active or how far it got, is not enough. You need instant and actionable intelligence that can say ‘This is happening right now, and we can stop it right now.’”

Conway recommended clients look for software with a ‘heartbeat monitor’, which can track and report malicious threats instantly and address them. “They can tell you when a computer is trying to connect with a malicious site. That’s how it completes the cycle of ransomware.”

Products from names like Sophos and Heimdal offer a chance to evaluate what’s happening and clean up the infection in real time, as well as auto-updating with minimal inconvenience to their users.

“If you don’t patch your systems, you’re leaving your doors open. Ask someone ‘do you want to patch this product now and restart your machine?’ and no one is going to want to do it, but we’ve seen a massive uptake in the last year in silent updating solutions, which minimise risk and make updating easy.”

Finally, the last step for complete cybersecurity, or as ‘complete’ as it can possibly be, is to propagate information throughout every part of your company, from the highest ranked employees to the most junior.

As Mizak put it: “Security is not a ‘technical issue’. Security should be discussed at board meetings. It comes down to training, staff screening, a proper HR department . . . there’s no one magic silver bullet here.”

Hosn said: “Better education of end users is critical - they are, after all, at the front line of security. Endpoints including laptops, smartphones and tablets are fertile ground for security attacks, creating numerous access points and vulnerabilities.”

Similarly, Boyle cited simple errors in endpoint security as the main threat: “The biggest threat to businesses in general is their users. It’s bad passwords, failure to change passwords or bad password choice, or not using two factor identification. The users are always going to be the variable that can compromise.”

The universal advice is to stay sceptical, and to educate as much as possible. It’s as much about communication as compliance: security measures are essential at every level of a business, and for businesses of every size.

Mee cited a client who has worked out a good way to stay on top of threats: “I work with an organisation where we do security bulletins every month where we send around samples of new threats and remind employees that they can call the help desk if they’re uncertain. It’s about keeping in with the native security forums, seeing what’s trending, and relaying that knowledge back to the organisation, from the top down to the end user. Knowledge is key, at the end of the day.”

[Photo: Pat Larkin, chief executive, Ward Solutions]