Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security

Stephen Cobb, CISSP, Senior Security Researcher, ESET NA

Post on 15-Jan-2016

Protecting federal data systems

• Requires:
  – technical and human elements
  – properly synchronized

We have the technology

• Anti-malware
• Firewalls
• 2-factor authentication
• Encryption
• Network monitoring
• Filtering

And the technology is getting smarter

• Cloud-based reputation, signatures, big data

• But technology is undermined when your workforce is not trained to play defense

Waiting for technology alone to solve the data security problem? Dream on…

Techno-people

• Not everyone needs to be technical, but:
• We are all computer users
• Data security is everyone’s responsibility
• Everyone needs to understand the threats
• And the defensive strategies

Today’s agenda

• Scale of the problem
• Nature of our adversaries
• Information security’s 9 patterns
• Patterns applied to federal agencies
• How to improve the coordination of people and technology to address those patterns

April 2014 GAO report

• Information Security
  – Federal Agencies Need to Enhance Responses to Data Breaches
• (GAO-14-487T)
• A lot of work still to be done, across numerous agencies
  – Improve security
  – Improve breach response

The scale of the problem

• Information security incidents reported to US-CERT by all agencies
• Number of incidents up
• More data to defend?
• Improved reporting?

Chart values by year:
• 2009: 29,999
• 2010: 41,776
• 2011: 42,854
• 2012: 48,562
• 2013: 61,214

Exposure of PII is growing

• More incidents involving Personally Identifiable Information (PII)
• Why?
  – Thriving black market for PII
• Impact
  – Seriously impacts individuals
  – Growing public displeasure
  – Heads may roll

Chart values by year:
• 2009: 10,481
• 2010: 13,028
• 2011: 15,584
• 2012: 22,156
• 2013: 25,566

A federal PII breach example

• July 2013, hackers get PII of 104,000+ people
  – From a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
  – Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
  – Assisting affected individuals and lost productivity

What happens to the stolen data?

• Sold to criminal enterprises
  – For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud

The market for stolen data has matured

All driven by proven business strategies

• Specialization
• Modularity
• Division of labor
• Standards
• Markets

An overwhelming problem?

• Not if we analyze security incidents
• 2014 Verizon Data Breach Investigation Report
• 92% of incidents can be categorized into 9 patterns
  – True for 100,000 incidents over a 10-year period
  – True for 95% of breaches in the last 3 years

The Big 9

• Point-of-sale intrusions
• Web app attacks
• Insider/privilege misuse
• Physical theft and loss
• Miscellaneous errors
• Crimeware
• Payment card skimmers
• Denial of service
• Cyber-espionage
• Everything else

Industry sectors not affected equally

Just 4 patterns where victim industry = Public

• Miscellaneous: 34%
• Insider Misuse: 24%
• Crimeware: 21%
• Theft/Loss: 19%
• Everything Else: 2%

2014 Verizon Data Breach Investigation Report

Let’s count down the top 4

• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
• Everything else

Pattern #4: Physical theft and loss

• Cause of 19% of public sector security incidents
• It’s people!
• Screen, educate, supervise
• Reduce impact by using encryption

Chart values:
• Database: 11
• Tapes: 36
• Other: 39
• Flash drive: 102
• Desktop: 108
• Documents: 140
• Laptop: 308
• Other: 892

2014 Verizon Data Breach Investigation Report

Pattern #3: Crimeware

• Accounts for 21%
• It’s people abusing technology
• Can be solved with the right anti-malware strategy
• Endpoint AND server scanning

Chart values:
• Removable media: 1%
• Unknown: 1%
• Remote injection: 1%
• Other: 2%
• Download by malware: 2%
• Email link: 4%
• Email attachment: 5%
• Network propagation: 6%
• Web download: 38%
• Web drive-by: 43%

2014 Verizon Data Breach Investigation Report

Pattern #2: Insider and privilege misuse

• 24% of incidents
• Again it’s people!
• Can be fixed!
  – Education
  – Awareness
  – Screening

Chart values:
• Auditor: 1%
• System admin: 6%
• Developer: 6%
• Other: 7%
• Executive: 7%
• Call center: 9%
• Manager: 13%
• Finance: 13%
• End-user: 17%
• Cashier: 23%

2014 Verizon Data Breach Investigation Report

Pattern #1: Miscellaneous Errors

• 34% of incidents
• Human error!
• Can be fixed!
  – Training
  – Awareness
  – Oversight

Chart values:
• Maintenance error: 1%
• Other: 1%
• Omission: 1%
• Gaffe: 1%
• Programming error: 3%
• Malfunction: 3%
• Misconfiguration: 6%
• Disposal error: 20%
• Publishing error: 22%
• Misdelivery: 44%

2014 Verizon Data Breach Investigation Report

Strategy for doing better

• Technologies and people working together
• If they don’t you get: Target
  – Malware was detected
  – Exfiltration detected
  – But nobody reacted
  – Training and awareness?
  – Clearly lacking

Security training and awareness

• You need both, but what’s the difference?
• Training
  – Ensure people at different levels of IT engagement have the knowledge they need
• Awareness
  – Ensure all people at all levels know the threats and the defensive measures they must use

Who gets trained?

• Everyone, but not in the same way:
  – All-hands training
  – IT staff training
  – Security staff training

How to deliver training

• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative

Incentives?

• They work!
  – Drive engagement
  – Encourage compliance
• But need reinforcement
  – Security in job descriptions
  – Evaluations
  – Rewards

Use your internal organs

• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts

How to do awareness

• Make it fun
• Make it relevant
• Leverage the news
• Remember:
  – Everyone now has a vested interest in staying current on threats to their/your data

Awareness example: phish traps

• Train on phishing
• Send out a phishing message
• Track responses
• Report card and re-education
  – No naming & shaming

Awareness example: flash phish

• Train on media scanning
• Sprinkle USB/flash drives
  – Sample file/autorun
• Track results
  – Inserted? Scanned? Reported?
• Rewards or re-education
  – Again, avoid name+shame

Resources to tap

• CompTIA
• ISSA
• SANS
• (ISC)²
• Vendors
• Websites

Thank you!

• Stephen Cobb
• [email protected]
• We Live Security
• www.welivesecurity.com
• Webinars
• www.brighttalk.com/channel/1718
• Booth Number 826