
IT Security Awareness Series


Presentation Transcript


  1. IT Security Awareness Series: IT Security 101 for Business

  2. Introductions Welcome 

  3. Theresa Blackbird, CISSP
  • Certified Information Systems Security Professional [CISSP] since 2003
  • More than 12 years' experience managing computer systems, servers and networks
  • Previously worked with:
    • US Department of Treasury
    • Federal Aviation Administration
    • US Office of Senate Security
    • General Dynamics
    • Lockheed Martin

  4. Agenda
  • A quick poll
  • What is IT security?
  • What are the bad guys after?
  • Who are the players?
  • When am I the most vulnerable?
  • Why do they do it?
  • Should I be worried?
  • How can I stay secure?
  • Q & A

  5. Quick Poll: How much confidence do you have in your current security posture at your place of business?
  • Very Confident
  • Somewhat Confident
  • Confident
  • Somewhat Concerned
  • Very Concerned

  6. What is IT Security?

  7. Definition of Security¹
  • the state of being protected or safe from harm
  • things done to make people or places safe
  • freedom from fear or anxiety
  • A Google search of ‘IT Security’ returns 1,950,000,000 results
  • “Security is equal parts people, policy, process and product.” Andrew Briney, CISSP, for Information Security Magazine
  ¹ Definition provided by Merriam-Webster Dictionary

  8. Three Pillars of Security
  • Integrity: the data has not been modified and is accurate and complete
  • Availability: the data is ready and accessible by authorized users
  • Confidentiality: the data is disclosed only to authorized users

  9. Security is like layers of an onion. Each layer is a speed-bump to slow the bad guys down. NOTHING is 100% secure. If someone tells you so, they are trying to sell you something you don’t need and it won’t work as advertised. “Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target.” Paul Herbka

  10. What The Bad Guys are After

  11. Examples of Your Digital Assets: the ways in which a business can be harmed by a hacker
  • Theft of employee or customer Personally Identifiable Information (PII)
  • Theft of customer credit card information
  • Denial of Service: preventing access to your business websites and/or e-commerce sites
  • Shutdown of critical information systems
  • Theft of funds from bank accounts
  • Loss of crucial intellectual property to a competitor
  • Fines in addition to any or all of the above

  12. Who are the Players?

  13. The Bad Guys aka …
  • Hackers (or Crackers): a general term for someone who seeks and exploits weaknesses in a computer system or network.
  • Black Hats: someone who maliciously breaks into a computer system or network for personal gain or infamy.
  • Hacktivists: someone who utilizes hacking skills to announce a social, ideological, religious, or political message.
  • Script Kiddies: someone, not as experienced as a ‘Black Hat’, who utilizes pre-packaged automated tools (starting at as little as $100) to gain access and exploit weaknesses.

  14. The Good Guys
  • White Hats: the term for ‘Ethical Hacker’; these are people like me who break security for non-malicious reasons, perhaps for a penetration test or vulnerability assessment.
  • Grey Hats: a combination of Black Hat and White Hat. This is a person who may break into a computer system or network, notify the administrator that their system has a security flaw somewhere and then offer to correct it, for a fee.
  • … and YOU!

  15. When am I the Most Vulnerable?

  16. You are ALWAYS Vulnerable…
  • Cyber-criminals do not take vacations or holidays off … they have nothing but time, all day, every day.
  • Pay attention to phishing scams in your business and personal email during times of crisis. A current example: www.healthcare.gov
    • Open enrollment has begun for the Affordable Care Act, as well as for health insurance plans offered by many states and employers. That means it's prime time for fraudsters to target consumers with phishing scams, disguised as official-looking open enrollment messages, in an attempt to steal personal information.
  • Similar scams pop up shortly after natural disasters, requesting donations on legitimate-looking websites. This is an example of a watering hole type of attack. [Infect a legitimate website and sit and wait for them]
  “We only need to be lucky once. You need to be lucky every time.” The IRA to Margaret Thatcher, after a failed assassination attempt

  17. WHY They Do It

  18. Ultimately, the Motivation is MONEY
  • Hackers may be motivated by a multitude of reasons, such as profit, protest, fame, or just the challenge.
  • Criminal activity is often driven by crimes of opportunity. With cybercrime, that opportunity appears to be with SMBs.
  • The largest growth area for targeted attacks is businesses with fewer than 250 employees.
  • Other reasons:
    • To use your computer and ISP account for illegal activity.
    • To cause DDoS (distributed denial of service) attacks.

  19. What They Can Do with Your PC

  20. Really… Should I Be Worried?

  21. Yes, but More Importantly… Be Educated
  • The reality is that theft of digital information far exceeds the loss from physical theft.
  • Total number of new vulnerabilities reported in 2012 = 5,291
    • This figure = approximately 101 new vulnerabilities each week
  • Think your company is too small or not an attractive enough target to worry about IT Security?
    • To thieves, small businesses represent low risk and little chance of exposure.

  22. The Numbers
  • 37.3 million users worldwide were subjected to phishing attacks in 2012-2013
    • This is up 87% from 2011-2012
  • 76% of attacks used stolen credentials [passwords]
  • When malware is used:
    • 75% of the time key-loggers are used to get your password
    • 45% use password dumpers
  • 80% of the attacks would have failed if multi-factor authentication were used
  • Small business:
    • Many close their doors for good within 6 months of a breach
    • That equates to 60% of small businesses going under after a security breach.
  Statistics from Symantec 2013 Internet Security Threat Report

  23. Potential Impacts Resulting from the Loss of Sensitive Information
  Failure to exercise due diligence in protecting sensitive information can result in:
  • Reputation damage
  • Loss of trust
  • Legal ramifications
  • Injury or damage for those who have had their private information exposed
  • Potential financial ramifications for those affected
  • Employee discipline
  • Criminal and/or civil penalties for employees involved

  24. How Can I Stay Secure?

  25. How Can I Defend Myself?
  • Assume you are a target
  • Understand the threat
  • Know what data in your organization is vitally important and where it resides in your network
  • Protect it
    • Firewalls
    • Encryption is a great solution

  26. How Can I Defend Myself?
  • Employee Education
  • Social Engineering
    • Exploits a person’s propensity to trust, to help, to obey, or simply to be curious or entertained
    • It has become more in-person and on the phone. It's not just online.
    • Combination of social engineering and physical intrusion and/or technical intrusion
  • Spear Phishing
    • Someone out there wants you (the user of a system) to do something that they can’t do without you taking some form of action towards their end goal.

  27. Next Steps
  • Security Awareness Training for all employees
    • Make sure they understand the different types of attacks, like Phishing & Social Engineering, so they can avoid them
  • Never transmit a password electronically
  • Look for https://www.mybank.com
    • Ensure the website you are visiting truly IS the website you think it is.
    • https://microsoft.thz.com is NOT a part of Microsoft in Redmond, WA
  • Implement a password policy
    • Use Industry Standard Complexity Pattern
    • Change your password every 4 months
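As an added example (not part of the presentation), the two link rules on this slide, "look for https" and "make sure the site really belongs to who you think", written as a small Python check that an awareness trainer could run over sample links. The function name check_link and the expected_domain parameter are my own assumptions; the tricky URLs in the usage block are constructed to show why microsoft.thz.com fails.

```python
# Added example, not the presentation's own material.
from urllib.parse import urlsplit


def check_link(url: str, expected_domain: str) -> dict:
    """Measure a URL against the organisation domain you expect (e.g. "microsoft.com").

    expected_domain is an assumed input: in practice it comes from your own list
    of the organisations your staff legitimately deal with.
    """
    parts = urlsplit(url.strip())
    # .hostname already strips any "user@" prefix and ":port", and lowercases
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower()
    findings = {
        # rule 1 from the slide: the link must use https
        "https": parts.scheme == "https",
        # rule 2: the host must be the expected domain itself or a label *under* it;
        # "microsoft.thz.com" ends in "thz.com", not "microsoft.com", so it fails
        "expected_org": host == expected or host.endswith("." + expected),
        # "www.microsoft.com@thz.com": the familiar name is just a username part
        "userinfo_trick": "@" in parts.netloc,
        # non-ASCII letters in the host can be look-alikes for Latin ones
        "non_ascii_host": not host.isascii(),
    }
    findings["trust"] = (findings["https"] and findings["expected_org"]
                         and not findings["userinfo_trick"]
                         and not findings["non_ascii_host"])
    return findings


if __name__ == "__main__":
    # constructed sample links, including the slide's own microsoft.thz.com
    for link in ["https://www.microsoft.com/en-us",
                 "https://microsoft.thz.com/login",
                 "http://www.microsoft.com",
                 "https://www.microsoft.com@thz.com/",
                 "https://www.microsoft.com.evil.example/"]:
        print(link, "->", check_link(link, "microsoft.com")["trust"])
```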

  28. Quick Poll: How much confidence do you have in your current security posture at your place of business?
  • Very Confident
  • Somewhat Confident
  • Confident
  • Somewhat Concerned
  • Very Concerned

  29. Q & A THANK YOU !!!!

  30. Thank you for your time and attention!

  31. Let’s Connect: Theresa Blackbird, CISSP, Security Engineer, Safety Net, Inc. (231) 944-1100 tblackbird@safetynet-inc.com http://www.safetynet-inc.com/services/security/
