
Security 101

Training, awareness, and strategies

Stephen Cobb, CISSP


Senior Security Researcher
ESET NA
The SMB Sweet Spot for the cyber-criminally inclined
[Chart: "Assets worth looting" (vertical axis) plotted against "Level of protection" (horizontal axis), with Enterprises, the SMB Sweet Spot, and Consumers marked.]
The challenge
Organizations of every type rely on
computers to handle information
Everyone today is a computer user
Most have no security training
Lack of security
training leads
to problems
How big is the challenge
We asked U.S. consumers if they had ever
received any computer security training

Yes: 32%  No: 68%

*Savitz Research for ESET, 2012


68% is sadly consistent
We asked working adults in the U.S. if they had
ever received any computer security training

Yes: 32%  No: 68%

*Harris poll for ESET, 2012


73% is even worse
We asked adults in U.S. who use social media if
they had ever received online safety training

Yes: 27%  No: 73%

*Harris poll for ESET, 2012


Security training is not yet part
of our society*
This has serious implications for your
business
93% of American adults say they've had no computer security training in the last 12 months
How many of them work for you, or for
your clients, suppliers, etc?

*Savitz Research for ESET, 2012


Some problems that lack of security
training can cause
Unauthorized access to information
Loss of access to information
Loss of information
Corruption of information
Theft of information
The implications are non-trivial
Loss of revenue
Loss of business
Fines, lawsuits, headlines
Unbudgeted expenses
Breach costs currently estimated at
around $190 per record exposed*
5,263 records = $1 million hit

*Ponemon Institute
Trojan terminates escrow firm
$1.1 million wired to China and could
not be retrieved
Firm was closed by state law, now in
receivership, 9 people out of a job
So what's the best weapon for keeping that kind of Trojan code out of your company's system?
A well-trained workforce
Knows not to click on suspicious links
in email or social media
Knows to report strange activity (e.g.
the two-factor authentication not
working)
Knows to scan all incoming files for
malware
Email, USB drives
Does training make a difference?

Yes
A significant percentage of problems
can be averted, or their impact
minimized, if more employees get
better security training and education*

*A bunch of different studies in recent years


Security training or awareness
What's the difference?
Training makes sure people at different
levels of IT engagement have the right
knowledge to execute their roles
securely
Awareness makes sure all people at all
levels know what to look out for
Do your employees know what
motivates bad actors?

MONEY ADVANTAGE IMPACT

Not that kind of actor

CREDENTIALS
Do you know how the bad guys
operate?

Popular Attack Technique
User clicks a link -> Taken to exploit site -> Gets infected/owned
Malware server -> Command & Control
RAT has full access to victim PC
And its network connections
Search and exfiltrate files
Access to webcam and audio
Scrape passwords
Execute system functions
Chat with victim
What happens next?
So how do we move forward?
The road map: A B C D E F
Assess your assets, risks, resources
Build your policy
Choose your controls
Technology
Deploy controls
Educate employees, execs, vendors
Further assess, audit, test
Assess assets, risks, resources
Assets: digital, physical
If you don't know what you've got you can't protect it!
Risks
Who or what is the threat?
Resources
In house, hired, partners, vendors,
trade groups, associations
Build your policy
Security begins with policy
Policy begins with C-level buy-in
High-level commitment to protecting
the privacy and security of data
Then a set of policies that spell out the
protective measures, the controls that
will be used
Choose controls to enforce policies
For example:
Policy: Only authorized employees can
access sensitive data
Controls:
Require identification and authentication of
all employees via unique user name and
password
Limit access through application(s) by
requiring authentication
Log all access
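The policy-to-controls mapping above, carried through as an added example (not code from the slides): a minimal application gate that authenticates every user by unique user name and password, limits the sensitive data set to an authorized role, and writes every attempt, allowed or denied, to an audit log. The employees, roles, passwords and data set names are constructed for the example.

```python
"""Added example: three controls behind the policy "only authorized
employees can access sensitive data" (authenticate, limit access, log
all access). All names and credentials are constructed sample data."""
import hashlib
import hmac
import logging
import os

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
AUDIT = logging.getLogger("audit")


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored credential is never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed employee directory: user name -> (salt, password hash, role)
_salt_a, _hash_a = hash_password("correct horse battery")
_salt_b, _hash_b = hash_password("hunter2!")
EMPLOYEES = {
    "alice": (_salt_a, _hash_a, "finance"),
    "bob": (_salt_b, _hash_b, "sales"),
}
# Control 2: which roles may read which sensitive data set (constructed)
AUTHORIZED_ROLES = {"payroll": {"finance"}}


def authenticate(username, password):
    """Control 1: return the user's role on a valid login, else None."""
    record = EMPLOYEES.get(username)
    if record is None:
        return None
    salt, stored, role = record
    _, candidate = hash_password(password, salt)
    # constant-time comparison so timing does not leak how close a guess was
    return role if hmac.compare_digest(candidate, stored) else None


def access_sensitive(username, password, dataset):
    """Gate a read of `dataset`; returns (allowed, reason). Control 3: every
    attempt is logged, but the password itself is never written to the log."""
    role = authenticate(username, password)
    if role is None:
        outcome = (False, "authentication failed")
    elif role not in AUTHORIZED_ROLES.get(dataset, set()):
        outcome = (False, "not authorized for " + dataset)
    else:
        outcome = (True, "access granted")
    AUDIT.info("user=%s dataset=%s allowed=%s reason=%s",
               username, dataset, outcome[0], outcome[1])
    return outcome
```

The denied entries in the audit log are the ones worth reviewing: repeated authentication failures or an authenticated user probing data outside their role are exactly the "strange activity" employees are asked to report.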
Deploy controls, ensure they work
Put control in place; for example,
antivirus (anti-malware, anti-phishing,
anti-spam)
Test control
Does it work technically?
Does it work with your work?
Can employees work it?
Educate everyone
Everyone needs to know
What the security policies are
How to comply with them through
proper use of controls
Pay attention to any information-sharing relationships: vendors, partners, even clients
Clearly state consequences of failure
to comply
Who gets trained?
Everyone, but not in the same way,
break it down:
All-hands training
IT staff training
Security staff training
How to deliver training
In person
Online
On paper
In house
Outside contractor
Mix and match
Be creative
Incentives?
Yes!
To launch programs, push agendas
Prizes do work
But also make security part of every
job description and evaluation
Use your internal organs
Of communication!
Newsletter
Intranet
Bulletin board
Meetings
Company-wide email
How to do awareness
Make it fun
Make it relevant
Leverage the news
Bear in mind that everyone benefits
from greater awareness, at work and at
home
Resources to tap
Industry associations
FS-ISAC, NH-ISAC, others
CompTIA, SBA, BBB
ISSA, ISACA, SANS, (ISC)2
Local colleges and universities
Securing Our eCity
Need more motivation?
Security training is the law
HIPAA
Red Flag Identity Theft Prevention
Gramm-Leach-Bliley, Sarbanes-Oxley
FISMA
Or required by industry
PCI Data Security Standard
Or just plain required
To get that big juicy contract
Many companies now require suppliers
to certify that they have security
training and awareness programs in
place as a condition of doing business
Further assess, audit, test
This is a process, not a project
Lay out a plan to assess security on a
periodic basis
Stay up-to-date on emerging threats
Stay vigilant around change such as
arrivals, departures, functionality
The Technology Slide
Authenticate users
Firewall and scan: incoming traffic, emails, files
Monitor devices and media
Filter and monitor outbound
Encrypt
Backup and archive


Thank you!
stephen.cobb@eset.com
WeLiveSecurity.com
www.eset.com
More info in the lobby
