This document provides an overview of cybersecurity risks and strategies for risk reduction. It discusses how cyber attacks are growing threats for both businesses and individuals. Common attacker motives are financial gain and espionage. Popular attack methods include phishing emails and exploiting known software vulnerabilities. The document recommends practicing basic "cyber hygiene" behaviors like using strong passwords, updating software, and being wary of unsolicited messages. It also outlines the US National Cybersecurity Workforce Framework for implementing comprehensive cybersecurity programs in organizations.
2. About the Author - Mike Ahern
Director, Corporate and Professional Education
Worcester Polytechnic Institute
Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering; and Power Systems
Previous Experience:
– Vice-President, Northeast Utilities (responsibilities included: Distribution Engineering; Training; Planning, Performance and Analysis)
– Member, Executive Compliance and Internal Controls Committee
– Member, Executive Steering Committee for Cyber Security
– Director, Transmission Operations and Planning
– Director, Distribution Engineering
– Director, Nuclear Oversight, Millstone Nuclear Power Station
B.S. from Worcester Polytechnic Institute
M.S. and M.B.A. from Rensselaer Polytechnic Institute
Professional Engineer - Connecticut
NERC Certified System Operator - Transmission (2005 to 2010)
Human Firewall Trained . . . Back at the turn of the century!
3. About WPI
Non-profit, top-quartile national university (U.S. News and World Report ranking)
Founded in 1865 to teach both “Theory and Practice”
Strong Computer Science, Engineering and Business Schools
DHS/NSA Designated Center of Excellence in Information Security Research
5. Cyber Hygiene
Outline:
• The Growing Menace
• Risk Reduction
• Attacker Motives and Methods
• Where Do We Start?
• Covering All the Bases
• Questions and Answers
6. The Growing Menace
We’ve been seeing news articles about the threat of hackers for quite a while:
“JPMorgan and other banks struck by cyberattack” (Nicole Perlroth, New York Times, Wednesday, 27 Aug 2014)
“U.S. notified 3,000 companies in 2013 about cyberattacks” (Ellen Nakashima, The Washington Post, March 24, 2014)
“DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says” (Lisa Daniel, American Forces Press Service, DoD News, March 27, 2012)
7. The Growing Menace
Remember Target?
“Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It” (Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack, Bloomberg Businessweek, 3/13/14)
8. Target’s Story . . . Continued
“Cyber attack takes toll on Target” (Elizabeth Paton in New York, Financial Times, 8/20/14)
Cyber attack cost Target $148M
To win back sales, Target took another $234M charge for discounting
The new CEO was announced on 8/1/14
The new CEO lowered the annual earnings forecast by ~15%
9. What About Me?
OK, a company lost a lot of money . . . how does this affect me?
Thieves also want to steal your money!
How?
Hacking Your Debit Account(s)
Identity Theft
Ransomware
10. What About Me?
Is this a big threat to me?
The FBI reports that in 2014:
US citizens reported losses of over $800,000,000 across more than 123,000 complaints that involved a financial loss
The median loss was $530, but the average was $6,472
The trend is toward more frequent ransomware attacks
80% of the losses were reported by victims, men and women alike, between the ages of 20 and 60
Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf
11. Risk Reduction Through Cyber Hygiene
With cybersecurity attacks and threats growing . . .
What personal behaviors can reduce my risk?
Let’s start by understanding attackers’ motives and methods . . .
13. Attacker Methods
The most recent Verizon Data Breach Investigations Report* gives us some insights into the methods attackers use.
Top “attack vectors”:
1. Behavioral – 80%+ of attackers are external people, but insiders can cause extensive damage
2. Behavioral – Phishing appears in 2/3 of attacks, and is used all by itself in 20% of attacks
3. Technical – 80% of attacks use malware, almost always exploiting known (already patched) vulnerabilities
*http://www.verizonenterprise.com/DBIR/2015/
14. Attacker Methods
The FBI reports growing use of:
Click-jacking – Concealing hyperlinks beneath legitimate clickable content which, when clicked, causes a user to unknowingly perform actions, such as downloading malware or sending personal information to a website. Numerous click-jacking scams have employed “Like” and “Share” buttons on social networking websites. Research other ways to use your browser options to maximize security.
Doxing – Publicly releasing a person’s identifying information online without authorization. Caution should be exercised by users when sharing or posting information about themselves, family, and friends.
Pharming – Redirecting users from legitimate websites to fraudulent ones for the purpose of extracting confidential data. Type in an official website address instead of “linking” to it from an unsolicited source.
Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf
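The click-jacking entry above describes the attack from the victim’s side. On the server side, the defense is to tell the browser that the page may not be placed inside another site’s frame, using the Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header. The check below is an added example (not from the slides or the IC3 report) that grades a response’s headers; the sample header sets are constructed, and X-Frame-Options ALLOW-FROM is deliberately treated as no protection because current browsers ignore it.

```python
"""Grade an HTTP response's framing protection (the server-side click-jacking defense).

Added example, not part of the original slides. Sample header sets are constructed.
"""


def framing_protection(headers):
    """Return 'blocked', 'restricted' or 'unprotected' for a dict of response headers.

    Header names are matched case-insensitively. A Content-Security-Policy
    frame-ancestors directive takes precedence over X-Frame-Options, which is
    what browsers do when both are present.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in tokens[1:]]
            if sources == ["none"]:
                return "blocked"
            if "*" in sources:          # any origin may frame the page
                return "unprotected"
            return "restricted"         # 'self' and/or an explicit allow-list

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # Missing header, or the obsolete ALLOW-FROM form that browsers ignore.
    return "unprotected"


# Constructed responses, named by the situation they represent.
SAMPLE_RESPONSES = {
    "no headers at all": {},
    "legacy deny": {"X-Frame-Options": "DENY"},
    "csp wins over xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "csp without frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
    "partner allow-list": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(responses):
    """Grade every sample; returns {name: verdict}."""
    return {name: framing_protection(headers) for name, headers in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:12} {name}")
```

Run it against real responses by feeding the header dict from your HTTP client; anything graded "unprotected" on a page that has buttons worth hijacking (login, payment, "Share") is where to start.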
15. Risk Reduction – Where to Start
Start with Behaviors!
Training for basic cyber defense, for you and your family: how to be “human firewalls”
Don’t Store Sensitive Information On Your Computer
Password Protect Your Phones and Computers
Never Share Passwords Outside Your Family
Defeat Decoders – Use Strong Passwords, unrelated to public information (your name, your pet’s name, your birthday)
Defeat Phishers –
Be Skeptical
Hover Over Links To See Where They’re Taking You
Don’t Click in Suspect Dialog Boxes – Quit The Application Instead
Defeat Known Vulnerabilities – Have Everyone In Your Family Install Software Updates As Soon As They’re Available
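The “Defeat Decoders” item above is the one that can be checked mechanically: a password that contains a name, a pet’s name or a birthday in any of the forms people actually type (“Fluffy1985!”, “P@ssw0rd”) is on the attacker’s first list regardless of length. The checker below is an added example, not from the slides; the personal-information list, the leet-speak map, the short common-password list and the sample passwords are all constructed for illustration, and a real deployment would swap the common-password tuple for a breached-password list.

```python
"""Check a candidate password against public personal information.

Added example, not part of the original slides. Lists and samples are constructed.
"""
import re

# Map common "leet" substitutions back to letters so "P@ssw0rd" compares as "password".
LEET = str.maketrans("0134$@5!7", "oieasasit")

# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = ("password", "letmein", "welcome", "qwerty", "iloveyou")


def _normalize(text):
    return text.lower().translate(LEET)


def _date_fragments(date_iso):
    """Expand 'YYYY-MM-DD' into the digit strings people paste into passwords."""
    y, m, d = date_iso.split("-")
    return {y, m + d, d + m, y + m + d, m + d + y, d + m + y, m + d + y[2:], d + m + y[2:]}


def password_problems(password, personal_info=(), birthdays=(), min_length=12):
    """Return the reasons a password is weak; an empty list means it passed.

    personal_info: strings an attacker can learn from public profiles
      (your name, pet names, employer, street).
    birthdays: ISO dates ('YYYY-MM-DD') for you and close family.
    """
    problems = []
    lowered = password.lower()
    normalized = _normalize(password)

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")

    for word in COMMON_PASSWORDS:
        if word in normalized:
            problems.append(f"built on a common password '{word}'")
            break

    # Personal information: split names into tokens and ignore very short ones.
    fragments = set()
    for item in personal_info:
        for token in re.split(r"\W+", item):
            if len(token) >= 3:
                fragments.add(_normalize(token))
    for bday in birthdays:
        fragments |= _date_fragments(bday)
    # Digit fragments are matched against the raw lowercase password (the leet map
    # would rewrite their digits); word fragments against the normalized form.
    for frag in sorted(fragments):
        haystack = lowered if frag.isdigit() else normalized
        if frag in haystack:
            problems.append(f"contains personal information '{frag}'")

    if re.search(r"(.)\1\1", password) or re.search(r"123|abc|qwe", lowered):
        problems.append("contains a trivial sequence or repeat")
    return problems


if __name__ == "__main__":
    # Constructed profile: the kind of facts visible on a social-media page.
    profile = ["Alex Rivera", "Fluffy"]
    birthdays = ["1985-03-22"]
    for candidate in ("Fluffy1985!", "P@ssw0rd!!!", "correct-Horse-battery-7"):
        print(candidate, "->", password_problems(candidate, profile, birthdays) or "ok")
```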
16. Cyber Defense Against Phishing
How do I stop phishing?
• Keep your spam filter switched on to reduce spam (which can contain viruses or be
used for phishing);
• Be suspicious of unsolicited advertising and offers;
• Be on the alert if you do not know the sender;
• A trusted website or online payment processor will never ask you to confirm sensitive
information like passwords or account details;
• Delete any suspected spam immediately and do NOT open any attachments.
A phishing email may appear to come from a trusted source. Some warning signs are if the e-mail:
• Is sent from a free webmail address, not from an organization’s official address;
• Opens with a generic greeting, and is not personalized with your name;
• Contains a threat, for example that your account is not secure or may be shut down;
• Requests personal information such as username, password or bank details;
• Includes a link to a website with a URL (web address) that is different from the organization’s official address.
Source: http://www.interpol.int/Crime-areas/Cybercrime/Online-safety
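The warning signs above can be turned into a mail-side check: compare the sender’s domain with the organization the message claims to be from, look for a generic greeting, a threat and a credential request in the body, and compare each link’s visible text with where its href actually goes. The script below is an added example (not from the slides or from Interpol) that does exactly that with the standard library. The two messages, the free-webmail set and the phrase lists are constructed for illustration; the eTLD+1 helper is deliberately crude, and a production version would use a public-suffix list.

```python
"""Score an e-mail against the phishing warning signs listed above.

Added example, not part of the original slides. All inputs below are constructed.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
THREAT_PHRASES = ("suspended", "shut down", "locked", "unauthorized access", "within 24 hours")
CREDENTIAL_PHRASES = ("password", "username", "account number", "card number", "social security")


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _registrable(host):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_warnings(raw_message, claimed_org_domain):
    """Return the warning signs found in an RFC 822 message claiming to be from claimed_org_domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain in FREE_WEBMAIL:
        warnings.append(f"sent from a free webmail address ({sender_domain})")
    elif _registrable(sender_domain) != _registrable(claimed_org_domain):
        warnings.append(f"sender domain {sender_domain} is not {claimed_org_domain}")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body)).strip().lower()

    if any(text.startswith(g) for g in GENERIC_GREETINGS):
        warnings.append("generic greeting, not personalized")
    if any(p in text for p in THREAT_PHRASES):
        warnings.append("contains a threat about the account")
    if any(p in text for p in CREDENTIAL_PHRASES):
        warnings.append("requests credentials or account details")

    extractor = _LinkExtractor()
    extractor.feed(body)
    for visible, href in extractor.links:
        host = urlparse(href).hostname or ""
        if _registrable(host) != _registrable(claimed_org_domain):
            warnings.append(f"link shown as '{visible}' actually goes to {host}")
    return warnings


# Constructed messages: one phish, one legitimate notice, both "from" a fictional bank.
SAMPLE_PHISH = """\
From: "ExampleBank Security" <examplebank.alerts@gmail.com>
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. Your account will be suspended unless you
verify your password within 24 hours.</p>
<p><a href="http://examplebank.com.secure-login.example.net/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "ExampleBank" <alerts@examplebank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Alex,</p>
<p>Your statement is available. <a href="https://www.examplebank.com/statements">View statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_warnings(raw, "examplebank.com") or "no warning signs")
```

The link check is the one the “hover over links” advice is about: the visible text says www.examplebank.com, but the href’s registrable domain is example.net, and that mismatch is reported even though the hostname starts with the bank’s name.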
17. Covering All The Bases
The US National Cybersecurity Workforce Framework*
* http://csrc.nist.gov/nice/framework/
The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)
– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.
– The categories, serving as an overarching structure for the Framework, group related specialty areas together.
– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.
You can use the Framework to make sure your organization is
“covering all the bases”
18. US National Cybersecurity Workforce Framework Covers All the Bases
Framework categories and the specialty areas they include:
Securely Provision: Systems Security Architecture; Software Assurance and Security Engineering; Secure Acquisition; Test and Evaluation; Systems Development
Operate and Maintain: System Administration; Systems Security Analysis; Network Services
Protect and Defend: Computer Network Defense Analysis; Incident Response; Vulnerability Assessment and Management
Investigate: Digital Forensics; Cyber Investigation
Collect and Operate (Federal Government Role): Collection Operations; Cyber Operations and Planning
Analyze (Federal Government Role): All Source Intelligence; Exploitation Analysis / Targets / Threat Analysis
Oversight and Development: Legal Advice and Advocacy; Strategic Planning and Policy Development; Training, Education and Awareness; Security Program Management; Knowledge Management
Version 1.0: http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf
Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx
19. Risk Reduction At Work
Threat               | Actions                                        | Measures
Insider              | Background Checks                              | Regular Exception Reports
                     | Training – Everyone, IT, HR, Leadership        |
                     | Remove Access Promptly                         |
External Hacker      | Patches to Keep Software Updated               | Regular Time-Delay Reports and Rights Reviews
                     | Anti-Virus for Known Malware                   |
                     | Limited Administrative Rights                  |
                     | Two-factor Authentication                      |
Successful Intrusion | Certified IT Professionals                     | Frequent (Daily?) Results Reports
                     | Access Log Reviews                             |
                     | Intrusion Detection Software                   |
                     | Exfiltration Software                          |
                     | “White-listing” for Control Systems            |
Successful Attack    | “Loss of IT” Business Continuity Exercises     | Exercise Frequency and Results
                     | Engage/Develop Forensic Capability             |
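The “Remove Access Promptly / Regular Exception Reports” and “Access Log Reviews” rows above are the ones most easily automated, and they are where insider risk actually shows up: an account that stays enabled after its owner left, a service account nobody in HR owns, an admin account nobody has logged into for months, a login after a termination date. The script below is an added example, not from the slides, of the exception report a weekly review would consume. The HR roster, directory export and authentication log are all constructed, and their field names are assumptions about whatever export your HR system and directory (Active Directory, an IdP) actually produce.

```python
"""Weekly access exception report joining HR, directory and authentication data.

Added example, not part of the original slides. All three data sets are constructed.
"""
from datetime import date

# Constructed HR roster: employee id -> (name, termination date or None if still employed)
HR_ROSTER = {
    "e100": ("Alex Rivera", None),
    "e101": ("Sam Chen", date(2015, 3, 31)),
    "e102": ("Jordan Lee", date(2015, 4, 10)),
}

# Constructed directory export: one record per account
ACCOUNTS = [
    {"user": "arivera", "employee_id": "e100", "enabled": True, "admin": True, "last_login": date(2015, 4, 14)},
    {"user": "schen", "employee_id": "e101", "enabled": True, "admin": False, "last_login": date(2015, 4, 12)},
    {"user": "jlee", "employee_id": "e102", "enabled": False, "admin": False, "last_login": date(2015, 4, 9)},
    {"user": "svc_backup", "employee_id": None, "enabled": True, "admin": True, "last_login": date(2015, 1, 2)},
]

# Constructed authentication log: (date, user, outcome)
ACCESS_LOG = [
    (date(2015, 4, 12), "schen", "success"),
    (date(2015, 4, 13), "arivera", "success"),
    (date(2015, 4, 14), "jlee", "failure"),
]

REVIEW_DATE = date(2015, 4, 15)


def exception_report(roster, accounts, access_log, today, stale_admin_days=30):
    """Flag the exceptions a reviewer should look at; returns a dict of lists."""
    report = {
        "terminated_still_enabled": [],   # (user, name, days since termination)
        "orphan_accounts": [],            # accounts with no HR record behind them
        "stale_admins": [],               # (user, days idle) for enabled admin accounts
        "post_termination_logins": [],    # (date, user, outcome), successes and failures alike
    }
    termination_by_user = {}
    for acct in accounts:
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            report["orphan_accounts"].append(acct["user"])
        else:
            name, term = emp
            if term is not None:
                termination_by_user[acct["user"]] = term
                if term <= today and acct["enabled"]:
                    report["terminated_still_enabled"].append((acct["user"], name, (today - term).days))
        idle_days = (today - acct["last_login"]).days
        if acct["admin"] and acct["enabled"] and idle_days > stale_admin_days:
            report["stale_admins"].append((acct["user"], idle_days))

    # Access log review: any authentication attempt after the termination date is an exception,
    # even a failed one (a disabled account being tried is worth a phone call).
    for when, user, outcome in access_log:
        term = termination_by_user.get(user)
        if term is not None and when > term:
            report["post_termination_logins"].append((when, user, outcome))
    return report


def format_report(report):
    """Render the report as plain lines for e-mailing to the reviewer."""
    lines = []
    for section, items in report.items():
        lines.append(f"{section}: {len(items)}")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


def run_demo():
    return exception_report(HR_ROSTER, ACCOUNTS, ACCESS_LOG, REVIEW_DATE)


if __name__ == "__main__":
    print(format_report(run_demo()))
```

The value of the report is in the join, not in any single source: the directory alone cannot tell you that schen left two weeks ago, and HR alone cannot tell you that the account is still enabled and was used on 4/12.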