Thank you all for being here. The global phenomenon of cybercrime has grown enormously. It’s the rare person or company that hasn’t been attacked, either on purpose in a targeted effort or accidently because of spam, phishing, or malware that made its way into the organization. Whose job is it to worry about this? Is it yours, as the individual employee? Is it the responsibility of the IT department? The CEO, CIO, or other C-level executive? Maybe. We’ll come back to that in a bit.
Cybercrime is a massive global problem. (cite: 2012 Norton Cybercrime Report stats)Global consumer cybercrime costs are estimated to reach $110 billion each year. And it’s far bigger in the corporate world. HP and Ponemon did a study in 2011 that found the average per year cost to a corporation was about $6 million but it ranged from 1 million to $37 million for the 50 firms they surveyed. 2/3 of online adults have already been hit by cybercrimes that can range from online stalking and bullying (the most serious forms) to malware, online scams and fraud. What is actually lost in cybercrime? On a personal side, they can wipe out your bank account, use your credit cards, destroy your credit and use your computer to stage attacks on others. In a corporate environment they can steal money and steal corporate information and use your systems to stage attacks on others. They can also shut down your website so you can’t do business; damage your machinery so you can’t manufacture goods; even post things on your website or send out newsletters that ruin your reputation. Or more. or worse. 1 in 6 users of social networks have had their accounts hacked. That’s up from 1 in 10 only a year ago. And we’re seeing huge growth in new forms of malware every day. in fact, the Symantec Security Response group, the people who research all these threats and how to stop them, are now seeing a huge growth in different and new malware types every day. They report a million variants a day. How is this even possible? Cybercriminals have simple to use toolkits that can customize or “morph” a threat on the fly, so when it gets to your computer, it appears as something entirely new. Some of these toolkits are traded or sold online to less technically savvy hackers known as “script kiddies”. And now the very employees of organizations are under attack with methods like spear phishing, which I’ll get to in a bit. Cybercriminals do what they do for a variety of reasons. Usually it’s simple: they want to get rich. Sometimes it’s political in nature: witness the online hacking group known as “Anonymous” and their exploits. Even scarier are the terrorists who are now using cybercriminal methods to take down targeted industries, specific corporations or an individual nation. You might have seen in the news here in the US about orchestrated efforts by Iran to attack our banks and energy companies. We’re talking about a new wave of cybercrime; state-sponsored cyber terrorism. We’re in the midst of a cybercrime era that covers a lot of turf, from the personal to the national; from the social networks to machinery and infrastructure.
Who is Symantec? We’re one of the world’s largest software companies, providing security, storage and systems management solutions. Our consumer brand is Norton. We partner with you and your employer to keep you and your work protected. Who am I? My name is Marian Merritt. I’m the Norton Internet Safety Advocate. I’ve been with Symantec/Norton for over 15 years; long enough to see the world of cybercrime turn on its head. No longer are virus writers a bunch of bored teenagers sitting in their mom’s basement causing digital mischief. Cybercrime is big business. It impacts each of us sitting here every single time we go online, regardless of device. Go online on your computer? You had better have security software installed. Go online on your mobile device? How are you connected? Wifi? What is on your device to protect you?
Let’s look at our mobile apps. Who here checked Facebook today on your phone? Show of hands. I check my social network account multiple times a day from a variety of devices. Did you play Angry Birds or Temple Run on your phone? Are you playing them now?So What do you think happened when you used these apps Let’s say you’re using the Facebook app and you’ve just updated your status, “listening to the most amazing speaker on Internet safety”. Really, go ahead, I can wait. OK, never mind.
Different example, you’re playing a Vegas-style gambling game. When you installed it, you authorized certain permissions to send information to the game’s server. Information like your score, your name, where you are right now, how long you’ve been playing, ooh, how about your IP address, your age and gender, maybe your entire Facebook friend list so the game can invite them to play? This is most likely a completely safe game. I’m not suggesting you shouldn’t use it. What I’d like you to do is to pay attention to these apps and the rights or permissions you are giving them in exchange for a little entertainment or utility. There’s a great Norton website at www.mobilesecurity.com. Look up your favorite app on the tab at the top of the page marked “App View”. You can see how many so called “permissions” you’re allowing that app. A permission is a level of access you allow the app to have to your private information and to send or share that information. Some are necessary like allowing a messaging app to notify you with a vibration, or an audible tone when you get a new message. But should a gaming app designed for small children require geolocation (information about the child’s physical location)? Probably not. Or access and use your friend list? Maybe not. But they often have these rights and you’ve allowed it. If you’ve added apps on your tablet or phone and don’t remember why or rarely use them, consider removing them. Disable apps in your social network if you don’t need them. All of them get some level of access to your private data, your friend’s lists, your profile info, their contact details, etc.
Why should you care? Our mobile devices are not just fancy toys; they are serious business tools as well. When you consider the programs you install, it’s as if you are selecting business partners. Maybe you should care about the impact to your privacy? Have you ever noticed that after you look at something like shoes on a shopping website, those same shoes manage to follow you around the web in all the ads you see. More frustrating is even if you bought the shoes, you still see the ads. Those darn cookies in your browser history allow this, even when it doesn’t make sense. You can remove cookies from your history but remember, some cookies are helpful, like the ones that remember you are already logged into an account you use all day long. Let’s consider the sorts of threats we deal with every day on our social networks.
Have you ever seen some of these crazy images in your newsfeed or a friend’s? They are all fake. Bad guys want us to click. If we click, they can infect us with malware
OMG or LOL videos are very effective. You see strange headlines Like “You won’t believe what this dad did when his daughter broke curfew?” or “I like this video of you!” I like funny videos, we all do, so you click on the link or the video image to watch the video, right? Then what happens? Perhaps your browser goes to another website where you might see a Facebook login page that looks real and you re-enter your user name and login password. Sometimes you get asked to download a special media player to watch the video. Or fill out a survey so they can steal your information. This is called a click jacking attack and is one of the most personal forms of cybercrime. Click jacking because you are told to click on something and your browser is hijacked to download or visit something else. Or they insist on your mobile number so they can send you your score but it’s really to sign you up for premium messaging. Sometimes, even to escape the page, there are hidden tricks so no matter where you click, you’ve “liked” the malware and then it shows up in your newsfeed to trick all your friends and send out spam.
This next one, the profile viewer. We all want to know who is checking us out on Facebook. But these viewers don’t actually work. Again, this is an example of click jacking. This time with a special app to show you something you’d like to know, who is viewing your Facebook page.
The dislike button? You can like a friend’s post but sometimes you want to dislike it. Right now, there is no app or facebook method to add a dislike button, no matter what these fake things says. So why would they do any of these things. The bad guys want to steal access to Facebook accounts and re-sell that to other bad guys. They can infect your computer with a program to steal other private information like your banking logins. Sometimes just getting you to visit, however briefly, a dangerous website is all they need. They can slip malware onto your computer through a hole in your browser software. These are called “drive by downloads”. You stop them by 1) being careful what you click on, 2) using security software, 3) patching all your programs, browser, operating system, etc when you are prompted. Remember, earlier on the slide that showed 1 in 6 consumers have had their social network account hacked? These click jacking efforts are one example of the methods used to pull that off. And as you can tell, they are effective. One more problem I want to mention is the so-called smishing attack . The name comes from SMS and phishing so you might have guessed this is a trick message sent to your phone as a text message. You click on the link or call a number and the next thing you know, you’ve authorized premium services on your phone or infected your phone with malware that steals other private information. Sounds far fetched but we saw huge growth last year. And globally this is the trend. 2/3 of people connect to the internet on mobile devices so the opportunity to get rich with smishing is good. And in our Norton Cybercirme report (www.norton.com/2012cybercrimereport) we saw that 31% reported having received a text message from an unknown sender with a request to click a link or dial a number to retrieve a message. These are really personal kinds of threats and threats that can start with a naïve child or teen who responds to them, infects the family network of computers and in turn Mom and Dad’s work computer
in the first 3 months of 2012, 40% of attacks targeted companies with fewer than 500 employees. These firms may have fewer layers of protection, no contingency plans and are unprepared to deal with data loss. Often a small business is targeted because of ties to bigger companies. They could be a division of a bigger company or a vendor with ties and connections. Doesn’t matter to the cybercriminal. they can make money no matter the entry point. And sometimes small business is even more attractive because it’s less protected. According to a new NCSA/Symantec study: 83% of small businesses in the US have no cybersecurity plan.
And who is a bigger target among employees? The individual employee or those at the C-level? Both are targets but only 25% of targeted attacks are aimed at the C-level. There are many methods of getting inside the organization, like with phishing attacks in spam email. Or targeting the in box of a shared account like firstname.lastname@example.org. Or HR because in a smaller organization you might still be receiving resumes as attachments in email. You’ve all heard of phishing attacks right? Those are tricky messages that look like urgent business from a bank, a government agency, even a member of a foreign royal family. But if the bad guys want to go after a particular organization, they will use what is known as a spear phishing attack. Now, what is spear phishing attack? Imagine you are the office manager for a small company.
Maybe 10 employees but you handle quite a bit of money. Maybe $2 million, $5 million a year. One day you get an email addressed to you and it appears to be from the controller. There’s an attachment which you open. The attachment looks strange maybe even blank. You might even call the controller who says she never sent the email. Nothing else seems to be happening so you ignore it, at least until you realize the firm’s bank account is empty. You were hit by the Zeus banking Trojan. This is spear phishing. It’s a targeted attack. How do they get your email? Maybe it’s on the website; or one of those shared inboxes. like HR@company.com; etc. Another variant of phishing is vishingor Voice phishing. Has Anyone here had a phone call at home or work from “Microsoft” or at least some nice person claiming to be from Microsoft. And what do they say, “Oh marian, your computer has been sending us strange error messages and we think you have a virus. If you go to this special website, we can scan it for free and find out. Naturally if you fall for a vishing attack like this, first you’ll download a fake virus tool to your computer, leading to more problems since it probably has malware inside, then you’ll give them your credit card because they are helping you clean up the so-called virus. Which will lead to credit card fraud and identity theft
We hear about data breaches all the time, maybe you have even received an email or letter from a bank or business you use telling you your data may have been stolen or compromised. 46% of the participants in our Norton cybercrime study have received such an email, most often from a bank, social network or email account requesting them to change their password. Why would someone want your login information? Passwords are valuable – often we use the same one everywhere so if they have your email address and a password for one website, they might have your user name and password for other websites. Having a password, you have a lot of power. If a bad guy has your email login, could he reset your password to your other accounts? You betcha, using the “forgot my password” link on the other websites. Data breaches are serious and can lead to id theft.
Stuxnet (infrastructure)I mentioned at the beginning threats are now implicated in cyber terrorism. The first big example was Stuxnet. An Iranian nuclear enrichment site known as Natanz went offline in 2010 after someone planted a malware infected memory stick in the plant or on the premises. Somehow, the memory stick was found and then plugged into a work computer and someone clicked, possibly innocently, on a Windows icon. This simple action unleashed the malware, designed to exploit four previously unknown Windows vulnerabilities and sent the Siemens systems connected to the network into a tizzy, causing the plant to fail. What was really interesting about Stuxnet is that the virus had spread to numerous locations around the world but only infected the Natanz plant. It was designed just to hit there. As if a flu bug spread around the world but only made one family sick. Since Stuxnet we’ve seen a few others: Duqu, Flame, and then in late September a big banking attack from some Islamist cybercrime groups. It just takes a moment of not thinking, not realizing what you’re doing to fall for these attacks, some of which are really well-crafted. We forget that each of us is really important. And when it comes to security, each of us is critical. You know that phrase, he who hesitates is lost? In this case, he who hesitates is safe!
You use technology every day. Some of you are technical, some less so but you are all smart.You have big responsibilities at work. Your company does important things. All of this means You are important. You are a gatekeeper to company networks, and company resources. Get hit by cybercrime and you just opened the gate. Now think about how you use tech. it’s not just at work and it’s not just on a computer.
Tech use is changing, now with BYOD (“Bring your own device”), more mobile and personal tech blending in work environment. We have a shared responsibility to do this safely. A third of us will lose our phone at some point (source: Norton Cybercrime report). We did a study at Symantec, we called it the Honey Stick project because we installed special tracking software in 50 phones and left them in public places around the US and Canada. So what happened? ½ of the phones were returned. Good news I guess if you think 50% are good odds.
But did anyone look at private info we had on those phones; like read the emails, try to open files marked “salary data”? Tried to login to the banking app on the phone.? Yep, the finders of our lost phones did all that, every single time. Your mobile device carries the keys to your private information, your financial life, connects to your work life and it’s at risk if you don’t secure it. My advice is to prepare now for the inevitability of a lost smart phone. Secure it with anti-theft software (available free on the iPhone and with Norton in the Android marketplace) and lock it with a screen password. Put a contact number (not the cell number) on the back of the phone with a piece of paper and some tape. That way the good people who want to return a lost phone know how to contact you, and the bad people can’t get in the phone to steal info and spy. For those phones that don’t get returned, with anti theft software you can remotely lock or wipe the data and feel safe your private information and company information is protected. PasswordContact numberSecurity anti-theft software installed.
So after hearing about the growth of threats, the scope, from the personal to the global to the mobile, how can you enjoy technology without freaking out? You’ve got to Be smart, not paranoid. The National Cyber Security Alliance came up with a slogan I quite like called Stop. Think. Connect. This simple phrase reflects a great attitude and approach to dealing with our internet and tech lives.
stop– hesitate when faced with something suspicious. An email from a stranger, a link that looks weird in email, text messages, a call you didn’t expect or a memory stick on the ground. Learn to stop for a moment to recognize, this is new or different.
THINK Think – Evaluate sender, is this from someone I know? Can I validate the sender, the caller, the texter? Who owns the website? Evaluate message – is this typical for them? Is it in character or shows personalization? Evaluate options to respond – can I call or email them to double check? Do I really need this promotion or to see this video? Is it worth the risk? Can I do this later or on another device?
CONNECT Connect – only when you’re sure, then go ahead and connect. Or deletet eh message, close the browser window, leave the memory stick on the ground and so on. You get it.
now, what if you clicked when you shouldn’t have. What if you think you’ve been hit by Cybercrime (it’s almost inevitable so best to be prepared). Remember, from the Norton study, 2/3 of online adults have been hit by some form of cybercrime.
Report it - fess up! Report compromised accounts to vendor/host/bank, etc. Get help from experts and never hesitate. If you infected a device that connects to work systems, report it to IT and ask for help. If you fell for a scam, contact the authorities, both police and feds at www.ic3.gov. Stop it : you don’t want it to spread further, so Delete app/remove malware Disconnect the device or even the account Reset passwords – and this means you need unique passwords that are different for each account. You’ll want a password manager to make this possible because who can remember the 50 or so passwords we all need nowadays. And no, a list on the computer or on yellow sticky notes isn’t a system. Neither is having one super cool password and using it for every one of your accounts. Norton includes a password manager and form filler called Norton Identity Safe in our consumer security suites: Norton 360 and Norton Internet Security. Keep Monitoring all your accounts for strange behavior
Ultimately, all this information should help us start to Change our behavior:Make sure your computers and your online devices like tablets and smart phones are secured, first with a password so if they are lost, the data is safe. Use security software to block visits to dangerous websites and programs from installing without permission. Remember, just visiting an infected page can get malware on your computer through browser vulnerabilities. And that goes for Macs as well as PCs. Use your account settings to Seek out the highest security options like requiring https on facebook and twitter accounts. Be careful who can see what you post. If you ever fell for a social network scam, remove the post from your feed so your friends don’t get infected. Turn off unneeded services like Bluetooth, WIFI, GPS, etc. Sometimes that’s best for security but on mobile devices, it can also preserve battery life. Be careful Who you socialize with:35% of adults (Norton Cybercrime study) admit they friend strangers, reducing everyone’s safetyWhen choosing mobile apps, only choose apps with reasonable permissions, pay attention to the name of the vendor, avoid the newest ones that might be fakes. Look for big, well-tested and trusted brands and only choose apps with high ratings from other users.
What have we discussed todayScope and scale of cybercrime - $110 billion lost to consumers; From the very personal kinds like online bullying and social network hacking to targeted attacks on employees to nation state-sponsored cyber terrorismHow to use the simple Stop.Think.Connect. method to avoid becoming a victimAnd some techniques for How to recover from an attack
So, If later today, you see this what will you do? Ask yourself if you know this person? Is the request or post typical of them? Does the link look authentic or suspicious? And if you’ve stopped, thought about it and think it’s ok, then go ahead and Connect. For this one, I’m guessing not.
Cybercrime is a massive global problem
of online adults
have been hit
1 in 6
on the rise
$1 million +
Bad Guys Want to Get Us to Click to:
Infect us with malware
Make us take bogus surveys to:
Gain information or
Sign us up for premium SMS services
Send spam to us and our friends
OMG! Videos get people to click
Bad guys know that people want to know who
viewed their Facebook page
Bad guys know that people want a dislike button
Which is more likely to get attacked?
Small or Medium
Only 25% of targeted attacks directed at C-Level executives
Who is most likely to be targeted in an attack?