This presentation is given as a 30-minute intro to information security and cybersecurity for organizations that are interested in quick wins to improve their security posture.
2. Background
• 2+ years in federal cybersecurity for a federal agency focusing on national security
• 18 years of public safety experience, 11 years were in law enforcement (patrol, detectives, sergeant, lieutenant)
• The last 7 years in law enforcement were spent as the commander of a Cyber Crimes Task Force. Sworn in by both the FBI and the US Marshals Service
• Handled hundreds of investigations and forensic cases including murder, terrorism, cybercrime, hacking, child pornography, extortion, human trafficking, intellectual property, fraud, misconduct, etc. and performed thousands of forensic examinations
• Have been qualified as an expert witness in state and federal court
• Multiple certifications in law enforcement, cybersecurity, and forensics
• Graduated Summa Cum Laude with a Bachelor's degree and hold a Master's degree in Information Security and Assurance
• Adjunct Instructor for college teaching computer security
5. InfoSec for You and Your Business
• Passwords and multifactor authentication
• Encryption of data and devices
• Enforced policies and procedures (especially an AUP)
• Disaster Recovery and Continuity Plans
• Employee Training and Awareness
• Social Engineering Attacks and Recon
• Wireless Networking
• Least Privileged Access
• Endpoint Security, Patching, and Security Controls
Security costs: you can pay now, or you can pay later, but if you pay later, you always pay more.
6. Passwords and Multifactor Authentication
• Want at least two-factor authentication (2FA): two different kinds of factor from
  – Something you know (password, PIN)
  – Something you have (authenticator app, hardware token, phone)
  – Something you are (fingerprint, face)
• Two passwords are still one factor; the point is that a stolen or guessed password alone no longer gets an attacker in
• Website to locate compatible sites: https://twofactorauth.org/
7. Passwords and Multifactor Authentication
• Strong passwords should include uppercase, lowercase, numbers, and special characters, but length matters more than character mix: a long passphrase beats a short "complex" password
• Password attacks are extremely common (brute force, dictionary, or hybrid, i.e. dictionary words with predictable tweaks such as "Summer2019!")
• Simple passwords can be cracked in seconds
• Consider a password management tool (e.g., KeePass, LastPass, etc.) so every site gets a long, unique, random password
• Consider passphrases
• Never reuse passwords; a breach at one site is replayed against every other site you use
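To make "dictionary or hybrid" concrete, here is an added example (not from the presentation) of how such an attack runs against a leaked store of unsalted, fast hashes. The wordlist and the "breached" accounts are constructed; real wordlists have hundreds of millions of entries and GPU crackers test billions of SHA-256 guesses per second, which is why the short-complex passwords below fall and the passphrase does not.

```python
"""Dictionary and hybrid ("mangling rule") attack on unsalted SHA-256 password hashes.

Added example, not from the original presentation. The wordlist and the
'leaked' credential store are constructed for illustration.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed mini wordlist (a real one would be rockyou.txt or similar).
WORDLIST = ["password", "summer", "welcome", "letmein", "dragon",
            "monkey", "qwerty", "football", "baseball", "princess"]

# Leetspeak substitutions used by the hybrid rules.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(pw: str) -> str:
    """Fast, unsalted hash: exactly what a password store should NOT use."""
    return hashlib.sha256(pw.encode()).hexdigest()


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Yield plain dictionary words first, then hybrid variants:
    case changes, leetspeak, appended digits/symbols and years."""
    words = list(words)
    for w in words:                                   # pure dictionary attack
        yield w
    for w in words:                                   # hybrid attack
        bases = {w, w.capitalize(), w.upper(),
                 w.translate(LEET), w.capitalize().translate(LEET)}
        for base in bases:
            yield base
            for suffix in ("1", "!", "123", "1!", "!1", "123!"):
                yield base + suffix
            for year in range(1990, 2026):            # "Summer2019!"-style passwords
                yield f"{base}{year}"
                yield f"{base}{year}!"


def crack(store: Dict[str, str], words: Iterable[str],
          max_guesses: int = 1_000_000) -> Dict[str, Optional[str]]:
    """Recover passwords for a {user: hash} store.

    Because the hashes are unsalted, each guess is hashed once and checked
    against ALL users at the same time through a reverse lookup table.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    found: Dict[str, Optional[str]] = {user: None for user in store}
    for n, guess in enumerate(candidates(words)):
        if n >= max_guesses or all(v is not None for v in found.values()):
            break
        for user in by_hash.get(sha256_hex(guess), []):
            found[user] = guess
    return found


# Constructed 'breached' credential store: unsalted SHA-256 (a common, bad practice).
LEAKED = {
    "alice": sha256_hex("password"),
    "bob":   sha256_hex("Summer2019!"),
    "carol": sha256_hex("Dr@g0n123"),
    "dave":  sha256_hex("correct horse battery staple"),  # long passphrase
}

if __name__ == "__main__":
    for user, pw in crack(LEAKED, WORDLIST).items():
        print(f"{user:6s} {'CRACKED: ' + pw if pw else 'not cracked'}")
```

Two defences follow directly from the code: a per-user salt breaks the shared lookup table (every guess must be hashed once per user), and a deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) makes each of those guesses expensive.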
8. Encryption
• Encryption should be mandatory on all portable devices (tablets, phones, laptops, USB devices, etc.); a lost unencrypted laptop is a data breach, an encrypted one is a hardware loss
• Encryption should also be used to transmit sensitive data via email (especially PII and IP), for example S/MIME or PGP, or a secure file-transfer link instead of an attachment
• Many free and inexpensive encryption programs are available, and full-disk encryption is already built in: BitLocker (Windows), FileVault (macOS), LUKS (Linux), and on by default on current iOS and Android; turn it on and keep the recovery keys somewhere safe
9. Policies and Procedures
• Policies are a must, especially if you are in any type of regulated business (HIPAA, SOX, GLBA, PCI-DSS, etc.)
• Policies are only good if they are enforced
• If nothing else, have a well-written Acceptable Use Policy (AUP) and have all employees sign it (preferably annually)
• The AUP should discuss several items, particularly that there is no expectation of privacy on the business network
10. Disaster Recovery / Continuity
• 93% of companies that lost their data for 10 days or more filed for bankruptcy within one year
• 50% of companies that lost their data for 10 days or more filed for bankruptcy immediately
• Every week 140,000 hard drives crash in the United States
• Have a backup plan for home and work, and test restores regularly: an untested backup is a hope, not a plan
• Consider offsite backup solutions as well; the copy must be geographically separate from the primary site so one fire, flood or theft cannot take both
http://www.concertonenetworks.com/files/DriveSavers_Industry%20Facts_stats.pdf
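A backup only counts once a restore has been checked against it. As an added example (not from the presentation), the script below backs up a directory to a compressed archive with a SHA-256 manifest, performs a real restore into a separate location, and compares every file to the manifest, then shows that a corrupted or missing file is caught. All paths and file contents are constructed in a temporary directory.

```python
"""Back up a directory to a tar.gz with a SHA-256 manifest, then prove it restores intact.

Added example, not from the original presentation. Everything here is
constructed in a temporary directory so it runs anywhere.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write archive (tar.gz of src under 'data/') and a manifest beside it."""
    manifest = manifest_for(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def compare(manifest: Dict[str, str], root: Path) -> Dict[str, str]:
    """Diff a restored tree against the manifest; {} means it matches exactly."""
    restored = manifest_for(root)
    problems: Dict[str, str] = {}
    for rel, digest in manifest.items():
        if rel not in restored:
            problems[rel] = "missing after restore"
        elif restored[rel] != digest:
            problems[rel] = "checksum mismatch"
    for rel in restored.keys() - manifest.keys():
        problems[rel] = "unexpected extra file"
    return problems


def verify_restore(archive: Path, restore_to: Path) -> Dict[str, str]:
    """Do a real restore into restore_to and check it against the manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_to, filter="data")   # blocks path traversal (Python 3.12+)
        except TypeError:                               # older Python without the filter argument
            tar.extractall(restore_to)
    return compare(manifest, restore_to / "data")


def run_demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (problems after a clean restore, problems after simulated damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")  # constructed
        (src / "notes.txt").write_text("constructed sample data\n")               # constructed
        archive = base / "backup.tar.gz"
        manifest = make_backup(src, archive)

        restore_dir = base / "restore"
        clean = verify_restore(archive, restore_dir)

        # Simulate bit rot and a partial restore on the restored copy, then re-check.
        (restore_dir / "data" / "notes.txt").write_text("corrupted\n")
        (restore_dir / "data" / "finance" / "ledger.csv").unlink()
        damaged = compare(manifest, restore_dir / "data")
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Keep the manifest with the offsite copy: it is what lets you tell a good backup from a silently corrupted one, and it is what a ransomware-affected site needs in order to trust the copy it is restoring from.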
11. Employee Awareness Training
• The most common security violations include:
  – Failing to encrypt data and devices
  – Clicking on links within phishing email messages
  – Downloading unauthorized software (p2p, malware)
  – Misuse of company IT assets
  – Plugging in unauthorized devices such as USB devices or home computers to company assets
12. Social Engineering Attacks & Recon
• Phishing, vishing (by phone), smishing (by SMS), spear phishing (targeted at one person), whaling (targeted at executives), pharming (redirecting you to a fake site)...the list goes on and on
• Be aware of what is on the Internet about you and your company (OPSEC); attackers use it to make the lure believable
• Social engineering also includes dumpster diving, tailgating, diversion, etc.
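Phishing links are the common thread in slides 11 and 12. As an added example (not from the presentation), here is a small analyzer for the tells an awareness course teaches people to look for: a Reply-To that goes somewhere other than the From domain, a link whose visible text names one site while the href goes to another, and plain http links. The two messages and every domain in them are constructed (".invalid" is a reserved, never-registered TLD).

```python
"""Flag common phishing tells in an e-mail: Reply-To pointing elsewhere and
links whose visible text names a different host than the real href.

Added example, not from the original presentation. Both messages are
constructed; the domains are reserved placeholders, not real sites.
"""
import email
from email import policy
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed phishing sample. The visible link text imitates the bank; the href does not.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@login-verify.invalid>
Reply-To: support@mailbox-collect.invalid
To: employee@company.invalid
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account is locked. Please confirm your details at
<a href="http://login-verify.invalid/acct">https://www.example-bank.invalid/login</a>
within 24 hours.</p>
<p>Or read our <a href="https://www.example-bank.invalid/help">help page</a>.</p>
</body></html>
"""

# Constructed legitimate sample: same sender domain everywhere, link text matches href.
CLEAN_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank.invalid>
To: employee@company.invalid
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Sign in at
<a href="https://www.example-bank.invalid/login">https://www.example-bank.invalid/login</a>
to view it.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real tool would use the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means no tells were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    from_domain = domain_of(msg["From"].addresses[0].addr_spec)
    if msg["Reply-To"]:
        reply_domain = domain_of(msg["Reply-To"].addresses[0].addr_spec)
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        # Visible text that looks like a URL or domain but leads to a different site
        if "." in text and " " not in text and registrable(text_host) != registrable(href_host):
            findings.append(f"Link text shows {text_host} but goes to {href_host}")
        if href.startswith("http://"):
            findings.append(f"Unencrypted link: {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", analyze(raw) or ["no tells found"])
```

The same checks (hover over the link and compare the host with what is displayed; look at where a reply would actually go) are what employees should be trained to do by hand before clicking.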
13. Wireless Networking
• NEVER use public open Wi-Fi access points for anything sensitive (or maybe at all)
• If accessing work, make sure you use a Virtual Private Network (VPN) solution
• Anything sent without its own encryption over open Wi-Fi (plain http pages, chat or messaging apps without end-to-end encryption) can be read by anyone in range
• At home take the following precautions on your wireless router:
  – Change the default username/password for the router and keep its firmware updated
  – Enable WPA2 (or WPA3) encryption with a long passphrase (not WEP, and turn off WPS)
  – Not broadcasting the SSID and MAC address filtering are often recommended too; they add little, since a hidden SSID is still visible to anyone sniffing and MAC addresses are trivially spoofed, so do not rely on them in place of the items above
14. Least Privileged Access
• Usually a culture change and not popular (but absolutely essential)
• Limit who has administrative privileges
• No one should ever use an admin account for their day-to-day work
• Admin account should never be used to check email or surf the Internet
15. Endpoint Security, Patching & Security Controls
• Endpoint security is essential, on everything including mobile devices
• Have up-to-date anti-malware software
• Use host firewalls
• Keep the operating system and third-party software (browsers, Java, PDF readers, Office) patched against security vulnerabilities; most exploits target flaws for which a fix already exists
• Make sure your business network is secure and you have an incident response plan, written before you need it
16. The Life Cycle of a Cyber-attack
Source: Mandiant M-Trends 2012