This presentation is given as a 30-minute intro to information security and cybersecurity for organizations that are interested in quick wins to improve their security posture.

1. Cybersecurity Threatscape
Quick Information Security Tips for Business and Individuals
Joshua S. Moulin, MSISA –
ACE,CAWFE,CCENT,CEECS,CEH,CFCE,CHFI,DFCP,GCFA,GSEC

2. • 2+ years in federal cybersecurity for federal agency focusing on national
security
• 18 years of public safety experience, 11 years were in law enforcement
(patrol, detectives, sergeant, lieutenant)
• The last 7 years in law enforcement were spent as the commander of a
Cyber Crimes Task Force. Sworn in by both the FBI and the US Marshal’s
Service
• Handled hundreds of investigations and forensic cases including murder,
terrorism, cybercrime, hacking, child pornography, extortion, human
trafficking, intellectual property, fraud, misconduct, etc. and performed
thousands of forensic examinations
• Have been qualified as an expert witness in state and federal court
• Multiple certifications in law enforcement, cybersecurity, and forensics
• Graduated Summa Cum Laude with a Bachelor’s degree and hold a Master’s
degree in Information Security and Assurance
• Adjunct Instructor for college teaching computer security
Background

4. The Adversaries are Real
Source: Mandiant M-Trends 2012

5. InfoSec for you and your Business
• Passwords and multifactor authentication
• Encryption of data and devices
• Enforced policies and procedures (especially an AUP)
• Disaster Recovery and Continuity Plans
• Employee Training and Awareness
• Social Engineering Attacks and Recon
• Wireless Networking
• Least Privileged Access
• Endpoint Security, Patching, and Security Controls
Security costs…you can pay now, or you can pay later –
but if you pay later, you always pay more.

6. Passwords and Multifactor Authentication
• Want at least two factor
authentication (2FA):
– Something you have
– Something you know
– Something you are
• Website to locate
compatibles sites:
https://twofactorauth.org/

7. Passwords and Multifactor Authentication
• Strong passwords should include uppercase,
lowercase, numbers, and special characters
• Password attacks are extremely common
(Brute force, dictionary, or hybrid)
• Simple passwords can be cracked in seconds
• Consider a password management tool (e.g.,
KeyPass, LastPass, etc.)
• Consider passphrases
• Never reuse passwords

8. Encryption
• Encryption should be mandatory on all portable
devices (tablets, phones, laptops, USB devices, etc.)
• Encryption should also be used to transmit sensitive
data via email (especially PII and IP)
• Many free and inexpensive encryption programs
available

9. Policies and Procedures
• Policies are a must, especially if you are in any
type of regulated business (HIPAA, SOX, GLBA,
PCI-DSS,etc.)
• Polices are only good if they are enforced
• If nothing else, have a well written Acceptable
Use Policy (AUP) and have all employees sign
it (preferably annually)
• The AUP should discuss several items,
particularly that there is no expectation of
privacy on the business network

10. Disaster Recovery / Continuity
• 93% of companies that lost their data for 10
days or more filed for bankruptcy within one
year
• 50% of companies that lost their data for 10
days or more filed for bankruptcy immediately
• Every week 140,000 hard drives crash in the
United States
• Have a backup plan for home and work
• Consider offsite backup solutions as well and
geographic location is important
http://www.concertonenetworks.com/files/DriveSavers_Industry%20Facts_stats.pdf

11. Employee Awareness Training
• The most common security violations
include:
– Failing to encrypt data and devices
– Clicking on links within phishing email
messages
– Downloading unauthorized software
(p2p, malware)
– Misuse of company IT assets
– Plugging in unauthorized devices such
as USB devices or home computers to
company assets

12. Social Engineering Attacks & Recon
• Phishing, Vishing, Smishing, Spear Phishing,
Whaling, pharming…the list goes on and on
• Be aware of what is on the Internet about you
and your company (OPSEC)
• Social engineering also includes dumpster
diving, tailgating, diversion, etc.

13. Wireless Networking
• NEVER use public open Wi-Fi access points for
anything sensitive (or maybe at all)
• If accessing work, make sure you use a Virtual Private
Network (VPN) solution
• SMS messages sent over Wi-Fi are all plaintext
• At home take the following precautions on your
wireless router:
– Don’t broadcast the SSID
– Change the default username/password for the router
– Enable WPA2 encryption (Not WEP)
– Use MAC address filtering

14. Least Privileged Access
• Usually a culture change and
not popular (but absolutely
essential)
• Limit who has administrative
privileges
• No one should ever use an
admin account for their day-to-
day work
• Admin account should never be
used to check email or surf the
Internet

15. Endpoint Security, Patching & Security
Controls
• Endpoint Security is essential – on everything
including mobile devices
• Have up to date anti-malware software
• Use host firewalls
• Keep operating system and third-party
software patched from security vulnerabilities
• Make sure your business network is secure
and you have an incident response plan

16. The Life Cycle of a Cyber-attack
Source: Mandiant M-Trends 2012

17. Questions?
Email: Josh@JoshMoulin.com
@JoshMoulin
https://www.linkedin.com/in/joshmoulin