This document discusses cyber threats and strategies for improving technology security. It covers:
1. Common cyber threats: malware, hacking using passwords, and deception. Malware was involved in 69% of breaches and hacking in 81% of breaches.
2. Cyber criminals' motivations include spamming, DDoS attacks, click fraud, stealing financial credentials and ransomware to extort money. Hacked devices can be used in 36 abusive ways.
3. Effective defenses include threat awareness, moving beyond passwords for authentication, and regularly scanning devices for malware before and after connecting online.
Safer Technology Through Threat Awareness and Response
1. Safer Technology Through Threat Awareness and Response
Stephen Cobb, CISSP
Senior Security Researcher
2. Threat awareness = know your enemy
We all know there are threats, but do we have a clear picture of them?
What are the main threats?
What can we do to defend against them?
3. What is behind data security breaches?
1. Malware involved in 69% of breaches
2. Hacking* used in 81% of breaches
Verizon 2012 Data Breach Investigations Report
*80% of hacking is passwords: default, missing, guessed, stolen, cracked
4. 3rd element: deception
Used in many types of attack, like this recent attempt to plant a Trojan
Click either link and you will be infected
(Unless you are running a good AV program)
5. What do cyber criminals want with our digital devices and data?
6. 36 ways to abuse a hacked device
• Spam zombie
• DDoS extortion zombie
• Click fraud zombie
• Anonymization proxy
• CAPTCHA solving zombie
• eBay/PayPal fake auctions
• Online gaming credentials
• Website FTP credentials
• Skype/VoIP credentials
• Encryption certificates
• Fake antivirus
• Ransomware
• Email account ransom
• Webcam image extortion
• Bank account data
• Credit card data
• Stock and 401K accounts
• Wire transfer data
• Phishing site
• Malware download site
• Warez piracy server
• Child porn server
• Spam site
• Harvest email contacts
• Harvest associated accounts
• Access to corporate email
• Webmail spam
• Stranded abroad scams
• Facebook
• Twitter
• LinkedIn
• Google+
• Online gaming characters
• Online gaming goods/$$$
• PC game license keys
• OS license key
Based on original work by Brian Krebs: krebsonsecurity.com
[Diagram categories: Web server; Botnet activity; Email attacks; Virtual goods; Reputation hijacking; Financial credentials; Hostage attacks; Account credentials]
8. The Office of Naval Research and the rail gun
• Fires a projectile at 5,000 mph with a range of 100 miles
• Small businesses responsible for 86 individual sub-contracts worth $20m
9. Verizon 2012 Data Breach Investigations Report
[Chart: 720 breaches by size of organization (employees). Size bands: 1 to 10; 11 to 100; 101 to 1,000; 1,001 to 10,000; 10,001 to 100,000; Over 100,000. Annotation: SMBs]
10. The SMB sweet spot for the cyber-criminally inclined
[Chart axes: Assets worth looting; Level of protection. Labels: Big enterprise; SMB “sweet spot”; Consumers]
11. Tools of the trade
To get into cyber crime you need:
A. To be a programmer? No
B. To buy equipment? No
C. To have your own servers? No
Crime kits are slick, easy-to-use, and you can rent them.
Consider the Serenity exploit kit
21. So how do you defend your devices?
Three main attacks … and defenses
Attacks: Malware, Hacking, Deception
Defenses: Scanning, Authentication, Awareness
22. Scanning doesn’t work if you don’t use it
[Chart, scale 0% to 40%: Scan devices while connected; Scan devices prior to connection; Require AV on mobile devices]
Measures in use at a sample of 82 healthcare facilities
98% experienced one or more breaches of PHI
Ponemon Institute Third Annual Benchmark Study on Patient Privacy & Data Security
23. Authentication beyond passwords
Passwords exposed in 2012: 75,000,000
Need to add a second factor to authentication
2FA raises the bar for attackers trying to get at your corporate network
24. Awareness: a powerful weapon
• Think before you click/open
• If it sounds too good…
• Just because your friend said…
• Resources:
• Securing Our eCity
• We Live Security
• Podcasts and webinars
• ESET Smart Security