
What your personal security score means to you and your family


Presentation delivered to HSBC employees worldwide on 10/15/2019 as part of their Cyber Awareness Month campaign; Week #3: Cybersecurity in Our Personal Lives/Cybersecurity on the Move.


  1. What your personal security score means to you and your family
     Cyber Week #3: Cybersecurity in Our Personal Lives / Cybersecurity on the Move
     Evan Francen, CISSP, CISM. CEO, SecurityStudio
  2. Introduction: Today’s Agenda
     • Introduction
     • The Role People Play in Security
     • Security @Home
     • The S²Me Assessment
     • Our S²Me Scores & Questions
     • Security @Home & Security @Work
     • Now what?
     Thank you to everyone who participated!
  3. Agenda: I do a lot of security stuff…
     • Co-founder and CEO of FRSecure
     • Co-founder and CEO of SecurityStudio
     • Co-inventor of SecurityStudio®, S²Org, S²3P, and S²Me/S²Team
     • 25+ years of practical information security experience (started as a Cisco Engineer in the early 90s)
     • Worked as CISO and vCISO for hundreds of companies.
     • Developed the FRSecure Mentor Program; six students in 2010, 500+ in 2019
     • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
     Nickname: “Truth”
  4. Agenda: Are you a reader?
     • Published UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry? in January 2019
     • Three more books in the works.
     Are you a listener? Co-host of the UNSECURITY Podcast with Brad Nigh.
     Are you a social networker? Follow me on Twitter: @evanfrancen
     “Information security isn’t about information or security as much as it is about people.”
  5. The Role People Play in Security: First, some truth.
     SIMPLE is your friend. Complexity is the enemy of information security.
  6. The Role People Play in Security: More truth.
     • The most significant risk is people.
     • Information security is not a technical (or IT) issue. Information security is a people issue.
     • Cybersecurity != Information Security
     • There are two types of people: information security pros (~800,000 in U.S.) and information security amateurs (~320,000,000 in U.S.).
     • 350,000+ job openings.
     • One analyst group predicts 3,500,000 openings by 2021.
  7. [Chart: United States population compared with the number of information security pros]
  8. The Role People Play in Security: More truth.
     • Don’t expect the professionals to protect you; we/they can’t.
     • We need to help each other, and we need to work together.
     • You need to do your part, and we need to do ours. But, what’s your part?
     Inconvenient truth: nobody cares about your security like you should.
  9. The Role People Play in Security: Theory
     People are creatures of habit. A person at home is the same person at work. People want to do the right thing.
     Therefore, create good habits. Therefore, create good habits at home.
     71% of Americans want to protect their information, but most don’t know how.
  10. Security @Home
     Traditional training and awareness programs fail to motivate because they don’t resonate.
     • There’s a difference between protecting someone else’s information versus protecting your own.
     • @Home, there are (at least) three distinct motivators for building good security habits:
       1. Financial security.
       2. Personal privacy.
       3. Online safety.
  11. Security @Home
     Security
     • “We collected more than 1.4 million fraud reports, and people said they lost money to the fraud in 25% of those reports. People reported losing $1.48 billion (with a ‘b’) to fraud last year – an increase of 38% over 2017.” – FTC
     • “Younger people reported losing money to fraud more often than older people. Let that sink in. It’s what the data have been telling us for a while, but it’s hard for people to grasp. Last year, of those people who reported fraud and their age, 43% of people in their 20s reported a loss to that fraud, while only 15% of people in their 70s did.” – FTC
     • The top reports in 2018 were: imposter scams, debt collection, and identity theft. – FTC
     Privacy
     • 16.7 million annual victims of identity fraud
     • 95% of Americans are concerned about businesses collecting and selling personal information
     Safety
     • 54% of teens report that if parents knew what actually happened on social media, they’d be a lot more worried about it.
     • At least one in four teens are receiving sexually explicit texts and emails, and at least one in seven are sending sexts.
     • Children are accessing pornography via mobile devices. PornHub said its users watched 4.6 billion hours of pornography in 2016, 61% via smartphone and 11% via tablet.
  12. The S²Me Assessment: We built the assessment to help people at home.
     • There are no “standards” defined for information security at home like there are for information security within an organization.
     • There are ten (10) topics in the assessment, one for each primary area of concern.
     • Everything is scored, to give people context and to create an environment of goal setting (maybe some herd manipulation).
  13. The S²Me Assessment: We built the assessment to help people at home.
     Scores are plotted in a range between 300 – 850, not unlike a credit score (a language that people already understand). Yes, this is my score.
  14. The S²Me Assessment: We built the assessment to help people at home. The ten (10) Topics…
  18. The S²Me Assessment: We built the assessment to help people at home.
     • Completing an assessment is one thing, doing something about it is another.
     • Risk management vs. risk elimination; you have choices.
     • Get help, if you need it.
  19. Our S²Me Scores & Questions
     Nobody knows your score but you. We only have the metadata (data about data). Overall, this is impressive!
  20. Our S²Me Scores & Questions
     Nobody knows your score but you. We only have the metadata (data about data).
  21. Our S²Me Scores & Questions: Weakest areas, #1
     “I maintain a list (inventory) of all systems and devices and associated information; manufacturer, model number, serial number, support information, logins, etc.”
     RISK: Your systems and devices are more at risk of compromise if you can’t account for them. We can’t effectively protect the things we don’t know we have (and the things we’ve forgotten we have).
  22. Our S²Me Scores & Questions: Weakest areas, #2
     “I have a documented personal information security incident response plan that I can follow when I become aware of different types of breaches affecting me.”
     RISK: You are more likely to miss important response steps and potentially suffer more damage from an information security and/or privacy incident.
  23. Our S²Me Scores & Questions: Weakest areas, #3
     “Where I must use passwords, I use a reputable password manager application (e.g. LastPass, KeePass, Keeper) to keep them organized and secure.”
     RISK: Reputable password manager programs are a good place to store your account passwords, and usually they are better than some alternatives; writing them down, storing them in a word processor program, etc. Storing passwords insecurely increases the likelihood that they’ll be disclosed to an attacker.
  25. Our S²Me Scores & Questions: Weakest areas, #4
     “I change all of my passwords regularly (e.g. quarterly or semi-annually), even if I'm not forced to.”
     RISK: The longer a password exists, the more prone it becomes to compromise through accidental disclosure, brute force, and/or password guessing. Once a password is compromised, the account and all the information it protects is also compromised.
  26. Our S²Me Scores & Questions: Weakest areas, #5
     “I have placed a security freeze on my credit report with all three credit reporting agencies (Experian, Equifax, and TransUnion).”
     RISK: Unauthorized changes to your credit report are more likely.
     https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
  28. Our S²Me Scores & Questions: Weakest areas, #6
     “I have a home security/alarm system that is armed when I'm not home.”
     RISK: Not using an alarm system will increase the risk of a break-in occurring, a break-in going undetected, and a break-in not being responded to promptly.
  30. Our S²Me Scores & Questions: Weakest areas, #7
     “I have created a separate wireless network for guests and visitors so I don't share my secure wireless password with them.”
     RISK: Sharing your WiFi connection password with others will increase the likelihood that it becomes known to a malicious user/attacker.
  31. Our S²Me Scores & Questions: Weakest areas, #8
     “Separate, dedicated systems are used for sensitive financial transactions and access to private information. The same systems aren't used for checking email, browsing the Internet, or entertainment (e.g. gaming, movies, gambling sites, etc.).”
     RISK: The more functions that a computer system performs, the more opportunity there is for compromise. For instance, if you use the same computer for financial transactions and checking email, an attacker is more likely to be successful in compromising your financial accounts through a phishing attack or by tricking you into installing a malicious program.
  32. Our S²Me Scores & Questions: Weakest areas, #9
     “I do not use the same password for multiple accounts.”
     RISK: The use of a password on multiple accounts could expose a password on one account through an inadvertent compromise of a separate account. For instance, if you use the same password for your online banking account that you do on your social networking site, a compromise of the social networking site could lead to a compromise of your online banking account.
  33. Our S²Me Scores & Questions: Weakest areas, #10
     “I do not allow web sites to "remember my password" when logging in.”
     RISK: When you allow a website to “remember” your password, you’re allowing your password to be stored on your computer by your browser. This password storage could expose your password to another user of your system or malicious software that inadvertently gets installed on your system.
  34. Our S²Me Scores & Questions: Discussion, Feedback, Scores…
     What can we do to make this better?
  35. Security@Home/Security@Work
     Overall, this group scored very well! Conclusions:
     • Password management is a pain point.
     • People generally don’t think that bad things will happen to them (Backing up Data/Breach and Incident Response).
     • Give users easy solutions for password management; a password manager, biometrics, etc.
     • Spend more time on incident scenarios and associated responses.
  36. Next Steps - IMPORTANT: Suggested next steps include:
     • If you haven’t taken your assessment yet, you should. It’s free and it’s safe.
     • Share the assessment with everyone you know, and see how their score compares to yours.
     • Go here: https://s2me.io and create an account; no promo code needed.
     • Your spouse/partner.
     • Other family members.
     • Neighbors and friends.
     • The more feedback and data we get, the more valuable the tool becomes.
  37. Next Steps - IMPORTANT: Suggested next steps include:
     • Apply what you’ve learned, and stick with it. We’re trying to build habits.
     • Look for version 2.0 of S2Me in the near future.
       • Based upon your feedback.
       • We’ll notify you, if you used your email address to sign up.
     • We’ll be developing an S2Teen in the future, but don’t wait before starting discussions about online safety with kids.
       • https://www.parenting.com/child/keeping-your-child-safe-on-the-internet/
       • https://www.commonsensemedia.org/
  39. Next Steps: Open Q&A
     Evan Francen, @evanfrancen, https://evanfrancen.com