1
2
Large companies: 81%, £600k - £1.5m
Small companies: 60%, £65k - £115k
Large companies: 90%, £1.46m - £3.14m
Small companies: 75%, £75k - £311k
3
2016: The year of the bigger problems?
4
4,000 data breaches in 3 years
Computing.co.uk
5
Over 170 law firms investigated in 1 year
Computing.co.uk
6
ALL major UK banks and lenders reported data breaches
Computing.co.uk
7
¾ of customers would reconsider using a company
Computing.co.uk
8
Who’s to blame?
9
159,959 accounts compromised
Computing.co.uk
Nearly 300,000 customers lost
10
Total cost £40- £45 million
Computing.co.uk
£15 million lost in trading value
11
BT picked up 40% of unhappy customers
Computing.co.uk
12
5.5 million things connected every day
[Chart: connected things in billions; data points 1.2B, 6.4B (2016) and 20.8B (2020); year axis labels 2001, 2014, 2016, 2020]
13
“For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe.”
Tim Cook, CEO of Apple
14
Up to 35% would sell company information
Computing.co.uk
15
Passwords…
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wzx
16. dragon
17. master
18. monkey
19. letmein
20. login
16
“Two things are infinite: the universe and human stupidity, and I’m not so sure about the former.”
- Albert Einstein
17
Trends
Security Breaches on the rise
18
Firewall
Web
Email
Wireless
Reducing the threat - Protect
Endpoint
Encryption
Server
Mobile
Insight & Analysis
Better Protection
Intelligence Sharing
19
IT Control
Configuration
Visibility
Reducing the threat - Control
20
Reducing the threat - Educate
Passphrases not passwords
Think before you click
Verify the call
21
Layered defense & automation
Analytics
Next-Gen
Firewall
Wireless
Web
Email
Disk Encryption
UTM
File Encryption
Endpoint
Next-Gen Endpoint
Mobile
Server
Cloud
Intelligence
Centralized Policy
Management
22
Will your business get hacked?
8 June 2016
23
rollits.com
How can you help to protect yourself against your weakest link?
Your Employees!
24
rollits.com
Cybercriminals use social engineering
No longer kids in their bedroom
This is serious organised crime
25
rollits.com
26
rollits.com
Employers have a duty to train employees
• Tell them
○ Be vigilant, if something looks strange be cautious
○ Be aware of Spoofing
○ Are you expecting it?
○ Would you expect more/less detail?
○ Do not click the link in an unexpected email
○ Browse on safer devices if possible (such as tablets)
27
rollits.com
At home …
• Keep anti-virus software up to date
• Ensure your firewall is turned on and up to date
• Keep your devices’ operating system and apps/programs up to date
• Browse using a tablet (only download apps from official app stores (Google/Apple))
• Be cautious!
28
rollits.com
Browsing at work is not necessarily safe just because we keep the security systems up to date. Key in website addresses; don’t click on links to them.
29
rollits.com
Criminals gain trust of employees
Trust is power to the criminals
Everyone from receptionist to MD/Chairman is duped
30
rollits.com
What if an employee causes a security breach?
What action can be taken?
• Misconduct?
• Incompetence?
31
rollits.com
What loss has been suffered?
Carry out a proper investigation to establish the facts.
Look at the training record.
Apply appropriate sanction following a disciplinary/capability hearing with the employee.
32
rollits.com
I Quit!!
33
rollits.com
Employee walks out of the door with your most valuable assets:
Customer lists / supplier lists / pricing structure / business strategy /
trade secrets / product information
What can an employer do to protect itself?
34
rollits.com
Look at disciplinary rules and procedure whilst in employment
Look to the contract if an employee quits
Post-termination restrictions
Must be drafted correctly
“No wider than necessary”
“Legitimate business interest to protect”
Take legal advice before drafting
35
rollits.com
No contract?
More difficult
Cannot prevent competing without express contractual provisions
Cannot prevent solicitation
Employee is free to use employer’s information
36
rollits.com
Policies & procedures
Forwarding to home email
Printing/copying
Leaving things in cars/bags/trains
Be clear that all of the above are misconduct
37
rollits.com
Be prepared and you can strengthen your weakest link!
38
rollits.com
Any Questions?
39
rollits.com
Ed Jenneson
01482 337341
edward.jenneson@rollits.com

Will Your Business Get Hacked? - #HumberBizWeek: 08.06.2016 @ Smailes Goldie

Editor's Notes

  1. The 2014 Information Security Breaches Survey from the UK government and PwC found… These findings are unfortunately supported by almost daily stories of large scale cyber incidents, but we only hear about the stories that are going to grab our attention… and I’m afraid the scale and rate of these attacks shows little sign of abating. And as we can see, the cost of breaches continues to soar… The number of security breaches has increased, and the scale and cost have nearly doubled. Eleven percent of respondents changed the nature of their business as a result of their worst breach. Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly. Despite the increase in staff awareness training, people are as likely to cause a breach as viruses and other types of malicious software.
  2. If 2015 was the year of big breaches, 2016 is set to be the year of bigger problems! As we saw last year, certain attacks touched organisations and people who never thought that they might be involved in such high-profile data breaches. The Ashley Madison breach affected those who never had direct contact with the organisation, and who certainly didn’t ever think they would be involved with such a high-profile incident. It revealed new levels of negative effect as individuals reacted to having the information put on blast. Firings, grief, divorce, ruin, and suicide were all over the news, thereby intensifying public scrutiny of many people who had no business relationship to Ashley Madison. Active-duty members of the military found in the database could be subject to dishonorable discharge—meaning that unemployment and loss of pension are genuine possibilities. At the same time, technological change continues to disrupt how organizations compete and create value in ways that often alter operating models. Some of today’s most significant business trends— the explosion of data analytics, the digitization of business functions and a blending of service offerings across industries, to name a few—have expanded the use of technologies and data, and that is creating more risk than ever before.
  3. More than 4,000 data breaches (4,236 to be precise) occurred in local councils in a three-year period (between April 2011 and April 2014)
  4. More than 170 law firms investigated by ICO over data breaches in 2014
  5. ALL of the UK's major banks and lenders have reported data breaches in the past two years
  6. Three-quarters of customers would reconsider using a company in event of data breach
  7. Who's to blame for a data breach? It's a question that everyone has a different answer to. While some, such as Reckitt Benckiser CIO Darrell Stein, are willing to take full accountability for a data breach others, such as Johnson Matthey CIO Patrick Seeber, suggest that the CISO or CFO ought to be held accountable instead.
  8. CEO Dido Harding - she was accountable because cyber security is a board issue. Mention bounceback and difference between smb & enterprise. TalkTalk has lost nearly 300,000 customers since it was hit by a crippling cyber-attack in which it admitted that 156,959 customer accounts were compromised.
  9. The company said that the cyber attack knocked off £15m in trading value of the company, with "exceptional costs" for the attack coming in at between £40m and £45m - significantly more than the £35m that TalkTalk suggested the cyber attack would cost back in November. TalkTalk also saw its share of the home services market fall by 4.4 percentage points, quarter-on-quarter, in terms of new customers - only 1.4 per cent of whom gave reliability as a reason for joining the provider in the last three months, which Choudhary said was well below the market average. He said there was no doubt that TalkTalk also lost potential customers following the attack, and that if the company was to recover from recent events, it would need to offer more than just good value. Its latest marketing campaign involves offering broadband free to new customers. For TalkTalk, though, the news has gone from bad to worse: last week, workers at one of its outsourced call centres in India were arrested over allegations of security breaches involving customer records. Police in India arrested three employees of contractor Wipro who were accused of stealing customer data, which was then subsequently used in a bid to scam customers. The arrests were the culmination of a year or more of complaints from TalkTalk customers over phone calls from scammers who were able to quote account numbers and other details that only an insider would be able to access. Since then, the company has lost many of its existing customers in the fourth quarter of 2015, with seven per cent of its broadband base - or around 300,000 customers - dumping TalkTalk in favour of a different provider, according to research from Kantar Worldpanel ComTech.
  10. Imran Choudhary, consumer insight director at the research firm, said that BT appeared to be the biggest winner, picking up as many as 40 per cent of the customers who left TalkTalk. "Customers have lost faith in TalkTalk as a trustworthy brand," he said.
  11. Especially as so many people are gearing up for the IoT. By now, the Internet of Things (IoT) needs no introduction. This ecosystem of Internet-connected devices, operational tools and facilities is poised to soar in the coming years. The industry anticipates exponential growth over the next five years. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day. Most organizations understand that the Internet of Things will bring enormous advantages but also increase risks to data security and privacy. In the coming years, new vectors of access to IT and operational systems will be exposed as more businesses deploy connected sensor-based devices and machine-to-machine technologies. This type of equipment typically lacks the fundamental security safeguards of traditional enterprise IT, potentially enabling threat actors to penetrate an organization’s systems and exploit data, disrupt operations and compromise the integrity of products and services.
  12. Encryption is the only way to keep information safe. Encryption is getting attention from news headlines like these, and from high-profile hacking. C-execs and board members now understand the importance of data privacy and of protecting corporate proprietary information from hackers and other adversaries, even governments’ prying eyes. Encryption has been in the press a lot recently: Apple vs FBI. Encryption has always caused debates (do I have access, do I not have access), and that is crypto; it goes back as far as Julius Caesar. The idea is to keep something secret, and nothing has really changed since then. Encryption is a dual-purpose technology. It can be used for good and bad. If however you reduce the capability of one actor, you reduce it for both. #nobackdoor – check the Sophos blog. If surveillance manages time and again to seem like a white knight after terrorist incidents, encryption is often the dragon. In the days after the Paris attacks, various encryption-related debates were back, despite evidence that encryption played no role in the terrorists’ planning. The United Kingdom was already dealing with rushed calls by legislators for Internet providers and social-media sites to provide unencrypted access and/or backdoors to encrypted communications to law enforcement and spy agencies. By the end of the year some American legislators were making similar calls, stating that law enforcement is unable to access necessary data. Those arguments were countered by equally venerable arguments by crypto experts about the certainty that backdoors—or, worse, giant stores of unencrypted data—are a recipe for unwanted, sustained, and ultimately catastrophic attention from attackers.
One hardware manufacturer left an entire market rather than bend to government demands for unfettered backdoor access, as BlackBerry prepared to leave the Pakistan market at year’s end rather than expose its BlackBerry Enterprise Service (BES) traffic to wholesale traffic monitoring. #NOBACKDOORS – Sophos believes:
• Encryption protects the fundamental rights individuals should have to privacy and security
• Encryption is essential for effective cybersecurity
• Encryption is vital for our modern, Internet-driven global economy
• Governments should not undermine the effectiveness of legitimate technology
But there is of course another way round encryption… anyone? End users… that’s right: why bother trying to hack into the devices when you could just pay off an end user to give you the data? How much do you think people would sell their data for? 100k, 50k?
  13. End users… and the survey showed… It found that 35 per cent of employees would be prepared to sell company information for "the right price". And, of those, three per cent would consider selling out their organisation for just £100. Eighteen per cent, meanwhile, would flog the information for £1,000 and 29 per cent for £10,000. Even more shameless - and cheap - is the one per cent who said they'd sell it to persons unknown for just £100. No wonder companies say the biggest security risk is people, rather than technology!
  14. But we see so many examples, time and time again, where weak passwords and the faulty or mis-educated actions of users lead to major security incidents. To demonstrate how bad people are at creating secure passwords, a password management company called SplashData has just released a list of the 25 worst passwords used in 2015, and it’s not pretty. SplashData created its list of worst passwords by counting up the most common passwords out of over 2 million passwords leaked in the past year. And just like every year since 2011, when SplashData first released its list, the top two most common passwords (and therefore, the worst) are “123456” (#1) and “password” (#2).
  15. Social engineering – there is no patch for human stupidity! Like footprinting, this is a very big aspect of hacking these days; it’s not something people can teach, but more of a ‘practice makes perfect’. I love the phrase “there is no patch for human stupidity”; while I agree, this has zero to do with social engineering, as it would make you think only stupid people are socially engineered… Everybody at some point in their life has been socially engineered; we have it all the time, it is not a new concept. It comes down to how humans are built: we have this very complex and rational side to us that works and does risk assessments to determine if we should do something or not… that works fine… but we also have these very prehistoric, very strong emotions that will sometimes flare up, and when they do, they outweigh the rational and logical side of our brain. The way social engineering works is I want you to think emotionally, not logically. Now this doesn’t mean I have to make you angry or mad or happy with me; I can use any emotion you have, and if I can make you think emotionally, I can socially engineer you… For the guys… how many, when you were younger, went to a bar and bought a drink for a girl who you knew you had zero chance with, but you bought her a drink anyway – you were socially engineered. Women, just like my wife: how many times do you go shopping and there is a sign for BOGOF, you had no plan on buying that to begin with, but it’s such a good deal that you can’t pass it up – that’s social engineering. They are just knee-jerk reactions… I’ve been socially engineered, everybody has been socially engineered, we will continue to be in the future. We just have to understand when our emotions are taking over, be aware of this when someone tries to socially engineer us, and try to think logically and not perform knee-jerk reactions.
  16. Volume & quality increasing. More and more of the same – not just volume but quality is also increasing, alongside the techniques utilized in targeted attacks. To represent this, I want to introduce threat counters… suspicious samples analysed, malicious URIs published, suspicious Android apps analyzed, spam messages analyzed. The war against cybercrime is a war of attrition; there is no silver bullet for protection – Sophos is perfectly positioned to provide in-depth, layered, unified security. [But what does cybercrime really entail?] BREACH: With the great variety of potential vulnerabilities in any IT system, there is a similar diversity in the often highly technical and innovative mechanisms used to exploit them. Although attackers continue to develop novel techniques to exploit vulnerabilities, attackers are ultimately successful due to an unfixed flaw, misused feature or user error. Some types of attack are much more obvious or easier to detect than others. DDoS attacks are often quickly noticed by system users, as they struggle to access or simply cannot use the targeted service. On the other hand, most malware is designed to be stealthy, hiding from users and detection mechanisms alike. Preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the potential for reputational damage. Once the attacker has consolidated their presence they will be more difficult to find and remove.
  17. Breaking the attack pattern. Even though it’s normally the most motivated attackers who have the persistence to carry out multiple stage attacks, they will frequently do this using commodity tools and techniques, which are cheaper and easier for them to use. So putting in place security controls and processes that can mitigate these will go some way to making your business a hard target. Equally, adopting a defence-in-depth approach to mitigate risks through the full range of potential attacks will give your business more resilience to cope with attacks that use more bespoke tools and techniques. Reducing your exposure using essential security controls: fortunately, there are effective and affordable ways to reduce your organisation’s exposure to the more common types of cyber attack on systems that are exposed to the Internet. The following controls are contained in the Cyber Essentials, together with more information about how to implement them:
• boundary firewalls and internet gateways - establish network perimeter defences, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet
• malware protection - establish and maintain malware defences to detect and respond to known attack code
• patch management - patch known vulnerabilities with the latest version of the software, to prevent attacks which exploit software bugs
• whitelisting and execution control - prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives
• secure configuration - restrict the functionality of every device, operating system and application to the minimum needed for business to function
• password policy - ensure that an appropriate password policy is in place and followed
• user access control - include limiting normal users’ execution permissions and enforcing the principle of least privilege.
If your organisation is likely to be targeted by a more technically capable attacker, give yourself greater confidence by putting in place these additional controls set out in the 10 Steps to Cyber Security:
• security monitoring - to identify any unexpected or suspicious activity
• user training, education and awareness - staff should understand their role in keeping your organisation secure and report any unusual activity.
Mitigating the survey stage: user training, education and awareness. Mitigating the delivery stage: malware protection, firewalls and proxy servers; technically enforced password policy; secure configurations of systems. Mitigating the breach stage: patch management, malware protection within the gateway, gateway configuration, UAC, user training and awareness.
  18. Simple IT controls. Visibility – using the tools you have in place. Have things been configured correctly? Build the house – but you still have to remember that there is some idiot in the house who can leave the keys in the door. Sr. Management
  19. Educate: think before you click; verify the call – check; passphrases not passwords – you don’t need leet speak to have a good password.
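As an added example (not code from the presentation, Sophos or Rollits), a Python policy check that applies the deck's two password points together: the slide's list of the 20 worst passwords becomes a denylist that is matched even after leet-speak and trailing-digit disguises are undone, and a long passphrase passes where a short "complex" password does not. The length thresholds and the leet-speak table are assumptions for this example; the slides give no figures.

```python
"""
Password-policy check built on the slides' advice: treat the published worst
passwords as a denylist (catching leet-speak and trailing-digit variants of
them), and accept a long passphrase where a short 'complex' password fails.
Added example; not code from the presentation.
"""
import re

# The 20 worst passwords exactly as listed on the slide (SplashData, 2015).
WORST_PASSWORDS = frozenset([
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wzx", "dragon", "master", "monkey",
    "letmein", "login",
])

# Common leet-speak substitutions (assumed table), undone so that
# "P@ssw0rd" is recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Length thresholds are assumptions for this example; the slides give none.
MIN_PASSWORD_LEN = 12      # a single-word password must be at least this long
MIN_PASSPHRASE_WORDS = 3   # at least this many words counts as a passphrase
MIN_PASSPHRASE_LEN = 16    # and the passphrase must still be at least this long


def candidate_forms(password: str) -> set:
    """Spellings the denylist check should consider: lower-cased, with any
    trailing digits/punctuation removed ("Password1!" -> "password"), and
    each of those with leet-speak undone."""
    low = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    forms = {low, stripped}
    forms |= {form.translate(LEET_MAP) for form in list(forms)}
    forms.discard("")
    return forms


def has_sequential_run(s: str, min_len: int = 5) -> bool:
    """True if s contains min_len consecutive characters that step by one
    code point each, ascending or descending: '12345', 'abcde', 'edcba'."""
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if abs(ord(cur) - ord(prev)) == 1 else 1
        if run >= min_len:
            return True
    return False


def assess(password: str) -> dict:
    """Apply the policy. Returns {'ok': bool, 'kind': 'password'|'passphrase',
    'reasons': [...]}; an empty reasons list means the secret is acceptable."""
    reasons = []
    low = password.lower()

    hits = sorted(candidate_forms(password) & WORST_PASSWORDS)
    if hits:
        reasons.append(f"matches a well-known worst password: {hits[0]}")
    if has_sequential_run(low):
        reasons.append("contains a sequential run such as 12345 or abcde")
    if re.search(r"(.)\1{4,}", low):
        reasons.append("contains one character repeated five or more times")

    # A passphrase is several words separated by spaces, hyphens or underscores.
    words = [w for w in re.split(r"[\s\-_]+", password.strip()) if w]
    if len(words) >= MIN_PASSPHRASE_WORDS:
        kind = "passphrase"
        if len(password) < MIN_PASSPHRASE_LEN:
            reasons.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    else:
        kind = "password"
        if len(password) < MIN_PASSWORD_LEN:
            reasons.append(f"password shorter than {MIN_PASSWORD_LEN} characters")

    return {"ok": not reasons, "kind": kind, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample inputs: slide entries, disguised variants, a passphrase.
    for candidate in ["password", "P@ssw0rd!", "letmein2016", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        verdict = assess(candidate)
        print(f"{candidate!r:32} {verdict['kind']:10} ok={verdict['ok']} "
              f"{verdict['reasons']}")
```

"Tr0ub4dor&3" is rejected on length alone, which is the point of note 19: leet-speak adds little, while the four-word passphrase passes every check.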