Cyber Security Training for Real Estate Agents


Published on

A short slide show describing online security threats designed for real estate agents.

Published in: Real Estate, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Welcome to this cyber security awareness training for X. I will be walking you through some of the key things to watch for as you are performing your customer service and/or help desk activities here at the bank.
  • Although we’ll be talking about many different things today, always remember that the main objective of this training is two-fold: to protect the security of the data you handle and to ensure that all of your customers’ personally identifiable information (or “PII”) is completely secure.
  • Here is a high-level overview of what we’ll be covering in this training session. First I want to show you some charts and graphs that illustrate how significant the world-wide cyber crime phenomenon really is. Then, I’ll walk you through some typical scenarios that you might encounter during the day; at work, on the phone, or online at home or on your personal mobile devices. I will then outline some of the countermeasures and identify some additional best practices you can use in your own personal online computing practices to help you avoid being victimized.
  • We’ll start by taking a look at some of the most recent data on the magnitude of the cyber crime problem. One thing to remember is that there are persistent threats that extend well beyond what we would normally consider our online time. Cyber criminals are very stealthy and the stakes are very high; therefore it really pays to be constantly aware about your surroundings and the people that approach you.
  • Although we live in a beautiful place here in X city, there are cyber threats coming from all around the world. This is an interactive map that illustrates where, geographically, some of the most significant threats are coming from. Notice that you can both move your cursor to any country on the planet, but you can also screen for very specific kinds of threats by using one or more of the seven filters given in the white box on the top right. Then, when you click on a specific country, the overall ranking within the HostExploit Index will be shown in the box on the lower right. This interactive map shows just how significant the problem has become worldwide. It also illustrates how we are not isolated from these events, even though we live here in this beautiful place.
  • In a recent report published by Symantec they showed that 50% of the targeted attacks were aimed at big businesses, as shown on this slide. Now, let me see a show of hands, how many of you use a mobile device? Android? iPhone? iPad? Kindle? Other? Note also that the number of vulnerabilities identified for many of these devices are going up significantly, year-by-year.
  • Moving on, and still looking at some of the data from the Symantec report. They have found that 1 in 239 emails is infected with some kind of virus or malware. Long term trends have shown that spam is actually going down, from 62 billion in 2010 to 42 billion in 2011. Does anyone have any idea why spam might be going down?! .]
  • So let’s break down some of the different types of cyber crime attacks. Today we’ll be looking at eMail, and how spam is used to “phish” for vulnerable people and vulnerable computers. We’ll also look at how browsing to websites can also open up your computer or mobile device to malicious code. I’ll introduce some simple concepts associated with “spoofed” websites and how you can inadvertently be sent to one of these sites through cross-site scripting (XSS). I’ll also talk about a technique that cyber criminals use called SQL injection. Finally, I’ll talk a little about how the various networks you use, both here at work, and at home can be subject to network penetration.
  • So, in the earlier discussion we talked about why spam is going down. We learned that the take-down of some very large-scale botnets and affiliate programs (e.g., the Spamit Affiliate program, control servers for the Pushdo botnet, and the MegaD and Bredolab botnets) by joint efforts by the FBI, Interpol and several global technology firms have had a discernible effect on the volume of spam.
  • I mentioned earlier that spam is, for the most part, really intended to deliver a specific payload. These are called “phishing” attacks. We see in this figure from Trustwave that, for their total global data set phishing attacks via spam channels can be broken down into 11 main categories. Here we see that for 2011 pharmaceutical pills and pornography spam made up 88% of the volume.
  • For those phishing attacks that plant malware on unsecured computers there is some good data on the types of malware we are now seeing. This Panda Security figure shows that 66.18% of the malware they detected in their worldwide operations in 2011 was of the variant called: Trojan.
  • But email is not the only way that your computer or mobile devise can become infected by using the Internet. There are also attack vectors that come by way of browsing on the Internet. How many of you use the Google Chrome browser? How many use the Microsoft Explorer Browser? How many use Mozilla Firefox? How many use Apple’s Safari? Others? You’ll find that different browsers have different levels of security and that by properly configuring your browsers you can increase your security while online. We’ll talk about these configurations when we move to the countermeasures section of the training. Now, let’s take a look at this slide. Almost all of you raised your hands when I asked about mobile devices. How many of you have downloaded ‘apps’ from the respective ‘apps’ stores onto your mobile devices? How many of you have downloaded apps onto your laptops? This figure illustrates some of the aggregate data for 2010 about the vulnerabilities in some of those online apps. Do you remember that I mentioned the use of SQL injection and cross site scripting as a method of attack against people browsing the Internet? Here we can see from 2011 data published y InformationWeek and DarkReading that those two categories alone made up about 40% of the web application vulnerabilities discovered in 2010. There is also another 3.8% from ‘Authentication’. Can anyone tell me what authentication means? Also, look at the purple wedge called ‘Buffers’ – another 16.8% comes from what is known as a buffer over-flow condition. We will not cover this in the training today but do know that it is one of many different types of vulnerabilities that have been found. Although this is a very complex diagram, you get the point that web apps can sometimes open up your device to unknown risks that need to be managed.
  • So we’ve talked about browsing and web apps. What happens when a website is actually hacked, like for example, if our own corporate website were hacked? Here is a figure that shows that when websites were successfully hacked in 2011 34% had a “leakage of information”
  • So let’s take a moment and look at the cost of “leakage of data.” Consumer fraud and identity theft are two key concerns of financial services sector companies for defining and implementing security of organizational information. Empirical data derived from the 2011 Cost of Data Breach Study by Poneman Institute and sponsored by Symantec, indicates that across all sectors studied the cost of data breaches actually declined in 2011 (2012). In this benchmark study a total of 49 companies in 14 different industries were analyzed. Across all industries, for the first time in seven years, both the cost per stolen record and the total organization cost declined. The average cost per record declined from $214 per record in 2010 to $194 per record in 2011. The average organizational cost declined from $7.2 million to $5.5 million.This appears to demonstrate that the safeguards and controls that have been put into place by companies are beginning to work. However, if we look more closely at the financial services sector we see that the cost per record was $247, well above the average.
  • Now let’s take a moment and talk about some of the other types of tricks that cyber criminals are using to trap victims and gain access to their computers or their customers’ information. Have any of you ever heard the term “social engineering”? How about “dumpster diving”? – Also, how many of you remember the news coverage of the “occupy Wall Street” movement and the political activism around that movement? There are a number of different motivations that people have for using cyber techniques for malfeasance. We’ll look at that as well. In this section we’ll go over some of these techniques. Remember, my quick overview here today just provides a sampling of some of the techniques that are used. My main objective is to alert you to the fact that these types of tricks are being used so that you will be constantly vigilant.
  • There are a number of tricks that cyber criminals use to gain access to confidential information. Remember, they are always looking for ways to gain access to the computer networks that hold highly valuable PII. One way they have done this in the past is to load a piece of malware that will send information to a remote computer onto a flash drive and simply drop a flash drive in the bank parking lot. They are hoping someone will pick up that flash drive and put it into the USB port of the computer at work. The lesson here is to never accept a USB Flash Drive and never place one into your work computer. And, if you use them on your home network, make sure they are from a source that you trust. Another social engineering trick is for a cyber criminal to gain the trust of a worker in a bank to try to gain access to user name/password credentials and other authentication codes. Once again, always watch for signs that might convey the motivation of a person that comes into your social life.
  • Another way that criminals seek to gain access to confidential information is through dumpster diving. It is exactly what it sounds like, they actually look for paper that has been discarded in the dumpsters of corporations or bank workers that might have PII on it. The lesson here is to ALWAYS use the paper shredder located in the employee work room.
  • I introduced the concept of a political activist or hacktivist a moment ago. What is the motivation for these people and where do they fall on a continuum from the highly skilled to the low skilled hacker? You can see here That they are relatively low-skilled and their main motivation is for political reasons. Notice also that the criminal syndicates that are responsible for the advanced persistent threats that are becoming a more significant problem for banking entities are at the other end of the continuum. Their motivation is profit.
  • This figure from shows us that these criminal syndicates operate outside of the world wide web that most of us are familiar with. These “Dark Nets” use a completely different set of protocol from what typical users like us use (TCP/IP).
  • Now let’s take a quick look at some of the threats you might encounter at work.
  • Here is where you have the greatest vulnerabilities –
  • [I will talk the audience through each point.]
  • Now we will talk about some of the things you can do to counter the attack vectors I have described.
  • [I will talk the audience through each point.]
  • Here are some examples of commercial products you can use to protect yourself.
  • Screenshots from the Trusteer tool.
  • [I will talk the audience through each point.]
  • It is important to remember that cyber criminals are always developing new and unique methods to gain access to banking resources. That includes our technology, our business processes and our people. It is an evolving threat landscape. It is important to be aware of the threats and to be on the lookout.
  • Here are some useful resources if you have questions on any of the materials I’ve covered today.
  • To reiterate the key points I made when I started the training….our main objectives here today are to work together to ensure the security of our data and to maintain our customer privacy.
  • Here is what we covered in this training today. Thank you for your attention. Now I’ll open up the floor for questions.
  • Cyber Security Training for Real Estate Agents

    1. 1. Presented by: Jane GinnSedonaCyberLink
    3. 3. CONTENT Characterize magnitude of the problem Identify typical threats  Online  eMail & browsing Internet  On personal mobile devices Describe countermeasures Provide useful resources
    4. 4. GLOBAL SOURCES OF CYBER THREATSSource: Host Exploit. (2012, April). Global Security Report. In J. Armin (Ed.): Group iB, CyberDefcon,CSIS, NominetTrust, Deepend Research.
    5. 5. BUSINESSES & MOBILE DEVICES ARE TARGETSSource: Symantec. (2012, April). Internet security threat report: 2011 trends (Vol. 17). Mountain View, CA.
    6. 6. 2011 IN NUMBERSSource: Symantec. (2012, April).Internet security threat report: 2011trends (Vol. 17). Mountain View, CA.
    7. 7.  eMail Spam  Phishing  Plant malware (virus, worm, Trojan)  Botnet recruitment Web Browsing  Spoofed sites & XSS  SQL injection Network Penetration  Work, home & on-the-road
    8. 8. SPAM VOLUME GOING DOWN OVER TIMESource: M86 Security. (2011). Security Labs Report: January - June 2011 Recap. Irvine, CA: M86 Security.
    9. 9. SPAM: PHISHING ATTACK VECTORSSource: Trustwave. (2012). Global Security Report. In S. Brown (Ed.). Chicago, IL.
    10. 10. TYPE MALWARE FROM SPAM IN 2011 Source: Panda Labs. (2011). Annual Report. Bilbao, Spain.
    11. 11. BROWSING THE INTERNETSource: Causey, B.(2011, July). Stop SQLinjection: Dont letthieves in through yourweb apps:InformationWeekAnalytics &DarkReading.
    12. 12. WEB HACKING INCIDENT DATABASESource: Trustwave. (2012). GlobalSecurity Report. In S. Brown (Ed.).Chicago, IL.
    13. 13. COST OF CONSUMER FRAUD & ID THEFTSource: Poneman.(2012, March). 2011Cost of Data BreachStudy: Sponsored bySymantec.
    14. 14.  Social Engineering  Scam tricks  Seeking personally identifiable information Dumpster Diving  Shred paper Political Activism  Hacktivist attacks
    16. 16. DUMPSTER DIVINGPhoto Source:DiegoFuego via Flickr
    17. 17. MOTIVATIONS
    19. 19. ONLINE THREAT VECTORS Infection by malware via email (phishing)  Trojans, viruses, worms Recruitment into botnets  Infected computers & smartphones used as proxies Browsing to infected websites  SQL injection threat  Cross Site Scripting (XSS) attacks Network penetration  Drive-by attacks on unsecured wireless networks
    20. 20. ADDITIONAL RISKS TO SMARTPHONES +Android Operating Systems  Some Malware – From eMail  XSS – SQL injection – Buffer OverflowApple Operating Systems  Proprietary  New Target – Large Market ShareBlackberry Operating Systems  Proprietary
    21. 21. ONLINE: EMAIL Use Anti-Virus program  Configure filters for Medium to High Screening  Set up ‘Black Lists’ Use Firewall Don’t open if you don’t know sender Don’t click on suspicious links  Watch for 419 Scams  Watch for ‘spoofed’ sites at hyperlinks Delete or quarantine
    22. 22. SOME TOOLS PC • Secunia PSI Scans • A/V products Banking • Trusteer Rapport Trust • Hardware solution WiFi • PrivateWiFi Security • Other VPNs
    24. 24. ON-MOBILE DEVICES Use anti-virus software Use spam filter software Be careful opening email Don’t browse to questionable sites Take care ‘friending’ or ‘liking’ on social networks Don’t use unsecured wireless networks
    25. 25. USEFUL WEBSITES Identity Theft Privacy Rights Clearinghouse Electronic Privacy Information Center Banking Fraud Federal Trade Commission Phishing Intelligence FraudWatch International Notifications US-CERT
    27. 27. SUMMARY Characterized the problem Identified typical threats  Online: email  Online: browsing Internet  On personal mobile devices Described countermeasures Provided useful resources