The document provides guidance on improving cybersecurity through basic training and awareness. It discusses how people are often the biggest vulnerability and outlines common social engineering tactics like playing on emotions, creating a sense of urgency, and using hyperlinks or attachments in emails. It recommends continuous education and emphasizes that antivirus alone is not sufficient, and that email filtering and training are important defenses against phishing attacks. Additional resources are provided to help test for phishing vulnerabilities and check if email addresses have been involved in data breaches. Physical security controls and separating financial duties are also recommended to reduce fraud risks.
3. Who is Art Ocain? What is MePush?
• Current President/COO
• Business-minded tech with 20 years of experience
• Love designing & architecting solutions
• Went to UMD for Math
• Married, father of 3 (another on the way), and have a farm
• Interested in permaculture, sustainability, environment
• Weightlifter and competitor in strength sports
MSP:
• Managed Service Provider
MSSP:
• Managed Security Service Provider
What we do:
• Network, server, and workstation management
• Managed compliance, auditing, and remediation
• Firewall and security incident management
• Helpdesk and support
• Web design and management
Who we are:
• 20 people strong!
• Most of our techs have 10-20 years of experience.
• All techs are Microsoft certified professionals.
• Many of our techs also have certifications from Vmware, Veeam, Cisco, Google, and CompTIA.
4. Agenda
Compliance vs security: not the same
Scared by statistics
STEP 1: Basic training and awareness
STEP 2: Protecting intellectual property and fraud-proof people
STEP 3: Physical controls
STEP 4: Plan for the inevitable
STEP 5: Basic security controls
5. Compliance & Security
• Compliance and security are NOT the same.
• Being PCI, HIPAA or NIST compliant does NOT mean you are secure.
• Being secure does NOT mean you are compliant.
Compliance: Conforming to a rule, policy, standard, or law.
• Changes periodically with regulations (annually up to every decade)
• Checklists and documentation
• IT controls (standard countermeasures)
Security: Making sure you don’t get hacked or infected with a virus.
• Changes every day
• Understanding that there is no such thing as 100% secure/unhackable.
7. Threats:
• Economic/political instability
• Market collapse
• Government regulations
• Corporate espionage
• China, costing US companies >$57 billion a year [1]
• Environmental changes/hazards
• Hurricane, fire, flood, blizzard
• Previous and current employees
• Terrorists and vandals
• Power failure [other supplier failure]
• Ransomware and other viruses
[1] Sullivan, Laura. “As China Hacked, U.S. Businesses Turned A Blind Eye.” https://www.npr.org/2019/04/12/711779130/as-china-hacked-u-s-businesses-turned-a-blind-eye (April 2019)
8. Cybersecurity Threats:
Attacking Your People (including You):
• Scare scams
• Fake antivirus / ‘Microsoft’ scams
• Phishing
• Social engineering
Attacking Your Computers and Networks:
• Malware, trojans, rootkits, worms
• Ransomware
• Adware and spyware
• Denial of service attacks
• Backdoors & advanced persistent threats
9. Cybersecurity Threats:
On Ransomware:
• ~50% of cybersecurity professionals do not believe their organization is prepared to repel a ransomware attack. (Source: Pwnie Express)
• Ransomware costs businesses more than $75 billion/year. (Source: Datto)
• 75% of companies infected with ransomware were running up-to-date endpoint protection [antivirus]. (Source: Sophos)
• Ransomware attacks have increased over 97 percent in the past two years. (Source: Phishme)
• The average cost of a ransomware attack on a business was $133,000. (Source: Sophos)
SCARY STATISTICS SECTION
10. Cybersecurity Threats:
On Phishing:
• 71.4% of targeted attacks involved the use of spear-phishing emails. [2]
• 83% of INFOSEC professionals experienced phishing attacks in 2018, up from 76% in 2017. [3]
• Email-based corporate phishing attacks quadrupled and social engineering attacks jumped 233% vs previous quarter. [3]
• 93% of social attacks were phishing related. [4]
• 90% of incidences and breaches included a phishing element. [4]
• Finance faced 59% of phishing attacks in the Americas. [5]
• 82% of manufacturers have experienced a phishing attack in the past year. [6]
SCARY STATISTICS SECTION
[2] Symantec. “Symantec Internet Security Threat Report 2018.” https://www.phishingbox.com/assets/files/images/Symantec-Internet-Security-Threat-Report-2018.pdf (April 2018)
[3] ProofPoint. “Protecting People: A Quarterly Analysis of Highly Targeted Attacks.” https://www.proofpoint.com/us/resources/threat-reports/quarterly-threat-analysis (Q3 2018)
[4] Verizon. “Verizon Data Breach Investigation Report.” https://www.phishingbox.com/downloads/Verizon-Data-Breach-Investigations-Report-DBIR-2017.pdf (10th Edition)
[5] NTT Security. “2018 Global Threat Intelligence Report.” https://www.phishingbox.com/assets/files/images/NTT-Security-Global-Threat-Intelligence-Report-2018.pdf (2018)
[6] Check Point. “Check Point Research 2018 Security Report Summary.” https://www.phishingbox.com/news/phishing-news/check-point-research-2018-security-report-summary (2018)
12. Basic Training & Awareness
NIST’s
Includes:
• Business Impact Analysis
• Action Management
• Asset Management
• Policy Management
13. Basic Training & Awareness
NIST’s
Business Impact Analysis
Identifies the operational and financial impacts resulting from disruption of business or a business process. (ready.gov)
1 Week: What If?
• You can’t ship goods
• You can’t see patients
• Your credit card processor refuses to work with you
• Your sales software stops working
• You can’t email or place phone calls
• Your supplier orders never go through
• You can’t access any data on your server
14. Basic Training & Awareness
Threat & Vulnerability Assessment
Considers the business impact analysis, identifies the business processes of your particular business, and inspects those business processes for vulnerabilities and threats.
• Do you have daily backups? Weekly? Hourly? (RPO/RTO)
• Who is responsible for ordering materials? (separation of powers/fraud control)
• Who has the ability to install software? (pride vs security)
• Are all computers current and patched? (basic hygiene: don’t throw your company away to save a buck)
15. Basic Training & Awareness
Whoa! Backups…
What are RTO and RPO?!?
RTO: Restore Time Objective
> How long should it take to get your systems running again?
RPO: Restore Point Objective
> When is the most current point in time we can restore from?
People often back up their QuickBooks company file to a thumbdrive once a quarter.
If their hard drive fails, that means we can restore to up to 3 months ago.
Do you think the rest of the last 3 months were important to that company?
16. Basic Training & Awareness
Whoa! Backups…
We are serious.
Backups are THE way to recover you from ransomware. Aside from paying a ransom, there IS NO OTHER WAY.
Back up your critical data DAILY at worst case. Best is every 15 minutes.
SCARY BACKUP STATS
• 140,000 hard drives fail in the US every week (source Small Business Trends)
• Data loss is up 400% since 2012 (source Iron Mountain)
• 68% of small and medium-sized businesses don’t have a discovery plan (source Nationwide Insurance)
• 60% of companies who experience data loss shut down within six months (source Boston Computing)
• 58% of businesses have no backups (source Small Business Trends)
17. Basic Training & Awareness
Risk Treatment
Remediation plan and remediation action steps
to put security controls in place.
18. Basic Training & Awareness
Continuous Monitoring
Monitor the effectiveness of your security controls and re-assess and adjust as necessary.
For instance:
• Buying AVG Internet Security or Symantec Endpoint Security and then calling yourself “secure” without monitoring its effectiveness is foolish.
• Implementing a control (like a firewall) that does not address the threat (like phishing) might not be recognized without monitoring.
Also, threats change:
• Without monitoring, you might not see that controls are no longer effective.
19. Basic Training & Awareness
Security Assessment
Based on the previous steps, how secure are you right now? What is your real risk?
For instance:
• Threat Assessment identified:
  • Machines are not being patched regularly.
  • Important data is stored on workstations without being backed up.
• Risk Treatment actions taken:
  • Implemented a patch management solution.
  • Published a policy that mandates that users save all data on the server, not on workstations.
• Continuous Monitoring noticed:
  • You check a sales laptop and see that all recent quotes, sales orders, and proposal data is on their laptop and not on the server.
• Security Assessment determined:
  • Your security controls are inadequate.
20. Basic Training & Awareness
Action Management
Corrective actions from security assessment.
21. Basic Training & Awareness
Reports
If they are important to you.
What is more important to ME is documentation every step of the way.
25. Basic Training and Awareness
People are your biggest vulnerability
1. People are easy to trick.
2. People have common weaknesses.
• Send an email with a link looking like a Facebook share, saying “Saw your kid’s school had a bomb scare!” and most parents will click it.
• Send an email looking like an invoice, important shipping statement, or important voicemail, and most people will open it.
3. Technology changes faster than people can keep up with, so the tricks keep getting trickier.
As a leader or business owner, YOU are a target.
All of your money handlers and purchasers are targets.
If you are in manufacturing, your engineers are targets.
26. Basic Training and Awareness
People are your biggest vulnerability
• Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately.
• Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond.
• Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully.
• Attachments - If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it!
• Unusual Sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don't click on it!
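The hover-and-look check above can be automated for a mail gateway or a training tool. The following is an added example, not code from the slides or from MePush: it flags links whose host is a lookalike of a domain you care about (the "rn" for "m" trick in bankofarnerica.com) and links whose visible text names a different domain than the real destination. The PROTECTED list and the two-label registrable-domain rule are assumptions.

```python
# Added example (not from the slide deck): flag hyperlinks whose destination
# host is a lookalike of a domain you care about, such as bankofarnerica.com,
# where the letters "rn" imitate "m", and links whose visible text names a
# different domain than the href. PROTECTED is a constructed sample list.
import re
from urllib.parse import urlparse

PROTECTED = {"bankofamerica.com", "microsoft.com", "mepush.com"}

# Visually confusable sequences, replaced in order to build a "skeleton"
# so that lookalike spellings compare equal to the genuine domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def skeleton(host: str) -> str:
    s = host.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def registrable(host: str) -> str:
    # Assumption: the last two labels form the registrable domain (fine for
    # .com style names; suffixes like .co.uk need a public suffix list).
    return ".".join(host.lower().split(".")[-2:])


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(visible_text: str, href: str) -> list[str]:
    """Return the reasons a link deserves a second look (empty list = fine)."""
    findings = []
    host = host_of(href)
    target = registrable(host)
    # Punycode (IDN) hosts can hide Unicode homographs; hand them to a human.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"internationalized (punycode) host {host}: review manually")
    if target not in PROTECTED:
        for good in sorted(PROTECTED):
            if skeleton(target) == skeleton(good):
                findings.append(f"{target} is a lookalike of {good}")
    # The slide's hover check: does the text show one domain while the
    # href goes to another?
    shown = DOMAIN_RE.search(visible_text)
    if shown:
        shown_dom = registrable(shown.group(0))
        if shown_dom != target:
            findings.append(f"text shows {shown_dom} but link goes to {target}")
    return findings
```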
27. Basic Training and Awareness
People are your biggest vulnerability
Hello,
As you may have noticed, I sent this email from your email account (if you didn't see, check the from email id). In other words, I have full access to your email account. In fact, I can tell you that your password is SuperSBDC1
I infected you with a malware a few months back when you visited an adult site, and since then, I have been observing your actions.
The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphone and you won't even notice about it.
I also have access to all your contacts.
1. People are easy to trick. As a leader or business owner, YOU are a target.
28. Basic Training and Awareness
People are your biggest vulnerability
Why your antivirus did not detect malware?
It's simple. My malware updates its signature every 10 minutes, and there is nothing your antivirus can do about it.
I made a video showing both you (through your webcam) and the video you were watching (on the screen) while satisfying yourself. With one click, I can send this video to all your contacts (email, social network, and messengers you use).
You can prevent me from doing this. To stop me, transfer $969 to my bitcoin address. If you do not know how to do this, Google - "Buy Bitcoin".
My bitcoin address (BTC Wallet) is 19nRhxeBxZekzsfVRyLH5TzQgg1doLkruz
…continues on about deleting the video upon payment
29. Basic Training and Awareness
People are your biggest vulnerability
“So, malware signatures can be changed, so antivirus is useless? Why bother with AV?”
Yes, even though you get vaccinated as a child, you still get sick as you grow older with other illnesses.
Yes, flu vaccines are ineffective against new strains.
But they ARE effective vaccinations against known prevalent strains and existing crippling illnesses.
Computer viruses can be programmed to evolve, and the code can be changed. Please keep your antivirus up to date and continue to use it. It will protect against all known variations of a virus.
AV is not foolproof, but DOES offer good protection.
30. Basic Training and Awareness
People are your biggest vulnerability
You have been phished AND/OR your information was found in a breach dump from a major breach:
31. Basic Training and Awareness
People are your biggest vulnerability
There are a TON of tools out there. Some are expensive and some are even free.
Antivirus brands endorsed by Art™:
• Cylance
• BitDefender
• ESET
• Panda
• Vipre
• Webroot
Antivirus will NOT keep you from getting phished.
Training and some email filtering like Advanced Threat Protection (Office 365) or Mimecast are your best protection against email threats.
32. Basic Training and Awareness
People are your biggest vulnerability
Haveibeenpwned.com
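Besides the email breach search, haveibeenpwned.com runs a Pwned Passwords service that can be queried without revealing the password: only the first 5 hex characters of its SHA-1 are sent, the service answers with every hash suffix in that bucket, and the match is made locally. The following is an added example, not code from the slides or from the HIBP project; the SAMPLE_RANGES reply and its counts are constructed so the check runs offline, while fetch_range_live shows the real endpoint.

```python
# Added example (not from the slide deck): check a password against the
# haveibeenpwned.com Pwned Passwords corpus through its k-anonymity "range"
# API. Only the first 5 hex characters of the password's SHA-1 leave the
# machine; the bucket the service returns is matched locally. SAMPLE_RANGES
# is a constructed reply for offline use; fetch_range_live does the real call.
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach corpora (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    # Real endpoint. Add-Padding asks the service to pad the bucket with
    # dummy ":0" entries so response size does not reveal which bucket was
    # requested; the parser above handles those. Not used by the offline demo.
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed reply for bucket 5BAA6 (SHA-1 of "password" starts 5BAA6...).
# Suffixes other than the real one for "password", and all counts, are made up.
SAMPLE_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0F3D2A6E1A0F0E0F0F0F0F0F0F0F0F0F0F0:0\r\n",
}


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("password seen", pwned_count("password", fetch_range_offline), "times")
```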
33. Basic Training and Awareness
People are your biggest vulnerability
Cofense.com/free
34. Basic Training and Awareness
People are your biggest vulnerability
Phishinsight.trendmicro.com
Free phishing campaigns to test/train your employees.
35. Protect Intellectual Property & Fraud-Proof People
People are your biggest vulnerability
Blockchain technologies are inherently fraud-proof due to the tracking and validation in the technology…
…but you aren’t using blockchain yet.
1. Don’t believe your caller ID. Scammers are calling from local numbers now.
2. Don’t trust someone to be ‘real’ when they text you.
3. Don’t pay upfront for a promise.
4. Don’t give information over the phone. Whether debt relief, loan offers, etc, they are often a scam.
5. Don’t pay people that call you over the phone.
6. Consider how you pay. Use a credit card that has significant fraud protection built in.
7. Talk to someone and do research before giving someone money or personal information over the phone or by text.
8. Hang up on robocalls.
9. Be skeptical about anything that is a free trial.
https://www.consumer.ftc.gov/articles/0060-10-things-you-can-do-avoid-fraud
36. Protect Intellectual Property & Fraud-Proof People
People are your biggest vulnerability
Never get someone that calls you remotely connected into your computer.
• Microsoft will never call you and have you get them connected in.
• HP will never call you and have you get them connected in.
• Dell will never call you and have you get them connected in.
100% of the time it is a hacker/scammer trying to gain access to your system.
37. Protect Intellectual Property & Fraud-Proof People
People are your biggest vulnerability
Never call a number from a pop up and get them remotely connected into your computer.
100% of the time it is a hacker/scammer trying to gain access to your system.
38. Protect Intellectual Property & Fraud-Proof People
People are your biggest vulnerability
Separate powers whenever possible.
• Separate accounts payable and accounts receivable into different people with different permissions to QuickBooks (or Sage, etc).
• Separate the purchasing person from the person who is handling the bookkeeping.
• Use a third-party accountant to verify bookkeeping and watch for discrepancies.
• Track inventory and shrinkage/loss. Keep in mind that a person stealing inventory may also do an inventory adjustment.
• Limit the number of people who can write checks and purchase materials.
39. Protect Intellectual Property & Fraud-Proof People
People are your biggest vulnerability
• Lock down permissions whenever possible.
• Implement least-privileged permissions for everyone to prevent possible loss of IP, fraud, and spread of malware.
For example:
• If the VP of Sales doesn’t need access to the HR folder and the Engineering folder for their role, they should be locked out of it regardless of their title.
• Likewise, someone in HR should have no access to Finance, Engineering, or Sales data.
• Someone in Finance should have no access to Engineering data.
• Nobody, including the CEO and IT manager, should be administrators on their PCs or the domain.
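The separation-of-duties rules from slide 38 and the least-privilege rules from slide 39 can be turned into an audit script that runs against an export of who holds which duty and which shares. The following is an added example, not code from the slides or from MePush; the roster, duties, share grants and department-to-share policy are constructed sample data.

```python
# Added example (not from the slide deck): audit a constructed roster against
# the separation-of-duties pairs (slide 38) and the least-privilege rules
# (slide 39). Names, departments, duties and share grants are made up.

# Duty pairs that must never rest with one person.
TOXIC_PAIRS = [
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"purchasing", "bookkeeping"}),
    frozenset({"inventory_count", "inventory_adjust"}),
    frozenset({"write_checks", "bookkeeping"}),
]

# Shares each department may see; anything else is denied regardless of title.
ALLOWED_SHARES = {
    "Sales": {"Sales"}, "HR": {"HR"}, "Finance": {"Finance"},
    "Engineering": {"Engineering"}, "Executive": set(),
}

# Constructed roster: admin means local or domain administrator rights.
STAFF = {
    "Pat": {"title": "VP of Sales", "dept": "Sales", "admin": False,
            "shares": {"Sales", "HR", "Engineering"}, "duties": set()},
    "Jordan": {"title": "Bookkeeper", "dept": "Finance", "admin": False,
               "shares": {"Finance"},
               "duties": {"accounts_payable", "accounts_receivable", "bookkeeping"}},
    "Sam": {"title": "Office Manager", "dept": "Finance", "admin": False,
            "shares": {"Finance"}, "duties": {"purchasing", "bookkeeping"}},
    "Alex": {"title": "CEO", "dept": "Executive", "admin": True,
             "shares": set(), "duties": {"write_checks"}},
    "Chris": {"title": "HR Generalist", "dept": "HR", "admin": False,
              "shares": {"HR"}, "duties": set()},
}


def sod_violations(staff: dict) -> list[str]:
    """People who hold both halves of a toxic duty pair."""
    out = []
    for person, rec in staff.items():
        for pair in TOXIC_PAIRS:
            if pair <= rec["duties"]:
                out.append(f"{person} ({rec['title']}) holds conflicting duties {sorted(pair)}")
    return out


def access_violations(staff: dict) -> list[str]:
    """Share grants outside the department's allowance, and any admin rights."""
    out = []
    for person, rec in staff.items():
        extra = rec["shares"] - ALLOWED_SHARES.get(rec["dept"], set())
        if extra:
            out.append(f"{person} ({rec['title']}) should not see {sorted(extra)}")
        if rec["admin"]:
            out.append(f"{person} ({rec['title']}) is an administrator on a daily-use account")
    return out


def duty_holders(staff: dict, duty: str) -> list[str]:
    """Who can perform a duty, to keep check-writing and purchasing lists short."""
    return sorted(p for p, rec in staff.items() if duty in rec["duties"])
```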
40. Physical Controls
Everything:
• Create an asset spreadsheet of all of your computers, mobile devices, network equipment, iPads, etc. and verify that nothing goes missing.
Server:
• Get the server out of the breakroom and into a locked network closet (with cooling, please).
• Control the key to the server room and server enclosure.
• Have a paper log, electronic access control system, or camera system monitoring access to the network closet.
Building:
• Have a policy that does not allow USB media.
• Do not let anyone plug anything unauthorized into computers or ethernet jacks.
• Closely monitor any visitor or stranger in your space. The easiest ‘hack’ is to plug a keylogger into a computer or an access point onto a network and walk out of the building.
41. You’ve Been Hacked
Prepare for the Inevitable
Everyone is a victim at some point of
• A breach
• A phishing attack
• Ransomware
• Financial theft malware
Statistically, you will be within the next two years.
Make sure that you are prepared for the inevitable.
42. You’ve Been Hacked
Prepare for the Inevitable
Make sure that your backup and recovery plans are solid.
We always recommend at least 2 local backup methods and 1 cloud backup method:
and do your backups often!!!
43. You’ve Been Hacked
Prepare for the Inevitable
• Have contingency plans for your core business processes.
• Have a disaster recovery plan.
• Have an incident response plan, including a breach notification plan.
• Practice disaster recovery/incident response annually.
If you need help coming up with a DR plan for your business, get a consultant rather than flying through an emergency by the seat of your pants.
44. You’ve Been Hacked
Prepare for the Inevitable
Get “Cybersecurity Insurance” or a “cyber rider” on your General Liability.
Every company has significant insurable risk regarding cyber that is not covered by their General Liability insurance. It is worth investing in cyber insurance.
45. Basic Security Controls
Implement least-privileged permissions and role-based access for everyone, giving them access to ONLY what they need access to do their jobs.
Maintain a list of all of your servers, computers, phones, printers, and other networked assets, as well as your software assets.
Implement an updating/patching strategy for every device on your network (from your laptops to your camera system/DVR).
Make sure that every PC and server has endpoint protection antivirus.
Implement content filtering (like OpenDNS or Webroot) to protect you and your employees from infected sites.
Implement backups and monitor them.
Implement security logging and monitor it (not easy for a layperson, not cheap to outsource).
Install a good firewall (Cisco, SonicWall, Palo Alto, etc) at your router.
46. Basic Security Controls
Encrypt your computers (free with BitLocker on Windows 10) and encrypt all of your phones.
Put someone in charge of monitoring the health of your systems and network, as well as the security risks involved.
Create a budget and a plan to lifecycle out old, insecure gear.
Create policies for Acceptable Internet Use for your employees.
MePush has one here for you: https://mepush.com/acceptable-use-policy-place/
Perform quarterly phishing tests and have employees complete short trainings.
Make sure that all employees have their own unique username and password. Do NOT allow all of your clerks to sign in with username “frontdesk” and password “frontdesk” anymore!
Create an encryption policy that ensures that all sensitive data is emailed using encryption.
47. Basic Security Controls
IMPLEMENT Multi-factor Authentication (MFA/2FA)! This is your biggest control against phishing!
Implement any additional controls as needed per compliance or type of business:
• Screen timeouts and password locking after 10 minutes
• Disabling USB storage devices on computers
• Geo-IP filtering, blocking traffic from certain countries