Cyber 101 for smb execs v1
•
2 likes•1,007 views
This document provides an overview of cybersecurity risks facing small and medium-sized businesses. It notes that 62% of cyber attacks target small businesses and over 50% experience a data breach. Common goals of attackers are stealing money, data, and accessing customer networks. However, many SMBs lack formal security policies, blueprints, or breach response plans. The document outlines various attack methods like phishing, pharming, SQL injection, and others. It stresses that employees are a major security risk and provides tips on creating security policies, training staff, complying with regulations, implementing technologies, and using managed security services for protection.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Cyber 101 for smb execs v1
Similar to Cyber 101 for smb execs v1 (20)
Recently uploaded
Recently uploaded (20)
Cyber 101 for smb execs v1
- 1. Cyber 101 Training For SMB Execs Http://Defensative.com www.Defensative.comwww.Defensative.com
- 2. 62% of Cyber Attacks are aimed at Small Business -- Verizon Cyber Crime Survey >50% of small-to-medium sized businesses had experienced at least one data breach -- Ponemon Institute www.Defensative.com
- 3. • Money – Ransom-ware • Your companies data – Personally Identifiable Info (PII) – Protected Health Information (PHI) – CC Numbers and/or Financial Info – Intellectual property – copyrights, trademarks & patents, business plans, customer lists, etc. • Your customers data & access to your customers networks… – The Target breach happened due to an HVAC vendor (more) What are they after? www.Defensative.com
- 4. Yet? • 86% of businesses said they are "satisfied" with the level of security they have in place to defend customer or employee data • 87% of respondents have not written a formal security policy for employees • 83% lack any security blueprint at all • 59% have no plan in place to respond to a security incident --National Cyber Security Alliance (NCSA) and Symantec “National Small Business” survey www.Defensative.com Yet SMB’s are not prepared! www.Defensative.com
- 6. www.Defensative.com What Is A Breach Going to Cost You? A National Cyber Security Alliance study showed that 36 percent of cyber attacks are conducted against SMBs. Of those, up to 60 percent go out of business within six months of an attack.
- 7. You or one of your employees may receive a fake email or text message with a website created to look like it’s from an authentic company. What it does: • Trick you into giving them information by asking you to update, validate or confirm your account. It is often presented in a manner than seems official and intimidating, to encourage you to take action. • Convince you to download Malware 39 Percent of Employees Admit to Opening Suspicious Emails www.Defensative.com How Will You Be Attacked: Phishing (social engineering) – The #1 attack vector! www.Defensative.com Example:
- 8. • Pharming • Cross Site Scripting • Denial of Service • SQL Injection • Dictionary Attack • Botnets • Scanning **see appendix for details www.Defensative.com How Will You Be Attacked: Others… www.Defensative.com
- 9. You can have all the Prevention tools (Anti-Virus, Firewalls, Automatic Patching, Backups, Robust Password Protection etc..) and still be vulnerable to the introduction of code onto your network that can Sniff your traffic, Copy your data or Control your devices… • Cyber Security --Your employees are your weakest link… • Unmanaged BYOD and employees clicking on things they shouldn’t are what let bad actors through the front door… Your employees are your weakest link…
- 10. • Ensure you have the appropriate Cyber Insurance coverage for both 1st party liability and 3rd party liability • Common first-party costs when a security failure or data breach occurs include: – Forensic investigation of the breach – Legal advice to determine your notification and regulatory obligations – Notification costs of communicating the breach – Offering credit monitoring to customers as a result – Public relations expenses – Loss of profits and extra expense during the time that your network is down (business interruption) • Common third-party costs include: – Legal defense – Settlements, damages and judgments related to the breach – Liability to banks for re-issuing credit cards – Cost of responding to regulatory inquiries – Regulatory fines and penalties (including Payment Card Industry fines) • Ensure your coverage covers remediation! www.Defensative.com What You Must Do – Cyber Liability Insurance
- 11. www.Defensative.com General • Acceptable Encryption Policy • Acceptable Use Policy • Clean Desk Policy • Disaster Recovery Plan Policy • Digital Signature Acceptance Policy • Email Policy • Ethics Policy • Password Construction Guidelines • Password Protection Policy • Security Response Plan Policy • End User Encryption Key Protection Policy Network Security • Acquisition Assessment Policy • Bluetooth Baseline Requirements Policy • Remote Access Policy • Remote Access Tools Policy • Router and Switch Security Policy • Wireless Communication Policy • Wireless Communication Standard • Third Party Access Policy Infrastructure • Database Credentials Policy • Technology Equipment Disposal Policy • Information Logging Standard • Lab Security Policy • Server Security Policy • Software Installation Policy • Workstation Security (For FINRA) Policy • Web application security policy Examples: • Sample Policy (here) • SANS (here) What You Must Do - Create a Corporate Cyber Policy
- 12. • Who is responsible for developing and maintaining our cross-functional approach to cybersecurity? To what extent are business leaders (as opposed to IT or risk executives) owning this issue? • Which information assets are most critical, and what is the “value at stake” in the event of a breach? • What promises—implicit or explicit—have we made to our customers and partners to protect their information? • What roles do cybersecurity and trust play in our customer value proposition—and how do we take steps to keep data secure and support the end-to-end customer experience? • How are we using technology, business processes, and other efforts to protect our critical information assets? How does our approach compare with that of our peers and best practices? • Is our approach to security continuing to evolve, and are we changing our business processes accordingly? • Are we managing our vendor and partner relationships to ensure the mutual protection of information? www.Defensative.com What You Must Do – Ensure you and your board have answers to the following questions…
- 13. • Training - Continually raise your staff and contractors awareness on cyber security best practices (email, web, phone, text etc…) • Train employees – To recognize an attack – On step-by-step instructions about what to do if they’ve witnessed a cyber incident – On your corporate cyber policies www.Defensative.com What You Must Do – Employee Training
- 14. • Do your suppliers / partners / contractors have access to your network or Line of Business systems? • Audit your suppliers / partners / contractors for their cyber liability insurance coverage, their corporate cyber policies and their infrastructure protection www.Defensative.com What You Must Do – Your Suppliers
- 15. • PCI-DSS Service for Small to Medium Businesses • FINRA Service for Small to Medium Businesses • HIPAA Service for Small to Medium Businesses www.Defensative.com Understand Regulatory/Policy Compliance for Your Industry Big Fines…
- 16. • Systems – Ensure your computer systems’ and security software stay up to date • Especially Java, Flash and Windows security updates – Secure & Encrypt laptops and mobile phones – Ensure Backup are scheduled and tested – Firewalls, latest routers/switches with up to date software • Move your Line of Business systems to secure cloud providers – Offsite cloud providers will require more stringent firewalls, access credentials and security protocols than onsite stored data. – Offsite cloud applications are stored within the walls of a 24/7/365 physically secured data center facility. – Cloud application providers build threat assessment models that will work to identify possible leaks within business cloud applications, and constantly work to break those security measures, in an effort to make them stronger and stronger. • Software you have built – Needs to be secure by design (here) www.Defensative.com What You Must Do - Technology
- 17. • Use a Managed Cyber Security Services like Defensative’s NetWatcher™ services to continuously monitor your network for security threats and vulnerabilities – Http://Defensative.com • Consider end-point technology from companies like http://triumfant.com – Triumfant integrates seamlessly into Defensatives’s NetWatcher service. www.Defensative.com What You Must Do - Technology
- 20. You or one of your employees may be pointed to a malicious and illegitimate website by redirecting the legitimate URL. Even if the URL is entered correctly, it can still be redirected to a fake website. What it can do: • Convince you that the site is real and legitimate by looking almost identical to the actual site down to the smallest details. You may even enter your personal information and unknowingly give it to someone with malicious intent. • Convince you to download Malware. www.Defensative.com How Will You Be Attacked: Pharming
- 21. You or one of your employees opens a website that has embed hidden scripts, mainly in the web content, to steal information such as cookies and the information within the cookie (eg passwords, billing info). www.Defensative.com How Will You Be Attacked: XSS Cross Site Scripting
- 22. A bad actor will attempt to make one of your network resources unavailable to its intended users by saturating the target with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. www.Defensative.com How Will You Be Attacked: Denial of Service (DOS)
- 23. A bad actor may try to get valuable information from your website by exploiting vulnerabilities in the sites databases. www.Defensative.com How Will You Be Attacked: SQL Injection
- 24. www.Defensative.com A brute force attempt to guess your network assets passwords, by using common words and letter combinations, such as “Password” or “abc123”. How Will You Be Attacked: Dictionary Attack
- 25. A collection of software robots, or 'bots', that creates an army of infected computers (known as ‘zombies') that are remotely controlled by the originator. Yours may be one of them and you may not even know it. What they can do: • Send emails on your behalf • Spread all types of malware • Can use your computer as part of a denial of service attack against other systems How Will You Be Attacked: Botnets
- 26. Your hosts are being scanned daily by server farms all over the world looking for current vulnerabilities (example: Heartbleed) that you may not have patched yet… What they can do: • Take control of your company…. How Will You Be Attacked: Scanning
Editor's Notes
- January Target (retail). In January, Target announced an additional 70 million individuals’ contact information was taken during the December 2013 breach, in which 40 million customer’s credit and debit card information was stolen.[5] Neiman Marcus (retail). Between July and October 2013, the credit card information of 350,000 individuals was stolen, and more than 9,000 of the credit cards have been used fraudulently since the attack.[6] Sophisticated code written by the hackers allowed them to move through company computers, undetected by company employees for months. Michaels (retail). Between May 2013 and January 2014, the payment cards of 2.6 million Michaels customers were affected.[7] Attackers targeted the Michaels POS system to gain access to their systems. Yahoo! Mail (communications). The e-mail service for 273 million users was reportedly hacked in January, although the specific number of accounts affected was not released.[8] April Aaron Brothers (retail). The credit and debit card information for roughly 400,000 customers of Aaron Brothers, a subsidiary of Michaels, was compromised by the same POS system malware.[9] AT&T (communications). For two weeks AT&T was hacked from the inside by personnel who accessed user information, including social security information.[10] May eBay (retail). Cyber attacks in late February and early March led to the compromise of eBay employee log-ins, allowing access to the contact and log-in information for 233 million eBay customers.[11] eBay issued a statement asking all users to change their passwords. Five Chinese hackers indicted. Five Chinese nationals were indicted for computer hacking and economic espionage of U.S. companies between 2006 and 2014. The targeted companies included Westinghouse Electric (energy and utilities), U.S. subsidiaries of SolarWorld AG (industrial), United States Steel (industrial), Allegheny Technologies (technology), United Steel Workers Union (services), and Alcoa (industrial).[12] Unnamed public works (energy and utilities). According to the Department of Homeland Security, an unnamed public utility’s control systems were accessed by hackers through a brute-force attack[13] on employee’s log-in passwords.[14] June Feedly (communications). Feedly’s 15 million users were temporarily affected by three distributed denial-of-service attacks.[15] Evernote (technology). In the same week as the Feedly cyber attack, Evernote and its 100 million users faced a similar denial-of-service attack.[16] P.F. Chang’s China Bistro (restaurant). Between September 2013 and June 2014, credit and debit card information from 33 P.F. Chang’s restaurants was compromised and reportedly sold online.[17] August U.S. Investigations Services (services). U.S. Investigations Services, a subcontractor for federal employee background checks, suffered a data breach in August, which led to the theft of employee personnel information.[18] Although no specific origin of attack was reported, the company believes the attack was state-sponsored. Community Health Services (health care). At Community Health Service (CHS), the personal data for 4.5 million patients were compromised between April and June.[19] CHS warns that any patient who visited any of its 206 hospital locations over the past five years may have had his or her data compromised. The sophisticated malware used in the attack reportedly originated in China. The FBI warns that other health care firms may also have been attacked. UPS (services). Between January and August, customer information from more than 60 UPS stores was compromised, including financial data,[20] reportedly as a result of the Backoff malware attacks. Defense Industries (defense). Su Bin, a 49-year-old Chinese national, was indicted for hacking defense companies such as Boeing.[21] Between 2009 and 2013, Bin reportedly worked with two other hackers in an attempt to steal manufacturing plans for defense programs, such as the F-35 and F-22 fighter jets. September Home Depot (retail). Cyber criminals reportedly used malware to compromise the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian outlets.[22] Google (communications). Reportedly, 5 million Gmail usernames and passwords were compromised.[23] About 100,000 were released on a Russian forum site. Apple iCloud (technology). Hackers reportedly used passwords hacked with brute-force tactics and third-party applications to access Apple user’s online data storage, leading to the subsequent posting of celebrities’ private photos online.[24] It is uncertain whether users or Apple were at fault for the attack. Goodwill Industries International (retail). Between February 2013 and August 2014, information for roughly 868,000 credit and debit cards was reportedly stolen from 330 Goodwill stores.[25] Malware infected the chain store through infected third-party vendors. SuperValu (retail). SuperValu was attacked between June and July, and suffered another malware attack between late August and September.[26] The first theft included customer and payment card information from some of its Cub Foods, Farm Fresh, Shop ‘n Save, and Shoppers stores. The second attack reportedly involved only payment card data. Bartell Hotels (hotel). The information for up to 55,000 customers was reportedly stolen between February and May.[27] U.S. Transportation Command contractors (transportation). A Senate report revealed that networks of the U.S. Transportation Command’s contractors were successfully breached 50 times between June 2012 and May 2013.[28] At least 20 of the breaches were attributed to attacks originating from China. October J.P. Morgan Chase (financial). An attack in June was not noticed until August.[29] The contact information for 76 million households and 7 million small businesses was compromised. The hackers may have originated in Russia and may have ties to the Russian government. Dairy Queen International (restaurant). Credit and debit card information from 395 Dairy Queen and Orange Julius stores was compromised by the Backoff malware.[30] Snapsave (communications). Reportedly, the photos of 200,000 users were hacked from Snapsave, a third-party app for saving photos from Snapchat, an instant photo-sharing app.[31]