Chart: Cyber Crime as a proportion of UK crime in 2015 (Source: ONS). All other crime 47%; Computer Misuse 17%; Cyber Enabled Fraud 36%.
specific
organization or individual
http://training.skibo.com/store/157096-phishing-awareness-training-for-staff
http://training.skibo.com/store/69127-cyber-security-awareness-for-employees
mark.mair@skibo.com
www.linkedin.com/in/markmair

Cyber security awareness & training 2.1

Editor's Notes

  1. Hello and welcome to this short presentation on Cyber Security. My name is Mark Mair and I'm a cyber security consultant working for Skibo Technologies. For the past 11 years I have been working in the field of information security, helping businesses of all sizes understand the threats posed by cyber crime and advising on the measures to mitigate those threats. At the end of this presentation there are links to e-learning based training we have developed to assist with this, including a free course on Phishing Awareness.
  2. In this presentation I'll be covering several topics around Cyber Security and why it should be high on the priority list of any organisation. I'll start by covering the Threat Landscape. I'll discuss the scale of cyber crime in the UK and the impact it's having on organisations of all sizes. This will include real world examples of cyber crime Skibo has dealt with in the past 18 months. For obvious reasons these examples will be redacted in order to keep the identity of the organisations in question confidential. The topics covered will include: Who: I'll discuss the different groups and individuals that pose a threat and why each group has different motives for wanting to attack an organisation. Why: What motivates cyber criminals to target organisations and individuals? Once you understand what your organisation has that is valuable to a criminal, you can start to formulate an action plan to mitigate the risks. How: In the how section I'll go over some of the most common methods used by criminals to gain access to a company's assets, whether that's financial, intellectual property or other market sensitive information, as well as the computer network itself.
  3. Cyber-crime is the fastest growing area of crime in the UK and every organisation, regardless of its size, geographic location or industry sector, is a target. To put that in context, the latest UK Government report on Cyber-crime compiled by the Office of National Statistics for 2015 reports that there were 2.11 victims of cyber crime in the UK. Of that number only 16.5K cyber dependent and approximately 700,000 cyber-enabled incidents were reported to Action Fraud. It's estimated that 85% of computer based fraud & cyber-related crime goes unreported. Cyber-crime is estimated to cost the UK upwards of 27 billion pounds per year. Cyber-enabled fraud in 2015 accounted for 36% of all UK crime, with computer misuse accounting for another 17%. In other words more than half of all UK crime is cyber related. I'm sure you have all seen the news reports of high profile data breaches with the likes of Sony, Yahoo and LinkedIn, to name a few. It's estimated that the first ransomware attack (ransomware being software that indiscriminately encrypts company information and demands payment before releasing the unlock codes) netted the criminals behind it $30 million in the first 100 days of its release. In the past 18 months in the Aberdeenshire area, Skibo have been involved in the aftermath of several security breaches as a result of cyber-crime. At one end of the scale we dealt with a hospitality business that had all its business data encrypted by ransomware. This included all financial data, customer details and bookings. This information was lost. The immediate financial impact to the business ran to tens of thousands of pounds in terms of remedial action and lost business. The long term reputational damage is harder to calculate but the impact is still being felt over a year later. At the other end of the scale we dealt with a business that had their financial systems compromised. This resulted in a loss of £1.2 million that had been taken from their bank account and routed to overseas banks. Every individual within an organisation is also a target. The most sophisticated and expensive defences can be breached by simply targeting an individual within a company. This doesn't necessarily mean senior people or those in privileged positions. I'll be covering that in more detail later.
  4. There are several different types of cyber-criminals or hackers. The categories of each type are the subject of much debate within the cyber-security community, but for the purposes of this presentation I will concentrate on the six most common types. Script Kiddies: this is a pejorative term used to describe amateur hackers. This type of hacker uses various hacking tools that are freely available on the internet. They typically lack the skills that other hackers have. They are usually easy to detect as they are not very good at covering their tracks. That said, a poorly protected network can still be easily breached by this type of hacker and the subsequent damage caused can still be significant. Black Hat Hackers: these are the bad guys that have the skills necessary to penetrate a business's network and gain access to a company's assets such as financial systems, intellectual property or other market sensitive information. They are typically motivated by financial gain. Hacktivists: motivated by politics or religion, they will attack organisations that run counter to their beliefs. For example animal testing labs are the target of animal rights groups, and drilling companies exploring in sensitive areas such as the Arctic can be the target of environmental groups. Spy Hackers: similar to black hat hackers, they have the skills and are often hired by organisations in order to gain market advantage by stealing information from competitors or to disrupt a competitor's operations, for example by taking down their website. State Sponsored Hackers: also known as advanced persistent threat or APT. These groups are highly skilled, well funded and, as their name suggests, persistent. They will often target organisations such as political parties or trade organisations in order to steal or influence national governmental policies. The controversy around the alleged hacking of the Democratic Party servers in the US presidential election is a good example of State Sponsored Hackers. It is estimated that the People's Army of China has up to 100,000 individuals employed in cyber-related espionage. Cyber Terrorists: this is by far the most dangerous group, whose motives are to cause fear, terror and murder by attacking critical infrastructure such as air traffic control systems or SCADA systems.
  5. As I've already touched on, different groups are motivated by different goals. Financial Gain: The most obvious one is money or other financial gain. Accessing a company's network can provide a criminal with access to the company's financial systems. In many cases a criminal that has gained access to those systems will not act immediately; they will study the business, understand who its suppliers and clients are, and what type of payments they make and receive. In one example Skibo dealt with a company that had been breached. The criminal had been accessing the company's network and computer systems for over 6 months. They worked out that the main financial system exported a payments file that was uploaded to the banking system to pay suppliers. The file was a plain text file and contained the name of the payee, the bank account and sort code and the figure to be paid. In this case all the criminal had to do was to modify the bank account and sort code to an account that was under their control. Banking payment software doesn't use the payee field. The financial controller looked at each payment line to check the amount being transferred and the payee were correct. Once the file was processed by the bank, almost five hundred thousand pounds was redirected to the criminals. This only came to light when the suppliers' credit controllers contacted the company to find out when they were getting paid. To steal trade secrets and IP: In addition to money, stealing a company's trade secrets and IP is another motive. It may not be information that belongs to the company being targeted but information they hold on behalf of their clients. As larger organisations have the resources to implement expensive defences, criminals will work their way down the supply chain. Think not only about the valuable information you hold about your own organisation but also about your clients. Increasingly, invitation to tender requests are asking what Information Security Management System potential bidders have in place. After quality and environmental standards, ISO 27001 is increasingly being asked for. To take control of a company's network: In some cases controlling a company's network and the PCs and laptops attached to that network is the goal of the criminals. It allows them to use the network as a base from which to launch attacks against other targets. Computers controlled by criminals are referred to as zombie machines and collectively make up botnets. When attacks are launched against a website in what is known as a distributed denial of service attack, tens of thousands of compromised computers take part, making it extremely difficult to combat. To embarrass a company or other organisation: This can sometimes involve defacing a company's website, as happened recently to Aberdeen City Council, or stealing and publishing subscriber details, as in the case of the marital affair site Ashley Madison. Peer group recognition: In some cases simply hacking a network and boasting about it to fellow hackers in the hacking community is motivation enough. To disrupt the operations of a company: With many companies, especially those that sell online, any impact to their website can be expensive, cause reputational damage and lose sales. Denial of service attacks are used to flood a website with requests that cause the site to crash or go offline for extended periods of time. This type of attack can be purchased on the dark web for as little as $500 to take out a site for a week during core business hours. To disrupt national infrastructure: Cyber terrorists will try to disrupt critical national infrastructure such as power plants, air traffic control systems and banking infrastructure. A good example of this is the Stuxnet virus that was responsible for causing substantial damage to Iran's nuclear program by targeting industrial computer systems. It's been widely reported that governments believe the next world war will be waged online.
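The payment-file substitution described in this slide succeeded because nothing between the finance system's export and the bank upload checked that the file was unchanged, and because the bank ignores the payee name, so a human reading "payee and amount look right" cannot catch a swapped sort code or account number. The Python below is an added example written for this page, not code from Skibo or the presentation; the file layout (payee, sort code, account, amount), the supplier records, the HMAC key and all values are constructed for illustration. It shows the two controls a practitioner would put in front of the upload: an HMAC over the exported file so any edit after export is detected, and a check of each line's bank details against the supplier master record that finance verified out-of-band.

```python
"""Integrity and payee checks for a plain-text supplier payment file.

Added example (not from the presentation): the file format, field order,
supplier list and key are assumptions made for illustration.
"""
import csv
import hashlib
import hmac
import io

# Constructed sample: a payments export as described on the slide, one
# payment per line with payee name, sort code, account number and amount.
PAYMENT_FILE = """payee,sort_code,account,amount
Acme Tooling Ltd,12-34-56,12345678,48250.00
Northsea Valves plc,65-43-21,87654321,127900.50
"""

# Constructed sample: supplier master records that finance has verified
# out-of-band (e.g. by calling the supplier on a number already on file).
APPROVED_SUPPLIERS = {
    "Acme Tooling Ltd": ("12-34-56", "12345678"),
    "Northsea Valves plc": ("65-43-21", "87654321"),
}

# Constructed demo key. In practice the key lives in the finance system that
# produces the export, not on the workstation that uploads the file.
KEY = b"constructed-demo-key-not-for-production"


def sign_file(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag over the exact bytes of the export."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_file(data: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a fresh one."""
    return hmac.compare_digest(sign_file(data, key), tag)


def check_payees(data: bytes, approved: dict) -> list:
    """Return (payee, reason) for every line whose bank details do not match
    the approved supplier record. The bank ignores the payee name, so this is
    the check that catches a swapped sort code or account number."""
    problems = []
    for row in csv.DictReader(io.StringIO(data.decode())):
        expected = approved.get(row["payee"])
        if expected is None:
            problems.append((row["payee"], "unknown payee"))
        elif (row["sort_code"], row["account"]) != expected:
            problems.append((row["payee"], "bank details differ from supplier record"))
    return problems


def simulate_account_edit(data: bytes, old_account: str, new_account: str) -> bytes:
    """Reproduce the edit described on the slide on the constructed sample:
    only the account number changes, payee and amount stay the same."""
    return data.replace(old_account.encode(), new_account.encode())


def release_payments(data: bytes, key: bytes, tag: str, approved: dict) -> bool:
    """Gate the bank upload: both the HMAC and the payee check must pass."""
    if not verify_file(data, key, tag):
        return False
    return not check_payees(data, approved)


if __name__ == "__main__":
    original = PAYMENT_FILE.encode()
    tag = sign_file(original, KEY)
    print("original releases:", release_payments(original, KEY, tag, APPROVED_SUPPLIERS))
    edited = simulate_account_edit(original, "87654321", "99999999")
    print("edited releases:", release_payments(edited, KEY, tag, APPROVED_SUPPLIERS))
    print("payee problems:", check_payees(edited, APPROVED_SUPPLIERS))
```

The two checks are deliberately independent: the HMAC fails even if the edited account happens to belong to a real supplier, and the payee check fails even if the attacker could re-sign the file, because the supplier record is held separately from the export. Either one on its own would have stopped the loss described above; together they also tell you which line was changed.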
  6. Research: The success of any attack will increase greatly if the criminal has done his or her homework on the target. As an example, let's take the fictitious company Azimuth Drilling. Azimuth Drilling is an engineering company that has developed a new drilling technology that will revolutionise Oil & Gas exploration. The company has been working on this technology for several years and it has cost them millions of pounds in R&D; the product is ready to be launched and marketed. The criminals are interested in gaining access to the company network in order to steal the engineering drawings and test data. Google: The first stop is Google. The criminals will use Google to get as much information as they can that's in the public domain: press releases, awards, news items on contracts won etc. It provides a high level view of the company. The company website: Next stop, the company website. This will more often than not provide a wealth of information, including key personnel, geographic locations etc. Companies House: Companies House will provide a list of the directors, their home addresses and any interests they have in other businesses. Social Media: From the details of key personnel on the company's own website and the list of company directors, the criminals have identified two candidates that they will target: the operations director and the financial director. Next stop is social media to get more information on the targets. Facebook provides a wealth of information. For a start, the FD hasn't set his privacy settings correctly so it's easy to see the photographs on his timeline, his relationships including his mother's and father's names, and the places he's visited on holiday. The operations director can't be located on FB but he is on LinkedIn. Using one of the many fake LinkedIn profiles, a LinkedIn request is sent to the OD and he accepts. They now have access to the OD's previous work history as well as a list of current and former colleagues. Facebook, Twitter, LinkedIn, Instagram etc. Genealogy sites: Armed with the FD's date of birth from Companies House and his mother's and father's first names and surname, a search of the marriages section of a genealogy site quickly locates his mother's maiden name. Google Street View: Entering the home addresses of both the FD & OD into Google Street View, the criminals are able to assess the type of property the targets live in. In the case of the OD, a small boat on a trailer can be seen in the driveway; this would suggest that he is a keen sailor. Could this information be useful in designing an attack? So with nothing more than access to the internet the criminals have profiled the company, identified two likely targets, know the FD's mother's maiden name (a standard security question), and from FB they know he likes golf and skiing, is married, has no children and is counting down the days until he goes on holiday to Portugal in 10 days' time. They know the OD likes sailing, who he has previously worked for and what interests him from the content of the articles he has commented on or shared on LinkedIn, as well as what industry interest groups he belongs to. Pretexting: With this information, the criminals have enough to create a pretext for how they aim to get access to the company network. To do this they plan to use Social Engineering techniques to get the FD to install malware on his PC and get the OD to reveal the password he uses to access the company network. Road Apples: Another method that can be used by criminals is known as "road apples". This involves dropping, typically, a USB thumb drive in a common area such as the car park or bathroom, knowing it will more than likely be picked up and plugged into a network computer. Once it's plugged in it will install software that allows the criminals access to the network.
  7. With this information, the criminals have enough to create a pretext for how they aim to get access to the company network. To do this they plan to use Social Engineering techniques to get the FD to install malware on his PC and get the OD to reveal the password he uses to access the company network.
  8. Phishing, spelt with a PH, is defined as the fraudulent practice of sending emails purporting to be from reputable sources in order to induce the individuals targeted to perform an action such as revealing information e.g. passwords or installing software. Spear Phishing is a phishing scam where the criminals have researched their target in order to increase the likelihood of getting the target to perform the action required.
  9. In the case of the FD, the criminals create a carefully crafted email offering the chance of a week’s golfing holiday in the Algarve. All the FD has to do is answer a short quiz on a website the criminals have already created. When the quiz starts a popup box appears with a message that his “Adobe Flash Software is out of date” and needs updating: press update to continue. After he presses update and follows the instructions he continues to the quiz. The “update” actually installed malware on his PC, allowing the criminals access to his computer, including all his documents and spreadsheets, as well as recording the keystrokes he types, which include usernames and passwords to other sites.
  10. A watering hole is defined as a website designed for the purpose of getting the target to hand over sensitive information such as usernames and passwords. In the case of the Operations Director, he is sent a carefully crafted email asking for submissions to a new industry awards gala for innovation in O&G. To be considered he has to register his interest on the event’s website. He does this using his work email address as his username and the same password he uses to log on to the company network. He has too many passwords to remember and uses the same combination for all the sites he accesses. The criminals now have the details they need to log on to the company network as the OD and gain access to all the information he has access to, including engineering drawings and test data.
  11. Another method that can be used by criminals is known as “road apples”. This involves dropping, typically, a USB thumb drive in a common area such as the car park or bathroom, knowing it will more than likely be picked up and plugged into a network computer. Once it’s plugged in it will install software that allows the criminals access to the network.
  12. So how do you prevent attacks such as these? There are many different controls and solutions that can be put in place to mitigate the threats posed by cyber-criminals. The key is to get the right solutions that work for your organisation. While every organisation should put security at the forefront, the security measures required to protect a bank will differ greatly from those of a house builder, and they in turn will be different to those of a life sciences company at the cutting edge of research into a breakthrough drug. With that in mind, these are some of the measures that companies should have in place.

Technical Controls

Firewall – The first line of defence; it sits at the perimeter and controls access to the outside world. Today’s enterprise class Next-Generation Firewalls also provide additional features such as deep packet inspection, where the traffic to and from the internal network is analysed to detect suspicious behaviour.

Anti-Virus/Anti-Malware software – Any network connected device should be protected with a suitable anti-virus / anti-malware package. Modern anti-virus solutions will not just scan for known malware but will monitor for suspicious activity such as ransomware. One such product from Sophos will detect if files are being encrypted, kill any suspicious process after a third file has been encrypted and prevent further activity.

A standardised network environment – Policies to control the computer environment should be implemented. These can control aspects of the network such as disabling USB ports on PCs to stop the spread of viruses through removable media such as thumb drives, prevent the installation of 3rd party software, roll out software updates etc.

IDS/IPS – Intrusion detection and prevention systems are used to monitor activity on the network for suspicious behaviour and take appropriate action. If a PC starts communicating with a server in Eastern Europe at 3 o’clock in the morning there is a good chance the machine has been compromised. An IDS would report this activity and allow the IT department to investigate and take remedial steps to remove the threat.

Data Loss Prevention systems – These are designed to protect sensitive information from being taken off-premises, either by criminals remotely accessing the company network or, as is often the case, by employees, whether by accident or maliciously. A DLP system monitors the network and devices for data deemed sensitive by searching for keywords and known phrases, e.g. the name of a chemical formula, and either prevents the transfer of that information, reports the attempt or both. This includes users who copy company information to cloud storage such as Dropbox or iCloud.

Penetration Testing – This is a process where “white hat hackers”, or the good guys, are commissioned to test the security of a company’s network, assets and systems to look for vulnerabilities. They essentially act as hackers and will use the same tools and methods that criminals would use in order to attempt to gain access to the company’s digital assets. This is a requirement for Information Security Management Systems such as ISO 27001/2 or Cyber Essentials Plus.

Process & Procedural Controls

Roles & Responsibilities – Appoint an individual within the organisation who is responsible for information security. In large organisations this will often be a dedicated position, but in smaller companies it may be a function that is allocated to an existing position such as the FD. Who is responsible will vary depending on the type of company and the industry sector they operate in. For regulated industries such as financial services there can be fiduciary duties that go along with this function, and it should therefore be assigned at director level.
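The anti-malware behaviour described above (kill a process once it has encrypted a third file) can be illustrated with a small monitor that scores each file write by its byte entropy and counts distinct high-entropy rewrites per process. This is an added example written for this page, not Sophos code or any product’s detection logic; the entropy threshold, the constructed process names and the sample file contents are assumptions.

```python
import math
from collections import defaultdict

# Threshold from the slide: act after a third file has been encrypted.
ENCRYPTED_FILE_LIMIT = 3
# Assumption: ciphertext is close to 8 bits/byte; plain documents are far lower.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the written data (0.0 for empty writes)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= HIGH_ENTROPY_BITS


class WriteMonitor:
    """Tracks which distinct files each process has overwritten with high-entropy data."""

    def __init__(self, limit: int = ENCRYPTED_FILE_LIMIT):
        self.limit = limit
        self.suspect_files = defaultdict(set)  # process name -> set of paths
        self.blocked = set()                    # processes already killed

    def observe(self, process: str, path: str, data: bytes) -> str:
        """Return the action for one write: 'allow', 'watch' or 'kill'."""
        if process in self.blocked:
            return "kill"                       # stays blocked for every later write
        if not looks_encrypted(data):
            return "allow"
        self.suspect_files[process].add(path)
        if len(self.suspect_files[process]) >= self.limit:
            self.blocked.add(process)           # third distinct file: terminate
            return "kill"
        return "watch"


# Constructed sample content: a plain-text report and a block that has the
# flat byte distribution of ciphertext (every byte value equally often).
PLAIN_DOC = b"Quarterly report for Azimuth Drilling. Drilling trials continue. " * 50
CIPHERTEXT = bytes(range(256)) * 16

# Constructed file-write events: (process, path, bytes written).
SAMPLE_EVENTS = [
    ("winword.exe", r"C:\Users\fd\Documents\report.docx", PLAIN_DOC),
    ("cryptor.exe", r"C:\Users\fd\Documents\report.docx", CIPHERTEXT),
    ("cryptor.exe", r"C:\Users\fd\Documents\budget.xlsx", CIPHERTEXT),
    ("cryptor.exe", r"C:\Users\fd\Documents\report.docx", CIPHERTEXT),  # same file again
    ("cryptor.exe", r"C:\Users\fd\Documents\drawings.dwg", CIPHERTEXT),  # third distinct file
    ("cryptor.exe", r"C:\Users\fd\Documents\notes.txt", PLAIN_DOC),     # already blocked
    ("7z.exe", r"C:\Users\fd\Documents\backup.zip", CIPHERTEXT),        # one archive: only watched
]


def run_sample() -> list:
    """Feed the constructed events through one monitor and return the actions."""
    mon = WriteMonitor()
    return [mon.observe(p, path, data) for p, path, data in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (proc, path, _), action in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{action:5} {proc:12} {path}")
```

The archive writer shows the main caveat of an entropy heuristic: compressed and already-encrypted files look like ciphertext, so a real product combines the count with other signals (file extension changes, ransom notes, write rate) rather than entropy alone.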
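The IDS scenario above (a PC talking to an outside server at 3 o’clock in the morning) can be turned into a concrete detection. The following is an added example for this page, not code from any IDS product: it parses constructed firewall log lines, ignores internal and sanctioned destinations, and groups the remaining connections that fall outside business hours by source and destination. The log format, the business-hours window, the internal range and the allowlisted address are all assumptions, and the IP addresses are documentation ranges.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example (none of these come from the slide):
BUSINESS_HOURS = range(8, 18)                     # 08:00-17:59 local time
INTERNAL_NETS = [ip_network("10.0.0.0/8")]        # the company LAN
ALLOWED_EXTERNAL = {ip_address("203.0.113.10")}   # constructed: a sanctioned cloud endpoint

# Constructed log format: timestamp, source, destination, port and firewall verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def detect_off_hours_egress(lines) -> list:
    """Alert on allowed outbound connections to unknown external hosts outside business hours."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "allow":
            continue                                  # unparsable or already blocked
        if is_internal(ev["dst"]) or ev["dst"] in ALLOWED_EXTERNAL:
            continue                                  # LAN traffic or a known-good service
        if ev["ts"].hour in BUSINESS_HOURS:
            continue                                  # daytime browsing is out of scope here
        key = (str(ev["src"]), str(ev["dst"]))
        hits.setdefault(key, []).append(ev)
    alerts = []
    for (src, dst), events in hits.items():
        alerts.append({
            "src": src,
            "dst": dst,
            "connections": len(events),               # repeated contacts suggest beaconing
            "first_seen": events[0]["ts"].isoformat(),
            "dports": sorted({e["dport"] for e in events}),
        })
    return alerts


# Constructed sample log; 10.0.1.23 plays the compromised PC.
SAMPLE_LOG = """
2016-03-01T10:15:02 src=10.0.1.23 dst=203.0.113.10 dport=443 action=allow
2016-03-01T14:30:00 src=10.0.1.40 dst=198.51.100.77 dport=443 action=allow
2016-03-02T03:02:11 src=10.0.1.23 dst=198.51.100.77 dport=443 action=allow
2016-03-02T03:05:40 src=10.0.1.23 dst=10.0.0.5 dport=445 action=allow
2016-03-02T03:06:00 src=10.0.1.23 dst=203.0.113.10 dport=443 action=allow
2016-03-02T03:07:11 src=10.0.1.23 dst=198.51.100.77 dport=443 action=allow
2016-03-02T03:12:11 src=10.0.1.23 dst=198.51.100.77 dport=8443 action=allow
2016-03-02T03:13:00 src=10.0.1.23 dst=198.51.100.99 dport=25 action=deny
this line is not a firewall record
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect_off_hours_egress(SAMPLE_LOG):
        print(alert)
```

The rule deliberately stays narrow: it only considers traffic the firewall allowed, so that the analyst sees connections that actually succeeded, and it reports the count per pair so that a single late-night download can be told apart from a host that keeps calling the same server every few minutes.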
Change management procedures – Implement a system of change management where no one individual can make changes to systems or processes without first having those changes peer-reviewed. A good example of this is changing the bank details of a supplier. Often criminals will send in a request notifying the target that their bank details have changed and asking them to update their records. They may even call in advance to warn of the change request and to confirm it is legitimate. This is known as mandate fraud, as the new bank details belong to the criminals. Having requests such as these verified and reviewed can limit the likelihood of this type of scam being successful. Examine the processes and procedures your organisation follows and look for ways they could be compromised by criminals. Where are the weak links? Where are the single points of failure?

Risk management assessments – A full risk assessment should be carried out to identify and assess the level of cybersecurity risk to your organisation. This should include:
Identify and Document Asset Vulnerabilities
Identify and Document Internal and External Threats
Acquire Threat and Vulnerability Information from External Sources
Identify Potential Business Impacts and Likelihoods
Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts
Identify and Prioritize Risk Responses
If you lack the in-house skills necessary to perform those tasks it is strongly recommended that you partner with an IT provider that will take you through the process. Not carrying out a risk assessment will leave your organisation vulnerable and non-compliant against recognised ISMS standards such as ISO 27001 and Cyber Essentials Plus.

Change the culture – In the same way that the Oil & Gas industry changed its culture in the 80s to one of safety first, a similar sea change is needed to put security front and foremost in people’s minds.
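The six risk assessment steps listed above can be walked through end to end on the Azimuth Drilling scenario from earlier in the presentation. This is an added example written for this page, not a method taken from ISO 27001 or Cyber Essentials: the 1 to 5 likelihood and impact scales, the risk = likelihood × impact scoring, the response bands, the constructed asset list and the constructed threat intelligence feed are all assumptions.

```python
from dataclasses import dataclass, field

# Assumption: both scales run 1 (rare / negligible) to 5 (almost certain / severe).
SCALE_MAX = 5


@dataclass
class Asset:
    name: str
    vulnerabilities: list = field(default_factory=list)   # step 1


@dataclass
class Threat:
    name: str
    source: str          # "internal" or "external"             (step 2)
    asset: str           # which asset it acts on
    likelihood: int      # 1-5                                   (step 4)
    impact: int          # 1-5                                   (step 4)


# Step 1: constructed asset register with documented weaknesses.
ASSETS = [
    Asset("Engineering file server", ["single shared admin password", "no outbound DLP"]),
    Asset("FD laptop", ["local admin rights", "Flash plugin out of date"]),
    Asset("Accounts payable process", ["no second approver for bank detail changes"]),
]

# Step 2: constructed internal and external threats, with step 4 estimates.
THREATS = [
    Threat("Spear phishing of FD", "external", "FD laptop", likelihood=4, impact=4),
    Threat("Credential reuse on watering hole", "external", "Engineering file server", 3, 5),
    Threat("Employee copies drawings to Dropbox", "internal", "Engineering file server", 3, 5),
    Threat("Mandate fraud on supplier payment", "external", "Accounts payable process", 3, 3),
    Threat("Road apple USB drop", "external", "Engineering file server", 2, 4),
]

# Step 3: constructed external feed, e.g. an advisory that a campaign is currently active,
# expressed as a likelihood adjustment per threat name.
EXTERNAL_INTEL = {"Spear phishing of FD": +1, "Mandate fraud on supplier payment": +1}


def adjusted_likelihood(threat: Threat) -> int:
    """Apply external intelligence to the internal estimate, capped to the scale."""
    return min(SCALE_MAX, threat.likelihood + EXTERNAL_INTEL.get(threat.name, 0))


def risk_score(likelihood: int, impact: int) -> int:
    return likelihood * impact                                   # step 5


def response_for(score: int) -> str:
    """Step 6: assumed bands, 15+ treat now, 8-14 treat in the plan, below 8 accept and monitor."""
    if score >= 15:
        return "treat immediately"
    if score >= 8:
        return "treat (planned)"
    return "accept and monitor"


def build_register() -> list:
    """Produce the prioritised risk register (highest score first)."""
    vulns = {a.name: a.vulnerabilities for a in ASSETS}
    rows = []
    for t in THREATS:
        lik = adjusted_likelihood(t)
        score = risk_score(lik, t.impact)
        rows.append({
            "threat": t.name, "source": t.source, "asset": t.asset,
            "vulnerabilities": vulns[t.asset],
            "likelihood": lik, "impact": t.impact, "score": score,
            "response": response_for(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in build_register():
        print(f"{r['score']:2}  {r['response']:18}  {r['threat']}  [{r['asset']}]")
```

Writing the assessment down this way makes the step 6 decision auditable: anyone reviewing the register can see which estimate or which piece of external intelligence pushed a risk into the "treat immediately" band, which is exactly what an ISMS auditor will ask for.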
This change in culture needs to come from the top down, from the CEOs, Managing Directors and Partners. Staff need to understand why the company is taking information security seriously and what the impact is to the organisation if the culture doesn’t change: the financial impact, either directly through theft or indirectly through loss of IP, market share or reputational damage. Once staff understand the impact and scale of cyber-crime it is much easier to implement the necessary change.

Education, education, education – Staff training is key. Security awareness training should be part of the staff induction process and as a minimum be undertaken at least once a year.
  13. Awareness Training
With that in mind, Skibo have developed an e-Learning based Phishing Awareness Training course which is 100% free. The course takes around thirty minutes to complete and covers how to spot a phishing attack and what actions to take. It can be accessed at the link on screen. If you want to put all your staff through this course, contact me at the address at the end of this presentation and we can arrange to have their details bulk uploaded and enrolled, and set up reporting on who has taken the course, their success/failure and who has yet to take it; otherwise you can get individuals to self-enrol.
  14. We have also developed another e-learning course which goes beyond simply phishing and covers areas such as: Passwords; Email & Instant Messaging; Social Networking; Mobile Device Security; Wi-Fi Security; Protections at home; What to do if you’re ‘hacked’. It can be accessed at the link below.
  15. If you have any questions please feel free to email me at mark.mair@skibo.com or contact me via LinkedIn at the address on screen. If you’d like me to come and present to your organisation please contact me by the same method.