I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.

1. Security 101
Training, awareness, and strategies
Stephen Cobb, CISSP
Senior Security Researcher
ESET NA

2. The SMB Sweet Spot for the
cyber-criminally inclined
Enterprises
SMB
“Sweet Spot”
Consumers
Assets
worth
looting
Level of protection

3. The challenge
• Organizations of every type rely on
computers to handle information
• Everyone today is a computer user
• Most have no security training
• Lack of security
training leads
to problems

4. How big is the challenge
We asked U.S. consumers if they had ever
received any computer security training
No:
68%
Yes:
32%
*Savitz Research for ESET, 2012

5. 68% is sadly consistent
We asked working adults in the U.S. if they had
ever received any computer security training
No:
68%
Yes:
32%
*Harris poll for ESET, 2012

6. 73% is even worse
We asked adults in U.S. who use social media if
they had ever received online safety training
No:
73%
Yes:
27%
*Harris poll for ESET, 2012

7. Security training is not yet part
of our society*
• This has serious implications for your
business
• 93% of American adults say they’ve
had no computer security training in
the last 12 months
• How many of them work for you, or for
your clients, suppliers, etc?
*Savitz Research for ESET, 2012

8. Some problems that lack of security
training can cause
• Unauthorized access to information
• Loss of access to information
• Loss of information
• Corruption of information
• Theft of information

9. The implications are non-trivial
• Loss of revenue
• Loss of business
• Fines, lawsuits, headlines
• Unbudgeted expenses
– Breach costs currently estimated at
around $190 per record exposed*
– 5,263 records = $1 million hit
*Ponemon Institute

10. Trojan terminates escrow firm
• $1.1 million wired to China and could
not be retrieved
• Firm was closed by state law, now in
receivership, 9 people out of a job
• So what’s the best weapon for keeping
that kind of Trojan code out of your
company’s system?

11. A well-trained workforce
• Knows not to click on suspicious links
in email or social media
• Knows to report strange activity (e.g.
the two-factor authentication not
working)
• Knows to scan all incoming files for
malware
– Email, USB drives

12. Does training make a difference?
• Yes
• A significant percentage of problems
can be averted, or their impact
minimized, if more employees get
better security training and education*
*A bunch of different studies in recent years

13. Security training or awareness
• What’s the difference?
• Training makes sure people at different
levels of IT engagement have the right
knowledge to execute their roles
securely
• Awareness makes sure all people at all
levels know what to look out for

14. Not that kind of actor…
Do your employees know what
motivates bad actors?
IMPACTADVANTAGEMONEY
CREDENTIALS

15. Do you know how the bad guys
operate?

16. Taken to exploit site
Malware server
Popular
Attack
Technique
!?**!
User clicks a link Gets infected/owned
Command & Control

19. • RAT has full access to victim PC
• And its network connections
• Search and exfiltrate files
• Access to webcam and audio
• Scrape passwords
• Execute system functions
• Chat with victim

20. What happens next?

24. So how do we move forward?

25. The road map: A B C D E F
• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy controls
• Educate employees, execs, vendors
• Further assess, audit, test
A B C D E F
F E D C B A
Technology

26. Assess assets, risks, resources
• Assets: digital, physical
– If you don’t know what you’ve got you
can’t protect it!
• Risks
– Who or what is the threat?
• Resources
– In house, hired, partners, vendors,
trade groups, associations

27. Build your policy
• Security begins with policy
• Policy begins with C-level buy-in
• High-level commitment to protecting
the privacy and security of data
• Then a set of policies that spell out the
protective measures, the controls that
will be used

28. Choose controls to enforce policies
• For example:
– Policy: Only authorized employees can
access sensitive data
– Controls:
• Require identification and authentication of
all employees via unique user name and
password
• Limit access through application(s) by
requiring authentication
• Log all access

29. Deploy controls, ensure they work
• Put control in place; for example,
antivirus (anti-malware, anti-phishing,
anti-spam)
• Test control
– Does it work technically?
– Does it “work” with your work?
– Can employees work it?

30. Educate everyone
• Everyone needs to know
– What the security policies are
– How to comply with them through
proper use of controls
• Pay attention to any information-
sharing relationships
– Vendors, partners, even clients
• Clearly state consequences of failure
to comply

31. Who gets trained?
• Everyone, but not in the same way,
break it down:
– All-hands training
– IT staff training
– Security staff training

32. How to deliver training
• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative

33. Incentives?
• Yes!
• To launch programs, push agendas
• Prizes do work
• But also make security part of every
job description and evaluation

34. Use your internal organs
• Of communication!
• Newsletter
• Intranet
• Bulletin board
• Meetings
• Company-wide email

35. How to do awareness
• Make it fun
• Make it relevant
• Leverage the news
• Bear in mind that everyone benefits
from greater awareness, at work and at
home

36. Resources to tap
• Industry associations
• FS-ISAC, NH-ISAC, others
• CompTIA, SBA, BBB
• ISSA, ISACA, SANS, (ISC)2
• Local colleges and universities
• Securing Our eCity

37. Need more motivation?
• Security training is the law
– HIPAA
– Red Flag Identity Theft Prevention
– Gramm-Leach-Bliley, Sarbanes-Oxley
– FISMA
• Or required by industry
– PCI Data Security Standard

38. Or just plain required
• To get that big juicy contract
• Many companies now require suppliers
to certify that they have security
training and awareness programs in
place as a condition of doing business

39. Further assess, audit, test…
• This is a process, not a project
• Lay out a plan to assess security on a
periodic basis
• Stay up-to-date on emerging threats
• Stay vigilant around change such as
arrivals, departures, functionality
A B C D E F
F E D C B A

40. Backup and archive
Firewall
and scan:
Incoming traffic
emails
files
devices
media
Encrypt
Monitor
Filter and
monitor
outbound
Authenticate
users
The Technology Slide

41. Thank you!
• stephen.cobb@eset.com
• WeLiveSecurity.com
• www.eset.com
• More info in the lobby