IDWG
BI-MONTHLY SECURITY EXCHANGE
JANUARY 2019
A 2018 SECURITY REVIEW
AND A 2019 LOOK AHEAD
U.S. DEPARTMENT OF STATE
OVERSEAS SECURITY ADVISORY COUNCIL
A GLOBAL SUMMARY ON
INFORMATION SECURITY IN
2018 AND LOOK AHEAD TO
2019
Looking Back 2018
• A hacker attack every 39 seconds
• 62% of Org had phishing & social engineering
• [Since 2013] 3,809,448 records stolen every day, 158,727 per hour, 2,645 per minute
• 2018 Billions impacted by breaches
• Artificial Intelligence & Machine Learning
• Increase Attacks on Identity & Edge Devices
• Fileless, Self-Propagating Malware
• Nation State Attacks
• Social Engineering, the Most Dangerous Threat
• AV is Dead But Necessary (Mine)
• Over $2 Trillion in 2019
credit: Dan Lohrmann
Key Takeaways
Game Changed: Monitoring and Reaction more important than prevention
Secure/Monitor: Mobile & IoT
Manage Risk: Organizationally & Personally
Focus on Human Factor (proactive), not Technology (reactive)
2Factor Authentication
Monitor your Digital Shadow
Action Steps
Mobile – Handout on Steps-better-safety-home-abroad
Monitor – Endpoint Detection Response, Email, + Google Alerts
Multi-factor – Password manager + 2Factor Authentication
No Borders – Use Cyber Hygiene (CIS top 20) & Digital Detox
VPN – Use only Trusted VPN (Never Free)
Human Factor – Train Staff (Give Why), Make it Personal
Risk Management – Table Top EX & Know Your Risks & Data
Resources
Steps for Better Safety at Home or Abroad: step-by-step tips to secure your device and online life
https://www.linkedin.com/pulse/steps-better-safety-home-abroad-ernest-staats/
Digital Detox https://datadetox.myshadow.org/en/home
Remove Personal Information Online : https://drive.google.com/open?id=1hazILe1PW4QD3ujN3vZ6ONHmKAHCnN7K
Multi-Factor Login How-to
https://www.turnon2fa.com/tutorials/
CIS Top 20 Controls
AuditScripts Critical Security Control Executive Assessment Tool
AuditScripts Critical Security Control Manual Assessment Tool
AuditScripts Critical Security Controls Master Mapping
Use a Password Manager
e.g. LastPass (https://lastpass.com) or 1Password (https://1password.com/)
Set Alerts For Your Name and Your Organization
Google https://www.google.com/alerts
Email https://haveibeenpwned.com/
Open Source Phishing Training
https://getgophish.com/
QUESTIONS?
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 

Idwg bimonthly security exchange cyber only section

  • 1. IDWG BI-MONTHLY SECURITY EXCHANGE JANUARY 2019 A 2018 SECURITY REVIEW AND A 2019 LOOK AHEAD U.S. DEPARTMENT OF STATE OVERSEAS SECURITY ADVISORY COUNCIL
  • 2. A GLOBAL SUMMARY ON INFORMATION SECURITY IN 2018 AND LOOK AHEAD TO 2019 U.S. DEPARTMENT OF STATE OVERSEAS SECURITY ADVISORY COUNCIL
  • 3. Looking Back 2018
      • A hacker attack every 39 seconds
      • 62% of organizations had phishing & social engineering attacks
      • [Since 2013] 3,809,448 records stolen every day (158,727 per hour, 2,645 per minute)
      • 2018: billions impacted by breaches
  • 4.
      • Artificial Intelligence & Machine Learning
      • Increased Attacks on Identity & Edge Devices
      • Fileless, Self-Propagating Malware
      • Nation State Attacks
      • Social Engineering, the Most Dangerous Threat
      • AV is Dead But Necessary (Mine)
      • Over $2 Trillion in 2019
      credit: Dan Lohrmann
  • 5. Key Takeaways
      • Game Changed: Monitoring and Reaction more important than prevention
      • Secure/Monitor: Mobile & IoT
      • Manage Risk: Organizationally & Personally
      • Focus on Human Factor (proactive), not Technology (reactive)
      • 2Factor Authentication
      • Monitor your Digital Shadow
  • 6. Action Steps
      • Mobile: Handout on Steps-better-safety-home-abroad
      • Monitor: Endpoint Detection and Response, Email, + Google Alerts
      • Multi-factor: Password manager + 2Factor Authentication
      • No Borders: use Cyber Hygiene (CIS top 20) & Digital Detox
      • VPN: Use only a Trusted VPN (Never Free)
      • Human Factor: Train Staff (Give Why), Make it Personal
      • Risk Management: Table Top EX & Know Your Risks & Data
  • 7. Resources
      • Steps for Better Safety at Home or Abroad: Step-by-Step tips to secure your device and online life https://www.linkedin.com/pulse/steps-better-safety-home-abroad-ernest-staats/
      • Digital Detox https://datadetox.myshadow.org/en/home
      • Remove Personal Information Online: https://drive.google.com/open?id=1hazILe1PW4QD3ujN3vZ6ONHmKAHCnN7K
      • Multi-Factor Login How-to https://www.turnon2fa.com/tutorials/
      • CIS Top 20 Controls
          • AuditScripts Critical Security Control Executive Assessment Tool
          • AuditScripts Critical Security Control Manual Assessment Tool
          • AuditScripts Critical Security Controls Master Mapping
      • Use a Password Manager, e.g. LastPass https://lastpass.com or 1Password https://1password.com/
      • Set Alerts For Your Name and Your Organization
          • Google https://www.google.com/alerts
          • Email https://haveibeenpwned.com/
      • Open Source Phishing Training https://getgophish.com/
  • 8. QUESTIONS? U.S. DEPARTMENT OF STATE OVERSEAS SECURITY ADVISORY COUNCIL

Editor's Notes

  1. There is a hacker attack every 39 seconds: the University of Maryland is one of the first to quantify the near-constant rate of hacker attacks on computers with Internet access (every 39 seconds on average, affecting one in three Americans every year) and the non-secure usernames and passwords we use that give attackers more chance of success.

     • 43% of cyber attacks target small business.
     • 64% of companies have experienced web-based attacks.
     • 62% experienced phishing & social engineering attacks.
     • 59% of companies experienced malicious code and botnets, and 51% experienced denial of service attacks.
     • Since 2013 there are 3,809,448 records stolen from breaches every day: 158,727 per hour, 2,645 per minute and 44 every second of every day, reports Cybersecurity Ventures.
     • 95% of cybersecurity breaches are due to human error.

     Last year, Ginni Rometty, IBM’s chairman, president and CEO, said: “Cybercrime is the greatest threat to every company in the world.” And she was right. During the next five years, cybercrime might become the greatest threat to every person, place and thing in the world.
     https://www.cybintsolutions.com/cyber-security-facts-stats/

     The 21 scariest data breaches of 2018
     Paige Leskin, Dec. 30, 2018, 10:42 AM

     Here are the 14 biggest data breaches that were revealed this year, ranked by the number of users affected:

     14. Cathay Pacific Airways — 9.4 million
         What was affected: 860,000 passport numbers; 245,000 Hong Kong identity card numbers; 403 expired credit card numbers; and 27 credit card numbers without the card verification value (CVV).
         When it happened: Activity was discovered in March 2018
         How it happened: Passenger data was accessed "without authorization."
         Source: Reuters

     13. Careem — 14 million
         What was affected: Names, email addresses, phone numbers, and trip data.
         When it happened: January 14, 2018
         How it happened: "Access was gained to a computer system that stored customer and driver account information."
         Source: Reuters

     12. Timehop — 21 million
         What was affected: Names, email addresses, and some phone numbers.
         When it happened: December 2017 — July 2018
         How it happened: "An access credential to our cloud computing environment was compromised ... That cloud computing account had not been protected by multifactor authentication."
         Source: Business Insider

     11. Ticketfly — 27 million
         What was affected: Personal information including names, addresses, email addresses, and phone numbers.
         When it happened: Late May 2018
         How it happened: A hacker called "IsHaKdZ" compromised the site's webmaster and "gained access to a database titled 'backstage,' which contains client information for all the venues, promoters, and festivals that utilize Ticketfly's services."
         Source: The Verge

     10. Facebook — 29 million
         What was affected: Highly sensitive data, including locations, contact details, relationship status, recent searches, and devices used to log in.
         When it happened: July 2017 — September 2018
         How it happened: "The hackers were able to exploit vulnerabilities in Facebook's code to get their hands on 'access tokens' — essentially digital keys that give them full access to compromised users' accounts — and then scraped users' data."
         Source: Business Insider

     9. Chegg — 40 million
         What was affected: Personal data including names, email addresses, shipping addresses, and account usernames and passwords.
         When it happened: April 29, 2018 — September 19, 2018
         How it happened: According to Chegg's SEC filing: "An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company's family of brands such as EasyBib."
         Source: ZDNet

     8. Google+ — 52.5 million
         What was affected: Private information on Google+ profiles, including name, employer and job title, email address, birth date, age, and relationship status.
         When it happened: 2015 — March 2018, November 7 — November 13
         How it happened: Earlier this year, Google announced it would be shutting down Google+ after a Wall Street Journal report revealed that a software glitch caused Google to expose the personal profile data of 500,000 Google+ users. Then again in December, Google revealed it had experienced a second data breach that affected 52.5 million users. Google has now decided it will shut down Google+ for good in April 2019.
         Source: Wall Street Journal, Google

     7. Cambridge Analytica — 87 million
         What was affected: Facebook profiles and data identifying users' preferences and interests.
         When it happened: 2015
         How it happened: A personality prediction app called "thisisyourdigital life," developed by a University of Cambridge professor, improperly passed on user information to third parties that included Cambridge Analytica, a data analytics firm that assisted President Trump's presidential campaign by creating targeted ads using millions of people's voter data. Only 270,000 Facebook users actually installed the app, but due to Facebook's data sharing policies at the time, the app was able to gather data on millions of their friends.
         Source: Business Insider

     6. MyHeritage — 92 million
         What was affected: Email addresses and encrypted passwords of users who have signed up for the service.
         When it happened: October 26, 2017
         How it happened: "A trove of email addresses and hashed passwords were sitting on a private server somewhere outside of the company."
         Source: Business Insider

     5. Quora — 100 million
         What was affected: Account info including names, email addresses, encrypted passwords, data from user accounts linked to Quora, and users' public questions and answers.
         When it happened: Discovered in November 2018
         How it happened: A "malicious third party" accessed one of Quora's systems.
         Source: Reuters

     4. MyFitnessPal — 150 million
         What was affected: Usernames, email addresses, and encrypted passwords.
         When it happened: February 2018
         How it happened: An "unauthorized party" gained access to data from user accounts on MyFitnessPal, an Under Armour-owned fitness app.
         Source: Business Insider

     3. Exactis — 340 million
         What was affected: Detailed information compiled on millions of people and businesses including phone numbers, addresses, personal interests and characteristics, and more.
         When it happened: June 2018
         How it happened: A security expert spotted a database "with pretty much every US citizen in it" left exposed "on a publicly accessible server," although it's unclear whether any hackers accessed the information.
         Source: WIRED

     2. Marriott Starwood hotels — 500 million
         What was affected: Guest information including phone numbers, email addresses, passport numbers, reservation dates, and some payment card numbers and expiration dates.
         When it happened: 2014 — September 2018
         How it happened: Hackers accessed the reservation database for Marriott's Starwood hotels, and copied and stole guest information.
         Source: Business Insider

     1. Aadhar — 1.1 billion
         What was affected: Private information on India residents, including names, their 12-digit ID numbers, and information on connected services like bank accounts.
         When it happened: It's unclear when the database was first breached, but it was discovered in March 2018.
         Indane hadn't secured their API, which is used to access the database, which gave anyone access to Aadhar information.
         Source: ZDNet
  2. In 2019, a new breed of fileless malware will emerge, with wormlike properties that allow it to self-propagate through vulnerable systems and avoid detection. (Endpoint detection and response, EDR, is a must!)

     (More) Nations developing offensive capabilities.

     Social engineering, the most dangerous threat.

     As biometric logins become more common, hackers will take advantage of their use as a single-factor method of authentication to pull off a major attack in 2019. Biometric login methods such as face and fingerprint readers on consumer devices like smartphones and gaming consoles present a tempting target for hackers. While biometrics are more convenient than remembering many complex passwords, and they are more secure than poor passwords, they are still just a single method of authentication.
     http://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-19-security-predictions-for-2019.html

     One of the better reports: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-2019-threat-report.pdf

     As more business infrastructure gets connected, Juniper Research data suggests that cybercrime will cost businesses over $2 trillion total in 2019.

     • “FBI Director Wray: China is ‘Most Significant’ Threat to US” https://www.businessinsider.com/fbi-director-says-china-is-the-broadest-most-significant-threat-to-the-us-2018-7
     • “If You Weren’t Already Worried About Russia, You Should Be Now”. CNN, 03.25.2018
     • “U.S. Charges 9 Iranians in Huge Theft of Intellectual Property”. New York Times, 03.23.2018
     • “Cyberspace is the New Battlespace”. Homeland Security Newswire, 03.09.2018
     • “The Problem Isn’t Cambridge Analytica: It’s Facebook”. Forbes, 03.19.2018
     • “Chinese Unrestricted Warfare Targeting American Economy, National Security” http://thehill.com/blogs/congress-blog/economy-budget/398838-chinese-unrestricted-warfare-targeting-american-economy
     • “DHS head Nielsen forecasts 'hurricane' cyberattacks” https://www.cnbc.com/2018/07/31/dhs-head-cat-5-cyber-hurricane-is-forecast-heres-what-were-doing-a.html?__source=sharebar|linkedin&par=sharebar
  3. The game has changed, while we are still very busy fighting with an obsolete strategy, using technology and cybersecurity tools that are highly fallible.

     • Securely configure, manage and monitor mobile devices and IoT.
     • Manage risk at the organizational level and the personal level: extreme, pervasive espionage and infiltration.
     • Cybersecurity and Unprecedented Risk must be elevated to the strategy layer (where our adversaries have had it all along).
     • Pivot the focus to the Human Factor (proactive), not just Technology (reactive).
     • Need for 2Factor: biometrics are still one factor and are hackable. Use password safes with 2FA.
     • Monitor your digital shadow and the organization's digital shadow:
         • Set Google Alerts (look to the handout)
         • Use a third party like Digital Shadows
         • Do a digital detox
         • Do a doxing cleanse
     • CEOs, C-levels, and Boards must lead the charge.
  4. https://www.linkedin.com/pulse/steps-better-safety-home-abroad-ernest-staats/

     Recommendations

     • Map your digital footprint.
         • Use identity masking, e.g. Blur https://www.abine.com, to mask email, caller ID, and credit cards
         • Google https://www.google.com/alerts
         • Email https://haveibeenpwned.com/
         • Look at all the social networking sites and forums that you belong to, and search what information about you is available.
     • Clean up your digital footprint. Remove any photos, content, and links that may be inappropriate or reveal too much information.
     • Be selective about who you authorize to access your information.
     • Use the privacy features of your browser and of the various websites you frequent to reduce the visibility of your information.
     • Since many comments on public websites can be publicly seen, monitor and moderate comments associated with you to maintain a positive digital footprint.
     • Consider using the "block comments" feature or setting your social networking profile to "private" so that only designated individuals can view your information.
     • Think before you post.

     For more information:
     • 10 Steps to Erase Your Digital Footprint
     • The Washington Post: Beware of Privacy Policies: Time to Hide Your Digital Footprint

     Multi-Factor
     Multifactor (2FA) Login https://www.turnon2fa.com/tutorials/

     CIS top 20
     https://www.cisecurity.org/controls/
     Also add link to spreadsheets

     Human Factor
     Use paid products, but another solution is to use an open source solution: https://getgophish.com/
     • Set Templates & Targets: Gophish makes it easy to create or import pixel-perfect phishing templates. Our web UI includes a full HTML editor, making it easy to customize your templates right in your browser.
     • Launch the Campaign: Launch the campaign and phishing emails are sent in the background. You can also schedule campaigns to launch whenever you'd like.
     • Track Results: Detailed results are delivered in near real-time. Results can be exported for use in reports.
     • Download: https://github.com/gophish/gophish/releases

     • Practice Unprecedented Risk methods - Wargames, Table Top Exercises
     • “New Era” Human Factor awareness with adversarial intel
     • Classify data, limit network and physical access
     • Always use a trusted VPN
     • Restrict your mobile banking
     • Think and study before you click
     • Use separate strong passwords
     • Use multi-factor identification
     • Cyber hygiene begins with you and your family
     • Cyber is now a key part of your daily life
     • Remain alert and knowledgeable
  5. • A Small Business No Budget Implementation of the SANS 20 Critical Controls https://www.sans.org/reading-room/whitepapers/hsoffice/small-business-budget-implementation-20-security-controls-33744
     • AuditScripts Critical Security Control Executive Assessment Tool
     • AuditScripts Critical Security Control Manual Assessment Tool
     • AuditScripts Critical Security Controls Master Mapping
     • TED Talk: “On the Front Lines of a War You Don’t Know About” https://www.linkedin.com/slink?code=e2jricq
     • Credit ratings https://www.annualcreditreport.com/
     • Steps for Better Safety at Home or Abroad: Step-by-Step tips to secure your device and online life https://www.linkedin.com/pulse/steps-better-safety-home-abroad-ernest-staats/
     • Multi-Factor Login How-to https://www.turnon2fa.com/tutorials/
     • CIS top 20 Controls
         • AuditScripts Critical Security Control Executive Assessment Tool
         • AuditScripts Critical Security Control Manual Assessment Tool
         • AuditScripts Critical Security Controls Master Mapping
     • Use a Password Manager, e.g. LastPass https://lastpass.com or 1Password https://1password.com/
     • Set alerts for your name and your organization
         • Google https://www.google.com/alerts
         • Email https://haveibeenpwned.com/
     • Open Source Phishing Training https://getgophish.com/
     • Use identity masking, e.g. Blur https://www.abine.com, to mask email, caller ID, and credit cards
     • Several Resources and files:
         • https://drive.google.com/open?id=1GPpyGFW3m3L1e-VfgwDPEJWrbeqSrEKy
         • https://www.slideshare.net/erstaats/2019-cyber-security-trends-and-recommendations