2. Agenda
• Continuing Trends
• New Elements
• Defensive Techniques
• Scaling to “X”
• Questions
3. Recent News
60 Minutes did a story on the first known control system attack
Source: CBSnews.com
4. Last Week’s News
Rock Center did a story on a Trojan used to steal money
Source: MSNBC.MSN.com
5. FBI says we are behind
Executive Assistant Director of the FBI thinks criminals are ahead.
6. Identity trading is rampant
Stolen credit cards are sold in large lots for prices as low as $0.40 to $10, depending on the interval and the method used to collect the information.
Personal identity information commands $25 to $50 (depending on quality).
8. Internal vs. External
• Historical threats
• Us vs. them
• Inbound only (except for “inside jobs”)
• Advanced Persistent Threats
• Blended attacks/RSA
• SPAM/Phishing
9. New Frontiers
• Small Business is expanding online
• Offering Online “Experiences”
• Member-Only Areas
• Monetize Social Media
• Groupon Discounts
• Gift Cards
10. New Dangers
• Web sites that store your data
• Financial Risks
• Personal Information Leakage
• Internal Threats
• Zombies
• FBI and the DNSChanger scam
• Brand Exposure (and explosion)
11. New SPAM Vectors
US Postal Service couldn’t deliver your package
American Airlines wants you to get that $19 fare to NY you left behind during your failed web session
The National Check Clearing Center says you are about to bounce a check
VISA Security department says your credit card has been blocked
PAYPAL says you are suspected of illegal activity
A gentleman in the Philippines would like you to hold his inheritance check while he travels to the US.
A lawyer in Thailand wants to see if you know a guy who died and will handle his $10 million estate.
12. New Questions
• What’s it worth to you?
• What can you actually do?
• What can be done for me?
• How often do I look?
In a corporate environment the bigger question is:
X vs. 10X vs. 100X
13. New Personal Tools
Identity Monitoring
• Epic.org (Electronic Privacy Info Center)
• http://www.youhavedownloaded.com/
• https://www.pwnedlist.com/
• http://www.Google.com
• http://www.Pipl.com
• Donttrack.us
15. What we do
• Penetration testing
– Network
– Application
– Physical
• Security Awareness
• Compliance
• Security Practice
• Policy lifecycle
• Security team augmentation
16. Who is ISON?
• Managed IT Services Firm
• Focus on small to medium business
• Extension of an organization
– With IT personnel
– Without IT personnel
• 30+ years industry experience
17. Wrap up
• Technical (Corporate)
– Use a patch management process
– Implement a secure baseline
– Monitor your network
– Manage your vulnerabilities
– Be careful with remote access
• Behaviors
– Put security and acceptable use policies in place
– Conduct security awareness training regularly
– Be careful with your data