Cerdant’s Director of Engineering, Joshua Skeens, presented the best ‘bets’ to increase your security odds. Josh warned customers to stop gambling with their data, and cautioned against weak, guessable passwords stating, “Use 2-Factor Authentication everywhere!” The first step in creating the best security posture possible for your business will always be just getting started, and to keep momentum Josh suggests implementing 1 new security practice each week.

1. Make Every Spin
Count:
Putting The Security Odds
In Your Favor

2. About Me:
• Director of Engineering at
Cerdant
• 13 years
• Avid Golfer, Runner and
Outdoorsman
• Nerf Gun Enthusiast
• Twitter - @joshuaskeens
• joshua.skeens@cerdant.co
m

3. Make Every Spin Count: Putting
The Security Odds In Your Favor
 How can I put the odds in my favor?
 We first need to know what our odds are
 2017 Verizon Report statistics
 Best “bets” to increase your security odds

4. Verizon Report
2017
 10th Annual DBIR Report
 65 Sources
 Includes
 Breaches
 Incidents

5. Verizon Report 2017

6. Verizon Report 2017

7. Let’s stop
gambling with
our data.
• It’s never going to happen to
me!
• I’ve got a firewall and Anti-virus
I’m unhackable!
• My users never click on links
they shouldn’t

8. Verizon Report 2017
61%
• of the data breach victims in this year’s report
are businesses with under 1,000 employees

9. Verizon Report 2017
80%
• of hacking-related breaches leveraged either stolen passwords and/or weak or
guessable passwords.
95%
• of phishing attacks that led to a breach were followed by some sort of software
installation.
• 1 in 14 people were tricked into opening a link or attachment they shouldn't
• 25% of those people were tricked into doing it again

10. Top 25 Passwords of 2016
123456
123456789
qwerty
12345678
111111
123456789
0
1234567
password
123123
987654321
qwertyuiop
mynoob
123321
666666
18atcskd2
w
7777777
1q2w3e4r
654321
555555
3rjs1la7qe
google
1q2w3e4r5
t
123qwe
zxcvbnm
1q2w3e

11. Was your password on that list??!!

12. What is a hacker?!

13. Let’s stop
gambling and
let’s starting
WINNING!
 Nothing is hack proof
 But we don’t want to make anything easy
 Most hackers don’t want to work that hard
 What steps can we take to put the
odds in our favor?

14. Stacking the Odds in your favor
 Passwords
 Enforce Password Complexity
 8+ characters
 Require Upper Case, Lower Case, Special Characters and Numbers
 Password Rotation
 Teach password creation
 Yahoo & LinkedIn
 2FA – use it EVERYWHERE!!!
 https://twofactorauth.org/
 Minimize Privileges
 No Local Admin rights
 No Domain Admin rights
 Different Local Admin for each machine
 Microsoft LAPS

15. Stacking the Odds in your favor….
 Command Line (cmd)
 Disable access
 Most users don’t need access to CMD
 PowerShell
 Disable access
 BUT…..some users do need PowerShell access
Grant Privileges via AD Groups
Enable it when needed – default should be disabled

16. Stacking the Odds in your favor….
 Network Segmentation
 VLANs, VLANs, VLANs
 Isolate devices and departments
 DMZ for public facing servers
 Wireless Segmentation
 Multiple SSIDs
Employees
BYOD
Guest

17. Stacking the Odds in your favor….
 Protect the Gateway
 Next Generation Firewall
SonicWALL!!
 Strong Access Lists
Yes strict outbound port policies
 Audit your ruleset regularly
 DPI-SSL
60% to 70% of all traffic is encrypted now
 Scan for and block Applications
 Capture ATP
 Sandbox Malicious files before they even make it onto the network

18. Stacking the Odds in your favor….
 Anti-virus
 Deploy Anti-virus at the End Point
 New Artificial Intelligence (AI) AV
Cylance
No database
No patient-zero
Doesn’t need Internet Access to pull updates
98% effective rate
Cloud Management
Signature-based AV solutions are less than 40% effective
POC – ZERODay!

19. Stacking the Odds in your favor….
 OS Patching
 Move to supported OS
 Schedule routine patching
 Application Patching
 Patch Applications
Security Patches

20. Stacking the Odds in your favor….
 Device Inventory Management
 Spiceworks
 WhatsUp
 ManageEngine
 Application Inventory Management
 Ninite
 Spiceworks
 ManageEngine

21. Stacking the Odds in your favor….
 Attached Device Management
 Should employees be allowed to connect USB drives?
 Disable feature
 Provide company USBs
Lock down USBs to specific OUIs
*Cylance*
 Data Backup
 Backup critical data daily
 Do scheduled restores to test data backup validity

22. Stacking the Odds in your favor….
 Application Whitelisting
 Only allow “Approved” Applications to run
Cylance
Windows has Application Whitelisting Built-in
 Lockdown DNS Access
 Enforce DNS access to Local Server(s) only
 Lockdown outbound DNS access to DNS Servers only
 Vulnerability/Network Assessments

23. Why the Hackers “house”
normally win

24. Stacking the Odds in your favor….
 Employees
 Single largest Security Risk
 At least 60% of all incidents can be contributed to employees
 Easiest attack angle
 What can be done?
 Train employees on proper Email and Web browsing etiquette
KnowBe4
PhishMe
 Gauge employee computer & security knowledge
 Train employees on security awareness, and reward them for
reporting suspicious activity

25. You might be feeling like this now…

26. But You can do this!
• The 1st thing is to just get started
• Don’t be paralyzed
• Create your list and implement 1 new security
practice each week
• Schedule quarterly security reviews as soon as you
get back to the office
• There is no shame in doing the easiest 1st
• Anything is better than nothing

27. THANK YOU!!!!!