Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security
1. Using Technology and Techno-People to Improve your Threat Resistance and Cyber Security
Stephen Cobb, CISSP
Senior Security Researcher, ESET NA
2. Protecting federal data systems
• Requires:
– technical and human elements
– properly synchronized
3. We have the technology
• Anti-malware
• Firewalls
• 2-factor authentication
• Encryption
• Network monitoring
• Filtering
4. And the technology is getting smarter
• Cloud-based reputation, signatures, big data
• But technology is undermined when your workforce is not trained to play defense
6. Techno-people
• Not everyone needs to be technical, but:
• We are all computer users
• Data security is everyone’s responsibility
• Everyone needs to understand the threats
• And the defensive strategies
7. Today’s agenda
• Scale of the problem
• Nature of our adversaries
• Information security’s 9 patterns
• Patterns applied to federal agencies
• How to improve the coordination of people and technology to address those patterns
8. April 2014 GAO report
• Information Security
– Federal Agencies Need to Enhance Responses to Data Breaches
• (GAO-14-487T)
• A lot of work still to be done, across numerous agencies
– Improve security
– Improve breach response
9. The scale of the problem
• Information security incidents reported to US-CERT by all agencies
• [Chart, incidents per year: 2009: 29,999; 2010: 41,776; 2011: 42,854; 2012: 48,562; 2013: 61,214]
• Number of incidents up
• More data to defend?
• Improved reporting?
10. Exposure of PII is growing
• More incidents involving Personally Identifiable Information (PII)
• [Chart, PII incidents per year: 2009: 10,481; 2010: 13,028; 2011: 15,584; 2012: 22,156; 2013: 25,566]
• Why?
– Thriving black market for PII
• Impact
– Seriously impacts individuals
– Growing public displeasure
– Heads may roll
11. A federal PII breach example
• July 2013, hackers get PII of 104,000+ people
– From a DOE system
• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers
• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity
12. What happens to the stolen data?
• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money
• Lucrative scams like tax identity fraud
17. An overwhelming problem?
• Not if we analyze security incidents
• 2014 Verizon Data Breach Investigation Report
• 92% of incidents categorized into 9 patterns
– True for 100,000 incidents over 10 year period
– True for 95% of breaches in the last 3 years
18. The Big 9
• Point-of-sale intrusions
• Web app attacks
• Insider/privilege misuse
• Physical theft and loss
• Miscellaneous errors
• Crimeware
• Payment card skimmers
• Denial of service
• Cyber-espionage
• Everything else
19. Industry sectors not affected equally
• Just 4 main patterns where victim industry = Public
• [Chart, share of public sector incidents by pattern: Miscellaneous 34%; Insider Misuse 24%; Crimeware 21%; Theft/Loss 19%; Everything Else 2%]
• 2014 Verizon Data Breach Investigation Report
20. Let’s count down the top 4
• Miscellaneous
• Insider and privilege misuse
• Crimeware
• Physical theft/loss
• Everything else
21. Pattern #4: Physical theft and loss
• Cause of 19% of public sector security incidents
• It’s people!
• Screen, educate, supervise
• Reduce impact by using encryption
• [Chart, assets involved in theft/loss incidents (count): Other 892; Laptop 308; Documents 140; Desktop 108; Flash drive 102; Other 39; Tapes 36; Database 11]
• 2014 Verizon Data Breach Investigation Report
22. Pattern #3: Crimeware
• Accounts for 21%
• It’s people abusing technology
• Can be solved with the right anti-malware strategy
• Endpoint AND server scanning
• [Chart, crimeware infection vectors: Web drive-by 43%; Web download 38%; Network propagation 6%; Email attachment 5%; Email link 4%; Download by malware 2%; Other 2%; Remote injection 1%; Unknown 1%; Removable media 1%]
• 2014 Verizon Data Breach Investigation Report
23. Pattern #2: Insider and privilege misuse
• 24% of incidents
• Again it’s people!
• Can be fixed!
– Education
– Awareness
– Screening
• [Chart, role of the insider actor: Cashier 23%; End-user 17%; Finance 13%; Manager 13%; Call center 9%; Executive 7%; Other 7%; Developer 6%; System admin 6%; Auditor 1%]
• 2014 Verizon Data Breach Investigation Report
24. Pattern #1: Miscellaneous Errors
• 34% of incidents
• Human error!
• Can be fixed!
– Training
– Awareness
– Oversight
• [Chart, variety of error: Misdelivery 44%; Publishing error 22%; Disposal error 20%; Misconfiguration 6%; Malfunction 3%; Programming error 3%; Gaffe 1%; Omission 1%; Other 1%; Maintenance error 0.5%]
• 2014 Verizon Data Breach Investigation Report
25. Strategy for doing better
• Technologies and people working together
• If they don’t, you get: Target
– Malware was detected
– Exfiltration detected
– But nobody reacted
– Training and awareness?
– Clearly lacking
26. Security training and awareness
• You need both, but what’s the difference?
• Training
– Ensure people at different levels of IT engagement have the knowledge they need
• Awareness
– Ensure all people at all levels know the threats and the defensive measures they must use
27. Who gets trained?
• Everyone, but not in the same way:
– All-hands training
– IT staff training
– Security staff training
28. How to deliver training
• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative
29. Incentives?
• They work!
– Drive engagement
– Encourage compliance
• But need reinforcement
– Security in job descriptions
– Evaluations
– Rewards
30. Use your internal organs
• Of communication!
• Newsletter
• Internal social media
• Physical posters
• Add to meeting agendas
• Email blasts
31. How to do awareness
• Make it fun
• Make it relevant
• Leverage the news
• Remember:
– Everyone now has a vested interest in staying current on threats to their/your data
32. Awareness example: phish traps
• Train on phishing
• Send out a phishing message
• Track responses
• Report card and re-education
– No naming & shaming
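The "track responses" and "report card and re-education" steps, as an added example that is not code from the talk or from ESET. It assumes the phishing-simulation tool can export one row per recipient (an opaque user id, team, and opened/clicked/reported flags); the rows below are constructed. The report card that gets circulated carries only team-level rates, while the list of people who clicked goes separately to the training owner, which is how the "no naming & shaming" rule is kept.

```python
"""Phish-trap report card (added example, not from the talk).

Assumes a simulation export of one row per recipient; sample rows are
constructed. Aggregates are shared; individual names are not.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    user: str       # hypothetical opaque user id
    team: str
    opened: bool
    clicked: bool   # followed the link in the simulated phishing message
    reported: bool  # forwarded/flagged the message to security


# Constructed results for a first (baseline) simulated campaign.
BASELINE = [
    Response("u001", "finance", True, True, False),
    Response("u002", "finance", True, False, True),
    Response("u003", "finance", False, False, False),
    Response("u004", "it", True, False, True),
    Response("u005", "it", True, True, True),   # clicked, then reported it
    Response("u006", "hr", True, True, False),
    Response("u007", "hr", True, True, False),
    Response("u008", "hr", True, False, False),
]

# Constructed results for the follow-up campaign after re-education.
FOLLOW_UP = [
    Response("u001", "finance", True, False, True),
    Response("u002", "finance", True, False, True),
    Response("u003", "finance", True, False, False),
    Response("u004", "it", True, False, True),
    Response("u005", "it", True, False, True),
    Response("u006", "hr", True, True, False),
    Response("u007", "hr", True, False, True),
    Response("u008", "hr", True, False, True),
]


def _pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when nothing was sent."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def report_card(results):
    """Team-level report card: {team: {"sent", "click_rate", "report_rate"}}.

    Only aggregates leave this function, so the card can be shared widely
    without naming anyone.
    """
    by_team = defaultdict(list)
    for r in results:
        by_team[r.team].append(r)
    card = {}
    for team, rows in sorted(by_team.items()):
        card[team] = {
            "sent": len(rows),
            "click_rate": _pct(sum(r.clicked for r in rows), len(rows)),
            "report_rate": _pct(sum(r.reported for r in rows), len(rows)),
        }
    return card


def reeducation_list(results):
    """User ids to enrol in follow-up training: everyone who clicked.

    Kept separate from the report card; this list goes to the training
    owner only, not to the whole organisation.
    """
    return sorted({r.user for r in results if r.clicked})


def click_rate_change(before, after):
    """Per-team change in click rate (percentage points) between campaigns."""
    b, a = report_card(before), report_card(after)
    return {team: round(a[team]["click_rate"] - b[team]["click_rate"], 1)
            for team in b if team in a}


if __name__ == "__main__":
    for team, row in report_card(BASELINE).items():
        print(f"{team:8} sent={row['sent']} click={row['click_rate']}% "
              f"report={row['report_rate']}%")
    print("re-education (private):", reeducation_list(BASELINE))
    print("change after re-education:", click_rate_change(BASELINE, FOLLOW_UP))
```

The report rate is tracked alongside the click rate because a rising report rate is the clearest sign the awareness programme is working, even before clicks fall to zero.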