SlideShare ist ein Scribd-Unternehmen logo
1 von 41
Downloaden Sie, um offline zu lesen
Security 101
Training, awareness, and strategies
Stephen Cobb, CISSP
Senior Security Researcher
ESET NA
The SMB Sweet Spot for the
cyber-criminally inclined
Enterprises
SMB
“Sweet Spot”
Consumers
Assets
worth
looting
Level of protection
The challenge
• Organizations of every type rely on
computers to handle information
• Everyone today is a computer user
• Most have no security training
• Lack of security
training leads
to problems
How big is the challenge
We asked U.S. consumers if they had ever
received any computer security training
No:
68%
Yes:
32%
*Savitz Research for ESET, 2012
68% is sadly consistent
We asked working adults in the U.S. if they had
ever received any computer security training
No:
68%
Yes:
32%
*Harris poll for ESET, 2012
73% is even worse
We asked adults in U.S. who use social media if
they had ever received online safety training
No:
73%
Yes:
27%
*Harris poll for ESET, 2012
Security training is not yet part
of our society*
• This has serious implications for your
business
• 93% of American adults say they’ve
had no computer security training in
the last 12 months
• How many of them work for you, or for
your clients, suppliers, etc?
*Savitz Research for ESET, 2012
Some problems that lack of security
training can cause
• Unauthorized access to information
• Loss of access to information
• Loss of information
• Corruption of information
• Theft of information
The implications are non-trivial
• Loss of revenue
• Loss of business
• Fines, lawsuits, headlines
• Unbudgeted expenses
– Breach costs currently estimated at
around $190 per record exposed*
– 5,263 records = $1 million hit
*Ponemon Institute
Trojan terminates escrow firm
• $1.1 million wired to China and could
not be retrieved
• Firm was closed by state law, now in
receivership, 9 people out of a job
• So what’s the best weapon for keeping
that kind of Trojan code out of your
company’s system?
A well-trained workforce
• Knows not to click on suspicious links
in email or social media
• Knows to report strange activity (e.g.
the two-factor authentication not
working)
• Knows to scan all incoming files for
malware
– Email, USB drives
Does training make a difference?
• Yes
• A significant percentage of problems
can be averted, or their impact
minimized, if more employees get
better security training and education*
*A bunch of different studies in recent years
Security training or awareness
• What’s the difference?
• Training makes sure people at different
levels of IT engagement have the right
knowledge to execute their roles
securely
• Awareness makes sure all people at all
levels know what to look out for
Not that kind of actor…
Do your employees know what
motivates bad actors?
IMPACTADVANTAGEMONEY
CREDENTIALS
Do you know how the bad guys
operate?
Taken to exploit site
Malware server
Popular
Attack
Technique
!?**!
User clicks a link Gets infected/owned
Command & Control
Cyber Security 101: Training, awareness, strategies for small to medium sized business
Cyber Security 101: Training, awareness, strategies for small to medium sized business
• RAT has full access to victim PC
• And its network connections
• Search and exfiltrate files
• Access to webcam and audio
• Scrape passwords
• Execute system functions
• Chat with victim
What happens next?
Cyber Security 101: Training, awareness, strategies for small to medium sized business
Cyber Security 101: Training, awareness, strategies for small to medium sized business
Cyber Security 101: Training, awareness, strategies for small to medium sized business
So how do we move forward?
The road map: A B C D E F
• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy controls
• Educate employees, execs, vendors
• Further assess, audit, test
A B C D E F
F E D C B A
Technology
Assess assets, risks, resources
• Assets: digital, physical
– If you don’t know what you’ve got you
can’t protect it!
• Risks
– Who or what is the threat?
• Resources
– In house, hired, partners, vendors,
trade groups, associations
Build your policy
• Security begins with policy
• Policy begins with C-level buy-in
• High-level commitment to protecting
the privacy and security of data
• Then a set of policies that spell out the
protective measures, the controls that
will be used
Choose controls to enforce policies
• For example:
– Policy: Only authorized employees can
access sensitive data
– Controls:
• Require identification and authentication of
all employees via unique user name and
password
• Limit access through application(s) by
requiring authentication
• Log all access
Deploy controls, ensure they work
• Put control in place; for example,
antivirus (anti-malware, anti-phishing,
anti-spam)
• Test control
– Does it work technically?
– Does it “work” with your work?
– Can employees work it?
Educate everyone
• Everyone needs to know
– What the security policies are
– How to comply with them through
proper use of controls
• Pay attention to any information-
sharing relationships
– Vendors, partners, even clients
• Clearly state consequences of failure
to comply
Who gets trained?
• Everyone, but not in the same way,
break it down:
– All-hands training
– IT staff training
– Security staff training
How to deliver training
• In person
• Online
• On paper
• In house
• Outside contractor
• Mix and match
• Be creative
Incentives?
• Yes!
• To launch programs, push agendas
• Prizes do work
• But also make security part of every
job description and evaluation
Use your internal organs
• Of communication!
• Newsletter
• Intranet
• Bulletin board
• Meetings
• Company-wide email
How to do awareness
• Make it fun
• Make it relevant
• Leverage the news
• Bear in mind that everyone benefits
from greater awareness, at work and at
home
Resources to tap
• Industry associations
• FS-ISAC, NH-ISAC, others
• CompTIA, SBA, BBB
• ISSA, ISACA, SANS, (ISC)2
• Local colleges and universities
• Securing Our eCity
Need more motivation?
• Security training is the law
– HIPAA
– Red Flag Identity Theft Prevention
– Gramm-Leach-Bliley, Sarbanes-Oxley
– FISMA
• Or required by industry
– PCI Data Security Standard
Or just plain required
• To get that big juicy contract
• Many companies now require suppliers
to certify that they have security
training and awareness programs in
place as a condition of doing business
Further assess, audit, test…
• This is a process, not a project
• Lay out a plan to assess security on a
periodic basis
• Stay up-to-date on emerging threats
• Stay vigilant around change such as
arrivals, departures, functionality
A B C D E F
F E D C B A
Backup and archive
Firewall
and scan:
Incoming traffic
emails
files
devices
media
Encrypt
Monitor
Filter and
monitor
outbound
Authenticate
users
The Technology Slide
Thank you!
• stephen.cobb@eset.com
• WeLiveSecurity.com
• www.eset.com
• More info in the lobby

Weitere ähnliche Inhalte

Was ist angesagt?

Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@R_Yanus
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Programdavidcurriecia
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness ProgramBill Gardner
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness TrainingJen Ruhman
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalAtlantic Training, LLC.
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 
Information Security Awareness for everyone
Information Security Awareness for everyoneInformation Security Awareness for everyone
Information Security Awareness for everyoneYasir Nafees
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness Net at Work
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awarenessJason Murray
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...David Menken
 
Cybersecurity tips for employees
Cybersecurity tips for employeesCybersecurity tips for employees
Cybersecurity tips for employeesPriscila Bernardes
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness SnapComms
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information SecurityKen Holmes
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Cybercrime and Security
Cybercrime and SecurityCybercrime and Security
Cybercrime and SecurityNoushad Hasan
 

Was ist angesagt? (20)

Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness Program
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
Information Security Awareness for everyone
Information Security Awareness for everyoneInformation Security Awareness for everyone
Information Security Awareness for everyone
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Cyber security training
Cyber security trainingCyber security training
Cyber security training
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
 
Cybersecurity tips for employees
Cybersecurity tips for employeesCybersecurity tips for employees
Cybersecurity tips for employees
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information Security
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Basic Security Training for End Users
Basic Security Training for End UsersBasic Security Training for End Users
Basic Security Training for End Users
 
Cybercrime and Security
Cybercrime and SecurityCybercrime and Security
Cybercrime and Security
 

Andere mochten auch

End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityAtlantic Training, LLC.
 
Security Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by PedrazaSecurity Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by PedrazaAtlantic Training, LLC.
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeAtlantic Training, LLC.
 
Security Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana ChapterSecurity Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana ChapterAtlantic Training, LLC.
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for studentsKandarp Shah
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security pptLipsita Behera
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationBijay Bhandari
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3Tanmay Shinde
 
Computer Malware
Computer MalwareComputer Malware
Computer Malwareaztechtchr
 
Cyber security
Cyber securityCyber security
Cyber securitySiblu28
 
Cybercrime.ppt
Cybercrime.pptCybercrime.ppt
Cybercrime.pptAeman Khan
 
Trustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education CatalogTrustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education CatalogTrustwave
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
Social Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingSocial Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingDepartment of Defense
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Cyber Awareness presentation for Parents
Cyber Awareness presentation for Parents Cyber Awareness presentation for Parents
Cyber Awareness presentation for Parents lisluandaprimary
 

Andere mochten auch (20)

End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier University
 
Security Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by PedrazaSecurity Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by Pedraza
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
 
Security Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana ChapterSecurity Awareness Training by HIMSS Louisiana Chapter
Security Awareness Training by HIMSS Louisiana Chapter
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for students
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
Computer Malware
Computer MalwareComputer Malware
Computer Malware
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cybercrime.ppt
Cybercrime.pptCybercrime.ppt
Cybercrime.ppt
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
 
Trustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education CatalogTrustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education Catalog
 
Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.ppt
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
Social Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingSocial Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness Briefing
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Cyber Awareness presentation for Parents
Cyber Awareness presentation for Parents Cyber Awareness presentation for Parents
Cyber Awareness presentation for Parents
 

Ähnlich wie Cyber Security 101: Training, awareness, strategies for small to medium sized business

Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityStephen Cobb
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingKimberly Hood
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance programSiddharth Janakiram
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?PECB
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessArt Ocain
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataStephen Cobb
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest riskEvan Francen
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessCBIZ, Inc.
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...Stephen Cobb
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceSurfWatch Labs
 

Ähnlich wie Cyber Security 101: Training, awareness, strategies for small to medium sized business (20)

Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber Security
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance program
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
 
Team black
Team blackTeam black
Team black
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient Data
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest risk
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security Awareness
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
How To Become An IT Security Risk Analyst
How To Become An IT Security Risk AnalystHow To Become An IT Security Risk Analyst
How To Become An IT Security Risk Analyst
 
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
Using Technology and Techno-People to Improve your Threat Resistance and Cybe...
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
13734729.ppt
13734729.ppt13734729.ppt
13734729.ppt
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
IT & Network Security Awareness
IT & Network Security AwarenessIT & Network Security Awareness
IT & Network Security Awareness
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 

Mehr von Stephen Cobb

Cybercrime-as-health-crisis-shared.pptx
Cybercrime-as-health-crisis-shared.pptxCybercrime-as-health-crisis-shared.pptx
Cybercrime-as-health-crisis-shared.pptxStephen Cobb
 
Cybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and CommunicationCybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and CommunicationStephen Cobb
 
What Makes a Good CISO
What Makes a Good CISOWhat Makes a Good CISO
What Makes a Good CISOStephen Cobb
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills GapStephen Cobb
 
Security and Wearables: Success starts with security
Security and Wearables: Success starts with securitySecurity and Wearables: Success starts with security
Security and Wearables: Success starts with securityStephen Cobb
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityStephen Cobb
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technicalStephen Cobb
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?Stephen Cobb
 
2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-securityStephen Cobb
 
NCSAM = Cyber Security Awareness Month: Trends and Resources
NCSAM = Cyber Security Awareness Month: Trends and ResourcesNCSAM = Cyber Security Awareness Month: Trends and Resources
NCSAM = Cyber Security Awareness Month: Trends and ResourcesStephen Cobb
 
The Evolution of Cybercrime
The Evolution of CybercrimeThe Evolution of Cybercrime
The Evolution of CybercrimeStephen Cobb
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessStephen Cobb
 
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeMalware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeStephen Cobb
 
Malware and the risks of weaponizing code
Malware and the risks of weaponizing codeMalware and the risks of weaponizing code
Malware and the risks of weaponizing codeStephen Cobb
 
Safer Technology Through Threat Awareness and Response
Safer Technology Through Threat Awareness and ResponseSafer Technology Through Threat Awareness and Response
Safer Technology Through Threat Awareness and ResponseStephen Cobb
 
The Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 editionThe Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 editionStephen Cobb
 
Endpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategyEndpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategyStephen Cobb
 
Enjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber CriminalsEnjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber CriminalsStephen Cobb
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage:Where is the cyber workforce of tomorrowCyberskills shortage:Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowStephen Cobb
 
Getting Started with Business Continuity
Getting Started with Business ContinuityGetting Started with Business Continuity
Getting Started with Business ContinuityStephen Cobb
 

Mehr von Stephen Cobb (20)

Cybercrime-as-health-crisis-shared.pptx
Cybercrime-as-health-crisis-shared.pptxCybercrime-as-health-crisis-shared.pptx
Cybercrime-as-health-crisis-shared.pptx
 
Cybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and CommunicationCybersecurity Risk Perception and Communication
Cybersecurity Risk Perception and Communication
 
What Makes a Good CISO
What Makes a Good CISOWhat Makes a Good CISO
What Makes a Good CISO
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills Gap
 
Security and Wearables: Success starts with security
Security and Wearables: Success starts with securitySecurity and Wearables: Success starts with security
Security and Wearables: Success starts with security
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technical
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?
 
2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security
 
NCSAM = Cyber Security Awareness Month: Trends and Resources
NCSAM = Cyber Security Awareness Month: Trends and ResourcesNCSAM = Cyber Security Awareness Month: Trends and Resources
NCSAM = Cyber Security Awareness Month: Trends and Resources
 
The Evolution of Cybercrime
The Evolution of CybercrimeThe Evolution of Cybercrime
The Evolution of Cybercrime
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good Business
 
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeMalware is Called Malicious for a Reason: The Risks of Weaponizing Code
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
 
Malware and the risks of weaponizing code
Malware and the risks of weaponizing codeMalware and the risks of weaponizing code
Malware and the risks of weaponizing code
 
Safer Technology Through Threat Awareness and Response
Safer Technology Through Threat Awareness and ResponseSafer Technology Through Threat Awareness and Response
Safer Technology Through Threat Awareness and Response
 
The Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 editionThe Year Ahead in Cyber Security: 2014 edition
The Year Ahead in Cyber Security: 2014 edition
 
Endpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategyEndpoint and Server: The belt and braces anti-malware strategy
Endpoint and Server: The belt and braces anti-malware strategy
 
Enjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber CriminalsEnjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber Criminals
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage:Where is the cyber workforce of tomorrowCyberskills shortage:Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrow
 
Getting Started with Business Continuity
Getting Started with Business ContinuityGetting Started with Business Continuity
Getting Started with Business Continuity
 

Kürzlich hochgeladen

Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxjayshuklatrainer
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxnaveenithkrishnan
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusSkylark Nobin
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 

Kürzlich hochgeladen (15)

Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptx
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus Bonus
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 

Cyber Security 101: Training, awareness, strategies for small to medium sized business

  • 1. Security 101 Training, awareness, and strategies Stephen Cobb, CISSP Senior Security Researcher ESET NA
  • 2. The SMB Sweet Spot for the cyber-criminally inclined Enterprises SMB “Sweet Spot” Consumers Assets worth looting Level of protection
  • 3. The challenge • Organizations of every type rely on computers to handle information • Everyone today is a computer user • Most have no security training • Lack of security training leads to problems
  • 4. How big is the challenge We asked U.S. consumers if they had ever received any computer security training No: 68% Yes: 32% *Savitz Research for ESET, 2012
  • 5. 68% is sadly consistent We asked working adults in the U.S. if they had ever received any computer security training No: 68% Yes: 32% *Harris poll for ESET, 2012
  • 6. 73% is even worse We asked adults in U.S. who use social media if they had ever received online safety training No: 73% Yes: 27% *Harris poll for ESET, 2012
  • 7. Security training is not yet part of our society* • This has serious implications for your business • 93% of American adults say they’ve had no computer security training in the last 12 months • How many of them work for you, or for your clients, suppliers, etc? *Savitz Research for ESET, 2012
  • 8. Some problems that lack of security training can cause • Unauthorized access to information • Loss of access to information • Loss of information • Corruption of information • Theft of information
  • 9. The implications are non-trivial • Loss of revenue • Loss of business • Fines, lawsuits, headlines • Unbudgeted expenses – Breach costs currently estimated at around $190 per record exposed* – 5,263 records = $1 million hit *Ponemon Institute
  • 10. Trojan terminates escrow firm • $1.1 million wired to China and could not be retrieved • Firm was closed by state law, now in receivership, 9 people out of a job • So what’s the best weapon for keeping that kind of Trojan code out of your company’s system?
  • 11. A well-trained workforce • Knows not to click on suspicious links in email or social media • Knows to report strange activity (e.g. the two-factor authentication not working) • Knows to scan all incoming files for malware – Email, USB drives
  • 12. Does training make a difference? • Yes • A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education* *A bunch of different studies in recent years
  • 13. Security training or awareness • What’s the difference? • Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely • Awareness makes sure all people at all levels know what to look out for
  • 14. Not that kind of actor… Do your employees know what motivates bad actors? IMPACTADVANTAGEMONEY CREDENTIALS
  • 15. Do you know how the bad guys operate?
  • 16. Taken to exploit site Malware server Popular Attack Technique !?**! User clicks a link Gets infected/owned Command & Control
  • 19. • RAT has full access to victim PC • And its network connections • Search and exfiltrate files • Access to webcam and audio • Scrape passwords • Execute system functions • Chat with victim
  • 24. So how do we move forward?
  • 25. The road map: A B C D E F • Assess your assets, risks, resources • Build your policy • Choose your controls • Deploy controls • Educate employees, execs, vendors • Further assess, audit, test A B C D E F F E D C B A Technology
  • 26. Assess assets, risks, resources • Assets: digital, physical – If you don’t know what you’ve got you can’t protect it! • Risks – Who or what is the threat? • Resources – In house, hired, partners, vendors, trade groups, associations
  • 27. Build your policy • Security begins with policy • Policy begins with C-level buy-in • High-level commitment to protecting the privacy and security of data • Then a set of policies that spell out the protective measures, the controls that will be used
  • 28. Choose controls to enforce policies • For example: – Policy: Only authorized employees can access sensitive data – Controls: • Require identification and authentication of all employees via unique user name and password • Limit access through application(s) by requiring authentication • Log all access
  • 29. Deploy controls, ensure they work • Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam) • Test control – Does it work technically? – Does it “work” with your work? – Can employees work it?
  • 30. Educate everyone • Everyone needs to know – What the security policies are – How to comply with them through proper use of controls • Pay attention to any information- sharing relationships – Vendors, partners, even clients • Clearly state consequences of failure to comply
  • 31. Who gets trained? • Everyone, but not in the same way, break it down: – All-hands training – IT staff training – Security staff training
  • 32. How to deliver training • In person • Online • On paper • In house • Outside contractor • Mix and match • Be creative
  • 33. Incentives? • Yes! • To launch programs, push agendas • Prizes do work • But also make security part of every job description and evaluation
  • 34. Use your internal organs • Of communication! • Newsletter • Intranet • Bulletin board • Meetings • Company-wide email
  • 35. How to do awareness • Make it fun • Make it relevant • Leverage the news • Bear in mind that everyone benefits from greater awareness, at work and at home
  • 36. Resources to tap • Industry associations • FS-ISAC, NH-ISAC, others • CompTIA, SBA, BBB • ISSA, ISACA, SANS, (ISC)2 • Local colleges and universities • Securing Our eCity
  • 37. Need more motivation? • Security training is the law – HIPAA – Red Flag Identity Theft Prevention – Gramm-Leach-Bliley, Sarbanes-Oxley – FISMA • Or required by industry – PCI Data Security Standard
  • 38. Or just plain required • To get that big juicy contract • Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business
  • 39. Further assess, audit, test… • This is a process, not a project • Lay out a plan to assess security on a periodic basis • Stay up-to-date on emerging threats • Stay vigilant around change such as arrivals, departures, functionality A B C D E F F E D C B A
  • 40. Backup and archive Firewall and scan: Incoming traffic emails files devices media Encrypt Monitor Filter and monitor outbound Authenticate users The Technology Slide
  • 41. Thank you! • stephen.cobb@eset.com • WeLiveSecurity.com • www.eset.com • More info in the lobby