
WFH Security Risks - Ed Adams, President, Security Innovation


Our security practices need to evolve in order to address the new challenges created by the rapid adoption of technologies and products that enable the world to work from home (WFH). The mantra of the attacker remains consistent -- attack that which yields maximum result -- and that is usually something used by a very large number of users. This webinar discusses the Top 10 Security Gaps that CISOs should be aware of as they brace for long WFH periods.

What you will learn:
- New attack techniques hackers are using to target WFH
- How to handle decentralisation of IT and technology decisions
- Application risks as enterprises pivot to online/new business model(s)
- New risks in the cloud and due to shadow IT
- Security risks due to uninformed employees and their home infrastructure
- How to handle misconfigurations and third-party risks
- How to build a robust breach response and recovery program

Full video: https://youtu.be/bQLfnmhDnQs

Published in: Technology

1. About Security Innovation
   • Securing software in all the challenging places…
   • …while helping clients get smarter
     § Assessment: show me the gaps
     § Standards: set goals and make it easy
     § Education: help me make good decisions
   • Over 3 Million Users
   • Authored 18 Books
   • Named 6x in the Gartner MQ

2. About Me
   • CEO by day; engineer by trade (and heart)
   • Mechanical Engineer, Software Engineer
   • Ponemon Institute Fellow
   • Privacy by Design Ambassador, Canada
   • In younger days, built non-lethal weapons systems for the Federal Government

3. My Topics
   • Uninformed Employees
   • Home Networks and Practices
   • Insecure Applications as Enterprises Pivot
4. Uninformed Employees

5. Security is Fundamentally a People Problem
   • Email is an attack vector in 96% of incidents with social actions*
   • Increase in phishing scams with COVID-19 WFH
     § Spear phishing, pharming, SMiShing, spy-phishing, vishing, whaling, etc.
     § The plethora of info on the web and social networks is making it easy
   • Education is helping, but it is unrealistic to expect that no user will click in a mass phishing campaign
     § 4% of people will fall for any given phish*
   • Anti-virus/anti-malware is helping, but
     § Sophisticated techniques are circumventing it and prolonging exposure time
     § It doesn’t help against social engineering and credential theft
   Small adjustments in user behavior have a large impact on security & privacy
   * Verizon Data Breach Investigations Report

6. Defense In Depth
   • Often the goal is to gain initial entry to the network, then do more damage
   • For an attack to be successful, it must complete three steps:
     1. Email must make its way through the gateway to the user's inbox
     2. User must successfully execute the payload
     3. Payload must successfully communicate with the external command/control server
   • During each step, there are defenses to thwart the attack and minimize impact
     § Informed staff can serve as a human firewall
     § A reduced attack surface keeps doors to a minimum
     § Mitigating controls can prevent, delay and detect

7. Using a Password Manager
   • You only need to remember ONE password for all your sites
     § Make it a good one
   • Uses very strong encryption to protect passwords
   • Auto-fill forms, auto-capture passwords, 2-factor authentication support, etc.
   • I use Password Safe, but there are other good ones, too:
     § LastPass
     § Dashlane
     § Password Boss
     § https://haveibeenpwned.com/

8. Leverage Email Client Settings
   • Some mail clients allow you to mark any email to/from people outside of your organization
   • Use digital signatures so the recipient knows it’s you sending the mail
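The "outside your organization" marking from slide 8 and the first step of the attack chain from slide 6 (the mail reaching the inbox) can be turned into a small header check. This is an added example, not code from the webinar or from Security Innovation; the organization domain, the staff directory and the two sample messages are constructed.

```python
"""External-sender tagging as a mail client or gateway might do it (added example).
Parses constructed RFC 5322 headers and returns the warnings a user should see."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed organization domain

# Constructed directory of display names the organization's users know.
INTERNAL_STAFF = {"Dana Ops": "dana@example.com", "IT Support": "it@example.com"}

# Constructed sample messages (headers only; bodies omitted).
INTERNAL_MSG = "From: Dana Ops <dana@example.com>\nTo: ed@example.com\nSubject: Q3 plan\n\n"
EXTERNAL_MSG = ("From: IT Support <it-support@examp1e.com>\n"   # lookalike domain, constructed
                "Reply-To: helpdesk@mail-reset.net\n"
                "To: ed@example.com\nSubject: Password expiry\n\n")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is no @)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw: str) -> list:
    """Return warning tags for one raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    warnings = []
    # Slide 8: the banner for mail from outside the organization.
    if domain_of(addr) != ORG_DOMAIN:
        warnings.append("EXTERNAL")
    # A Reply-To on a different domain sends the user's answer somewhere else.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        warnings.append("REPLY-TO-MISMATCH")
    # A known colleague's display name on an unfamiliar address.
    known = INTERNAL_STAFF.get(name)
    if known and known.lower() != addr.lower():
        warnings.append("DISPLAY-NAME-SPOOF")
    return warnings
```

The tags are what the client should show next to the message; blocking is a separate gateway decision.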
9. Safe Texting/Browsing
   • Those annoying “update” notifications
     § Ignore at your own risk
     § >90% of successful attacks exploit unpatched software*
     § Equifax breach, anyone?
   • What about safe texting/browsing?
     § Disable message preview
     § Use private browsing for
       o Sites you don’t want “remembered”, e.g., banking
       o Any shared device (including giving a friend your phone)
   • Location services
   * Sources: Ponemon Institute, Verizon, Gartner

10. Insecure Wi-Fi Comes at a Cost
   Convenience often outweighs consequence
   • Home Wi-Fi should be password protected (the stronger the better)
   • “Evil Twin” attack: Hi1ton Free Wi-Fi
   • FireSheep: automated cookie stealing
     § https://en.wikipedia.org/wiki/Firesheep
   Counter-measures:
   • Use HTTPS and/or a VPN (https://www.pcmag.com/picks/the-best-vpn-services)
   • Avoid public Wi-Fi for online shopping and banking
   • Turn off the automatic Wi-Fi connectivity feature on your phone, so it won’t automatically seek out hotspots
   • Buy an unlimited data plan for your device and stop using public Wi-Fi altogether
   • Implement two-factor authentication when logging into sensitive sites; even if malicious users have the password, they won’t be able to log in
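The “Evil Twin” on slide 10 works because “Hi1ton” reads as “Hilton”. The check below, an added example that is not from the webinar, folds common look-alike characters and reports scanned SSIDs that collapse onto a trusted name without matching it exactly; the trusted list, the confusable mapping and the scan results are constructed.

```python
"""Lookalike-SSID detection for the “Evil Twin” case (added example)."""
import unicodedata

# Assumed mapping of digits/punctuation to the letters they are often swapped for.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e",
                             "4": "a", "7": "t", "8": "b", "9": "g", "!": "i"})

TRUSTED_SSIDS = ["Hilton Free Wi-Fi", "Acme-Corp-Guest"]  # constructed allow-list

# Constructed scan result: (SSID, BSSID, encryption).
SCAN = [
    ("Hilton Free Wi-Fi", "aa:bb:cc:00:00:01", "WPA2"),
    ("Hi1ton Free Wi-Fi", "de:ad:be:ef:00:02", "OPEN"),
    ("Acme-Corp-Guest", "aa:bb:cc:00:00:03", "WPA2"),
    ("ACME-C0RP-GUEST", "de:ad:be:ef:00:04", "OPEN"),
    ("CoffeeShop", "aa:bb:cc:00:00:05", "WPA2"),
]


def canonical(ssid: str) -> str:
    """Normalise an SSID so homoglyph substitutions and case/punctuation differences collapse."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in folded.translate(CONFUSABLES) if ch.isalnum())


def lookalikes(scan, trusted):
    """Return (seen_ssid, trusted_ssid) pairs where an observed SSID mimics a trusted one
    but is not spelled identically. Exact matches are not reported."""
    by_canon = {canonical(t): t for t in trusted}
    hits = []
    for ssid, _bssid, _enc in scan:
        match = by_canon.get(canonical(ssid))
        if match and ssid != match:
            hits.append((ssid, match))
    return hits
```

An evil twin can also reuse the trusted SSID exactly; that case is invisible to a name check and needs BSSID and encryption comparison instead.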
11. Use 2-Factor Authentication
   What is 2-factor authentication (aka 2FA)?
   • Pick 2: something you know, possess, or are
   • Examples: Password+PhoneCode or Password+Fingerprint
   Why is 2FA important?
   • Avoid a single point of failure
   • Not necessary for all sites, but for ones with sensitive data… oh yeah!
   • Can help thwart many phishing attacks
   * Not all sites/apps support 2FA

12. Lock, Encrypt & Back Up Your Devices
   Threats
   • A lost or stolen device results in
     § all data being lost/compromised
     § ability to impersonate you
     § ability to log into your accounts
   Defenses
   • Local/online backup (encrypted!)
   • Full disk encryption (often enabled by default with the device password/setup)
   • Use and test a “lost my device” app
     § Enable remote wipe capabilities (never guaranteed)
   I sign and encrypt every message I can!
   - so the recipient knows I am the sender
   - so if it’s stolen it’s gibberish
   - …consider how it travels
13. Home Networks, Devices, and Best Practices

14. Today’s IoT Devices
   • Devices are still devices, but…
   • Run on LOTS of code; made to serve single/multiple purposes
   • Real-time changes; no “wait for compile and see”
   • Make changes from anywhere via a cellular or Wi-Fi connection
   • Sharing data is instantaneous and digital

15. Recent IoT Trouble: Consumer & Medical Devices
   • 465,000 vulnerable pacemakers from St. Jude
     § Implantable cardiac devices have vulnerabilities
     § Unauthorized remote access
     § Deplete battery, change pacing, or deliver shocks
   • Owlet WiFi Baby Heart Monitor
     § Alerts parents when babies have heart troubles
     § Connectivity element makes them exploitable
   Best intentions exploited via careless manufacturer configuration

16. Dyn DDoS Attack: A not-so-oldie but goodie
   • Domain Name System (DNS) service disrupted
   • Affected nearly 1/3 of all Internet users in the US and Europe
   • No access to (short list): Amazon.com, Comcast, DirecTV, GitHub, Netflix, Twitter, PayPal, Starbucks, Verizon, Visa, Walgreens, Xbox Live, PlayStation Network, iHeart Radio, BBC, NY Times, GrubHub, Slack
   Millions of IoT devices (printers, IP cameras, baby monitors) infected with Mirai malware and used to flood Dyn with traffic (DDoS)

17. Smart Home Devices
   • Consider disconnecting for sensitive business, e.g., legal
   • Some are always in “listen” mode
   • Require authorization
     § To access the device
     § For the device to access home Wi-Fi
   • Put them all on a separate network (or segment)
18. Business Pivot: New Apps = New Risks

19. Businesses Pivot to Conduct More Online
   • Creating and deploying new software applications
     § Curbside pickup/delivery
     § Customer self-service
     § Support staff no longer in secure call centers
   • Web applications have become the #1 target for the exploitation of vulnerabilities*
   • 20.4%: share of web traffic carrying malicious bots*
   The need to secure software has never been greater than right now
   * https://techbeacon.com/security/31-cybersecurity-stats-matter

20. Education & Guidance
   • Train your team to understand the implications of insecure applications to prevent code- and business-logic mistakes
     § InfoSec & GRC
     § Executive
     § Technical/Practitioner (Dev, IT, Audit)
   • Arm your personnel with the knowledge and resources to design, develop, and deploy software securely
   • Train staff to “think like an attacker”
     § Reducing attack vectors is everyone’s responsibility
     § Hands-on simulations are most effective at fostering this attitude

21. Training Software Teams on Security – from Gartner
   • The InfoSec team can help, but it is not scalable
   • Practitioners can serve as mentors
     § Determine when to engage the security team
     § Single point of contact within their group
     § Clearly define goals and responsibilities
     § Conduct and/or verify security reviews
     § Guard and promote “best practices”
     § Raise issues for risks in existing/new software
     § Build threat models for new features
     § Should be knowledgeable (and passionate) about software engineering
   Gartner Report: 3 Steps to Integrate Security Into DevOps: https://web.securityinnovation.com/gartner-report-devops

22. COTS: Co-Owning the Software
   • 73% of breaches from the 3rd-party ecosystem*
     § Quest Diagnostics: hacker accessed data via billing collections software
     § Facebook: passwords & email addresses exposed via a 3rd-party app
     § Focus Brands: Point of Sale (PoS) software hacked
   • Target fined and sued
     § Point of entry was 3rd-party HVAC vendor software
     § Ruling is that they failed to identify and mitigate data risks
   • Can’t just rely on patching - the vendor can’t anticipate all deployed scenarios
   • Inaccessibility of the code forces you to take a more risk-based approach
   • Need to train ALL stakeholders, from requirement definition to live deployment
   * 2019 Verizon Data Breach Report

23. Final Thoughts
   • People can be critical elements of a proper defense – treat them like other IT defenses
     § They are distributed across the network like sensors
     § They can act like firewalls, allowing or blocking attacks
     § They can detect attacks and raise alarms
     § They need “configuration and patching”
   • Reduce smart device access during WFH
     § Segment or remove
     § Secure with authorizations
   • Train software teams on security
     § New Apps = New Threats
     § All stakeholders need education (not just developers)
     § Understand attacker techniques to build situational awareness

24. How Can We Help?
   DevOps/SDLC Risk Review
   • Fill compliance gaps with tools, activities and skills
   • Roadmap with optimal sequencing
   Computer Based Training
   • Specific to DevOps roles
   • Covers all major technologies, roles, frameworks
   Cyber Range
   • Turn-key, fun
   • Automated scoring
   • Real-world applications, platforms, systems