Corporate cybercrime is usually blamed on outsiders, but sometimes your employees can represent the biggest threat to your organization’s IT security. In this presentation, Kaspersky Lab’s Mark Villinski will provide practical advice for educating your employees about cybersecurity. Attend to learn:
• How to create efficient and effective security policies
• Overview and statistics of the current threat landscape
• The importance of keeping your employees updated about the latest threats and scams
• Security solutions that can help keep your systems updated and protected
2. Why do we have to educate employees about cybersecurity?
3. 2015 Corporate Threats Survey
http://media.kaspersky.com/en/IT_Security_Risks_Survey_2015_Global_report.pdf?_ga=1.57626858.1152823312.1404311525
• 90% of businesses experienced some form of external threat
• Nearly 46% of companies lost confidential data as the result of a security incident
• Average direct cost of a security breach:
– $38K for SMBs
– $551K for Enterprise
5. PERCEPTION VS. REALITY
B2B International and Kaspersky Lab, “IT Security Threats and Data Breaches,” October, 2014.
REALITY TODAY
6. How bad is it out there?
Malware
1994: One new virus every hour
2006: One new virus every minute
2011: One new virus every second, or 70,000 samples/day
Kaspersky Lab is currently processing 310,000 unique malware samples EVERY DAY
7. The Basic Theory for Staying Secure
Simple math for advanced protection…
(Chart axes: Investment in Security vs. Chance of getting infected)
The chance of getting infected drops exponentially while the cost of an attack increases linearly
8. Tip #1: Regularly talk to employees about cybersecurity.
Explain the potential impact a cyberincident may have on company operations
An annual review and signing of an “I have read and understood company IT policies” form is not enough!
10. Tip #2: Remember that top management and IT staff are employees too!
Top managers are often targeted because:
They have access to more information
IT bends the rules for them
The damage/payoff can be much bigger!
IT folks are vulnerable, too
Unlimited power over the network!
11. Tip #2: Remember that top management and IT staff are employees too!
12. Tip #3: Explain to the employees that while you make the best effort to secure company infrastructure, a system is only as secure as the weakest link
You don’t want them to just comply, you want them to cooperate
You can’t create a policy sophisticated enough to cover all possible vectors of attack
You can’t totally dehumanize humans. Humans have weaknesses and make mistakes.
13. Tip #4: Have regular focused sessions with employees to explore different types of cyberattacks
Consider different formats (lunch and learn?)
Make it useful
Most of them have PCs at home and relatives who also need help
Make it relevant and responsive to real-world examples
Notice how much more often these topics hit the nightly news
Those topics are big on social networks!
14. Malware - What is it?
Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
Characteristics:
– Single instance signature to evade anti-virus
– Activates programmatically
– Connects to a Command & Control Center
– Keylogger, Ransomware, Remote Access Tool (RAT), and Man in the Browser
Once a system is owned, it can’t be restored.
15. Phishing Prevention - The 100% rules!
• Never click a link in an email
• Never open unexpected attachments
• Never provide information, no matter how innocuous it may seem, to unsolicited phone callers, visitors or email requests
• Never agree to an unsolicited remote control session (such as WebEx, GoToMeeting, LogMeIn)
• Your best defense: “Can I call you back?”
16. Phishing Prevention - The 100% rules!
July 2012 – Yahoo Passwords Hacked
435,000 usernames and passwords hacked. Particularly troubling? The login credentials are in plaintext, not even encrypted.
TOP TEN PASSWORDS FROM THE YAHOO HACK
1) 123456 (38%)
2) password (18%)
3) welcome (10%)
4) ninja (8%)
5) abc123 (6%)
6) 123456789 (5%)
7) 12345678 (5%)
8) sunshine (5%)
9) princess (5%)
10) qwerty (4%)
17. Ransomware
• More than 40% of CryptoLocker victims agreed to pay
• A Dell SecureWorks report estimates that ransomware rakes in $30 million every 100 days
• Expanding victim base means unlimited financial potential
20. How did this happen?
• Trickery. A spear-phishing attack.
People were tricked by a believable e-mail message into giving their passwords to the bad guys
• Spear-phishers and their tactics
Message crafted for ABC University
Sent to a small number of selected people
Strike on weekends & holidays, when you are less protected
• Goals
To collect information that will let them steal money: passwords, social security numbers, bank account or credit card numbers
26. Impact to people and ABC University
• The University was able to recover a good portion of the money
• Anyone can fall for a clever phishing scam
• The University did replace paychecks
This would be very challenging on a large scale
27. Lessons learned
• Understand how to know if you are at the real University web login, or a clever fake
• Learn how to analyze email messages to detect ones that are malicious
• Find out how to protect yourself and your devices from cyber threats
• Know common scams
28. Tip #5: Pay special attention to social engineering
A lot of cyberincidents start with a phone conversation with someone who poses as a co-worker and builds his understanding of company internal structure and operations by asking innocent questions
A cybercriminal exploiting social weaknesses almost never looks like one
31. The Importance of Securing Computers/Workstations
Windows: [Windows key] + <L>
Mac:
• Enable screensaver
• Check the “Require password to quit screensaver” check box
32. Tip #6: Train your employees to recognize an attack
Communicate clear-cut step-by-step instructions on what to do if an employee believes there’s a cyber incident happening
If you are not trained, you will get lost when the “show” starts
33. Training should involve things like:
Unplug your machine from the network (physically)
Notify your administrator
Remember that any and every keystroke can be sent to cyber criminals by a keylogger
If you can’t find your mobile device – immediately notify your administrator
Emergency Number - if you can’t find your IT emergency number in under 20 seconds, you are doing it wrong
…and so on
34. Tip #7: Never disapprove or make fun of an employee who raises a red flag
…even if it is a false alarm – this will discourage employees from raising the alarm when a real cyberattack comes
I mean NEVER
If false alarms come often, improve the training approach
35. Tip #8: In case of an incident give your employees a heads up
Even if an incident has happened already, improper handling may (significantly) increase impact
Issue an instruction on how to speak to public/press about the incident
Have a plan in place BEFORE anything happens
Get insurance for cyber-incidents
36. Tip #9: Test knowledge
Regularly
Make it relevant – remember they live digital lives. It matters!
Make it fun. Or rewarding. Or fun and rewarding.
40. Are you cyber savvy?
https://blog.kaspersky.com/cyber-savvy-quiz/
41. Tip #10: Listen to feedback
If you force employees to change passwords every week, be prepared that they will write them down and post them in their work place
If access to something they need for work is too complicated, they will use personal email, USB sticks or fellow employees to bypass the restrictions
If something is out of balance, this will trigger unsafe behavior. Listening to feedback is learning the root cause of that
42. Systems Management & Actionable Patching
VULNERABILITY SCANNING: HW and SW inventory; Multiple vulnerability databases
REMOTE TOOLS: Install applications; Update applications; Troubleshoot
LICENCE MANAGEMENT: Track usage; Manage renewals; Manage license compliance
NETWORK ADMISSION CONTROL (NAC): Guest policy management; Guest portal
ADVANCED PATCHING: Automated prioritization; Reboot options
SYSTEM PROVISIONING: Create images; Store and update; Deploy
43. Whitelisting & Application Control
DEVICE CONTROL
WEB CONTROL
APPLICATION CONTROL WITH DYNAMIC WHITELISTING
44. Encryption & Data Protection
(Diagram: Inside the Network / Outside the Network)
If cybercriminals seize control of the system and penetrate the corporate network, they may try to exfiltrate sensitive data such as configuration files, private keys and source code.
However, even if the criminals manage to download something, they will not be able to read the content of the encrypted files.