This document discusses strategies for improving security awareness and practices among employees and organizations. It addresses issues like uninformed employees falling for phishing scams, securing home networks and devices, and ensuring new applications developed during business pivots are secure. The key recommendations are to educate employees and software teams, implement defense in depth with tools like two-factor authentication and encryption, and address security throughout the software development lifecycle when creating new applications and integrating third-party software.
Wfh security risks - Ed Adams, President, Security Innovation
1. 1
• Securing software in all the challenging places….
• ….while helping clients get smarter
Assessment: show me the gaps
Standards: set goals and make it easy
Education: help me make good decisions
Over
3 Million
Users
Authored
18
Books
Named
6x
Gartner MQ
About Security Innovation
2. 2
• CEO by day; engineer by trade (and heart)
• Mechanical Engineer, Software Engineer
• Ponemon Institute Fellow
• Privacy by Design Ambassador, Canada
• In younger days, built non-lethal weapons
systems for Federal Government
About Me
3. 3
My Topics
Ø Uninformed Employees
Ø Home Networks and Practices
Ø Insecure Applications as Enterprises Pivot
5. 5
Security is Fundamentally a People Problem
• Email is an attack vector in 96% of incidents with social actions*
• Increase in phishing scams with COVID-19 WFH
• Spear, Pharming, SMiShing, Spy-Phishing, Vishing, Whaling, etc
• Plethora of info on web and social networks is making it easy
• Education is helping but unrealistic users won’t click in mass phishing campaign
• 4% of people will fall for any given phish*
• Anti-virus/malware is helping but
• Sophisticated techniques are circumventing it and prolonging exposure time
• Doesn’t help social engineering and credential theft
Small adjustments in user behavior has a large impact on security & privacy
* Verizon Data Breach Investigations Report
6. 6
Defense In Depth
• Often the goal is to gain initial entry to the network, then do
more damage
• For an attack to be successful, it must complete three steps:
1. Email must make its way through the gateway to the user's inbox
2. User must successfully execute the payload
3. Payload must successfully communicate with external command/control
server
• During each step, there are defenses to thwart the attack and
minimize impact
• Informed staff can serve as a human firewall
• Reduced attack surface keeps doors to a minimum
• Mitigating controls can prevent, delay and detect
7. 7
Using a Password Manager
• You only need to remember ONE password for all your sites
§ Make it a good one
• Uses very strong encryption to protect passwords
• Auto-fill forms, auto-capture passwords, 2-factor
authentication support, etc.
• I use Password Safe but there are other good ones, too:
§ LastPass
§ Dashlane
§ Password Boss
§ https://haveibeenpwned.com/
8. 8
Leverage Email Client Settings
• Some mail clients allow you to mark any email to/from people outside of your organization
• Use digital signatures so recipient knows it’s you sending the mail
9. 9
• Those annoying “update” notifications
§ Ignore at your own risk
§ >90% successful attacks exploit unpatched software*
§ Equifax breach anyone?
• What about safe texting/browsing
§ Disable message preview
§ Use private browsing for
o Sites you don’t want “remembered” e.g., banking
o Any shared device (including giving a friend your phone)
• Location services
Safe Texting/Browsing
* sources: Ponemon Institute, Verizon, Gartner
10. 10
Insecure Wi-Fi Comes at a Cost
Convenience often outweighs consequence
• Home Wi-Fi should be password protected (the stronger the better)
• “Evil Twin” attack: Hi1ton Free Wi-Fi
• FireSheep: automated cookie stealing
§ https://en.wikipedia.org/wiki/Firesheep
Counter-measures:
• Use HTTPS and/or VPN https://www.pcmag.com/picks/the-best-vpn-services
• Avoid public Wi-Fi for online shopping, banking
• Turn off the automatic Wi-Fi connectivity feature
on your phone, so it won’t automatically seek out hotspots
• Buy an unlimited data plan for your device and stop using public Wi-Fi altogether
• Implement two-factor authentication when logging into sensitive sites even if malicious
users have password they won’t be able to log in
11. 11
Use 2-Factor Authentication
What is 2-factor authentication (aka 2FA)?
• Pick 2: something you know, possess, or are
• Examples: Password+PhoneCode or
Password+Fingerprint
Why is 2FA Important?
• Avoid single point of failure
• Not necessary for all sites, but ones with sensitive
data… oh yeah!
• Can help thwart many phishing attacks
*Not all sites/apps support 2FA
12. 12
Lock, Encrypt & Back Up Your Devices
Threats
• Lost or stolen device results in
§ all data being lost/compromised
§ ability to impersonate you
§ ability to log into your accounts
• Local/online backup (encrypted!)
• Full disk encryption (often enabled by default
with devices password/setup)
• Use and test a “lost my device” app
§ Enable remote wipe capabilities (never guaranteed)
Defenses
I sign and encrypt every message I can!
- so recipient knows I am sender
- so if it’s stolen it’s gibberish
- …consider how it travels
14. 14
Today’s IoT Devices
• Devices are still devices, but…
• Run on LOTS of code; made to serve single/multiple purposes
• Real-time changes; no “wait for compile” and see
• Make changes from anywhere via cellular or wifi connection
• Sharing data is instantaneous and digital
15. 15
Recent IoT Trouble
Consumer & Medical Devices
• 465,000 vulnerable pacemakers from St. Jude
• Implantable cardiac devices have vulnerabilities
• Unauthorized remote access
• Deplete battery, change pacing, or deliver shocks
• Owlet WiFi Baby Heart Monitor
• Alerts parents when babies have heart troubles
• Connectivity element makes them exploitable
Best intentions exploited via careless manufacture configuration
16. 16
Dyn DDoS Attack: A not so oldie but goodie
• Domain Name System (DNS) service disrupted
• Affected nearly 1/3 of all Internet users in US and Europe
• No access to (short list):
• Amazon.com
• Comcast
• DirecTV
• GitHub
• Netflix
• Twitter
• PayPal
• Starbucks
• Verizon
• Visa
• Walgreens
• Xbox Live
• PlayStation Network
• iHeart Radio
• BBC
• NY Times
• GrubHub
• Slack
Millions of IoT Devices (printers, IP cameras, baby monitors) infected
with Mirai malware and used to flood Dyn with traffic (DDoS)
17. 17
Smart Home Devices
• Consider disconnecting for
sensitive business, e.g., legal
• Some are always in “listen” mode
• Require authorization
• To access device
• For device to access home Wi-Fi
• Put them all on a separate
network (or segment)
19. 19
Businesses Pivot to Conduct More Online
• Creating and Deploying New Software Applications
• Curbside pickup/delivery
• Customer self-service
• Support staff no longer in secure call centers
• Web applications have become the #1 target for the
exploitation of vulnerabilities*
• 20.4%: Share of web traffic carrying malicious bots*
Need to secure software never greater than right now
*https://techbeacon.com/security/31-cybersecurity-stats-matter
20. 20
Education & Guidance
• Train your team to understand the implications of insecure
applications to prevent code- and business- logic mistakes
• InfoSec & GRC
• Executive
• Technical/Practitioner (Dev, IT, Audit)
• Arm your personnel with knowledge and resources to design,
develop, and deploy software securely
• Train staff to “think like an attacker”
• Reducing attack vectors is everyone’s responsibility
• Hands on simulations are most effective at fostering this attitude
21. 21
Training Software Teams on Security – from Gartner
• InfoSec team can help, but not scalable
• Practitioners can serve as mentors
• Determine when to engage the security team
• Single point of contact w/in their group
• Clearly define goals and responsibilities
• Conduct and/or verify security reviews
• Guard and promote “best practices”
• Raise issues for risks in existing/new software
• Build threat models for new features
• Should be knowledgeable (and passionate)
about software engineering
Gartner Report: 3 Steps to Integrate Security Into DevOps:
https://web.securityinnovation.com/gartner-report-devops
22. 22
COTS: Co-Owning the Software
• 73% of breaches from 3rd-party ecosystem
• Quest Diagnostics: hacker accessed data via billing collections software
• Facebook: passwords & email addresses exposed via 3rd party app
• Focus Brands: Point of Sale (PoS) software hacked
• Target fined and sued
• Point of entry was 3rd-party HVAC vendor software
• Ruling is they failed to identify and mitigate data risks
• Can’t just rely on patching - vendor can’t anticipate all deployed scenarios
• Inaccessibility to code forces you to take a more risk-based approach
• Need to train ALL stakeholders from requirement definition to live deployment
*2019 Verizon Data Breach Report:
23. 23
Final Thoughts
• People can be critical elements of a proper defense – treat them like other IT defenses
• The are distributed across the network like sensors
• They can act like firewalls, allowing or blocking attacks
• They can detect attacks and raise alarms
• They need “configuration and patching”
• Reduce smart device access during WFH
• Segment or remove
• Secure with authorizations
• Train software teams on security
• New Apps = New Threats
• All stakeholders need education (not just developers)
• Understand attacker techniques to build situational awareness
24. 24
How Can We Help?
DevOps/SDLC Risk Review
• Fill compliance gaps with tools,
activities and skills
• Roadmap with optimal sequencing
Computer Based Training
• Specific to DevOps roles
• Covers all major technologies,
roles, frameworks
Cyber Range
• Turn-key, fun
• Automated scoring
• Real-world applications,
platforms, systems