Security 101 for No- techies
5 Mar 2017•0 j'aime•156 vues
Télécharger pour lire hors ligne
Signaler
Technologie
Security is now a c-level responsibility and can't just be outsourced to the IT manager. These are slides from a 90 hour session I run for some business owners and C-Levels in July 2016
Brenton JohnsonSuivre
Contenu connexe
En vedette
後期第八回ネットワークチーム講座資料densan_teacher
JeopardyPelon Gonar
Amarillo College Poverty InitiativeSam Smith
Ponemon Institute Data Breaches and Sensitive Data RiskFiona Lew
презентация вороноваyuyukul
4 Rules for Successful Threat Intelligence TeamsRecorded Future
Similaire à Security 101 for No- techies
Tackling data securityPeter Bassill
Information Security in a Compliance WorldEvan Francen
Data Protection, Humans and Common Senseusbcopynotify
Privacy for tech startups Marc Gallardo
Information security challenges in today’s banking environmentEvan Francen
Cyber Security and the Impact on your BusinessLucy Denver
Dernier
Product Research Presentation-Maidy Veloso.pptxMaidyVeloso
Solving today’s Traffic Problems with Sustainable Ride Hailing SolutionOn Demand Clone
EuroBSDCon 2023 - (auto)Installing BSD Systems - Cases using pfSense, TrueNAS...Vinícius Zavam
"Building Asynchronous SOA for Modern Applications", Sai Pragna Etikyala Fwdays
Product Research PresentationDeahJadeArellano
Mule Meetup Calgary- API Governance & Conformance.pdfNithaJoseph4
Security 101 for No- techies
- 3. Introduction to IT Security Understanding the Modern Business Landscape Where IT Leaders are focusing Understanding the core principles of IT Security 3 Focus Areas Ransomware Passwords Wi-Fi Security Short 5 Minute Break Barnier Law Legal Side of IT Security Format
- 4. Before We Start Ground Rules
- 6. Tell me if this is what you hear!
- 7. Slides will be availible afterwards!
- 10. The World Has Changed!
- 15. Top 3 Focus Areas of IT Leaders around the world
- 16. Top Challenges Focus on Users
- 18. “It Takes The Entire Organization— Not Just The Latest Technology—to Keep Sensitive Data And People Safe”
- 19. What’s Your Security Strategy?
- 20. Security Through Risk Management Security Through Obscurity
- 21. Security Through Obscurity • We store our passwords at uptakedigital.com.au/passwords – but no one knows its there so we are safe. • Our staff are good people and would never steal or compromise data in our organisation. • We are only a small business, we are one of millions. who will attack us when they can attack the big targets?
- 22. The End of Security Though Obscurity
- 24. Security Through Risk Management • We use a Password Manager to encrypt, control and store company passwords. • We have strong policies and procedures to protect company information from being compromised • We encrypt our sensitive files to protect our customers information.
- 26. The Two Most Important Ideas of IT Security
- 28. Think Layers
- 29. Think Trust
- 31. Ransomware
- 32. 50% of Hospitals have had Ransomware
- 37. Antivirus doesn’t work like it used to
- 38. Typical Scenario
- 39. • Very Busy • Manages Finances/HR
- 44. Time to Enact The Ransomware Plan
- 45. “No Worries Mate We Will Just Restore the Backup”
- 46. Backup Encrypted
- 48. “You left the backup plugged in, we will have to pay the ransom mate”
- 49. Hello Sir I will help you get the bitcoins you need.
- 51. Files Decrypted
- 53. Preventing and Preparing for a ransomware attack
- 54. First take some preparatory steps • Ransomware DR Plan • Build a strong security stack • Improve IT Planning and Audit Process
- 55. The most important thing • Secure Offsite Backup • Documented Continuity Plan • Regular Backup Testing
- 57. Passwords
- 58. 63% of confirmed data breaches involved hackers leveraging weak, default, or stolen passwords.
- 59. Passwords in the wild Passwords in the Wild
- 60. 174 million passwords cracked in one week
- 61. So what can you do?
- 62. Passwords you need to remember
- 64. Hard to Guess, Not in the PW Dictionary
- 66. Passwords you don’t need to remember
- 67. 100+ Passwords
- 69. Passwords I must memorise • Password Manager (PM) • Laptop Password • Office 365 Password • Phone Lock code Passwords the PM can remember • Banking Password • Mailchimp Password • Facebook Password • Credit Card Details • 100+ other passwords
- 70. Password for my laptop Dish-Tide-Engineer-Horizontal-7 (bad at remembering characters) Password for my zip archive jo&^sNG,j(}Ip|"9jo&^sNG,j(}Ip|"9 (good at remembering characters)
- 71. Password Managers • Store Passwords in an encrypted form • Help come up with passwords on your behalf • Can automatically change passwords for you (and alert you of breaches) • Allow you to share passwords securely • Have reporting mechanisms to alert the organisation to weak passwords
- 77. something you have something you know something you are
- 80. SSO – Single Sign On
- 81. Wi-Fi Security
- 82. Outside of the Office
- 85. Avoid Public Wi-Fi like the plague
- 86. When outside the safety of your firewall…
- 87. Inside of the Office
- 88. Have you ever let an external party on your internal network?
- 91. OPEN, WEP, WPA (insecure) WPA 2 Enterprise (Radius) WPA 2 Personal (PSK)
- 97. Think Layers
- 98. Think Trust
- 99. SECURITY MINDSET
- 100. Any Questions?
- 101. Bulletproof Security for Non-Techs Your Legal responsibility and how to manage it
- 102. Your Business / Company • Sole Trader • Family business • Partnerships • Joint ventures • Companies – small, medium, large
- 103. Your Business / Company Owner / Directors • Sole Trader/ Owner • Partners • Family member management committee • Board
- 104. Your Business / Company Owner / Directors Employees • Family members • Relatives • Staff • Employees • contractors
- 105. Your Business / Company Owner / Directors Employees Customers Your Customers • Customer personal information • Name, address, mobile • Bank Acc. / Credit card details • Age / gender
- 106. The Wake-up Call Here’s the rest of the story...
- 107. Your Business / Company Owner / Directors Employees Customers Duty of Care Duty of Care to keep customer information private: • Likely harm if disclosed (eg. reputational / financial) • Reasonable care to avoid harm by disclosure • Negligence leading to a breach of duty of care
- 108. Your Business / Company Owner / Directors Employees Customers Duty of Care Basic Business Risk: – leak of confidential information, including • customer personal information • trade secrets (eg. suppliers, procedures, client list) • Staff personal information Basic Business Structure
- 109. Your Business / Company Owner / Directors Employees Customers Duty of Care IT Dept / Ext Provider Storing Customer & Business information: • Hardware / Software • Internet / Intranet • Specialist programs / Fire-walls • Information security
- 110. Your Business / Company Owner / Directors Employees Customers Duty of Care IT Dept / Ext Provider Employment Contract Contract Clauses include: • Confidentiality & non disclosure of information • Act honestly & with integrity • Comply with organisation policies / directions
- 111. Your Business / Company Owner / Directors Employees Customers Duty of Care IT Dept / Ext Provider Employment Contract Board Policies • Risk Identification & minimisation • Confidentiality • Code of Conduct • Delegation of Authority & Governance
- 112. Your Business / Company Owner / Directors Employees Customers Duty of Care IT Dept / Ext Provider Employment Contract Board Policies Management Procedures • Confidentiality & Disclosure of information • Privacy Policy / Staff Code of Conduct / Internal Procedures • Intranet / Internet / Email use
- 113. Your Business / Company Owner / Directors Employees Customers Duty of Care IT Dept / Ext Provider Employment Contract Board Policies Management Procedures Elements of reducing your Liability for damages from a breach of the Duty of Care you owe to your Customers
Notes de l'éditeur
- With all of the recent security breaches in the news, it's easy to get caught up in the "technical" side of information security. Sure, there is a lot of work to be done to keep your information safe from hackers and malicious software programs, however, there's another side to the coin, and that's physical security. Many offices don't enforce best practices for physical information security, and frankly may just not be aware of them. As their MSP, your job is to educate them on these best practices, both from a technology standpoint and from a physical standpoint. So, time to put your knowledge to the test. Can you find the 13 security flaws in this picture?
- Understanding the Modern Business Landscape Understanding the core principles of IT Security Where IT Leaders are focusing
- Ask Questions, Challenge Assumptions, Be Brave
- This is a Non Technical Workshop – No Techno Gibber Gabber Allowed!
- If anyone shares anything, its important you keep that confidential.
- Over 90% of you feel SMB's are more or less vulnerable to risk today than it was five years ago. Why?
- Almost all customer information and interactions are digitally recorded. - 1 billion messages are sent between people and businesses each month on Facebook Disruption has forced companies to go digital or go home. This has introduced new challenges around security
- How do we protect users inside and outside the office? How do we streamline processes to allow organisations to move faster than they do now? Agility and Mobility bring new challenges security challenges we haven’t had to deal with before. Example Setting up an instant publishing account within 60 seconds (twitter) Users working outside of the office where a firewall won’t protect them
- IT security used to be owned and controlled by IT. Now it requires a whole organisational approach and relies more on the literacy of the users than the expertise of the techs. There are more potential access points into a organisation making it more difficult than every to manage and lock down. There are no silver bullets, everything is constantly changing and evolving and orgs need to keep up.
- https://www.spiceworks.com/it-articles/it-security/
- Top security challenges are related to end users. More specifically, IT pros are worried about the vulnerabilities created when employees don’t understand or aren’t invested in avoiding risky behavior around company data. They’re muscling up security measures. IT pros expect to increase security in 2016, with plans to implement even some of the newer security solutions such as intrusion detection, penetration testing, and advanced threat protection. IT pros believe their role is key in maintaining security. According to our survey respondents, it takes the entire organization—not just the latest technology—to keep sensitive data and people safe. That said, they ultimately feel that the responsibility for their organization’s security is in the hands of IT. LAYER 8
- They’re muscling up security measures. IT pros expect to increase security in 2016, with plans to implement even some of the newer security solutions such as; intrusion detection, penetration testing, and advanced threat protection. For example. MFA grow from 1bn to 13bn in 5 years.
- IT pros believe their role is key in maintaining security. According to our survey respondents, it takes the entire organization—not just the latest technology—to keep sensitive data and people safe. That said, they ultimately feel that the responsibility for their organization’s security is in the hands of IT. Technology is not a Panacea
- Write these two things down, this is what you must remember.
- Does anyone know how bulletproof glass works?
- Simply, who has access to what and why? Customer Lockbox – Microsoft Knowing and making purposeful decisons
- Who has heard of ransomware, crypolocker etc?
- Polls are suggesting 50% of hospitals have been hit. – Open DNS
- Ransomware as a Service, or RaaS, where affiliates can join in order to distribute the ransomware, while the Cerber developers earn a commission from each ransom payment. http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/ Swiss Ransomware Awareness Day https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/ransomwareday.html
- http://www.itnews.com.au/news/the-3-billion-it-security-problem-420126?eid=1&edate=20160527&utm_source=20160527_AM&utm_medium=newsletter&utm_campaign=daily_newsletter
- Massive growth is pretty much all ransomware related Who is being targeted
- Antivirs
- Over 20 seconds you will see ransomware at work
- The CryptoWall gang is well known for its excellent customer service, such as giving victims deadline extensions to gather the ransom, providing information on how to obtain bitcoins (the preferred method of payment), and promptly decrypting the files upon payment. Other malware families, such as TeslaCrypt, Reveton, and CTB-Locker, have less reliable reputations. Which can really be trusted? Paying to find out is not the best strategy. http://www.crn.com.au/news/cyber-criminals-offer-live-chat-support-for-victims-420713
- 1. You become a bigger target As they saying goes: Do not feed the trolls -- otherwise, they'll keep making provocative statements to get a reaction. Ransomware is a little like that; paying ransom simply encourages the attackers. Criminals talk; they will tell others who paid the ransom and who didn’t. Once a victim is identified for paying up, there's nothing stopping others from jockeying for a piece of the ransom pie. Another danger looms: The same attackers can come back. Since you paid once, why not again? 2. You can't trust criminals Relying on a criminals to keep their word is a risky endeavor. It seems like a simple exchange -- money for a decryption key -- but there's no way to tell the ransomware gang can be trusted to hold up their half of the bargain. Many victims have paid the ransom and failed to regain access to files. [ ALSO ON CSO: Ransomware isn't a serious threat says threat intelligence firm ] This cuts both ways: Why pay up if you don't expect to get your data back? Reputation matters, even in the criminal world. The CryptoWall gang is well known for its excellent customer service, such as giving victims deadline extensions to gather the ransom, providing information on how to obtain bitcoins (the preferred method of payment), and promptly decrypting the files upon payment. Other malware families, such as TeslaCrypt, Reveton, and CTB-Locker, have less reliable reputations. Which can really be trusted? Paying to find out is not the best strategy. 3. Your next ransom will be higher 4. You encourage the criminals
- Separating different networks from one another Not using the admin accounts on PCs Installing better anti-virus, anti-malware, email filtering, etc. Educate users Penetration Testing as intrusion detection advanced threat protection Can you prevent it? no.
- Schodingers backup
- a cat imagined as being enclosed in a box with a radioactive source and a poison that will be released when the source (unpredictably) emits radiation, the cat being considered (according to quantum mechanics) to be simultaneously both dead and alive until the box is opened and the cat observed. Erwin Schrödinger
- https://blog.dashlane.com/dashlane-business-enterprise-identity-password-management/ According to a research, it is found that over 23 % of desk-based employees wish to share their passwords with their colleagues
- Two or Three Passwords One for Banking One for Government One for everything else What are the most important passwords though? All is not lost, you can reform.
- Lets start with Strong Passwords. I’m going to break them into two categories.
- If you analyse any of the large password leaks of the last few years you will notice that people tend to use the name of the service as part of their passwords.
- http://www.darkreading.com/risk/how-hackers-will-crack-your-password/d/d-id/1130217
- https://diogomonica.com/posts/password-security-why-the-horse-battery-staple-is-not-correct/
- PM = Password Manager
- Lastpass – Better for enterprise with tighter controls and a need for SSO
- Dashlane – Better for small businesses with basic requires. Offers easier onboarding and user experience.
- Multi-Factor Authentication Market Will Be Worth US$13.2 Billion in 2020; Driven By Demand for One-Time-Passwords, Tokens, and Security Certificates https://www.uptakedigital.com.au/mfa-multi-factor-authentication/
- Something you have – phone, 2FA device Something you know – Password Something you are - Biometrics
- Login Once Access Everything. Not the same as having the same password for every service Automated Provisioning – Turn user account provisioning into a HR process Rapidly off-board or disable access. Advantages: Implementation of Single Sign-On solution reduces the chances of forgetting username and password. Only having one ID credential, you don’t need to remember tons of passwords. One of the major problem faced by the IT department is a getting number of calls regarding the loss of password. SSO plays a vital role to solved out this problem. Implementation of SSO reduces the cost of IT help desk by allowing users to access multiple websites using single ID credentials and reduces the chances of password fatigue. The SSO’s advanced technology helps in detection of attempts made to hack a particular system and it would lock out the hacker from remaining systems. Single Sign-On is very beneficial in health care industry. If a doctor wants to login to the database for accessing patient’s file then he/she can also access to the other related data that would be on other application. Disadvantages: One of the biggest problem faced by SSO is that it is a very critical tool and always need to keep up. If it goes down then the user will lose access to all related websites. To have a good and strong password for SSO is very important because once your SSO account is hacked, all the other sites that are under the same authentication are also hacked as well. SSO lacks strong authentication backups like one-time passwords or smart cards etc. http://nomadder.tumblr.com/post/142835291941/advantages-and-disadvantages-of-single-sign-on
- Move quickly through this section.
- bars or public transport
- Have you every used public free Wi-Fi for sensitive business use?
- Packet Sniffing, Access Point Telco Metadata retention scheme
- Give your staff 3G Set up a VPN to protect traffic on unowned networks Or consider your own 3G/4G device Preference websites with SSL (Green lock) Malicious Hotspots – can you trust it? https://www.onguardonline.gov/articles/0014-tips-using-public-wi-fi-networks
- What happens when your network isn’t secure
- Guest Wifi Set up a Guest network for other stakeholders This allows you to separate your network from your work network -pokies machine story This stops staff from giving out your wi-fi password
- Radius Server PreShared Key
- Good or Bad?
- BAD! Log in and turn it off! Change default passwords as well!
- Does anyone know how bulletproof glass works?
- Simply, who has access to what and why? Customer Lockbox – Microsoft Knowing and making purposeful decisons
- The number one thing I want you to take away from tonight is the adoption of a Security Mindset.
- These are guidelines only
- Understanding the Modern Business Landscape Understanding the core principles of IT Security Where IT Leaders are focusing
- 13 possible breaches
- Computer screen left on with no password protection - passerby has access to information on the device Unshredded files in trash could contain sensitive information File cabinet open - easy for someone to steal sensitive information Cell phone left out in the open - may display sensitive information and/or can be easily stolen Notes left on whiteboard - could contain confidential product updates, information or ideas Backpack left out and open Usernames and passwords left out in the open Key to locked drawer left out in the open - easy access to confidential files Calendar out in the open - could contain sensitive dates and/or information Credit card left out on desk Documents left out on desk that could contatin sensitive information USB drive left out in the open Wallet left on desk
- Data collected from more than 20,000 volunteers found that 87% of Android devices are exposed to at least one of 11 known critical vulnerabilities. The study places the blame for Android devices' high risk on the manufacturers themselves, noting that all large software companies today uncover security risks and then release software updates to protect users. Why IOS is safer https://www.sophos.com/en-us/security-news-trends/security-trends/malware-goes-mobile/why-ios-is-safer-than-android.aspx
- Also people need to realise you're only as strong as your own security level, Using random passwords lying on password reset information questions and other reset methods is also important. (I like to use random chunks of text [for security questions] as well as standard fake information [for Birthdates.]) Using a Password Manager is also a good option and it goes without saying a different password for each site is definitely important. Regarding Hosting and Domains Accounts and Domain Name Registration. It's normally recommended not to use an email address at your domain name as the primary email address. As in the case of Hosting and Domains Accounts if your account is suspended you most likely will lose access to that email address. and in the case of Domain Name Registration it can be possible that you will not receive important information regarding renewals on your domain name.
- You should set up your laptop so that you have to enter a password every time you boot up, or whenever you come back to it after it has switched to the screensaver. Skilled computer users may be able to bypass this feature, but it will protect your data from common thieves.
- https://www.theguardian.com/technology/2015/jan/20/laptop-stolen-what-i-learned
- Data Encryption Standard AES
- RC4 Key derivation is performed using 50,000 iterations[source] of SHA-1 (increased to 100k in SP2). Uses a 16-byte (128-bit) random salt. AES is the block cipher used to encrypt the document. By default, 128-bit key are used. There is a registry tweak to change this to 256-bit. The AES block cipher is implemented in Microsoft's CSP / CryptoAPI.
- The end of Security Through Obscurity
- 33 percent of employees have personally purchased a SaaS application without their IT department’s knowledge. Of those who purchased a SaaS app, 49 percent did it “because it was “faster without IT”. https://blog.dashlane.com/dashlane-business-enterprise-identity-password-management/
- This video is telling a different story about the productivity challenges of point solutions, rather than security concerns of shadow IT.