Cybersecurity Seminar: How to Protect Your Small Business
John Bambenek, President, Bambenek Consulting
Champaign EDC, March 25, 2014
About me
15 years of experience in cyber security; in IT for 30 years.
Part-time faculty in Computer Science at UIUC.
Started with Ernst & Young as a project manager, then moved to the U of I as professional IT and security staff, then worked as a consultant, and now own my own firm.
Lecture and teach internationally on cybersecurity,
forensics and threat intelligence.
About you
What industry is your company in?
Do you process payments electronically?
Roughly how many employees? How many computers?
What keeps you awake at night from a cybersecurity
perspective?
Spoiler Alert
Employ risk management and be skeptical
Keep your computer operating systems and security software up-to-date
Have regular backups and disaster recovery
Limit access to resources
Use strong and unique passwords
Why bother?
For most (or probably all) of you, security will only cost you money; it will likely NOT help you earn money.
You may have laws, regulations or contracts that require some measure of
security… or maybe not (and this is less and less true).
You may not be a “prime beef” target… but you’re still a target.
You may not have credit cards but you do have a payroll account.
Cryptolocker example.
Don’t think you are affected by
regulation?
From Illinois Law:
"Personal information" means an individual's first name or first initial and last
name in combination with any one or more of the following data elements,
when either the name or the data elements are not encrypted or redacted:
(1) Social Security number.
(2) Driver's license number or State identification
(3) Account number or credit or debit card number, or an account number
or credit card number in combination with any required security code, access
code, or password that would permit access to an individual's financial account.
Who pays when fraud happens?
Generally, if a consumer has their credit card stolen, the consumer doesn't pay.
The same is true with debit cards (though with more hassle).
How many people here were affected by Schnuck's breach?
If funds are directly withdrawn from a consumer's bank account, the bank usually (though not always) protects them from losses.
Electronic commerce requires consumers “trust” it, so everyone has the
incentive to at least protect consumers from losses.
Who pays when a business is defrauded?
If your business has its credit card defrauded, bank account emptied, or other
fraud against your organization…
You pay.
The general view is that you have the means to protect yourself, because as a business owner you can just hire someone.
If your payroll account is emptied, your bank will likely help you with a nice line
of credit.
Can you afford to eat those losses? Can you insure against them?
It gets worse...
If you lose consumer records, the payout can be substantial.
HIPAA fines can easily get into millions depending on records sold.
Usually need to pay for credit monitoring for all victims.
Banks pay $40-$50 per new card issued, and they are starting to sue for their costs.
And of course, the bad publicity…
But there are things you can do, which is why you are here today.
Item #1 - Risk management
Employ risk management and be skeptical…
What secrets and confidential information do you have?
What are your essential business functions?
What information could someone use for fraud if they stole it?
What information could be used for competitive advantage by your
competitors?
You are not paranoid if they are really all out to get you.
A brief note about who attacks SMBs
Generally cybercriminals can be broken down to these groups:
Nation states
Organized crime
Disorganized crime
Hacktivists
Disgruntled insiders
Your competitors
How, why and when they attack, and at what skill level, depends on which group it is.
Hacktivism example
How much to spend on security?
If you wanted, you could spend unlimited amounts of money on securing your IT resources… and you'd still be breached eventually.
Just ask the NSA.
Security vendors will happily charge you lots of money to protect you against
unknown threats that aren’t reasonable for you to worry about.
Example: Nation states
However, a lot of ground can be covered by basic (and generally free) steps
that follow.
How much to spend on security?
Beyond “free” steps, how much should be spent?
What are the reasonable threats and what is a reasonable amount to spend to
mitigate them? (Mitigate does not mean 100% stop)
There is no magic formula.
If you can show after a breach has occurred you made reasonable, intelligent
decisions, you will often be in a far better place.
(Especially if you do the free stuff that follows).
How much to spend on security?
What about outsourcing risks?
Some risks you need to take, but some you don’t. For instance, do you really
need to be in the business of processing and storing credit card information
yourself or can that be outsourced to a payment gateway provider?
Do you need to maintain your own webserver, email server, etc., or can you find a provider to do that?
You still have to make sure the provider is reputable.
Example: nation states
Nation states are constantly attacking either for national security related
material or for industrial trade secrets to advantage their own economies.
Actors are highly trained, highly funded, and operating with overt (or tacit) state
sanction.
If they want to get in, they will get in and it is unreasonable to expect a small
business to stand against the collective cyberpower of another nation.
We don’t have to make it easy for them but there is no point in starting with this
as the point of reference.
Example: disorganized crime
People send spam all the time claiming all sorts of outrageous things usually
using similar content or similar infrastructure.
Anti-spam solutions exist to prevent those messages from getting to your inbox
(and some are even free). If you never see malicious messages, they cannot
infect your machine.
Commodity attacks are easily handled by off-the-shelf commodity tools (anti-virus, anti-spam, simple firewalls, etc.).
Be skeptical
Most computer attacks rely on the end-user to do something, usually by
abusing their trust.
E-mail, social media, SMS messages, webpages and robo-calls can be easily
spoofed. (How many of you have gotten those fake Busey phone calls?)
Avoid blindly trusting what your technology is telling you.
Emergency text messaging example.
If something seems odd, verify out-of-band (i.e. not using the same medium
that you just got the message on).
Example: fake subpoena
Be skeptical
Don’t give passwords on request to those who call or e-mail.
Avoid clicking on links for sensitive transactions (i.e. type the full URL instead).
Be careful of typos when typing URLs. (Whitehouse example)
The more something seems to require immediate action, the more you should
verify its authenticity.
No legitimate person will object to you attempting to verify they are who they
say they are.
Takeaways
Have some understanding of the kinds of threats you will face.
Make reasonable decisions about protecting yourself without breaking the
bank.
Take advantage of free things you can do (to follow).
Be skeptical of what your technology tells you and be willing to verify out-of-band if something appears off.
Limit (or eliminate) the sensitive information you give someone on request.
Item #2 - Stay up-to-date
Almost all modern major software has means to update itself for bugs and
vulnerabilities on a routine basis.
Microsoft, for instance, releases updates on the second Tuesday of every
month (and occasionally at other times).
Adobe Reader, Flash, Java, all have their own updates.
Anti-virus also needs to be updated daily to retrieve the latest signatures to
detect threats.
Microsoft Updates
Microsoft updates key points
Update automatically (for most people, this is the best option and it takes away
the need for you to spend time on it).
Make sure to include other Microsoft products in updates (for instance, Office).
This does not include non-Microsoft products you may have. Some of these can update themselves automatically; others will pop up and let you "click to upgrade".
Please, take these seriously. You don't have to drop what you are doing immediately, but get all those updates installed before you go home for the day.
This is one of the single biggest causes of security breaches.
Old versions
Anyone still use Windows XP?
After a product has been out there long enough, software publishers no longer
support it (i.e. no more updates for vulnerabilities).
Find a way to fit version upgrades into routine costs to make sure you don’t
have orphan software out there.
Often systems will not necessarily tell you they are “too old”.
And what about those applications that don’t tell you they need an update?
Anyone have an iPhone?
Security software
Do you have a comprehensive security software solution on every machine in
your company? (e.g. McAfee Complete Endpoint Protection, Norton Internet
Security, etc.)
These do more than block viruses and they are generally auto-updated and
auto-managed… as long as you keep your subscription up to date.
Limitation: they only block against already-known threats.
Small cost, high return and you don’t have to think about it.
You could also manage it more actively to do more secure and useful things with it, if you wanted to.
One point on security
Sometimes good computer hygiene can prevent headlines like this:
“Russia Takes Cyber-Swipe at Illini” - News-Gazette, 3/17/2014
Due to vulnerable and misconfigured servers, someone was able to reflect an
attack off UIUC servers and point it at Russia.
It’s all fun and games until someone causes an international incident with your
network...
Takeaways
Have updates applied automatically where possible.
When pop-ups ask for updates, make sure to apply them within that day.
Be aware of when old software is no longer supported and/or make sure to
update major versions on a routine basis.
Install and make sure security software is updated on a nightly basis.
Item #3 - Regular backups
Remember Cryptolocker?
Sometimes computer failures happen. Are you able to recover your data?
What happens if your computer or your server fails? What would it take to get back online?
What is critical for your business to run? What are things that are nice to have but you could live without?
Some viruses will destroy systems, and some malicious attacks will require a full reinstall of a system.
Backups
What is critical data?
Your financial records?
Your customer records?
Your employee records?
Your e-mail address book?
Any piece of data that, if lost forever, would cause irreparable harm.
A commercial solution (e.g. tape) is best, but you can do simple forms of backup to external drives… it's important to keep more than one copy and to keep some off site.
You could back up to the cloud, but make sure it's encrypted.
Disaster Recovery
It is very easy to spend a lot of money on this to protect against a wide variety
of situations. But many of those situations might be overkill for you.
The obvious situation is what to do if your systems fail. Failures can be caused by malicious activity (and it is not unusual for that to be insider activity).
If you have your webserver, e-mail server, etc. hosted by a third-party provider,
what do you do if they fail?
Hosting provider example.
Usually the best way to deal with an infected computer is to wipe it and
reinstall.
Takeaways
Failures happen, the difference between recovering and going out of business
is planning.
All critical information for your business should be identified and backed up with
some being stored off site (e.g. safe at home).
Have a plan for system failures and have a plan if your third-party providers fail.
Item #4 - Limit access
Sometimes basic attacks will be successful, people will make mistakes,
someone’s kid uses the employee’s laptop to play games…
That mistake should not immediately give an attacker full access to everything.
Sometimes disgruntled employees (or ex-employees) will retaliate.
Sometimes people just make mistakes and erase an entire disk without meaning to.
It is important to limit what foothold an attacker can get, what damage a disgruntled employee can do and what damage an accident can cause.
Limiting file access
People tend to always want more access than they need. General practice is
to grant access based on need-to-know.
Avoid giving people administrator privileges on their computers. Upside: makes
attacks harder to execute. Downside: usually means someone has to maintain
their computer.
If you have a server, does everybody need access to everything? Answer: no.
Back to Cryptolocker.
Limiting stored data
The first rule: create no evidence.
Avoid storing passwords in your web browser.
Avoid creating files with sensitive information.
Limit what you put online that could be useful to an attacker.
Be careful what you email out (a secretary at UIUC sent out a spreadsheet that included the SSNs of every engineering student).
Now to pick on the NSA
Still picking on the NSA
Limiting access to systems
Do your employees have laptops they bring home? Do you?
Avoid familial use of those systems (kids games often have malware)
Practice good physical security (avoid leaving unattended)
Recreational use can lead to infections (e.g. malvertising).
Have all machines protected by a password required to login. Have all
machines lock after 15 minutes of inactivity.
Control who has keys to the building.
Do you have a “guest” wireless network? Make sure it is separate from your
internal business network.
Sensitive systems
Consider having a separate computer for use ONLY for sensitive transactions
like payroll or large dollar transfers.
Recreational use of a computer can lead to infections through no fault of your
own. If you use the same system to process payroll, now malicious individuals
can process ghost payroll too.
Those systems need to be updated and secured too. Access should be limited
to only those who need to execute those functions.
Conversely, if you have employees who bring kids in and you're ok with it, get a throwaway computer for recreational use and that's all it's for.
Takeaways
Limit access of employees to only what they need to know.
Avoid familial use of computers by yourself and employees.
If relevant, have a separate computer for sensitive business functions that is
only used for sensitive business functions.
Item #5 - Use Strong Passwords
Usually, your password is the key to your digital identity. If someone has that,
they now ARE you.
Simple passwords can be cracked easily; even 8-character passwords can be cracked without too much effort.
Secure passwords should be at least 12 characters and include upper-case,
lower-case, numbers and special characters.
And you should never reuse passwords between sites.
Or at least not between “meaningless” sites and critical accounts.
The 25 worst passwords in the world according to PCWorld
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
21. password1
22. princess
23. azerty
24. trustno1
25. 000000
Weak passwords
There are plenty more weak passwords than this, but those show up the most
frequently.
Anything that is a dictionary word.
Anything that is all numbers (say your birthday).
Anything that can be easily derived from you.
Anything that can be easily derived from your business.
Anything that’s less than 8 characters.
Anything not changed within 90 days.
Password reuse
One of the biggest causes of people having their accounts accessed is
password re-use.
Scenario: You have one central e-mail account, you have Facebook, you have credit card logins, bank logins, logins for your commercial bank account, and you are a commenter on the News-Gazette website. All have the same password.
Compromising the News-Gazette would be the easiest and weakest link. Most
people wouldn’t think twice about it. But if I have your e-mail address and your
password, I can get everything else.
Password reset features
Almost everything has a password reset feature to recover a lost password.
The questions, however, are not hard to guess if you know something about the person, and some of it may be public record.
Make sure password resets either e-mail your primary e-mail address, send
you a text message or do some other out-of-band notification or verification.
If that isn’t an option, consider putting in fake information for those questions…
but fake enough so you can remember.
Sarah Palin example.
How to make a strong password
Passwords should be long (more than 12 characters) and contain upper &
lower case, numbers and special characters.
Microsoft’s Advice:
Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is
meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide,
you might use Msbi12/Dec,4 for your password.
Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase.
For example, My son's birthday is 12 December, 2004 could become Mi$un's Brthd8iz 12124 (it's OK
to use spaces in your password).
Relate your password to a favorite hobby or sport. For example, I love to play badminton could
become ILuv2PlayB@dm1nt()n.
Use unique passwords
If you use the same password for everything, then one compromised password infects the rest of your digital identity.
If the ideal is too much, try to have at least three passwords you change
regularly:
One for your sensitive business logins
One for e-mail / computer logins and general business use
One throwaway for blogs, fantasy sports, games… stuff that doesn’t matter
How to make strong, unique passwords:
Msbi12/Dec,4### (where ### is some unique identifier for the login, e.g. EDC for here)
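An added example (not from the deck) that turns the weak-password rules above, the PCWorld worst-25 list, and the base-plus-suffix scheme (Msbi12/Dec,4 + EDC) into a screening function; the dictionary word list and the personal-fact matching are constructed stand-ins for what a real deployment would load.

```python
"""Screen a candidate password against the rules listed in the talk:
worst-25 list, dictionary word, all numbers, derived from personal or
business info, too short, missing character mix, and not changed in 90 days.
Added example; not the deck's own code.
"""
import re

# The 25 worst passwords as listed in the deck.
WORST_25 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

# Constructed stand-in for a real dictionary (e.g. /usr/share/dict/words).
DICTIONARY_WORDS = {"badminton", "summer", "welcome", "dragon", "champaign"}

MIN_LENGTH = 8           # hard floor from the deck
RECOMMENDED_LENGTH = 12  # what the deck recommends
MAX_AGE_DAYS = 90


def _personal_tokens(facts):
    """Lower-case fragments (4+ chars) taken from facts about the person or business."""
    tokens = set()
    for fact in facts:
        for part in re.split(r"[^a-z0-9]+", fact.lower()):
            if len(part) >= 4:
                tokens.add(part)
    return tokens


def check_password(password, personal_facts=(), age_days=0):
    """Return the list of reasons the password is weak; an empty list means it passes."""
    reasons = []
    lowered = password.lower()

    if lowered in WORST_25:
        reasons.append("on the worst-25 list")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    elif len(password) < RECOMMENDED_LENGTH:
        reasons.append("shorter than the recommended 12 characters")
    if password.isdigit():
        reasons.append("all numbers")
    # Strip digits and symbols so "Badminton1!" is still caught as a dictionary word.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY_WORDS:
        reasons.append("dictionary word")
    hits = sorted(t for t in _personal_tokens(personal_facts) if t in lowered)
    if hits:
        reasons.append("derived from personal/business info: " + ", ".join(hits))
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if not (has_upper and has_lower and has_digit and has_special):
        reasons.append("missing upper/lower/digit/special mix")
    if age_days > MAX_AGE_DAYS:
        reasons.append("not changed within 90 days")
    return reasons


def site_password(base, site_tag):
    """The deck's scheme: one memorable base plus a per-login identifier (### in the slide)."""
    return base + site_tag


if __name__ == "__main__":
    facts = ["Bambenek Consulting", "Champaign EDC"]
    for candidate in ["password1", "19751212", "Champaign2014",
                      site_password("Msbi12/Dec,4", "EDC")]:
        print(candidate, "->", check_password(candidate, facts) or "OK")
```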
Never share your password
Avoid situations where you share your password with anyone, even coworkers.
Try to always have unique logins for individuals if they really need access.
How did Edward Snowden steal so much information from the NSA that he was
able to later publish?
He asked his coworkers for their passwords and used their accounts to
access information he was otherwise not entitled to.
Avoid shared accounts and if you must use them, escrow passwords in a safe.
Two-factor Authentication
Where possible for sensitive applications, use two-factor authentication.
This requires something you physically have, not an additional piece of
info.
Most banks for commercial accounts will require or at least permit you to select
two-factor authentication to access the account (or send money). Usually in the
form of sending you a text message.
Many other services (like Gmail) will also send you a text message before letting you fully log in.
Some applications can be configured to use your phone to give you a unique
code to log in. Example.
Takeaways
Your password and often your primary e-mail is the key to your entire digital
identity. If someone gets that, they can get everything.
Use long and strong passwords and try to use unique passwords for each site.
At the least, have 3 passwords, including a throwaway password for inconsequential stuff.
For the really important stuff, try to use two-factor authentication that requires
you to physically possess something (like your cell phone) to fully login to do
things.
Seems basic, but even defense contractors have fallen to password reuse
problems.
Last point
Basic computer maintenance goes a long way towards security.
If someone isn’t assigned in your office to maintain computers (or you aren’t
doing it yourself), having general tech support handy can help security.
Or having someone in the office with some basic computer support skills can
work too (and giving them freedom to get some training/knowledge to do the
job).
May or may not make sense for your given situation.
Remember these 5 things
Employ risk management and be skeptical (they really all are out to
get you)
Keep your computer operating systems and security software up-to-date
Have regular backups and disaster recovery
Limit access to resources
Use strong and unique passwords
Questions?
John Bambenek
Bambenek Consulting, Ltd.
jcb@bambenekconsulting.com
217.493.0760
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Último

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
dlhescort
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
Renandantas16
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
dlhescort
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
lizamodels9
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
lizamodels9
 

Último (20)

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture concept
 

Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014

  • 1. Cybersecurity Seminar: How to Protect Your Small Business John Bambenek, President, Bambenek Consulting Champaign EDC, March 25, 2014
  • 2. About me 15 years experience in cyber security, been in IT 30 years. Part-time faculty in Computer Science at UIUC. Started with Ernst & Young as a project manager, then to U of I as professional IT and security staff, then as a consultant and now own my own firm. Lecture and teach internationally on cybersecurity, forensics and threat intelligence.
  • 3. About you What industry is your company in? Do you process payments electronically? Roughly how many employees? How many computers? What keeps you awake at night from a cybersecurity perspective?
  • 4. Spoiler Alert Employ risk management and be skeptical Keep your computer operating systems and security software up-to-date Have regular backups and disaster recovery Limit access to resources Use strong and unique passwords
  • 5. Why bother? For most (or probably all) of you, security will only cost you money, it will likely NOT help you earn money. You may have laws, regulations or contracts that require some measure of security… or maybe not (and this is less and less true). You may not be a “prime beef” target… but you’re still a target. You may not have credit cards but you do have a payroll account. Cryptolocker example.
  • 6. Don’t think you are affected by regulation? From Illinois Law: "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (1) Social Security number. (2) Driver's license number or State identification (3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  • 7. Who pays when fraud happens? Generally, if a consumer has their credit card stolen, the consumer doesn’t pay. Same is true with debit cards (though more hassle). How many people here were affected by Schnuck’s breach? If funds are directly withdrawn from a consumer’s bank account, usually (though not always) the bank protects them from losses. Electronic commerce requires consumers to “trust” it, so everyone has the incentive to at least protect consumers from losses.
  • 8. Who pays when a business is defrauded? If your business has its credit card defrauded, bank account emptied, or other fraud against your organization… You pay. General approach is, you have the means to protect yourself because you are a business owner who can just hire someone. If your payroll account is emptied, your bank will likely help you with a nice line of credit. Can you afford to eat those losses? Can you insure against them?
  • 9. It gets worse... If you lose consumer records, the payout can be substantial. HIPAA fines can easily get into millions depending on records sold. Usually need to pay for credit monitoring for all victims. Banks pay $40-$50 per new card issued, they are starting to sue for their costs. And of course, the bad publicity… But there are things you can do, which is why you are here today.
  • 10. Item #1 - Risk management Employ risk management and be skeptical… What secrets and confidential information do you have? What are your essential business functions? What information could some use for fraud if they stole? What information could be used for competitive advantage by your competitors? You are not paranoid if they are really all out to get you.
  • 11. A brief note about who attacks SMBs Generally cybercriminals can be broken down to these groups: Nation states Organized crime Disorganized crime Hacktivists Disgruntled insiders Your competitors Depending on the group will depend on how, why and when they attack and at what skill level.
  • 13. How much to spend on security? If you wanted, you could spend unlimited amounts of money on securing your IT resources… and you’d still be breached eventually. Just ask the NSA. Security vendors will happily charge you lots of money to protect you against unknown threats that aren’t reasonable for you to worry about. Example: Nation states. However, a lot of ground can be covered by the basic (and generally free) steps that follow.
  • 14. How much to spend on security? Beyond “free” steps, how much should be spent? What are the reasonable threats and what is a reasonable amount to spend to mitigate them? (Mitigate does not mean 100% stop) There is no magic formula. If you can show after a breach has occurred you made reasonable, intelligent decisions, you will often be in a far better place. (Especially if you do the free stuff that follows).
  • 15. How much to spend on security? What about outsourcing risks? Some risks you need to take, but some you don’t. For instance, do you really need to be in the business of processing and storing credit card information yourself or can that be outsourced to a payment gateway provider? Do you need to maintain your own webserver, email server, etc, or can you find a provider to do that? You still have to make sure the provider is reputable.
  • 16. Example: nation states Nation states are constantly attacking either for national security related material or for industrial trade secrets to advantage their own economies. Actors are highly trained, highly funded, and operating with overt (or tacit) state sanction. If they want to get in, they will get in and it is unreasonable to expect a small business to stand against the collective cyberpower of another nation. We don’t have to make it easy for them but there is no point in starting with this as the point of reference.
  • 17. Example: disorganized crime People send spam all the time claiming all sorts of outrageous things, usually using similar content or similar infrastructure. Anti-spam solutions exist to prevent those messages from getting to your inbox (and some are even free). If you never see malicious messages, they cannot infect your machine. Commodity attacks are easily handled by off-the-shelf commodity tools (anti-virus, anti-spam, simple firewalls, etc).
  • 18. Be skeptical Most computer attacks rely on the end-user to do something, usually by abusing their trust. E-mail, social media, SMS messages, webpages and robo-calls can be easily spoofed. (How many of you have gotten those fake Busey phone calls?) Avoid blindly trusting what your technology is telling you. Emergency text messaging example. If something seems odd, verify out-of-band (i.e. not using the same medium that you just got the message on).
  • 20. Be skeptical Don’t give passwords on request to those who call or e-mail. Avoid clicking on links for sensitive transactions (i.e. type full URL instead). Be careful of typos when typing URLs. (Whitehouse example) The more something seems to require immediate action, the more you should verify its authenticity. No legitimate person will object to you attempting to verify they are who they say they are.
  • 21. Takeaways Have some understanding of the kinds of threats you will face. Make reasonable decisions about protecting yourself without breaking the bank. Take advantage of free things you can do (to follow). Be skeptical of what your technology tells you and be willing to verify out-of- band if something appears off. Limit (or eliminate) the sensitive information you give someone on request.
  • 22. Item #2 - Stay up-to-date Almost all modern major software has means to update itself for bugs and vulnerabilities on a routine basis. Microsoft, for instance, releases updates on the second Tuesday of every month (and occasionally at other times). Adobe Reader, Flash, Java, all have their own updates. Anti-virus also needs to be updated daily to retrieve the latest signatures to detect threats.
  • 24. Microsoft updates key points Update automatically (for most people, this is the best option and it takes away the need for you to spend time on it). Make sure to include other Microsoft products in updates (for instance, Office). This does not include other non-Microsoft products you may have. Some of these have their own ability to update automatically, others will pop-up and let you “click to upgrade”. Please, take these seriously. Don’t have to drop what you are doing immediately, but before you go home for the day get all those updates installed. This is one of the single, biggest causes of security breaches.
  • 25. Old versions Anyone still use Windows XP? After a product has been out there long enough, software publishers no longer support it (i.e. no more updates for vulnerabilities). Find a way to fit version upgrades into routine costs to make sure you don’t have orphan software out there. Often systems will not necessarily tell you they are “too old”. And what about those applications that don’t tell you they need an update? Anyone have an iPhone?
  • 26. Security software Do you have a comprehensive security software solution on every machine in your company? (e.g. McAfee Complete Endpoint Protection, Norton Internet Security, etc.) These do more than block viruses and they are generally auto-updated and auto-managed… as long as you keep your subscription up to date. Limitation: they only block against already-known threats. Small cost, high return and you don’t have to think about it. You could try to manage it to do more secure and neat things with it if you wanted to.
  • 27. One point on security Sometimes good computer hygiene can prevent headlines like this: “Russia Takes Cyber-Swipe at Illini” - News-Gazette, 3/17/2014 Due to vulnerable and misconfigured servers, someone was able to reflect an attack off UIUC servers and point it at Russia. It’s all fun and games until someone causes an international incident with your network...
  • 28. Takeaways Have updates applied automatically where possible. When pop-ups ask for updates, make sure to apply them within that day. Be aware of when old software is no longer supported and/or make sure to update major versions on a routine basis. Install and make sure security software is updated on a nightly basis.
  • 29. Item #3 - Regular backups Remember cryptolocker? Sometimes computer failures happen, are you able to recover your data? What happens if your computer fails or your server? What would it take to get back online? What is critical for your business to run? What are things that are nice to have but you could live without? Some viruses will destroy systems or malicious attacks will require a full reinstall of a system.
  • 30. Backups What is critical data? Your financial records? Your customer records? Your employee records? Your e-mail address book? Any piece of data that, if you lost it forever, would cause irreparable harm. A commercial solution is best (i.e. tape) but you can do simple forms of backups to external drives… but it’s important to keep more than one and keep some off site. You could back up to the cloud, but make sure it’s encrypted.
  • 31. Disaster Recovery It is very easy to spend a lot of money on this to protect against a wide variety of situations. But many of those situations might be overkill for you. Obvious situation is what to do if your systems fail. Failures can be spawned by malicious activity (and not unusual to be insider activity). If you have your webserver, e-mail server, etc hosted by a third-party provider, what do you do if they fail? Hosting provider example. Usually the best way to deal with an infected computer is to wipe it and reinstall.
  • 32. Takeaways Failures happen, the difference between recovering and going out of business is planning. All critical information for your business should be identified and backed up with some being stored off site (e.g. safe at home). Have a plan for system failures and have a plan if your third-party providers fail.
  • 33. Item #4 - Limit access Sometimes basic attacks will be successful, people will make mistakes, someone’s kid uses the employee’s laptop to play games… That mistake should not immediately give an attacker full access to everything. Sometimes disgruntled employees (or ex-employees) will retaliate. Sometimes people just make mistakes and didn’t mean to erase an entire disk. Important to limit what foothold an attacker can get, what damage a disgruntled employee can do and what damage an accident can cause.
  • 34. Limiting file access People tend to always want more access than they need. General practice is to grant access based on need-to-know. Avoid giving people administrator privileges on their computers. Upside: makes attacks harder to execute. Downside: usually means someone has to maintain their computer. If you have a server, does everybody need access to everything? Answer: no. Back to cryptolocker.
  • 35. Limiting stored data The first rule: create no evidence. Avoid storing passwords in your web browser. Avoid creating files with sensitive information. Limit what you put online that could be useful to an attacker. Be careful what you email out (a secretary at UIUC sent out a spreadsheet that included SSNs of every engineering student).
  • 36. Now to pick on the NSA
  • 37. Still picking on the NSA
  • 38. Limiting access to systems Do your employees have laptops they bring home? Do you? Avoid familial use of those systems (kids games often have malware) Practice good physical security (avoid leaving unattended) Recreational use can lead to infections (e.g. malvertising). Have all machines protected by a password required to login. Have all machines lock after 15 minutes of inactivity. Control who has keys to the building. Do you have a “guest” wireless network? Make sure it is separate from your internal business network.
  • 39. Sensitive systems Consider having a separate computer for use ONLY for sensitive transactions like payroll or large dollar transfers. Recreational use of a computer can lead to infections through no fault of your own. If you use the same system to process payroll, now malicious individuals can process ghost payroll too. Those systems need to be updated and secured too. Access should be limited to only those who need to execute those functions. Conversely, if you have employees who bring kids in and you’re ok with it, get a throwaway computer for recreational use and that’s all it’s for.
  • 40. Takeaways Limit access of employees to only what they need to know. Avoid familial use of computers by yourself and employees. If relevant, have a separate computer for sensitive business functions that is only used for sensitive business functions.
  • 41. Item #5 - Use Strong Passwords Usually, your password is the key to your digital identity. If someone has that, they now ARE you. Simple passwords can be cracked easily, even 8 character passwords can be cracked without too much effort. Secure passwords should be at least 12 characters and include upper-case, lower-case, numbers and special characters. And you should never reuse passwords between sites. Or at least not between “meaningless” sites and critical accounts.
  • 42. The 25 worst passwords in the world according to PCWorld 123456 iloveyou monkey password adobe123 shadow 12345678 123123 sunshine qwerty admin 12345 abc123 1234567890 password1 123456789 letmein princess 111111 photoshop azerty 1234567 1234 trustno1 000000
  • 43. Weak passwords There are plenty more weak passwords than this, but those show up the most frequently. Anything that is a dictionary word. Anything that is all numbers (say your birthday). Anything that can be easily derived from you. Anything that can be easily derived from your business. Anything that’s less than 8 characters. Anything not changed within 90 days.
  • 44. Password reuse One of the biggest causes of people having their accounts accessed is password re-use. Scenario: You have one central e-mail account, you have facebook, you have credit card logins, bank logins, logins for your commercial bank account and you are a commenter on the News-Gazette website. All have the same password. Compromising the News-Gazette would be the easiest and weakest link. Most people wouldn’t think twice about it. But if I have your e-mail address and your password, I can get everything else.
  • 45. Password reset features Almost everything has a password reset feature to recover a lost password. The questions, however, are not hard to guess if you know something about the person, and some of it may be public record. Make sure password resets either e-mail your primary e-mail address, send you a text message or do some other out-of-band notification or verification. If that isn’t an option, consider putting in fake information for those questions… but fake enough so you can remember. Sarah Palin example.
  • 46. How to make a strong password Passwords should be long (more than 12 characters) and contain upper & lower case, numbers and special characters. Microsoft’s Advice: Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password. Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son's birthday is 12 December, 2004 could become Mi$un's Brthd8iz 12124 (it's OK to use spaces in your password). Relate your password to a favorite hobby or sport. For example, I love to play badminton could become ILuv2PlayB@dm1nt()n.
  • 47. Use unique passwords If you use the same password for everything, then one compromised password would infect the rest of your digital identity. If the ideal is too much, try to have at least three passwords you change regularly: One for your sensitive business logins One for e-mail / computer logins and general business use One throwaway for blogs, fantasy sports, games… stuff that doesn’t matter How to make strong, unique passwords: Msbi12/Dec,4### (where ### is some unique identifier for the login, e.g. EDC for here)
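The password rules from slides 41 through 47, as an added Python example that is not part of the seminar: it checks a password against the criteria the slides state (12+ characters, all four character classes, not all numbers, not a dictionary word, not derived from you or your business, not on the 25-worst list), builds per-login passwords with the slide 47 base-plus-tag scheme, and flags the slide 44 reuse scenario. The function names and the tiny stand-in dictionary are this example's own assumptions.

```python
"""Password checks implementing the rules stated in slides 41-47.

Added example, not part of the original seminar. The rules and the
25-worst list are the slides' own; the function names and the small
stand-in DICTIONARY are assumptions made for this example.
"""
import re

# The 25 worst passwords quoted on slide 42 (PCWorld list).
WORST_25 = {
    "123456", "iloveyou", "monkey", "password", "adobe123", "shadow",
    "12345678", "123123", "sunshine", "qwerty", "admin", "12345",
    "abc123", "1234567890", "password1", "123456789", "letmein",
    "princess", "111111", "photoshop", "azerty", "1234567", "1234",
    "trustno1", "000000",
}

# Constructed stand-in for a real word list; a deployment would load a
# full dictionary (e.g. /usr/share/dict/words) instead.
DICTIONARY = {"password", "summer", "welcome", "dragon", "football", "champaign"}

MIN_LENGTH = 12  # slide 41: "at least 12 characters"


def weaknesses(password, personal_terms=()):
    """Return the list of slide rules a password violates (empty = passes).

    personal_terms: names, birthdays, business names etc. that someone
    could look up (slide 43: "easily derived from you / your business").
    """
    problems = []
    lower = password.lower()
    if lower in WORST_25:
        problems.append("on the 25-worst list")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    elif len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.isdigit():
        problems.append("all numbers")
    if lower in DICTIONARY:
        problems.append("dictionary word")
    # Slide 41/46: upper-case, lower-case, numbers and special characters.
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lower:
            problems.append("contains personal term %r" % term)
    return problems


def is_strong(password, personal_terms=()):
    """True when none of the slide rules is violated."""
    return not weaknesses(password, personal_terms)


def per_site_password(base, site_tag):
    """Slide 47's scheme: one strong base plus a unique tag per login."""
    return base + site_tag


def reuse_check(passwords_by_site):
    """Map each shared password to the sites using it.

    Any password used on more than one site is the slide 44 scenario:
    the weakest site exposes every other account using that password.
    """
    shared = {}
    for site, pw in passwords_by_site.items():
        shared.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in shared.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample inputs: the slide 46 examples plus a few weak ones.
    for pw in ["password", "1234567890", "Msbi12/Dec,4", "ILuv2PlayB@dm1nt()n"]:
        print("%-22s %s" % (pw, weaknesses(pw) or "OK"))
    print(weaknesses("Champaign2014!", ["Champaign"]))
    base = "Msbi12/Dec,4"
    logins = {
        "bank": per_site_password(base, "BNK"),
        "email": per_site_password(base, "EML"),
        "news-site": base,      # constructed reuse of the bare base
        "fantasy-sports": base,
    }
    print(reuse_check(logins))
```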
  • 48. Never share your password Avoid situations where you share your password with anyone, even coworkers. Try to always have unique logins for individuals if they really need access. How did Edward Snowden steal so much information from the NSA that he was able to later publish? He asked his coworkers for their passwords and used their accounts to access information he was otherwise not entitled to. Avoid shared accounts and if you must use them, escrow passwords in a safe.
  • 49. Two-factor Authentication Where possible for sensitive applications, use two-factor authentication. This requires something you physically have, not an additional piece of info. Most banks for commercial accounts will require or at least permit you to select two-factor authentication to access the account (or send money). Usually in the form of sending you a text message. Many other services (like GMail) will also send you a text message before letting you fully log in. Some applications can be configured to use your phone to give you a unique code to log in. Example.
  • 50. Takeaways Your password and often your primary e-mail is the key to your entire digital identity. If someone gets that, they can get everything. Use long and strong passwords and try to use unique passwords for each site. At the least have 3 passwords which includes a throwaway password for inconsequential stuff. For the really important stuff, try to use two-factor authentication that requires you to physically possess something (like your cell phone) to fully login to do things. Seems basic, but even defense contractors have fallen to password reuse problems.
  • 51. Last point Basic computer maintenance goes a long way towards security. If someone isn’t assigned in your office to maintain computers (or you aren’t doing it yourself), having general tech support handy can help security. Or having someone in the office with some basic computer support skills can work too (and giving them freedom to get some training/knowledge to do the job). May or may not make sense for your given situation.
  • 52. Remember these 5 things Employ risk management and be skeptical (they really all are out to get you) Keep your computer operating systems and security software up-to-date Have regular backups and disaster recovery Limit access to resources Use strong and unique passwords
  • 53. Questions? John Bambenek Bambenek Consulting, Ltd. jcb@bambenekconsulting.com 217.493.0760