O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Cyber Security Briefing Asis Nyc 10 18 12

299 visualizações

Publicada em

This is a briefing on Cyber Security threats in non-technical terms. The briefing includes statistics on the threat landscape and business readiness to address them. Contact the presenter, David A. Kondrup, CPP SPHR at dk@CyberDiligence for a copy or for further information.

  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Cyber Security Briefing Asis Nyc 10 18 12

  1. 1. ASIS International – NYC ChapterDavid A. Kondrup, CPP SPHRCyber Diligence, Inc. Electronic Dossiers, Spearing and Whaling Cyber Security Briefing
  2. 2. DisclaimerThis presentation is for informational purposes only, it does not constitute professional advice or convey a client – vendor relationship.Citations are noted and the presenter is not responsible for the contents of cited work.And ...what I knew about IT / computer security in the past, what I knew last week, and what I know today, will all change tomorrow. The threats and the defenses described here will rapidly change - You and I have to Change.
  3. 3. Risks And Your IncidentResponse Strategies Insider Threats Outsider Threats Protecting the Enterprise From Digital RisksROI to Protect: Intellectual Compliance Issues Property, Sensitive Data, (HR, EEO, Sex Harassment, HIPAA, Personal Identifiable Personal Identifiable Info, SAS 70,Information, Financial etc. etc.)
  4. 4. Emerging ThreatsCyber-Risk Control Practices of Top Management (%) Receive Reports on Security 31 Breaches / Data Loss 30 30 Review Annual Security 35 Rarely / Never Program Assessments 20 36 Occassionally Regularly Receive Reports on Privacy 39 and Security Risks 33 26 0 10 20 30 40 Sources: Security Management July 2012 page 30 citing “How Boards & Senior Executives Are Managing Cyber Risks”, Carnegie Mellon University, Cylab, May 2012
  5. 5. Types of DataBreaches (2011) Payment Card Numbers Authentication Credentials Proprietary Info Medical Records Bank Account Data Personal Info System Info Sensitive Info Trade Secrets 0% 20% 40% 60% Large Organizations Small Organizations 80% 100%Sources: Security Management June 2012 page 48 citing “Data Breach Investigations Report”, Verizon, March 2012
  6. 6. How is this being done?
  7. 7. Executive Spear- Phishing or WhalingHackers posing as federal agents (or other people) send emails to executives, department heads, technical staffers, financial staff, conning them into providing passwords to gain access to networks.Innocuous attachments are also sent. The moment an attachment is opened (or a link is clicked) a malware program is released.There is nothing complicated or innovative about phishing. It’s simple but its just dreadfully effective!Email is not like snail mail, you can’t just throw the envelop away or peak inside – once you click on a unknown link or an attachment, they’ve got you
  8. 8. Fake SubpoenasHackers target corporate executives with fake subpoenas.In 2008 US federal court officials were warning that hackers were emailing fake subpoenas that contained malware to corporate executivesThe company information is correct, so is the address, so is the executive’s name and title.The fake subpoenas were official looking and contained a link that states “Please download the entire document on this matter (follow this link) and print it for your records ...”
  9. 9. EffectiveThousands of executives and corporate officials have been engineered and fallen for this.Not just subpoenas, its been Better Business Bureau Complaints, emails to attorneys from overseas looking for representation, Invitations to Events that are of interest to the recipient.Subpoenas don’t come by email – Don’t Click on them!
  10. 10. Dossiers
  11. 11. On-Line ResearchHackers/phishers perform research before launching his or her attack.They compile dossiers on the corporation, the company executives, and their families (xref)Specifically, they locate the executive’s email address, phone numbers, addresses (home & work), and others associated with them.This information is located online: Pipl.com Who.Is.com Facebook LinkedIn Ancestry.com “Google” Corporate web sites
  12. 12. What Is Malware?
  13. 13. Malware - Botnets - ProxiesBackdoor.ProxyboxThe malware is a Trojan program with rootkit functionality that transforms a computer into a proxy server.BotnetsOne of the main tools used by cybercriminals. Send spam emails, used for distributed denial of service attacks, perform online financial (bank) fraud, click fraud, and others.People and companies do not know they have it. And their IP address is used for illegal activities.$25 a month gets 150 proxy servers, $40 gets unlimited in the country you want. Symantec believes there are 40,000 any given day.
  14. 14. What To Do
  15. 15. Cyber DefenseEducation & AwarenessEducate the executives especially, and the “at risk” members of the company (those with credentials)Technology (BYOD) PoliciesProactive ProgramsDo checks on your top executives (with permission).Regular & infrequent sweeps of systems, servers, computers.Line-up specialist – have a response plan ready.(Specialist also for reputational & shielding Info)Combined efforts and programs involving Physical Security – IT Security – Risk Management
  16. 16. www.CyberDiligence.comDavid A. Kondrup, CPP SPHRdk@CyberDiligence.com575 Underhill Blvd – suite # 209Syosset, NY 11791(516) 342-9378 office(516) 507-4322 direct