Cyber Hygiene
Stay Clean at work and at Home!
About the Author- Mike Ahern
Director, Corporate and Professional Education
Worcester Polytechnic Institute
Leads the development of WPI’s Corporate and Professional Graduate Education Programs in: Cybersecurity; Electrical and Computer Engineering; and Power Systems
Previous Experience:
– Vice-President, Northeast Utilities (responsibilities included: Distribution Engineering; Training; Planning, Performance and Analysis)
– Member, Executive Compliance and Internal Controls Committee
– Member, Executive Steering Committee for Cyber Security
– Director, Transmission Operations and Planning
– Director, Distribution Engineering
– Director, Nuclear Oversight, Millstone Nuclear Power Station
B.S. from Worcester Polytechnic Institute
M.S. and M.B.A. from Rensselaer Polytechnic Institute
Professional Engineer - Connecticut
NERC Certified System Operator - Transmission (2005 to 2010)
Human Firewall Trained . . . Back at the turn of the century!
About WPI
• Non-profit, top quartile national university (U.S. News and World Report ranking)
• Founded in 1865 to teach both “Theory and Practice”
• Strong Computer Science, Engineering and Business Schools
• DHS/NSA Designated Center of Excellence in Information Security Research
WPI Accreditations: Computer Science; Engineering; Business; Whole University
Cyber Hygiene
Outline:
• The Growing Menace
• Risk Reduction
• Attacker Motives and Methods
• Where Do We Start?
• Covering All the Bases
• Questions and Answers
The Growing Menace
We’ve been seeing news articles about the threat of hackers for quite a while
“JPMorgan and other banks struck by cyberattack” – Nicole Perlroth, New York Times, Wednesday, 27 Aug 2014
“U.S. notified 3,000 companies in 2013 about cyberattacks” – Ellen Nakashima, The Washington Post, March 24, 2014
“DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says” – Lisa Daniel, American Forces Press Service, DoD News, March 27, 2012
The Growing Menace
Remember Target?
“Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It” – Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Bloomberg Businessweek, 3/13/14
Target’s Story . . . Continued
“Cyber attack takes toll on Target” – Elizabeth Paton in New York, Financial Times, 8/20/14
• Cyber attack cost Target $148M
• To win back sales, Target took another $234M charge for discounting
The new CEO was announced on 8/1/14
The new CEO lowered the annual earnings forecast by ~15%
What About Me?
OK, a company lost a lot of money . . . how does this affect me?
Thieves also want to steal your money!
How?
• Hacking Your Debit Account(s)
• Identity Theft
• Ransomware
What About Me?
Is this a big threat to me?
The FBI reports that in 2014:
• US Citizens reported losses of over $800,000,000 from over 123,000 cyber attacks
• The median loss was $530 but the average was $6,472
• The trend is to more frequent Ransomware attacks
• 80% of the losses were to both men and women between the ages of 20 and 60
Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf
Risk Reduction Through Cyber Hygiene
With cybersecurity attacks and threats growing . . .
What personal behaviors can reduce my risk?
Let’s start by understanding attackers’ motives and methods . . .
Attacker Motives
Source: http://www.slideshare.net/NortonSecuredUK/cybercrime-attack-of-the-cyber-spies
Attacker Methods
The most recent Verizon Data Breach Investigations Report* gives us some insights into the methods attackers use.
Top “attack vectors”:
1. Behavioral – 80%+ of the attackers are external people, but insiders can cause extensive damage
2. Behavioral – Phishing in 2/3 of attacks, used all by itself in 20% of attacks
3. Technical – 80% of attacks use malware, almost always exploiting known vulnerabilities
*http://www.verizonenterprise.com/DBIR/2015/
Attacker Methods
The FBI Reports growing use of:
• Click-jacking - Concealing hyperlinks beneath legitimate clickable content which, when clicked, causes a user to unknowingly perform actions, such as downloading malware, or sending personal information to a website. Numerous click-jacking scams have employed “Like” and “Share” buttons on social networking websites. Research other ways to use your browser options to maximize security.
• Doxing - Publicly releasing a person’s identifying information online without authorization. Caution should be exercised by users when sharing or posting information about themselves, family, and friends.
• Pharming - Redirecting users from legitimate websites to fraudulent ones for the purpose of extracting confidential data. Type in an official website, instead of “linking” to it from an unsolicited source.
Source: http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf
Risk Reduction – Where to Start
Start with Behaviors!
Training for basic cyber defense
For you and your family - how to be “human firewalls”
• Don’t Store Sensitive Information On Your Computer
• Password Protect Your Phones and Computers
• Never Share Passwords Outside Your Family
• Defeat Decoders - Use Strong Passwords, unrelated to public information (your name, your pet’s name, your birthday)
• Defeat Phishers –
  – Be Skeptical
  – Hover Over Links To See Where They’re Taking You
  – Don’t Click in Suspect Dialog Boxes – Quit The Application Instead
• Defeat Known Vulnerabilities – Have Everyone In Your Family Install Software Updates As Soon As They’re Available
Cyber Defense Against Phishing
How do I stop phishing?
• Keep your spam filter switched on to reduce spam (which can contain viruses or be used for phishing);
• Be suspicious of unsolicited advertising and offers;
• Be on the alert if you do not know the sender;
• A trusted website or online payment processor will never ask you to confirm sensitive information like passwords or account details;
• Delete any suspected spam immediately and do NOT open any attachments.
A phishing email may appear to come from a trusted source. Some warning signs are if the e-mail:
• Is sent from a free webmail address, not from an organization’s official address;
• Opens with a generic greeting, and is not personalized with your name;
• Contains a threat, for example that your account is not secure or may be shut down;
• Requests personal information such as username, password or bank details;
• Includes a link to a website with a URL (web address) that is different from the organization’s official address.
Source: http://www.interpol.int/Crime-areas/Cybercrime/Online-safety
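The warning signs listed above, plus the “hover over links to see where they’re taking you” advice from the earlier slide, can be turned into a simple screening check. The script below is an added example written for this page; it is not from the slides, Interpol, or WPI. The official domain, the free-webmail list and the two sample messages are constructed placeholders, and the phrase lists are illustrative, not a complete phishing vocabulary.

```python
"""Score an e-mail against the phishing warning signs from the slide above."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed placeholder for the organization's real domain (not from the slides).
OFFICIAL_DOMAIN = "example-bank.com"

# Illustrative lists; a real deployment would maintain much longer ones.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
THREAT_PHRASES = ("account is not secure", "will be suspended", "will be shut down", "will be closed")
PII_REQUESTS = ("username", "password", "bank details", "account number", "card number")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def sender_domain(from_header):
    """Return the domain part of the From: address, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def _text_body(msg):
    """Concatenate the text parts of a message (handles single-part and multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(parts)


def _is_official(host, official_domain):
    return host == official_domain or host.endswith("." + official_domain)


def phishing_signs(raw_message, official_domain=OFFICIAL_DOMAIN):
    """Return a list of human-readable warning signs found in the message (empty = none)."""
    msg = message_from_string(raw_message)
    signs = []

    # Sign 1: free webmail sender rather than the organization's own domain.
    domain = sender_domain(msg.get("From", ""))
    if domain in FREE_WEBMAIL:
        signs.append(f"sender uses a free webmail address ({domain})")

    body = _text_body(msg)
    plain = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body)).strip()
    lower = plain.lower()

    # Sign 2: generic greeting instead of the recipient's name.
    if lower.startswith(GENERIC_GREETINGS):
        signs.append("generic greeting")
    # Sign 3: a threat about the account.
    if any(p in lower for p in THREAT_PHRASES):
        signs.append("threatening language about the account")
    # Sign 4: request for credentials or bank details.
    if any(p in lower for p in PII_REQUESTS):
        signs.append("requests personal information")

    # Sign 5: links whose host is not the official domain; also compare the
    # displayed link text with the real destination (the "hover" check).
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if not _is_official(host, official_domain):
            signs.append(f"link points to {host!r}, not the official domain")
        shown = text.strip()
        if "://" in shown or shown.startswith("www."):
            shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
            if shown_host != host:
                signs.append(f"link text shows {shown_host!r} but goes to {host!r}")
    return signs


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Example Bank Security" <security.alerts@gmail.com>
To: someone@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your account is not secure and will be suspended within 24 hours.
Please confirm your username and password at
<a href="http://example-bank.com.login-check.net/verify">www.example-bank.com/verify</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <statements@example-bank.com>
To: someone@example.org
Subject: Your March statement is ready
Content-Type: text/html

<html><body>
<p>Hello Alex,</p>
<p>Your statement is available in online banking:
<a href="https://online.example-bank.com/statements">View statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_signs(sample))
```

The checks are deliberately coarse: they are meant to teach a reader what to look at, not to replace a mail gateway. The constructed phishing sample trips all six checks, while the legitimate statement notice trips none, because its link host is a subdomain of the official domain and its link text is a label rather than a look-alike URL.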
Covering All The Bases
The US National Cybersecurity Workforce Framework*
* http://csrc.nist.gov/nice/framework/
The U.S. National Initiative for Cybersecurity Education (NICE) issued the National Cybersecurity Workforce Framework (“the Framework”)
– Developed with more than 20 Federal departments and agencies and numerous national organizations from within academia and general industry.
– The categories, serving as an overarching structure for the Framework, group related specialty areas together.
– Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided.
You can use the Framework to make sure your organization is “covering all the bases”
US National Cybersecurity Workforce Framework
Covers All the Bases
Framework Category / Specialty Areas Include:
Securely Provision
– Systems Security Architecture
– Software Assurance and Security Engineering
– Secure Acquisition
– Test and Evaluation
– Systems Development
Operate and Maintain
– System Administration
– Systems Security Analysis
– Network Services
Protect and Defend
– Computer Network Defense Analysis
– Incident Response
– Vulnerability Assessment and Management
Investigate
– Digital Forensics
– Cyber Investigation
Collect and Operate (Federal Government Role)
– Collection Operations
– Cyber Operations and Planning
Analyze (Federal Government Role)
– All Source Intelligence
– Exploitation Analysis / Targets / Threat Analysis
Oversight and Development
– Legal Advice and Advocacy
– Strategic Planning and Policy Development
– Training, Education and Awareness
– Security Program Management
– Knowledge Management
http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_interactive.pdf
Draft Version 2.0: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx
Risk Reduction At Work
Threat: Insider
– Actions: Background Checks; Training – Everyone, IT, HR, Leadership; Remove Access Promptly
– Measures: Regular Exception Reports
Threat: External Hacker
– Actions: Patches to Keep Software Updated; Anti-Virus for Known Malware; Limited Administrative Rights; Two-factor Authentication
– Measures: Regular Time Delay Reports and Rights Reviews
Threat: Successful Intrusion
– Actions: Certified IT Professionals; Access Log Reviews; Intrusion Detection Software; Exfiltration Software; “White-listing” for Control Systems
– Measures: Frequent (Daily?) Results Reports
Threat: Successful Attack
– Actions: “Loss of IT” Business Continuity Exercises; Engage/Develop Forensic Capability
– Measures: Exercise Frequency and Results
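Several of the measures in the table above (Remove Access Promptly, Regular Exception Reports, Limited Administrative Rights, Two-factor Authentication, Time Delay Reports and Rights Reviews) reduce to one recurring question: which accounts exist today that policy says should not, or that hold more than they should? The script below is an added example for this page, not from the slides or any product; the HR roster, account list and approved-admin set are constructed sample data, and the field names are assumptions about what an identity export might contain.

```python
"""Regular exception report comparing an account export against the HR roster."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    """One row of an (assumed) identity-system export."""
    user: str
    enabled: bool
    is_admin: bool
    mfa_enrolled: bool
    last_login: date


# Constructed sample data: user -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2015, 5, 30),
    "carol": None,
    "dave": None,
}
APPROVED_ADMINS = {"carol"}          # rights review: who may hold admin rights
AS_OF = date(2015, 6, 11)            # date the report is run
ACCOUNTS = [
    Account("alice", True, False, True, date(2015, 6, 10)),
    Account("bob", True, False, False, date(2015, 6, 9)),          # left the company, still enabled
    Account("carol", True, True, True, date(2015, 6, 10)),
    Account("dave", True, True, False, date(2015, 3, 1)),          # admin not approved, no MFA, stale
    Account("svc_backup", True, False, False, date(2015, 6, 10)),  # not in HR at all
]


def exception_report(accounts, roster, approved_admins, as_of, stale_days=60):
    """Group accounts by the policy exception they violate.

    terminated_still_enabled carries (user, days since termination) so the
    report also serves as the 'time delay' measure from the slide.
    """
    findings = {
        "terminated_still_enabled": [],
        "unknown_to_hr": [],
        "unapproved_admin": [],
        "missing_mfa": [],
        "stale": [],
    }
    for a in accounts:
        if a.user not in roster:
            findings["unknown_to_hr"].append(a.user)
        elif roster[a.user] is not None and a.enabled:
            findings["terminated_still_enabled"].append((a.user, (as_of - roster[a.user]).days))
        if a.is_admin and a.user not in approved_admins:
            findings["unapproved_admin"].append(a.user)
        if a.enabled and not a.mfa_enrolled:
            findings["missing_mfa"].append(a.user)
        if a.enabled and (as_of - a.last_login).days > stale_days:
            findings["stale"].append(a.user)
    return findings


if __name__ == "__main__":
    for category, users in exception_report(ACCOUNTS, HR_ROSTER, APPROVED_ADMINS, AS_OF).items():
        print(f"{category}: {users}")
```

Run on the sample data the report flags bob as terminated 12 days ago but still enabled, svc_backup as an account HR knows nothing about (service accounts need an owner of record), dave as an admin nobody approved, and three enabled accounts without two-factor authentication. Producing this on a schedule and tracking how long each line item survives is the “regular exception report” the table asks for.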
Cybersecurity Webinar Series
Thank you
Mike Ahern
Director, Corporate and Professional Education
508-831-6563
mfahern@wpi.edu
What do you think?
Your feedback is welcome!