
Copyright iSecure LLC 2014

Information Security Concerns and Strategies by New York State Government Professionals

A Whitepaper by Oliver S. Riley, Information Security Analyst, and Kevin Wilkins, CTO, iSecure LLC

iSecure is dedicated to finding the best solutions for challenges facing the InfoSec community. iSecure does extensive product research and interacts closely with clients to develop the best recommendations possible, not only from the standpoint of product but also from the standpoint of strategy.

iSecure recognizes that the perspective and needs of state and local government are very different from those of a private organization. We sought to identify the threats and trends experienced by members of the governmental community.

iSecure partnered with The Hacker Academy to conduct a survey to assess the security environment experienced by state and local government community members.

At the 2014 New York State Cyber Security Conference we asked questions relating to the concerns and perceived security posture of the various organizations represented by the event participants and received 74 responses. After reviewing the data, this report was generated with some highlights and commentary regarding the state of I.T. Security amongst New York’s state and local governments.

The majority of people we spoke to were members of engineering and technical staff: people who work daily with the intricacies and challenges of information security.

By far, the most important points raised tie around Employee Awareness and Phishing, which will be the focus of this paper.

We started off asking “What is the greatest challenge when it comes to managing Information Security Risk in your organization?” and “What do you believe is the greatest Information Security risk your organization faces today?” Top on the list were Accidental Insider threats and Employee Awareness, respectively. These results reflected previous studies conducted amongst private organizations.

Cybercriminals are persistently updating and fine-tuning the techniques they use to compromise an organization, and very often the human element is the most easily exploited. The top defense lies in training your organization’s employees about the importance of Security Awareness. Once an employee learns to watch out for and perceive a potential hazard, finer-tuned discretion can follow.

Develop policies and procedures detailing acceptable and safe use of an organization’s IT Infrastructure, then utilize a training program to educate your employees about these policies and procedures. The program should have a cycle of “refresh” sessions in which changes to policy can be communicated, new threats can be explained, and the importance of IT Security awareness can be reinforced. Recent incidents, their causes, and corrections to behavior can also be discussed.


Many (19%) of the organizations we spoke to had not had a single breach or cybersecurity event in the last year, while some (7%) had eight or more breaches. The majority (54%) of people we spoke to, most of whom work intimately with the information infrastructure of their organization, had no idea whether they had experienced any breaches in the last year or were unwilling to divulge such information.

The organization that got hit eight times and knows about it is way ahead of the organization that remains in the dark.

Previous studies have indicated that Malware was far and away the most prevalent vector for an InfoSec breach, but this survey shows that Phishing is entering a new renaissance. Phishing attempts have become more sophisticated, carefully tailored and directed at specific weak points within an organization. iSecure itself is targeted regularly by very convincing phishing attempts, and it is only through User Awareness that we have a baseline of defense against those attacks.

When Hacked...

Most organizations endured a disruption in productivity, but others incurred directly detrimental consequences when hacked. While a loss of productivity isn’t an immediate blow to the bottom line, it ultimately can be quite costly. The other potential outcomes are more straightforward in their damage, but by far the worst consequence is ignorance of what was taken or damaged.


As discussed on the previous page, Phishing was the most prevalent cause of security incidents. Phishing is an email-related exploit. Email Security Gateways can filter the inbound emails for malicious attachments, known Phishers, and links to Phishing Sites. Email Security Gateways can also use signatures, context and heuristics to detect messages suspected of being Phishing attacks. UTM and Next Generation Firewalls with URL filtering technology can block access attempts to known Phishing sites. Host Based Security (Antivirus) can also block malicious payloads and detect Phishing URLs.

But these technical controls are not perfect - polymorphism, zero-day exploits, and rapidly changing lists of attack sites can overwhelm the capabilities of technologies based on signatures and blacklists.

Continuous training which improves the Users’ Awareness of what a Phishing attack looks like is necessary.

User Awareness training can also teach what information is safe to enter into a website when prompted, and when some additional investigation is warranted. Phishers will often lure the victim into entering Usernames, Passwords, and other personal information into a fake site.

What attachments were sent with the email, are they actually from a trusted source, and should they actually be opened?

Another type of Phishing attack will appear to be from a known source with a relevant attachment. The goal is to entice a User to open the attachment and execute its malicious payload. In some ways, these tie into Installation of Trojan/Fakeware and Malware via Application/OS Exploit. Examples might be a “Plugin” to open encrypted Emails (Trojan), an executable disguised as a PDF, or an Office document designed to exploit an unpatched bug in Word.
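As an added illustration (not code from the iSecure whitepaper or from any gateway product) of the kind of heuristic an Email Security Gateway applies to the disguised-attachment cases above, the Python below compares an attachment's declared extension against its content signature and flags double extensions; the file names and byte blobs are constructed samples.

```python
import os

# Real file-format header bytes ("magic numbers") for a few common attachment types.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".exe": [b"MZ"],                                  # Windows PE executable
    ".docx": [b"PK\x03\x04"],                         # OOXML is a ZIP container
    ".zip": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],    # OLE2 compound file
}
# Extensions that Windows will execute directly when the user double-clicks.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}


def detected_types(data):
    """Return the set of extensions whose signature matches the leading bytes."""
    return {ext for ext, sigs in MAGIC.items() if any(data.startswith(s) for s in sigs)}


def check_attachment(filename, data):
    """Return a list of reasons to hold the attachment for review; empty means no finding."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    parts = filename.lower().split(".")
    # "invoice.pdf.exe": the visible name suggests a document, the real extension runs code.
    if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        findings.append("double extension hiding an executable")
    if ext in EXECUTABLE_EXTS:
        findings.append("executable attachment type")
    detected = detected_types(data)
    # "report.pdf" whose bytes start with an MZ header is an executable disguised as a PDF.
    if ext in MAGIC and detected and ext not in detected:
        findings.append(f"content looks like {sorted(detected)} but named {ext}")
    return findings


# Constructed sample attachments (hypothetical, not real files).
SAMPLES = [
    ("quarterly_report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE disguised as PDF
    ("quarterly_report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),  # genuine PDF header
    ("invoice.pdf.exe", b"MZ\x90\x00"),                         # double extension
    ("agenda.docx", b"PK\x03\x04\x14\x00"),                     # genuine OOXML header
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(f"{name}: {check_attachment(name, blob) or 'no finding'}")
```

A real gateway would apply this alongside the signature and blacklist checks the text describes; the point here is that a header mismatch needs no prior knowledge of the specific sample.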

Building knowledge and awareness to prevent User follow-through on Phishing attempts is critical.

In addition to periodic training exposures, timely information is also helpful. Very often your organization will be the target of a focused Phishing campaign, with multiple similar messages circumventing technical controls and being delivered to a number of users. As these Phishing emails are discovered, put screenshots of the messages into a memo to be sent companywide.

Beyond training users in the identification of suspicious messages, training their behavior is also key. As a general rule, users should be suspicious of everything! Unless they are specifically expecting an attachment or a communication from an outside website, they should follow through via a separate channel to confirm its legitimacy. Safe behaviors would be to call the sender of an attachment to verify its source and content, or, instead of directly following a possibly fake link in an email, to manually type the known and familiar URL into a browser.

Developing an Employee Awareness program which is comprehensive and frequent can reduce your organization’s exposure to this very common and serious threat.


While technology can do a lot to stop hackers, viruses and malware, humans remain the single biggest threat. MAD Security’s research of human nature has led to the development of a unique approach that enables our clients to effectively reduce the threat against their organizations. To help ensure a holistic approach to security, MAD has created the Hacker Academy.

The Hacker Academy is a place for organizations of all sizes to educate and secure their staff; both technical and non-technical alike. Members are provided an engaging, cloud based, training environment to practice and deploy what they have learned immediately and effectively. THA's Security Awareness training is specifically targeted for each role within an organization. This helps organizations deliver meaningful and effective content.

- Megan Horner, The Hacker Academy

At iSecure we believe that User Awareness Training is the first line of defense against an ever-changing litany of cybersecurity threats. This ethic is shared by a majority (56%) of the local and state government community, but still too many organizations don’t train their people on the basics of how to stay safe on the internet.

Without a proper understanding of what out there is dangerous, an organization opens itself up to a barrage of potentially completely avoidable cybersecurity threats. With an appropriate level of user awareness, an organization can become adept at mitigating its risk profile and managing which threats it gives an opportunity to.