The information provided here is for informational and ... · (Source: CompTIA International Trends in Cybersecurity 2016) Cyber Threats + Use Policies + Security products Securing

10/1/2019

1

Securing Your Users Cyber Safe Workforce LLC


Michelle WardStarted Cyber Safe Workforce in 2015

Spent 12 prior years as a systems engineer in federal civilservice and defense contracting

Technical background in secure web app development

Pen testing, compliance

CISSP®, CSSLP

Passionate about Information Security

Volunteer organizations:Cyberthon, FDLE RDSTF1 Cyber Committee,WiCyS, Girl Scouts

Lives in Fort Walton Beach, FL with husband and two kids


Why Users?

The information provided here is for informational and educational purposes and current as of the date of publication. The information is not a substitute for legal advice and does not necessarily reflect the opinion or policy position of the Municipal Association of South Carolina. Consult your attorney for advice concerning specific situations.

10/1/2019

2



Employees check e-mail

@ Version 2019 DBIR

Phishing was involved in 32% ofbreaches

Majority of malware is delivered byemail

Business E-mail Compromise (BEC)was responsible for loss of $10billion from U.S. victims(Oct 2013 – Jul 2019)


Employees go online

Hacked websites trick users intodownloading malicious code

Webroot®’s 2019 Threat Reportstates that 40% of malicious URLswere found on good domains

10/1/2019

3


Employees also…

Receive Calls Work On-the-GoHandle Sensitive

Information


While employees are at work…

They touch

Data/Information

Network

Resources


“

”Nothing badcould happen…Right?

10/1/2019

4



True Stories

Pasquotank-Camden EmergencyMedical Services had over 40kmedical records compromised due toa third party vendor vulnerability.

NC / Feb 2019

The City of Thomasville accidentallyreleased the Social Security numbersof 269 employees when answering apublic records request.

NC / Feb 2018


True Stories

Orange County was infected withransomware which led to several daysof service disruptions.

NC / Mar 2019

City of Greenville had slowed orstopped operations because ofransomware.

NC / Apr 2019

10/1/2019

5


True Stories

Jackson County pays $400k ransomdemand.

GA / Mar 2019

Dorchester School District 2 paid a$2,900 ransom to have the data on 25servers decrypted after a ransomwareattack.

SC / Aug 2017


Shoring up the Weakest Link

A Security Awareness and Training Program is meant to reduce therisk that HUMANS introduce

Do you need to have it?

State of SC Information Security Policy on Human Resources andSecurity Awareness

HIPAA §164.308.(a).(5).(i)

PCI DSS §12.6

NIST Cybersecurity Framework (PR.AT)

ISACA COBIT 5 APO07.03, BAI05.07

ISO/IEC 27001:2013 A.7.2.2

CIS20


10/1/2019

6


Big Picture

NIST Cybersecurity Framework

Identify

Protect

Detect

Respond

Recover

Cyber Threats +

Use Policies +

Security products


Aware vs. Unaware

Aware employees will never give outpasswords

Unaware employees will fall for an ITadmin impersonator scam and revealtheir password


Aware vs. Unaware

Aware employees will call the helpdesk when their antivirus shows analert

Unaware employees will go home forthe day while ransomware encryptstheir files and files on mapped drives

10/1/2019

7


Aware vs. Unaware

Aware employees will encrypt e-mails containing PII/PHI

Unaware employees will send PII/PHIunencrypted, download it to USBstorage, and upload it to personalcloud storage


Aware vs. Unaware

Aware employees will alert you tosecurity issues or ask questions whenunsure

Unaware employees will shrug it off assomeone else’s responsibility


Awareness AND Training

Awareness (Why, What)

Our password policy is…

You must change your passwordevery X days because…

Training (How)

How to create a strong password

How to change your password

How to reset your password

10/1/2019

8


Big Picture *EDIT*

Employees are your unintentionalinsider threats

52% of databreaches arecaused by humanerror(Source: CompTIA InternationalTrends in Cybersecurity 2016)

Cyber Threats +

Use Policies +

Security products


Program StructureWHAT DO I PUT IN A SECURITY AWARENESS AND TRAINING PROGRAM?

CAN I DO THIS JUST ONCE?


Security Awareness and TrainingLifecycle (SATL)

10/1/2019

9




Identify & Define

Define scope, roles & responsibilities,compliance requirements, update interval(NIST SP800-53r4 AT-1)

Identify curriculum and learning objectives,the company’s goals, goal measurement,training delivery methods, time frames


Topics

PasswordsHow to create a strongpassword you can remember

PhishingRecognize and report

Physical SecurityLock workstations, questionaccess, clean desk

10/1/2019

10


Topics

Confidential InfoWhere to store?How to send?

Safer Web SurfingRecognize online scams

Acceptable UseReminders about usage, sharingaccounts, installingsoftware/extensions


Baseline

Gather data and statistics related togoals prior to training

Put mechanisms in place to track goals


Baseline

Record baseline results

10/1/2019

11


Train

Format

In-person presentations

CBTs

Who

New employees

Existing employees

High-risk groups


Train

Catch new employees asthey arrive…


Train

Participation logs and scores foreach training activity recorded

10/1/2019

12


“

”

How do you know yourmessage made animpact?

What you measure affects how people behave


Track & Measure

Audit participation

Gather goal-related metrics

Survey users

Conduct tests (social engineering,phishing, walkthrough inspections)


Track & Measure

Participation stats/scores

Feedback

Test Results

10/1/2019

13


Train, Track & Measure


Evaluate & Update

Review Training Report

New Threat Information?

New Technology/Policies/Controls?

Frequent Issues?


“

”

Did you meet your goals?

10/1/2019

14


Evaluate & Update

Review and update as needed


Security Awareness and TrainingArtifacts


But I Have No…support, budget, time, or content

10/1/2019

15


One Thing at a Time

What is your greatest threat?

Determine Cost & Likelihood

Focus on one outcome to improve


One Thing at a Time

Problem: Unlocked, unattended computers


Identify & Define

Outcomes:

All users voluntarily enable the screen lock on theircomputer

Users voluntarily secure work-issued smartphones andtablets in locked spaces while away

Measure:

Conduct walkthrough inspections

10/1/2019

16


Baseline

►Conduct a walkthrough inspection withoutrevealing your purpose

► Record each instance of a violation


Train

DEFINE the use policy onunattended workstations andmobile devices

WHY is it important?

HOW to lock your workstationor secure your devices



Several weeks after the training activity

Conduct an ANNOUNCED walkthrough inspection

Record results

10/1/2019

17


Track & Measure

Several weeks after the training activity

Conduct a discreet walkthrough inspection

Record results



Repeat as necessary


Evaluate & Update

If it’s not working, change it up!

10/1/2019

18


ResourcesSecurity awareness resources to use


Catch Their Attention

Gift Card Scam Stories

Tax Refund Fraud

Direct Deposit Diversions

The Internet Crime ComplaintCenter reports a 1240% increase ingift card scam complaintsbetween Jan 2017 and Aug 2018.(https://www.ic3.gov/media/2018/181024.aspx)

USE STORIESRelay stories whereindividual people wereaffected by cyber crime.


Passwords: Longer is BetterOFFER A STRATEGYProvide the “how” tocomplying with a strongpassword policy.

10/1/2019

19


Passwords: Breaches

haveibeenpwned.com/passwords

RUN A CONTESTHow many times has this password“1qaz2wsx” been seen?Use HaveIBeenPwned.com/passwords


Passwords: Social Engineering

Jimmy Kimmel: What’s your password?https://youtu.be/UzvPP6_LRHc

USE HUMORReinforce that youshould never share yourpassword with ANYONE.


Phishing

“Some emails are harmful”

Steal your information

Install malicious code onyour computer

10/1/2019

20


Phishing: What’s suspicious?

Unrecognized Sender

Unexpected

Involves money or valuableinformation

Out-of-character or unusual

SHOW vs. TELLShow how you can lookat email addresses evenon mobile devices.


Phishing: Unrecognized SenderEMAIL SAFETYLESSONSReinforce emailsafety with regularlessons or tests.


Phishing: Web Addresses

https://teachme.cybersafeworkforce.com

SHOW WEBSITE URLSUse our free resource toteach people to look atURL bars.

10/1/2019

21


Phishing: LinkAware

https://www.cybersafeworkforce.com/linkaware.html

A FREE BROWSER TOOLUse our free browser toolto help people identifywhat website they’rereally visiting.


Phishing: Additional Resources

Free Four-Minute Trainingtraining.cybersafeworkforce.com/s3/inbox-danger

New Storieswww.cybersafeworkforce.com/cyber-roundups.html

Google Phishing Quizphishingquiz.withgoogle.com


Conclusion

Are you helping users comply with security?

10/1/2019

22


Security products are necessary, but…

Give your users the know-how to complywith security-related policies and be on thelookout for cyber threats




“

”

Users become security-minded and start securityconversations.

Users identify security “gray” areas to be mitigated

Cyber security continues to improve

And… You’re compliant!

10/1/2019

23


How We Can Help


How We Can Help

Bite-sized Security Awareness

Quick tips on a regular basis

Phish & Learn

Email safety lessons and simulations/tests

Online Courses

Employee on-boarding

Mandatory training requirement


[email protected] Security Awareness Tips and Tactics atblog.CyberSafeWorkforce.com

Documents

The information provided here is for informational and ... · (Source: CompTIA International Trends in Cybersecurity 2016) Cyber Threats + Use Policies + Security products Securing