Security 101 for Brokers May 10, 2016


Slide deck from the May 10, 2016 CSIO TSX webinar: Security 101 for Brokers.


Security 101 for Brokers

May 10, 2016

Purpose

• Increase CSIO member security awareness

• Explore security audits

o Key components

o Benefits

Agenda

• Define some key security terms

• Scan current cyber threat landscape

• Quick tips - how to protect yourself

• Going beyond the basics: security audits

o What are they?

o Why do one?

o CSIO example

• Questions

TSX Webinar Presenters

Sheldon Wasylenko, General Manager, Rayner Agencies; Board Member, CSIO

Hans Gantzkow, Senior Architect, CSIO

Interesting Security Statistics

• According to digital security company Gemalto, at least 59 data breaches involving more than 40 million records occurred in Canadian companies in 2015.

• Cybercriminals unleash 3.5 new threats targeting small and medium businesses every second. (Canadian Lawyer)

• In a 2015 Forrester survey, only 55% of Canadians indicated that they think their financial providers are committed to protecting their personal privacy and security.

Current Cyber Threat Landscape

Malware: software that is installed and runs without your knowledge or consent.

• Broad category: includes viruses, Trojans, worms, spyware, ransomware

• Malware can damage or disable the computer and degrade its performance

Spam/Phishing: spam is email that is sent anonymously and in bulk, unsolicited and unwanted by its recipient.

• Phishing is email (usually spam) in which the sender poses as a trustworthy organization to solicit personal information such as passwords or account numbers

• Attackers often take advantage of current events and certain times of year

Video: https://www.youtube.com/watch?v=9TRR6lHviQc

Social Engineering: Biggest threat to organizations today.

• An attacker uses human interaction and social skills, rather than a technical exploit, to obtain information or access

• They may appear unassuming, respectable, authentic, credible

Video: https://www.youtube.com/watch?v=1byRtf2r-B8

Malware

Source: Symantec: 2015 INTERNET SECURITY THREAT REPORT KEY FINDINGS

Social Media Scams

In 2014, Symantec observed that 70 percent of social media scams were manually shared, meaning cybercriminals are tricking people into scamming their friends.

Mobile

Mobile was also ripe for attack, as many people only associate cyber threats with their PCs and neglect even basic security precautions on their smartphones. In 2014, Symantec found that 17 percent of all Android apps (nearly one million total) were actually malware in disguise. Additionally, grayware apps, which aren’t malicious by design but do annoying and inadvertently harmful things like track user behavior, accounted for 36 percent of all mobile apps.

Mobile Users

• 1 in 4 admitted they did not know what they agreed to give access to on their phone when downloading an application.

• 68% of users were willing to trade their privacy for nothing more than a free app.

Zero day vulnerabilities

Heartbleed

The Heartbleed security bug, disclosed in April 2014, affected many businesses, including the Canada Revenue Agency, which revealed that at least 900 social insurance numbers were compromised. The flaw was not in the TLS protocol itself but in OpenSSL, the widely used library that implements it: a missing length check let a remote client read more of a server's memory than it should have, and any server still running the unpatched library after disclosure remained exposed.

By now, most websites have patched the Heartbleed bug. But the lesson from Heartbleed is that regular patching of your infrastructure (not just your website) is required; those who do not maintain regular patching remain at risk.
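To make "implemented incorrectly" concrete, here is an added example that is not part of the CSIO deck. It reproduces, in plain Python, the shape of the OpenSSL heartbeat bug: the server copies as many bytes as the client claims to have sent, instead of as many as it actually received. The record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the "heap" contents, the secret values in it, and the function names are constructed for this demo.

```python
"""Added example (not from the CSIO deck): a missing bounds check on a TLS
heartbeat turns an echo service into a memory-disclosure bug, and the fix.

Record layout per RFC 6520: type (1 byte) | payload_length (2 bytes) |
payload | padding (>= 16 bytes). The 'heap' below is a constructed byte
string standing in for whatever sat next to the record in server memory."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = b"\x00" * 16          # minimum padding required by RFC 6520

# Constructed stand-in for adjacent server memory (fake values, for illustration).
OTHER_HEAP_DATA = b"session=7f3a9c...; -----BEGIN RSA PRIVATE KEY-----MIIEow..."


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. An honest client leaves claimed_length=None;
    an attacker sets it larger than the payload actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + PADDING


def respond_vulnerable(record: bytes, heap: bytes) -> bytes:
    """Pre-patch behaviour: trust payload_length from the wire and copy that
    many bytes starting at the payload, running past the record into the heap."""
    _type, payload_length = struct.unpack("!BH", record[:3])
    memory = record + heap                    # the record and what follows it
    payload = memory[3:3 + payload_length]    # over-read when length is a lie
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload


def respond_fixed(record: bytes, heap: bytes) -> Optional[bytes]:
    """Patched behaviour: the claimed payload plus header and minimum padding
    must fit inside the record that was actually received, else discard."""
    if len(record) < 3:
        return None
    _type, payload_length = struct.unpack("!BH", record[:3])
    if 3 + payload_length + len(PADDING) > len(record):
        return None                           # silently drop, as the fix does
    payload = record[3:3 + payload_length]    # heap is never touched
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload


def leaked_bytes(response: bytes, original_payload: bytes) -> bytes:
    """Bytes in a response that were never part of the request (beyond the
    real payload and its padding): this is what an attacker harvests."""
    return response[3 + len(original_payload) + len(PADDING):]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello")
    malicious = build_heartbeat(b"hello", claimed_length=60)
    print("fixed server, honest request   :", respond_fixed(honest, OTHER_HEAP_DATA))
    print("fixed server, malicious request:", respond_fixed(malicious, OTHER_HEAP_DATA))
    print("vulnerable server leaks        :",
          leaked_bytes(respond_vulnerable(malicious, OTHER_HEAP_DATA), b"hello"))
```

The real attack simply repeated the malicious request, collecting up to 64 KB of adjacent memory each time; the patched code differs from the vulnerable code by the single length comparison in `respond_fixed`, which is why "apply the vendor's patch" was the whole remedy.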

Internet-Enabled Automobiles

Patching of vulnerabilities is not limited to basic computer systems

anymore; the Internet of Things (IoT) is changing that.

Security researchers demonstrated in July 2015 that they could

remotely hack a 2014 Jeep Cherokee to disable its transmission

and brakes.

“When you put technology on items that haven’t had it before, you

run into security challenges you haven’t thought about before.”

Source: WIRED

Url: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Notable Data Breaches 2015

CareFirst BlueCross BlueShield: Breach discovered as part of a security review. All in all, 1.1 million members had their names, birth dates, email addresses and subscriber information compromised, but member password encryption prevented cybercriminals from gaining access to Social Security numbers, medical claims, employment, credit card and financial data.

Army National Guard: The July data breach of the Army National Guard was the result of an improperly handled data transfer to a non-accredited data center by a contract employee. The breach possibly exposed the Social Security numbers, home addresses and other personal information of approximately 850,000 current and former National Guard members. Highlights the importance of having strong security practices for internal threats, including those posed by third-party contractors.

Ashley Madison: When the online affair site was breached, hackers released millions of names and email addresses of Ashley Madison users. 37,000,000 affected users. Root cause: poor password use by developers and users.

NSA (technically this occurred in 2013): Edward Snowden, a former National Security Agency subcontractor, made headlines in 2013 when he leaked top secret information about NSA surveillance activities. Snowden "may have persuaded between 20 and 25 fellow workers" to give him their logins and passwords "by telling them they were needed for him to do his job as a computer systems administrator".

Lessons learned: Grant user entitlements appropriately and keep them updated. Managing and monitoring privileged users is necessary, and credentials should never be shared, even with an administrator who says he needs them.

Targets and Threats

Targets

• Customer names, addresses, credit card numbers

• IP, strategies, financial data

• Employee names, salary, roles

• Strategies, project plans, IP

• Assets: computers, laptops, files

• Reputation (reputation attacks)

Threats

• Hackers/cyber criminals

• Competitors

• Disgruntled customers

• Terrorists

• Rogue states/governments

• Organized crime

• Employees/business partners

Quick tips - how to protect yourself

Protection

Malware:

• Don’t download content from dubious or unknown websites.

• Avoid, or keep a close eye on, downloads made over P2P networks. Do not use P2P networks at work.

• Keep antivirus programs up to date.

Protection

Spam/phishing:

1. Be wary of emails asking for confidential information, especially financial information. Legitimate organisations will never request sensitive information via email.

2. Don't get pressured into providing sensitive information. Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Contact the merchant directly, using a phone number or address you already have, to confirm the authenticity of the request.

3. Watch out for generic-looking requests for information. Fraudulent emails are often not personalised, while authentic emails from your bank often reference an account you have with them.

4. Many phishing emails begin with "Dear Sir/Madam", and some come from a bank with which you don't even have an account.

5. Never submit confidential information via forms embedded within email messages. Senders are often able to track all information entered.

6. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. A phishing website will often look identical to the original; look at the address bar and check that the domain is the organisation's real one, not a lookalike.

7. Make sure you maintain effective software to combat phishing. Norton™ Internet Security automatically detects and blocks fake websites. It also authenticates major banking and shopping sites.
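The "look at the address bar" advice can be applied before anyone clicks. The following added example, which is not part of the CSIO deck, walks the links in an email body and flags two patterns phishers rely on: link text that shows one domain while the href goes somewhere else, and hosts that merely contain a trusted brand name (`examplebank.ca.verify-now.net`). The trusted-domain list, the sample message and all function names are constructed for the demo; a production version would use the Public Suffix List rather than the two-label rule used here.

```python
"""Added example (not from the CSIO deck): checking email links the way
tip 6 tells a reader to check the address bar. Flags text/href domain
mismatches and lookalike hosts. All data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the organisations this reader actually deals with.
TRUSTED_DOMAINS = {"examplebank.ca", "csio.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Crude on purpose: a real deployment
    would consult the Public Suffix List so 'bank.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text: str) -> str:
    """If the visible link text looks like a URL or bare domain, return its host."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlsplit(candidate).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href: str, text: str) -> str:
    """'ok' for a trusted destination, 'mismatch' when the visible text names a
    trusted domain but the href goes elsewhere, 'lookalike' when the host only
    contains a trusted brand, 'untrusted' otherwise."""
    host = urlsplit(href).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "ok"
    shown = domain_in_text(text)
    if shown and registrable_domain(shown) in TRUSTED_DOMAINS:
        return "mismatch"
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in host.lower():
            return "lookalike"
    return "untrusted"


def audit_email(html: str) -> list:
    """Return (href, text, verdict) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample phishing message (not a real email).
SAMPLE_EMAIL = """
<p>Dear Sir/Madam, your account will be disabled in 24 hours.</p>
<a href="http://examplebank-ca-secure.com/login">https://www.examplebank.ca/login</a>
<a href="http://examplebank.ca.verify-now.net/">Verify now</a>
<a href="https://www.examplebank.ca/contact">Contact us</a>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {text!r:40} -> {href}")
```

The same check is what a mail gateway or browser performs when it warns about a "deceptive" link; running it by hand on a suspicious message is a quick way to confirm what the address bar would have shown after the click.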

Protection

Social Engineering:

• Be wary of unsolicited emails, instant messages and phone calls from people claiming to be service providers. Verify the source of the message before giving out any information.

• Go slow and pay keen attention to fine details in emails and messages. Never let the urgency in an attacker’s message cloud your judgment.

Protection

Additional tips:

• Reject requests for online tech support from strangers no matter how legitimate they may appear.

• Secure your computer with a strong firewall, up-to-date antivirus software, and spam filters set to high.

• Patch software and operating systems. A zero-day vulnerability is one that attackers exploit before a fix exists; once your software providers release a patch, apply it as soon as humanly possible, because attackers keep targeting the systems that remain unpatched.

Protection

Ad blocking:

• Ads are 182 times more likely to give you a virus than visiting an adult website, according to Cisco.

• Surf faster: block online advertising that slows down your web browsing.

• Save bandwidth: ad blockers save bandwidth by not downloading intrusive ads.

Show Ghostery example

Security audits - going beyond the basics

Why do a security audit

• The only way to truly know how secure your organization is, is to test.

o Measure the effectiveness of current defenses.

o Identify gaps in your existing defenses.

o Input to help quantify your organization's risk exposure.

• Having a second set of eyes check out a critical computer system is a good security practice.

Key questions asked during a security audit

1. What processes do we have in place to identify and repair system

vulnerabilities?

2. How are we protecting the data we have stored in the cloud?

3. Do we have an information security strategy and policy?

4. How can we improve upon our cyber governance and controls?

5. Do we have a response protocol to mitigate damage in the event of

a cyber-attack?

Source: Grant Thornton LLP

Typical components of a security audit

• Scope

o Governance/policy review (paper)

o Penetration testing (hardware/software)

o Social engineering (humans)

• Output

o Audit report

Key policies to be aware of

• Clean Desk

• Password Management

• Bring your own device

• Credit Card Handling Security

• See Cisco: http://www.cisco.com/web/about/security/intelligence/mysdn-social-engineering.html

Policy and short description

• Password Management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, etc.

• Clean desk policy: Set guidelines to reduce the risk of a security breach, fraud, and information theft caused by documents being left unattended.

• Credit Card Processing: Outline the acceptable handling and processing of cardholder data used at CSIO.

• Vulnerability Management: Policy and procedures for managing patches.

• System Acquisition, Development and Maintenance Policy: Helps drive security planning efforts when starting a new IT project.

• Risk Management: The identification, assessment, and prioritization of risks. Involves attributing a likelihood and an impact to each risk.

• Incident Management: Policy to identify, analyze, and correct hazards to prevent a future re-occurrence.

Penetration Testing

• Penetration testing is the process of attempting to gain access to resources the way an attacker would, without knowledge of usernames, passwords and other normal means of access.

• It also tests the ability of network defenders to successfully detect and respond to the attacks.

• It is carried out only with written authorization and an agreed scope; the same activity without them is simply an attack.

Social Engineering Testing

• Used as a way to test an organization's so-called "human network."

• Social Engineering Testing helps answer the following questions

o How susceptible is our company to social engineering attacks?

o Are our physical security controls working against an onsite

attacker?

o Are our email filters catching targeted phishing emails?

o How effective is our security awareness training?

Audit Report

• Executive summary stating the security posture of the organization.

• Summary of gaps

o Source of threat

o Probability of exploitation

o Impact of the exposure

o Recommended actions/fixes

• Cyber liability insurance: typical CGL policy covers liability for physical

damage to tangible rather than electronic property, like buildings, vehicles

and equipment. For intangible property like data, a separate cyber liability

policy or an endorsement to the CGL would come into play.

Learn More: Create a CSIO Member Account

Free Member Resources:

• Broker Corner

• Advisory Hub

• White papers & videos

Twitter: @CSIO

Email: [email protected]

Thank you for attending our Talk, Share, eXchange!

A link to the recorded webinar will be emailed to all participants shortly.

Stay tuned for the next TSX! Visit CSIO.com

Appendix – Malware examples

Rootkits

These are programs designed to hide objects such as processes, files or Windows Registry entries. This type of software is not malicious in itself, but malware creators use it to cover their tracks on infected systems: many kinds of malware use rootkits to hide their presence.

These programs fit the cyber-crime malware dynamic: for malware to be exploited for financial gain, stealth is vitally important, and rootkits enable malware to remain hidden on a computer for much longer without being detected.

Appendix – Malware examples continued

Exploits

An exploit is a technique or program that takes advantage of a security flaw (a vulnerability) in a communication protocol, operating system or IT tool. By triggering the flaw deliberately, an attacker makes the application misbehave in a way that lets them execute code remotely, launch denial of service attacks, disclose information or escalate privileges.

Appendix – Malware examples continued

Adware

Adware programs display advertisements for the products or services offered by the creator of the program or by third parties. Adware can be installed in a number of ways, sometimes without users’ consent, and with or without users’ knowledge of its function.

The classification of this type of program is controversial, as some consider it a type of spyware. While this may be true to a certain extent, adware programs as such are not used with criminal intent but to advertise products and services, and the information collected does not include users’ bank details, but web pages visited, favorites, etc.

Appendix – Malware examples continued

Dialers

Generally, a dialer tries to establish a phone connection with a premium-rate number.

Dialers only affect computers that use a modem to connect to the Internet: the dialer modifies the phone and modem configuration, replacing the number provided by the ISP (Internet Service Provider), which is normally charged at local rates, with a toll-rate number.

This type of malware is gradually disappearing as the number of users with modem connections decreases.

Appendix – Malware examples continued

Cookies

Cookies are small text files stored on a computer by the Internet browser when visiting web pages. The information stored by cookies has a number of objectives: it can be used to personalize web pages, to collect demographic information about visitors to a page, to monitor statistics of banners displayed, etc.

For example, for a user who frequently visits a certain web page, a cookie lets the site remember that the user has already logged in. In practice the cookie should hold only a random session identifier, never the user name and password themselves; a site that stores the password in a cookie exposes it to anyone who can read that file.

Though cookies do not pose a risk by themselves, malicious use by other software could threaten affected users’ privacy, as cookies can be used to create user profiles with information the user is unaware of and send them to third parties.

Appendix – Educational Links

Security videos – about 3-5 mins each

Phishing: https://www.youtube.com/watch?v=9TRR6lHviQc

Creating Passwords: https://www.youtube.com/watch?v=aEmF3Iylvr4

Social Engineering: https://www.youtube.com/watch?v=1byRtf2r-B8

Security videos from Lynda.com – about 3-5 mins each

http://www.lynda.com/Security-tutorials/Evaluating-risks-threats-vulnerabilities/410329/430046-4.html

http://www.lynda.com/Security-tutorials/Adhering-principle-least-privilege/410329/430047-4.html

http://www.lynda.com/Security-tutorials/Recognizing-social-engineering/410329/430048-4.html

http://www.lynda.com/Security-tutorials/Minimizing-attack-surface/410329/430049-4.html

http://www.lynda.com/Security-tutorials/Avoiding-worms-viruses/410329/430052-4.html

http://www.lynda.com/Security-tutorials/Understanding-Trojans/410329/430053-4.html

http://www.lynda.com/Security-tutorials/Protecting-your-system-from-spyware/410329/430054-4.html

http://www.lynda.com/Security-tutorials/Recognizing-secure-websites/410329/430058-4.html