Webinar
Cyber Risk Management: Tools & Tactics
Working Together to Solve Information Security Challenges
Featuring:
Lee Hovermale of Project Leadership Associates
Justin Hectus of Keesal, Young & Logan
Tom DeSot of Digital Defense, Inc.
Presented by:
Housekeeping
• Webinar will be recorded
• Attendees are in “Listen Only” mode
• Submit questions via the Questions Panel
• Live Q&A at the end of the presentation
Today’s Presentation
State of the Legal Market: Lee Hovermale, Chief Executive Officer, Project Leadership Associates (PLA)
Gaining Executive Support: Justin Hectus, Director Information, Keesal, Young & Logan
Social Engineering War Stories and Effective Security Awareness Training: Tom DeSot, EVP/Chief Information Officer, Digital Defense
Cyber Risk Management: Tools & TacticsWorking Together to Solve Information Security Challenges
• External and internal validation no longer an option
• Awareness
Cyber Risk Management: Tools & TacticsWorking Together to Solve Information Security Challenges
Gaining Executive Support
Justin Hectus
Director Information
Keesal, Young & Logan
“Few breaches are unique. In fact, our VERIS research indicates that at any given point in time, a small number of breach scenarios comprise the vast majority of incidents we investigate. There is tremendous commonality in real-world cyber-attacks.”
- Verizon Data Breach Scenarios from the Field, published 2016
“The mission is at risk, and every individual must understand their roles, responsibilities, and actions necessary to maintain a high, persistent state of cybersecurity readiness required to deliver mission assurance.”
- DoD Cybersecurity Discipline Implementation Plan (made public March 2016)
63% of data breaches involved stolen, weak, default, or easily guessable passwords.
- Verizon Data Breach Scenarios from the Field 2016
Secure the Human Element
People and culture could be your greatest potential strength or your greatest potential liability. Create awareness, encourage vigilance, make security training a priority, and hold people accountable.
“Most successful cyberspace intrusions exploit preventable and generally well-known vulnerabilities.”
- DoD Cybersecurity Discipline Implementation Plan (made public March 2016)
Prevent Configuration Exploitation
The simple process of prompt patching can increase your defense posture significantly. Ensure that you have visibility to every network endpoint so that you can monitor and remediate any vulnerabilities.
50% of confirmed breaches feature malware somewhere in the attack chain, usually in conjunction with hacking or social interaction.
- Verizon Data Breach Scenarios from the Field 2016
Attackers spent an average of 146 days inside networks before being detected.
- M-Trends Special Report, February 2016
Don’t Treat all Assets Equally
Authorizing all users for all assets with the same level of access is a recipe for disaster. Sensitive data should be encrypted and secured on a need-to-know basis, with access protected by two-factor authentication.
CONFIDENTIALITY
INTEGRITY AVAILABILITY
Use Layered and Different Approaches
Anti-virus and anti-malware tools that rely on pattern-based recognition are no longer enough. An added approach of “white-listing” applications and comparing network function and behavior against known baselines is also needed. A determined bad actor will get in. Monitor closely, detect early, respond quickly.
Integrated Defense Architecture
Cyber Risk Management: Tools & TacticsWorking Together to Solve Information Security Challenges
“Hi, I’m Tom from IT”
Social Engineering In the Real World
Tom DeSot
EVP, Chief Information Officer
Digital Defense
What Is Social Engineering?
“…the art of manipulating people into performing actions or divulging confidential information.” (Wikipedia)
Real World Examples
• An individual called into Citibank’s customer service bureau claiming to be Paul Allen (co-founder of Microsoft)
• Caller claimed he had misplaced his debit card (did not want to report it stolen)
• Caller was able to change the mailing address for the account to his residence in Pittsburgh over the phone
• Had a new card overnighted
  – Card was used to make a $658 payment to a bank loan account
  – Attempted to make a $15,000 wire transfer and a purchase at Game Stop, but transactions were denied
Source: “FBI Says Citibank Gave Paul Allen’s Debit Card to Thief”, http://www.wired.com/threatlevel/2012/03/paul-allen-debit-card-caper/
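The Citibank story above is a sequence of individually ordinary account events that only looks wrong when viewed together. As an added example (not from the webinar or from any of the presenters), this is a small fraud-detection rule that flags a card reissue requested shortly after a phone-channel address change, and any high-value wire that follows. The event schema, the 7-day window and the $10,000 wire threshold are assumptions, and the account timeline is constructed to mirror the slide.

```python
"""Detection rule for the address-change-then-reissue pattern (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    kind: str        # "address_change", "card_reissue", "wire_attempt", "purchase"
    channel: str     # "phone", "branch", "online"
    when: datetime
    amount: float = 0.0


# Constructed sample timeline mirroring the story on the slide (not real data).
EVENTS = [
    Event("A1", "address_change", "phone", datetime(2012, 1, 10, 9, 0)),
    Event("A1", "card_reissue", "phone", datetime(2012, 1, 10, 9, 5)),
    Event("A1", "purchase", "online", datetime(2012, 1, 12, 14, 0), 658.0),
    Event("A1", "wire_attempt", "phone", datetime(2012, 1, 12, 15, 0), 15000.0),
    # A second account: address changed in branch, reissue days later -> benign
    Event("A2", "address_change", "branch", datetime(2012, 1, 10, 9, 0)),
    Event("A2", "card_reissue", "branch", datetime(2012, 1, 15, 9, 0)),
]

REISSUE_WINDOW = timedelta(days=7)   # assumed: reissue this soon after a phone address change is suspicious
WIRE_THRESHOLD = 10000.0            # assumed: wires at or above this after a flagged reissue get reviewed


def flag_risky_sequences(events):
    """Return a list of (account, reason) alerts, in event order."""
    alerts = []
    by_account = {}
    for e in sorted(events, key=lambda e: e.when):
        by_account.setdefault(e.account, []).append(e)
    for acct, evs in by_account.items():
        last_phone_addr = None   # time of the most recent phone-channel address change
        flagged = False          # set once a suspicious reissue has been seen
        for e in evs:
            if e.kind == "address_change" and e.channel == "phone":
                last_phone_addr = e.when
            elif (e.kind == "card_reissue" and last_phone_addr is not None
                  and e.when - last_phone_addr <= REISSUE_WINDOW):
                alerts.append((acct, "card reissue within %d days of phone address change"
                               % REISSUE_WINDOW.days))
                flagged = True
            elif e.kind == "wire_attempt" and flagged and e.amount >= WIRE_THRESHOLD:
                alerts.append((acct, "high-value wire after flagged reissue: %.2f" % e.amount))
    return alerts
```

Running `flag_risky_sequences(EVENTS)` flags account A1 twice and leaves A2 alone; in practice the first alert is the point at which a callback to the number on file, rather than the caller's, should be required before the card ships.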
Real World Examples
A man dressed as an employee of Brink’s walked into a Wachovia branch in downtown Washington D.C. and walked out with more than $350,000…
It wasn’t until the real Brink’s driver showed up that they realized they had been robbed.