Elements That Comprise a “Secure Network”
CYBER SECURITY
Presenter: Ray Gasnick IIIDirector of IT EngineeringMiles Technologies
Local Network Security
“Secure” networks aren’t just those comprised of multi-factor authentication mechanisms and multiple layers of firewalls.
Data Breaches: Facts & Figures
In the past 10 years per the Privacy Rights Clearinghouse: 534 breaches were due to insider access 771 breaches were due to “accidental”
disclosure 1066 breaches were due to hacking or
malware 1822 breaches were due to physical loss
(electronic or non-electronic)Source: http://www.privacyrights.org/data-breach/new
Local Network SecurityThe Human Element The biggest risks to most
networks are NOT “evil” hackers on the internet.
Most compromises stem from the users themselves either misusing their authority or “leaking” data accidentally.
Misuse of Access
In most organizations, access is governed in a hierarchal fashion.
Despite this, someone usually has greater access due to responsibility.
The “honor” system is all that governs this/these users.
Perceived Authority If a user isn’t entrusted with access to
sensitive data, he or she may be able to coerce information leakage with perceived authority.
Examples: Name dropping of managers to subordinate
employees Downright requests for information by hiding
the real purpose
The Social Game
Another very common method for data leakage is social engineering.
Takes on the form of: Calls Phishing Emails The most brazen would
show up in person
Social Engineering Leverages some technique to coerce
an employee to divulge information: Tailgating Outright asking
for the information
Perceived authority
Assumed access Empathy
All of these avenues of attack cannot be stopped even with the most sophisticated firewalls in the world.
Combatting the Social Attack: Awareness
Everybody “assumes” they could never be duped into handing over information from a social attack.
Awareness/Education is the best method for prevention.
Awareness Smaller companies are less susceptible.
There is generally a higher degree of awareness when someone/something is out of the ordinary.
Larger companies are more likely to fall victim to social tactics. There is a higher degree of anonymity
between departments if they do not interact regularly.
Awareness/Physical Security Methods
Distinguish employees from visitors (badges, sign in sheet, etc.).
Promote an environment where it is acceptable to clarify when a request sounds unusual.
Ensure that sensitive “data” is secured by some means.
Ensure that those who are custodians for sensitive data are known.
Promoting Awareness
Employee awareness is the best defense but it is not a one-time deal.
Recurring training sessions are the best way to keep secure practices fresh in everyone’s minds.