Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030
Some context…
Daily Mail online, April 2017
52 % the number of small businesses that had a security breach in 2016 UK Government Cyber Security Breaches Survey 2017
57% of companies that suffered a breach, experienced a serious business impact UK Government Information Security Breaches Survey 2017
2016 US social engineering report – the cyberminute • 108,333 phishing emails • 1,080 victims • 100 new phishing pages created • 1,214 ransomware attacks • 14.5 malvertising incidents • $856,164
Consequences • Loss of critical company data • Loss of critical client data • High cost to recover data • Lost days due to recovery process • Fraudulent unauthorised access to company funds • Censure or prosecution • Damage to company reputation
How can an attack happen? • Browsing the internet • Malware infected devices • Social engineering • Lost or stolen devices • Social media • Public Wi-Fi • Disgruntled or untrained employees • Poor physical security
Malware “Software used to disrupt computer operations, deliver viruses, gather sensitive information, gain access to systems or display unwanted advertising”
Zero Day Exploit “A cyber attack that occurs on the same day that a vulnerability is discovered, it is zero day because the attack is launched before a fix becomes available.”
Phishing/Spear Phishing • Phishing - An email that falsely claims to be a legitimate organisation or individual in an attempt to scam the user into surrendering confidential information • Spear phishing – A phishing attack that is not random but aimed at a specific organisation
CEO/BEC CEO/BEC Fraud – Chief Executive / Business Email Crime - Impersonating senior executives to coerce staff into taking certain actions, often financially detrimental 1 in 3 companies have been victims of CEO fraud emails
Whaling Phishing campaigns that are targeted at senior level executives. Whaling emails are highly customised, and due to their highly focused nature can be harder to detect than standard phishing attacks.
Ransomware A malware that encrypts or locks files, and then demands payment of the “ransom” to decrypt or unlock them. Paying the ransom encourages the criminals and there is no guarantee that you will retrieve all your files. Regular backups are the key to combating ransomware.
Malvertising The use of online advertising to distribute malware or scams with little or no user interaction required. Executed by hiding malicious code within relatively safe online advertisements. The ads can lead the victim to unreliable content or directly infect a victim’s device. Links in social media can be particularly dangerous
IT Security A security infrastructure should be built using multiple security controls to safeguard network resources and data Antivirus is not sufficient and has led to a false sense of security
IT User Security • Keep your anti-virus up to date • Always apply operating system updates • Always renew security subscriptions for devices
The Human Factor – Social Engineering Technique used by cybercriminals to lure unsuspecting users into revealing confidential data, infecting devices or taking other actions for the benefit of the criminals. Humans are: Phishing → Trusting CEO/BEC Fraud Generally helpful by nature Whaling Support scams Inquisitive The more sophisticated attacks will not just use email and social media, cybercriminals will add authenticity with telephone calls to “back up” their chosen scam.
The Human Factor – Social Engineering
Emails are dangerous! Email is the prime delivery mechanism for cyber crime attempts • Phishing emails • Spear-phishing • CEO/BEC Fraud
Because….. • 269 billion emails are sent per day • 2.1 billion each day contain malicious links or attachments • 9 million are opened
Ransomware statistics • 72% of infected businesses lost access to data for two days or more • 1 in 5 businesses that paid a ransom never got their files back
Web browsing • For online transactions look for the “lock” icon and https in the URL • Never click on ads in pop-ups – one click could take you to malware infected or phishing websites • If you are suspicious, type the web address in the search bar • Don’t fall for ads tempting you to download free software – these often contain malware
Passwords
Passwords Bad Practice • Using same passwords for multiple accounts/sites • Using weak passwords • Sharing passwords • Passwords that include – Actual names Telephone numbers Family/pet names Simple sequences Birthdays Favourites (eg teams/holidays)
Worst Passwords of 2017
Portable storage • University of Illinois, 2016 study • 300 USB drives “dropped” around campus • 98% were picked up • At least one file was opened on 45%.. • 2012 MOSSAD attack on Iranian nuclear facility
Critical issues • Policies – do you have clear policies and do staff understand them? • Do you use staff induction to explain and reinforce your policies? • Do staff understand the value of the data to the business? • Staff Awareness training is critical
Lost or stolen devices? The value of the data on a device usually exceeds the value of the device itself – Often by a factor of 100
The business significance of cyber security • 86% of UK procurement managers would remove an SME supplier that suffered a data breach • 47% of UK supplier contracts are embedding cyber security clauses KPMG
What does this mean ? • A multi layered defence is critical – anti virus is not enough… • But its about people and their behaviour as much as technology • You can train, but you also need to test…. • Ongoing training and testing the only strategy
@CFSystems Tel 01209 340030 CF Systems Ltd Martin.dinham@cfsystems.co.uk CF Systems Ltd www.cfsystems.co.uk
Recommend
More recommend
