The Unpleasant Truths of Modern Business Cybersecurity
Phillip D. [email protected]
© 2015 Global Knowledge Training LLC. All rights reserved. 05/02/2023 Page 2
Phillip “Sherlock” Shade (Phill) [email protected]
Certified instructor and internationally recognized network security and forensics expert with more than 30 years of experience
Retired US Navy and the founder of Merlion’s Keep Consulting, a professional services company specializing in network and forensics analysis
A member of the Global Cyber Response Team (GCRT), FBI InfraGard, Computer Security Institute, and the IEEE and volunteer at Cyber Warfare Forum Initiative
Holds numerous certifications, including Certified Network Expert (CNX)-Ethernet, CCNA, Certified Wireless Network Administrator (CWNA), and WildPackets Certified Network Forensics Analysis Expert (WNAX)
Thank You for Joining Us Today
Another Day, Another Hacking Victim
Inquiries begin into nude celebrity photo leaks
By Associated Press
Updated: 16:39 EST, 1 September 2014
…and Most Recently
A Simple, Unavoidable Truth
Perception
Remember, the odds are dramatically in an attacker’s favor. Since an attacker only needs to get one attack through, you need to stop all attacks.
Reality
Poll #1
How Many of You have been hacked or had a Computer Virus?
Today’s Agenda
1. The current gap between what we think is secure and modern realities
2. Training and equipping current cyber professionals
3. The impact of not having trained personnel and end-user awareness training
4. The pros and cons of hiring outside vs. training internal personnel
Case Study 1: Current Gap Between What We Think is Secure and Modern Realities
I Have an IT Security Staff: I’m Secure...
Cisco ASR 2015
Some Sobering Statistics
Unisys Security Insights United States 2015
The rise of Cyber Espionage and Cyber Crime is interesting, as both lead to a corresponding increase in the number of financial fraud reports.
The News Gets Even Better
2015 Data Breach Investigations Report (DBIR)
Case Study 2: Training and Equipping Current Cyber Professionals
Poll #2
How Many of You had one or More Credit / Debit Cards replaced because of the Target Breach?
Target - Setting the Stage
The company has bought, installed, and configured a state-of-the-art cybersecurity suite centered around a powerful Universal Threat Management (UTM) system
While the initial security staff received comprehensive training by the system vendor, as well as ongoing technical and system update support, subsequent new-hires received cursory training
The senior, well-trained staff delegated the less desirable weekend and late-night shifts to the junior, less-trained personnel
Scene of the Crime
Forensic Reconstruction of the Crime
[Diagram: attack path in five numbered steps. Labels: HVAC Contractor, PoS Server, (Stolen Credentials), Sold online (step 5)]
So Where did They End up?
The Bad News - Results of the Investigation
1. Three separate teams were brought in to perform independent investigations
2. The forensic investigation revealed some shocking facts:
  a. The UTM system was properly configured and operating correctly
  b. The security system actually detected the initial breach
  c. Log file analysis revealed that the poorly trained system operator disabled the alarms to deal with other issues
The Good News: Target Data Hack Optioned for Big Screen Movie
3/21/14 9:40am - jezebel.com/target-data-hack-optioned-for-big-screen-movie-1548629671
Economic Impact
$40 million in penalties and numerous lawsuits
Consumer credit monitoring
Stock price collapsed by more than 11.3 percent
The Wall Street Journal
Case Study 3: Impact of Not Having Trained Personnel and End User Awareness Training
Cybersecurity Skills Crisis
Security is a moving target
Just like building a computer or network, security training requires constant updates
Unfortunately, too many organizations consider “security” to be a bullet point on a presentation to
This becomes even worse at the user level
Many users are given a security brief once—when they are hired—and little or no refresher training
Sources of a Network Security Breach
federal-cybersecurity-survey-2015
Causes of Insider-Based Breaches
federal-cybersecurity-survey-2015
Time to Meet the Hacker’s Best Friend: YOU
Your Gaming Data is Valuable
Value of Personal Data Costs 2015 - Gartner
How Can We Fix This?
Commitment of resources from the top down!
Annual training, certification, and penetration testing for security professionals
  Certified Ethical Hacking (CEH)
  Certified Security Information Professional (CISSP)
  Network forensics training
Periodic basic security training for user personnel
  Tips of the month
  Banner screens
  Posters
  Audits
OK, I’m Scared. What Do I Do?
Layers of Security
  Firewall/Anti-Virus/Anti-Malware tools
  Encrypt your traffic: Consider VPNs and use HTTPS for your browser sessions
  Encrypt your data: VeraCrypt, Microsoft BitLocker, or Apple FileVault
Passwords are the weak point in any system
  Change them often
  Don’t use an online password storage service
Disable automatic updates on unneeded programs
  Select “notify me to install updates” instead
Pay attention to the behavior of your computer so you can recognize when something is wrong
Case Study 4: Pros and Cons of Hiring Outside vs. Training Internal Personnel
To Outsource or Not to Outsource
To many IT personnel, the idea of handing over control of network security to an outsider is controversial to say the least
However, recent studies indicate the practice may be growing as companies place net cost over in-house control of security
Says Gavan Egan, VP sales at Verizon: “Nothing is ever as simple as it seems. Part of the complexity of security is that its requirements are interwoven throughout the whole business. It’s not just hardware; it’s business processes and structures, it’s staff and attitudes, and it’s data.”
Factors to be Considered
Factors for:
Reduce administrative, office, and operational overhead to recruit, screen, train, schedule, manage, and pay personnel
Increase efficiency and productivity by concentrating on core business functions
Improve management and quality due to focus of the contractor
Increase ability to define service requirements
Leverage contractors’ project management experience, security expertise and investment in people, equipment and technology
Minimize requirements to track and implement changing standards
Factors against:
Tighter control, supervision, and the ability to control, correct, and modify negative behaviors
Better training; maintaining in-house provides more extensive and continuous training to security personnel
Employee loyalty; in-house security operations create a much stronger sense of ownership vs. perceived “outsiders.”
Culture integration; it’s easier to achieve a high level of integration of a company’s culture and values
Experience and familiarity with existing infrastructure, policies, and procedures
A Final Example
Some Final Thoughts
You Control What You Choose to Click
Most end-user threats are targeted specifically in hopes that you will click on a harmful link, attachment, picture, video, or icon in an email or web page, including social media applications
STOP, and THINK, BEFORE you CLICK
You need to be aware, alert, and diligent; always look for the signs that someone may be trying to gain access to your network
Instructor Contact Information
Phill Shade: [email protected]
Merlion’s Keep Consulting: [email protected]
International: [email protected]
Learn More
Recommended Global Knowledge Courses
  Network Forensics using Wireshark
  Cybersecurity Foundations
  CEH v8
  ECSA v8
  CASP Prep Course
  Security+ Prep Course
  Fundamentals of Information Systems Security
Request an On-Site Delivery
  We can tailor our courses to meet your needs
  We can deliver them in a private setting
Visit Our Knowledge Center
  Assessments, Blog, Case Studies, Demos, Lab Topologies, Special Reports, Twitter, Videos, Webinars, White Papers