Elements That Comprise a “Secure Network”

CYBER SECURITY

Presenter: Ray Gasnick IIIDirector of IT EngineeringMiles Technologies

Awareness Example

Local Network Security

“Secure” networks aren’t just those comprised of multi-factor authentication mechanisms and multiple layers of firewalls.

Data Breaches: Facts & Figures

In the past 10 years per the Privacy Rights Clearinghouse: 534 breaches were due to insider access 771 breaches were due to “accidental”

disclosure 1066 breaches were due to hacking or

malware 1822 breaches were due to physical loss

(electronic or non-electronic)Source: http://www.privacyrights.org/data-breach/new

Does This Look Familiar?

Local Network SecurityThe Human Element The biggest risks to most

networks are NOT “evil” hackers on the internet.

Most compromises stem from the users themselves either misusing their authority or “leaking” data accidentally.

Misuse of Access

In most organizations, access is governed in a hierarchal fashion.

Despite this, someone usually has greater access due to responsibility.

The “honor” system is all that governs this/these users.

Perceived Authority If a user isn’t entrusted with access to

sensitive data, he or she may be able to coerce information leakage with perceived authority.

Examples: Name dropping of managers to subordinate

employees Downright requests for information by hiding

the real purpose

The Social Game

Another very common method for data leakage is social engineering.

Takes on the form of: Calls Phishing Emails The most brazen would

show up in person

Social Engineering Leverages some technique to coerce

an employee to divulge information: Tailgating Outright asking

for the information

Perceived authority

Assumed access Empathy

All of these avenues of attack cannot be stopped even with the most sophisticated firewalls in the world.

Combatting the Social Attack: Awareness

Everybody “assumes” they could never be duped into handing over information from a social attack.

Awareness/Education is the best method for prevention.

Awareness Smaller companies are less susceptible.

There is generally a higher degree of awareness when someone/something is out of the ordinary.

Larger companies are more likely to fall victim to social tactics. There is a higher degree of anonymity

between departments if they do not interact regularly.

Awareness/Physical Security Methods

Distinguish employees from visitors (badges, sign in sheet, etc.).

Promote an environment where it is acceptable to clarify when a request sounds unusual.

Ensure that sensitive “data” is secured by some means.

Ensure that those who are custodians for sensitive data are known.

Promoting Awareness

Employee awareness is the best defense but it is not a one-time deal.

Recurring training sessions are the best way to keep secure practices fresh in everyone’s minds.

Questions?

Parting Gift