Cyber Security User Overview Martin Dinham - - PowerPoint PPT Presentation




SLIDE 1

Cyber Security User Overview

Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030

SLIDE 2

Some context…

SLIDE 3

Daily Mail online, April 2017

SLIDE 4

52% – the number of small businesses that had a security breach in 2016

UK Government Cyber Security Breaches Survey 2017

SLIDE 5

57% of companies that suffered a breach experienced a serious business impact

UK Government Information Security Breaches Survey 2017

SLIDE 6

2016 US social engineering report – the cyberminute

  • 108,333 phishing emails
  • 1,080 victims
  • 100 new phishing pages created
  • 1,214 ransomware attacks
  • 14.5 malvertising incidents
  • $856,164
SLIDE 7

Consequences

  • Loss of critical company data
  • Loss of critical client data
  • High cost to recover data
  • Lost days due to recovery process
  • Fraudulent unauthorised access to company funds
  • Censure or prosecution
  • Damage to company reputation

SLIDE 8

How can an attack happen?

  • Browsing the internet
  • Malware infected devices
  • Social engineering
  • Lost or stolen devices
  • Social media
  • Public Wi-Fi
  • Disgruntled or untrained employees
  • Poor physical security

SLIDE 9

Malware

“Software used to disrupt computer operations, deliver viruses, gather sensitive information, gain access to systems or display unwanted advertising”

SLIDE 10

Zero Day Exploit

“A cyber attack that occurs on the same day that a vulnerability is discovered; it is ‘zero day’ because the attack is launched before a fix becomes available.”

SLIDE 11

Phishing/Spear Phishing

  • Phishing – An email that falsely claims to be from a legitimate organisation or individual in an attempt to scam the user into surrendering confidential information
  • Spear phishing – A phishing attack that is not random but aimed at a specific organisation

SLIDE 12

CEO/BEC

CEO/BEC Fraud – Chief Executive / Business Email Crime – Impersonating senior executives to coerce staff into taking certain actions, often financially detrimental.

1 in 3 companies have been victims of CEO fraud emails

SLIDE 13

Whaling

Phishing campaigns that are targeted at senior level executives. Whaling emails are highly customised and, due to their highly focused nature, can be harder to detect than standard phishing attacks.

SLIDE 14

Ransomware

A malware that encrypts or locks files, and then demands payment of the “ransom” to decrypt or unlock them. Paying the ransom encourages the criminals and there is no guarantee that you will retrieve all your files. Regular backups are the key to combating ransomware.

SLIDE 15

Malvertising

The use of online advertising to distribute malware or scams with little or no user interaction required. Executed by hiding malicious code within relatively safe online advertisements.

The ads can lead the victim to unreliable content or directly infect a victim’s device. Links in social media can be particularly dangerous.

SLIDE 16

SLIDE 17

SLIDE 18

IT Security

A security infrastructure should be built using multiple security controls to safeguard network resources and data. Antivirus is not sufficient and has led to a false sense of security.

SLIDE 19

IT User Security

  • Keep your anti-virus up to date
  • Always apply operating system updates
  • Always renew security subscriptions for devices
SLIDE 20

The Human Factor – Social Engineering

Technique used by cybercriminals to lure unsuspecting users into revealing confidential data, infecting devices or taking other actions for the benefit of the criminals. Humans are:

  • Trusting
  • Generally helpful by nature
  • Inquisitive

The more sophisticated attacks will not just use email and social media; cybercriminals will add authenticity with telephone calls to “back up” their chosen scam.

  • Phishing
  • CEO/BEC Fraud
  • Whaling
  • Support scams

SLIDE 21

The Human Factor – Social Engineering

SLIDE 22

Emails are dangerous!

Email is the prime delivery mechanism for cyber crime attempts

  • Phishing emails
  • Spear-phishing
  • CEO/BEC Fraud
SLIDE 23

Because…

  • 269 billion emails are sent per day
  • 2.1 billion each day contain malicious links or attachments
  • 9 million are opened
SLIDE 24

SLIDE 25

SLIDE 26

SLIDE 27

SLIDE 28

Ransomware statistics

  • 72% of infected businesses lost access to data for two days or more
  • 1 in 5 businesses that paid a ransom never got their files back

SLIDE 29

Web browsing

  • For online transactions look for the “lock” icon and https in the URL
  • Never click on ads in pop-ups – one click could take you to malware infected or phishing websites
  • If you are suspicious, type the web address in the search bar
  • Don’t fall for ads tempting you to download free software – these often contain malware

SLIDE 30

Passwords

SLIDE 31

Bad Practice

  • Using the same passwords for multiple accounts/sites
  • Using weak passwords
  • Sharing passwords
  • Passwords that include –
      • Favourites (eg teams/holidays)
      • Telephone numbers
      • Simple sequences
      • Actual names
      • Family/pet names
      • Birthdays
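The bad-practice list above can be turned into an automated check that a helpdesk or onboarding script runs before accepting a new password. The following is an added example, not from the presentation or CF Systems; the personal-word list and the length threshold for "weak" are assumptions, and the reuse check assumes the caller can supply the user's other passwords (e.g. from a password-manager export).

```python
import re
from datetime import datetime

# Constructed example of personal words a user would supply: favourite team,
# holiday spot, family and pet names (the deck's "favourites" and "names" items).
PERSONAL_WORDS = ["rovers", "tenerife", "rebecca", "biscuit"]

# Alphabet, digits and keyboard rows; any 4-char window of a password found
# here (forwards or backwards) counts as a "simple sequence".
SEQUENCE_STR = "abcdefghijklmnopqrstuvwxyz0123456789qwertyuiopasdfghjklzxcvbnm"


def has_simple_sequence(pw, length=4):
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if len(set(chunk)) == 1:          # e.g. "1111"
            return True
        if chunk in SEQUENCE_STR or chunk[::-1] in SEQUENCE_STR:
            return True
    return False


def contains_date(pw):
    """True if any digit run parses as a plausible birthday (ddmmyy, ddmmyyyy,
    yyyymmdd) or a bare 4-digit year since 1900."""
    this_year = datetime.now().year
    for run in re.findall(r"\d+", pw):
        if len(run) == 4 and 1900 <= int(run) <= this_year:
            return True
        for fmt in {6: ["%d%m%y"], 8: ["%d%m%Y", "%Y%m%d"]}.get(len(run), []):
            try:
                datetime.strptime(run, fmt)
                return True
            except ValueError:
                pass
    return False


def check_password(pw, all_passwords=None, personal_words=PERSONAL_WORDS):
    """Return the list of bad-practice findings for pw (empty list = none found).
    all_passwords maps account name -> password for the reuse check."""
    findings = []
    if all_passwords and list(all_passwords.values()).count(pw) > 1:
        findings.append("reused across accounts")
    if len(pw) < 12 or pw.isdigit() or pw.isalpha():   # assumed definition of "weak"
        findings.append("weak (short or single character class)")
    if has_simple_sequence(pw):
        findings.append("contains a simple sequence")
    if re.search(r"\d{10,}", pw):                       # UK numbers are 10-11 digits
        findings.append("contains a telephone-number-like digit run")
    if contains_date(pw):
        findings.append("contains a birthday/date")
    findings += [f"contains personal word '{w}'" for w in personal_words if w in pw.lower()]
    return findings
```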

SLIDE 32

Worst Passwords of 2017

SLIDE 33

SLIDE 34

Portable storage

  • University of Illinois, 2016 study
  • 300 USB drives “dropped” around campus
  • 98% were picked up
  • At least one file was opened on 45%
  • 2012 MOSSAD attack on Iranian nuclear facility
SLIDE 35

Critical issues

  • Policies – do you have clear policies and do staff understand them?
  • Do you use staff induction to explain and reinforce your policies?
  • Do staff understand the value of the data to the business?
  • Staff awareness training is critical
SLIDE 36

Lost or stolen devices?

The value of the data on a device usually exceeds the value of the device itself – often by a factor of 100

SLIDE 37

The business significance of cyber security

  • 86% of UK procurement managers would remove an SME supplier that suffered a data breach
  • 47% of UK supplier contracts are embedding cyber security clauses

KPMG

SLIDE 38

What does this mean?

  • A multi-layered defence is critical – anti-virus is not enough…
  • But it’s about people and their behaviour as much as technology
  • You can train, but you also need to test…
  • Ongoing training and testing is the only strategy
SLIDE 39

Tel 01209 340030 Martin.dinham@cfsystems.co.uk www.cfsystems.co.uk

@CFSystems CF Systems Ltd