The Human Side of Security


The Human Side of Security: How to Secure Your Workforce without Ruining Their Lives

Cyberattacks Are Everywhere

Malware - Quick Stats - Q2 2017

+ 62 million malware detections

+ 677,000 average daily volume

+ 16,582 malware variants

+ 2,534 different malware families

+ 18% of firms saw mobile malware

Your Biggest Security Weak Spot?

Human Beings.

Your Biggest Security Weak Spot?

You Are the First Line of Defense

In survey after survey, users feel that security is someone else’s job, not theirs.

Someone invites you to download important files.

Malware hides among these files.

This tactic slips innocuous files into your system in order to deliver malicious payloads later.

How Malware Gets Inside

Why People Are the Weak Link

+ For many employees, clicking on attachments and searching the Internet is part of their job.

+ Phishing attacks have become very convincing.

+ How do you maintain the appropriate level of skepticism and get your work done on time?

So What Can You Do?

Don’t Trust Unknown Files

Best Practices:

● Do not download files.

● Do not click on email attachments.

● Don’t follow unsolicited web links in emails.

● Don’t collaborate on Google docs from people you don’t know.

If you don’t have a tool for secure file sharing, get one!

Patch Your S#!T

This doesn’t apply only to server admins.

● Automate patching where possible.

○ Restart your PC/laptop!

● If not automated, run your updates.

○ Especially anti-malware apps

● Include your mobile devices, OS, and apps.

DON’T depend on after-the-fact breach identification!

Patch Your S#!T

"...Attackers show no sign of discrimination against elderly vulnerabilities. A full 90% of organizations recorded exploits for vulnerabilities that were at least three years old."

Install, Use, and Regularly Update a Strong Anti-Malware Suite

How Not to Pay Ransomware

You don’t have to pay if you have your data backed up!

● Syncing solutions are not backups.

● Backups must be:

○ Regular - if they don’t happen they aren’t any good

○ Frequent - you lose data since the last backup

○ Offline - they are only safe if they can’t be reached electronically

Backups Made Easy

There are lots of good backup tools and SaaS options.

+ I use Cobian on Windows.

Ransomware: How Not to Pay It

It is always better to prevent than to recover.

● Update AntiVirus on all devices

● Keep OS and Browser updated

● Use pop-up blocker

● Don’t open attachments from unsolicited emails

● Use attachment encryption to avoid tampering

● Strong password practice

Passwords for Smart People

Use high-entropy passwords

○ Combination of words, numbers, symbols, and both upper- and lower-case letters

○ Or very long - 12 to 15 chars min - is even better

That are hard to guess/generate

○ No info related to you

○ No dictionary words

Unique to each site/application

○ A great password is useless if that site’s DB is hacked

Great Tips, Right? But... I have 718 unique logins!

Use a Password Manager

● Remember only 1 password

● Generate random, strong passwords

● Easily change passwords

● Many have easy auto-fill features

● Use across multiple devices

● Multi-factor authentication options

● Security review of your passwords

The same principle applies at work: use a password manager and restrict access.

Passwords for Smart People

Two-Factor Authentication

Key principle:

● Something you Know

● Something you Have/Are

Things you Have/Are:

● Phone - Google Authenticator, LastPass Authenticator, etc.

● Hardware token - e.g. Yubikey

● Fingerprint scanner

1 in 5 Firms See Mobile Malware

Mobile Security

Use the same precautions on mobile devices as you would on a computer:

● Good Password Practice (PW Manager mobile apps)

● Lock device, require authentication!

● 2FA (Google Authenticator, LastPass Authenticator, etc.)

● Use a VPN (yes, for a phone)

● Use a lock-down tool like Prey

Lock Your Mobile Device!

8% of U.S. users and 14% of U.K. users lack a lock screen password on their mobile devices.


Mobile Password Protection

Using a Password Manager on Mobile

● Tedious - but getting easier

● LastPass announces Auto-Fill for Android Oreo same day as Oreo is announced

Mobile Security

Mobile devices are more likely to be lost, so you need to be able to:

● Locate them if possible, if not

● Shut them down and

● Secure the data

Example: Preyproject.com

Excessive Security Can Slow You Down

Giveaway Winners!