The Human Side of Security
How to Secure Your Workforce without Ruining Their Lives
Cyberattacks Are Everywhere
Malware - Quick Stats - Q2 2017
+ 62 million malware detections
+ 677,000 average daily volume
+ 16,582 malware variants
+ 2,534 different malware families
+ 18% of firms saw mobile malware
Your Biggest Security Weak Spot?
Human Beings.
Your Biggest Security Weak Spot?
You Are the First Line of Defense
In survey after survey, users feel that security is someone else's job, not theirs.
Someone invites you to download important files.
Malware hides among these files.
This tactic slips innocuous-looking files into your system in order to deliver malicious payloads later.
How Malware Gets Inside
Why People Are the Weak Link
+ For many employees, clicking on attachments and searching the Internet is part of their job.
+ Phishing attacks have become very convincing.
+ How do you maintain the appropriate level of skepticism and get your work done on time?
So What Can You Do?
Don’t Trust Unknown Files
Best Practices:
● Don't download files you weren't expecting.
● Don't open email attachments you didn't ask for.
● Don't follow unsolicited web links in emails.
● Don't accept Google Docs sharing invitations from people you don't know.
If you don’t have a tool for secure file sharing, get one!
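Judging a file by its name is exactly what the "innocuous file" trick relies on. The script below is an added example, not part of the original slides: it triages an attachment by its magic bytes rather than its extension, flags double extensions (invoice.pdf.exe), executables renamed to look like images, and Office documents that carry a VBA macro project. The sample attachments are constructed inline (a few header bytes, not real malware); the signature table covers only common formats.

```python
"""Triage an incoming attachment by what it IS, not what its name says."""
import io
import pathlib
import zipfile

# Well-known file signatures (magic bytes); checked in order, first match wins.
MAGIC = [
    (b"MZ", "pe-executable"),                               # Windows .exe/.dll/.scr
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                                 # also .docx/.xlsx/.pptx/.jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls/.msi
]
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".txt", ".jpg", ".jpeg", ".png"}


def sniff(data: bytes) -> str:
    """Classify content by leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """OOXML is a zip; a VBA macro project lives at word|xl|ppt/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious seen."""
    findings = []
    suffixes = [s.lower() for s in pathlib.PurePath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable extension {ext}")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXT:
            findings.append("double extension disguises an executable as a document")
    if kind.endswith("-executable") and ext not in EXECUTABLE_EXT:
        findings.append(f"content is {kind} but extension is {ext or 'missing'}")
    if kind == "zip" and has_vba_project(data):
        findings.append("Office document carries a VBA macro project")
    if ext in {".docx", ".xlsx", ".pptx"} and kind != "zip":
        findings.append(f"{ext} claimed but content is {kind}")
    return findings


def _ooxml(*names) -> bytes:
    """Build a minimal zip with the given member names (stand-in for an Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"<xml/>")
    return buf.getvalue()


# Constructed sample attachments (not real malware): just enough bytes for the headers.
SAMPLES = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "holiday_photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "quarterly.docx": _ooxml("[Content_Types].xml", "word/document.xml"),
    "quarterly.docm": _ooxml("[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"),
    "notes.txt": b"meeting moved to 10:00",
    "brochure.pdf": b"%PDF-1.4\n%...",
}


def scan_samples() -> dict:
    """Run the triage over every constructed sample; name -> findings."""
    return {name: assess(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:20s} {findings or 'ok'}")
```

A clean .docx produces no findings, while the same document with a vbaProject.bin member is flagged even though .docm is a legitimate extension: the point is that macros are a risk signal worth a second look, not proof of malice.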
Patch Your S#!T
This doesn’t apply only to server admins.
● Automate patching where possible.
○ Restart your PC/laptop so pending updates actually get applied!
● If not automated, run your updates yourself.
○ Especially anti-malware engines and signatures
● Include your mobile devices, OS, and apps.
DON’T depend on after-the-fact breach identification!
Patch Your S#!T
"...Attackers show no sign of discrimination against elderly vulnerabilities. A full 90% of organizations recorded exploits for vulnerabilities that were at least three years old."
Install, Use, and Regularly Update a Strong Anti-Malware Suite
How Not to Pay Ransomware
You don’t have to pay if you have your data backed up!
● Syncing solutions are not backups.
● Backups must be:
○ Regular: if they don't happen, they aren't any good
○ Frequent: you lose everything since the last backup
○ Offline: they are only safe if they can't be reached electronically
Backups Made Easy
There are lots of good backup tools and SaaS options.
+ I use Cobian on Windows.
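To make the "syncing is not a backup" point concrete, here is an added example (not from the slides, and not Cobian's code) of the minimum a backup job needs: dated snapshots that are never overwritten, a checksum so corruption is detected before you need the restore, a restore that refuses path-traversal members, and a retention policy. The ransomware scenario in demo() is constructed: a file is overwritten, the sync mirror faithfully copies the damage, and only the earlier snapshot still holds the original. The one property a script cannot give you is "offline": the vault directory stands in for media you physically disconnect.

```python
"""Snapshot backups that survive ransomware: versioned, integrity-checked, restorable."""
import hashlib
import pathlib
import tarfile
import tempfile


def sha256_of(path: pathlib.Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(src: pathlib.Path, vault: pathlib.Path, label: str) -> pathlib.Path:
    """Write vault/backup-<label>.tar.gz plus a .sha256 sidecar. A snapshot is
    never overwritten: that is the difference between a backup and a sync."""
    vault.mkdir(parents=True, exist_ok=True)
    archive = vault / f"backup-{label}.tar.gz"
    if archive.exists():
        raise FileExistsError(f"refusing to overwrite existing snapshot {archive}")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    (vault / (archive.name + ".sha256")).write_text(sha256_of(archive))
    return archive


def verify(archive: pathlib.Path) -> bool:
    """Digest must match the sidecar and the tar must be readable."""
    sidecar = archive.parent / (archive.name + ".sha256")
    if not sidecar.exists() or sha256_of(archive) != sidecar.read_text().strip():
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, EOFError, OSError):
        return False
    return True


def restore(archive: pathlib.Path, target: pathlib.Path) -> None:
    """Extract, refusing absolute paths, '..' traversal and links inside the archive."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            parts = pathlib.PurePosixPath(member.name).parts
            if member.name.startswith("/") or ".." in parts or member.issym() or member.islnk():
                raise ValueError(f"unsafe member in archive: {member.name}")
        try:
            tar.extractall(target, filter="data")  # tarfile extraction filter (Python 3.12+, backported)
        except TypeError:                           # older tarfile without the filter argument
            tar.extractall(target)


def prune(vault: pathlib.Path, keep: int) -> int:
    """Delete the oldest snapshots beyond `keep`; timestamp labels sort chronologically."""
    archives = sorted(vault.glob("backup-*.tar.gz"))
    doomed = archives[:max(0, len(archives) - keep)]
    for old in doomed:
        old.unlink()
        (vault / (old.name + ".sha256")).unlink(missing_ok=True)
    return len(doomed)


def demo() -> dict:
    """Constructed scenario: a document is snapshotted, then overwritten by
    ransomware. The sync mirror copies the damage; the snapshot does not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        docs, mirror, vault, restored = (root / n for n in ("docs", "mirror", "vault", "restored"))
        docs.mkdir()
        mirror.mkdir()
        (docs / "report.txt").write_text("quarterly numbers")
        first = snapshot(docs, vault, "20170701T020000Z")
        # ransomware overwrites the file; a sync client faithfully mirrors the result
        (docs / "report.txt").write_text("ENCRYPTED - pay to decrypt")
        (mirror / "report.txt").write_text((docs / "report.txt").read_text())
        second = snapshot(docs, vault, "20170702T020000Z")
        restore(first, restored)
        second.write_bytes(second.read_bytes() + b"\x00")  # simulate on-disk corruption
        return {
            "first_verified": verify(first),
            "mirror_damaged": (mirror / "report.txt").read_text().startswith("ENCRYPTED"),
            "restored_text": (restored / "report.txt").read_text(),
            "corruption_detected": not verify(second),
            "pruned": prune(vault, keep=1),
            "remaining": len(list(vault.glob("backup-*.tar.gz"))),
        }


if __name__ == "__main__":
    print(demo())
```

Run the restore path on a schedule, not just the snapshot path: the "corruption_detected" result is the check that tells you a backup is bad while you still have time to take another.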
Ransomware: How Not to Pay It
It is always better to prevent than to recover.
● Update AntiVirus on all devices
● Keep OS and Browser updated
● Use pop-up blocker
● Don’t open attachments from unsolicited emails
● Use attachment encryption to avoid tampering
● Strong password practice
Passwords for Smart People
● Use high-entropy passwords
○ Combination of words, numbers, symbols, and both upper- and lower-case letters
○ Or very long (12 to 15 chars minimum), which is even better
● That are hard to guess or generate
○ No info related to you
○ No dictionary words
● Unique to each site/application
○ A great password is useless once one site's database is breached and you reused it elsewhere
Great Tips, Right?
But... I have 718 unique logins!
Use a Password Manager
● Remember only 1 password
● Generate random, strong passwords
● Easily change passwords
● Many have easy auto-fill features
● Use across multiple devices
● Multi-factor authentication options
● Security review of your passwords
The same principle applies at work: use a password manager, and restrict who can access shared entries.
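Why does the slide say "very long" beats "complex", and what does "generate random, strong passwords" actually mean? The following is an added example (not from the slides, and not any password manager's code) that puts numbers on the entropy of the policies listed above and generates passwords and passphrases from the operating system's CSPRNG the way a manager does. The guess rate in time_to_exhaust_years and the small word list are assumptions for illustration; a real diceware list has 7776 words.

```python
"""Password strength as entropy, and generating passwords the way a manager does."""
import math
import secrets
import string

LOWER = string.ascii_lowercase
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
DICEWARE_LIST_SIZE = 7776                                               # standard diceware list
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only valid for machine-generated strings; human-chosen ones carry far less."""
    return length * math.log2(alphabet_size)


def time_to_exhaust_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at the given rate (1e10/s is an assumed
    offline-cracking figure, not a measurement)."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies() -> dict:
    """Bits for the policies the slide lists: length wins over character classes."""
    return {
        "8 chars, all classes": entropy_bits(8, len(PRINTABLE)),
        "12 chars, all classes": entropy_bits(12, len(PRINTABLE)),
        "15 chars, lowercase only": entropy_bits(15, len(LOWER)),
        "6 diceware words": entropy_bits(6, DICEWARE_LIST_SIZE),
    }


def has_all_classes(pw: str, required=CLASSES) -> bool:
    return all(any(c in cls for c in pw) for cls in required)


def random_password(length: int = 20, alphabet: str = PRINTABLE, required=CLASSES) -> str:
    """Uniform random password from secrets (CSPRNG). Rejection sampling keeps the
    result uniform over the set of passwords that satisfy the class policy."""
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw, required):
            return pw


def random_passphrase(words: int, wordlist, sep: str = "-") -> str:
    """Diceware-style passphrase; entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


# Constructed toy word list for the demo; with 8 words each pick is only 3 bits.
TOY_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "gable", "hollow"]

if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:26s} {bits:6.1f} bits  ~{time_to_exhaust_years(bits):.2e} years")
    print(random_password())
    print(random_passphrase(6, TOY_WORDS), "(toy list, only",
          entropy_bits(6, len(TOY_WORDS)), "bits)")
```

The table shows that 15 random lowercase letters (about 70 bits) outscore 8 characters drawn from all 94 printable symbols (about 52 bits), and that six words from a real diceware list do better still. The entropy figures assume uniform random generation, which is exactly what a password manager provides and a human does not.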
Passwords for Smart People
Two-Factor Authentication
Key principle:
● Something you Know
● Something you Have/Are
Things you Have/Are:
● Phone - Google Authenticator, LastPass Authenticator, etc.
● Hardware token - e.g. Yubikey
● Fingerprint scanner
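The phone-app option above (Google Authenticator, LastPass Authenticator and similar) is TOTP from RFC 6238, which is HOTP from RFC 4226 driven by the clock. The block below is an added example, not code from the slides or from any of those apps: both the code generation the phone performs and the server-side check, including the two details a practitioner needs to get right, tolerance for clock drift and refusal to accept a code twice. The enrolment URI format and the RFC test secret are standard; the issuer and account names are placeholders.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, as used by Google Authenticator-style apps."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time (what the phone shows)."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps of clock drift, and
    never accept a time step at or below the last one used (blocks replay)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step = candidate
                return True
        return False


def new_secret(nbytes: int = 20) -> str:
    """Fresh random seed, base32-encoded (what the QR code / manual entry carries)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI encoded into the enrolment QR code (Key Uri Format)."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = new_secret()                       # shown once at enrolment, then stored server-side
    key = base64.b32decode(secret)
    print(provisioning_uri("ExampleCorp", "alice@example.com", secret))
    print("current code:", totp(key, int(time.time())))
```

The shared secret is the whole game: whoever holds it can mint codes forever, so it belongs in the server's secret store and the phone's keychain, never in a screenshot of the enrolment QR code. The verifier's last_step bookkeeping is per user and must be persisted; without it a phished code stays valid for the rest of its 30-second window plus the drift window.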
1 in 5 Firms See Mobile Malware
Mobile Security
Use the same precautions on mobile devices as you would on a computer:
● Good Password Practice (PW Manager mobile apps)
● Lock device, require authentication!
● 2FA (Google Authenticator, LastPass Authenticator,etc.)
● Use a VPN (yes, for a phone)
● Use a lock-down tool like Prey
Lock Your Mobile Device!
8% of U.S. users and 14% of U.K. users lack a lock screen password on their mobile devices.
Mobile Password Protection
Using a Password Manager on Mobile
● Tedious - but getting easier
● LastPass announced Auto-Fill for Android Oreo the same day Oreo itself was announced
Mobile Security
Mobile devices are more likely to be lost, so you need to be able to:
● Locate them if possible, and if not,
● Shut them down and
● Secure the data (remote lock and wipe)
Example: Preyproject.com
Excessive Security Can Slow You Down