The Human Side of Security: How to Secure Your Workforce without Ruining Their Lives

Transcript of The Human Side of Security

Page 1: The Human Side of Security

The Human Side of Security: How to Secure Your Workforce without Ruining Their Lives

Page 2: The Human Side of Security

Cyberattacks Are Everywhere

Page 3: The Human Side of Security

Malware - Quick Stats - Q2 2017

+ 62 million malware detections

+ 677,000 average daily volume

+ 16,582 malware variants

+ 2,534 different malware families

+ 18% of firms saw mobile malware

Page 4: The Human Side of Security

Your Biggest Security Weak Spot?

Page 5: The Human Side of Security

Human Beings.

Your Biggest Security Weak Spot?

Page 6: The Human Side of Security

You Are the First Line of Defense

In survey after survey, users feel that security is someone else’s job, not theirs.

Page 7: The Human Side of Security
Page 8: The Human Side of Security

How Malware Gets Inside

Someone invites you to download important files.

Malware hides among these files.

This tactic slips innocuous files into your system…

...in order to deliver malicious payloads later.

Page 9: The Human Side of Security

Why People Are the Weak Link

+ For many employees, clicking on attachments and searching the Internet is part of their job.

+ Phishing attacks have become very convincing.

+ How do you maintain the appropriate level of skepticism and get your work done on time?

Page 10: The Human Side of Security

So What Can You Do?

Page 11: The Human Side of Security

Don’t Trust Unknown Files

Best Practices:

● Do not download files.

● Do not click on email attachments.

● Don’t follow unsolicited web links in emails.

● Don’t collaborate on Google Docs shared by people you don’t know.

If you don’t have a tool for secure file sharing, get one!

Page 12: The Human Side of Security

Patch Your S#!T

This doesn’t apply only to server admins.

● Automate patching where possible.

○ Restart your PC/laptop!

● If not automated, run your updates.

○ Especially anti-malware apps

● Include your mobile devices, OS, and apps.

DON’T depend on after-the-fact breach identification!

Page 13: The Human Side of Security

Patch Your S#!T

"...Attackers show no sign of discrimination against elderly vulnerabilities. A full 90% of organizations recorded exploits

for vulnerabilities that were at least three years old."

Page 14: The Human Side of Security

Install, Use, and Regularly Update a Strong Anti-Malware Suite

Page 15: The Human Side of Security

How Not to Pay Ransomware

You don’t have to pay if you have your data backed up!

● Syncing solutions are not backups.

● Backups must be:

○ Regular - if they don’t happen, they aren’t any good

○ Frequent - you lose whatever changed since the last backup

○ Offline - they are only safe if they can’t be reached electronically

Page 16: The Human Side of Security

Backups Made Easy

There are lots of good backup tools and SaaS options.

+ I use Cobian on Windows.

Page 17: The Human Side of Security

Ransomware: How Not to Pay It

It is always better to prevent than to recover.

● Update AntiVirus on all devices

● Keep OS and Browser updated

● Use pop-up blocker

● Don’t open attachments from unsolicited emails

● Use attachment encryption to avoid tampering

● Strong password practice

Page 18: The Human Side of Security

Passwords for Smart People

● Use high-entropy passwords

○ Combination of words, numbers, symbols, and both upper- and lower-case letters

○ Or very long (12 to 15 characters minimum), which is even better

● That are hard to guess/generate

○ No info related to you

○ No dictionary words

● Unique to each site/application

○ A great password is useless if that site’s database is breached
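To put numbers behind "high-entropy" and "very long is even better", here is an added worked example (not part of the original deck) that computes the search space of a password policy as bits of entropy and the time an offline guessing attack at an assumed rate would need to exhaust it. The guess rate (10 billion guesses per second) is a constructed assumption for illustration, as are the policy labels.

```python
import math

# Constructed character-set sizes for common policies (assumption, not from the deck).
CHARSETS = {
    "lowercase only": 26,
    "upper + lower + digits": 62,
    "all printable ASCII": 94,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of `length` symbols
    drawn from `charset_size` possibilities: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every password in the space at the given rate.
    Uses exact integer arithmetic for the space so large exponents stay precise."""
    space = charset_size ** length
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Compare two real-world policies from the slide:
    8 chars from the full printable set vs. 15 chars of only lowercase letters.
    Returns {label: (bits, years)} so callers can reason about the trade-off."""
    return {
        "8 x all printable ASCII": (
            entropy_bits(94, 8),
            years_to_exhaust(94, 8, guesses_per_second),
        ),
        "15 x lowercase only": (
            entropy_bits(26, 15),
            years_to_exhaust(26, 15, guesses_per_second),
        ),
    }


if __name__ == "__main__":
    for label, (bits, years) in compare_policies().items():
        print(f"{label:28s} {bits:6.1f} bits  ~{years:,.2f} years to exhaust at 1e10/s")
```

The point the slide makes falls out of the arithmetic: length contributes linearly to the exponent, so fifteen lowercase letters (about 70 bits) dwarf eight mixed symbols (about 52 bits), and the longer password is far easier to type. The model assumes passwords are chosen uniformly at random; a password built from personal information or dictionary words has far fewer effective bits than these figures, which is why the slide's "no info related to you" rule matters as much as the length.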

Page 19: The Human Side of Security

Great Tips, Right?

But... I have 718 unique logins!

Page 20: The Human Side of Security

Use a Password Manager

● Remember only 1 password

● Generate random, strong passwords

● Easily change passwords

● Many have easy auto-fill features

● Use across multiple devices

● Multi-factor authentication options

● Security review of your passwords

The same principle applies at work - use a Password Manager - restrict access.

Passwords for Smart People

Page 21: The Human Side of Security

Two-Factor Authentication

Key principle:

● Something you Know

● Something you Have/Are

Things you Have/Are:

● Phone - Google Authenticator, LastPass Authenticator, etc.

● Hardware token - e.g. Yubikey

● Fingerprint scanner

Page 22: The Human Side of Security

1 in 5 Firms See Mobile Malware

Page 23: The Human Side of Security

Mobile Security

Use the same precautions on mobile devices as you would on a computer:

● Good Password Practice (PW Manager mobile apps)

● Lock device, require authentication!

● 2FA (Google Authenticator, LastPass Authenticator, etc.)

● Use a VPN (yes, for a phone)

● Use a lock-down tool like Prey

Page 24: The Human Side of Security

Lock Your Mobile Device!

8% of U.S. users and 14% of U.K. users lack a lock screen password on their mobile devices.

Page 25: The Human Side of Security

Mobile Password Protection

Lock your mobile device!

“8 percent of U.S. users and 14 percent of U.K. users lack a lock screen password on their mobile devices”

Page 26: The Human Side of Security

Mobile Password Protection

Using a Password Manager on Mobile

● Tedious - but getting easier

● LastPass announces Auto-Fill for Android Oreo same day as Oreo is announced

Page 27: The Human Side of Security

Mobile Security

Mobile devices are more likely to be lost, so you need to be able to:

● Locate them if possible, if not

● Shut them down and

● Secure the data

Example on right: Preyproject.com

Page 28: The Human Side of Security

Excessive Security Can Slow You Down

Page 29: The Human Side of Security

Giveaway Winners!

Page 30: The Human Side of Security