Protection From Within - PowerPoint Presentation
Presentation Transcript

Slide 1

Protection From Within: Addressing the insider threat…

Dan Lohrmann, Chief Strategist & CSO, Security Mentor, Inc.
September 4, 2014

Slide 2

Key Questions

Where does your biggest threat of a data breach reside?
- Internal staff, contractors and/or known business partners
- External hackers, organized crime, overseas (somebody)
- About equal (almost 50/50)

Where are you spending organizational resources?
- Internal staff, contractors and/or known business partners
- External hackers, organized crime, overseas (somebody)
- About equal (almost 50/50)

Slide 3

Slide 4

What is an Insider Threat?

- Security Softie: Limited security knowledge; uses work computer at home and shares it with family.
- Gadget Geek: Brings in a variety of devices and plugs them into their work computer.
- Squatter: Uses work computer for storing content or playing games.
- Saboteur: Accesses information they shouldn’t, or purposely infects the network from within.

Note: The Securelist insider threat categories include the careless insider, the naïve insider, the saboteur, the disloyal insider, the moonlighter and the mole. Add conscientious objector?

Source: McAfee

Slide 5

Incidental Security Leaks

From the FBI Insider Threat Program:
- Insider threats are not hackers.
- Insider threat is not a technical or “cybersecurity” issue alone.
- It’s a people-centric problem.
- Organizations should focus first on deterrence, then on detection.

Slide 6

Insider Threat Statistics

- 21% of workers let family or friends use work laptops to access the Internet
- 51% connect their own devices to work computer
- 60% admit to storing personal content on work computer
- 62% admitted to limited knowledge of security

Source: Schneier on Security

Slide 7

What Can Happen?

Threats to Business
- Loss of productivity
- Network compromise (virus, malware)
- Breach of sensitive information
- Copyright violations
- Litigation
- Bad publicity

Threats to Individual
- Loss of professional reputation
- Loss of personal integrity
- Loss of employment
- Criminal penalties, fines, jail time

Slide 8

Small group work (break into groups of 3-5)

- What Insider Threat(s) keeps you up at night? Why?
- Have you had a major insider threat incident? Can you share?
- What actions are you taking to address the insider threat?

Pick a spokesperson and be ready to report back to the group.

Slide 9

Are you for us or against us?

Story of a personal journey on this topic of security as enabler: LinkedIn series of three articles

Goal one: Understanding the problem scope
- Cloud, mobile, BYOD, telework, social media
- HR, productivity, talent acquisition affected
- Employees, contractors, partners
- Ask: what’s really happening with policies?
- Check: do our practices match procedures?
- Perform: a good risk assessment

Photo credit: Stockphotoforfree.com

Slide 10

Changing your security culture with a new approach

Goal two: trust & verify
- Reexamine acceptable use and social media policies
- Examine access controls for incoming and outgoing staff
- Ensure contract agreements are in place
- Ask: Is the majority of staff with you?
- Check: security logs, monitors, big data
- Perform: background checks, as appropriate

Photo credit: Harland Quarrington/MOD, via Wikimedia Commons

Slide 11

Building Trust & Fixing the Security Culture

Goal three: enabling the doers
- Ask: Do staff know what to do if an incident occurs?
- Conduct exercises
- Train in memorable ways (more coming on this)
- Check: engagement with surveys and feedback
- Measure progress; reward the right things – all eyes helping
- Empower security team with new tools & attitude
- Focus on: risk management methodology

Slide 12

Tips for three groups

For Company Leadership:
- Ask what’s really happening.
- Begin (or improve) the conversation between management and staff regarding expectations for online behaviors at work.
- Look at new awareness training techniques that engage staff and provide a positive difference.
- Offer fun, engaging, updated material to help improve the security culture and get the masses onboard.

For Security Professionals:
- Start by rethinking how to enable secure access for the business, not just disabling access or blocking.
- Build trust with enterprise staff and verify controls at the same time by focusing on the most serious situations using a risk management approach.
- Determine what your web monitoring and log data is really telling you about where your greatest insider threats are.
- Don’t just “check the box” on employee engagement, but offer solutions for tips/input.

Slide 13

Tips for three groups (continued)

For End Users:
- Become engaged. Encourage office conversations with all levels of staff about what’s really happening online.
- Be part of the solution. Understand acceptable use policies and security procedures, and balance personal freedom with corporate responsibility online.
- If you are bored at work, dig deeper at root causes. Are you in the right job?
- Look in the mirror and ask: Are my actions and surfing online appropriate?

EVERYONE: We need to do soul-searching and ask: How can I become more engaged in Internet safety in positive ways at work?

Slide 14

Users: Our Greatest Vulnerability

“. . . Rogers says about 80 percent of the cyber security problems can be solved with regular computer hygiene – strong password, firewall and virus protections that citizens need to exercise diligently.”

Slide 15

Looking Back . . . The Results

In a word . . . FLOP

Approximately 3,000 of 50,000 employees completed the voluntary training.

Some employee feedback:
- Boring
- Irrelevant
- Outdated
- “Death by PowerPoint”
- Doesn’t apply to ME

Slide 16

The Problem?

- 11 audit findings relative to user training.
- Minimal actual participation.
- No user buy-in.

But, wait . . .
- New sense of urgency.
- New executive management.
- New Michigan Cyber Initiative.

Slide 17

Next Generation Cyber Awareness Training

Rollout began September 2012 – 50,000 employees/partners – grown to 60K

Twelve modules (approximately 10 minutes each):
- Intro to Security Awareness
- Information Protection
- Computer Security
- e-Mail Security
- Reporting Incidents
- Passwords
- Phishing
- Office Security
- Social Networking
- Web Security
- Public WiFi
- Mobile Security

- New module delivered to desktop every other month
- Interactive, engaging, and “sticky”
- Provides measurable metrics
- Currently at 87% participation – positive feedback

Slide 18

Lesson #7: Phishing

Slide 19

Small group work (break into groups of 3-5)

- What activities have you seen bring the best cultural change results in your organization? Did the change last? Why or why not?
- Have you implemented any of the suggested items for the three groups? If yes, what happened?
- Any success stories to share regarding insider threats?

Pick a spokesperson and be ready to report back to the group.

Slide 20

Thank You!

Dan Lohrmann, Chief Strategist & CSO
Security Mentor, Inc.
dlohrmann@securitymentor.com
Connect on LinkedIn or Twitter: @govcso