Regina Llopis, CEO, Grupo AIA


Transcript Regina Llopis, CEO, Grupo AIA

2015 Global Summit for Women
Breakout Sessions III. Entrepreneurial Track:
Protecting Your Business in the Internet Age.
Vulnerability of Business Assets to Security Risks
Regina Llopis
Sao Paulo - Brazil
May 16th 2015
www.aia.es
APLICACIONES EN INFORMÁTICA AVANZADA, S.L.
1
SMEs
IMPORTANCE OF CYBERSECURITY
SOME NUMBERS
In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit responded to a combined 761 data breaches; 63% of them were at SMEs with fewer than 100 employees.
In 2011, Visa estimated that 95% of the credit-card data breaches it discovers were at SMEs.
Source: FCC's Small Biz Cyber Planner
In 2012, Symantec stated that cyberattacks on SMEs with fewer than 250 employees rose to 31%, from 18% in 2011.
Source: CNN Money
SMEs
SECURITY RISK VULNERABILITY
Lower risk and high returns (H)
Data is valuable
Inadequate tools
Guard is down
Easier target
Source: FireEye.com
SMEs
AGENDA TOPICS
FCC’s Small Biz Cyber Planner
https://www.fcc.gov/cyberplanner
Scams and Fraud
Privacy and Data Security
Network Security
Website Security
Email (Not the hosting services)
Mobile Devices
Employees
Facility Security
Operational Security
Payment Cards
Incident Response and Reporting
Policy Development, Management
SMEs
AGENDA TOPICS
1. Scams and Fraud
2. Privacy and Data Security
3. Network Security
4. Mobile Devices
5. Employees
6. Twente U Report
7. EXAMPLE OF ONE SME (G:AIA)
Scams and Fraud
Vocabulary
E-infections: viruses, trojans, worms
Mal/scare/spy/adware
Online fraud: phishing, botnets
DoS attacks, flooding
Social engineering: pretexting
Scams and Fraud
Protection
Update the antivirus software
Update software patches
Don't fall for fake antivirus
NO personal info
Verify the identity of info seekers
Employee awareness
Never click links
Layered access protection
Privacy and Data Security
INFORMATION ASSETS AND SECURITY
Inventory data: types, access, location
Compliant privacy policy: PII, PHI, clients, business IP, other
Backup, plan for loss
Contextual access to data: HC, Sen, Int., UO
Secure data: 2-factor, encryption
Protection for data from the Internet
Privacy and Data Security
INFORMATION ASSETS AND SECURITY
Customers:
• Customer sales records
• Customer credit card transactions
• Customer mailing and email lists
• Customer support information
• Customer warranty information
• Patient health or medical records (if in the health industry)
Privacy and Data Security
INFORMATION ASSETS AND SECURITY
Employees:
• Employee personal information
• Employee payroll records
• Employee email lists
• Employee health and medical records
Privacy and Data Security
INFORMATION ASSETS AND SECURITY
Business:
• Business and personal financial records
• Marketing plans
• Business leads and enquiries
• Product design and development plans
• Protect IP assets: patents, copyright, trademarks
• Legal, tax and financial correspondence
Privacy and Data Security
INFORMATION ASSETS AND SECURITY
Policy:
• Develop a privacy policy compliant with legislation
Privacy and Data Security
INFORMATION ASSETS AND SECURITY
Recovery:
• Develop security, backup and recovery-from-loss processes
Network Security
PROTECTION
Secure internal network and cloud services (audit rights)
Strong passwords, and HC & Sen data encryption
Safe use of flash drives (SHIFT key)
Wireless: separation of public and internal, WPA2 (WiFi Protected Access) encryption level
Secure web browsing
Only VPN (Virtual Private Network) for remote access
Mobile Devices
THREATS
Device as well as data loss; danger of a BYOD policy
Social engineering and malware
Web- and network-based attacks
Resource abuse (using the compromised device)
Data integrity threat
Mobile Devices
PROTECTION
Security software and updates; use of different networks when BYOD
Same earlier recommendations on phishing, social engineering, other
Encrypt on mobile devices
Ensure all devices are wiped clean prior to disposal
Users aware of surroundings; follow reporting policy
Employees
PROTECTION
Develop a demanding hiring process as well as background checks (Outsc.)
Access control for employees based on need to use; clean desk; shred HC, Sen when disposing
Employee password-protected access
Training on security for employees
Implement employee departure checklist
Twente U Report
Attacks on Assets and Actions
Most common cyber security threats in SMEs
(credit: The Impact of Cyber Security on SMEs, N. Amrin, U. of Twente)
Columns: Attack / Compromised asset / SME's preventive action
1. Automated exploit of a known vulnerability
   Asset: operating system of computers
   · Use patch management software
   · Train the employees to comply with updates
   · Implement prevention policy
2. Malicious HTML email
   Asset: devices that view email
   · Implement spam filtering
   · Raise employee awareness
   · Implement prevention policy
3. Reckless web surfing by employees
   Asset: computers, laptops, etc.
   · Web filtering solutions to block URLs
   · Use a firewall
4. Web server compromise
   Asset: website and server
   · Audit the web code to fix all the security holes
   · Use a firewall for malicious traffic
5. Data lost on a portable device
   Asset: portable devices and data
   · Encrypt data on the devices
   · Use Mobile Device Management (MDM) software
6. Reckless use of Wi-Fi hot spots
   Asset: company's data
   · Use an encrypted Wi-Fi connection
7. Reckless use of hotel networks and kiosks
   Asset: employee's device
   · Use updated anti-virus/spyware/malware tools
   · Use a firewall
8. Poor configuration leading to compromise
   Asset: entire network
   · Always change factory default users & passwords
   · Implement prevention policy
9. Lack of contingency plan
   Asset: entire IT infrastructure
   · Develop policy based on the company's needs
   · Implement prevention policy
10. Insider attacks
   Asset: entire IT infrastructure
   · Check the basic background of employees
   · Do not concentrate all IT authority in one employee
   · Implement prevention policy
EXAMPLE
CYBERSECURITY AT GROUP AIA
GENERAL GUIDELINES OVERVIEW
• Network security
  • Intrusions (tip: separate your Internet-facing services as much as you can from your internal network; outsource it whenever possible)
  • WiFi challenges and security levels
    • Min: use WPA2 and change passwords often
    • Medium: add RADIUS to control user access
    • Max: air-gap with separate Internet access, and use VPN to access the internal network
EXAMPLE
CYBERSECURITY AT GROUP AIA
• Information theft
  • The challenge of BYOD
  • Theft or loss of laptops (use two-factor auth using USB or SmartCards)
• Disaster Recovery and Business Continuity Plans
  • Don't be your worst enemy, be prepared!
  • Redundancy (RAID) is not the same as backup
  • Always keep regular, point-in-time backups, à la Time Machine in Macs
  • On-premises copies are not backup! Ship them off-site regularly
EXAMPLE
CYBERSECURITY AT GROUP AIA
Our view on BYOD (Bring Your Own Device):
• It is true that people sometimes want to be able to use their own devices at work, but…
• Does it really save the business having to buy a device for the worker?
• How will the IT department enforce security policies on the worker's device?
• Vendors will be happy to sell you BYOD-management software, but it adds cost and complexity
• We think the savings are not worth it for an SME
• Simple solution:
  1. Deploy a separate, isolated WiFi, with its own independent connection to the Internet. After all, most people just want to use their phone/tablet.
  2. For those that do want to use their device for work, make them go through VPN as any other remote worker.
EXAMPLE
CYBERSECURITY AT GROUP AIA
[Network diagram; only the labels are recoverable]
Server room (50% virtualized; housing and support outsourced): corporate LAN (may include isolated VLANs)
Private WiFi access point: users
Corporate DMZ: demo servers, product downloads
Internet: Google email+, Amazon EC2, Harvest (time), Webhoster (website host)
VPN gateway: mobile and remote users
EXAMPLE
CYBERSECURITY AT GROUP AIA
Security best practices:
In our infrastructure:
• A mixed Windows/Linux environment, all user permissions based on roles, and managed from Active Directory.
• All software developers' and admins' desktops & laptops are managed by Active Directory.
• BYOD policy: not allowed on the network (use the Facilities' public WiFi). Private WiFi: access through RADIUS (802.1X/WPA2).
EXAMPLE
CYBERSECURITY AT GROUP AIA
• Remote VPN access only given if needed for work.
• Possibility to segment isolated VLANs at the switch level, if a client (typically banks) requests isolated project teams.
• Centralized antivirus software that pushes updates to all desktops/laptops.
• Daily backups performed as efficient incremental snapshots, on standard external HDs. Monthly copies are shipped off-site to a bank vault.
EXAMPLE
CYBERSECURITY AT GROUP AIA
Security best practices: in our OUTSOURCING VENDOR's infrastructure:
• Professionally trained IT staff (5 to 6 people)
• Centralized firewall (FortiGate)
• Intrusion Detection Systems (monitor traffic to detect anomalies)
• Segmentation of different company LANs through managed-switch VLANs
• Server room: fully backed-up power supply, continuous monitoring, restricted physical access
• Internet links: triple-redundant links to different ISPs
EXAMPLE
CYBERSECURITY AT GROUP AIA
We were recently hit by ransomware:
1. One of our secretaries inadvertently executed an attachment in a deviously crafted email.
2. Our users do not have admin privileges, so the malware was contained to running with regular user permissions.
3. All files that the secretary had access to, locally and on the server, were being encrypted!!!
4. It is virtually impossible to crack this crypto, and the original contents are overwritten, so they cannot be recovered. The malware points the victim to a website with instructions to pay a ransom in order to decrypt the files.
EXAMPLE
CYBERSECURITY AT GROUP AIA
How we reacted:
1. Our secretary had been trained on how to deal with malware, phishing scams, etc.
2. She immediately called IT support. Realizing the malware was running locally, she was instructed to disconnect from the network right away, and then switch her PC off.
3. Cleaning the malware from the PC was quite easy, but some damage had already been done: several documents on the server had been encrypted.
4. Those documents had to be recovered from the previous day's backup. Luckily only a few hours of editing work were lost.
EXAMPLE
CYBERSECURITY AT GROUP AIA
Take away from our story:
• Invest in training your users against malware. Keep them updated on the latest trends.
• Backups, backups, backups!
• For an SME, Disaster Recovery and Business Continuity Plans are mostly about backups. More so in an era of virtualized IT.
Beware of the new ransomware threat. It is a trend that is alarmingly on the rise. According to Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., about 30% of ransomware victims pay to regain their data.
See: http://www.wsj.com/articles/ransomware-a-growing-threat-to-smallbusinesses-1429127403
END
THANK YOU FOR YOUR ATTENTION
Questions?
More information?
Need biblio?
Regina Llopis
[email protected]
Grupo AIA has innovated in the area of Knowledge Generation and Business Analytics for Decision Support for over twenty-five years.
BUILDING ALGORITHMS FOR A BETTER WORLD
FINAL
COMPLEMENTARY TERMINOLOGY
DMZ stands for "De-Militarized Zone": it's a separate LAN in which all Internet-facing servers are put, to isolate them from the internal LAN. The firewall thus separates the three main zones: internal LAN, DMZ, and the Internet.
A VLAN is a virtually isolated LAN, a feature provided at a lower-level hardware implementation (and therefore quite hacker-resistant) by network switches. It's like having two (or more) different switches in one. When configured properly, they are bullet proof (I mean, there is no way someone on VLAN1 can ever hop onto VLAN2).
FINAL
COMPLEMENTARY TERMINOLOGY
RADIUS is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations.
Time Machine-style backups were invented in UNIX a long time ago, and provide a cheap and efficient way to keep several incremental snapshots of a file-system (the files that haven't changed only take space once). This is what we use, on external USB HDs. They should then be renewed every 2-3 years, for reliability.
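The snapshot scheme described here, and the daily incremental backups from which the ransomware-encrypted documents were restored earlier in this deck, as an added shell example that is not Grupo AIA's own tooling: each snapshot is a complete directory tree, but files unchanged since the previous snapshot are hard-linked rather than copied, and comparing two consecutive snapshots flags the kind of mass change a ransomware run produces. The function names, the chronological snapshot naming and the percentage threshold are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not Grupo AIA's own tooling: Time-Machine-style snapshot
# backups with only POSIX tools. Every snapshot is a complete directory tree,
# but a file that is byte-identical to the newest earlier snapshot is
# hard-linked to it, so unchanged files occupy disk space only once.
# Assumption: snapshot names sort chronologically (e.g. 2015-05-15), so the
# last name in the backup root is the newest snapshot.

same_content() {   # true when both files exist and have identical bytes
    [ -f "$1" ] && [ -f "$2" ] && [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# snapshot SRC ROOT NAME: create ROOT/NAME from the live tree SRC
snapshot() {
    src=$1; root=$2; name=$3
    prev=$(ls "$root" 2>/dev/null | tail -n 1)
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        mkdir -p "$root/$name/$(dirname "$f")"
        if [ -n "$prev" ] && same_content "$src/$f" "$root/$prev/$f"; then
            ln "$root/$prev/$f" "$root/$name/$f"   # unchanged: share the inode
        else
            cp -p "$src/$f" "$root/$name/$f"      # new or modified: real copy
        fi
    done
}

# changed_files ROOT OLD NEW: list files in snapshot NEW that are not
# hard-links of the same path in snapshot OLD, i.e. added or modified
changed_files() {
    root=$1; old=$2; new=$3
    (cd "$root/$new" && find . -type f) | while IFS= read -r f; do
        [ "$root/$new/$f" -ef "$root/$old/$f" ] || printf '%s\n' "$f"
    done
}

# mass_change ROOT OLD NEW PERCENT: exit 0 when more than PERCENT of the
# files differ between two consecutive snapshots. A jump from the usual
# handful of edited documents to nearly every file the user could reach is
# what a ransomware run looks like from the backup host, and it is worth a
# call to IT before the clean snapshot is rotated away.
mass_change() {
    root=$1; old=$2; new=$3; pct=$4
    total=$(cd "$root/$new" && find . -type f | wc -l | tr -d ' ')
    changed=$(changed_files "$root" "$old" "$new" | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] && [ $((changed * 100)) -gt $((total * pct)) ]
}
```

Hard links only work within one filesystem, so the backup root must live on the external disk itself; the clean snapshot stays intact because the encrypted copies are written as new files, never through the shared inode.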
HQ Barcelona
Av. de la Torre Blanca, 57
08172 Sant Cugat del Vallès
Barcelona
Tel. +34 93 504 49 00
San Francisco
48 Terra Vista Ave. # D
San Francisco, CA 94115
Tel. 1 415 978 98 00
Fax. 1 415 978 98 10