Data Perceptions Inc. - Products, Offers, News

Articles

Human firewalls the key to preventing cyber attacks by Scott Murphy

a month ago

Human firewalls: the key to preventing cyber attacks?
By Scott Murphy
First Published October 3, 2017 Sprint Business https://business.sprint.com/blog/human-firewalls-cyber-attacks/

The Equifax hack is a reminder that cybersecurity is an ongoing threat. Employees should play a role in every cyber defense program, according to security experts from Data Perceptions. Scott Murphy addresses how companies should create human firewalls to decrease their exposure to being hacked.

Following high-profile security compromises such as the Equifax breach or the global WannaCry attack, there is always a call for technology fixes to improve enterprise security. Advisors will tell you that you need better firewalls, enhanced governance, faster patching, and more security staff.

While most of that may be true, it is critical to remember that most security breaches involve a human failure. It may be one employee’s decision to click on a link in a well-crafted phishing email, or it may be an internal decision or patch process that delays patching a known vulnerability, but it commonly involves one or more breaches of the “human firewall” in the organisation.


Attacks in traditional and new ways

The most common attacks are simple. A fake but very legitimate-looking phishing email comes to an employee. It may be spoofed to appear that it comes from that employee’s boss, with all the right words and terms used.

The employee is fooled into clicking on a link, at which point malware is downloaded and the hacker begins collecting information and expanding the breach. The malware provides a remote connection for command and control by the hacker, to get their foot in the door and find ways to access and essentially take charge of networked services.

The hacker may insert ransomware and let it sit for some time. Then at the appointed time, they encrypt some or all files, demanding payment in cryptocurrency to give control back to the organization.

There are other devious methods. One is a USB drop, where a hacker places a USB drive near someone’s vehicle in the parking garage, knowing someone may pick it up and check it. Or, they may pose as a helpful passerby who comes to the company’s front desk and says they found a USB drive and wanted to turn it in. Natural curiosity compels us to plug that drive in. When that happens, the hacker has just gained access to the company network.

Or a person might piggyback onto an employee’s physical access, sneaking in behind a legitimate employee who has used a badge to enter, giving the hacker physical access.

People by nature want to be helpful and customer-focused. That is why even wary IT help desk people can be fooled by a phone caller pretending to be an employee needing help with a login. Sophisticated hackers can weave such a believable story that the help desk person – whose job is to help people with network access – can become a victim.

Train, then train some more

To mitigate the risks of these types of attacks, an organization needs to keep employees constantly aware of security and always acting in safe ways. Reducing the human vulnerabilities requires training, with targeted effort to increase both physical and digital security awareness.

Challenges with any training include making sure it’s available across the organization, ensuring participation of staff and service providers, and making it appealing enough to resonate with them. The next challenge is ensuring that they apply it at the proper times by making the right choices in various situations.

Two good ways to improve people’s retention in security safety awareness training are:

  • Gamification. Award points and other forms of recognition to people who do the right thing during the training modules.
  • Social Engineering Indicators. This uses simulated social engineering attacks such as phishing emails to train people how to identify hacking attempts.

Both of these techniques are most effective when they are ongoing. Employees can be periodically tested by sending simulated phishing emails, doing a USB drop, or having someone show up in the office who is unfamiliar and not properly identified or badged. When employees do the right thing – delete the email, turn in the USB device, or engage the unfamiliar person – they can be rewarded with recognition or points.

Proven success

Training does work. Statistics have shown that when you train for a phishing email attack, for instance, at first you may have 15 to 20 percent of employees clicking on the potentially malicious emails, depending on how well crafted they are. After six months of periodic and ongoing training, you can get that down to one or two percent. You may never get to zero, but you can certainly improve.

There are additional steps an enterprise can take to supplement the human firewall, such as:

  • Email gateways with sophisticated malware, virus, phishing and spear-phishing detection
  • Next-generation Layer 7 firewalls that can detect social engineering attacks and phishing threats
  • Limiting permissions for network shares to only those roles that require access
  • Processes that require two-person approval of payment requests with appropriate due diligence based on the payment size
  • Systems and tools for device/asset management that can deal with lost or stolen devices
  • Security monitoring tools or services that identify user errors such as clicking on a phishing email or missing a patch
  • Incident response processes that address smaller events as they are identified and before they become a security breach

Neglecting the human firewall in an organisation can unlock the risk of a potential security breach that could impact intellectual property assets, revenue streams, or the corporate image or brand, possibly even leading to the catastrophic failure of the organisation.

https://www.dataperceptions.com/2017-10-03

About Scott Murphy
Scott Murphy is Vice President of Business Development for Data Perceptions Inc. and is a board member of the Society
email: scott.murphy@dataperceptions.com | twitter: @ScottMurphyDP | linkedin: https://ca.linkedin.com/in/scottmurphy | web: www.dataperceptions.com

The Human Firewall in a Hyper-Connected World by Scott Murphy (May 2017)

5 months ago

The Human Firewall in a Hyper-Connected World

The human firewall is the first and last line of defense for an enterprise, and investments should be made in security awareness training across the enterprise.

In the security landscape, there are few easier opportunities for hackers to compromise an enterprise than by targeting the human beings that make up the workforce. People in an organization (employees, contractors, senior executives, and board members) are almost always the weakest link in the security ecosystem. They have been taught since they were toddlers to be helpful, curious, and, as adults, customer focused. Hackers take advantage of these ingrained traits using a wide variety of social engineering techniques to exploit access to an organization's resources and assets.

In the aftermath of the WannaCry crypto-locker worm that infected hundreds of thousands of computers in more than 150 countries earlier this month, information security advisors worldwide are preaching that enterprises need better firewalls, enhanced governance, faster patching, and more security staff. Most of these security tactics are needed to compensate for the shortcomings of the human firewall in the organization. Most compromises cannot be completed without a human security failure. The "human firewall" is essentially security awareness spanning the organization, including physical and digital security, and is an enterprise's first and last line of defense.

How do we keep an entire workforce aware of their role in the security of the organization? Traditional security awareness includes signing off on a computer use policy, once-a-year videos, lunch and learns, and standard employee contracts. These cannot compete against the ingenuity of today's hacker using social engineering, phishing attacks, spear-phishing attacks, business email spoofing, malware, trojans, USB thumb drive drops, and their future inventions. All it takes is one employee to click on a hacker's link and enterprise security is compromised. In a global survey conducted by consulting firm PwC, only 73% of organizations have senior executives that are actively communicating security awareness to their employees. This means that there are still significant opportunities for social engineering hacks, even if existing security awareness communications are effective.

This highlights the need for workforce security awareness training that is effective in implementing the human firewall. It is impossible for a business to get this perfect, but you can improve employee effectiveness in combating social engineering hacking techniques. The security awareness training needs to educate the workforce so that they understand not only what they should and should not be doing but also why. They need to understand the significance of security risks.

The ongoing challenge with any training is how do you get the workforce to:

1. Complete the training, as it takes time away from doing their job
2. Utilize their training effectively and at appropriate times, by making the right choices when put into different situations
3. Make the training pervasive in the organization, being delivered in a method that appeals to everyone

Two recent trends in security awareness training that can be used either individually or in tandem are:

• Gamification, which awards points and various forms of recognition to people who do the right thing during the training modules
• Social Engineering Indicators (SEI), which uses simulated social engineering breach attacks such as spear-phishing and phishing emails to train people how to identify hacking attempts

These training tools significantly improve retention and understanding of the material, particularly with respect to security awareness. Both training techniques are ongoing and not one-time events. The goal is to get the workforce thinking conscientiously in a hyper-connected world with mostly friendly, but some malevolent people.

To complement improved training techniques, technology and improved practices can make things easier for the human firewall:
• Email gateways with sophisticated malware, virus, phishing and spear-phishing detection
• Next-generation Layer-7 firewalls that can detect social engineering attacks
• Practicing good network security "hygiene" by limiting permissions for network shares to only those roles that require access
• Processes that require two-person approval of payment requests with appropriate due diligence based on the payment size
• Systems and tools for device/asset management that can deal with lost or stolen devices containing corporate data
• Human-friendly policies and incident management that allow for mistakes and reporting incidents
• Monitoring and measuring effectiveness of security awareness and rewarding people who do well

The human firewall is the first and last line of defense for an enterprise, and with that in mind, appropriate investments and sponsorship should be made for security awareness training across the enterprise. Neglecting the human firewall could result in a security breach that would negatively impact intellectual property assets, revenue streams, corporate image or brand, resulting in the catastrophic failure of the organization.

By Scott Murphy
email: scott.murphy@dataperceptions.com | twitter: @ScottMurphyDP | linkedin: https://ca.linkedin.com/in/scottmurphy | web: www.dataperceptions.com

First Published May 31st, 2017   no jitter - "SCTC Perspective" http://www.nojitter.com/post/240172684/the-human-firewall-in-a-hyperconnected-world

Scott Murphy has two decades of information technology experience and expertise in project leadership, risk management, strategic planning, directing technology deployments, managing complete project life cycles and enhancing operations through change management and process improvement.  He is the VP of Business Development at Data Perceptions Inc. and is an active member of the SCTC (Society of Communications Technology Consultants Association International) – www.sctcconsultants.org

 

Disruptive Technology and Innovation Affects Everyone By Scott Murphy and Eric Sundin

2014-08-12

Disruptive technology and innovation affects everyone: personal lifestyle, business, and the global economy. “According to the Innosight study of almost a century’s worth of market data, corporations in the S&P 500 in 1958 lasted in the index for 61 years, on average. By 1980, the average tenure had shrunk to about 25 years. Today, it stands at just 18 years based on seven year rolling averages.”* The rate of change in business marketplaces has accelerated drastically in the last 50 years, driven primarily by technological change. In order to keep pace and for a business to survive, strategic planning is more important now than it ever has been.

What is clear is that innovation is not accidental; it is a key part of business strategy. “Ultimately, the challenge faced by all companies is to grow at or above the pace of their industry without losing control of their operations. The Innosight study shows that very few companies achieve this goal.”** If they are going to grow faster than their competition, they must do something substantially different, much the way a start-up functions. They must look at their industry and look for opportunities to take strategic risks and innovate their products or services faster than their competition. This requires the C-level to view innovation within the business as strategic and important to the long-term success of the business. They must support innovation with both strategic support and financial support.

“So the relationship between strategy and innovation is vital, and the important role that innovation plays in transforming the concepts of strategy into realities in the marketplace tells us that none of these companies could have succeeded without innovation.”***

The reality is that strategic innovation is no longer optional if a company is going to be successful; it is becoming vital.

Scott Murphy, BMath, CMC and Eric Sundin, P.Eng are senior project strategists at Data Perceptions Inc. (www.dataperceptions.com)

Data Perceptions is a leader in Technology and Operations (Tech & Ops) consulting services, delivering strategic and operational enhancements through the use of: technology, innovative methodologies, and a skilled talent community.

*Innosight – Executive Briefing Winter 2012
**Innosight – Executive Briefing Winter 2012
***Why Innovate: The Link Between Strategy and Innovation, By: Langdon Morris