Cybersecurity: Steps you can take to protect yourself at work and at home
Today’s Webinar is entitled “Cybersecurity,
Steps You Can Take to Protect Yourself at Work and at Home.” Before I introduce them
our speakers have asked that you take a moment to respond to two polling questions showing
now on your screen. Question 1, the majority of security breaches take minutes, hours or
days to succeed. And question 2, average time to discover a security breach is measured
in days, weeks or months. Please select your answers and hit submit to record your responses.
These questions and others will be referred to later in the session. Looks like we have
a different poll question up. We’re going to take that one down and we’ll get to these
questions in a moment. So it’s now my pleasure to introduce our esteemed
presenters today, RIT alumna Kim VanGelder, Chief Information Officer and senior vice
president at Kodak, and alumnus Jeff Wright, vice president and Chief Information Security
Officer at Allstate Insurance Company. Two experts in cybersecurity who are here with
us today to share some simple steps we can take to better ensure our cyber safety at
work and home. I know I’m eager to learn what I should be doing, so Kim and Jeff, let’s
get started!
>>KIM VANGELDER: Thank you, Lisa and hello
everyone. We’re glad to be with you to discuss the topic of cybersecurity. For today’s agenda
I’ll start by giving background and then Jeff will take over to discuss specific types of
threats and steps we can take to protect ourselves. Please feel free to submit questions along
the way, and we’ve got a few more polling questions for you as well.
By way of introduction, a Chief Information Officer is the person in charge of the information
technology strategy and the computer systems required to run a company’s business processes,
so this would include manufacturing, ordering, shipping, billing, marketing, and customer
service. This involves selecting which products to use, purchasing those products, and implementing
and supporting the system. In years past these (inaudible) around mainframe computers, in
locked data centers owned by the company and were accessed by (inaudible) terminal. Today
many companies use cloud computing where your hardware and software is purchased as a service
via the Internet and provided by a third party such as Microsoft or Amazon or Google and
accessed by people from their smartphones, so as you can see, an entirely different situation
from a security standpoint. And cybersecurity, which means the measures
taken to protect a computer or computer system against unauthorized access or attack, is
now a board-of-directors-level issue. A guiding principle according to the national association
of corporate directors is to approach cybersecurity as an enterprise-wide risk management issue
and not just an IT issue. It’s the increasing cybersecurity risk that has led to the increasing
prominence of the Chief Information Security Officer role, which Jeff will now describe
for you. Jeff, over to you.
>>JEFFREY WRIGHT: Great, yes, thanks, and
hopefully everyone can hear me okay. The Chief Information Security Officer role has really
emerged recently, as Kim mentioned as a critical position in many large companies and it has
to do with understanding and managing cyber risk as a component, for instance of a company’s
risk statement when they make their annual filings to the SEC. Investors and stakeholders
want to know that a company has the capacity to identify and manage the risks associated
with cyber-attacks. But beyond technical aptitude in cybersecurity, a successful CISO I think
is expected to be able to communicate successfully with executive leadership and more frequently,
going back to what Kim mentioned, with the board of directors and potentially, hopefully
not, media shareholders. So it’s the ability to communicate effectively and influence key
decisions within the company and even, these days, legislative matters that are important
aspects of a CISO’s role. From a reporting relationship perspective,
it varies at virtually every company. Oftentimes a CISO reports to the CIO, but it’s certainly
not uncommon for the CISOs to report in to top-level risk management positions or even
in some cases directly to the CEO. And it’s probably worth pointing out the federal government
identified earlier this year cyber-attacks as one of the most challenging threats that face
us as a nation and so they appointed both a CIO as well as a cyber czar and have taken
steps recently to introduce both an executive order as well as legislation to help us improve
our nation’s security posture. But for a lot of us it may feel like we’re challenged with
squaring off against well-funded criminal groups and nation-state actors, and hopefully
this material will help you understand some of the facts behind what’s going on in cyber
space and how by taking some relatively simple steps you can better protect yourself and
your company.
>>KIM VANGELDER: Thanks, Jeff. So while a
CIO is responsible for developing the overall IT strategy and plans and runs really the
IT shop for the company, the CISO has the responsibility to evaluate those plans and
make sure from a security standpoint that they’re acceptable, and as Jeff mentioned,
they focus an awful lot on employee education, which we’ll certainly cover more in this session.
So large corporations, as we discussed, tend to have both a CIO and a CISO. Smaller companies
may just have a director of security in the IT organization. The structure for cybersecurity
in the government does remain a topic of debate and Jeff alluded to that. At this point there’s
not a separate Chief Information Security Officer, so somebody with a budget and staff
to do this work, but there is an advisor to the president on the National Security Council,
the cyber czar Jeff referenced. As recently as late September of this year,
the chief strategist for (inaudible), a leading security software firm, recommended that the
president appoint a CISO to focus in the intelligence network, so those are covered by the Department
of Defense, and to pay particular attention to quality infrastructure which we talked
about earlier. I’m sure you’ve heard about the two major cybersecurity breaches
last year, databases pulling personnel and security files of 22 million people including
federal employees and contractors, people that had undergone a background check and
their friends and families. The Office of Personnel Management suffered from a breach
a month earlier that compromised the data of over 4 million federal employees.
For over a decade the federal government has had a Chief Information Officer. Tony Scott
is the third federal CIO and he was named to that position in February of this year.
Clearly cybersecurity is a top priority of his. In fact, on June 12 of this year the
Office of Management & Budget launched what they call a cybersecurity sprint, and here’s
the case reaction: “The president has identified the cybersecurity threat as one
of the most serious national security, public safety and economic challenges we face as
a nation. Ultimately the cybersecurity challenge in federal government is not just a technology
issue, it’s an organizational, people and performance issue requiring creative solutions
to address emerging and increasingly sophisticated threats and new vulnerabilities introduced
by rapidly changing technology.” So they have a plan that covers from 2015 to 2017, cross
agencies to cover things like assessing and monitoring each agency’s cybersecurity theft,
ensuring that users authenticate the resources and only use those they use for their job
and to reduce the risk of malicious software, and compromised email, which is a type of
risk we’ll talk about more in a few minutes. For our personal lives we’re not only the
chief executive officer of our homes and the chief financial officer of our homes, but
we are the CIO and the CISO as well. We decide how to use IT in our personal lives and how
to ensure we’re keeping ourselves and our families safe.
It is astonishing to see what’s happened in such a short period of time. The first email
was sent in 1971 and the first Web site went live in 1991, so fairly recent events. You
may have heard the terms “digital native” and “digital immigrant.” Digital natives are
individuals who were born after technology became widespread and digital immigrants were
born before technology became widespread. An example from my life: for some, like my mom,
all of this is overwhelming, she has never and will never use a computer. Once to my
shock when she said she sent an email, my dad, who does use a computer, clarified that
he printed out one of his emails, which my mom then sent in the U.S. mail (laughter).
I, on the other hand, immigrated, so in the 1980s I was early in my IT career and learned
how to use computers in the business context, and my kids are in their 20s and are native.
They grew up with the technology so it’s natural for them to use it and of course use social
media. Who could have imagined the role social media
would take in so many people’s lives. This year, according to data from We Are Social, out of 7.2
billion people in the world, 3 billion or 42% access the Internet. 30% are active on
social media. At the other end of the spectrum we now conduct our personal finances, our
banking on the Internet and all of this not just done with PCs but with mobile devices
as well. So where is this all headed? You may have
heard the term “The Internet of Things.” The Internet of Things is the network of physical
objects embedded with electronics, software, sensors, and network connectivity which enables
these objects to collect and exchange data. The Internet of Things is enabled by cloud
computing, which we discussed earlier and networks of cheap data gathering sensors.
The data gathered by the sensors is stored in the clouds and analyzed real time. Companies
are (inaudible) with unique ways to use these capabilities.
So The Internet of Things includes every device that’s connected to the Internet so everything
then becomes smart, so you have smart service, you have smart TVs, smart watches, smartphones,
smart roads that sense the conditions and communicate to your car, smart parking
that can tell you availability of parking spots, smart refrigerators, and the list goes
on. Smart lighting (inaudible) lights and turn them back on to full power when the movement
of a car or person is detected. And companies are working on medical wearable devices so
a remote physician can do everything from diagnosing a condition to a treatment without
ever actually seeing the patient. Companies announcing plans on the Internet includes
the giants of Google and Apple and many more and the number of Internet of Things devices
is growing at a tremendous rate. However, as more of the devices in our lives,
our homes, our cars, our wearables become connected to the Internet and those devices
are used to collect data, many people are worried about the risk, not just of personal
data getting in the wrong hands but also the increased number of access points for a breach.
So this is clearly an area of focus for vendors in this space.
Now, before we discuss how we can protect ourselves on the Internet, it’s useful to
have some basic understanding of how the Internet works. The Internet is a decentralized interconnected
network-based on standards. Think of it as a network of networks that needs to operate
around the world as if it were one. A key point is that the Internet was originally
designed for research and exchanging ideas, not for commerce. So some of the vulnerabilities
in the underlying design of the Internet are, one, the address and naming system,
which allows hackers to send you to the wrong Web site, a look-alike Web site. Secondly,
the way packets of data are routed across the Internet is based on trust (inaudible)
directions are, in fact, authentic. Also most information is sent unencrypted, so noting
that we do encrypt connections for logging in and purchasing but most information goes
unencrypted and most of the traffic flows with few checks.
The Internet Society is the international group that was formed in 1992 and they have
the mission to promote the open development, evolution and use of the Internet for the
benefit of all people throughout the world. One aspect of that work is facilitating the
open development of standards and protocols and administration and the infrastructure
of the Internet. In their words, the Internet works because open standards allow every network
to connect to every other network. Also, this is what makes it possible for anyone to create
content, offer services and sell products without requiring permission from any central
authority. So it levels the playing field for everyone and it’s the reason that we have
the rich diversity of applications and services that many of us enjoy on the Internet today.
So who’s in charge of the Internet? As the Internet Society would say, no one is, but
everyone is, or we may look at that as everyone is but no one is. But unlike things like the
telephone network, which for years was highly regulated and in many countries the government
owned it, the global Internet consists of hundreds of thousands of interconnected networks
from service providers, by companies, universities, governments and others. There’s no real governance.
So the Internet design and the self-regulation certainly allowed for massive growth, but
the Internet was not designed with security in mind, so security issues also grew.
As we think about the consequences of being connected, it is effective and convenient.
Think how much more effective doctors and police officers can be with networks of information
available to them. Think of the convenience that our home automation systems can provide
us, but all of this interconnectedness also increases risk. It’s more convenient to transfer
money from your savings account to your checking account at Starbucks than standing in line
at the bank, but it’s also riskier, and this proliferation of new technologies has increased
the attack surface and made protection more difficult, as we’ve discussed briefly with
mobile, with cloud, with The Internet of Things. So we need to stay informed and if we’re going
to use technology for our convenience, we need to be educated on the risks and how to
mitigate them. We’ll pass the ball to Jeff in just a minute to talk about risks and what
we can do about them, but first, Lisa, why don’t we pause at this point to see if there
are any questions.
>>LISA CAUDA: We have a question that goes
to both of you, actually. You mentioned before about getting messages from — to your investors
and stakeholders. So the question is, what are some of the questions you as cyber leaders
get from your CEOs, investors and stakeholders? Jeff? Do you have a thought on that?
>>JEFFREY WRIGHT: Yeah, I think I’ll tell you a for-instance. We had our shareholders
meeting a couple of months ago, and I was pleasantly surprised, although part of me
was shocked, when someone asked directly, you know, what are you — what are you doing
to stay on top of all of these — all of these data breaches and threats? So I would say
the questions vary. Our shareholders want to make sure that we’re taking the steps necessary
to protect their information. No one likes having to deal with their personal information
having been put on-line, having to enroll a new credit card and go through all of the
effort to transfer over those payments, and so I think people are more cautious, hopefully,
with how and where they use their personal information and their payment card information,
and so they’re asking — they’re asking questions of the companies that they trust this information
with just to make sure that they’re thinking about these sorts of risks.
You know, internally, you know, I think in the corporate side of things it’s been — the
questions I’ve observed over the last two years have been very much what you would expect,
an organization coming up the learning curve rapidly, so they’ve evolved from how serious
is this thing and will it go away to understanding and appreciating it’s probably pretty serious
and it’s not going away. It’s just going to get a lot worse in the future. So what are
the sorts of things that we need to do, what does it mean to accept risk, and how do we
create a facility for doing that. So the questions, I think, on the corporate side are getting
much more sophisticated, as they should, and really what that’s doing is causing internally
stakeholders to — as I always put it, use a different lens, you know? What is the cybersecurity
lens to this new business process or this new product or this new technology? How does
this thing maybe cause us to have to think differently about the cyber risk that comes
along with it. So those are all the right questions to be
asking. The answers aren’t all out there yet, and it has to do with developing a culture
around risk tolerance and risk management. Kim, I don’t know if you want to embellish
on that at all.
>>KIM VANGELDER: I think that you’ve hit
it exactly right, and I think there’s increasingly an understanding that there’s the investment
in technology that needs to be made, but an understanding that technology alone can’t
protect us, and a recognition of the need for educating people, because it’s like living
in a home with a sophisticated security system. If you open the door for the intruder, you’re
going to have issues.
>>JEFFREY WRIGHT: Yes.
>>KIM VANGELDER: So I think there’s a greater appreciation of that among the questions that
we receive as well.
>>LISA CAUDA: Great. Jeff, why don’t we turn
it back to you?
>>JEFFREY WRIGHT: Sure. And if someone could
manipulate the slides for me, I’d appreciate it. But — you know, I’ll pick up where Kim
sort of left us, and, you know, 10 or 15 years ago were kind of lean times for us in information
security. You know, we understood the risks, and those of us, I think, in technology understood
the risks, but reading about a data breach or a cyber-attack was limited to the security
magazines or the trade publications that only we propeller-head technology folks read. It
was hardly an item on the front page of the Wall Street Journal or other popular resources,
and of course now in the last couple years the topic has grown to really frankly dominate
the headlines of virtually every newspaper. I used to measure the amount of time — or
the amount of articles over the course of a year, and again, it would be lucky if we
got one article in a popular print material, and today it seems hard to make it through
a week without being presented information about another large data breach or some sort
of planes dropping out of the sky or cars being launched into orbit because some hacker
in Tunisia found a vulnerability they were able to exploit. So it’s certainly — it’s certainly
— the frequency of these reports has increased dramatically over the past several years.
But as someone who’s responsible for trying to manage the constantly changing threat landscape,
it helps for me to understand, and I think you’ll benefit as well — to understand the
motivations behind the most common attackers or threat actors, as we refer to them.
And there’s essentially four groups of people trying to ruin our Internet party. But maybe
to set some context first, I think it’s important to understand there is, in fact, such a thing
as a good hacker, and these are people that we typically refer to as ethical hackers.
Ethical hackers are actually highly sought after individuals. These folks have extensive
knowledge on both applications and the infrastructure, and by infrastructure I’m referring to the
servers and routers and other hardware that really make the Internet work. But they’re
called upon to perform some very sophisticated testing. They essentially try to emulate or
think like an attacker. They try to find vulnerabilities and break into our systems, primarily so we
can take action before the less than ethical hackers find those vulnerabilities and we
end up on the front page of one of the publications I mentioned a moment ago.
But back to the real bad guys. There’s essentially four different groups of people that we don’t
— we don’t look forward to encountering on a daily basis. The first is hacktivists. It’s
— word, we’ll constantly underline that as a misspelling, but it’s really a label that
we’ve associated with a particular group, and these are the individuals associated with
— you know, with a movement. They’re activists, right? You might recall Occupy Wall Street
or Anonymous campaigns from several years ago, so in addition to the protests over unfair
banking practices, the demonstrators took to the Internet to conduct service attacks
against several large financial institutions and government offices. Before that we were
aware of other organizations. You’ll probably be familiar with PETA or ACT UP. Before I
was at Allstate I worked at a pharmaceutical company and ACT UP was the name of the activist
organization. They actually conducted a denial of service attack against our corporate Web
site during our annual shareholder meeting because they were unhappy with a recent and
rather abrupt increase in the cost of one of our products. So hacktivism is kind of
the norm, given how expensive it is to use the Internet to voice your dissatisfaction
over a variety of issues. What we hear more often about in the newspaper
and on the TV, though, are state sponsored organizations. And these are often much more
sophisticated groups, and we don’t have to go too far back in time here to see examples
of the types of attacks that have been attributed to foreign governments attacking one another
using computers instead of bullets. So Kim mentioned the OPM breach. Right after that
was the State Department breach, or at least in close proximity. And likely several of
the large health insurance companies that have been in the news lately are often attributed
back to nation-state-sponsored activity. You know, it’s interesting, though, I would
point out that as much as we complain about being the victims of these sorts of attacks,
the U.S. government actually engages in a fair amount of offensive action. So you all
I’m sure are familiar with the Ed Snowden debacle which exposed a broad-based phone
tapping scheme, the intelligence agencies were collecting information on a lot of people,
and a lot of people’s data that was traversing our networks, but it also led to the discovery
or disclosure of the government’s role and essentially hacking sensitive communication
facilities for foreign diplomats. And so it goes both ways, and recently there’s been
a lot of discussion between the current office, the current administration and China as to
how do we begin to get our arms around this and maybe de-escalate things and establish
some rules of the road, so to speak, before things get out of hand.
The objective of nation-state attackers is multifaceted. They’re interested in everything
from economic espionage, so that would be stealing your proprietary data, company data,
all the way on the other extreme to cyber warfare. So we — many of us probably have
heard frequently about the power grid being at risk for a cyber-attack, and so these sorts
of things are almost always attributed to nation-states.
The third group that I have sort of categorized is organized crime. They also make headlines,
although it’s not often that these attacks get directly attributed back to organized
crime rings. You probably haven’t heard of the Russian Business Network. It’s one of
the more prominent organized crime outfits out there that operates quite a bit in cyber
space. So in the case of organized crime their objective is often, I characterize it as personal
financial gain. So this is where assets are being stolen, often resold for a profit.
Clearly many of the credit card breaches may well be attributed back to organized crime.
We all know about the Target attack. Millions of credit card numbers were stolen and entire
markets were created on-line where you could actually purchase hundreds of credit card
numbers at a time. Consequently the relative value of credit card data fell off abruptly.
So it used to be that you’d buy a — making this up but an American Express gold card,
and that card number would cost you somewhere in the neighborhood of 45 to $50. Today valid
credit card numbers can be purchased for as little as $10. And here’s the thing. It actually
comes, many of these organizations (no audio).
>>LISA CAUDA: Jeff, did we lose you? Sounds
like we have lost connection with Jeff.
>>JEFFREY WRIGHT: I’m back.
>>LISA CAUDA: Are you back?
>>JEFFREY WRIGHT: I’ve lost the air waves
there.
>>LISA CAUDA: Okay. (Laughter) Maybe you
were cyber attacked (laughter).
>>JEFFREY WRIGHT: Yeah, sorry, Apple was
under cyber-attack here. What I was saying — I don’t want to go back too far, but in
the Target attack there are millions of credit card numbers that were stolen and there were
markets created on-line. You could buy hundreds of credit card numbers at a time, and so what
we saw was the relative value of that credit card data fell off abruptly. You can buy platinum
card numbers for as little as $10 and they offer a money-back guarantee. So if that card
doesn’t work they’ll refund you the money or they’ll get you two new numbers.
Interestingly it’s not uncommon to see nation-states teaming up with organized crime, right, those
two threat actors teaming up, to leverage specialized skill sets or assets that one
group may have and another may need, and that certainly presents some challenges in the
world of defending — identifying your attackers and defending against them.
And the fourth group, and that’s really recently, a more recent twist on things, are the cyber
terrorists. So ISIS, as we all know, ISIS and their motivations, they have actually
done a phenomenal job of making use of the Internet to recruit — not just to recruit
new members, but to actually embark upon some fairly — not a (inaudible) sophisticated
but some fairly sophisticated attacks to further their agenda. So this whole notion of cyber
terrorists leveraging the Internet is becoming more and more a reality as the days go on
here. If we could flip to slide 8, please. I think
it’s also helpful to talk about the tools of the trade or how some of these groups go
about carrying out their work. And there’s an important difference between what we read
about is happening, so a denial of service or a Web site defacement, and how these attacks
are actually being carried out. I often get asked, how are these attacks happening?
How do they get in? Do we need stronger controls on our Web service, more expensive or stronger
firewalls, and etcetera. It’s interesting, the answer is that in better than 85% of the
cases the initial attack vector these are carried out through is email. All right?
And so there are some simple things, I think, that we can do, and it has to do with just
some basic awareness and using our technology differently that will — that will protect
— that will add immense layers of protection, and we emphasize here at Allstate the end
user awareness training and just that simple transfer of knowledge and the benefit that
we reap from that is manifold. So beyond the common Web site defacements
and the denial of services, there’s some malware. We probably all heard of viruses and malware,
command and control. I want to explain to you what we run into on the corporate side
of things that some of the banks often ran into with these denial of service attacks.
Malware refers to malicious software, so it’s software that someone may send you. An email
with a Word document or an Adobe document, in addition to giving you the information
inside that document, it actually is capable of installing a very small amount of code
on your system that then gives an attacker the ability to do a variety of things. They
can see what you’re typing, they can take control of your computer, and they can copy
information off of your hard drive. That’s what we refer to as command and control. And
it was with these massive denial of service attacks where this malicious software was
being used to actually take your home computer and my home computer and tens of thousands
of other home computers and cause them to load the Web page of a particular financial
institution. And being able to do that, to be able to create that sudden and abrupt amount
of volume and direct it all at a particular Web site often overwhelms the Web server’s
ability to keep up with it and results in what we call a distributed denial of service
attack, and again, those are brought on in part by malware, often at the fingertips of
these hacktivists that are trying to make a point around unfair banking practices or
some other item that they disagree with. Beyond that you may have heard of viruses
and crypto virus — you know, viruses have been around since the ’80s with the ILOVEYOU
virus, and Fox News inevitably finds some very marketable name to label these things
with. Earlier this year was the Heartbleed logo that took over the news waves for about
a week or so. They were sure the Internet was going to end with this particular bug
that affected the security software that runs on a lot of Web servers, but cryptoware is
another very common piece of malware that we encounter.
I was talking to my brother a couple of weeks ago and he gets a call from Microsoft and
they say that they’ve seen his computer attacking their computer and they need to come in and
remotely clean his computer. He didn’t do anything, luckily, but what they’re doing
is they’re getting you to come visit a Web site where they can download, again, some
more code on your computer that encrypts all of your data so that they can turn around
and then extort, you know, money out of you to decrypt it, usually anywhere from 250 to
$400. And I’ve spoken to folks that have done this, and they — they paid the money and
they don’t get the — they don’t get their data back. So simple things like backing up
your information on a regular basis can be very beneficial when you — when you’re faced
with dealing with an encrypted hard drive. And the last one that I want to make note
of is something called credential scraping. Credential scraping can happen in a variety
of places, but I think it’s important to bring it up here because it was credential scraping
that was — that brought about a lot of these massive credit card breaches earlier in the
year, the Target one that we mentioned, Home Depot was another one. Again, malicious software
in this case being deposited on point of sale devices, those devices where you scan your
credit card. And they were scraping not necessarily credentials, but all of that information off
the magnetic strip from the back of your card, it was scraping that and depositing it on a command
and control server somewhere out on the Internet. So hopefully — hopefully some
of these potentially foreign terms maybe are starting to come together. You’re seeing the
connection between the threat actor and what their motivation and intents are, and how
they then leverage tools to manipulate some of the technology that you and I probably
use on a very frequent basis. But there’s been a lot in the last two slides
here, so I’ll pause there and just see if there are any questions coming out of slide
7 and 8.
>>LISA CAUDA: Thanks, Jeff. We have a question.
Are we at greater risk of hacking from U.S. persons or from foreign entities?
>>JEFFREY WRIGHT: That’s a great question. Ironically, if you look at where the majority
of the attacks are coming from at your average organization, you know, I won’t name any specific
organizations, in fact, there are Web sites out there that try to correlate and present
this data for you. Most attacks are coming from the United States. So I think that’s
an interesting data point. You know, we certainly read in the news about certainly countries,
and it’s not just China, it’s — you know, it’s Estonia, it’s Latvia. There are a lot
of companies outside of the U.S. that are perpetrating very damaging and very sophisticated
attacks, but the majority of the attacks that folks see on a regular basis, on a routine
basis, the biggest volume of those are coming from the United States, and they are often
targeting U.S.-based interests.
>>KIM VANGELDER: Jeff, it’s Kim. Should we
go over the results of the first two polling questions and I know there was another one
we were thinking of putting up on phishing.
>>JEFFREY WRIGHT: I’m sorry, I may have given
away one of the –
>>KIM VANGELDER: No, I don’t think you did.
(Laughter)
>>LISA CAUDA: On your screen you’ll see questions
1 and 2 and the results from the group. The majority of security breaches take minutes,
hours or days. What’s the right answer, Jeff?
>>JEFFREY WRIGHT: The majority of security
breaches take minutes to perpetrate.
>>LISA CAUDA: Our group thought correctly.
And the average time to discover a security breach is days, weeks or months.
>>JEFFREY WRIGHT: It is easily months and in some cases it has been as long as four
years for a company to realize that they’ve been compromised.
>>LISA CAUDA: That’s a significant amount of time, and it could probably do a lot of
damage, I would suspect.
>>JEFFREY WRIGHT: Yeah, and I would point
out that in many cases it is someone outside the company, so it is some organization or
some third party that is coming and knocking on your door, and it’s not always or often
the government, but someone presents information to you telling you that you’ve been compromised.
So it’s not that frequent that you’re able to identify the breach internally, unfortunately.
>>LISA CAUDA: Okay. Thank you. Would you like to move to the next phone question or
move on?
>>JEFFREY WRIGHT: Let’s I think pull up the
next slide, and we can launch the next polling question here as well.
>>LISA CAUDA: Great. We’ll have a question on the screen in just a moment. What percent
of people click on a phishing email within the first hour? We have one minute for everyone
to submit their response and hit the button “submit.” They’re coming through. Do you want
to continue from here, Jeff?
>>JEFFREY WRIGHT: Yeah. So what you’re looking
at here, it’s an interesting, although I think it’s one that the Department of Homeland Security
has been using. I’ll tell you, we shamelessly stole it and we use it at Allstate as well.
There’s a couple of messages on here. Stop, drop and roll. Look both ways before crossing.
And stop, think and connect. Hopefully — hopefully everyone recognizes the first two. It’s been
something that’s been ingrained into us since we were knee high to a grasshopper, right?
Right? If you’re on fire, stop, drop and roll. If you’re about to cross a busy intersection,
look both ways. I’ll add — I’ll add one other. For those of us that travel a lot, the TSA
I think pipes in, at least through O’Hare’s hallways, if you see something say something,
right? You can pick any one of those things. We’ve landed on stop, think, and connect as
a way to sort of drill it into people’s heads. Kim mentioned earlier the technology that
we used to combat cyber-attacks is in my mind the tip of the iceberg. You can only have
so many firewalls and so much encryption in all of this. At the end of the day the bulk
of our controls, what we rely on day in and day out is often good decision-making by our
— you know, our — our colleagues, our coworkers, our kids in the house that are keen to download
virtually every game that they can get their hands on or click on anything that’s presented
in front of them when they’re working on the computer. So stop, think and then connect
is a mantra that we use around here. Slow down and stop. Think about what — what is
being presented to you. It may be that you’re contemplating sending some information out
from your company and that information may be proprietary or trade secret. It may have
customer information, it may have payment card information on it. You may be thinking
you’re getting an awesome deal on a hover board, you know? And it can’t possibly be
this cheap. So, you know, stop, think about the site that you’re at, the information that
you’re about to send and how you’re going to send it, and then connect the dots. We
talked earlier about the different motivations and the different reasons why people are targeting
our companies and our data. Who are they? What do they want? And how could they possibly
benefit from what you’re about to send out or the link you’re about to click on, or the
action you’re about to take? So again, it’s a graphic. I believe it’s one
that the Department of Homeland Security has advocated. Stop, drop and roll hopefully works
if you’re running around on fire. We’re hoping that folks will stop and think before connecting
or moving on or taking that next — that next action.
So I just wanted to share that with you while we — while we thought about our polling question
there. So do we have the results back? Is our polling question –?
>>LISA CAUDA: We’re putting them up now. What percent of people click on a phishing
–?
>>JEFFREY WRIGHT: Let me see.
>>LISA CAUDA: And this okay out largely at 50%, but pretty split then at 25% to 75%,
and the correct answer is –
>>JEFFREY WRIGHT: So often 75% of the breaches,
if we want to refer to them like that, are a result of human error. So that could be
— I’ll explain human error a little bit. Human error can range from a system administrator
putting a bad configuration on a Web server, or to something that we just finished talking
about, right, sending a file containing all of your customer data to a partner, but doing
it over email where it was insecure, and maybe you mistyped that email address and it landed,
you know, with the wrong recipient. All of those sorts of things get chalked up to human
error, and they account for over 75% of — of the breaches that we — that we have to deal
with.
>>KIM VANGELDER: And Jeff, maybe just one
other point while this slide is up. That address that’s on here, the stopthinkconnect.org is
a site folks can go to learn more about this. As Jeff mentioned, it was a site put up by
a coalition of different folks to try to help have a common message across public and private
sectors and help people understand the risks. So we found it to be an excellent resource
as well. We’ve pulled out some of the information from the next couple of slides from that material,
but there’s really a rich set of material that we wanted to make sure we left you with
that, that awareness, so you can use it in an ongoing fashion and it’s well kept up-to-date.
>>JEFFREY WRIGHT: Yes.
>>LISA CAUDA: If we can move to the next
slide I think there’s some really great details in here for you to share.
>>JEFFREY WRIGHT: Yeah, and so I don’t want to take more time than we probably have to
go through each of these, but I mentioned earlier, you know, Kim mentioned earlier in
the opening, there are simple things that we can do to be better stewards of not just
our customer — our corporate data but also our home data, and those behaviors, those
learned behaviors that we’ve created over decades of dealing with non-digital things,
we can begin to correct those and adopt — just with some simple steps, and they start at
a very high level. You know, keep a clean machine. It kind of goes without saying now,
keep your software up-to-date. Microsoft, Apple, you know, I’m trying to think of some
of the big ones, Adobe, they all provide frequently security patches, and just patches to their
systems in general. Those patches are designed to do two things. One is just to keep your
system running smoothly, which I’m sure we all desire, but also to protect your system
and your data from a lot of these attacks. And so just enabling those automatic updates,
keeping your security software up-to-date can go an awful long way to protecting your
data and your systems both at home and at work.
Also, you know, protecting devices that connect to the Internet, and by that I mean we all
have home routers now, we connect to Wi-Fi, hot spots. Many of the devices we use, your
PCs and some of the hand-held devices also offer firewalls or the ability to secure those
networks with passwords. All very simple things that are at your fingertips, things that you
can do to secure your system and your network and prevent misuse of either your data off
your systems. You can flip to the next slide. Protecting
your personal information. I mentioned earlier one of the shareholders at a recent meeting
just asked a very general question. (Inaudible) yourself an insurance company, the same holds
true for a banker, a medical facility. We give an awful lot of our data to an awful
lot of people, and an awful lot of organizations ask us for information on-line. So if you
stop and you think about it, you know, is sharing that information entirely necessary?
You know, do you have a strong account password on your bank Web site portal or on your benefits
administration page? You know, a lot of Web sites now give you an easy tool to gauge the
strength of your password, red, yellow or green, or 9 out of 10 or something like that.
But consider just, you know, using capital and lower case letters and mix in a number
or a symbol, makes your password infinitely more secure than, you know, poodle or your
son or daughter’s first name. Another one I’ll point out here on this slide,
and then maybe we’ll — we’ll move on to the next, is — and you’re not going to want to
hear this (chuckle) but, you know, using unique accounts and passwords. You don’t have to
go overboard with this. What I tell everybody that I work with and people that ask me about
email and account security, I have a couple email addresses. I have my work email address
but I have a Hotmail address and I have a Gmail address. I give my Hotmail address out
at the drop of a hat. If I have to register for a product or I have to enroll in something
on-line, that’s what I use my Hotmail account for. My Gmail account is what I use to correspond
with individuals and with people that I want to maintain a relationship with. The reason
you do that is because you know and you’ve seen that the minute you provide that email
address to a third party, it gets sold about ten times in the first two weeks, and before
you know it you’re getting email from organizations that want to sell you things that you didn’t
even know existed. So if you think about how you operate, you
know, how you run your business or your life, there’s an opportunity, I think, to not go
overboard but to be thoughtful about what information you share with whom, and where
that information may end up a day, a week or a month from now.
>>LISA CAUDA: Jeff, may I stop here for a question from our participant?
JoAnn asked, do you recommend a password manager?
>>JEFFREY WRIGHT: I do. I recommend them.
I use one personally. I don’t advocate for them, and we don’t use them internally within
the corporate setting. There are much more sophisticated techniques that we use to minimize
the number of passwords that we ask our associates to remember, but I do use passwords — password
managers. But I will tell you, there are passwords and accounts that I do not put in there.
>>LISA CAUDA: Great. Thank you.
>>JEFFREY WRIGHT: Yeah.
>>LISA CAUDA: We have one –
>>JEFFREY WRIGHT: Go ahead.
>>LISA CAUDA: We have one more slide and then we’re getting ready to close.
>>JEFFREY WRIGHT: Yeah. So last slide, just some simple — again, some simple thoughts
here. Connect with care, right? When in doubt, throw it out. A quick example I’ve used in
the past, my in-laws, they — I get them all set up with their computer, and then the next
time I was over there they — you know, some virus and dozens of viruses, usually. It wasn’t
just one or two, but I’d end up having to be the computer fix-it guy on nearly an every
other week basis. And it wasn’t until I was there for one of the holidays and I noticed
my mother-in-law going through her mail, her postal mail, and she’s the type of person
that opens every single envelope from every credit card company that’s out there, reads
it, complains about getting the junk mail, and then tears it up and throws it away. And
she carries that behavior over, and many of us do, into our digital experience.
And so unfortunately opening email and clicking on the links that say click here to unsubscribe
or exploring the Web links of the attachments that are in there, are often, go back to better
than 85% of these attacks originate through email. These links are often malicious. They
are often the bad guys, we refer — it’s how the bad guys get that software on to our computers
that then give them the ability to do command and control. So when in doubt throw it out.
If you don’t recognize the individual, if you’re not interested in the product, stop
right there and throw it out. You know, just savvy about Wi-Fi hot spots.
I mentioned just a minute ago, just be thoughtful about the type of business that you conduct
on open Wi-Fi networks. It may be that they’re being monitored, or it could be that there
are people on that same network that are taking advantage of people that connect to the Wi-Fi
hot spot to try to intercept that traffic. And then protect your dollars, right? Think
about where you’re using your on-line payments. Make sure that you’re looking for the https.
The S is for security or for secure socket layer. If it doesn’t have the S it’s not secure.
Don’t put your payment card in there, don’t put your debit card in there if it’s just
the conventional http site. And a lot of our Web browsers have gotten a lot better recently.
They’ll turn a site green if it’s secure, they’ll turn it red and pop up big warnings
if it’s not secure and they see that you’re being asked for your credit card information.
So technology is catching up, like I said, but it really comes down to our individual
ability to understand and be aware of what’s going on around us.
And so from here I think I’ll turn it back to Kim to take us home.
>>KIM VANGELDER: Yeah, thank you. And just a note relative to RIT’s role, because we
as alums can be proud of the role that RIT takes as it relates to cybersecurity, because
not only is our (inaudible) college home to the nation’s first undergraduate programs
in software engineering and information technology, but the Golisano College was also the first
in the nation to establish a department of computer security in 2012, so that’s a very
unique and impressive accomplishment. We placed top 3 in the National Collegiate Cyber Defense
Competition for the past three years, and during this year’s competition ten of the
best student teams in the nation worked to fend off cyber-attacks from a team of industry
professionals. And the challenge this year was for student teams to defend against an
attack to shut down the U.S. electric grid, which is the scenario we referenced earlier
in this discussion, and so students were hired as a replacement IT team to understand what
the threat was, could they detect the threat, respond to it, maintain the services such
as email and violates services for their company, and they had to manage the devices at the
same time that ran on the grid. So our team finishing in third place on that is really
an impressive accomplishment. And in RIT we also participate in the National
Science Foundation Cyber Corps scholarships for service because there’s a national shortage
of computer service individuals, and both the industry and government is facing this.
So this program is designed to increase the number of people who work for the federal
government in these critical IT security roles, and the program provides scholarships to students,
funded through grants from the NSF, and students work after graduation for the government for
the number of years they received the scholarship. I was on campus last month and heard from
one of the Cyber Corps scholarship recipients, and he was talking about the work he did on
drone security, analyzing vulnerability, Open Source project, really some impressive work
from some impressive students. So with that we’d like to, Lisa, turn it back
to you.
>>LISA CAUDA: Great. Thanks, Kim. So we’ve
expended our time for Q&A but we’ll send directly to you for comments. Additional questions
can be emailed to [email protected] or tweeted to @RIT_alumni with the hashtag #meRIT Webinars
and we will direct your questions to our experts. Know all participants will receive an email
from us in the next few days with a link to today’s Webinar recording. Many thanks to Kim
and Jeff for being our distinguished speakers today, and thank you to all our listeners
for joining us for today’s Webinar. Our next Webinar is on November 11 on taxation
and charitable giving. With 2015 rapidly coming to a close, now is the time to think about
your year-end charitable giving and the various implications on your 2015 tax preparation.
Please check your email inbox for an invitation to this next meRIT Webinar event. Thank you
again to all for joining us today. Please exit this Webinar by simply closing your WebEx
window and please do let us know what you thought of the Webinar through a brief survey,
which will pop up when you exit. And have a great day!