Cybersecurity Threatscape

Quick Information Security Tips for Businesses and Individuals

Joshua S. Moulin
ACE,CAWFE,CCENT,CEECS,CEH,CFCE,CHFI,DFCP,GCFA,GSEC

Background
2+ years in federal cybersecurity for agency focusing on national security
18 years of public safety experience, 11 years were in law enforcement
(patrol, detectives, sergeant, lieutenant)
The last 7 years in law enforcement were spent as the commander of a
Cyber Crimes Task Force. Sworn in by both the FBI and the US Marshals
Service
Handled hundreds of investigations and forensic cases including murder,
terrorism, cybercrime, hacking, child pornography, extortion, human
trafficking, intellectual property, fraud, misconduct, etc. and performed
thousands of forensic examinations
Have been qualified as an expert witness in state and federal court
Multiple certifications in law enforcement, cybersecurity, and forensics
Graduated Summa Cum Laude with a bachelors degree and will graduate
with a Master of Science Information Security and Assurance in November
of 2014
Adjunct Instructor for college teaching computer security

Prevention is ideal, but detection is a must.

The Adversaries are Real

Source: Mandiant M-Trends 2012

InfoSec for you and your Business

Passwords and multifactor authentication

Encryption of data and devices
Enforced policies and procedures (especially an AUP)
Disaster Recovery and Continuity Plans
Employee Training and Awareness
Social Engineering Attacks and Recon
Wireless Networking
Least Privileged Access
Endpoint Security, Patching, and Security Controls
Security costsyou can pay now, or you can pay later
but if you pay later, you always pay more.

Passwords and Multifactor Authentication

Want at least two factor
authentication (2FA):
Something you have
Something you know
Something you are

Website to locate
compatibles sites:
https://twofactorauth.org/

Passwords and Multifactor Authentication

Strong passwords should include uppercase,
lowercase, numbers, and special characters
Password attacks are extremely common
(Brute force, dictionary, or hybrid)
Simple passwords can be cracked in seconds
Consider a password management tool (e.g.,
KeyPass, LastPass, etc.)
Consider passphrases
Never reuse passwords

Encryption

Encryption should be mandatory on all portable

devices (tablets, phones, laptops, USB devices, etc.)
Encryption should also be used to transmit sensitive
data via email (especially PII and IP)
Many free and inexpensive encryption programs
available

Policies and Procedures

Policies are a must, especially if you are in any
type of regulated business (HIPAA, SOX, GLBA,
PCI-DSS,etc.)
Polices are only good if they are enforced
If nothing else, have a well written Acceptable
Use Policy (AUP) and have all employees sign
it (preferably annually)
The AUP should discuss several items,
particularly that there is no expectation of
privacy on the business network

Disaster Recovery / Continuity

93% of companies that lost their data for 10
days or more filed for bankruptcy within one
year
50% of companies that lost their data for 10
days or more filed for bankruptcy immediately
Every week 140,000 hard drives crash in the
United States
Have a backup plan for home and work
Consider offsite backup solutions as well and
geographic location is important
http://www.concertonetworks.com/files/DriveSavers_Industry%20Facts_Stats.pdf

Employee Awareness Training

The most common security violations
include:
Failing to encrypt data and devices
Clicking on links within phishing email
messages
Downloading unauthorized software
(p2p, malware)
Misuse of company IT assets
Plugging in unauthorized devices such
as USB devices or home computers to
company assets

Social Engineering Attacks & Recon

Phishing, Vishing, Smishing, Spear Phishing,
Whaling, pharmingthe list goes on and on
Be aware of what is on the Internet about you
and your company (OPSEC)
Social engineering also includes dumpster
diving, tailgating, diversion, etc.

Wireless Networking
NEVER use public open Wi-Fi access points for
anything sensitive (or maybe at all)
If accessing work, make sure you use a Virtual Private
Network (VPN) solution
SMS messages sent over Wi-Fi are all plaintext
At home take the following precautions on your
wireless router:

Dont broadcast the SSID

Change the default username/password for the router
Enable WPA2 encryption (Not WEP)
Use MAC address filtering

Least Privileged Access

Usually a culture change and

not popular (but absolutely
essential)
Limit who has administrative
privileges
No one should ever use an
admin account for their day-today work
Admin account should never be
used to check email or surf the
Internet

Endpoint Security, Patching & Security

Controls
Endpoint Security is essential on everything
including mobile devices
Have up to date anti-malware software
Use host firewalls
Keep operating system and third-party
software patched from security vulnerabilities
Make sure your business network is secure
and you have an incident response plan

The Life Cycle of a Cyber-attack

Source: Mandiant M-Trends 2012

Questions?
Email: Josh@JoshMoulin.com
@JoshMoulin
https://www.linkedin.com/in/joshmoulin