Cyber Self-Defense | Paul Carugati | TEDxSpokane

Captions
Only 50% of all cyberattacks are successful. 50%: that doesn't sound like a very lucrative campaign, does it? When I was in grade school, admittedly I was not a very good student, academically speaking anyway. As such, I had to become intimately familiar with the grading scale, so I'd know exactly what score I'd need to get to pass a test. Sometimes this worked; aiming for just above that demarcation between failing and passing was enough for me to secure success. In my school the failure mark was 69%, so we'd all agree that, according to the standards codified by my junior high, an attack campaign receiving a 50% victim rate would by all accounts be considered a failure, right? Wrong. Because it takes one person to fall victim to a modern cyberattack in order for it to be considered a success.

Once they've gained access, attackers will install malware on the victim's computer and then advance their position, or pivot and move laterally, morphing their code to evade detection, and then finally, once they have their trove, they will exfiltrate and disappear into the ether, then plan their next campaign: infect, pillage, rinse and repeat. Recent data breach studies have shown that not only do up to 50% of all attack targets fall victim, but they do so within the first hour of the attack.

Three months ago the Ashley Madison breach exposed their entire customer database, resulting in the compromise and publication of up to 32 million email addresses, passwords and credit card numbers. Incidents like this are no longer the exception; they're becoming an almost everyday occurrence. We see names in the headlines like Sony, Target, Anthem Blue Cross Blue Shield, Home Depot, JPMorgan Chase, even the federal government. The estimated cost of the average data breach rose to $3.79 million in 2015, which represents 23% growth over the past two years alone. Does that not sound like a fantastic investment opportunity, if only this were a legitimate business? At the source of these attacks is a diverse group of intelligent adversaries, ranging from hacktivists like Anonymous to crime syndicates, even nation-states, and really their motives couldn't be simpler: in the postmodern digital age of information and social media, what they want is your data.

Now I know what you're probably all saying: "Yeah, yeah, we know all this already, right? Malware is bad and the Internet is dangerous, but I've got antivirus software running on my home computer, I've even got a firewall on my home network, so I'm good, right?" Well, I'm sorry to say that those niceties just are not as effective as they once were. The days of set-it-and-forget-it security controls are a thing of the past.

Fifteen years ago, the hacker stereotype was analogous to the twenty-something pimple-faced underachiever living in his parents' basement and playing video games, exploiting software vulnerabilities in his spare time. The motive there was fun and the reward was bragging rights. These were mostly just smash-and-grab jobs. Remember the ILOVEYOU worm or the Melissa virus from the turn of the century? Those attacks were slow to develop, difficult to achieve and mostly easy to detect, and while they still caused some damage, they were mostly just considered an annoyance. In this world, tools like antivirus software and port-based firewalls could still help protect you. But the threat landscape is changing. Zero-day vulnerabilities and brute-force hacking are still active, but they're no longer as prevalent; they've been displaced by a cheaper, more effective style of attack, one that's successful about 50% of the time, and those odds are pretty great. Humans. Humans are the new attack vector. It's no longer just computers or our apps; the target and motives have shifted to you and to yours. This is true for personal and business information, for employees and employers alike. No noun is safe. Why is cybersecurity such a big deal today? Because the attacks are global in nature, and they're increasing in frequency and severity. We are most definitely at war, and the Internet is our battlefield.

The next question really is: how can we arm ourselves? Now, I'm not trying to make you paranoid, but you really should be. Listen, this is a real problem, but there's a simple solution. We can't just rely on building better tools, like a better firewall, because they'll be obsolete by the time the bad guys have changed their method. Speaking as a security professional for over a decade, I can tell you that relying on tools alone is a losing battle. Unlike fighting vampires, there's no silver bullet here. So just like in the days of yore, it's the layered defense model that is the most effective to protect our critical assets from being pillaged. Next-generation security software, application-aware firewalls, big data analytics: these are all a great start, but towering above all the tools, policies and politics is education. That's right: training, awareness, education. It's the only path forward to holistically protect ourselves against these very dynamic threats. And just like we would discipline the mind and train the body to protect ourselves against physical threats, we need to do the same for cyber threats against our data and our information, really our well-being.

This is why I believe that cyber self-defense is going to become an in-demand and necessary skill for tomorrow's professional, an asset that employers will seek in the future workforce as evidence of a conscientious and caring individual who understands the value of protecting information and business intelligence. As the cost and impact of data breaches continue to increase, companies are drastically investing in holistic security programs and defensive tools and employee education to help reduce their exposure. So if you can demonstrate an acute awareness and aptitude in how to identify these types of attacks, you'll reduce the risk to your employer. Moreover, practicing cyber self-defense is just as relevant at home as it is in the workplace. After all, our digital personas are mostly online, and they deserve to be safeguarded. As long as there's technology, there will be those who use it for good and for evil, and so we need to ingrain the thought of security and protection into every decision. We need to learn cyber self-defense strategy and practice cyber self-defense tactics, using common sense derived from the physical world applied to our digital communications and interactions.

The first step in any form of self-defense is to know your assailant and their methods of attack, so let's spend a few minutes going over what is certainly the most prevalent type of cyberattack today: social engineering. Social engineering is the modus operandi of modern hackers. Now, you're probably already familiar with these types of cons; they focus on gaining your trust using opaque pieces of information which on the surface may seem legitimate. Sometimes the hackers will perform reconnaissance so that their story will be more personally relevant; other times, though, the theme will be generalized. Whatever form it might take, the trick here is to get you to do something, because you have what they want.

The first social engineering attack in the hacker's quiver is called phishing. Now, this is the one to watch, because it is definitely the most widespread and the most successful. In fact, you've all probably come across a phishing email in your personal or business inbox already. Phishing is a fraudulent message which, like spam, is unwanted or unsolicited, but instead of trying to sell you something, the attacker here is trying to get you to take some sort of action, because they're trying to install malware on your computer. Hackers will send thousands of these messages as bait to lure their prey, hoping for just one victim to fall for their trap. Here's a real-world example of a well-known phishing email. This one originates circa 2007, but it's actually still circulating in the wild. There are usually obvious warning signs to any phishing message, if you know what to look for and are keen to find them, so let's review some of the telltale signs of this phish. One, the branding of the message is made to look and feel legitimate, but this is not the real FedEx logo; it's a cheap mock-up. Two, the sending address is not really coming from FedEx, although with a quick glance you might not even notice that. And three, the body of the message uses poor language and bad grammar, which would never be the case if this was really coming from FedEx. Use your experience about the subject matter to question the reality: am I expecting a package? Did I order something to be delivered from FedEx? Is that even a real FedEx tracking number? No, it's not. And this attachment here is malicious.

Malware, or malicious software, gives an attacker an open path on your computer, allowing them to do just about anything they want. Using malware, they can install a keystroke logging program to record your password or credit card number as you type it in to that ever-so-secure website. They can capture screenshots of your monitor display in real time. They can turn on your webcam and watch you remotely from halfway across the world in picture-perfect high definition. Or they can turn your computer into a zombie node as part of a larger botnet and use it to launch a distributed denial-of-service attack against another internet-connected system; in other words, they can use your computer as a weapon to engage in cyber warfare. They can do all of these things and you would never even know what's happening.

In the same family as phishing is another attack called credential harvesting. It starts the same way, using a phishing email to bait its victim. In this example the message is personally relevant and the sender is completely legitimate. The action here is to follow the link to the referenced document. Now, we've all done this before: click the link, see a familiar login screen, second nature for us to enter our username and password. Let's take a look at this thing again, though. It's a strangely worded message from a friend, although I wasn't expecting them to send me anything, so I'm not exactly sure what this is. If I take my mouse and hover over the link, I can reveal the true destination, and although that kind of looks like it's going to Google, it's really not. This is a fake landing page made to look and feel like the actual Google account sign-in. Once I enter my username and password here, the attacker now has it and can log in as me, which they'll use to download all the data in my online cloud storage account, or log into my email and send another thousand of these phishing messages to my entire address book, or they'll just take my username and password and sell it on the black market to the highest bidder. Credential harvesting is platform agnostic; this is equal opportunity for Windows and Mac users alike. If you give up your password, all bets are off.

This last example is a timeless classic with a simple twist. It's called phone phishing. In this scenario the attackers actually have the gall to talk with you on the phone and compel you into installing malware. They'll claim to be from some well-known tech company, citing trouble with your computer, trouble which they'll happily be able to solve for you if you just install this simple remote troubleshooting program for them. You guessed it: it's malware.

So now that we've seen some of the most prevalent types of cyberattack today, let's go over a few rules on how we can defend ourselves against them. I call them the cyber self-defense tactics.

Number one: stop clicking. We've just seen how dangerous cyberspace is, and so we all need to stop clicking on every file attachment and phrase that is blue and underlined. Remember, 50% of all attack targets fall victim by clicking on that phishing link within the first hour of the attack. Take a second, reflect on the telltale signs of how to spot an attack, and think about how your actions are going to affect your employer, your family or you.

Number two: seriously, stop clicking. I just can't overemphasize this point enough, which is why it's here twice. We all need to make a pact collectively today to stop clicking on everything we see. Just practicing this tactic alone is going to go a long way to prevent us from falling victim.

Number three: use strong passwords. For the past two decades we've all been trained to believe that the best passwords are complicated and hard to remember. This is simply no longer the case, as both computers and attackers have gotten better at cracking them. In the case of the Ashley Madison breach, those 32 million passwords that were exposed were all encrypted, but if my password there was short or using common dictionary phrases, it would be trivial for an attacker to crack. In actuality, it's better to use a long passphrase with words that are personally relevant to you, so that you can recall them more easily. Length is superior to complexity. The passphrase here on the right is much more difficult to crack than the password on the left.

Number four: don't reuse your passwords. We've got to stop using the same single password across all of our different accounts. Of course hackers know this, so they know that if they get one of your passwords, it's going to get them in everywhere. To help get around this, use free password management software online; a few examples are LastPass and Dashlane, so that you can manage multiple passwords against multiple different accounts with ease.

Number five: oops, sorry. You know what, playing the long game, passwords are a losing battle. Any single layer of protection is going to fail eventually. Just like in the layered defense model, it's multiple defenses that we need to use for lasting protection. Two-factor authentication works similarly, and it's something you're already familiar with. Think about how you withdraw cash from an ATM: you need your PIN and your card, something you know and something you have. One or the other is just not good enough. Similarly, two-factor authentication using your online account works the same: you start with your password, but you'll also use a one-time passcode delivered to you out-of-band, usually via text message or email, a phone call, even a smartphone app. This is the future of adequate security controls. Best of all, all the major tech companies provide this service for you today, completely free of charge: Google, Yahoo, Microsoft, Amazon, even Facebook.

Number six: stay current with your security tools and computer software patches. Believe it or not, these tools still do add value, provided that you keep them running and up to date. Remember, reduce your attack surface and you will reduce your exposure. Be sure you've configured Windows Update to run frequently and automatically.

And then finally, the golden rule of cyber self-defense, taken directly from President Reagan himself. We are all social creatures and we want to see the good in everyone; this is a fundamental tenet of what makes us human. We know there are those out there who will cause us harm, so in order to ensure our security we need to continue to trust, but it doesn't hurt to verify also.

And there you have it: cyber self-defense, next-generation skills to help protect and safeguard your information in the digital world. Protect yourself and your company. Give yourself an edge above the rest of the competition by showing that you know how to identify these types of attacks and how not to fall victim to them. A little knowledge goes a long way. Stay safe out there. Thanks for listening.
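The telltale signs the talk walks through (a sending address that is not the brand it claims, a link whose visible text does not match where hovering shows it really goes, and a malicious attachment) can be checked mechanically. The example below is added for this page and is not from the talk; the message it inspects is constructed, the domain names in it are made up, and the extension list and the regex link extraction are simplifications chosen here.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm")   # common malware carriers
# Good enough for a constructed sample; real mail needs a proper HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

def host_of(s):
    """Hostname of a URL, or of a bare domain written as link text."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def phishing_signs(raw, brand_domain):
    """Telltale signs in a raw RFC 822 message that claims to be from brand_domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    signs = []
    sender = msg["From"].addresses[0].domain.lower()        # the real sending domain
    if not under(sender, brand_domain):
        signs.append(f"sender {sender} is not {brand_domain}")
    html = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(html.get_content() if html else ""):
        shown, real = host_of(text.strip()), host_of(href)  # what you see vs. hover
        if shown and not under(real, shown):
            signs.append(f"link shows {shown} but goes to {real}")
    for part in msg.iter_attachments():                     # the attachment check
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            signs.append(f"risky attachment {name}")
    return signs

def sample_message():
    """Constructed look-alike of the FedEx-style phish and the fake Google
    sign-in link the talk describes (not a real message)."""
    m = EmailMessage()
    m["From"] = "FedEx Tracking <notice@fedex-parcel-update.example>"
    m["Subject"] = "Your package could not be deliverd"
    m.set_content("Your parcel is on hold. See attached label.")
    m.add_alternative('<p>Sign in at <a href="http://accounts.google.com.'
                      'verify-login.example/x">accounts.google.com</a></p>',
                      subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="FedEx_Label.exe")
    return m.as_string()
```

Running `phishing_signs(sample_message(), "fedex.com")` reports all three signs; the poor-grammar sign from the talk is left to the reader, since it is not something a domain comparison can judge.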
Info
Channel: TEDx Talks
Views: 45,120
Rating: 4.9347472 out of 5
Keywords: TEDxTalks, English, United States, Technology, Communication, Computer Virus, Computers, Crime, Cyber, Digital, Education, Hack, Open-source, Security, Social Media, Software, Terrorism
Id: knLDY7hRm5I
Length: 14min 48sec (888 seconds)
Published: Tue Nov 24 2015