North Carolina Local Government Information Systems Associations (NCLGISA)
October 19, 2011
Asheville, North Carolina
Notes taken by: Brittany Box, Fortalice, LLC.
· Theresa Payton, Fortalice, LLC. "Protecting Your Cyberturf"
Executive Summary: General overview of the rise and risk of Cybercrime as it relates to law enforcement officials and the citizens they are trying to protect.
Cyberterrorists & Cybercriminals Are in Our Community Cookie Jar…How to Avoid Getting Left with the Crumbs
· Question: How can we properly raise awareness on a citizen level? Proper funding, resources, etc. for IT?
· 1/3 of the room has seen an increase in cybercrime and fraud in their industry
· role you play in the community
o Serious and complex
o People are ground zero- building the culture to know when things don't seem right
Serious and Complex
o Security focus has evolved
o Current reality: You are compromised and/or will be compromised
o Assume all devices you connect to are "dirty"
o Black Hat themes 2011
o paradigm shift- not because of incompetence, everyone is a target
o "This threat is increasing in scope and scale and its impact is difficult to overstate…Some of these are what we define APT, which are difficult to counter."
o Annual Threat Assessment
o Advanced: refers not to the point of intrusion (e.g., infected thumb drive, link in an email, social engineering) but to how sneaky they are now
o Persistent: continues to infect and steal IP
o "Sensitive information…" -DHS, creating a difficult situation for first responses
1. Govt. protection: Situational awareness
o Evolving threat vector
o e.g., the Robin Sage experiment: fake social media profiles were connected to a few people, trust networks extended because of mutual connections, people were tricked, and photos and geocodes leaked
o similar situations occurring within communities
o proactive research and information gathering
o citizens at risk
2. Business protection
o old-fashioned social engineering with a twist, manipulating information
o How did they get in?
o Spear phishing
o Infected hard drives, laptops, smartphones, pod slurping, man in the middle
o Checking in via Foursquare
o Resumes on LinkedIn lead to discovery of 80% of network infrastructure in 6 man-hours via LinkedIn profiles, etc.
Who? Different players on different teams?
o organized cybercrime
o state sponsored
o unscrupulous competitors
If you have credit card data or SSN info ANYWHERE on your computers, then that is worth something to someone (commerce items make you a target to cybercriminals)
A/V catches 33% of KNOWN signatures of viruses
bad guys can run their own code against antivirus so as to not be detected
Businesses are not prepared: 87% of breaches were preventable; 60% of incidents resulted from ignoring a social media policy
Businesses are losing: American business losses due to cyber attacks hit over $1 trillion worth of IP (Infragard thinks this is actually a low estimate)
Most businesses are not aware that they are not protected from a cyberheist if their computers are infected
Banks will do their best to help stop the loss of funds, but they do not have to refund the money; based on about 50 current court cases, courts typically rule on the side of the banks
3. Internet crimes against children
- kids are the evolving threat vector
- they are at risk
- "net generation"
- A Generation of Eve (Wall-E reference): raise security awareness within this group, keeping sensitive information confidential including their own bodies and identities
- October is Cyber Security Awareness month: How can we engage consumers/citizens from the ground up during this month?
- NC state law, cyberbullying misdemeanor
4. Consumer protection/education/awareness
· Consumer/business/govt. threats are evolving
· Money laundering scams via email
· Favorite topics for cybercriminals to include:
· Criminals themselves think that they are heroes in their village because of larger fish creating the fraud scheme
Top 10 Cybercrime hosts:
- South Korea
Building a Cool and Hip Security Culture
An informed citizen is Key to Preventing
· How can we make it easy for suspicious behavior notification (cyberbullying instance, email, etc.)
· How can we resolve these issues
· citizen and employee involvement
· scenario based training
· edutainment, e.g., with the S.A.F.E kids program
· Disaster recovery and business continuity
· Stop-Think-Connect (DHS website, ACTION ITEM: get websites to attendees)
Q1: We win the argument with a risk versus reward approach, sell the scenarios, modern day breach examples, leverage these, best practices?, be focused in your requests
Q2: Typically cybercrimes are considered not victimless but not necessarily a priority ($ to put cops on the street vs. cybercrime realm). How do we make this a priority? Don't want to "take boots off the ground", but internet crimes do create opportunity for physical world crime. Need to create an internet-savvy portion of our work force, e.g., a cyber crime watch on a volunteer basis by community members? Demonstrate efforts' successes and adapt.
Q3: How can we encourage teens to use resources that ARE available? Peer influence- don't want to be judged in a negative way- adapt the mindset of the culture, until we can do that- encourage kids to be safer and use safe social networks ie. YourSphere, human monitors- don't have to go directly to mom and dad
Links to consider tracking:
· our website and blog
· cccert.gov- current global threats
· sophos.com- threat information