ISACA UAE Conference - ISAFE 2015
(Conference Presentation - October 28, 2015 - Dubai)
Presentation Abstract:
Traditional cyber security defenses center around technology, with controls around networks, servers, devices, software as well as data. This approach helps mitigate technological threats but not human threats. Social engineering attacks have increased over the past years with vishing and phishing attacks becoming more frequent. However, end-user awareness on social engineering mitigation has not followed that same upward trend. This session explores human-centric cyber security defenses that support a more robust defense in depth approach, emphasizing the importance of end-user awareness, operational security strategies and identification of internal human based vulnerabilities.
ISACA UAE - Importance of Human-Centric Approaches to Cyber Security
1. Innovation in a Borderless World
ISACA – ISAFE 2015 - Dubai, UAE
Importance of Human-Centric Approaches to Cyber Security
Lydia Kostopoulos, PhD
@LKCYBER
7. Admiral Rogers, Director of US Cyber Command/NSA
Social Engineering
Human-Centric Approach
Attack Vectors
Accessibility
"Never underestimate the impact of user behavior on a defensive strategy"
8. Attacks: Human Factor & Intellectual Property (IP)
What’s the most common attack vector?
91% of cyberattacks begin with a spear phishing email – TrendMicro Research
How much does it cost the world?
$445 billion – annual cost of cybercrime and economic espionage to the world economy – 2014 CSIS & McAfee report
IP-Intensive Businesses in the US (Intellectual Property and the U.S. Economy: Industries in Focus – by the Economics and Statistics Administration and the United States Patent and Trademark Office)
• Support at least 40 million jobs
• Contribute $5 trillion (28%) to US GDP
13. Defense in Depth
We set up network defenses… Firewall, Intrusion Detection System
We set up data defenses… Encryption (Data in Use, At Rest, In Motion); Classification (Public, Internal Use, Confidential, Secret); Destruction
We set up malware defenses… Anti-Virus, Spam Filter?
Identity & Access Management
What about human defenses?
Phishing
15. Data Leakage Prevention Plan: Don’t forget Business Continuity
Followed by End-User Awareness
16. Hardening of Human Assets (HHA)
The process of elevating security awareness of a human asset in efforts to reduce and eliminate as many risks as possible.
17. Hardening Human Assets (HHA): Have a Plan
- OPSEC Awareness
- Social Engineering Awareness
- Specialized SIEM Settings (Cross-departmental collaboration)
- Espionage Threat Awareness
- Data Protection Awareness
- Social Media Use Awareness
- Travel Security Awareness
19. Cyber Professionalism: Set the example!
Incorporate a culture of cyber professionalism
- Clearly communicate acceptable and unacceptable cyber practices
- Create channels for communication about incidents
- Foster an open environment to discuss cyber practices, concerns, questions and doubt
Leaders should lead through example
- Practice cyber hygiene
- Follow best practices
- Report incidents, phishing attempts, potentially malicious files
- Communicate cyber expectations