Core Platform Security
Securing Your Salesforce Org: The Human Factor
Francis Pindar, Technical Architect
francis@email@example.com
LinkedIn.com/in/francisuk
March & August 2016 London Admin User Group Meeting
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include but are not limited to risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter.
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
If you've ever been to Dreamforce, you've seen this slide before. The gist of this slide is that any purchasing decisions you make on Salesforce should be based only on currently available functionality.
Agenda
Setting the Stage: The Human Factor
Attack Card exercise and discussion
Secure Behavior
Secure Your Salesforce Org
Next Steps
Welcome everyone to the Security Awareness user group! We are so excited to be here and to open a dialogue about security. This topic touches everyone, both as a Salesforce Admin (developer or user) or as a user of the internet in your personal life.
We have a jam-packed agenda today, and the Salesforce Trust team has sent us some awesome swag and reference materials I will share with you at the end of the meeting. There will also be a prize or two along the way.
We will begin our meeting by sharing some stats that demonstrate our need for improved security awareness and highlighting some of the challenges we face in combating cyber threats that prey on human nature. After providing this context, we will take part in a group exercise that Salesforce runs with all of its employees worldwide as part of its security awareness and training program. Next we will learn about behavioral changes we can work on with our users to make our Salesforce implementations more secure: things like password best practices and phishing training.
After talking about the human element, I will give an overview of the security controls built into the Salesforce core products that are available to all customers and can be used to add layers of security to your org's data.
To wrap up, I will share some key take-aways that you can use when you return to the office to improve your security posture immediately. We will also list some great resources Salesforce has to help you make these changes.
Setting the Stage: The Human Factor
Why are we here?
Estimated annual cost of global cybercrime
Setting the Stage: The Human Factor
First, why are we even having this conversation?
According to the Verizon 2015 Data Breach Investigation Report, the estimated annual cost of global cyber crime is a whopping $100 billion.
A recent report on UK companies showed that nearly half (46%) of small business owners have no employee responsible for data security and, more alarmingly, 27% have no process or policy at all. But it is not just isolated to small companies. Last year saw a conservative estimate of 487,731,758 records (based on public information) leaked from companies such as Hyatt, Hilton HHonors, Costa Coffee and Mumsnet; the 56 Dean Street clinic leaked the details of 780 HIV patients (the NHS Trust was fined £180k); JD Wetherspoon had nearly 700,000 customers' personal details stolen; and TalkTalk 156,000.
The threat landscape is more complex than ever, and the ability of security teams to prevent, detect, analyze and respond to threats has never been harder or more crucial.
Experts say British businesses are not doing enough to protect themselves. Cyber attacks are exacting a heavy toll on British businesses: research company Cebr last year reported £34bn in increased IT expenditure and lost revenue.
The UK Government found that the boards of half of FTSE 350 companies hear about cyber incidents only on an occasional basis, or when something goes wrong.
But the damage to a company's reputation can sometimes be greater than the harm done by the attack itself.
The UK Government's Public Policy Exchange says the threat from cyber attacks to the UK's national security is "real and growing". Such attacks have been classed as a Tier One threat to the UK.
"They was firing me. I just beat them to it. Nothing personal, the upper management need to see what the guys on the floor is capable of doing when they keep getting mistreated. I took one for the team. Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up."
On 23 December 2013, having just had a performance review, he decided to delete the configuration of Citibank's core routers, knocking 90 of Citibank's offices out of service.
Last month he admitted intentional damage and received a $77,000 fine and a two-year jail term.
I think of security as
Today's Target: The User
Setting the Stage: The Human Factor
For any organization, its people present the biggest security threat and the greatest opportunity for hackers. Cyber criminals have shifted their tactics from purely technological attacks to targeted assaults on employees, manipulating basic human behaviors. Now more than ever, every person has an impact on security regardless of their function or title.
According to the PwC Global State of Information Security Survey 2015, employees remain the most cited source of security compromise (over 55%), and incidents attributed to business partners also climbed 22 percent.
It takes only one employee to set off a chain of events that can compromise your company's data. In this way, security is a job expectation critical to your company's success. There are basic behaviors that every employee can adopt to make the company more secure.
Potential steps your users can take in the spirit of protecting data are: checking links in emails by hovering over them to see where they really go before clicking, not letting people into the office without checking for a badge, and continuing to update logins with stronger passwords. We will talk about specifics later on.
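The "hover over the link" check can be automated. The script below is an added example written for this page, not code from the original deck or from Salesforce: it parses a constructed HTML email body and flags every link whose visible text names one domain while its href actually goes to another, which is exactly what hovering reveals to a user. The sample message, the helper names and the two-label domain rule are assumptions made for the illustration.

```python
"""Added example: apply the "hover over the link" comparison to every anchor in
an HTML email body and report the ones whose visible text and real target
disagree. Not code from the original deck or from Salesforce."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body for demonstration (not a real message).
# Link 1 shows the bank's address but points at an unrelated host.
# Link 2 has descriptive text, so there is nothing for a user to compare.
# Link 3 shows and points at the same site (a www. prefix is not a mismatch).
SAMPLE_EMAIL_HTML = """
<p>Your account has just been closed. Click here to re-activate it:
<a href="http://login-secure-update.example.net/reactivate">
https://www.examplebank.com/reactivate</a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help centre</a>.</p>
<p>Or write to us at <a href="https://examplebank.com/contact">www.examplebank.com/contact</a>.</p>
"""


def registrable_domain(netloc):
    """Reduce a host to its last two labels ('www.examplebank.com' ->
    'examplebank.com'). Assumption: good enough for .com/.net style names;
    a real deployment would use the public suffix list for co.uk and friends.
    Anything before '@' (userinfo) is discarded, so a 'bank.com@evil.net'
    style URL resolves to the host the browser would really contact."""
    host = netloc.rsplit("@", 1)[-1].split(":")[0].lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_named_in_text(text):
    """Return the domain a link's visible text appears to name, or None when
    the text is not URL-like (e.g. 'our help centre')."""
    t = text.strip().lower()
    if not t or " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t  # urlparse needs a scheme to locate the host part
    return registrable_domain(urlparse(t).netloc)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def find_mismatched_links(html):
    """Return one finding per anchor whose visible text names a different
    registrable domain from the one its href really goes to."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown = domain_named_in_text(text)
        actual = registrable_domain(urlparse(href).netloc)
        if shown is not None and shown != actual:
            findings.append({
                "text": text.strip(),
                "href": href,
                "shown_domain": shown,
                "actual_domain": actual,
            })
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: text says {f['shown_domain']!r} "
              f"but the link goes to {f['actual_domain']!r} ({f['href']})")
```

Run it on the sample and only the first link is reported: the help-centre link has plain descriptive text (nothing to compare), and the contact link differs from its href only by a www. prefix. The same comparison is what a user performs by eye when hovering; the point of the script is that the rule is simple enough to state exactly, which makes it easy to teach.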
Bugs in Human Hardware
CONFORMITY: "Everybody else does it, why shouldn't I?"
TRUST: "People are inherently good and I want to be helpful."
CURIOSITY: "Hmmmm. I wonder what will happen if I..."
MORALITY: "I'd be wrong not to!"
FEAR: "If I don't do this, I'll get in trouble!"
REWARD: "I'll get something if I do this!"
Setting the Stage: The Human Factor
First, let's talk about human nature and the behaviors cyber criminals have learned they can exploit in order to steal credentials or infiltrate your network. A fun way to think about this is as bugs in human hardware.
Here are some examples:
Fear could be someone saying: "If you don't give me the information, I will report you to your manager."
Trust might be involved when you receive an authentic-looking email from your bank: "Your account has just been closed. Click here to re-acti