Building The Human Firewall Andy Sawyer, CISM, C|CISO Director of Security Locke Lord

HMSDC Building the Human Firewall 2016, thehumanfirewall.org/wp-content/uploads/2016/11/...


Page 1

Building The Human Firewall

Andy Sawyer, CISM, C|CISO

Director of Security

Locke Lord

Page 2

Cybersecurity

Cybersecurity is all about preserving the confidentiality, integrity, and availability of information assets.

Confidentiality – Authorized parties only

Integrity – Reliable, Authentic

Availability – When needed, to authorized parties

Page 3

Cybercrime

The Internet is the crime scene of the 21st century –

NY DA Cyrus Vance, Jr.

Stealing is stealing, whether you use a computer command or a crowbar –

Carmen Ortiz, US Atty for Massachusetts

Violent crime is down while cybercrime is up

Tools of the trade have changed

Adrian Garcia, Harris County Sheriff

New Identity Theft in U.S. Every 2 Seconds/

1800 Per Hour

Page 4

Cybercrime Drivers

Money/Organized Crime/Nation States/Hacktivism

Projected to be a $12 Trillion Industry by 2020

Convergence

Internet-facing systems

Anything, anywhere, any time demand

Sophisticated attackers

Cybercrime Consumerism

Hacker tools are becoming ever more sophisticated while requiring less and less knowledge from the hacker about how they work.

Page 5

Cybercrime Challenges

Attackers are hard to identify

Crimes are:

Hard to detect

Hard to prove

Not reported

Jurisdiction Issues

Page 6

Cybercrime Costs

U.S. Firms Spent $77 Billion on Cybersecurity in 2015

Expected to Spend $90 Billion this year

Spending on security technology never higher

Criminals seek to exploit networks from the inside, circumventing technology

Page 7

Cybercrime Is Up

National Counterintelligence Security Center Reports

500 Data breaches in first 8 months of 2015

47% of Americans had personal information compromised in the last 3 years

80 of the AmLaw 100 have been hacked since 2011

New Identity Theft in U.S.

Every 2 Seconds/1800 Per Hour

Page 8

Our Security Stays Busy

Firewall Events

Emails

Web Transactions

Intrusion Prevention Attacks

Wireless Logins

Data Loss Prevention Items

Phishing Emails – 1 Per Minute, > 1,000 a day

Endpoint AV/AS Malware

On An Average Day, We Block 2,000,000 Events

But Technology Doesn’t Catch Everything

Page 9

Becoming The Human Firewall

Identify Social Engineering

Don’t Be Too Social

The Right Address

Recognize Phishing

Strong Passwords/Phrases

Mobile Smart

TIINSTAFL

Wireless Networks

Cloud Computing

Internet of Things

Page 10

Social Engineering

The clever manipulation of the human tendency to trust

Cybersecurity is as much social science as computer science

Hackers Are Not Targeting Technology – You Are The Target

Protect Yourself; By Doing So You Protect Your Company

Page 11

Social Media

Sometimes shared interests or chance meetings are more than a coincidence

Do You Know Your “friends”?

Social engineering depends on familiarity

Don’t over share – 20% share full DOB

A strong social network presence makes you 50% more likely to be spear phished

60% of profile pictures contain GPS data

Messaging apps show where you’ve been

Page 12

Anatomy of A Facebook Spear Phish Attack

Hacker trolls Facebook and finds lots of information on someone he does not know, including:

• He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
• He visited The Brewhouse in Whistler on Sept. 16.
• The names of at least some of the people he was with on Sept. 13.
• He visited the 192 Brewing Company on Sept. 12.
• He visited the Chainline Brewing Company on Sept. 11.
• He visited American Pacific Mortgage on Sept. 9.
• He went to a Seattle Seahawks game on Sept. 3.

And based on his Facebook profile: employer, where he lives, his wife’s name.

Hacker creates an email with the subject line “Problem with your credit card charge at Tapley’s Pub”.

The email contains a short, believable message about a problem in running his credit card and provides a link asking him to verify the charge. The link is to a site that downloads a keystroke logger to his computer.

GAME OVER. The hacker can now capture every keystroke from then on, including login credentials and other confidential information.

The moral of this story: do not share all kinds of personal information on social media. Think Before You Share.

Page 13

Email – Use The Right Address

Firm email address for firm business only

Not for a login to Facebook/Amazon/etc.

Doing so makes the Firm a bigger target

Use only firm email for firm/client business

Webmail accounts like Gmail/AOL/Yahoo are not confidential

Use a different email account for:

Banking

Medical

Personal Correspondence

Social Networks

Shopping

Page 14

Email – Address Not Just For Mail

It’s an entry into (and exit from) our network

Penetration Test – Gain Control of The Network

Attack Technology: 5 Days – Unsuccessful

Phishing Campaign: 30 Minutes – Successful

Page 15

Email – Not Just An Address

It’s an easily guessable identity

It’s a security feature

It’s a marketing tool

Webmail (like Gmail) not suitable for confidential information

Work email address for firm business only

Use different email account for social networks, shopping, personal correspondence

Page 16

Phishing

Give a man a fish and you will feed him for a day

Teach a man to phish and he will gladly buy dinner with your credit card

Page 17

Phishing

Using email, voice, or text message to gain access or information by persuading you to click a link or open an attachment.

Phishers, Vishers and Smishers

Hackers Need Your Help

Most popular form of cyberattack because:

Targets people

Circumvents technology defenses

Cheap

Effective

Page 18

Phishing – An Emotional Appeal

• Appeals to:

– Trust

– Fear

– Curiosity

– Relationship

– Charity

– Greed/Free

Page 19

Email Creates Phishing Holes

Back door for network access/command & control

Data/Privacy Loss – May Not Know It’s Happening

Litigation Strategy

Intellectual Property

Mergers/Acquisitions

PHI/PII

Ransomware – You Know It’s Happening

Easy

Profitable

Customer Service

Trustworthy

Page 20

Your Best Cyber Defense?

Making the right decision about email

Don’t Know? Don’t Click!

90% of malware arrives in a phishing email

Think of suspicious email you received in the last 30 days:

Unexpected?

Unknown Sender?

Attachment/Hyperlink?

Action Requested?

Emotional Response?

Page 21

Did Someone Order The Phish?

Hyperlinks are the delivery vehicle of choice

Avoid the Ready/Fire/Aim Approach

The damage is already done if you click first and check later

Hover to Discover

Press and Hold on Your Phone

.RU is a Russian website

Page 22

Hyperlinks – Right To Left

Read In Reverse – Right To Left, Not Left To Right

The Last . Is the Most Important

http://chaseonline.revista.br

Spelling Matters

.revista.br – Not Chaseonline

Page 23

Compressed Files and Links

Hides Destination: z8ttqmf

Hides File Contents

Page 24

Expand Compressed Links

Real Destination: Brazil!
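The two habits on the slides above, reading a link right to left and expanding a compressed link before clicking it, can be written down as a small checker. This is an added example, not material from the presentation; the public-suffix table, the country-code table, the brand list and the redirect chain behind `short.example/z8ttqmf` are constructed for the demonstration.

```python
"""Reading a link right to left and expanding a shortened link before clicking.

Added example for the slides above; not code from the presentation.
PUBLIC_SUFFIXES, CCTLD_COUNTRY and FAKE_REDIRECTS are constructed, shortened
illustrations, not real data."""
from urllib.parse import urlsplit

# A tiny stand-in for the Public Suffix List (publicsuffix.org), which is what
# browsers consult to decide where the "registered" part of a host name starts.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "br", "com.br", "co.uk"}

# Country-code top-level domains the slides mention (partial, constructed table).
CCTLD_COUNTRY = {"ru": "Russia", "br": "Brazil"}


def registrable_domain(host: str) -> str:
    """Return the part of a host name that somebody actually registered.

    Read the labels from the right: the rightmost label(s) that form a public
    suffix belong to the registry, the label just left of them is the
    registered name, and everything further left was chosen freely by whoever
    owns that name (so 'chaseonline' in chaseonline.revista.br says nothing
    about Chase)."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes such as co.uk before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def inspect_link(url: str, brands=("chase", "paypal", "docusign")) -> dict:
    """Summarise what a reader should notice before clicking."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1]
    prefix = host[: len(host) - len(reg)]  # labels left of the registered name
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS: the connection is not encrypted")
    for brand in brands:
        if brand in prefix:
            warnings.append(f"'{brand}' appears left of the registered domain {reg}")
    if tld in CCTLD_COUNTRY:
        warnings.append(f".{tld} is the country code of {CCTLD_COUNTRY[tld]}")
    return {"host": host, "registrable_domain": reg, "tld": tld, "warnings": warnings}


def expand_link(url: str, fetch_location, max_hops: int = 5) -> list:
    """Follow a shortened link one redirect at a time and return the chain.

    fetch_location(url) returns the next URL (the Location header) or None
    when the response is not a redirect. Resolving the hops ourselves means
    the final page is never rendered, unlike clicking in a browser."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


# Constructed redirect table standing in for a real shortener service.
FAKE_REDIRECTS = {"http://short.example/z8ttqmf": "http://chaseonline.revista.br/login"}


def demo() -> dict:
    chain = expand_link("http://short.example/z8ttqmf", FAKE_REDIRECTS.get)
    return inspect_link(chain[-1])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In real use `fetch_location` would issue a HEAD request with redirects disabled and return the Location header, so the checker walks the chain without ever loading the destination. A typo-squatted registered name (the "Spelling Matters" point) is not caught by this check, because `chase-online.com` is a legitimately registered domain as far as the suffix rules go; that needs a human eye or an allow-list of the domains you actually bank with.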

Page 25

Quick Tips To Catch More Phish

Don’t Know? Don’t Click! Be Skeptical – Links and attachments should give you pause

Spelling Matters – Typos/bad grammar are warning signals

Hover to Discover/Press and Hold

Phone It In – If the email is suspicious, pick up the phone and call the source

Don’t Be A Winner – Avoid free merchandise, shopping cards, too good to be true

Don’t Panic – Clicking a link to fix a problem with your computer or your finances appeals to your impulse to avoid negative consequences
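The five questions from the "Your Best Cyber Defense?" slide and the quick tips above amount to a triage checklist, and a checklist can be run as code. The following is an added example, not part of the presentation: it scores a message against those questions plus the "too good to be true" and display-name-versus-address checks. The word lists are a constructed starting point, and the three sample messages are constructed (two modelled on the deck's "Your Password" and fake-DocuSign slides) with reserved `.example` addresses.

```python
"""First-pass phishing triage against the questions on the slides: unexpected?
unknown sender? link or attachment? action requested? emotional response?
plus "too good to be true" and a display name that claims a brand the address
domain does not carry.

Added example; not the presentation's own material. Word lists and sample
messages are constructed."""
from dataclasses import dataclass


@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    has_link: bool = False
    has_attachment: bool = False
    expected: bool = False        # was the recipient expecting this message?
    known_senders: tuple = ()     # addresses the recipient already corresponds with


ACTION_WORDS = ("click", "verify", "sign in", "log in", "login", "confirm",
                "examine", "sign the", "fill out")
EMOTION_WORDS = ("immediately", "urgent", "suspended", "suspicious",
                 "unauthorized", "by cob", "required", "problem with")
PRIZE_WORDS = ("free", "winner", "you have won", "gift card", "prize", "refund")
BRANDS = ("docusign", "chase", "paypal", "microsoft")


def red_flags(msg: Email) -> list:
    """Return the human-readable reasons to pause before acting on msg."""
    text = f"{msg.subject} {msg.body}".lower()
    flags = []
    if not msg.expected:
        flags.append("unexpected message")
    if msg.sender_addr.lower() not in {s.lower() for s in msg.known_senders}:
        flags.append("unknown sender")
    if msg.has_link or msg.has_attachment:
        flags.append("contains a link or attachment")
    if any(w in text for w in ACTION_WORDS):
        flags.append("asks you to take an action")
    if any(w in text for w in EMOTION_WORDS):
        flags.append("plays on fear or urgency")
    if any(w in text for w in PRIZE_WORDS):
        flags.append("too good to be true")
    # Display name claims a brand whose domain the actual address does not use.
    domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    for brand in BRANDS:
        if brand in msg.sender_name.lower() and brand not in domain:
            flags.append(f"display name says '{brand}' but the address domain is {domain}")
    return flags


def should_pause(msg: Email) -> bool:
    """The slides' rule is 'Don't know? Don't click!': any flag means stop."""
    return bool(red_flags(msg))


# Constructed samples.
PASSWORD_ALERT = Email(
    sender_name="Account Services Team",
    sender_addr="alerts@account-services.example",
    subject="Someone just used your password",
    body=("Someone just used your password to sign in to your account. "
          "We have stopped this sign-in attempt. "
          "You should change your password immediately."),
    has_link=True,
)
FAKE_DOCUSIGN = Email(
    sender_name="DocuSign",
    sender_addr="docs@notify-mail.example",
    subject="You have a document to sign",
    body="Please review and sign the document.",
    has_link=True,
)
LUNCH = Email(
    sender_name="A. Colleague",
    sender_addr="colleague@firm.example",
    subject="Lunch Thursday?",
    body="Lunch Thursday at noon, same place as last time?",
    expected=True,
    known_senders=("colleague@firm.example",),
)

if __name__ == "__main__":
    for sample in (PASSWORD_ALERT, FAKE_DOCUSIGN, LUNCH):
        print(sample.subject, "->", red_flags(sample) or ["no flags"])
```

The point of the exercise is the order of operations: the verdict comes from the flags, and the flags are computed before any link is opened. A mail gateway would add header checks (SPF, DKIM, DMARC results) to the same list; the human version of those checks is the "Phone It In" tip.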

Page 26

Passwords or Passphrases

Use Different Passwords

Change Every 90 Days/Don’t Share

Sharing Your Password Grants Others Permission to Be YOU

25 People Gave Snowden Password

Complex passwords hard to remember

Epw74RG!

Passphrases Instead of Passwords – Length Adds Complexity

CyberSecurity is an Attitude!

Cyb3rS3curity is an Attitud3!

Password Managers/Checkers

Work

Banking

Medical

Social Networks

Public Email

Shopping

Page 27

EPW74RG!

How Strong Is My Password?

Page 28

Cyb3rS3curity Is @n Attitud3!

How Strong Is My PassPhrase?

Page 29

Passphrase Checklist

Use different passphrases for different types and devices.

Don’t share passphrases or your creation strategy.

Avoid easy to guess passphrases.

Don’t use public computers, such as those at hotels, to log in to work or bank accounts. They are a great place for keystroke loggers to be installed.

Be skeptical of websites requiring personal information.

There’s no requirement to be truthful when providing personal information as long as you can remember your answers.

Look for opportunities to use two-factor authentication in conjunction with your passphrase.

Close, delete, or disable accounts you no longer use.

Page 30

Two Factor Authentication

Identification - Your claim

Authentication – Your proof

Something you know - Password

Something you have - Token, text

Something you are – Biometrics

You already use two factor authentication

Use two-factor authentication for:

IOT

Websites

Computers

Remote Access

Page 31

Mobile Devices

Assume physical control equals loss

Remote Locate/Wipe Software

Don’t be part of the jailbreak

Require Passcodes/PINs

Encrypt everything, including memory cards

Lock screen after 5 minutes of inactivity

Avoid app data loss…think Angry Birds

Turn off Frequent Locations/Bluetooth

Dispose with care

35% of resold mobile devices contain prior owner’s data

Page 32

Free

When the product is free, YOU are the product

Angry Birds – Free app sells your information to data aggregators

Gmail – Google scans all incoming/outgoing email to determine ads you see

Windows 10 EULA – “We will access, disclose, and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that it is necessary to do so”

Facebook – “You grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook”

Page 33

Encryption

Has been around for as long as people have wanted to keep secrets.

It provides confidentiality – assurance that only intended parties have access to the information.

It’s only as strong as its key.

Keys and algorithms scramble the data. Only the right key will unscramble it.

It’s a must for data in motion or at rest.

You should:

Look for HTTPS sites, they use encryption.

Be sure to encrypt your phone.

Page 34

Wireless Networks

Home

Change the default SSID without identifying yourself.

Turn on encryption and select WPA or WPA2.

Change the administrator name and password.

Public

Encrypted or not?

Phones search and automatically connect

Hackers publish hotspots like “Free WIFI”

Within minutes a coffee shop hacker knows:

Names/Passwords/Search History/More

Page 35

Cloud Computing

Your data is in the cloud, sanctioned or not: Storage, Collaboration, Backup, Phone Sync, Office Apps, CRM

But where exactly is your data? And who, besides you, has access? Before moving to the cloud, ask:

What is/is not in Contract

Content Management

SLAs

Access/Subcontractors

Validation of controls

Certifications/Compliance

Usage of Data

Backups

Security Standards

Breach Notifications

Encryption

Geolocational Issues

Post Termination Transition Rights/Assistance

Support

Page 36

Internet of Things

Devices with Internet access that collect, store, send information without human intervention

Who has access to this information?

Convenience is the priority

Security, if at all, an afterthought

Susceptible to malware and hackers

Now being used for denial of service attacks

10s of millions associated with the Mirai botnet involved in the October 21 DDOS attack

Thermostats

Appliances

Cameras

Security Systems

Doors

Car GPS/Phones

Insurance Devices

Medical devices/implants

Page 37

Final Thoughts

Cybersecurity is an attitude, not a department. We spend millions on technology, and it’s mostly money wasted, if we do not build the human firewall.

Page 38

Questions?

Page 39

Today’s Presentation Is Available:

http://thehumanfirewall.org/presentations

http://www.securingthehuman.org

Helpful Links

Page 40

Phishing

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201512_en.pdf

http://lifehacker.com/this-infographic-shows-the-common-ways-scammers-try-to-1787443763

Passphrases

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201504_en.pdf

Encryption

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201606_en.pdf

Password Checkers

https://howsecureismypassword.net/

http://daleswanson.org/things/password.htm

Helpful Links

Page 41

Phishing Examples

Following are some examples of emails I’ve received.

You have, in all likelihood, received similar emails.

Knowing what’s real and sharing with your employees helps you identify fakes.

Page 42

Phishing - Unsubscribing

Right Click In Inbox

Page 43

Phishing - Fake DocuSign

Not DocuSign

Page 44

Real DocuSign

Page 45

Phishing – Free Money!

Red Flags?

Page 46

Phishing – You’ve Received A Fax

Red Flags?

Page 47

Phishing – Your Order

December 13, 2016

Red Flags?

Page 48

Phishing – Your Account

Dear YOURNAME

Carole from the bank notified us about the suspicious movements on out account. Examine the secure file. If you need more information, feel free to contact me.

King regards,
Elis Lucas
Account Manager
COMPANYNAME
112233 S Dakota Ave NE
Washington, DC 20018

Red Flags?

Page 49

Phishing – Your Password

Hi YOURNAME,

Someone just used your password to sign in to your account.

DETAILS:
November 11, 2016 11:00 AM CST
IP Address: 168.51.100.1
Location: UKRAINE

We have stopped this sign-in attempt. You should change your password immediately.

Best,
Account Services Team

Red Flags?

Page 50

Phishing – Your Review

Here at COMPANY we take employee performance very serious. As part of a new initiative, we have asked management to conduct routine evaluations of all employees in your department. Your supervisor, SUPERVISOR NAME, has uploaded your most recent evaluation. Please login to our secure portal using your COMPANY username and password.

Thank you,

Dina Dower
Employee Relations

Red Flags?

Page 51

Phishing – Compliance Required

This is a reminder that your signature is required for the Sarbanes-Oxley Act (SOX) compliance. All employees must fill out the form by COB. Please sign the attached document and HR.

As a requirement of SOX, we must ensure private data is protected and that all employees are in compliance with the regulatory standards. Therefore, it is critical that all employees review the following procedures and policies and acknowledge responsibility.

Red Flags?