Building The Human Firewall
Andy Sawyer, CISM, C|CISO
Director of Security
Locke Lord
Cybersecurity
Cybersecurity is all about preserving the confidentiality, integrity, and availability of information assets.
Confidentiality – Authorized parties only
Integrity – Reliable, Authentic
Availability – When needed to authorized parties
Cybercrime
“The Internet is the crime scene of the 21st century” – NY DA Cyrus Vance, Jr.
“Stealing is stealing, whether you use a computer command or a crowbar” – Carmen Ortiz, US Atty for Massachusetts
Violent crime is down while cybercrime is up
Tools of the trade have changed
– Adrian Garcia, Harris County Sheriff
New Identity Theft in U.S. Every 2 Seconds / 1800 Per Hour
Cybercrime Drivers
Money/Organized Crime/Nation States/Hacktivism
Projected to be a $12 Trillion Industry by 2020
Convergence
Internet-facing systems
Anything, anywhere, any time demand
Sophisticated attackers
Cybercrime Consumerism
Hacker tools are becoming more sophisticated while requiring less and less knowledge from the hacker about how they work.
Cybercrime Challenges
Attackers are hard to identify
Crimes are:
Hard to detect
Hard to prove
Not reported
Jurisdiction Issues
Cybercrime Costs
U.S. Firms Spent $77 Billion on Cybersecurity in 2015
Expected to Spend $90 Billion this year
Spending on security technology never higher
Criminals seek to exploit networks from the inside, circumventing technology
Cybercrime Is Up
National Counterintelligence Security Center Reports
500 Data breaches in first 8 months of 2015
47% of Americans had personal information compromised in the last 3 years
80 of the AmLaw 100 have been hacked since 2011
New Identity Theft in U.S. Every 2 Seconds / 1800 Per Hour
Our Security Stays Busy
Firewall Events
Emails
Web Transactions
Intrusion Prevention Attacks
Wireless Logins
Data Loss Prevention Items
Phishing Emails – 1 Per Minute, > 1,000 a day
Endpoint AV/AS Malware
On An Average Day, We Block 2,000,000 Events
But Technology Doesn’t Catch Everything
Becoming The Human Firewall
Identify Social Engineering
Don’t Be Too Social
The Right Address
Recognize Phishing
Strong Passwords/Phrases
Mobile Smart
TIINSTAFL
Wireless Networks
Cloud Computing
Internet of Things
Social Engineering
The clever manipulation of the human tendency to trust
Cybersecurity is as much social science as computer science
Hackers Are Not Targeting Technology
You Are The Target
Protect Yourself, By Doing So You Protect Your Company
Social Media
Sometimes shared interests or chance meetings are more than a coincidence
Do You Know Your “friends”?
Social engineering depends on familiarity
Don’t over share – 20% share full DOB
A strong social network presence makes you 50% more likely to be spear phished
60% of profile pictures contain GPS data
Messaging apps show where you’ve been
Anatomy of A Facebook Spear Phish Attack
Hacker trolls Facebook and finds lots of information on someone he does not know, including:
• He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
• He visited The Brewhouse in Whistler on Sept. 16.
• The names of at least some of the people he was with on Sept. 13.
• He visited the 192 Brewing Company on Sept. 12.
• He visited the Chainline Brewing Company on Sept. 11.
• He visited American Pacific Mortgage on Sept. 9.
• He went to a Seattle Seahawks game on Sept. 3.
And based on his Facebook profile, employer, where he lives, his wife’s name.
Hacker creates an email with the subject line “Problem with your credit card charge at Tapley’s Pub”.
The email contains a short, believable message about a problem in running his credit card and provides a link asking him to verify the charge. The link is to a site that downloads a keystroke logger to his computer.
GAME OVER. The hacker can now capture every keystroke from then on, including login credentials and other confidential information.
The moral of this story: do not share all kinds of personal information on social media. Think Before You Share.
Email – Use The Right Address
Firm email address for firm business only
Not for a login to Facebook/Amazon/etc.
Doing so makes the Firm a bigger target
Use only firm email for firm/client business
Webmail accounts like Gmail/AOL/Yahoo are not confidential
Use a different email account for:
Banking
Medical
Personal Correspondence
Social Networks
Shopping
Email – Address Not Just For Mail
It’s an entry into (and exit from) our network
Penetration Test – Gain Control of The Network
Attack Technology – 5 Days – Unsuccessful
Phishing Campaign – 30 Minutes – Successful
Email – Not Just An Address
It’s an easily guessable identity
It’s a security feature
It’s a marketing tool
Webmail (like Gmail) not suitable for confidential information
Work email address for firm business only
Use different email account for social networks, shopping, personal correspondence
Phishing
Give a man a fish and you will feed him for a day. Teach a man to phish and he will gladly buy dinner with your credit card.
Phishers, Vishers and Smishers
Using email, voice, or text message to gain access or information by persuading you to click a link or open an attachment.
Phishing – Hackers Need Your Help
Most popular form of cyberattack because:
Targets people
Circumvents technology defenses
Cheap
Effective
Phishing – An Emotional Appeal
• Appeals to:
– Trust
– Fear
– Curiosity
– Relationship
– Charity
– Greed/Free
Email Creates Phishing Holes
Back door for network access/command & control
Data/Privacy Loss – May Not Know It’s Happening
Litigation Strategy
Intellectual Property
Mergers/Acquisitions
PHI/PII
Ransomware – You Know It’s Happening
Easy
Profitable
Customer Service
Trustworthy
Your Best Cyber Defense?
Making the right decision about email
Don’t Know? Don’t Click!
90% of malware arrives in a phishing email
Think of suspicious email you received in the last 30 days:
Unexpected?
Unknown Sender?
Attachment/Hyperlink?
Action Requested?
Emotional Response?
Did Someone Order The Phish?
Hyperlinks are the delivery vehicle of choice
Avoid the Ready/Fire/Aim Approach
The damage is already done if you click first and check later
Hover to Discover
Press and Hold on Your Phone
.RU is a Russian website
Hyperlinks – Right To Left
Read In Reverse – Right To Left, Not Left To Right
The Last . Is the Most Important
http://chaseonline.revista.br
Spelling Matters
.revista.br, Not Chaseonline
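The right-to-left reading rule above can be turned into a small check that a mail gateway or a curious user can run on a link. This is an added example, not code from the presentation: it uses a constructed, hand-picked suffix table in place of the full Public Suffix List, and chase.com is assumed as the brand the message claims to come from.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes, enough for the slide's example.
# A production check should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "br", "com.br", "ru", "com.ru", "uk", "co.uk"}

# Country-code TLDs the slides call out (constructed lookup, not exhaustive).
COUNTRY_CODES = {"br": "Brazil", "ru": "Russia", "uk": "United Kingdom"}


def registrable_domain(url):
    """Read the host right to left: the longest public suffix plus the one
    label to its left is what was actually registered. Returns None for a
    bare IP address, an unknown suffix, or a URL with no host."""
    # .hostname drops any "user@" prefix, so "chase.com@evil.ru" yields evil.ru.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):  # i = 0 is the whole host, so the first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:  # hit is the longest suffix
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def check_link(url, expected_domain):
    """Classify a link against the domain the email claims to come from.

    Returns (verdict, registrable_domain, country):
      'ok'        - the registered domain is the expected one
      'lookalike' - the brand name appears in the URL, but left of the dot
                    that matters (subdomain, path or user@ part)
      'unrelated' - the brand name does not appear at all
      'unknown'   - no registrable domain could be determined
    """
    reg = registrable_domain(url)
    if reg is None:
        return ("unknown", None, None)
    country = COUNTRY_CODES.get(reg.rsplit(".", 1)[-1])
    if reg == expected_domain.lower():
        return ("ok", reg, country)
    brand = expected_domain.lower().split(".")[0]
    verdict = "lookalike" if brand in url.lower() else "unrelated"
    return (verdict, reg, country)


if __name__ == "__main__":
    # The slide's example: "chaseonline" is only a subdomain of revista.br.
    print(check_link("http://chaseonline.revista.br", "chase.com"))
```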
Compressed Files and Links
Hides Destination (z8ttqmf)
Hides File Contents
Expand Compressed Links
Real Destination: Brazil!
Quick Tips To Catch More Phish
Don’t Know? Don’t Click!
Be Skeptical – Links and attachments should give you pause
Spelling Matters – Typos/bad grammar are warning signals
Hover to Discover/Press and Hold
Phone It In – If the email is suspicious, pick up the phone and call the source
Don’t Be A Winner – Avoid free merchandise, shopping cards, too good to be true
Don’t Panic – Clicking a link to fix a problem with your computer or your finances appeals to your impulse to avoid negative consequences
Passwords or Passphrases
Use Different Passwords
Change Every 90 Days/Don’t Share
Sharing Your Password Grants Others Permission to Be YOU
25 People Gave Snowden Password
Complex passwords hard to remember
Epw74RG!
Passphrases Instead of Passwords – Length Adds Complexity
CyberSecurity is an Attitude!
Cyb3rS3curity is an Attitud3!
Password Managers/Checkers
Work
Banking
Medical
Social Networks
Public Email
Shopping
EPW74RG!
How Strong Is My Password?
Cyb3rS3curity Is @n Attitud3!
How Strong Is My PassPhrase?
Passphrase Checklist
Use different passphrases for different types and devices.
Don’t share passphrases or your creation strategy.
Avoid easy to guess passphrases.
Don’t use public computers, such as those at hotels, to log in to work or bank accounts. Great place for keystroke loggers to be installed.
Be skeptical of websites requiring personal information.
There’s no requirement to be truthful when providing personal information as long as you can remember your answers.
Look for opportunities to use two-factor authentication in conjunction with your passphrase.
Close, delete, or disable accounts you no longer use.
Two Factor Authentication
Identification - Your claim
Authentication – Your proof
Something you know - Password
Something you have - Token, text
Something you are – Biometrics
You already use two factor authentication
Use two-factor authentication for:
IOT
Websites
Computers
Remote Access
Mobile Devices
Assume physical control equals loss
Remote Locate/Wipe Software
Don’t be part of the jailbreak
Require Passcodes/PINs
Encrypt everything, including memory cards
Lock screen after 5 minutes of inactivity
Avoid app data loss…think Angry Birds
Turn off Frequent Locations/Bluetooth
Dispose with care
35% of resold mobile devices contain prior owner’s data
Free
When the product is free, YOU are the product
Angry Birds – Free app sells your information to data aggregators
Gmail – Google scans all incoming/outgoing email to determine ads you see
Windows 10 EULA: “We will access, disclose, and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that it is necessary to do so”
Facebook: “You grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook”
Encryption
Has been around for as long as people have wanted to keep secrets.
It provides confidentiality – assurance that only intended parties have access to the information.
It’s only as strong as its key.
Keys and algorithms scramble the data. Only the right key will unscramble it.
It’s a must for data in motion or at rest.
You should:
Look for HTTPS sites, they use encryption.
Be sure to encrypt your phone.
Wireless Networks
Home
Change the default SSID without identifying yourself.
Turn on encryption and select WPA or WPA2.
Change the administrator name and password.
Public
Encrypted or not?
Phones search and automatically connect
Hackers publish hotspots like “Free WIFI”
Within minutes a coffee shop hacker knows:
Names/Passwords/Search History/More
Cloud Computing
Your data is in the cloud. Sanctioned or not.
Storage, Collaboration, Backup
Phone Sync, Office Apps, CRM
But where exactly is your data? And who, besides you, has access?
Before moving to the cloud, ask:
What is/is not in Contract
Content Management
SLAs
Access/Subcontractors
Validation of controls
Certifications/Compliance
Usage of Data
Backups
Security Standards
Breach Notifications
Encryption
Geolocational Issues
Post Termination Transition Rights/Assistance
Support
Internet of Things
Devices with Internet access that collect, store, send information without human intervention
Who has access to this information?
Convenience is the priority
Security, if at all, an afterthought
Susceptible to malware and hackers
Now being used for denial of service attacks
10s of millions associated with the Mirai botnet involved in the October 21 DDOS attack
Thermostats
Appliances
Cameras
Security Systems
Doors
Car GPS/Phones
Insurance Devices
Medical devices/implants
Final Thoughts
Cybersecurity is an attitude, not a department. We spend millions on technology, and it’s mostly money wasted, if we do not build the human firewall.
Questions?
Today’s Presentation Is Available:
http://thehumanfirewall.org/presentations
http://www.securingthehuman.org
Helpful Links
Phishing
https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201512_en.pdf
http://lifehacker.com/this-infographic-shows-the-common-ways-scammers-try-to-1787443763
Passphrases
https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201504_en.pdf
Encryption
https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201606_en.pdf
Password Checkers
https://howsecureismypassword.net/
http://daleswanson.org/things/password.htm
Phishing Examples
Following are some examples of emails I’ve received.
You have, in all likelihood, received similar emails.
Knowing what’s real and sharing with your employees helps you identify fakes.
Phishing - Unsubscribing
Right Click In Inbox
Phishing - Fake DocuSign
Not DocuSign
Not DocuSign
Real DocuSign
Phishing – Free Money!
Red Flags?
Phishing – You’ve Received A Fax
Red Flags?
Phishing – Your Order
December 13, 2016
Red Flags?
Phishing – Your Account
Dear YOURNAME
Carole from the bank notified us about the suspicious movements on out account. Examine the secure file. If you need more information, feel free to contact me.
King regards,
Elis Lucas
Account Manager
COMPANYNAME
112233 S Dakota Ave NE
Washington, DC 20018
Red Flags?
Phishing – Your Password
Hi YOURNAME,
Someone just used your password to sign in to your account.
DETAILS:
November 11, 2016 11:00 AM CST
IP Address: 168.51.100.1
Location: UKRAINE
We have stopped this sign-in attempt. You should change your password immediately.
Best,
Account Services Team
Red Flags?
Phishing – Your Review
Here at COMPANY we take employee performance very serious. As part of a new initiative, we have asked management to conduct routine evaluations of all employees in your department. Your supervisor, SUPERVISOR NAME, has uploaded your most recent evaluation. Please login to our secure portal using your COMPANY username and password.
Thank you,
Dina Dower
Employee Relations
Red Flags?
Phishing – Compliance Required
This is a reminder that your signature is required for the Sarbanes-Oxley Act (SOX) compliance. All employees must fill out the form by COB. Please sign the attached document and HR.
As a requirement of SOX, we must ensure private data is protected and that all employees are in compliance with the regulatory standards. Therefore, it is critical that all employees review the following procedures and policies and acknowledge responsibility.
Red Flags?