IT SECURITY UPDATE 2019 November 6, 2019 Presented by Benjamin Ellis & Scott Stone


IT SECURITY UPDATE 2019

From the IT consultants:

o Passwords / Two-Factor Authentication

o Firewalling

o Ransomware / Malware

o USB / Flash Drives

o Portal / File Transfer Services

o Physical Loss of a Cell Phone or Laptop

o Phishing

BREACHED RECORDS – FIRST ½ OF 2015

BREACHED RECORDS – FIRST ½ OF 2016

BREACHED RECORDS – FIRST ½ OF 2017

BREACHED RECORDS – FIRST ½ OF 2018

2017 BREACHES BY INDUSTRY

2018 BREACHES BY INDUSTRY

BREACH INCIDENTS BY TYPE – 2017

BREACH INCIDENTS BY TYPE – 2018

BREACH INCIDENTS BY SOURCE – 2017

BREACH INCIDENTS BY SOURCE – 2018

This happens everywhere, right? 2017

This happens everywhere, right? 2018

IT SECURITY BASICS

• CENTRALIZED ANTIVIRUS ON EVERY WORKSTATION WITH ACTIVE IT NOTIFICATION

• PATCH MANAGEMENT FOR EVERY PC AND SERVER, BOTH MICROSOFT AND THIRD PARTY

• FIREWALL PROTECTION WITH AN UP-TO-DATE PRODUCT

• GOOD PASSWORD HYGIENE

• SOLID BACKUPS INCLUDING CLOUD OR OFF-SITE STORAGE

2019 Data not available

2019 Data Breaches

• Fortnite (Epic Games) – 200 million users

• Oklahoma Department of Securities – decade of data lost

• Collection #1 – 770 million unique email addresses and 21 million unique passwords

• Elasticsearch Cloud Storage – 108 million records

• Verifications.io – 982 million records

• Facebook – 540 million records

• First American Corp. – 885 million records

• Canva – 139 million records

• Flipboard – 145 million records

• Capital One – 80,000 bank account numbers, 140,000 SSNs, 1 million Canadian social insurance numbers and millions of credit card applications.

• Pitney Bowes – malware incident

2019 Data Breaches

• Blur

• Town of Salem Video Game

• DiscountMugs.com

• BenefitMall

• OXO

• Managed Health Services (MHS) of Indiana

• BlackRock Inc.

• Graeters Ice Cream

• Online Betting Sites

• Ascension

• Alaska Dept. of Health & Social Services (DHSS)

• Rubrik

• Critical Care, Pulmonary & Sleep Associates (CCPSA)

• Houzz

• Catawba Valley Medical Center

• Huddle House

• EyeSouth Partners

• Dunkin’ Donuts

• Coffee Meets Bagel

• 500px

• North Country Business Products

• Advent Health

• Coinmama

• UW Medicine

• UConn Health

• Dow Jones

• Rush University Medical Center

• Health Alliance Plan

• Pasquotank-Camden Emergency Medical Services

• Spectrum Health Lakeland

• Rutland Regional Medical Center

• Zoll Medical

• MyPillow & Amerisleep

• Oregon Dept. of Human Services (DHS)

• Federal Emergency Management Agency (FEMA)

• Family Locator

• Milestone Family Medicine

• Verity Health Systems

• Earl Enterprises

• Georgia Tech

• Baystate Health

• Prisma Health

• City of Tallahassee

• Microsoft Email Services

• Steps to Recovery

• EmCare

• Bodybuilding.com

• Atlanta Hawks

• Docker Hub

PHISHING ATTACKS

• Phishing uses social engineering, a technique where cyber attackers attempt to fool you into taking an action.

• These attacks often begin with a cyber criminal sending you an email pretending to be from someone or something you know or trust, such as a friend, your bank, or your favorite online store.

• These emails then entice you into taking an action, such as clicking on a link, opening an attachment, or responding to a message.

• Cyber criminals craft these emails to look convincing.

Still the largest threat IT currently deals with.

PHISHING / SPEAR PHISHING

• WAS RANSOMWARE / CRYPTOWARE, NOW CREDENTIALS AND ACCOUNT ACCESS

• INCREASE IN THE RESEARCH PEOPLE ARE DOING PRIOR TO SENDING PHISHING EMAILS

• REDUCTION IN THE DUPLICATION OR COMPLEXITY OF ACTUAL EMAILS TO AVOID LOOKING LIKE SPAM

• TARGETED ATTACHMENTS AND SUBJECTS BASED ON JOB ROLE

• EMAIL FORWARDING AS PART OF THE COMPROMISE

NOTABLE ATTACK VECTORS – PHISHING EMAILS

PHISHING EXAMPLE #1

PHISHING EXAMPLE #2

NOTABLE ATTACK VECTORS – PHISHING LINKS

Osmarecommerce.biz/invx/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-userid&userid=tadams@

Good Afternoon All,

This email comes as a warning regarding an email hack that we are experiencing. It has been brought to our attention that our CCO/CFO, Amy Smith, has had her email hacked. Steps are being taken right now to correct the situation.

Should you receive any correspondences from Amy Smith (AS@ABCWealthcom) requesting any kind of information—

DO NOT OPEN!

Either delete and/or call our office - ask to speak with either Amy or Bob Smith.

We apologize for any inconvenience and are working tirelessly to fix the problem.

Best,

Sue Jackson
Marketing Manager
ABC Wealth Management

PROTECTING YOURSELF

• Be suspicious of these three words: “Urgent” “Payment” “Request”

• Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank they will know your name.

• Be suspicious of grammar or spelling mistakes.

• Do not click on links.

• Hover your mouse over the link to see true destination.

PROTECTING YOURSELF

• Be suspicious of attachments and only open those that you were expecting.

• Just because you got an email from your friend does not mean they sent it.

• Stay diligent.

• Not sure? Forward it to IT.

• Train yourself:

o https://www.phishingbox.com/phishing-test

o https://www.opendns.com/phishing-quiz/

PROTECTING YOURSELF

• Enable two-factor authentication – O365, Google Authenticator, Security Key, SMS

• Train your employees and yourself – KnowBe4, Wombat, Sophos.

• Use a quality email provider – Office365, Gmail, ProtonMail

PASSWORDS AND TWO-FACTOR AUTHENTICATION

01 Password Best Practices Review

02 Password Managers, Haystacking, Passphrases

03 Two-Factor – Types, Uses, Limitations, Benefits

PASSWORDS: PROTECTING YOURSELF

• Enable Two-Factor Authentication.

• Use a Password Manager such as LastPass.

• Do not reuse Passwords for important sites.

PASSWORD MANAGERS

A password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database.

Examples:

o LastPass

o 1Password

o KeePass

o Lenovo Fingerprint Manager

o HP Protect Tools

EXCEL AS A PASSWORD MANAGER?

• Better than writing them down.

• Must set a strong master password.

• Be careful how you transfer it or store it.

• Backups are an issue.

PASSWORD HAYSTACKING

• Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers, and then symbols until the combination you chose is discovered.

• Example: LinkedIn4-=-=-=

• Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9
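The slide's comparison in numbers, as an added example that is not part of the original presentation: it counts the candidates a blind brute-force search must cover for each of the two passwords. The 32-symbol punctuation set, the guess rate and the padding-aware estimate are assumptions made here; the last one shows how the result depends on the slide's premise that only exhaustive search is left.

```python
import string

# Character classes a brute-force search has to include. Counting the 32
# ASCII punctuation marks as "symbols" is an assumption; the slide gives
# no alphabet sizes.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# The two passwords from the slide: "D0g" followed by 21 periods, and the
# random-looking 23-character string.
HAYSTACK = "D0g" + "." * 21
RANDOM_LOOKING = "PrXyc.N(n4k77#L!eVdAfp9"

ASSUMED_GUESSES_PER_SECOND = 1e11  # hypothetical rate, for scale only


def alphabet_size(password):
    """Total size of every character class that appears in the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_space(password):
    """Candidates of every length from 1 up to len(password) over that
    alphabet: the size of the haystack for a blind exhaustive search."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def padded_pattern_space(password, max_core_len):
    """Upper bound on candidates if the search instead assumes the shape
    'short core + one repeated padding character' (a hypothetical model
    added here, not something the slide describes)."""
    n = alphabet_size(password)
    total = 0
    for core_len in range(1, max_core_len + 1):
        pad_lengths = len(password) - core_len + 1  # 0 .. len - core_len
        total += (n ** core_len) * n * pad_lengths  # cores * pad char * lengths
    return total


def years_to_exhaust(space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every candidate at a constant guess rate, in years."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for name, pw in (("padded", HAYSTACK), ("random-looking", RANDOM_LOOKING)):
        space = brute_force_space(pw)
        print(f"{name:15s} length={len(pw)} alphabet={alphabet_size(pw)} "
              f"space={space:.2e} years={years_to_exhaust(space):.2e}")
    padded = padded_pattern_space(HAYSTACK, 3)
    print(f"padding-aware search of the first password: {padded:,} candidates")
```

Both passwords draw on the same 94-character alphabet, so under blind brute force the extra character is what makes the first haystack larger; the padding-aware count is why the padding scheme itself should not be predictable.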

PASSPHRASES

• Instead of a Password consider using a Passphrase.

• Examples:

o WinterisaSlipperyTimeofYear

o ItsAccrualWorld

o BeAuditYouCanBe

• Longer passwords are better passwords.

• Use a Password Manager to create long, secure, unique passwords so you do not need to remember every one.

WAYS TO STAY SAFE – PASSWORDS

• Don’t reuse passwords.

• Don’t type your password into a public use machine.

o If you do have to – change it ASAP.

• Use a machine other than your kid’s gaming machine to check mail or log into Firm resources.

• Use a Password Manager.

• Use Password Haystacking.

• Use Passphrases instead of Passwords.

• If you hear about a breach – change your password.

• Always be diligent about typing in passwords where people can see you type them in.

• Upgrade your operating system and keep it updated.

TWO-FACTOR AUTHENTICATION / BIOMETRICS

• Two-Factor Authentication, aka 2FA or Multifactor Authentication

• Examples:

o Pin Texted To Your Cell

o Google Authenticator

o RSA SecurID

o Mobile App Authentication

• Biometrics

o Fingerprint Scanner (Laptop, iPhone, etc.)

o Retinal Scanner

o Hand geometry

o Facial Recognition

TWO-FACTOR AUTHENTICATION / BIOMETRICS

Two-Factor Authentication Means:

Something You Know (Password)

+

Something You Have (RFID Badge, SMS Message, Time-Based One-Time password, Hardware Key-U2F)

OR

Something You Are (Fingerprint, Retinal Scan, Palm Scanner, Facial Recognition, Voice Recognition)

SOMETHING YOU HAVE - PROS AND CONS:

• RFID Badge – Good, because they are hard to spoof but they require a reader and they can be lost or stolen.

• SMS Message – Fair and convenient, but more and more frequently attacked as SMS is not secure.

• Time-Based One-Time password – Excellent – Fairly convenient and difficult to spoof. Becoming Ubiquitous. Manageable from IT.

• Hardware Key-U2F – Good – Very hard to spoof but you have to have it with you and registered to the sites you use; can also be lost or stolen.

WHAT ABOUT SECURITY QUESTIONS?

Such as:

o Mother’s maiden name

o City you were born in

o Street you grew up on

o Best friend’s name

o Father’s middle name

Terrible – Answers available on Social Media

PATCHING

What is patching?

Why is it important?

What do I need to do?

FIREWALLING – WORK, HOME, AND THE ROAD

At Work:

o Unified Threat Management Firewalls at every location.

o Laptops and Desktops have the Windows Firewall turned on.

At Home:

o Do you run a firewall at home or just the cable modem?

o Have you updated your firewall firmware / software in the last 6 months? American Consumer Institute says 5 out of 6 firewalls are vulnerable to an active exploit.

On the Road:

o Avoid open Wi-Fi if possible

o Use a VPN if you do have to use open Wi-Fi

IOT IN THE NEWS

Mirai

• First found in August 2016

• Primarily targets online consumer devices such as IP cameras and home routers

• Used common factory default usernames and passwords to infect hosts

• October 2016 - multiple major DDoS attacks on DNS service provider Dyn affected:

o Amazon

o Twitter

o Reddit

o Netflix

o Airbnb

• Dyn estimates 100,000 IOT devices were involved in the DDoS attack.

• Mirai source code was released on the internet for others to use.

• March of 2017 – Mirai variant used 9,700 devices to take a US college offline for 54 hours.

IOT IN THE NEWS

Mirai – Follow-up

• Turned out to be three 21-year-old students that authored the malware.

• It was written to take down competing Minecraft servers.

• They released the Mirai source code on the internet in Sept 2016 for others to copy in an attempt to hide themselves among the many people using Mirai.

• They had all their Bitcoin confiscated (millions of dollars worth).

• Sentenced to 5 years probation, $127,000 in restitution and 2,500 hours of community service (meaning time working directly with the FBI).

• Mirai variants have been used to take all levels of businesses (from colleges to hospitals to financial services) offline for hours.

IOT IN THE NEWS

Reaper / IOTroop

• As of 10/26 – estimated 3.5 million devices and could be capable of growing by nearly 85,000 devices per day.

• What could it do?

o DDoS Attacks – Internet Crippling Attacks

o Spam relays (each bot could send 250 emails a day)

o Digital currency mining (increasingly unlikely, though)

o Tor-like anonymous proxies, which can be rented

o Crypto ransom

o Clickjacking

o Ad fraud

o Fake ad, SEO Injection

o Fake AV fraud

o Malware hosting

IOT TAKEAWAYS

• IOT has been in business for years:

o Copiers / Printers

o VOIP Phones

o Cloud Configured Wireless Devices

o Security Systems / Cameras

• Be careful what you connect to the Internet – Ask IT.

• Look for the manufacturer to update the device.

• Cheap and easy to set up is probably not secure.

• IOT devices are computers and they need to be patched.

RANSOMWARE

Bayer, Merck, Heritage Valley Health, FedEx, Dept. Homeland Security, Nissan, Hitachi, UK National Health Service, TNT Express, Hancock Health, Honda

• Government Agencies

• Worldwide Banks

• Hospitals

• Manufacturing

• Telecom

55% Admit to having been a victim

RANSOMWARE

• 20% of Phishing emails we see lead to Ransomware. 60% to Credential Theft.

• Ransomware attacks are on the rise again.

• FBI estimates Cyber Criminals made over $5 Billion in 2017.

• We have consulted on Ransomware infections for organizations from large hospitals to home businesses.

• Only options are to pay or restore from backups.

• Ransomware always results in downtime and lost productivity.

RANSOMWARE

Currently Ransomware commonly comes disguised as:

Email File Attachments:

o Invoice.doc or Invoice.zip

o Fax.doc or Fax.zip

o Voicemail.wav or Voicemail.zip

o IRS Notice.zip

Download links:

o UPS / FEDEX / USPS notifications

o Client files to Box, Dropbox, Google drive, OneDrive

o Tax documents / Wells Fargo Documents

PASSWORD / PIN REUSE

• Most people reuse the same passwords over and over.

• Most people use 1 or 2 email addresses for all correspondence.

COMBINED WITH

• Hacked databases providing email / Password combinations:

o Yahoo – 10 Million accounts (2012)

o LinkedIn – 117 Million accounts (2012)

o Myspace – 427 Million accounts (2006)

These are old databases. Why release old sets?

• YAHOO MAIL = 500 million accounts (Sept 2016)

• OOPS! YAHOO = 3 BILLION Accounts

Every single customer account - email, Tumblr, Fantasy, and Flickr

EMAIL ADDRESS SPOOF

Passwords are legitimate and used from Yahoo email breach

NOTABLE ATTACK VECTORS

USB/EXTERNAL DEVICES

PORTALS AND FILE TRANSFER SERVICES

• Common Services

o Dropbox

o OneDrive

o GoogleDrive

o LeapFile

o Sharefile

• What are the risks?

MOBILE DEVICES – BEST PRACTICES

• Keep it updated (IOS / Nexus).

• Use a strong Pin / Passcode.

• Be careful of the apps you install.

• Enable encryption.

• Dispose of old devices properly.

• Be cautious of what you plug it into to charge.

• Do not open attachments you do not need to read on your phone.

PHYSICAL LOSS OF PAPER!

THINK LOW-TECH: 27% OF BREACH INCIDENTS WERE RELATED TO PAPER!

• Shredding

• Printing and Faxing

• Copies sitting out

• Secure Print & eFax

• Electronic Device Memory (copiers)

QUESTIONS?

BENJAMIN ELLIS

304.346.0441

SCOTT STONE

724.658.1565