IT SECURITY UPDATE

2018

November 8, 2018Presented by Benjamin Ellis & Scott Stone

1

IT SECURITY UPDATE

2018

From the IT consultants:oPasswords / Two-Factor Authentication

o Firewalling

oRansomware / Malware

oUSB / Flash Drives

oPortal / File Transfer Services

oPhysical Loss of a Cell Phone or Laptop

2

BREACHED RECORDS – FIRST ½ OF 20153

BREACHED RECORDS – FIRST ½ OF 20164

BREACHED RECORDS – FIRST ½ OF 20175

BREACHED RECORDS – FIRST ½ OF 20186

2017 BREACHES BY INDUSTRY7

2018 BREACHES BY INDUSTRY8

BREACH INCIDENTS BY TYPE – 2017

9

BREACH INCIDENTS BY TYPE – 2018

10

BREACH INCIDENTS BY SOURCE – 2017

11

BREACH INCIDENTS BY SOURCE – 2018

12

This happens everywhere, right?

2017

13

This happens everywhere, right?

2018

14

CENTRALIZED ANTIVIRUSON EVERY

WORKSTATION WITHACTIVE IT NOTIFICATION

PATCH MANAGEMENTFOR EVERY PC AND

SERVER BOTHMICROSOFT AND THIRD

PARTY

FIREWALLPROTECTION WITH

AN UP-TO-DATEPRODUCT

GOOD PASSWORDHYGIENE

SOLID BACKUPSINCLUDING CLOUD

OR OFF-SITESTORAGE IT SECURITY

BASICS

15

PHISHING ATTACKS• Phishing uses social engineering, a technique where cyber

attackers attempt to fool you into taking an action.

• These attacks often begin with a cyber criminal sending you anemail pretending to be from someone or something you know ortrust, such as a friend, your bank, or your favorite online store.

• These emails then entice you into taking an action, such as clickingon a link, opening an attachment, or responding to a message.

• Cyber criminals craft these emails to look convincing.

Still the largest threat IT currently deals with.

16

WAS RANSOMWARE / CRYPTOWARE

NOW CREDENTIALSAND ACCOUNT ACCESS

INCREASE IN THERESEARCH PEOPLE ARE

DOING PRIOR TOSENDING PHISHING

EMAILS

REDUCTION IN THEDUPLICATION OR

COMPLEXITY OF ACTUALEMAILS TO AVOID

LOOKING LIKE SPAM

TARGETEDATTACHMENTS ANDSUBJECTS BASED ON

JOB ROLE

EMAIL FORWARDINGAS PART OF THECOMPROMISE

PHISHING / SPEAR PHISHING17

NOTABLE ATTACK VECTORS – PHISHING EMAILS18

PHISHING EXAMPLE

#1

19

PHISHING EXAMPLE

#2

20

NOTABLE ATTACK VECTORS – PHISHING EMAILS21

NOTABLE ATTACK VECTORS – PHISHING LINKS22

NOTABLE ATTACK VECTORS – PHISHING LINKS

Osmarecommerce.biz/invx/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-userid&userid=tadams@

23

24

Good Afternoon All,

This email comes as a warning regarding an email hack that we are experiencing. It has been brought to our attention that our CCO/CFO, Amy Smith, has had her email hacked. Steps are being taken right now to correct the situation.

Should you receive any correspondences from Amy Smith (AS@ABCWealthcom) requesting any kind of information—

DO NOT OPEN!

Either delete and/or call our office - ask to speak with either Amy or Bob Smith.

We apologize for any inconvenience and are working tirelessly to fix the problem.

Best,

Sue JacksonMarketing ManagerABC Wealth Management

25

26

PROTECTING YOURSELF• Be suspicious of these three words:

“Urgent” “Payment” “Request”

• Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank they will know your name.

• Be suspicious of grammar or spelling mistakes.

• Do not click on links.

• Hover your mouse over the link to see true destination.

27

PROTECTING YOURSELF• Be suspicious of attachments and only open those that you

were expecting.

• Just because you got an email from your friend does notmean they sent it.

• Stay diligent.

• Not sure? Forward it to IT.

• Train yourself:o https://www.phishingbox.com/phishing-test

o https://www.opendns.com/phishing-quiz/

28

Enable Enable two-factor authentication – O365, Google Authenticator, Security Key, SMS

Train Train your employees and yourself – KnowBe4, Wombat, Sophos.

Use Use a quality email provider – Office365, Gmail, ProtonMail

PROTECTING YOURSELF29

PASSWORDS AND TWO-FACTOR AUTHENTICATION

Password Best Practices Review

01Password Managers, Haystacking, Passphrases

02Two-Factor –Types, Uses, Limitations, Benefits

03

30

PASSWORDS: PROTECTING

YOURSELF

Enable Enable Two-Factor Authentication.

Use Use a Password Manager such as LastPass.

Do not reuse Do not reuse Passwords for important sites.

31

PASSWORD MANAGERSA password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database.

Examples:

o LastPass

o 1Password

o KeePass

o Lenovo Fingerprint Manager

o HP Protect Tools

32

EXCEL AS APASSWORD MANAGER?

• Better than writing them down.

• Must set a strong master password.

• Be careful how you transfer it or store it.

• Backups are an issue.

33

PASSWORD HAYSTACKING• Every password you use can be thought of as a needle hiding in a

haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search –ultimately trying every possible combination of letters, numbers, and then symbols until the combination you chose is discovered.

• Example: LinkedIn4-=-=-=

• Which of the following two passwords is stronger,more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

34

PASSPHRASES• Instead of a Password consider using a Passphrase.

• Examples:oWinterisaSlipperyTimeofYearo ItsAccrualWorldoBeAuditYouCanBe

• Longer passwords are better passwords.

• Use a Password Manager to create long, secure, unique passwords so you do not need to remember every one.

35

WAYS TO STAY SAFE – PASSWORDS• Don’t reuse passwords.

• Don’t type your password into a public use machine.o If you do have to – change it

ASAP.

• Use a machine other than your kid’s gaming machine to check mail or log into Firm resources.

• Use a Password Manager.

• Use Password Haystacking.

• Use Passphrases instead of Passwords.

• If you hear about a breach –change your password.

• Always be diligent about typing in passwords where people can see you type them in.

• Upgrade your operating system and keep it updated.

36

TWO-FACTOR AUTHENTICATION / BIOMETRICS• Two-Factor Authentication

aka 2FA or Multifactor Authentication

• Examples:

o Pin Texted To Your Cell

o Google Authenticator

o RSA SecureID

o Mobile App Authentication

• Biometricso Fingerprint Scanner (Laptop,

iPhone, etc.)

o Retinal Scanner

o Hand geometry

o Facial Recognition

37

TWO-FACTOR AUTHENTICATION / BIOMETRICSTwo-Factor Authentication Means:

Something You Know(Password)

+

Something You Have(RFID Badge, SMS Message, Time-Based One-Time password, Hardware

Key-U2F)

OR

Something You Are(Fingerprint, Retinal Scan, Palm Scanner, Facial Recognition, Voice

Recognition)

38

SOMETHING YOU HAVE - PROS AND CONS:• RFID Badge – Good, because they are hard to spoof but

they require a reader and they can be lost or stolen.

• SMS Message – Fair and convenient, but are more and more frequently attacked as SMS is not secure.

• Time-Based One-Time password – Excellent – Fairly convenient and difficult to spoof. Becoming Ubiquitous. Manageable from IT.

• Hardware Key-U2F – Good – Very hard to spoof but you have to have it with you and registered to the sites you use; can also be lost or stolen.

39

WHAT ABOUT SECURITY QUESTIONS?Such as:

oMother’s maiden name

oCity you were born in

oStreet you grew up on

oBest friend’s name

o Father’s middle name

Terrible – Answers available on Social Media

40

PATCHINGWhat is patching?

Why is it important?

What do I need to do?

41

FIREWALLING – WORK, HOME, AND THE ROAD

At Work:oUnified Threat Management Firewalls at every location.

o Laptops and Desktops have the Windows Firewall turned on.

At Home:oDo you run a firewall at home or just the cable modem?

oHave you updated your firewall firmware / software in the last 6 months? American Consumer Institute says 5 out of 6 firewalls vulnerable to an active exploit.

On the Road:oAvoid open Wi-Fi if possible

oUse a VPN if you do have to use open Wi-Fi

42

IOT IN THE NEWSMirai• First found in August 2016• Primarily targets online consumer devices such as IP cameras and home routers• Used common factory default usernames and passwords to infect hosts• October 2016 - multiple major DDoS attacks in DNS services Dyn affected:

o Amazono Twittero Reddito Netflixo Airbnb

• Dyn estimates 100,000 IOT devices were involved in the DDoS attack.• Mirai source code was released on the internet for others to use.• March of 2017 – Marai variant used 9,700 devices to take a US college

offline for 54 hours.

43

IOT IN THE NEWSMirai – Follow-up• Turned out to be three 21-year-old students that authored the

malware.

• It was written to take down competing Minecraft servers.

• They released the Mirai source code on the internet in Sept 2016 for others to copy in an attempt to hide themselves among the many people using Mirai.

• They had all their Bitcoin confiscated (millions of dollars worth).

• Sentenced to 5 years probation, $127,000 in restitution and 2,500 hours of community service (meaning time working directly with the FBI).

• Marai variants have been used to take all levels of businesses (from colleges to hospitals to financial services) offline for hours.

44

IOT IN THE NEWSReaper / IOTroop• As of 10/26 – estimated 3.5 million devices and could be

capable of growing by nearly 85,000 devices per day.

45

• What could it do?o DDoS Attacks – Internet

Crippling Attackso Spam relays (each bot could

send 250 emails a day)o Digital currency mining

(increasingly unlikely, though)o Tor-like anonymous proxies,

which can be rented

o Crypto ransomo Clickjackingo Ad fraudo Fake ad, SEO Injectiono Fake AV fraudo Malware hosting

IOT TAKEAWAYS

• IOT has been in business for years:oCopiers / PrintersoVOIP PhonesoCloud Configured Wireless DevicesoSecurity Systems / Cameras

• Be careful what you connect to the Internet – Ask IT.

• Look for the manufacturer to update the device.

• Cheap and easy to setup is probably not secure.

• IOT devices are computers and they need to be patched.

46

BayerMerckHeritage Valley HealthFedExDept. Homeland SecurityNissanHitachiUK National Health ServiceTNT ExpressHancock Health Honda

Government Agencies

Worldwide Banks

Hospitals

Manufacturing

Telecom55%Admit to having been a victim

47

RANSOMWARE

48

RANSOMWARE

49

RANSOMWARE

• 20% of Phishing emails we see lead to Ransomeware. 60% to

Credential Theft.

• Ransomware attacks are on the rise again.

• FBI estimates Cyber Criminals made over $5 Billion in 2017.

• We have consulted on Ransomware infections for organizations from

large hospitals to home businesses.

• Only options are to pay or restore from backups.

• Ransomware always results in downtime and lost productivity.

50

RANSOMWARE

Currently Ransomware commonly comes disguised as:

o Email File Attachments

o Invoice.doc or Invoice.zip

o Fax.doc or Fax.zip

o Voicemail.wav or Voicemail.zip

o IRS Notice.zip

Download links:oUPS / FEDEX / USPS

notifications

oClient files to Box, Dropbox, Google drive, OneDrive

o Tax documents / Wells Fargo Documents

51

RANSOMWARE

• Most people reuse the same passwords over and over.

• Most people use 1 or 2 email addresses for all correspondence.

COMBINED WITH

• Hacked databases providing email / Password combinations:oYahoo – 10 Million accounts (2012)o LinkedIn – 117 Million accounts (2012)oMyspace – 427 Million accounts (2006)

These are old databases. Why release old sets?⦁ YAHOO MAIL = 500 million accounts (Sept 2016)

⦁ OOPS! YAHOO = 3 BILLION Accounts

Every single customer account - email, Tumblr, Fantasy, and Flickr

52

PASSWORD / PIN REUSE

EMAIL ADDRESSSPOOF

Passwords are legitimate and

used from Yahoo email breach

53

NOTABLE ATTACK VECTORS54

USB/EXTERNAL DEVICES

PORTALS AND FILE TRANSFER SERVICES•Common Services

oDropbox

oOneDrive

oGoogleDrive

oLeapFile

oSharefile

•What are the risks?

55

MOBILE DEVICES – BEST PRACTICES• Keep it updated (IOS / Nexus).

• Use a strong Pin / Passcode.

• Be careful of the apps you install.

• Enable encryption.

• Dispose of old devices properly.

• Be cautious of what you plug it into to charge.

• Do not open attachments you do not need to read on yourphone.

56

THINK LOW-TECH:27% OF BREACH INCIDENTS WERE

RELATED TOPAPER!

• Shredding

• Printing and Faxing

• Copies sitting out

• Secure Print & eFax

• Electronic Device Memory (copiers)

57

PHYSICAL LOSS OF PAPER!

58

QUESTIONS?

SCOTT STONESCOTT.STONE@ACTCPAS.COM

724.658.1565