Chris Benson CEO, AlwaysOnIT www.AlwaysOnIT.com IT Security Protections EVERY Business Must Have In Place

IT Security Protections · The #1 security threat to your systems that antivirus, firewalls, and other security protocols can't protect against. · Protections you can put in place


Today We’re Going To Cover

• ID Theft – How it happens and what to do about it.

• The #1 security threat to your systems that antivirus, firewalls, and other security protocols can’t protect against.

• Protections you can put in place that will greatly reduce the risk & impact of a cybersecurity incident.

• Why traditional firewalls and antivirus software aren’t enough anymore.

• How to make sure your staff don’t become complacent and unwittingly allow your agency to become a statistic.


The Evolution Of Crime


What is identity theft?

Identity theft:

• Someone steals personal information (could be yours, your employees’, your clients’)

• Uses it without permission

• Can damage your finances, credit history, and reputation


How does identity theft happen?

• Spam / Spear Phishing Scams

• Malware

• 3rd party leaks

• Supply-chain Attacks

• Honeypots


Data Breach Statistics - 2017

Source: https://breachlevelindex.com/


Nice little organization you have there, it’d be a shame if something happened to it…


Trouble Ahead…

• Send out spam emails

• Launch denial of service attacks (DDoS)

• Commit advertising fraud

• Host phishing websites

• Distribute malware, ransomware, or spyware

• Distribute pirated content

• Download & distribute undesirable content

Key Point: This is all being done on YOUR network! When the law comes looking, who will be on the hook?


Recent Examples – City Of Atlanta SamSam Malware

What Happened?

- Network was infected with SamSam malware.

- Unlike many ransomware variants that spread through phishing or online scams and require an individual to inadvertently run a malicious program on a PC (which can then start a chain reaction across a network), SamSam infiltrates by exploiting vulnerabilities or guessing weak passwords in a target's public-facing systems, and then uses mechanisms like the popular Mimikatz password discovery tool to start to gain control of a network.

- Attackers choose their targets carefully — often institutions like local governments, hospitals and health records firms, and universities that may prefer to pay the ransom than deal with the infections themselves and risk extended downtime. They set the ransoms — $50,000 in the case of Atlanta — at price points that are both potentially manageable for victim organizations and worthwhile for attackers.

- Estimated cleanup costs: $2.7 million – just for external consultants to come and assess damage, develop action plans, and review the city’s IT systems

Source: https://www.wired.com/story/atlanta-ransomware-samsam-will-strike-again/

Source: https://www.wsbtv.com/news/local/atlanta/ransomware-attack-cost-city-27-million-records-show/730813530


How did this happen? What could they have done to prevent it?

- An unpatched server caused this hack!

- The company was aware of the flaw 2 months before the hack, but never installed the patch.


Supply Chain Malware Attacks

In 2017 the popular system software CCleaner suffered a massive supply-chain malware attack. Hackers compromised the company's servers for more than a month and replaced the original version of CCleaner with a malicious one.

Between August and September, 2.3 million users were infected when they downloaded or updated the software.

The first sign of the attack came on March 11th – 5 months before the actual infected software was slipped in. Hackers used previously compromised credentials to access the user’s TeamViewer account and, once access was established, installed malicious software onto the initial machine.

Using that first machine & credentials, the attackers were able to piggy-back into a second computer and the attack went on from there.

The ‘trojan’ version of CCleaner was deployed on August 2nd, and not detected until September 13th. Within 3 days of notification, the FBI was able to shut down the attack.

Source: https://thehackernews.com/2018/04/ccleaner-malware-attack.html


Honeypot / Man-in-the-middle Attacks

Source: https://www.abc15.com/news/let-joe-know/alert-thieves-create-fake-hotel-wi-fi-hot-spots-to-steal-your-information

• Attacker sets up a wireless hotspot with a common name like ‘Hotel WiFi’

• Inexpensive ‘high gain’ antenna guarantees his signal is the strongest in the area

• Attacker creates a mirror image of the hotel’s own wifi login page

• Anyone who uses this ‘honeypot’ wifi connection will have all their internet traffic routed through the attacker’s computer

• Freely available software helps the attacker quickly ferret out usernames, passwords, or other sensitive data

• Security experts said in 2013 that 38% of all credit card fraud involved the hotel industry


What If I Get Breached?

Source: https://tax.thomsonreuters.com/blog/organizations/accounting-firms/your-firms-been-hacked-heres-what-to-do-immediately/

- Quickly determine if you must quarantine any or all of your PCs or other devices, and your network.

- Contact your legal department

- Evaluate what the scope of the breach is – what was accessed and when

- Notify staff that incident is confidential until communication plan is established

- Determine which clients have been impacted

- Contact your insurance company

- Create an incident report – this tells the story of who, what, when, etc

- Contact law enforcement (FBI, state / local criminal investigation units)

- Contact IRS criminal investigation unit

- Contact state regulatory authorities

- Develop plan for how you will notify your chain of command

- Ensure all staff are on the same script for any external client interactions

- Pick one person to be the external spokesperson for the firm


So, How Do I Protect Myself?

• IRS Publication 4557 – Safeguarding Taxpayer Data

• NIST SP 800-53 - Safeguarding Taxpayer Data - References To Applicable Standards & Best Practice

• NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations


Two Factor Authentication (2FA)

• Something the user knows (username, password, secret, PIN)

• Something the user has (security token, smart phone, security card / badge)

• A unique physical characteristic of the user (fingerprint, retina, voice)

• Improved security – much harder for attacker to gain unauthorized access, even if the user’s password is compromised.

• Makes life easier for users – passwords don’t need to be changed frequently. Your IT department will thank you too.


Acceptable Use Policy & User Training

• Written & communicated policies – are personal devices allowed on the network? Can I surf Facebook or Netflix from my work computer? Can my kids do their homework on my work computer?

• Phish testing – builds ‘top of mind’ awareness for information security. Also gives leadership true picture of security awareness of staff BEFORE a breach.

• No admin rights – leaders, I’m looking at you!

• It’s your organization – time = money.


Email Security

• Spam – annoying & time-wasting

• Phishing – dangerous & expensive

• Malware – ransomware, viruses, launch point for intrusions

• Archiving / Compliance – enforce company or regulatory policies

• Encryption – secure confidential information

• Business Continuity – protect against outages or data loss


Email Attachment Blocking

1. Why block attachments?

2. But what if I need to get a file of <some type that is blocked>?

3. It’s inconvenient to block all those attachments!

4. Which attachments should I block?

"ace", "ade", "adp", "ani", "app", "asp", "bas", "bat", "cer", "chm", "cmd", "com", "cpl", "crt", "csh", "der", "dll", "docm", "dos", "exe", "fxp", "gadget", "hlp", "hta", "inf", "ins", "iso", "lsp", "lts", "jar", "js", "jse", "ksh", "lnk", "mad", "maf", "mag", "mam", "maq", "mar", "mas", "mat", "mau", "mav", "maw", "mda", "mdb", "mde", "mdt", "mdw", "mdz", "msc", "msh", "msh1", "msh1xml", "msh2", "msh2xml", "mshxml", "msi", "msp", "mst", "obj", "ops", "os2", "pcd", "pif", "plg", "prf", "prg", "ps1", "ps1xml", "ps2", "ps2xml", "psc1", "psc2", "pst", "rar", "reg", "rtf", "scf", "scr", "sct", "shb", "shs", "tmp", "url", "vb", "vbe", "vbs", "vbmacros", "vsw", "w16", "ws", "wsc", "wsf", "wsh", "xnk"
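An added example (not part of the original presentation): a minimal Python check of a message's attachments against the extension list above, normalising case and trailing dots or spaces so names like 'Invoice.PDF.exe' or 'update.js.' are still caught. The addresses, file names and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension block list copied from the slide above.
BLOCKED = frozenset("""
ace ade adp ani app asp bas bat cer chm cmd com cpl crt csh der dll docm dos
exe fxp gadget hlp hta inf ins iso lsp lts jar js jse ksh lnk mad maf mag mam
maq mar mas mat mau mav maw mda mdb mde mdt mdw mdz msc msh msh1 msh1xml msh2
msh2xml mshxml msi msp mst obj ops os2 pcd pif plg prf prg ps1 ps1xml ps2
ps2xml psc1 psc2 pst rar reg rtf scf scr sct shb shs tmp url vb vbe vbs
vbmacros vsw w16 ws wsc wsf wsh xnk
""".split())


def blocked_extension(filename):
    """Return the blocked final extension of filename, or None if allowed."""
    # Windows ignores trailing dots and spaces, so strip them before looking
    # at the last extension; compare case-insensitively.
    name = filename.strip().rstrip(". ").lower()
    ext = name.rpartition(".")[2] if "." in name else ""
    return ext if ext in BLOCKED else None


def scan_message(raw_bytes):
    """Return [(filename, extension)] for every MIME part that should be blocked."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also reaches inline and nested parts
        filename = part.get_filename()  # decodes RFC 2231 encoded names
        if filename:
            ext = blocked_extension(filename)
            if ext:
                hits.append((filename, ext))
    return hits


def sample_message():
    """Constructed test message, not real mail."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for name in ("invoice.pdf", "Invoice.PDF.exe", "macro-report.DOCM", "update.js."):
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, ext in scan_message(sample_message()):
        print(f"BLOCK {filename!r} (.{ext})")
```

A filename check alone does not catch a blocked file type that has been renamed or placed inside an allowed archive, so it works alongside content scanning rather than replacing it.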


Business Continuity / Backups

• Keep 3 copies of any data you want to keep – the original, an onsite copy, and a copy offsite

• Determine your Recovery Time Objective & Recovery Point Objectives

• Avoid consumer-grade backup services – you get what you pay for

• Have a written business continuity plan, and test it before you need it

• RAID is not a backup!


DNS Filtering & Protection


Intelligent Firewall (Security Appliance)

• Active Protection – antivirus / anti-malware, intrusion protection / detection

• Content Filtering – monitor and/or enforce company acceptable use policies

• SSL decryption & inspection – About 50% of internet traffic is encrypted (source: EFF.org report Feb 2017)

• Secure Remote Access – mobile workers & telecommuters

• Bandwidth management – ensure VOIP phone quality, prevent bandwidth hogs

• Visualization & Reporting – proactively identify anomalies


Desktop & Server Malware Protection


Identifying Malware Behavior


Desktop & Server Malware Protection

• Signature-based protection is not enough

• Behavior-based technology is advancing

• Consider application whitelisting – security vs. convenience trade-offs

• Ransomware-aware – can undo damage done by malware

• Website browsing protection

• Keep software patched and updated!


What Else Can You Do?

• Never open an email attachment or link unless you are expecting it.

• Do not use hotel or free WiFi unless connected to a VPN. Use a ‘hotspot’ from your cellular provider instead.

• Be proactive – if you see something that looks odd or unusual, don’t assume ‘it’s probably nothing’.

• Be wary of connecting any network-capable device to your network (e.g. wireless devices, Amazon / Google devices, NAS storage devices).

• Encrypt laptops and mobile devices to reduce the impact of a lost or stolen device.

• Carefully inspect links in email or Google searches to avoid ‘poisoned’ links.


Tips For Protecting Your Finances:

• Sign up for e-mail or text alerts from your bank whenever a withdrawal or charge happens.

• Be aware that debit cards may not offer the same fraud protection as a credit card.

• Have a dedicated PC for online banking and DON’T use that PC for accessing any other web sites, e-mail access, social media sites or for downloading files and applications.

• Require YOUR signature for any wire transfers.

• Have your money spread out in multiple accounts to minimize the risk.


Thank You!

https://www.alwaysonit.com

503-601-4335


Download a copy of this presentation here: https://www.alwaysonit.com/presentation