
Post on 12-Oct-2020


IT SECURITY UPDATE

2019

November 6, 2019

Presented by Benjamin Ellis & Scott Stone

1

IT SECURITY UPDATE

2019

From the IT consultants:

o Passwords / Two-Factor Authentication

o Firewalling

o Ransomware / Malware

o USB / Flash Drives

o Portal / File Transfer Services

o Physical Loss of a Cell Phone or Laptop

o Phishing

2

BREACHED RECORDS – FIRST ½ OF 2015

BREACHED RECORDS – FIRST ½ OF 2016

BREACHED RECORDS – FIRST ½ OF 2017

BREACHED RECORDS – FIRST ½ OF 2018

2017 BREACHES BY INDUSTRY

2018 BREACHES BY INDUSTRY

BREACH INCIDENTS BY TYPE – 2017

9

BREACH INCIDENTS BY TYPE – 2018

10

BREACH INCIDENTS BY SOURCE – 2017

11

BREACH INCIDENTS BY SOURCE – 2018

12

This happens everywhere, right?

2017

13

This happens everywhere, right?

2018

14

IT SECURITY BASICS

• Centralized antivirus on every workstation with active IT notification

• Patch management for every PC and server, both Microsoft and third party

• Firewall protection with an up-to-date product

• Good password hygiene

• Solid backups including cloud or off-site storage

15

2019 Data not available

2019

16

2019 Data Breaches

• Fortnite (Epic Games) – 200 million users

• Oklahoma Department of Securities – decade of data lost

• Collection #1 – 770 million unique email addresses and 21 million unique passwords

• Elasticsearch Cloud Storage – 108 million records

• Verifications.io – 982 million records

• Facebook – 540 million records

• First American Corp. – 885 million records

• Canva – 139 million records

• Flipboard – 145 million records

• Capital One – 80,000 bank account #’s, 140,000 SSN#’s, 1 million Canadian social insurance #’s and millions of credit card applications.

• Pitney Bowes – malware incident

2019 Data Breaches

• Blur

• Town of Salem Video Game

• DiscountMugs.com

• BenefitMall

• OXO

• Managed Health Services (MHS) of Indiana

• BlackRock Inc.

• Graeters Ice Cream

• Online Betting Sites

• Ascension

• Alaska Dept. of Health & Social Services (DHSS)

• Rubrik

• Critical Care, Pulmonary & Sleep Associates(CCPSA)

• Houzz

• Catawba Valley Medical Center

• Huddle House

• EyeSouth Partners

• Dunkin’ Donuts

• Coffee Meets Bagel

• 500px

• North Country Business Products

• Advent Health

• Coinmama

• UW Medicine

• Uconn Health

• Dow Jones

• Rush University Medical Center

• Health Alliance Plan

• Pasquotank-Camden Emergency Medical Services

• Spectrum Health Lakeland

• Rutland Regional Medical Center

• Zoll Medical

• MyPillow & Amerisleep

• Oregon Dept. of Human Services (DHS)

• Federal Emergency Management Agency (FEMA)

• Family Locator

• Milestone Family Medicine

• Verity Health Systems

• Earl Enterprises

• Georgia Tech

• Baystate Health

• Prisma Health

• City of Tallahassee

• Microsoft Email Services

• Steps to Recovery

• EmCare

• Bodybuilding.com

• Atlanta Hawks

• Docker Hub

PHISHING ATTACKS

• Phishing uses social engineering, a technique where cyber attackers attempt to fool you into taking an action.

• These attacks often begin with a cyber criminal sending you an email pretending to be from someone or something you know or trust, such as a friend, your bank, or your favorite online store.

• These emails then entice you into taking an action, such as clicking on a link, opening an attachment, or responding to a message.

• Cyber criminals craft these emails to look convincing.

Still the largest threat IT currently deals with.

19

PHISHING / SPEAR PHISHING

• Was ransomware / cryptoware; now credentials and account access.

• Increase in the research people are doing prior to sending phishing emails.

• Reduction in the duplication or complexity of actual emails to avoid looking like spam.

• Targeted attachments and subjects based on job role.

• Email forwarding as part of the compromise.

NOTABLE ATTACK VECTORS – PHISHING EMAILS

PHISHING EXAMPLE

#1

22

PHISHING EXAMPLE

#2

23

NOTABLE ATTACK VECTORS – PHISHING EMAILS

NOTABLE ATTACK VECTORS – PHISHING LINKS

NOTABLE ATTACK VECTORS – PHISHING LINKS

Osmarecommerce.biz/invx/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-userid&userid=tadams@

26
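The link on the slide above is a good specimen for showing what "hover your mouse over the link to see the true destination" actually reveals. The following is an added example, not part of the original presentation: a small Python function that splits a URL the way a browser does and reports the host that would really be contacted, together with the cues a reader should notice (a sign-in page on an untrusted host, a query string dressed up to look like a webmail path, and an identity pre-filled in the query). The `trusted_hosts` parameter and the cue word lists are assumptions chosen for the demonstration, not an exhaustive rule set.

```python
from urllib.parse import urlsplit, parse_qsl

# The link exactly as it appears on the slide (no scheme there either).
SLIDE_LINK = ("Osmarecommerce.biz/invx/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418"
              "&fid.13InboxLight.aspxn.1774256418"
              "&fid.125289964252813InboxLight99642_Product-userid&userid=tadams@")

# Cue lists are assumptions for this example.
SIGNIN_WORDS = ("login", "signin", "sign-in", "verify", "account", "secure")
WEBMAIL_DECOYS = ("inbox", "outlook", "owa", ".aspx")
IDENTITY_KEYS = ("userid", "user", "email", "login", "username")


def inspect_link(url, trusted_hosts=()):
    """Return the host a browser would contact plus a list of warning cues."""
    if "://" not in url:
        url = "http://" + url          # browsers assume a scheme when one is missing
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # 1. Only the host name decides where the request goes; nothing after it does.
    if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
        findings.append(f"request goes to {host!r}, which is not a trusted domain")

    # 2. A credential prompt on an unrelated host is the classic phishing pattern.
    path = parts.path.lower()
    if any(word in path for word in SIGNIN_WORDS):
        findings.append(f"path {parts.path!r} looks like a sign-in page")

    # 3. Webmail-looking tokens after '?' are decoration meant to reassure the reader.
    query_lower = parts.query.lower()
    if any(decoy in query_lower for decoy in WEBMAIL_DECOYS):
        findings.append("query string imitates a webmail URL but does not change the destination")

    # 4. A pre-filled identity means the link was generated for one specific recipient.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in IDENTITY_KEYS or "@" in value:
            findings.append(f"query pre-fills a user identity in parameter {key!r}")
            break

    return {"host": host, "findings": findings}


if __name__ == "__main__":
    report = inspect_link(SLIDE_LINK, trusted_hosts=("outlook.com", "office.com"))
    print("destination host:", report["host"])
    for finding in report["findings"]:
        print(" -", finding)
```

The design point is the first check: everything the attacker wrote after the host (`login.php`, `InboxLight.aspx`, the long random-looking token) is there to look familiar, but the browser only uses `osmarecommerce.biz` to decide where the credentials are sent.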


32

Good Afternoon All,

This email comes as a warning regarding an email hack that we are experiencing. It has been brought to our attention that our CCO/CFO, Amy Smith, has had her email hacked. Steps are being taken right now to correct the situation.

Should you receive any correspondences from Amy Smith (AS@ABCWealthcom) requesting any kind of information—

DO NOT OPEN!

Either delete and/or call our office - ask to speak with either Amy or Bob Smith.

We apologize for any inconvenience and are working tirelessly to fix the problem.

Best,

Sue Jackson

Marketing Manager

ABC Wealth Management

33

34

PROTECTING YOURSELF

• Be suspicious of these three words: “Urgent”, “Payment”, “Request”.

• Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank, they will know your name.

• Be suspicious of grammar or spelling mistakes.

• Do not click on links.

• Hover your mouse over the link to see the true destination.

35

PROTECTING YOURSELF

• Be suspicious of attachments and only open those that you were expecting.

• Just because you got an email from your friend does not mean they sent it.

• Stay diligent.

• Not sure? Forward it to IT.

• Train yourself:

o https://www.phishingbox.com/phishing-test

o https://www.opendns.com/phishing-quiz/

36

PROTECTING YOURSELF

• Enable two-factor authentication – O365, Google Authenticator, Security Key, SMS.

• Train your employees and yourself – KnowBe4, Wombat, Sophos.

• Use a quality email provider – Office365, Gmail, ProtonMail.

PASSWORDS AND TWO-FACTOR AUTHENTICATION

Password Best Practices Review

01 Password Managers, Haystacking, Passphrases

02 Two-Factor – Types, Uses, Limitations, Benefits

38

PASSWORDS: PROTECTING YOURSELF

• Enable Two-Factor Authentication.

• Use a Password Manager such as LastPass.

• Do not reuse passwords for important sites.

39

PASSWORD MANAGERS

A password manager is a software application or hardware device that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database.

Examples:

o LastPass

o 1Password

o KeePass

o Lenovo Fingerprint Manager

o HP Protect Tools

40

EXCEL AS A PASSWORD MANAGER?

• Better than writing them down.

• Must set a strong master password.

• Be careful how you transfer it or store it.

• Backups are an issue.

41

PASSWORD HAYSTACKING

• Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers, and then symbols until the combination you chose is discovered.

• Example: LinkedIn4-=-=-=

• Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

42

PASSPHRASES

• Instead of a Password consider using a Passphrase.

• Examples:

o WinterisaSlipperyTimeofYear

o ItsAccrualWorld

o BeAuditYouCanBe

• Longer passwords are better passwords.

• Use a Password Manager to create long, secure, unique passwords so you do not need to remember every one.

43
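The haystack question on the previous slide and the passphrase examples above can both be worked through with the same arithmetic. What follows is an added example, not from the presentation or from the haystack idea's originator: a Python script that sizes the alphabet an exhaustive search must cover (a class counts once any of its characters appears; symbols are taken as the 32 printable ASCII punctuation marks plus the space, 33 in total) and sums the candidates for every length up to the password's length. The two slide candidates are `D0g` padded with 21 dots (24 characters) and the 23-character random string; the passphrase `WinterisaSlipperyTimeofYear` is included to show what a long letters-only string buys. The guess rate is an assumed figure, not a measurement.

```python
import string

# Character classes an exhaustive guesser has to cover once any member appears.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),      # 26
    "uppercase": set(string.ascii_uppercase),      # 26
    "digits":    set(string.digits),               # 10
    "symbols":   set(string.punctuation) | {" "},  # 32 punctuation marks + space = 33
}

# The two candidates from the slide and one of the passphrases.
SLIDE_PADDED = "D0g" + "." * 21          # 24 characters, all four classes present
SLIDE_RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"  # 23 characters, all four classes present
SLIDE_PASSPHRASE = "WinterisaSlipperyTimeofYear"  # 27 characters, letters only


def alphabet_size(password):
    """Size of the alphabet implied by the character classes the password uses."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """Candidates an exhaustive search covers for every length up to len(password)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second=100_000_000_000):
    """Worst-case time at an assumed offline guessing rate (1e11/s is a placeholder)."""
    return search_space(password) / guesses_per_second


def rank(*passwords):
    """Order passwords by search space, largest first."""
    return sorted(passwords, key=search_space, reverse=True)


if __name__ == "__main__":
    for pw in (SLIDE_PADDED, SLIDE_RANDOM, SLIDE_PASSPHRASE):
        print(f"{pw:30} alphabet={alphabet_size(pw):3} length={len(pw):2} "
              f"search space={search_space(pw):.3e} "
              f"worst case={seconds_to_exhaust(pw) / (365 * 86400):.3e} years")
```

The padded password wins on this measure purely because it is one character longer at the same alphabet size, which is the slide's point: length dominates. The caveat a practitioner should add is that the model only describes exhaustive search; real cracking tools try dictionary words and common padding patterns first, so a padding scheme that becomes popular stops being a haystack, and a manager-generated unique password (the slide's own recommendation) stays strong regardless of what patterns are fashionable.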

WAYS TO STAY SAFE – PASSWORDS

• Don’t reuse passwords.

• Don’t type your password into a public use machine.

o If you do have to – change it ASAP.

• Use a machine other than your kid’s gaming machine to check mail or log into Firm resources.

• Use a Password Manager.

• Use Password Haystacking.

• Use Passphrases instead of Passwords.

• If you hear about a breach – change your password.

• Be careful about typing passwords where people can see you type them in.

• Upgrade your operating system and keep it updated.

44

TWO-FACTOR AUTHENTICATION / BIOMETRICS

• Two-Factor Authentication, aka 2FA or Multifactor Authentication

• Examples:

o PIN texted to your cell

o Google Authenticator

o RSA SecurID

o Mobile App Authentication

• Biometrics

o Fingerprint Scanner (Laptop, iPhone, etc.)

o Retinal Scanner

o Hand geometry

o Facial Recognition

45

TWO-FACTOR AUTHENTICATION / BIOMETRICS

Two-Factor Authentication means:

Something You Know (Password)

+

Something You Have (RFID Badge, SMS Message, Time-Based One-Time Password, Hardware Key – U2F)

OR

Something You Are (Fingerprint, Retinal Scan, Palm Scanner, Facial Recognition, Voice Recognition)

46

SOMETHING YOU HAVE – PROS AND CONS:

• RFID Badge – Good, because they are hard to spoof, but they require a reader and they can be lost or stolen.

• SMS Message – Fair and convenient, but is more and more frequently attacked, as SMS is not secure.

• Time-Based One-Time Password – Excellent – fairly convenient and difficult to spoof. Becoming ubiquitous. Manageable from IT.

• Hardware Key – U2F – Good – very hard to spoof, but you have to have it with you and registered to the sites you use; can also be lost or stolen.

47
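The Time-Based One-Time Password item above is the mechanism behind Google Authenticator and most mobile authenticator apps, and it is worth seeing why it is "difficult to spoof": the code is an HMAC over a shared secret and the current 30-second time step, so an attacker who sees one code learns nothing usable a minute later. As an added example (not from the presentation), here is the RFC 4226 / RFC 6238 algorithm in Python, with a verifier that tolerates one step of clock skew and compares codes in constant time. It uses the RFC 6238 test secret so the output can be checked against the published vectors; a real enrolment generates a random per-user secret and shares it once via the QR code.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Verifier side: accept the current step and +/- `window` neighbours to absorb
    clock skew, and compare in constant time so timing does not leak matching digits."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# RFC 6238 Appendix B test secret, ASCII "12345678901234567890". Never reuse a
# published secret in a real deployment; each user gets a fresh random one.
RFC_TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    print("verifies now:", verify_totp(RFC_TEST_SECRET, code, now))
    print("verifies two minutes later:", verify_totp(RFC_TEST_SECRET, code, now + 120))
```

Two operational notes follow from the code: the shared secret is the only thing worth stealing (which is why the "Manageable from IT" point matters, since an administrator can revoke and re-enrol it), and the acceptance window should stay small, because every extra step widens the interval in which a code captured by a phishing page can still be replayed.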

WHAT ABOUT SECURITY QUESTIONS?

Such as:

o Mother’s maiden name

o City you were born in

o Street you grew up on

o Best friend’s name

o Father’s middle name

Terrible – Answers available on Social Media

48

PATCHING

What is patching?

Why is it important?

What do I need to do?

49

PATCHING

FIREWALLING – WORK, HOME, AND THE ROAD

At Work:

o Unified Threat Management Firewalls at every location.

o Laptops and Desktops have the Windows Firewall turned on.

At Home:

o Do you run a firewall at home or just the cable modem?

o Have you updated your firewall firmware / software in the last 6 months? The American Consumer Institute says 5 out of 6 firewalls are vulnerable to an active exploit.

On the Road:

o Avoid open Wi-Fi if possible.

o Use a VPN if you do have to use open Wi-Fi.

51

IOT IN THE NEWS

Mirai

• First found in August 2016.

• Primarily targets online consumer devices such as IP cameras and home routers.

• Used common factory default usernames and passwords to infect hosts.

• October 2016 – multiple major DDoS attacks on the DNS provider Dyn affected:

o Amazon

o Twitter

o Reddit

o Netflix

o Airbnb

• Dyn estimates 100,000 IOT devices were involved in the DDoS attack.

• Mirai source code was released on the internet for others to use.

• March of 2017 – a Mirai variant used 9,700 devices to take a US college offline for 54 hours.

52

IOT IN THE NEWS

Mirai – Follow-up

• Turned out to be three 21-year-old students that authored the malware.

• It was written to take down competing Minecraft servers.

• They released the Mirai source code on the internet in Sept 2016 for others to copy in an attempt to hide themselves among the many people using Mirai.

• They had all their Bitcoin confiscated (millions of dollars worth).

• Sentenced to 5 years probation, $127,000 in restitution and 2,500 hours of community service (meaning time working directly with the FBI).

• Mirai variants have been used to take all levels of businesses (from colleges to hospitals to financial services) offline for hours.

53

IOT IN THE NEWS

Reaper / IOTroop

• As of 10/26 – estimated 3.5 million devices and could be capable of growing by nearly 85,000 devices per day.

• What could it do?

o DDoS Attacks – Internet Crippling Attacks

o Spam relays (each bot could send 250 emails a day)

o Digital currency mining (increasingly unlikely, though)

o Tor-like anonymous proxies, which can be rented

o Crypto ransom

o Clickjacking

o Ad fraud

o Fake ad, SEO Injection

o Fake AV fraud

o Malware hosting

54

IOT TAKEAWAYS

• IOT has been in business for years:

o Copiers / Printers

o VOIP Phones

o Cloud Configured Wireless Devices

o Security Systems / Cameras

• Be careful what you connect to the Internet – Ask IT.

• Look for the manufacturer to update the device.

• Cheap and easy to set up is probably not secure.

• IOT devices are computers and they need to be patched.

55

Bayer, Merck, Heritage Valley Health, FedEx, Dept. Homeland Security, Nissan, Hitachi, UK National Health Service, TNT Express, Hancock Health, Honda

Government Agencies

Worldwide Banks

Hospitals

Manufacturing

Telecom

55% admit to having been a victim

56

RANSOMWARE

57

RANSOMWARE

58

RANSOMWARE

• 20% of phishing emails we see lead to ransomware; 60% to credential theft.

• Ransomware attacks are on the rise again.

• The FBI estimates cyber criminals made over $5 billion in 2017.

• We have consulted on ransomware infections for organizations from large hospitals to home businesses.

• The only options are to pay or restore from backups.

• Ransomware always results in downtime and lost productivity.

59

RANSOMWARE

Currently Ransomware commonly comes disguised as:

o Email File Attachments

o Invoice.doc or Invoice.zip

o Fax.doc or Fax.zip

o Voicemail.wav or Voicemail.zip

o IRS Notice.zip

Download links:

o UPS / FEDEX / USPS notifications

o Client files to Box, Dropbox, Google Drive, OneDrive

o Tax documents / Wells Fargo Documents

60

RANSOMWARE

• Most people reuse the same passwords over and over.

• Most people use 1 or 2 email addresses for all correspondence.

COMBINED WITH

• Hacked databases providing email / password combinations:

o Yahoo – 10 Million accounts (2012)

o LinkedIn – 117 Million accounts (2012)

o Myspace – 427 Million accounts (2006)

These are old databases. Why release old sets?

⦁ YAHOO MAIL = 500 million accounts (Sept 2016)

⦁ OOPS! YAHOO = 3 BILLION accounts

Every single customer account – email, Tumblr, Fantasy, and Flickr

61

PASSWORD / PIN REUSE

EMAIL ADDRESS SPOOF

Passwords are legitimate and used from Yahoo email breach

62
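The two slides above describe the mechanics of credential stuffing from the defender's side: a reused password plus one leaked email/password pair is enough to log in elsewhere. The following is an added example, not part of the presentation, showing the two checks a practitioner can run against their own saved credentials: grouping sites that share a password, and testing a password against a breach corpus without ever sending the password or its full hash anywhere. The breach lookup imitates the k-anonymity range protocol used by the public Pwned Passwords service (only the first five hex characters of the SHA-1 are sent, the suffix comparison happens locally), but the corpus here is a small constructed list served from memory, so the script runs offline. The sample vault is likewise constructed.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range protocol works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: a few generic weak passwords, not taken
# from any specific dump. Indexed as 5-hex-char prefix -> list of 35-char suffixes,
# which is the shape the Pwned Passwords range API returns.
_CONSTRUCTED_DUMP = ["password", "123456", "qwerty", "letmein", "Winter2019!"]


def build_range_index(passwords):
    index = defaultdict(list)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].append(digest[5:])
    return index


BREACH_INDEX = build_range_index(_CONSTRUCTED_DUMP)


def range_query(prefix):
    """Stands in for the remote call GET /range/<prefix>. The server only ever sees
    the five-character prefix, never the full hash and never the password."""
    return BREACH_INDEX.get(prefix.upper(), [])


def is_breached(password):
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])   # suffix match is done locally


def find_reused(credentials):
    """Groups of sites that share one password. Works on hashes so no plaintext is kept."""
    by_hash = defaultdict(list)
    for site, password in credentials:
        by_hash[sha1_hex(password)].append(site)
    return sorted(sites for sites in by_hash.values() if len(sites) > 1)


def audit(credentials):
    """Per-site report: is the password reused elsewhere, and does it appear in a dump?"""
    reused_sites = {site for group in find_reused(credentials) for site in group}
    return {site: {"reused": site in reused_sites, "breached": is_breached(pw)}
            for site, pw in credentials}


# Constructed sample vault (site, password).
SAMPLE_VAULT = [
    ("bank", "Winter2019!"),
    ("webmail", "Winter2019!"),
    ("forum", "correct horse battery staple"),
]


if __name__ == "__main__":
    for site, result in audit(SAMPLE_VAULT).items():
        print(f"{site:8} reused={result['reused']!s:5} breached={result['breached']}")
```

The reuse check is the one that matters for the slide's point: the bank and webmail entries share a password, so whichever of the two leaks first hands the attacker the other, and the webmail account is the one that resets every other password. Run against a real vault export, the same two functions tell you which entries to rotate first.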

NOTABLE ATTACK VECTORS

USB/EXTERNAL DEVICES

PORTALS AND FILE TRANSFER SERVICES

• Common Services

o Dropbox

o OneDrive

o Google Drive

o LeapFile

o ShareFile

• What are the risks?

64

MOBILE DEVICES – BEST PRACTICES

• Keep it updated (iOS / Nexus).

• Use a strong Pin / Passcode.

• Be careful of the apps you install.

• Enable encryption.

• Dispose of old devices properly.

• Be cautious of what you plug it into to charge.

• Do not open attachments you do not need to read on your phone.

65

THINK LOW-TECH: 27% OF BREACH INCIDENTS WERE RELATED TO PAPER!

• Shredding

• Printing and Faxing

• Copies sitting out

• Secure Print & eFax

• Electronic Device Memory (copiers)

66

PHYSICAL LOSS OF PAPER!

67

QUESTIONS?

BENJAMIN ELLIS

BENJAMIN.ELLIS@ACTCPAS.COM

304.346.0441

SCOTT STONE

SCOTT.STONE@ACTCPAS.COM

724.658.1565