10/30/2017
1
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©CliftonLarsonAllen LLP
How Cybercrime Affects Schools
2017 MASBO Fall Conference
Introduction
I am going to share with you:
1. Who am I
2. Current state of cybercrime
3. Social Engineering
4. How cybercrime is affecting our schools
5. How schools can protect themselves
Who am I
David Anderson
• MN Farm kid turned hacker
• Worked in IT/IT Security 9+ years
• Yes, I am older than 18
Current State of Cybercrime
What are the bad guys up to?
Current State of Cybercrime
• All about the Benjamins
– Theft of personally identifiable information (PII)
– Payment fraud
– Ransomware
• Many attacks are perpetrated by organized crime
Organized Crime
• Hacking is run like a business where people specialize in different areas
– Writing malware
– Renting botnets
– Stealing data
– Selling data (collect data from various sources/BIG DATA)
– Etc.
• Most attacks are completely automated
The Cost
Global cybercrime cost businesses up to:
$400 BILLION annually
Some estimate it will reach:
$2.1 TRILLION by 2019
Theft of PII
• Every organization stores information about their employees in electronic format
– Payroll/Tax/W2
◊ Name, Address, SSN, etc.
– Email address
• Some organizations store other sensitive data
– Credit card information
– Health information
Theft of PII
• All this information has value
– Submit fraudulent tax returns
– Submit fraudulent insurance claims
– Purchase items with stolen credit card information
– Use emails for phishing campaigns
• Attackers buy and sell data on the cyber black market
– Similar to amazon.com for stolen information
Theft of PII
• Children are 51x more likely to be affected
• A child’s PII is of higher value because
– It can be used with any name/DOB to create a fake ID
◊ Illegal immigration
◊ Financial fraud
◊ Circumvent bad credit (parents and siblings)
– The child won’t know until they become an adult
◊ No crime without a victim
Marketplace for Stolen Credit Cards
Payment Fraud
• Every organization interacts with their bank electronically
– Wire transfers
– ACH payment
– Online banking
• Corporate Account Take Over (CATO)
– Compromise accounts/credentials that can move money
Payment Fraud
• Can occur via technical means
– Attackers “hack” into finance computers
– Banking Trojans monitor online banking
– Create fake employees in payroll/ACH file
• Can occur via non-technical means
– Social engineering
– Coerce employee to send money
◊ E.g. fake CEO emails have cost businesses billions of dollars over the last 3 years
Ransomware
• Cryptolocker, Locky, WannaCry, etc.
• Encrypts all data and holds it for “ransom” for $$
– Data on local machine and on network
• Can affect non-Windows OS (e.g. Mac)
Ransomware
“Theresa and Billy Niedermayer paid an $800 ransom to get precious family photos of their three young boys back from cybercriminals.”
Social Engineering
I am a Nigerian Prince…
Social Engineering
• Employees are HIGHLY targeted with “social engineering”
• Every employee plays a role in securing the organization
• Employees become the first line of defense
Social Engineering
Trick the user into doing something that helps the attacker
• Visit malicious website
• Open malicious attachment
• Provide confidential info
• Allow access to building or systems
“Why break a window when you can get the user to open the door?”
Social Engineering
• [audio sample]
How Cybercrime is Affecting Our Schools
No one is immune…
Case Study #1
• Bloomington MN Public School
– Lost W2 info on all 1,800 employees
– Occurred February 2017
– How it happened:
◊ Email phishing scam
◊ Most likely a social engineering attack in which the attacker requested W2 information
Case Study #1
• This happened to several schools in 2017
– Dracut Schools
– Tipton County Schools
– Odessa School District
– Lexington School District Two
– Mercedes Independent School District
– Morton School District
– Davidson County Schools
Case Study #1
• Continued…
– Belton Independent School District
– Argyle School District
– Manatee County School District
– Corsicana Independent School District
– Mercer County Schools
– Bloomington Public Schools
– Black River Falls School District
Case Study #1
• Continued…
– Trenton R-9 School District
– Barron Area School District
– Mount Healthy City Schools
– Abernathy Independent School District
– Redmond School District
– Independence School District
– Yukon Public Schools
Case Study #1
• Continued…
– Groton Public Schools
– Tyler Independent School District
– Glastonbury Public Schools
– Ark City School District
– Ben Bolt Independent School District
– Powhatan County Public Schools
– Walton School District
Case Study #2
• Los Angeles Valley College
– Virus locked up files, email, voicemail, etc.
– Occurred December 2016
– Paid hackers $28K after ransomware outbreak
Case Study #3
• Spring Branch Independent School District (TX)
– Student “hacked” school and changed grades
– Occurred April 2017
– Student gained access to administrator password
Case Study #4
• Metropolitan State University (St. Paul)
– Website was hacked
– Found out only because the hacker bragged online
– Occurred January 2015
– Controls were not sufficient to detect or respond efficiently
◊ “spokeswoman said she did not know how far back in time the affected data goes”
How Schools Can Protect Themselves
What can be done about this?
Action Items
• User awareness training
– Help employees understand cyber risks that affect them
– Understand that IT will never ask for your password
– Train employees that it is OK to be skeptical about odd requests
– Train employees to perform call back verification
– Perform focused training for employees who have access to sensitive info (IT, HR, C-suite, etc.)
Action Items
• Harden email systems
– Many email phishing attacks take advantage of weak email settings
– Configure email system to block emails that spoof internal employees
– Tag external emails as “External” to help users recognize that the message did not originate internally
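As an added illustration of the two email controls above (example code, not from the presentation), a Python sketch of the decision an edge mail filter makes for each inbound message. It assumes the mail gateway has already written an Authentication-Results header carrying a DMARC verdict, and that school.example is the district’s own domain; the three sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "school.example"  # assumption: the district's own mail domain

def classify_message(raw, internal_domain=INTERNAL_DOMAIN):
    """Classify one inbound message the way an edge mail filter would.
    Returns (action, subject):
      'reject'  - From: claims an internal address but DMARC did not pass
                  (assumes the gateway wrote an Authentication-Results header)
      'tag'     - genuine external mail; the subject gets an [External] prefix
      'deliver' - authenticated internal mail, left untouched
    """
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()
    dmarc_pass = "dmarc=pass" in auth  # DMARC aligns the verdict with the From: domain
    if from_domain == internal_domain:
        return ("deliver" if dmarc_pass else "reject"), subject
    if not subject.startswith("[External]"):
        subject = "[External] " + subject
    return "tag", subject

# Constructed sample messages (not real mail): a W-2 request spoofing the
# superintendent, a genuine vendor message, and a genuine internal message.
SPOOFED = b"""From: Superintendent <superintendent@school.example>
To: payroll@school.example
Subject: Urgent: W-2 copies needed
Authentication-Results: mx.school.example; spf=fail; dmarc=fail header.from=school.example

Please send the W-2s for all staff as one PDF today.
"""
EXTERNAL = b"""From: Billing <billing@vendor.example>
To: finance@school.example
Subject: Invoice 1042
Authentication-Results: mx.school.example; spf=pass; dmarc=pass header.from=vendor.example

Attached is this month's invoice.
"""
INTERNAL = b"""From: principal@school.example
To: staff@school.example
Subject: Staff meeting
Authentication-Results: mx.school.example; spf=pass; dmarc=pass header.from=school.example

Thursday at 3 pm in the library.
"""
```

Run `classify_message(SPOOFED)` to see the W-2 request rejected, while the vendor invoice is delivered with an “[External]” subject prefix.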
Action Items
• Test backup systems
– Periodically test backup systems to ensure you can recover from ransomware
– Have IT perform a full, bare-metal recovery of main file share
– Have IT document how long it takes to recover various files or systems
Action Items
• Configure auditing/logging
– Ensure all systems are configured to log important information
– Successful logins are just as important to log as failed logins
– Retain logs for at least 1 year; longer is better
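An added example, not from the presentation, of why successful logins belong in the logs: a small Python correlation over constructed log lines that flags a successful login immediately following a run of failures from the same source, a pattern that is invisible if only failures are recorded. The log format, user names and addresses are made up.

```python
from collections import defaultdict

# Constructed sample log lines (not from a real system):
# timestamp, result, user, source IP
SAMPLE_LOG = """\
2017-10-30T08:01:10 FAIL    jsmith 203.0.113.5
2017-10-30T08:01:12 FAIL    jsmith 203.0.113.5
2017-10-30T08:01:14 FAIL    jsmith 203.0.113.5
2017-10-30T08:01:16 FAIL    jsmith 203.0.113.5
2017-10-30T08:01:18 FAIL    jsmith 203.0.113.5
2017-10-30T08:01:20 SUCCESS jsmith 203.0.113.5
2017-10-30T08:05:00 SUCCESS mlee   10.1.20.7
2017-10-30T08:07:30 FAIL    mlee   10.1.20.7
2017-10-30T08:07:35 SUCCESS mlee   10.1.20.7
"""

def parse_log(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append({"ts": ts, "ok": result == "SUCCESS", "user": user, "ip": ip})
    return events

def successes_after_failures(events, threshold=5):
    """Flag each (user, source) pair whose SUCCESS follows at least `threshold`
    consecutive failures from the same source. A log with only the failures
    cannot tell a guessing attack that worked from one that gave up."""
    streak = defaultdict(int)  # consecutive failures per (user, ip)
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["ok"]:
            if streak[key] >= threshold:
                alerts.append({"user": e["user"], "ip": e["ip"],
                               "failures": streak[key], "at": e["ts"]})
            streak[key] = 0
        else:
            streak[key] += 1
    return alerts
```

With the sample above, `successes_after_failures(parse_log(SAMPLE_LOG))` returns one alert for jsmith; mlee’s single typo followed by a login stays below the threshold.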
Action Items
• Audit systems for default/weak passwords
– Most systems have default passwords and they are all documented online
– Don’t overlook “simple” systems
◊ E.g. Printers, IP cameras, etc.
Questions?
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
CLAconnect.com
Thank you!
David Anderson
Manager, Information Security
612-376-4699
[email protected]