Date post: 22-Jun-2020
Ransomware: An MNP Cyber Security Seminar
Presented by: Tom Beaupre, Cyber Security Lead PCI - Quebec
Date: November 17th, 2016

Page 2

• What is Cyber Security?
  – Threats, Vulnerabilities and Risk
• Ransomware
  – How to protect yourself and your organization
• MNP Cyber Security

Page 3

Cyber Security – Basic Concept

Cyber Security’s main purpose is to protect your information (Confidentiality), ensure that you can trust the information (Integrity), and protect your ability to use information to work, play, shop, travel, etc. (Availability).

Page 4

Threats, Vulnerabilities, and Risks

Individuals and Organizations implicitly or explicitly assess RISK when thinking of Cyber Security but do not realize the Threats and Vulnerabilities they face to their Assets (goods, information, money, etc.)

• Over-reliance on personal experience, i.e. compromise of credit cards, media reports
• Systems still operating, only happens to others, only complete outages are reported
• Checkbox - meet regulatory or compliance requirements (SOX, PCI, PIPEDA, SOC2, BASEL, etc.)

Page 5

Threat Communities – 89% of breaches are for financial gain or espionage

• Nation States: external, human with a high level of sophistication. They have access to significant resources and are funded by a nation state. Typically, these groups consist of an organized hacking group being hired by a nation state.
• Organized Hackers: external, human with a high level of sophistication. They have access to significant resources. For example, organized crime, hacktivist groups, etc.
• Non-Organized Hacker: external, individual person with a moderate level of sophistication. They have access to moderate resources.

Page 6

Threat Communities – cont’d

• Destructive Malware: internal, automated with a high degree of sophistication focused on destruction or denial of service.
• Employee: Technical: internal, human with a high degree of sophistication. They have access to moderate resources.
• Employee: Business: internal, human with a low degree of sophistication. They have access to minimal resources.
• Malicious former employee: external, human with a moderate level of sophistication. They have access to minimal resources.

Page 7

Vulnerabilities

Vulnerabilities are weaknesses in software that allow malicious software and individuals to perform unwanted actions

• The more programs and software you have installed on your laptop or phone, the more vulnerable you are – similar to the number of doors and windows in your home/office
• There are literally thousands of vulnerabilities for each type of device, operating system, application
• The more closed a system, generally the more secure (i.e. iOS, Linux)

Page 8

Vulnerabilities – Cont’d

Vulnerabilities are continually being discovered due to new functionality and are ranked by severity, ease of exploitation, and eventually corrected by vendors

• Some vulnerabilities can exist for several years before being detected; these are so-called ‘zero-day’ vulnerabilities
• Unfortunately, not all individuals and organizations apply the fixes
• Important to note that old vulnerabilities never die, although their exploitation may disappear from widespread use
  • Like old classics, their popularity can resurface

Page 9

Risks vary by industry

• Risk is the probability of a loss/attack/compromise and its impact to an asset
• Considerable amount of data exists on breaches, yet many organizations underestimate the level of risk they face because of the preponderance of breaches in the retail and financial sectors – assuming they are not a target

Page 10

Breach Statistics and Risks

• Statistics by Industry have been mapped into categories and Threat Scenarios
• Higher Risk Industries normally already have Cyber programs in place or have mandatory compliance

Page 11

Probability of a Breach over the next 24 months

Source: Ponemon Institute 2016 Report

Page 12

Cost of a Data Breach in Canada >$200 / record

• Tech Support, 10%
• Damaged Reputation, 29%
• Forensics, 12%
• Lost Productivity, 21%
• Lost Revenue, 19%
• Regulatory Compliance, 8%

Page 13

• What is Cyber Security?
  – Threats, Vulnerabilities and Risk
• Ransomware
  – How to protect yourself and your organization
• MNP Cyber Security

Page 14

Ransomware

* Graphic from Symantec

Page 15

* Graphic from Proofpoint

Page 16

Ransomware In Canada

• Ransomware Worldwide expected to reach $1B in 2016
• Montreal is in the top 3 cities in Canada for infections
• Multiple Payloads can be installed
  – Encryption
  – Key logging
  – Botnet
• Canadians are more likely to pay ransom
  – Less awareness of Ransomware
  – Greater propensity to trust
  – Limited support from Law Enforcement

Page 17

Ransomware – Threats / Vulnerabilities / Risks

• Threats
  – Predominantly organized “Spammers” and freelance hackers with a financial motive
  – Ransomware ‘kits’ can be purchased on the dark web for a few hundred dollars
• Vulnerabilities
  – ~85% of infections via emails predominantly from established Spammers
  – ~15% from web activity on malicious or infected sites
  – ~95% on Windows workstations
  – ~98% of Mobile infections on Android mobile platform
• Risks
  – Banking and other account numbers and passwords (Confidentiality)
  – Loss of changes since last backup (Integrity)
  – Total loss of data if no backups exist (Availability)
  – Payment of Ransom may not result in unlocking of documents (this one just hurts!)

Page 18

Email – How did Spammers obtain my address?

How do spammers obtain email addresses:

• Leaked account databases. E.g. Adobe, LinkedIn, eHarmony, Gawker, Last.fm, Yahoo!, Snapchat and Sony
• Guessing email format from other examples based on first and last name. E.g.
  [email protected]
  [email protected]
  [email protected]
• How to check if your email has been hacked
  • Have I Been Pwned? (haveibeenpwned.com)

[Diagram labels: TO: [email protected]; Outlook; Gmail, etc.; Where is mnp.ca?; mnp.ca = 162.249.91.252; Registry and Records; TO: tom.beaupre; Outlook; MS Exchange]

Page 19

Email – Is my email address compromised?

Page 20

• First step is the receipt of an email which is not blocked by either the ISP, email provider, or the Corporate Firewall / Spam filter
• Email may be generic or personalized
• Most successful large scale campaigns are targeted and coincide with events such as elections, natural disasters
• May also use a lure such as a special offer, discount, etc.
• For extra success, using the email address of a trusted colleague, superior

Page 21

• The attachment has a malicious payload or Web link
• ‘Enable Content’ results in Macros being executed which exploit vulnerabilities in Word, Excel

[Screenshot title bar: Malicious Document [Read-Only][Compatibility Mode] – Microsoft Word]

Page 22

• Macro downloads malicious code which contains Encryption software
• The software creates Encryption Keys which are sent back to a central Server
• Software begins to Encrypt either the Master Boot Record or will start to Encrypt individual files with all the common extensions (*.doc, *.xls, *.ppt, *.pdf)
• Once Encryption is complete the software will present a Ransom note with instructions for payment

Page 23

Encryption – Some Basics

• Encryption provides security by substituting and transposing information
• Substitution can be done at the character level using a similar technique to the Caesar Cipher
• Transposition will introduce randomness by re-organizing the location of the character
• Modern techniques are applied at the bit level, utilize several iterations and also ensure that no frequency analysis can be performed
• AES-128 uses 128 bit blocks and provides a work factor of several billion years to break

Caesar Cipher Example: BIRD = ZGPB

Transposition Example
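The slide's Caesar example (BIRD = ZGPB is every letter moved two places back) and a columnar transposition, as an added Python sketch that is not part of the original presentation. It shows why these character-level techniques fall to frequency analysis: both leave the letter counts intact, so the shift can be recovered from the ciphertext alone. Function names, the frequency table and the sample message (taken from the Page 22 wording) are choices made for this example.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
SLIDE_SHIFT = -2  # BIRD -> ZGPB on the slide: two places back in the alphabet

# Approximate letter frequencies in English text, in percent.
ENGLISH = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.1, "Z": 0.07,
}

# Sample plaintext for the demonstration (wording borrowed from the deck).
MESSAGE = ("ONCE ENCRYPTION IS COMPLETE THE SOFTWARE WILL PRESENT "
           "A RANSOM NOTE WITH INSTRUCTIONS FOR PAYMENT")


def caesar(text, shift):
    """Substitution: replace each letter by the one `shift` places away."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text.upper()
    )


def transpose(text, columns):
    """Transposition: write the text in rows of `columns`, read column by column."""
    return "".join(text[i::columns] for i in range(columns))


def untranspose(cipher, columns):
    """Invert transpose() by cutting the ciphertext back into its columns."""
    rows, extra = divmod(len(cipher), columns)
    cols, pos = [], 0
    for i in range(columns):
        size = rows + (1 if i < extra else 0)
        cols.append(cipher[pos:pos + size])
        pos += size
    return "".join(cols[i % columns][i // columns] for i in range(len(cipher)))


def letter_profile(text):
    """Letter counts sorted high to low: the shape frequency analysis looks at."""
    return sorted(Counter(c for c in text if c in ALPHABET).values(), reverse=True)


def recover_shift(ciphertext):
    """Try all 26 shifts and keep the one whose output looks most like English."""
    def score(shift):
        return sum(ENGLISH[c] for c in caesar(ciphertext, -shift) if c in ALPHABET)
    return max(range(26), key=score)


if __name__ == "__main__":
    secret = caesar(MESSAGE, SLIDE_SHIFT)
    print("BIRD ->", caesar("BIRD", SLIDE_SHIFT))
    print("ciphertext:", secret)
    print("profile unchanged:", letter_profile(secret) == letter_profile(MESSAGE))
    print("recovered shift:", recover_shift(secret), "(same as -2 modulo 26)")
    print("transposed:", transpose(MESSAGE, 5))
```

A modern block cipher such as AES mixes substitution and transposition at the bit level over many rounds, which is what removes the stable letter profile this code relies on.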

Page 24

• Depending on the Ransomware variant recovery may be possible:
  • Some require a reboot to fully activate
  • Some use common Encryption keys
• Technical Solutions can help:
  • Will scan the attached documents prior to forwarding
  • Will capture the keys before they are sent out
  • Will prevent the execution of any unknown code based on whitelisting
  • Will prevent the execution of code based on ‘heuristics’ and other behavior common to Ransomware
• Training and Awareness
  • Any spelling error, unusual request in email

Page 25

Web – How does a computer get infected?

• Web based attacks will either be initiated from an email with an embedded convenient link (URL) or direct access to a malicious or compromised Web site
• Compromised websites may appear normal
• Certain categories of Website are much riskier (gambling, etc.)
• Web attacks exploit vulnerabilities in your Browser such as JavaScript

Page 26

Web – Modern Webpage

• Most Websites are composed of information from multiple sources including other Websites
• Your Browser software interprets or processes the information (elements) and displays it
• A compromise of any of these sources can result in compromise of your workstation / laptop
• The infected workstation then either exploits a vulnerability directly or downloads other variants of malware which may or may not require user interaction

Page 27

Web – Is a Website Safe if it has the Lock?

• Valid Certificate
  • The lock appears when your Browser interprets the certificate as coming from a legitimate source and with a currently valid expiry date
  • A site with a lock can be assumed to be legitimate, but this does not guarantee it is safe
• Invalid Certificate
  • An internal site may not have a valid Security Certificate but most likely is safe
  • An external site should NOT be accessed if it has an invalid certificate

Page 28

Web – Is a Website Safe if it has the Lock?

• Training and Awareness
  • Always type the Web address directly in your Browser or carefully inspect the web address
  • Always use a Corporate VPN when working remotely or from home
  • Banking and other secure sites will always use https and a lock will appear
• Technical Solutions can help:
  • Will prevent malicious URLs from being reached
  • Will analyse and block traffic and files transferred to your Web browser

Page 29

Web – Is the web page compromised?

• If you’ve ever received a link that looks legitimate but that you’ve never accessed before, you should only access it from a trusted network such as your corporate network or from a protected workstation
• If you’re not sure, you can use a free service to analyse the link or a file
  • http://csi.websense.com/

Page 30

Ransomware Prevention Steps - Individuals

• Perform regular backups
  • Always test that backups are working by verifying their contents
  • Backup frequency should be driven by the amount of changes and cost to restore missing information
• Regularly update your software and install CRITICAL updates as soon as possible
  • This includes Windows, Android
  • Office products (Word, Excel)
  • Browser (Explorer, Chrome)
  • Adobe Acrobat Reader

Page 31

Ransomware Prevention Steps - Enterprise

• Restrict Network Drive access
  • Limit drives to only those with a business need
  • Limit access to Read only when possible
  • Monitor Drive utilisation and I/O activity - encryption is CPU intensive and will typically increase the size of the files
• Implement Technical Controls
  • At the perimeter
  • On the email server
  • On the web filter/proxy
  • On the endpoint
• Monitor all activity
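One way to turn "monitor drive and I/O activity" into a concrete check, as an added Python sketch that is not part of the original presentation. It flags an account that overwrites several of the document types named on Page 22 (*.doc, *.xls, *.ppt, *.pdf) with data that no longer carries the format's signature and looks random. The thresholds, the record layout and the sample share paths are assumptions made for this example.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict, deque

# Leading bytes expected for the document types the deck lists.
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Office compound-file signature
MAGIC = {"doc": OLE2, "xls": OLE2, "ppt": OLE2, "pdf": b"%PDF-"}

ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold, ciphertext sits near 8.0
BURST_LIMIT = 3      # assumed: suspicious writes by one account before alerting
WINDOW_SECONDS = 60  # assumed sliding window


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def expected_magic(path: str):
    """Signature for the first tracked extension in the file name, so a renamed
    'budget.xls.locked' is still checked as a spreadsheet."""
    base = re.split(r"[\\/]", path)[-1].lower()
    for part in base.split(".")[1:]:
        if part in MAGIC:
            return MAGIC[part]
    return None


def suspicious(path: str, head: bytes) -> bool:
    """True when a tracked document lost its format signature and its first
    bytes look random. Entropy alone is not enough: compressed PDFs are also
    high-entropy but keep their header."""
    magic = expected_magic(path)
    if magic is None:
        return False
    return not head.startswith(magic) and shannon_entropy(head) > ENTROPY_LIMIT


def detect_bursts(events, window=WINDOW_SECONDS, limit=BURST_LIMIT):
    """events: time-ordered (epoch_seconds, account, path, first_bytes) write records.
    Returns {account: [paths]} for accounts with >= limit suspicious writes in the window."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, account, path, head in events:
        if not suspicious(path, head):
            continue
        queue = recent[account]
        queue.append((ts, path))
        while ts - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= limit:
            hits = alerts.setdefault(account, [])
            hits.extend(p for _, p in queue if p not in hits)
    return alerts


def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]


# Constructed write records for a file share; accounts, paths and contents are invented.
PDF_OK = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100
DOC_OK = OLE2 + bytes(504) + b"Quarterly report draft. " * 150
SAMPLE_EVENTS = [
    (1000, "alice", r"\\fs01\finance\q3.pdf", PDF_OK),
    (1002, "alice", r"\\fs01\finance\scan.pdf", b"%PDF-1.7\n" + fake_ciphertext("stream")),
    (1005, "bob", r"\\fs01\hr\policy.doc", DOC_OK),
    (1010, "carol", r"\\fs01\sales\a.doc", fake_ciphertext("a")),
    (1012, "carol", r"\\fs01\sales\b.xls", fake_ciphertext("b")),
    (1015, "carol", r"\\fs01\sales\c.pdf", fake_ciphertext("c")),
    (1400, "bob", r"\\fs01\hr\d.ppt", fake_ciphertext("d")),
]

if __name__ == "__main__":
    for account, paths in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(paths)} documents overwritten with high-entropy data")
        for p in paths:
            print("   ", p)
```

An alert like this is a trigger for the isolation step on Page 34 (disconnect the workstation, then restore), and read-only shares shrink the set of files such a burst can reach.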

Page 32

Ransomware Prevention Steps – Enterprise Data Backup

• Small and Medium Businesses are the most vulnerable
• Downtime is extremely costly – much higher than the actual Ransom cost
• A small percentage cannot ever recover the missing information
• Insufficient testing of ability to recover from an incident

Page 33

Ransomware Prevention Steps – Enterprise Data Backup

• The 3-2-1 rule is a best practice for backup and recovery.
• The chances of having two failures of the same storage type are much higher than for two completely different types of storage. Therefore, if you have data stored on an internal hard drive, make sure you have a secondary storage type, such as external or removable storage, or the cloud. A local disaster could wipe out both of them. Keep a third copy in an offsite location, like the cloud.
• The 3-2-1 backup rule is a best practice because it ensures that you’ll have a copy of your data no matter what happens. Multiple copies prevent you from losing the only copy of your data. Multiple locations ensure that there is no single point of failure and that your data is safe from disasters such as fires and floods.
• RAID already includes a mechanism to recover for single/multiple drive failures and is usually blended with multiple physical locations to provide the 3-2-1 concept
• Cloud storage can be very expensive and require significantly more Internet bandwidth
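A check that combines the 3-2-1 rule above (three copies, two storage types, one offsite) with the Page 30 advice to test backups by verifying their contents, as an added Python sketch that is not part of the original presentation. A copy only counts toward 3-2-1 if every file in it still matches a SHA-256 manifest recorded when the data was known to be good. The class, the copy names and the file contents are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str     # storage type, e.g. "internal-disk", "external-disk", "cloud"
    offsite: bool
    files: dict    # relative path -> content bytes (stand-in for reading the copy)


def manifest(files: dict) -> dict:
    """SHA-256 digest per file; record this when the data is known to be good."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_copy(reference: dict, copy: BackupCopy) -> list:
    """Compare a copy against the reference manifest and list every discrepancy."""
    got = manifest(copy.files)
    problems = []
    for path, digest in sorted(reference.items()):
        if path not in got:
            problems.append(f"{copy.name}: missing {path}")
        elif got[path] != digest:
            problems.append(f"{copy.name}: content differs for {path}")
    return problems


def check_321(reference: dict, copies: list) -> dict:
    """Count only verified copies toward 3 copies / 2 storage types / 1 offsite."""
    problems, intact = [], []
    for copy in copies:
        found = verify_copy(reference, copy)
        problems.extend(found)
        if not found:
            intact.append(copy)
    media_types = {c.media for c in intact}
    offsite = [c for c in intact if c.offsite]
    return {
        "intact_copies": len(intact),
        "media_types": len(media_types),
        "offsite_copies": len(offsite),
        "compliant": len(intact) >= 3 and len(media_types) >= 2 and len(offsite) >= 1,
        "problems": problems,
    }


# Constructed sample data: two small files and three copies of them.
GOOD = {"ledger.xls": b"2016 Q3 ledger", "contract.pdf": b"%PDF-1.4 signed contract"}
REFERENCE = manifest(GOOD)


def sample_copies(cloud_files: dict) -> list:
    return [
        BackupCopy("workstation", "internal-disk", False, dict(GOOD)),
        BackupCopy("usb-drive", "external-disk", False, dict(GOOD)),
        BackupCopy("cloud-bucket", "cloud", True, cloud_files),
    ]


# The offsite copy holds an overwritten file, as it would after syncing encrypted data.
DAMAGED = sample_copies({"ledger.xls": GOOD["ledger.xls"],
                         "contract.pdf": b"\x8f\x02\xd1 unreadable"})
HEALTHY = sample_copies(dict(GOOD))

if __name__ == "__main__":
    for label, copies in (("damaged", DAMAGED), ("healthy", HEALTHY)):
        report = check_321(REFERENCE, copies)
        print(label, "->", "3-2-1 OK" if report["compliant"] else "3-2-1 NOT met")
        for line in report["problems"]:
            print("   ", line)
```

In the damaged case three copies exist on paper, but only two verify and neither is offsite, which is the gap an untested backup hides until a restore is needed.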

Page 34

How to Recover

• Isolate your Computer
  • Disconnect and/or disable Ethernet and Internet cables and disable Wi-Fi
  • Disconnect any USB drives or USB memory cards
  • Prevents the spread to additional drives
• Restore from backup
  • Ideally start with a clean system (Windows OS)
  • Reinstall only known software (Microsoft Office, anti-virus)
  • Run complete virus scan
  • Restore documents and other files from known good backup
• Change all passwords

Page 35

Should you pay the Ransom?

• Ransom payment is to be avoided
  • Further promotes criminal behavior and funding
  • To be used as a last resort
• Be Prepared to move quickly
  • Interac or Cash required to obtain Bitcoins
  • Some brokers and exchanges will limit how many Bitcoins can be purchased at any one time, making the accumulation of Bitcoins for larger ransoms (>$10K) difficult

Page 36

After an attack

• Training and Awareness
  • Yearly awareness on proper usage of workstations when travelling, or working at home
  • Email phishing campaign with employees
  • Hotline for reporting suspicious emails and activity on workstations
  • Provide information on what to do if suspected infection occurs (i.e. disconnect from network)
• Cybersecurity risk assessment (Grey Team)
• Data Backup and Recovery
• Defensive Controls (Blue Team)
  • Email
  • Web Access
• Penetration Testing (Red Team)

Page 37

Ransomware will continue to evolve

• Over the coming year it is expected that more malware variants will continue to be developed for other operating systems
  • MacOS
  • iOS
• Phishing will continue to be the preferred method of infection
• Integrity of data is expected to be a target in the future, making it much more difficult

* Graphic from Acronis

Page 38

• What is Cyber Security?
  – Threats, Vulnerabilities and Risk
• Ransomware
  – How to protect yourself and your organization
• MNP Cyber Security

Page 39

MNP Cyber Security Team

• Professionals across the Country offering services in English/French.
• Our team of Cybersecurity specialists hold extensive industry specific certifications including: CISSP, CISA, OSCP (Penetration testing), GPEN, CEH, Payment Card Industry (PCI QSA and PCI ASV), CCSK (Cloud Security), OpenFAIR (risk analysis), Critical Security Controls (CSC).
• Strong niche/vertical orientation – Public Companies, Municipalities, Public Safety, Health Services, Financial Services, Resource Sector, Education, Communications/Media, Retail, Public Sector, Real-estate, etc.
• We’re comfortable in every environment – IT Data Center, Administration, Executive Suite, Boardrooms.

Page 40

Cyber Security Services

Offensive Security (Red Team)
Our team uses Social Engineering techniques to look for vulnerabilities. They are seasoned professionals who typically discover vulnerabilities other organizations have overlooked.

Risk Assessment (Grey Team)
MNP provides a structured approach to the 20 Critical Security Controls framework to help you understand your business’ ‘Cyber Security Maturity’. The Executive Road Map will help guide allocation of resources and budget for CyberSecurity.

Defensive Security (Blue Team)
Our dedicated team will build appropriate risk controls through technology solutions and/or managed services

PCI (Black and White Team)
MNP has one of the largest QSA (Qualified Security Assessor) benches in Canada. PCI (Payment Card Industry) requires any organization that uses credit card information to be compliant.

Page 41

Page 42

Defensive Security Solutions (Blue Team)

Network / System / Connectivity

• Next Generation Firewalls
• Content Filtering
• SSL VPN
• Data Loss Prevention
• Web Application Firewalls
• Network Access Control
• EndPoint Protection
• Encryption
• Two-Factor Authentication
• Log Management
• Wireless Networking
• Acceleration
• Load Balancing

Page 43

Defensive Security - Managed Services (Blue Team)

Managed Security Services are an extension to your team, with dedicated CyberSecurity Admins & VCISOs, we know your network inside & out.

Complete Suite of Services
Preventative Cybersecurity
Detect and Respond to Cybersecurity Threats
Leverage 100% Canadian Security call centre in Ontario and Alberta

Page 44

Risk Assessment (Grey Team)

Page 45

PCI and Compliance (Black and White Team)

Page 46

Cyber Security Clients

• Communications
• Government & Municipalities
• Education
• Public Safety
• Health & Wellness
• Financial Services
• Legal
• Media & Retail
• Mining & Resources

Page 47

Accounting / Consulting / Tax (Green Team)

Page 48

Cyber Security Program Example

Source: UK Centre for the Protection of National Infrastructure

Page 49

Personal Cyber Security Check List - Bonus

• Strong password – use a minimum of 8 characters (uppercase, numbers, special characters), or better yet a long passphrase and multi-factor authentication
• Keep your systems updated with latest software (patched)
• Run Anti-Virus, Anti-Malware, Firewall, Website blocking/filtering
• Back Up your systems (local storage drive, cloud...)
• Have your computer or mobile set to auto time-out and lock
• Never click on something you don’t know (phishing attacks)
• Instead of clicking on links in emails, start from the web page (i.e. LinkedIn, Facebook, Bank page)
• Don’t add people to your profiles that you don’t know
• Sensitive browsing should only be done from a trusted device and Wi-Fi network
• Keep 2 credit cards – one for recurring payments only with trusted merchants, one for e-commerce

Page 50

Page 51

Contact Us:
Tel: 905.607.9777
Toll Free: 866.370.8575
Email: [email protected]
Website: www.nci.ca, www.mnp.ca

Danny Timmins
National Leader, CyberSecurity
DIRECT 905.607.9777 ext. 230
CELL 647.202.6243
[email protected]
95 Topflight Drive
Mississauga, ON L5S 1Y1

Tom Beaupre
Lead - Quebec, CyberSecurity
DIRECT 514.228.7844
CELL 514.451.0578
[email protected]
1155, boul. René-Lévesque O.
23e étage
Montréal, QC H3B 2K2

