2015 FALL CONFERENCE & TRAINING SEMINAR
Cybersecurity From the Trenches: Best Practices
Rick Krepelka, Chief Operations Officer, Golden State Risk Management Authority
Chris George, CEO and Chief Architect, Protelligent, Inc.
Overview
• Review actual cyber security incidents experienced by a CA public risk pool
• Understand what was done to mitigate/avoid incidents in the future
• Hear expert advice regarding resources and solutions available to provide security and risk mitigation
• Learn what you can do now
Small Business Breaches
• Small businesses are making the leap to computerized systems and digital records, and have become attractive targets for hackers.
• VISA estimated nearly 90% of credit card data breaches reported in 2013 involved small business customers. 1
• In the 2015 report from Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, small organizations reported 694 security incidents, 83% with confirmed data loss (large organizations reported 50,081 incidents, ~1% with confirmed data loss).
• Verizon 2015 Data Breach Investigations Report – http://www.verizonenterprise.com/DBIR/2015/
www.protelligent.net
Small Business Breaches
• While large businesses can dedicate resources to cybersecurity, small businesses face the same cybersecurity challenges and threats with limited resources, capacity, and personnel.
• 44% of SMBs reported being the victims of a cyber-related attack, with an average cost of approximately $9,000 per reported attack.1
• Nearly 59% of SMBs do not have a contingency plan that outlines procedures for responding to and reporting data breaches.2
1. 2014 Small Business Technology Survey, National Small Business Association
2. www.staysafeonline.org
Risk: 3rd Party Partners
• Ever increasing dependency on integration and cooperation with 3rd-party partners
The Systema Incident
• About Chris Vickery
• How he got the data
• Notification from Systema and Vickery
• The incident plays out
Our Response
• Keep apprised of progress
• Notify cyber security insurer
• Reportable or not reportable?
• Systema's adjustments
Recent Third Party Related
• Target's big breach
• APTs (Advanced Persistent Threats)
Target’s Big Breach and APT
• Target's attackers had clearly read the APT playbook and followed its modus operandi step by step, the sequence also known as the "APT kill chain".
Risk: Crypto Virus
• Not positive where it came from – possibly a downloaded software demo or a website ad
• Detected when an internal user couldn't open a file
Our response
• Physically disconnected office from the Internet
• Physically disconnected server from network
• Identify infected workstation
• Verify no other devices infected
• Ignore ransom demand
• Restore from backup
• Educate internal users
Ransomware
• What is it?
– Malware that encrypts data on your computer and network drives (CryptoLocker, CryptoWall)
– Asks you to pay money ($200-$5000) to unlock the encryption and get your data back
• How do we get it?
– Malicious email that appears legitimate
• 23% of recipients open the message, 11% click on attachments1
– Compromised ads on popular websites (malvertising)
1. Verizon Communications' 2015 Data Breach Investigations Report
Ransomware
• Protecting ourselves
1. Reliable/tested file backups and restore
2. Educate staff about phishing and ransomware
• Be aware of email requests urgently asking you to take action
• Never give sensitive personal or financial information over email
• If an offer seems too good to be true, it likely is
• Recall whether you initiated an action that the email is asking you to take (like password resets, account updates, etc.)
• Only download software from known/trusted sites
• Don't open attachments in unsolicited email
• Use the same precautions on your mobile device as you would on your computer/laptop
• Employee Security Awareness Training and Education (SATE)
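The phishing cues in the bullets above (urgent calls to action, a "trusted resource" sender that is not who it claims to be, attachments in unsolicited mail) can be checked mechanically at the mail gateway or by a help-desk analyst. The script below is an added example, not code from the presentation or from Protelligent; the trusted-domain list, the urgency phrases, the dangerous-extension list and both sample messages are constructed assumptions for illustration, and it uses only the Python standard library.

```python
"""Triage an inbound e-mail for the phishing cues listed above (added example)."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed organisation/partner domains; the real list is whatever your gateway already trusts.
TRUSTED_DOMAINS = {"example.org", "sharefile.com"}

# Assumed "act now" phrases; tune from the lures your own staff actually receive.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (?:will be )?(?:suspended|locked)|"
    r"verify your (?:account|password)|action required)\b",
    re.IGNORECASE,
)
EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".hta", ".wsf", ".pif"}


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _is_trusted(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw: bytes) -> list[str]:
    """Return the phishing indicators found in a raw RFC 822 message (empty list = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()

    # 1. Display name borrows a trusted brand, but the address is somewhere else entirely.
    claimed = {d for d in TRUSTED_DOMAINS if d.split(".")[0] in display.lower()}
    if claimed and not _is_trusted(sender_domain):
        findings.append(f"display name impersonates {sorted(claimed)} but sender is {sender_domain}")

    # 2. Replies are silently routed to a different domain than the visible sender.
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # 3. Pressure to act immediately, in the subject or the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append(f"urgency cues: {hits}")

    # 4. Executable content, either attached directly or hidden inside a zip.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in EXEC_EXT:
            findings.append(f"executable attachment {name}")
        elif _ext(name) == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    bad = [n for n in zf.namelist() if _ext(n) in EXEC_EXT]
            except zipfile.BadZipFile:
                bad = []
            if bad:
                findings.append(f"archive {name} contains executables {bad}")
    return findings


def build_sample() -> bytes:
    """Constructed lure (not a real capture) that trips every check above."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Invoice_0815.pdf.exe", b"MZ not really a program")
    msg = EmailMessage()
    msg["From"] = "ShareFile Support <support@sharefile-secure-login.net>"
    msg["To"] = "staff@example.org"
    msg["Reply-To"] = "billing@mailer-relay.biz"
    msg["Subject"] = "Action required: your account will be suspended within 24 hours"
    msg.set_content("Please open the attached invoice immediately to keep your account.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_0815.zip")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary internal mail, for contrast: should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane@example.org>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Agenda for Thursday's board meeting"
    msg.set_content("Attached is the agenda. Let me know if anything is missing.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
    print("benign message findings:", triage(build_benign()))
```

None of these checks is proof on its own; the point is that the four cues the slide tells staff to watch for are also cheap to score automatically, so a message that trips several of them can be quarantined before a "complacent user" ever sees it.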
Ransomware
• Protecting ourselves
3. Plan for infection/containment/restoration
• Remove infected device from the network
• Secure wipe of the hard drive
• Clean installation of operating system and applications
• Restore of data sets
4. Endpoint protection
• Antivirus/HIPS
• Automated patching
• Strong passwords
• Pop-up blocker
• URL filtering
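The containment steps above (identify the infected workstation, verify no other devices are infected, then restore) start with a question the share server can answer: which user's files were encrypted? Files hit by a crypto virus keep their names but lose their normal file headers, and the CryptoWall family drops ransom-note files next to them. The scanner below is an added example, not code from the presentation or from Protelligent; the ransom-note names, the header table, the entropy threshold and the sample share it builds are constructed assumptions, and it uses only the Python standard library.

```python
"""Find ransomware damage on a file share and map it to the home folder it came from (added example)."""
import math
import os
import random
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional

# Note files dropped by the CryptoWall family; extend the list from your AV vendor's write-ups.
RANSOM_NOTES = {"HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG",
                "HELP_DECRYPT.URL", "DECRYPT_INSTRUCTION.TXT"}
# Leading bytes each type should start with; an encrypted file keeps its name but loses them.
MAGIC = {
    ".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".gif": b"GIF8",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}
TEXT_EXT = {".txt", ".csv", ".xml", ".html", ".ini", ".log"}
ENTROPY_LIMIT = 7.2  # bits per byte (assumed cut-off): text sits near 4-5, ciphertext near 8


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious(path: Path) -> Optional[str]:
    """Return why a file looks ransomware-touched, or None if it looks intact."""
    if path.name.upper() in RANSOM_NOTES:
        return "ransom note"
    ext = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if not head:
        return None  # empty file: nothing to judge
    magic = MAGIC.get(ext)
    if magic and not head.startswith(magic):
        return f"{ext} file without a {ext} header"
    if ext in TEXT_EXT:
        bits = entropy(head)
        if bits > ENTROPY_LIMIT:
            return f"{ext} file with entropy {bits:.2f} bits/byte"
    return None


def scan_share(root: Path) -> Dict[str, List[str]]:
    """Group suspicious files by top-level folder (one per user on a home share).

    The folder with the damage points at the workstation to pull off the network first;
    folders with nothing flagged are how you verify no other device is infected.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            why = suspicious(p)
            if why:
                rel = p.relative_to(root)
                hits[rel.parts[0]].append(f"{rel.as_posix()}: {why}")
    return dict(hits)


def build_sample_share() -> Path:
    """Constructed share: alice's files are intact, bob's were encrypted and got a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "alice" / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 100)
    (root / "alice" / "notes.txt").write_bytes(b"meeting notes: budget review on friday\n" * 20)
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    (root / "bob" / "report.docx").write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
    (root / "bob" / "notes.txt").write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
    (root / "bob" / "HELP_DECRYPT.TXT").write_text("Your files have been encrypted...")
    return root


if __name__ == "__main__":
    for owner, problems in scan_share(build_sample_share()).items():
        print(owner)
        for problem in problems:
            print("  ", problem)
```

Run it against the share read-only from a clean machine, not from a workstation that may itself be infected, and keep the output: it doubles as the inventory of what has to come back from backup.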
Risk: Complacent Users
• We share sensitive data with members and 3rd parties via ShareFile (Citrix)
• Our user downloads a file that contains an infected payload – even under strange circumstances
• Malware on the workstation begins relaying email
• Within a day, our domain is blacklisted
Our response
• Identify infected workstation
• Submit requests for removal from the blacklists
• Change all ShareFile and critical system passwords
• Educate internal users
Social Engineering
• The oldest tool is still one of the most effective
– "Watering hole"
– Malvertising
– 'Trusted resource' email, text, voice
– USB/SD cards and our Nation's Capital
– "-ishing"
• Phishing (random)
• Spear phishing (targeted)
• Vishing (phone call)
• Smishing (SMS text)
– Employee Security Education and Awareness Training (SATE)
Risk: ???
• PDA (mobile device) risks
• More than data -> control
• Highly targeted attacks
• Our members
Our response
• More internal training and updates
• More formalized risk assessment and response planning
• Store some sensitive data off network when practical
• Ask vendors about their security
• Revamp internal policies
Protection and Response
• Murphy's law – what can go wrong, will – so we need:
– Plans, procedures, and policies
• FEMA: Business Continuity and IT Disaster Recovery Planning – http://www.fema.gov/planning-templates
• FCC: SMB Security Planning Wizard – fcc.gov/cyberplanner
Host Intrusion Prevention Systems (HIPS)
• With IoT, cloud movements, etc., attacks focus more on direct application access instead of gaining endpoint control
• HIPS combines firewall, IDS, and anti-malware functions to monitor activity and behavior from the network layer up to the application layer
– McAfee HIPS
– Symantec Endpoint Protection
– Trend Micro Deep Security
Protection and Response
• Maintain relevant technology (from the perimeter to the endpoint)
– Internet/email URL/content filtering, intrusion/malware prevention and detection systems, email/wireless security
– Endpoint operating system and application patching and updating
– HIPS and application-aware defense at the endpoint device
– Encrypted backup and disaster recovery
Protection and Response
• Training and awareness
– Top-to-bottom employee security awareness training and education
– Subscribe to security notification services
• Insurance
• Consult an expert
– Routine security assessment/audit
– Enforce need-to-know; review employee/vendor access
– Annual reviews
– Outsourced Security Operations Center
Technology / Toolsets
• Layered security implementation
– Network border
• Firewall, VPN, and next-gen security (anti-X, IPS, URL filter)
– Domain/application security
• Active Directory Group Policy, mail security
– Computing device (server, laptop, mobile)
• HIPS, anti-X, automated patch management
– Staff member
• Education, policy/procedure
– Data sets
• Backup/DR and continuity planning
Technology / Toolsets
• Mobile security (iOS and Android)
– BYOD vs. organization-provided equipment
• Understand that organization data is sitting on BYODs
• Security process/procedure should extend equally to BYODs
– Password protect
– Remote wipe
• Find My iPhone, Android Device Manager, and 3rd-party solutions
– Anti-X/HIPS solutions
Password Management
• Password challenges
– More login-based websites/services than ever before
– The same username/password reused across many sites
• Best practices
– Password databases (password managers): centralized password management that enforces strong credentials unique to each site
Resources
• CERT: Protect Your Workplace campaign – us-cert.gov – https://www.us-cert.gov/mailing-lists-and-feeds
• Microsoft: Internet Safety Toolkit; Microsoft Technical Security Notifications
• FEMA: Business Continuity and IT Disaster Recovery Planning – fema.gov
• FCC: SMB Security Planning Wizard – fcc.gov/cyberplanner
• OnGuard Online: SMB Employee SATE – onguardonline.gov
• National Cyber Security Alliance: Online Safety – staysafeonline.org
What Can I Do Now?
• Get educated/alerted
– Sign up for email alerts (CERT, Microsoft, etc.)
– Send a staff member to a security seminar/webinar to stay up to speed on the changing security and threat landscape
• Start talking with your executive/management team
• Continually educate/update your staff on how to stay alert for potential threats
• Update your IT and business continuity plans to include security policy/procedures
• Enforce a strong password management policy in your organization
What Can I Do Now?
• Implement automated patch management
• Evaluate current backup strategy
– Is it stored offsite? Encrypted in flight and at rest? What media is used? What is the process/procedure for recovery?
• Evaluate current hardware and software technologies for outdated/unsupported products
• Evaluate and update policies/procedures
– IT plan, security plan, DR and business continuity
• Consult a reputable security services organization that can provide guidance, ongoing auditing, and reviews
• Consider using an outsourced SOC to manage and maintain your security practice
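The backup-strategy questions above end with the one that matters most after a crypto virus: what is the procedure for recovery, and has it been tested? "Reliable/tested backups" means actually restoring into scratch space and checking every file against a manifest written at backup time, with the manifest authenticated so that a backup tampered with after the fact (or re-encrypted alongside the live data) is rejected rather than trusted. The script below is an added example, not code from the presentation or from Protelligent; the manifest key, the archive layout and the small data set are constructed assumptions, and encryption of the archive itself is left to the backup tool or transport, which the script does not replace.

```python
"""Back up a data set with a signed manifest, then prove it restores cleanly (added example)."""
import hashlib
import hmac
import json
import tarfile
import tempfile
import zlib
from pathlib import Path

# Hypothetical key. Keep the real one with the backup operator, not on the backed-up host,
# so malware that encrypts the data set cannot also re-sign the manifest.
MANIFEST_KEY = b"backup-manifest-key-example"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _sign(files: dict) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Tar the data set and write <archive>.manifest.json: per-file SHA-256 plus an HMAC."""
    files = {p.relative_to(source).as_posix(): sha256_file(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest = {"files": files, "hmac": _sign(files)}
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_restore(archive: Path) -> list:
    """Restore into scratch space and compare every file with the signed manifest.

    Returns a list of problems; an empty list means the backup is usable.
    """
    try:
        manifest = json.loads(archive.with_suffix(".manifest.json").read_text())
    except (OSError, ValueError) as exc:
        return [f"manifest unreadable: {exc}"]
    if not hmac.compare_digest(manifest.get("hmac", ""), _sign(manifest.get("files", {}))):
        return ["manifest HMAC does not verify: treat the backup as tampered"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # rejects path traversal (3.12+ and backports)
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter= argument
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, digest in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo() -> dict:
    """Constructed data set: a clean backup, a tampered manifest and a damaged archive."""
    work = Path(tempfile.mkdtemp(prefix="bk_"))
    src = work / "data"
    (src / "policies").mkdir(parents=True)
    (src / "claims.csv").write_text("claim_id,member,amount\n1001,alice,250.00\n")
    (src / "policies" / "gl.txt").write_text("general liability schedule\n")
    archive = work / "dataset.tgz"
    make_backup(src, archive)
    results = {"clean": verify_restore(archive)}
    # Failure mode 1: the manifest is edited after the fact -> HMAC rejects it outright.
    mpath = archive.with_suffix(".manifest.json")
    tampered = json.loads(mpath.read_text())
    tampered["files"]["claims.csv"] = "0" * 64
    mpath.write_text(json.dumps(tampered))
    results["tampered"] = verify_restore(archive)
    # Failure mode 2: the archive itself is damaged (bad media, partial copy, overwritten).
    make_backup(src, archive)
    data = archive.read_bytes()
    archive.write_bytes(data[: len(data) // 2])
    results["truncated"] = verify_restore(archive)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'OK'}")
```

Schedule the verify step to run on a host other than the one that took the backup, and on the offsite copy too: a backup that has never been restored is a hope, not a plan.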
Christopher George – [email protected] – (855) PRO-TELL
California Office: 2100 Main Street, Suite 230, Irvine, CA 92614 – Phone: (949) 221-8900
Washington Office: 15407 East Mission Avenue, Suite 425, Spokane Valley, WA 99037 – Phone: (509) 378-3460
Q & A