In the Wild - Cybersecurity Seminar (2018-09-21)

WHAT’S GOING ON IN THE WORLD OF CYBERSECURITY, AND WHAT CAN YOU DO TO HELP PROTECT YOUR ORGANIZATION?

PRESENTED BY: JON WALDMAN, PARTNER – SBS – CISA, CRISC

©2018 SBS CyberSecurity, LLC https://www.sbscyber.com

Contact Information

• Jon Waldman
◦ Partner, EVP IS Consulting
◦ CISA, CRISC
◦ Master’s of Information Assurance, Dakota State University
◦ Mission: save the world!
◦ Phone: 605-380-8897
◦ [email protected]
◦ www.sbscyber.com

• SBS Institute
◦ [email protected]
◦ 605-269-0909

Follow Us:
• https://www.linkedin.com/company/sbs-cybersecurity
• https://sbscyber.com/join-our-mailing-list
• https://www.facebook.com/trustSBS/
• https://twitter.com/SBSCyber

Background

• Co-founder; 13 years consulting at SBS
• Experienced in Risk Management, ISP Development, and Auditing
• Helped to develop the SBS Institute and teaches certifications for CBSM, CBCM, CBSTP, and CBVM
• SBS has worked with over 1400 banks in 46 states, as well as Telcos, Rural Water Plants, Healthcare facilities, government agencies, and many others
• Alumni of Dakota State University
◦ NSA & DHS National Center of Excellence in Information Assurance
◦ One of the only universities focusing on community banking security

Our Experience

PROCESS:
• Information Security Program design and roll-out
• IT Risk Management
• Vendor Management
• Technology Selection
• Business Continuity/Disaster Recovery
• Incident Response
• Information Security Consulting
• IT Audit
◦ ISP Audit
◦ Controls Audit
◦ Wire Transfer Audit
◦ ACH Audit
◦ Internet Banking Audit

TECHNOLOGY:
• Network Security Assessment
• Penetration Testing
• Vulnerability Assessment
• System Configuration Assessment
• Acceptable Use Scanning

PEOPLE:
• Social Engineering
• Awareness Programs
• ISO Training
• CATO Training
• KnowBe4

• TRAC – Risk Mgmt. Suite
• Verify ACH Whitelisting
• Cyber-Risk
• Anti-Phishing

Agenda

• Today’s Top Cybersecurity Threats:
◦ Evolution of Cybercrime
◦ Cybercrime as a Service
◦ Dark Web
◦ How much information is out there about you?
◦ Privacy vs. Convenience

• Commercial Account Takeover
◦ What is CATO?
◦ What are the different types of CATO?

• Addressing Cybersecurity
◦ What does Blackhawk do to protect you?
◦ Top 10 Critical Security Controls for Small Businesses

THREATS
WHAT ARE THE NEW (AND OLD) WAYS BAD GUYS ARE GETTING OUR INFORMATION AND MONEY?

Today’s Cyber Crime

Re-define your Perimeter

(Diagram in the original deck, labels only: Internet, Customers, Third Parties, Business, Bank Physical, Network Perimeter Security. The point of the slide is that the bank’s perimeter no longer stops at its own firewall; customers and third parties are inside it.)

Equifax By The Numbers

• Sensitive data belonging to 145.5 million consumers was breached, including:
◦ Consumer Names
◦ Social Security Numbers
◦ Birthdates
◦ Addresses
◦ Driver’s License Numbers (in some cases)

• Additionally, the following information may have also been exposed:
◦ 209,000 credit cards
◦ 182,000 consumer dispute documents containing personal information

Equifax By The Numbers (continued)

• Announced the breach on September 7, 2017

• Equifax discovered the unauthorized access on July 29, 2017; the attackers had come in through a vulnerable public web application (an unpatched Apache Struts instance, CVE-2017-5638) roughly two months earlier
◦ The widely reported admin username and password of…. wait for it… “admin” and “admin” were on a separate Equifax employee portal in Argentina, not on the breached application
◦ Dates allegedly go back much further
◦ Final number will almost certainly be higher

• Did not notify individual customers; instead created a website – https://www.equifaxsecurity2017.com – for potential victims to check on their PII

How NOT to Handle a Breach

• Delay in notifying those with critical PII compromised (about six weeks between discovery and public disclosure)

• Not notifying customers personally

• Creating a phishy-looking website on a brand-new domain that looks nothing like equifax.com, and asking potential victims to enter confidential information the org already has… and has lost once already

• Offering all customers 12 months of free credit monitoring, which is the thing you sell in the first place, knowing that bad guys will sit on this information for much longer than that. Don’t use the massive breach you just caused as a marketing ploy

• Blaming a software provider for the whole thing, despite a patch for the vulnerability having been available for months (just not implemented on your network)

• Letting senior managers sell off stock a month before you go public with news that will surely cause your stock price to plummet

REALITY CHECK

• Since 2010, there have been nearly 2500 data breaches involving SSNs. Consider your personally identifiable information compromised and plan accordingly.

• Alternatives to Equifax’s “free” offer:
◦ Credit Karma - https://www.creditkarma.com
◦ Credit Sesame - https://www.creditsesame.com
◦ LifeLock - https://www.lifelock.com
◦ Credit Freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
(A freeze at all three bureaus is the one option that actually blocks new-account fraud; monitoring only tells you after the fact.)

• Vendor Management: if your institution has a direct relationship with Equifax, you’re going to want to file an Incident Report with your examiner. If not, there are no expectations of your institution to report.

• ALWAYS A GOOD IDEA: communicate what’s happening with your customers. Let them know you are a trusted source of help for all their financial needs.


What do you look like to a bad guy?

Hacking made easy…
• Default Passwords
◦ http://cirt.net/passwords
• Hacking Tools
◦ http://sectools.org/
• Hacking Toolkits
◦ http://www.kali.org/
• Caller ID Spoofing
◦ http://www.spooftel.com/freecall/
• Social Engineer Toolkit
◦ http://www.social-engineer.org

OSINT sources shown as screenshots in the original deck:
• OSINT Framework
• Hunter
• BuzzFile
• Enigma
• People Search

Have I been Pwned?
• https://haveibeenpwned.com/

The Darkweb
AN UNPRECEDENTED TOOL TO HIDE YOUR GEOGRAPHIC LOCATION ONLINE – USED BY CYBERCRIMINALS TO BUY AND SELL STOLEN DATA, NEFARIOUS SERVICES, AND HOST COMMAND AND CONTROL SERVERS


Usage

• Originally developed for military use (onion routing at the U.S. Naval Research Laboratory) to disguise the geographic location of communications
• Adapted for freedom of speech and circumvention of censorship
• Currently used heavily for nefarious activities – but still for those other things to a lesser extent


How Do We Fight Against This?

• FBI and NSA – running their own Tor nodes. A single entry (guard) node only reveals that a client is using Tor, not where its traffic goes; but when one operator controls enough nodes to sit at both the entry and the exit of a circuit, timing and volume correlation can link where the target is coming from with where it is going
• US Cyber Command – compromising Tor nodes specifically in Russia and China

Dark Web – No Google Search

Ransomware

A MUST READ: The Untold Story of NotPetya, the Most Devastating Cyberattack in History
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/


IoT Security Issues

• Transportation hacking
• Camera/DVR hacking
• Amazon Echo/Google Home hacking
• Smart TV hacking
• Botnets of hacked devices
• Finding vulnerable IoT devices on the Internet is child’s play:
◦ Insecam: http://www.insecam.org/
◦ Shodan: https://www.shodan.io/

Security vs. Convenience

Commercial Account Takeover (CATO)
WHAT IS CATO, AND WHAT DO YOU MEAN BAD GUYS ARE TARGETING SMALL BUSINESSES?

Commercial Account Takeover

“…around 85% of cyber attacks are now targeting small businesses.” - Howard Schmidt, former White House Cybersecurity Coordinator

“32 percent of respondents say their companies experienced a loss of more than $5,000 due to online banking fraud” – Ponemon Institute

The FDIC lists this as #1 on its top 5 fraud threats list and states that it is responsible for millions of dollars in losses, frayed business relationships, and litigation affecting both banks and commercial accounts.

How does Commercial Account Takeover Work?

CATO in the Real World

Company: Chelan County Public Hospital (2013)
Type of Attack: CATO
Loss: $1.03 Million
Outcome: Attackers accessed payroll accounts and transferred the money into 96 different bank accounts (through the use of money mules) across the Midwest and East Coast. Currently suing Bank of America.

Company: JT Alexander & Son (2014)
Type of Attack: CATO
Loss: $800,000
Outcome: Attackers were able to access the company’s commercial internet banking account at its bank and initiate additional payroll ACH transactions remotely. The attackers again sent these payroll transactions to money mules distributed throughout the Midwest and East Coast. Able to recover some of the funds. Currently suing Peoples Bank.

Newest forms of CATO

• Business Email Compromise
• Payroll takeover
• Extortion

FBI 2017 IC3 Report: BEC cost US businesses $675 Million

CEO Fraud/BEC Attacks
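The checks a mail gateway or a finance team’s mailbox rule can apply to flag CEO fraud of the kind the last two slides describe, as an added example (this is not code from the deck, from SBS or from any bank). The company domain, the executive directory, the urgency word list and both messages are constructed for illustration; the indicators it looks for are the classic ones: a trusted display name on an outside address, a one- or two-character lookalike domain, a Reply-To that diverts the conversation elsewhere, and urgency-plus-secrecy language around a payment.

```python
from __future__ import annotations

import email
import email.utils
from email import policy

# Assumptions for this example: the organisation's own mail domain and a
# small directory of executives whose names BEC actors like to impersonate.
COMPANY_DOMAIN = "example-bank.com"
EXECUTIVE_DIRECTORY = {
    "jane doe": "jane.doe@example-bank.com",
}
URGENCY_TERMS = ("urgent", "today", "immediately", "confidential", "wire", "gift card")

# Constructed sample messages (not real mail). The first is a CEO-fraud attempt:
# the display name matches the CEO, the domain is a one-letter lookalike and
# replies are redirected to a webmail address.
SUSPICIOUS_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-bamk.com>
Reply-To: jane.doe.ceo@webmail.example
To: controller@example-bank.com
Subject: Urgent wire needed today
Content-Type: text/plain; charset="utf-8"

I'm in meetings all day. Please process a wire of $48,500 to the new vendor
account below and keep this confidential until the deal closes.
"""

LEGITIMATE_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-bank.com>
To: controller@example-bank.com
Subject: Q3 board deck
Content-Type: text/plain; charset="utf-8"

Attached is the draft board deck for review before Friday.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def is_lookalike_domain(domain: str, trusted: str = COMPANY_DOMAIN, max_distance: int = 2) -> bool:
    domain, trusted = domain.lower(), trusted.lower()
    return domain != trusted and levenshtein(domain, trusted) <= max_distance


def analyze_message(raw: str) -> list[str]:
    """Return the BEC indicators found in the message headers and body."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []

    # 1. Known executive's name on an address that is not theirs.
    expected = EXECUTIVE_DIRECTORY.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        findings.append(f"display name '{display_name}' impersonates {expected} from {address}")

    # 2. Sender domain is a near-miss of our own domain.
    if is_lookalike_domain(sender_domain):
        findings.append(f"sender domain {sender_domain} is a lookalike of {COMPANY_DOMAIN}")

    # 3. Replies are steered to a different domain than the one that sent the mail.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = email.utils.parseaddr(reply_to)
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain and reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 4. Two or more pressure/payment words in subject plus body.
    text = (msg.get("Subject", "") + " " + msg.get_content()).lower()
    hits = sorted(term for term in URGENCY_TERMS if term in text)
    if len(hits) >= 2:
        findings.append("urgency/secrecy/payment language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, analyze_message(raw) or ["no indicators"])
```

None of these indicators is proof on its own; the value is in routing any message that trips two or more of them to a human who then confirms the payment request over a known phone number, never by replying to the mail.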

What is Blackhawk Bank doing to combat cyber threats?
HOW ARE WE PROTECTING OURSELVES AND OUR CUSTOMERS FROM TODAY’S EVOLVING THREATS?

External Penetration Testing

(Chart in the original deck: a “No” versus “Yes” comparison annotated “a little less this”, “a little more this” and “and this (they made me include this part)”.)

Phishing Email Testing

What does Blackhawk Bank do to prevent CATO?

• Business Banking Client Annual Reviews
• ACH Debit Block & Check Positive Pay Services
• Set and monitor ACH & Wire limits at least annually
• Transactional behavior risk management
• Multi-Factor Authentication for Business Banking customers (SMS; note that SMS codes can be intercepted through SIM-swap or number-porting fraud, so an authenticator app or hardware token is the stronger second factor where the platform supports it)
• Strong Passwords with periodic password changes
• Dual Control strongly suggested for Wires and ACH Origination
• Education on Corporate Account Takeover (website, webinars, etc.)
• Forge a strong relationship with you and your business; educate
• Happy to talk with you about how security controls work for businesses and what might be best for your business
• Encourage the use of a separate workstation or device for Internet Banking

So, what can YOU do about CATO?

• Build a relationship with your bank.
• Work with your bank regularly to establish normal patterns of transactions.
• Learn about threats such as Commercial Account Takeover. Share with your employees.
• Implement additional security controls within your business and on your network!

Small Business Information Security

• NISTIR 7621, “Small Business Information Security: The Fundamentals”, was released in October 2009 (Revision 1 followed in November 2016)
• Assists small business management in understanding how to provide basic security for their information, systems, and networks.
• Provides commercially reasonable security measures which will reduce the likelihood of a security incident.
• Three basic areas which may reduce likelihood:
◦ Absolutely Necessary (today’s focus)
◦ Highly Recommended
◦ Other Considerations
• http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

1) Malware - Viruses, Trojans, Spyware

• If your network is connected to the Internet, then you have risk from Malware (Malicious Software).

2) Hardware Firewall

• Most small businesses have a broadband (high speed) internet connection which is always “on”. This leaves the network susceptible to network attacks on a 24/7 basis.

3) Software Firewall

• In addition to hardware firewalls, software firewalls should be used on all workstations.
• Software firewalls protect workstations from each other, which is what limits the spread of malware once one machine is infected.
• Windows includes a built-in host firewall (Windows Defender Firewall); leave it enabled on every workstation.

4) Software Patching

• All operating systems, including Microsoft Windows, macOS, and every distribution of UNIX/Linux, have patches that need to be installed on a regular basis.
• Most software products require patches, including Microsoft Office, Adobe, Java, QuickTime, and Firefox.
• These patches fix compatibility issues and known security vulnerabilities; not applying them leaves you vulnerable.

5) Backup Data

• Backing up your data protects it from numerous threats:
◦ Ransomware
◦ Hackers destroying your computer
◦ Malware corrupting your data
◦ Fire and other natural disasters destroying your systems
◦ Many other threats

• Include all your critical data; back up often.
• Store a copy offsite, and keep at least one copy offline or otherwise immutable: ransomware encrypts every backup it can reach over the network.
• Test your backup process to know you can restore data.
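A restore drill that exercises the last bullet, as an added example (not code from the deck or from SBS). It records a SHA-256 manifest of the files at backup time, restores the backup into a fresh directory and compares every file against the manifest; it then overwrites one restored file in place, the way ransomware does, and shows that the comparison catches it. The file tree is constructed inside a temporary directory so the block runs offline; in practice the manifest is kept with the offline copy, not on the server being backed up.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> list[str]:
    """Compare a restored tree against the manifest taken at backup time.
    Returns a sorted list of problems; an empty list means the restore is faithful."""
    problems = []
    for rel_path, expected in manifest.items():
        candidate = restored_root / rel_path
        if not candidate.is_file():
            problems.append(f"missing: {rel_path}")
        elif sha256_of(candidate) != expected:
            problems.append(f"mismatch: {rel_path}")
    restored = build_manifest(restored_root)
    for rel_path in restored.keys() - manifest.keys():
        problems.append(f"unexpected: {rel_path}")
    return sorted(problems)


def simulate_backup_and_restore() -> tuple[list[str], list[str]]:
    """Constructed end-to-end drill: back up a small tree, restore it, verify,
    then overwrite one restored file the way ransomware would and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "accounts.csv").write_text("acct,balance\n1001,250.00\n")
        (source / "payroll.txt").write_text("alice,4200\nbob,3900\n")

        backup = tmp / "backup"
        shutil.copytree(source, backup)
        manifest = build_manifest(source)   # hashes recorded at backup time

        restore = tmp / "restore"
        shutil.copytree(backup, restore)
        clean_result = verify_restore(manifest, restore)

        # Simulate ransomware encrypting a file in place: content changes, name does not.
        (restore / "ledger" / "accounts.csv").write_bytes(b"\x00ENCRYPTED\x00")
        tampered_result = verify_restore(manifest, restore)
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = simulate_backup_and_restore()
    print("clean restore:", clean or "OK")
    print("after tampering:", tampered)
```

A backup job that reports “success” only proves that something was written; running this comparison against a real restore, on a schedule, is what proves the data can come back.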

6) Physical Access Security

• Secure each entrance point
• Monitor areas for unauthorized people
• Escort visitors around the building
• Secure documents, computers, servers from theft

7) Wireless Security

• Do not use wireless unless required for business
• Securely configure all wireless devices and access points.
• Most users implement with default settings
◦ Default passwords - http://cirt.net/passwords
• WEP encryption can be cracked in minutes; use WPA2 (or WPA3 where supported) with a long passphrase (21+ characters, complex)
• Disable Wi-Fi Protected Setup (WPS): its PIN can be brute-forced in hours, as described in www.us-cert.gov/cas/techalerts/TA12-006A.html
• Update wireless software and firmware
• Users connect wireless devices to unsecured wireless, then conduct business.

8) Security Awareness Training

• Employees should read security policies
• Employees should sign an Acceptable Use Agreement
• Employees should receive training on security threats:
◦ Malware
◦ Phishing
◦ Social Engineering
◦ Unauthorized Access

Phishing is an INSIDER Threat

(Diagram in the original deck: a phishing email points the user at www.website.com; the user’s own action, clicking the link or opening the attachment, is what lets the malicious payload in. Attacker goals: Money, Data, Volume.)

9) Unique User Accounts and Control

• Users should have a unique login to all computers, programs, and websites.
• Users should not be administrators on their local machine. If users can install software, then malware can install itself on the computer when clicked.
• Complex passwords - the password Spring16 can be cracked with an average computer in 24 seconds.
• Secure Passwords - 73% of users share the passwords which they use for online banking with at least one nonfinancial website.
• If it’s easy to remember, it’s easy to guess. Try mnemonics:
“Proud to be an American” + birth year = PtbaA!(*), where the birth year 1980 is typed in using the shift key
(Caveat: a birth year is personal data an attacker can look up, and a fixed pattern like this is exactly what password-cracking rule sets are built to try. A long passphrase kept in a password manager, plus MFA, is the better default.)
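The two checks behind the Have I Been Pwned slide and the password points above, as an added example (not code from the deck or from SBS): a local keyspace estimate of the kind behind the “Spring16 in 24 seconds” claim, and the k-anonymity breach lookup that Pwned Passwords uses, in which only the first five hex characters of the password’s SHA-1 are sent and the match is done locally on the returned list. The range response is constructed here so the block runs offline (its first entry is the real SHA-1 suffix of “password”; the other entries and all counts are made up), and the guess rate and the 12-character minimum are assumptions.

```python
from __future__ import annotations

import hashlib
import math
import string

# Constructed sample of a Pwned Passwords "range" response. The real API
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) returns
# one "SUFFIX:COUNT" line for every leaked hash that shares the 5-character
# prefix, so the full hash, and the password, never leave your machine.
# First line: real SHA-1 suffix of "password". Other lines: filler. Counts: invented.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0" * 34 + "1:2",
    "F" * 34 + "A:17",
])

# Assumed offline guess rate against an unsalted fast hash on one GPU; real
# rates vary by hash type and hardware, the figure is only for illustration.
GUESSES_PER_SECOND = 1e10
MIN_LENGTH = 12  # policy threshold assumed for this example


def hibp_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 into the 5-char prefix that goes to the API
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_in_range(suffix: str, range_response: str) -> int:
    """How many times the suffix appears in a range response (0 = never seen)."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def keyspace_bits(password: str) -> float:
    """Upper bound on strength: length x log2(size of the character classes used).
    Dictionary words and keyboard patterns are far weaker than this bound says,
    which is why the breach check is needed on top of it."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += 33  # 32 ASCII punctuation characters plus space
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def crack_time_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return (2 ** bits) / guesses_per_second


def check_password(password: str, range_response: str = SAMPLE_RANGE_RESPONSE) -> dict:
    """Combine the local strength estimate with the k-anonymity breach lookup."""
    _, suffix = hibp_prefix_and_suffix(password)
    count = lookup_in_range(suffix, range_response)
    bits = keyspace_bits(password)
    return {
        "length": len(password),
        "keyspace_bits": round(bits, 1),
        "worst_case_crack_seconds": crack_time_seconds(bits),
        "breach_count": count,
        "acceptable": len(password) >= MIN_LENGTH and count == 0,
    }


if __name__ == "__main__":
    for pw in ("password", "Spring16", "PtbaA!(*)", "Proud to be an American!"):
        print(pw, check_password(pw))
```

Against a live deployment the only change is fetching the range response for the prefix over HTTPS; the suffix comparison and the policy decision stay local, so the service never learns which password was checked.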

10) Limit Access to Data

• For all employees, provide access to only those systems and only to the specific information that they need to do their jobs.
• Do not allow a single individual to both initiate and approve a transaction (financial or otherwise).
• Limited access reduces the exposure of data to malware and hackers. It also reduces the impact of malicious insiders.
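The segregation-of-duties rule above, together with the dual control and the ACH and wire limits from the bank’s CATO list earlier in the deck, as an added example of how an origination system enforces them (this is not the bank’s or SBS’s code). The channel limits, role names, user accounts and dual-control threshold are assumed values; the model is one day’s transactions held in memory, so there is no midnight rollover. Amounts are integer cents, because money arithmetic in floating point is how limits get off by a cent and checks get bypassed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


class ControlViolation(Exception):
    """Raised when a transaction would break a configured control."""


@dataclass
class Transaction:
    tx_id: str
    kind: str                          # "wire" or "ach"
    amount_cents: int                  # integer cents, never floats for money
    initiated_by: str
    approved_by: Optional[str] = None
    released: bool = False


@dataclass
class TransactionControls:
    # Daily origination limits per channel in cents (assumed: $50,000 wire, $25,000 ACH).
    daily_limits: Dict[str, int] = field(default_factory=lambda: {"wire": 5_000_000, "ach": 2_500_000})
    # Roles per user: "initiator" may key a transaction, "approver" may approve it.
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    # Transactions at or above this amount need a second person; 0 means always.
    dual_control_threshold_cents: int = 0
    transactions: Dict[str, Transaction] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _require_role(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks the {role} role")

    def _committed(self, kind: str) -> int:
        """Pending and released amounts both count against the daily limit, so the
        limit cannot be sidestepped by splitting one transfer into several."""
        return sum(t.amount_cents for t in self.transactions.values() if t.kind == kind)

    def initiate(self, tx_id: str, kind: str, amount_cents: int, user: str) -> Transaction:
        self._require_role(user, "initiator")
        if kind not in self.daily_limits:
            raise ControlViolation(f"unknown channel {kind}")
        if amount_cents <= 0:
            raise ControlViolation("amount must be positive")
        if tx_id in self.transactions:
            raise ControlViolation(f"{tx_id} already exists")
        if self._committed(kind) + amount_cents > self.daily_limits[kind]:
            raise ControlViolation(f"{kind} daily limit exceeded")
        tx = Transaction(tx_id, kind, amount_cents, initiated_by=user)
        self.transactions[tx_id] = tx
        self.audit_log.append(f"{date.today()} INIT {tx_id} {kind} {amount_cents} by {user}")
        return tx

    def approve(self, tx_id: str, user: str) -> Transaction:
        self._require_role(user, "approver")
        tx = self.transactions[tx_id]
        if user == tx.initiated_by:
            # The whole point of dual control: holding both roles is not enough.
            raise ControlViolation("initiator may not approve their own transaction")
        tx.approved_by = user
        self.audit_log.append(f"{date.today()} APPROVE {tx_id} by {user}")
        return tx

    def release(self, tx_id: str) -> Transaction:
        tx = self.transactions[tx_id]
        if tx.amount_cents >= self.dual_control_threshold_cents and tx.approved_by is None:
            raise ControlViolation(f"{tx_id} requires approval by a second person")
        tx.released = True
        self.audit_log.append(f"{date.today()} RELEASE {tx_id}")
        return tx


if __name__ == "__main__":
    ctl = TransactionControls(roles={"alice": {"initiator"}, "bob": {"approver"}})
    ctl.initiate("W1", "wire", 3_000_000, "alice")
    ctl.approve("W1", "bob")
    print(ctl.release("W1"))
    print("\n".join(ctl.audit_log))
```

The audit log is as important as the checks: when a CATO case ends up in litigation like the two in the deck, the bank and the business each need to show who keyed, who approved and when.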

Other Cybersecurity Frameworks

• Center for Internet Security Top 20
◦ https://www.cisecurity.org/critical-controls/
• NIST 800-53
◦ https://web.nvd.nist.gov/view/800-53/home
• NIST Cybersecurity Framework
◦ https://www.nist.gov/cyberframework
• ISO 27001
◦ http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

Security Lifecycle

1. Assess Risk
2. Implement Controls
3. Audit Controls
◦ Vulnerability Assessment
◦ Penetration Testing
◦ Social Engineering
◦ Security Audit
4. Improve

Summary

• Security is everyone’s responsibility!
• Take steps to secure YOUR financial information on YOUR networks.
• Work with your Bank to establish normal patterns of banking.
• Report suspicious activity or situations.


That’s all she wrote…
• Any questions, comments, or concerns?
• Contact info:
◦ Jon Waldman
◦ Partner, EVP IS Consulting
◦ [email protected]
◦ 605-380-8897
◦ www.sbscyber.com
◦ Follow us on: Twitter (@SBSCyber), Facebook, LinkedIn