©2012 CliftonLarsonAllen LLP
Summary of the State of Security
Tram Jewett, CISA
CliftonLarsonAllen LLP
Virginia GFOA Annual Spring Conference, 2016
Summary of the State of Security
Tram Jewett, MS, CISA
11 years of IT audit and cybersecurity in federal and state government, including:
• Pension
• Transportation
• Education
• Housing
What We Will Cover
• Federal Information Security Modernization Act (FISMA) of 2014
• Cybersecurity Act of 2015
• Breaches
• Ransomware
• Other tools
• How to protect yourself
• Cloud Computing
• IoT
Federal Information Security Modernization Act (FISMA) of 2014
• DHS administers FISMA
• DHS can issue “binding operational directives”
• OMB retains responsibility for policy and procedure
• Modifies reporting to Congress to be less policy, more threat and incident-oriented
• Focus on detecting, reporting and responding to security incidents
• Requires OMB to revise Circular A-130 to eliminate “wasteful/inefficient” reporting requirements
Cybersecurity Act of 2015
• Effective until September 30, 2025
• Voluntary sharing of cyber threat information
• Provides authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats
• Allows network operators to:
– Monitor
– Operate defensive measures
– Share information with others
Why were these Laws necessary?
JAN -- Xoom: $31 million business email compromise
FEB -- Deep Panda: likely cause of breach with 80 million victims
MAR -- Premera: data breach affecting 11 million people
APR -- Great Cannon: DDoS attacks on GitHub, GreatFire
MAY -- Healthcare: data breaches cause problems for insurance providers
JUN -- OPM breach: 21 million victims
Why were these Laws necessary? (cont.)
JUL -- Ashley Madison: 100 GB of stolen data in high-profile compromise
AUG -- Ubiquiti: $47 million business email compromise
SEP -- Blue Termite: Chinese cyber-espionage attack on Japanese companies
OCT -- Experian: breach affects 15 million customers
NOV -- Dridex: banking malware shows up again
DEC -- BlackEnergy: malware causes power outages in Ukraine
Who performs the Breaches?
Hackers:
– They are not individuals working alone
– They are well-funded professionals
– Foreign governments and organizations (Chinese and ISIL)
Motivation Behind These Attacks
– Financial
– Political
– Espionage
What are the Hacker’s Tools?
Ransomware is a serious security threat that has data-kidnapping capabilities.
Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.
How do you catch Ransomware?
• Viewing compromised websites
• Clicking on a Phishing email
• Other malware
How Ransomware Works
• Locks your screen.
• Calls home to obtain encryption keys.
• Encrypts every file it can reach, both on the local device and on your network.
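The third bullet has a side effect a defender can watch for: many files rewritten in a short time with near-random (high-entropy) content. The following burst-of-encrypted-writes heuristic is an added example, not code from the original slides or from CliftonLarsonAllen; the event format (timestamp, path, bytes written), the entropy threshold and the burst parameters are assumptions, and the sample events are constructed inline.

```python
"""Burst-of-encrypted-writes heuristic (added example, not part of the slides).
Watches file-write events and alerts when many high-entropy rewrites land
within a short window, the footprint an encrypting process leaves behind."""

import hashlib
import math
from collections import Counter, deque

ENTROPY_THRESHOLD = 7.0   # bits/byte; text and office documents sit well below this (assumption)
BURST_COUNT = 5           # this many high-entropy rewrites ...
BURST_WINDOW_S = 60.0     # ... within this many seconds raises an alert (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 for uniform bytes, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_bursts(events):
    """events: iterable of (timestamp_seconds, path, content_bytes) file writes.
    Returns the timestamps at which a burst alert fired (one alert per burst)."""
    window = deque()   # timestamps of recent high-entropy writes
    alerts = []
    for ts, _path, content in events:
        if shannon_entropy(content) < ENTROPY_THRESHOLD:
            continue   # ordinary edit, ignore
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW_S:
            window.popleft()   # drop writes that fell out of the window
        if len(window) >= BURST_COUNT:
            alerts.append(ts)
            window.clear()   # reset so a single burst does not alert repeatedly
    return alerts


# --- constructed sample data (not real files) ------------------------------
def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file
    (a SHA-256 chain, so the example behaves the same on every run)."""
    out = bytearray()
    block = seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


PLAINTEXT = b"Quarterly pension fund statement, FY2015. " * 100

SAMPLE_EVENTS = (
    [(0.0, "share/reports/q1.docx", PLAINTEXT),
     (5.0, "share/reports/q2.docx", PLAINTEXT)]                       # two normal edits
    + [(100.0 + i, f"share/reports/file{i}.docx", pseudo_ciphertext(str(i)))
       for i in range(8)]                                              # eight rewrites in eight seconds
)

if __name__ == "__main__":
    for ts in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {BURST_COUNT} high-entropy rewrites within {BURST_WINDOW_S:.0f}s at t={ts}")
```

Feeding the constructed events through `detect_bursts` yields a single alert at t=104, the fifth encrypted-looking rewrite. Compressed archives and images also have high entropy, so in production this signal is combined with the write rate and with a baseline of what the share normally looks like rather than used alone.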
Ransomware Note
Ransomware demands that you send money in Bitcoin.
Ransomware Note (cont.)
• “Your computer has been infected with a virus. Click here to resolve the issue.”
• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
• Source: https://www.us-cert.gov/ncas/alerts/TA16-091A
CryptoLocker ransom demand
Jigsaw ransomware demand
Ransomware Payment
After the attacker receives the Bitcoin and converts it into dollars, they may send you the key to decrypt your files.
Effect of Ransomware
• Ransomware infections can lead to:
– loss of your information,
– disruption of your operations,
– financial losses incurred to restore systems and files, and
– potential harm to an organization’s reputation.
Effect of Ransomware (cont.)
• Paying the ransom does not guarantee the encrypted files will be released;
• In addition, decrypting files does not mean the malware infection itself has been removed.
Ransomware in the news
• Hollywood Presbyterian Medical Center
• MedStar Health in the Washington, D.C. area
• Methodist Hospital in Henderson, KY
• Chino Valley Medical Center in Chino, CA
• Desert Valley Hospital in Victorville, CA
Popularity of Ransomware
• Ransomware exists because it is:
– Profitable
– Low-budget
– Low stakes
– Does not require much skill to pull off
Ransomware Preventative Measures
• Maintain a data backup and recovery plan for all critical information.
• Use application whitelisting.
• Keep your operating system and software up-to-date with the latest patches.
• Maintain up-to-date anti-virus software
Ransomware Preventative Measures (cont.)
• Restrict users’ ability (permissions) to install and run their own software.
• Apply the principle of “least privilege” to all systems and services.
• Avoid enabling macros from email attachments.
Ransomware Preventative Measures (cont.)
• Train users:
– How to safely handle email attachments, see Recognizing and Avoiding Email Scams (https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf).
– Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks (https://www.us-cert.gov/ncas/tips/ST04-014) for more information.
– Follow safe practices when browsing the Web. See Good Security Habits (https://www.us-cert.gov/ncas/tips/ST04-003) and Safeguarding Your Data (https://www.us-cert.gov/ncas/tips/ST06-008) for additional details.
Other Hacker’s Tools
Rootkits
• The Dark Web is like a candy store for hackers
• Exploits vulnerabilities in:
– Microsoft – 2002 servers…
– Oracle …
– Adobe …
– Java ….
Things you can do to prevent getting hacked
Common credential weaknesses to avoid:
• No passwords or blank passwords
• Username is the same as the password
• Password is the username, or the username concatenated with itself
• Passwords such as “password,” “passcode,” “admin”
• Weak passwords on service or vendor accounts (backups)
• Build your servers securely from the start
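The weak-credential patterns on this slide are easy to turn into an automated pre-check run at password-change time or during an account audit. The screening function below is an added example written for this page, not code from the original slides or from CliftonLarsonAllen; the rule names, the dictionary list (seeded only with the words the slide names) and the sample accounts are constructed for illustration.

```python
"""Weak-credential screening (added example, not part of the slides).
Encodes the slide's patterns: blank password, password equal to the
username, the username concatenated with itself, and dictionary words
such as "password", "passcode" and "admin". Meant to run as a policy
check when a password is set or during an audit of your own accounts."""

from dataclasses import dataclass

# Dictionary words named on the slide; extend from your own policy (assumption).
COMMON_PASSWORDS = frozenset({"password", "passcode", "admin"})


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def weak_password_reasons(username: str, password: str) -> list:
    """Return every weakness rule the password trips (empty list = none tripped).
    Comparison is case-insensitive so 'Admin' is treated like 'admin'."""
    u = username.strip().lower()
    p = password.strip().lower()
    if p == "":
        return ["blank password"]
    reasons = []
    if p == u:
        reasons.append("password equals username")
    if u and p == u + u:
        reasons.append("password is username concatenated with itself")
    if p in COMMON_PASSWORDS:
        reasons.append(f"common password '{p}'")
    return reasons


def audit_accounts(accounts) -> list:
    """Screen (username, password) pairs and return one Finding per tripped rule.
    Assumption: applied at password-set time, never to a dump of live production secrets."""
    findings = []
    for username, password in accounts:
        for reason in weak_password_reasons(username, password):
            findings.append(Finding(username, reason))
    return findings


# Constructed sample accounts for demonstration (not real credentials).
SAMPLE_ACCOUNTS = [
    ("backup_svc", ""),                           # service account with a blank password
    ("jsmith", "jsmith"),                         # username used as the password
    ("oracle", "oracleoracle"),                   # username concatenated with itself
    ("admin", "Admin"),                           # dictionary word that also equals the username
    ("tjewett", "correct-horse-battery-staple"),  # trips none of these rules
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{f.username}: {f.reason}")
```

Run against the constructed accounts it reports five findings, two of them for the `admin` account, and nothing for the last entry. Passing these rules is a floor, not a guarantee of strength; a real policy adds length and breach-list checks on top.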
Cloud Computing
Cloud Security Alliance (CSA) Treacherous 12:
– Data breaches
– Compromised credentials and broken authentication
– Hacked interfaces and APIs
– Exploited system vulnerabilities
– Account hijacking
– Malicious insiders
– APT parasite
– Permanent data loss
– Inadequate diligence
– Cloud service abuses
– DoS attacks
– Shared technology, shared dangers
2015 IoT Vulnerabilities
Questions?