Thane Barnier MACE 2016 presentation

Post on 13-Apr-2017


Transcript of Thane Barnier MACE 2016 presentation

It Takes More than a Firewall

Thane Barnier, IT / Web Development Manager

Sioux Falls Area Chamber of Commerce

A network is like a castle

The medieval castle model: build the walls thick, stockpile supplies and laugh as attacks bounce off the walls. It’s a siege. A good firewall can stop a brute force attack.

How do you break down a castle’s defenses? Attack from multiple sides. Go over or under the walls. Add more siege engines to overwhelm the walls. But the best way to get in… get someone inside to open the gates!

It wasn’t me, I swear!

The Melissa macro virus hit in March 1999. High traffic generated by this virus brought mail servers to their knees. Antivirus software was ineffective against this attack vector. In short, we weren’t ready!

The LoveLetter worm hit in 2000. Because of its destructiveness and virulence, many still consider it the most dangerous virus ever. It destroyed JPG files, overwriting them with copies of itself. It was difficult to remove because it self-replicated within the computer, cloning itself. It launched a Denial of Service attack on the official White House website. 50 million infections in the first 10 days; an estimated 10% of internet-connected computers were infected worldwide.

The mid-2000s saw the rise of Spyware, Adware and Trojan Horse programs. They are hard to detect because they are relatively passive: they steal information covertly without triggering antivirus software. Most versions don’t use email to spread; rather, they exploit holes in browser security to install. They are not generally self-replicating. Trojans can create zombie computers to form botnets for DDoS attacks. A wide variety of attack vectors, striking from multiple sides (get more siege engines).

2009: RogueWare/Fake Antivirus! A new approach to malware with one goal in mind: $$$$. FakeAV software, warnings of reporting illegal activities, porn pop-ups. It played on user fear to invoke an emotional response. It required user interaction to install, thereby circumventing most antivirus systems. Users who paid the requested prices would find their credit cards charged, AND stolen. A 2010 report estimated the creators were making $35 million PER MONTH. It was nearly impossible to remove safely at the time, and it disabled REAL antivirus software. Employ the nuclear option.

What do all these attacks have in common?

SOCIAL ENGINEERING

Social Engineering

The Devil made me do it!

A hacker’s most effective tool is good SOCIAL ENGINEERING. The trick is to get one of us to open our gates without realizing we’re doing it. As people catch on, hackers quickly adapt their techniques.

The email worms use tricks to get the user to open the attached file. Antivirus programs begin to strip them off, so hackers move to embedded links which lead to malware payloads. Emails begin to look more realistic, making them harder to spot. Fake Antivirus programs created by experienced programmers look and feel like real commercial software. Ransomware plays on users’ fears. Malvertising offers a sophisticated attack vector which is impossible to detect until it’s too late.

CRYPTOLOCKER: The new face of EVIL!

Hit in 2013. Caught us unprepared and defenseless. No one had an answer. Unlike anything we’d ever seen before. Ransomware for real. It literally kidnaps your files, with encryption which is virtually unbreakable: RSA-4096. Multiple variants: CryptoWall, TorrentLocker, etc. Antivirus virtually non-effective.

May 2014: the FBI announced it had shut down the Zeus botnet and the Cryptolocker network. The media declared Cryptolocker dead and stopped talking about it. New variants and new botnets started appearing in the “darknet”. Oct. 2015: the FBI’s official response… pay the ransom.

Feb 2016: Hollywood Presbyterian Medical Center hit by a ransomware attack. CT scans, documentation, lab work, pharmacy functions and electronic communications were out of commission. Radiation & Oncology shut down, ER “sporadically impacted”. Luckily no one died. After a week of fighting it, the hospital paid over $17,000 to get their files back.

ALL your files are belong to us!

Removal tools can strip the virus, but will do nothing to fix encrypted files. The program MUST be installed in order to pay the ransom and decrypt the files. Backups. Backups. Backups. Redundancy. If you don’t have backups, pay the ransom and hope it works. That’s the only way to decrypt your files. NOT a guarantee!

If a PC does get infected, kill the power immediately and disconnect it from the network before it infects other systems. If you don’t have an IT staff, call a pro! Dealing with CryptoLocker takes finesse.

IT’s worse than that, he’s dead Jim!

The user waited hours to report it. In 4 hours Cryptolocker decimated our network. Every document, image, PDF, spreadsheet etc. on the computer was encrypted. 200,000+ files were encrypted on 6 different network shares, across 3 servers. Almost 2 TB of data, including our main membership database.

We had just purchased a new backup system. Though the software reported it was working perfectly, none of the backups were valid for restoration. The software company responded that apparently it wasn’t working correctly. They offered no other support.

Using Volume Shadow Copy, I was able to restore all of the file shares, except our main membership database. We worked for 48 straight hours restoring systems and trying to recover the membership database. In the end… we had no choice but to pay the ransom. It worked!

It all started with one email that looked like a FedEx receipt.

CryptoWall: The second coming

It hit Friday at 1:43 PM. By 2:45 it had encrypted 275,000 files, 875 GB of data. Safety measures put in place for Cryptolocker were completely circumvented. Our triple-redundancy backup system worked great: we were able to restore all but 6 files. A/V, security policies, firewalls: it got past them all. Still, it could have been prevented.

Don’t take ZIP files from strangers!

So how do we defend against this? We must combat this Social Engineering with our own Social Engineering. We all need to learn what to look for and what to do if we do get infected. Think before you act.

Email is still the most common threat vector. Despite all our filtering, things still can and do get through. In the end, the best countermeasure we have is ourselves.

Even if you know the sender of an email, were you expecting it? Would this person really send you a ZIP file? Never open anything with a .scr, .vbs or .exe extension. (elfbowling.exe)

Amazon, UPS, USPS, FedEx, PayPal: companies we use every day are commonly spoofed in emails. VERY prevalent around the holidays. At first glance, these fake emails are so well crafted you’d never notice a difference. Suspicion and a couple of seconds will reveal the difference.

Warning signs that this is a fake email: bad grammar or misspellings. Do the links really go where they say? HTTP:// vs. HTTPS://. These companies will never send you an attachment! Rather than clicking the link in the email, go to the site itself. ALWAYS be wary. If you have doubts, don’t open it, don’t click it.
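Two of the warning signs above, links that do not go where they say and attachments with dangerous extensions, can be checked mechanically before a user ever sees the message. The script below is an added example, not part of the presentation; the HTML body, attachment names and domains are constructed samples, and the grammar/misspelling sign is left out because it needs a dictionary.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: a fake "shipping notice" showing the slide's warning signs.
SAMPLE_EMAIL = """
<p>Your FedEx package could not be delivered. Please confirm below.</p>
<a href="http://fedex-tracking.example.net/confirm">https://www.fedex.com/track</a>
<a href="https://www.fedex.com/">www.fedex.com</a>
"""
SAMPLE_ATTACHMENTS = ["Shipping_Label.zip", "invoice.pdf.scr"]
RISKY_EXTENSIONS = (".scr", ".vbs", ".exe", ".zip")  # the slide's list, plus ZIP

def host_of(text):
    """Hostname of a URL or bare domain (lowercase), or None if text is not one."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(html, attachments):
    """One warning per indicator: link text/target mismatch, plain http://, risky attachment."""
    warnings = []
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        if shown and real != shown:  # "Do the links really go where they say?"
            warnings.append(f"link shows {shown} but goes to {real}")
        if urlparse(href).scheme == "http":  # "HTTP:// vs. HTTPS://"
            warnings.append(f"plain http:// link to {real}")
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment {name}")
    return warnings
```

Link text that is not itself a domain ("Click here") is not compared, so a mismatch warning is only raised when the message visibly claims a destination it does not go to.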

My password = PASSWORD

There are 10 Immutable Laws of Network Security. Law #5: Weak passwords trump strong security. There are many ways to crack your password: key loggers and malware, phishing, social media harvesting and Google hacking. The last two are used to create tables of pertinent information used in automated guessing attacks. Using the names of people, places, things and dates that mean something to us makes these attacks possible.

Brute Force Password Attacks. What a hashed password looks like: BF733889685D4B3068EE38CF7D1CE36131D6CFE0D16AE931B73C59D7E0C089C0

vikings: 2 seconds
Vikings: 6 minutes
Vikings28: 55 days
VikingsSuck!: 1397612 years, 6 months

Minimum 12 characters. Complex (3 of 4: uppercase, lowercase, number or symbol). Don’t use things that are easily identifiable from social media. Don’t use your work password at home. Don’t just change 1 number each time.
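Both the crack-time comparison and the 12-character, 3-of-4 rule above can be checked with a short script. This is an added example, not from the presentation: the guess rate of one billion per second is an assumption, so the times differ from the slide’s figures, and SHA-256 is used only to show the shape of a hashed password, not as the hash behind the slide’s value.

```python
import hashlib
import string

# Character classes from the slide's complexity rule (3 of 4).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "number": set(string.digits),
    "symbol": set(string.punctuation),
}

def classes_used(password):
    """Names of the character classes the password draws from."""
    chars = set(password)
    return [name for name, members in CLASSES.items() if chars & members]

def meets_policy(password):
    """The slide's rule: at least 12 characters and 3 of the 4 classes."""
    return len(password) >= 12 and len(classes_used(password)) >= 3

def keyspace(password):
    """Candidates an exhaustive search covers: (alphabet size) ** length,
    where the alphabet is the union of the classes the password uses."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)

def crack_time_seconds(password, guesses_per_second):
    """Worst-case exhaustive-search time; the guess rate is an assumption.
    A dictionary or social-media wordlist ("vikings") finishes far sooner."""
    return keyspace(password) / guesses_per_second

def human_time(seconds):
    """Render seconds in the largest fitting unit, one decimal."""
    for name, size in (("years", 31536000), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate against a fast hash (constructed)
    for pw in ["vikings", "Vikings", "Vikings28", "VikingsSuck!"]:
        # SHA-256 gives the same 64-hex-digit shape as the hash on the slide.
        digest = hashlib.sha256(pw.encode()).hexdigest()
        print(f"{pw:13} {digest[:16]}... classes={len(classes_used(pw))}",
              f"policy={'ok' if meets_policy(pw) else 'FAIL'}",
              f"worst case {human_time(crack_time_seconds(pw, RATE))}")
```

Note that the estimate only grows with length and alphabet; a word harvested from social media falls to a wordlist attack in seconds no matter how large its keyspace looks.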

It takes more than a firewall

With so many threats, so many attack vectors, we fight a multi-front war. 7-character complex passwords aren’t enough anymore. Enterprise antivirus software is essential, but it isn’t enough. A strong firewall is essential, but it isn’t enough. Security must be a responsibility of every user, not just the IT guys.

Keep staff updated on new threats. Acknowledge their successes in spotting and avoiding danger; don’t just berate them when they fail. We must keep users engaged; they MUST become a part of the security process. Our users are our biggest vulnerability, but they are also our most effective line of defense.

Build yourself a Cyber Militia!