The Hacking AgeDestruction, Profiting, and Stealing in the Cyber-Era
David Kennedy Founder TrustedSec / Binary Defense@HackingDave
Tammy GedetsisCybersecurity Education & AwarenessKeyBank
Tammy Gedetsis is a Senior Information Security Consultant at KeyBank. She has been at KeyBank for 21 years doing a variety of roles focused on business clients and their digital experience. She recently started a new role where she’ll be responsible for the Cybersecurity Education & Awareness programs for employees, consumer and business clients. Prior to this role, Tammy was the Senior Digital Product Manager for Key’s corporate digital platform, KeyNavigator where she was responsible for strategy and delivery of commercial products and services. Her focus in that role was on security and the client experience.
For Placement Only.See ‘Applying a Brand Photo to a Title Slide Layout’ in the B2B presentation
guidelines document for instructions on adding an image from the Key
photo library to a Title Slide Master.
Introduction
Breakout Timeframe
• Binary Defense analyzed over 3,912 breakout methods over a span of a year of 2018.
• Average attacker broke out of initial compromise and established foothold in under 2 hours (1.43 hours on average).
• Primary method for lateral movement was through lower level protocols.
• Majority of initial compromises (81%) was due to macros and attachments. Malicious websites and links in e-mail was the second highest percentage (11%).
Password Usage• Users using the same password across multiple
systems.• Password patterns – Summer2017, Summer2018.
Business Email Compromises• Compromising victims through password harvesting
then changing wire information.• Claiming to be an executive on a super secret M&A.• 314% increase from last year.
Ransomware• Holding computers hostage for monetary gain.• Spawned out of the credit carder (carder) market.
Data Theft• Centric around intellectual property or monetary
gain.
Main Attacks Today
What individuals have to face is a fraction of what an organization has to deal with on a daily basis.
Sophistication of Attackers
Continue to Progress.
Getting caught remains an
extremely low percentage.
People become one of the hardest challenges
in cyber security.
Demographics of Hackers
State Sponsored• Depends on the originating country.• Ranges from intelligence gathering to military
preparedness.
Organized Crime• PII/PHI has increased in cost in underground
(identity fraud).• Credit cards (albeit a bit more difficult).• IP theft and selling.• Selling compromised accounts.• Ransomware (huge boom).
General Hacking • Selling services such as customized malware.• Compromised accounts.
Detection has to become our biggest priority.
What can you do at home and at the office
to protect yourself?
Two-Factor Authentication
Probably one of the most important steps you can do right now, as I’m sitting here talking.
• Two-Step/Two-Factor Authentication is priority.
• Supported by almost all sites, Apple, Twitter, Banking, Facebook.
• If passwords are compromised – it doesn’t lead to the compromise of the account.
Two-Factor Authentication for Business
Same Password Usage
• Great site to see if your password/email address has been compromised or exposed in a breach:
• https://haveibeenpwned.com/
• Consider password vaults.
• Has to be different on each webpage.
Recommended Password Vaults
• 1Password - https://1password.com/
• KeePass (free) - https://keepass.info/
• LastPass - https://www.lastpass.com/
• Dashlane - https://www.dashlane.com/
Stay Up-To-Date with Patches
• This includes your mobile phones (Android, iPhone, etc.) as well as your Mac (OS X), and Windows.
• Updates fix very specific flaws that hackers have found or will develop soon.
• This includes Java, Adobe, Office products.
Stay Up-To-Date with Patches
• I’m going on vacation this week! It’s going to be awesome. Home empty.
• I’m waiting for this package, dang it!
• Daily rituals, patterns of behavior.
Personal Information
• Leaving personal information online can snag you in trouble.
• When a breach occurs, make sure to change your password.
• Consider services that monitor your credit activity and lock credit with credit providers.
Other Tips
• Wi-Fi Passwords and WPA2• Passphrases – not passwords:
• Think: I love running it’s awesome!• Think before you click.• Be careful with kids online.• iPhone better on security except for Pixel line of devices (Android).• Minimal operating systems such as Chromebooks/iPads are much more
difficult to compromise.
Some Are Difficult to Spot
Indicators of Bad Stuff
Image: Dropsuite.com
Look Where You Are Going
Image: Mabzickle.com
Attachments and Links #1 Delivery Method
Online Safety
• Safe and Secure Online• Free resources available for
learning more about cyber security.
• Kids can learn as well – Garfield sponsored.
• Great resource to learn more about cyber security:• https://safeandsecureonline.org/
Lots of Opportunity
• Third-party software on top of traditional email security is paramount.• Two-Factor Authentication• Email Security• Protection against Phishing.
• Email continues to be a driving force for attack with hackers.
• Reducing the attack surface on email reduces the risk for organizations.
• It’s never been more important to protect the user population and the enterprise.
Moving Forward
• Companies and individuals need to focus on their highest probabilities for attack.
• Normal protections aren’t going to cut it for even average attackers.
Resources
• https://haveibeenpwned.com/• https://safeandsecureonline.org/• https://programs.online.utica.edu/articles/TenWaysToProtectYourIdentity• https://www.theguardian.com/technology/2016/dec/15/protect-passwords-
two-step-verification-encryption-digital-life-privacy• https://www.pcmag.com/article2/0,2817,2407168,00.asp• http://www.businessinsider.com/author/david-kennedy