DBS Security Briefing
CSC Security Deck
John Paul Valenzuela, Business Development Manager, South East Asia

Posted 23-Feb-2017

TRANSCRIPT

Page 1: DBS Security Briefing

CSC Security Deck
John Paul Valenzuela
Business Development Manager, South East Asia

Page 2

What’s in a Digital Brand?

DIGITAL ASSETS (together they make up the DIGITAL BRAND):
• Domains
• DNS
• Digital Certificates
• Email
• Social Media Handles
• Mobile Apps

Page 3

Digital Brand – Cyber Threats

Threat actors: Cyber Criminals, “Hacktivists”

Threats to DIGITAL ASSETS:
• DDoS ATTACKS
• MALWARE
• PHISHING
• SQL INJECTION
• SOCIAL HIJACKING
• DOMAIN HIJACKING

Comment (Kalesse, Robert): I think we need to come to an agreement on cyber-words. Hyphenate? Separate? Combine? I see "cyber threats" and "cybercriminals".
Page 4

Digital Assets

Who has a company-issued laptop or cell phone?

Does it have a serial number that is logged?

Would you agree the business sees that as an asset and documents it appropriately?

Do you treat your digital assets the same way?

Page 5

Domains

POTENTIAL THREATS: DOMAIN HIJACKING, DOMAIN SHADOWING

Page 6

Domain Management Challenges

Many companies don’t document their digital assets
• If you don’t know what you have, how do you manage it?
• How do you enforce policy?
• How do you make sense of the data? (email feeds, domains, SSLs, social media)

Disparate portfolio management
Multiple vendors cause inefficiency and confusion:
• Poor asset management leading to missed renewals
• Many sets of credentials to worry about
• Increased risk of phishing attack success
• No increased purchasing power

Page 7

Threat: Domain Shadowing

Source: CSO Online

Page 8

Threat: Domain Shadowing

Domain shadowing: a bad actor uses compromised registrant credentials to create subdomains under your legitimate domain
• Makes phishing attacks look more authentic, because the links sit under a domain users already trust
• Uses compromised registrant credentials
• Difficult to stop: subdomains are high volume, short lived, and random, with no discernible pattern, which makes blocking increasingly difficult
• Directs users to the Angler Exploit Kit

Example: online.cscglobal.com
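The pattern the slide describes (many short-lived, random-looking subdomains appearing under a legitimate domain in a short burst) can be watched for in the registrar's change log, zone history or a passive-DNS feed. The script below is an added example and is not part of the CSC deck; the change records, their field layout and the burst/entropy thresholds are constructed assumptions.

```python
"""Heuristic detection of domain shadowing from a DNS change log.

Added example, not taken from the CSC deck. The change records below are
constructed; in practice they would come from a registrar audit log, zone
version history or a passive-DNS feed (field layout is an assumption).
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (created_at ISO-8601, fqdn, record type, rdata).
# The six random labels created within 30 seconds mimic the pattern the
# deck describes: high volume, short lived, no discernible naming scheme.
SAMPLE_CHANGES = [
    ("2016-03-01T09:00:00", "www.example.com",        "A", "203.0.113.10"),
    ("2016-03-01T09:05:00", "mail.example.com",       "A", "203.0.113.20"),
    ("2016-03-02T02:11:03", "x7k2qpd9ma.example.com", "A", "198.51.100.7"),
    ("2016-03-02T02:11:09", "q0wz3ldk8v.example.com", "A", "198.51.100.7"),
    ("2016-03-02T02:11:15", "mz8rt4yq1a.example.com", "A", "198.51.100.9"),
    ("2016-03-02T02:11:21", "b5xn9dk2pq.example.com", "A", "198.51.100.9"),
    ("2016-03-02T02:11:27", "v2sj7hl4mw.example.com", "A", "198.51.100.7"),
    ("2016-03-02T02:11:33", "k9pd3zc6rq.example.com", "A", "198.51.100.9"),
    ("2016-03-03T10:00:00", "online.cscglobal.com",   "A", "203.0.113.50"),
]


def shannon_entropy(label: str) -> float:
    """Bits per character; a 10-char label of distinct characters scores log2(10) ~= 3.32."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def is_random_label(label: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Crude 'looks machine-generated' test. Tune both thresholds and keep an
    allowlist for legitimate hash-style hostnames (CDN nodes, build previews)."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parent_of(fqdn: str, depth: int = 2) -> str:
    """Registered domain, assuming a two-label suffix (use a public-suffix list in production)."""
    return ".".join(fqdn.rstrip(".").split(".")[-depth:])


def find_shadowing(changes, window=timedelta(minutes=10), burst=5):
    """Return {parent_domain: sorted suspicious fqdns} where at least `burst`
    random-looking subdomains were created within `window`."""
    by_parent = defaultdict(list)
    for ts, fqdn, rtype, _rdata in changes:
        label = fqdn.split(".")[0]
        if rtype in ("A", "AAAA", "CNAME") and is_random_label(label):
            by_parent[parent_of(fqdn)].append((datetime.fromisoformat(ts), fqdn))
    alerts = {}
    for parent, events in by_parent.items():
        events.sort()
        # Sliding window over creation times: a burst is `burst` events whose
        # first and last timestamps are no more than `window` apart.
        for i in range(len(events) - burst + 1):
            if events[i + burst - 1][0] - events[i][0] <= window:
                alerts[parent] = sorted(f for _, f in events)
                break
    return alerts


if __name__ == "__main__":
    for parent, names in find_shadowing(SAMPLE_CHANGES).items():
        print(f"possible domain shadowing under {parent}: {len(names)} random subdomains")
        for name in names:
            print("  ", name)
```

Entropy alone is a weak signal (CDN and build hostnames are random by design), which is why the alert also requires a burst of creations in a short window and why the detection should sit beside the registrar-side controls the deck lists later (two-factor authentication and registry lock), since shadowing starts with a valid login.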

Page 9

How Can I Reduce the Risk?

Create a domain name policy:

1. Define goals

2. Assign roles and responsibilities

3. Determine strategy

4. Outline processes for availability searches, registrations, renewals, and transfers

5. Establish monitoring, escalation, and enforcement mechanisms

6. Identify budget

7. Create standards

8. Set DNS controls

9. Define reporting

10. Create a policy and compliance review process

Page 10

Key Takeaways

Security
• Two-factor authentication
• Registry lock
• Email protection (DMARC/DKIM/SPF)
• IP validation

User Management
Who has access to the digital assets?
• Carry out regular user reviews (people move or leave)
• User access – do they really need access?
• Federated identity – reduces the risk of forgetting to notify a vendor when someone leaves

Phishing Awareness Training
Internally, who has phishing awareness training? Do you test them?

Page 11

DNS

POTENTIAL THREATS: DDoS ATTACKS (Distributed Denial of Service), MALWARE

Page 12

DDoS Attacks – Examples

Source: The Register Source: BBC

Page 13

DDoS Attacks – The Risk

A Distributed Denial of Service attack is a common technique that floods your servers with traffic from many sources at once, which in turn “jams” your network (gridlock).

Page 14

DDoS Attacks – A growing threat

DDoS attack activity increased 85% year over year
Source: VeriSign DDoS Trends Report

In the last 2 weeks of January 2016…
• 52 mainstream DDoS attacks (many more not reported)
• Attacks on government, public, and private sector businesses
• They were all powerless to defend
Source: http://www.hackmageddon.com

500 Gbps (latest reported size)

31+ full-length 1080p (HD) movies of data per second! What size attack can your organization withstand?

Source: http://www.hackmageddon.com
Source: http://filecatalyst.com/todays-media-file-sizes-whats-average

Page 15

DNS/DDoS Attacks – The Impact

18 hours – Average network outage/disruption time (Source: CIO Insight)

$105,710 – Average cost of 1 hour of downtime (Source: CIO Insight)

$126,153 – Estimated average annual cost to businesses from DDoS attacks (Source: The Ponemon Institute)

Page 16

War Games!

[Embedded video: “Press ENTER to launch attack” – click to play]

Page 17

50% of businesses worldwide

have no countermeasures against DDoS attacks

Source: IT Pro

Page 18

How Can I Reduce the Risk?

Evaluate current DNS platform – is it suitable and robust enough to withstand DDoS attacks?

Consolidate all domain names onto a single DNS platform

Consider DDoS protection/mitigation service

Consider DNSSEC to combat DNS spoofing (cache poisoning) and man-in-the-middle attacks on name resolution

Page 19

SSLs

POTENTIAL THREATS: MALWARE, ESPIONAGE

Page 20

51% of Global 2,000 companies admit to not having an accurate accounting of their SSL certificates

*Source: Ponemon Institute, “2013 Annual Cost of Failed Trust Report: Threats and Attacks”

Page 21

Why Is It So Hard to Keep Track?

Responsibility for SSL certificates often spread around the business and around the world

Disparate technology groups and standards

SSL certificates often with numerous providers

Page 22

SSL Risks – Expired Certificates

If you don’t have a grasp of what you own, along with a tight management and renewal process, this can happen:

Page 23

Expired Certificate Examples

Page 24

Expired Certificate Examples

Page 25

Expired Certificates – Impact

“The average Global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage—and faces another $25 million in potential compliance impact.”

Source: CSOonline.com

Page 26

How Can I Reduce the Risk?

Audit to get a thorough accounting of all existing certificates

Cross-reference with live sites

Consolidate onto one platform for easier management

Develop and implement a policy and process to ensure that all certificates are managed as necessary
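The four steps above (audit, cross-reference with live sites, consolidate, enforce a process) come down to a reconciliation between what the inventory says and what the hosts actually serve. The script below is an added example, not CSC's tooling; INVENTORY and OBSERVED are constructed stand-ins for a CA/registrar export and a scan of your live sites, and live_cert_expiry() is the standard-library call such a scan would use to read a real host's certificate when network access is available.

```python
"""Reconcile a certificate inventory against what live hosts actually serve.

Added example, not from the CSC deck. INVENTORY and OBSERVED are constructed
lists standing in for a CA/registrar export and a scan of your live sites;
live_cert_expiry() shows how that scan would read a host's real notAfter with
the standard library. Field names are assumptions.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed: what the business believes it owns (one row per certificate).
INVENTORY = [
    {"host": "www.example.com",   "issuer": "Vendor A", "not_after": "2017-03-01"},
    {"host": "login.example.com", "issuer": "Vendor B", "not_after": "2017-06-30"},
    {"host": "old.example.com",   "issuer": "Vendor A", "not_after": "2016-12-31"},
]
# Constructed: what a scan of the live sites actually found.
OBSERVED = [
    {"host": "www.example.com",   "not_after": "2017-03-01"},
    {"host": "login.example.com", "not_after": "2016-02-15"},  # renewed on paper, old cert still deployed
    {"host": "api.example.com",   "not_after": "2017-01-20"},  # nobody put this one in the inventory
]


def live_cert_expiry(host: str, port: int = 443, timeout: float = 5.0) -> datetime:
    """Connect to a live host and return the leaf certificate's notAfter (UTC).

    A default (verifying) context refuses an already-expired or untrusted
    certificate with ssl.SSLCertVerificationError; for an audit that is itself
    the finding, so catch it at the call site and record the host.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def as_date(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def reconcile(inventory, observed, today: datetime, warn_days: int = 30) -> dict:
    """Cross-reference the inventory with live observations.

    expired / expiring : live certs past, or within warn_days of, notAfter
    unknown_live       : a host serving a cert nobody inventoried
    not_live           : inventoried but no longer seen on any host
    mismatch           : inventory and live notAfter disagree (stale deploy or stale record)
    """
    inv = {e["host"]: e for e in inventory}
    obs = {e["host"]: e for e in observed}
    report = {k: [] for k in ("expired", "expiring", "unknown_live", "not_live", "mismatch")}
    for host, e in obs.items():
        exp = as_date(e["not_after"])
        if exp < today:
            report["expired"].append(host)
        elif exp - today <= timedelta(days=warn_days):
            report["expiring"].append(host)
        if host not in inv:
            report["unknown_live"].append(host)
        elif inv[host]["not_after"] != e["not_after"]:
            report["mismatch"].append(host)
    report["not_live"] = [h for h in inv if h not in obs]
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for finding, hosts in reconcile(INVENTORY, OBSERVED, as_date("2016-12-25")).items():
        print(f"{finding:13s} {', '.join(hosts) or '-'}")
```

The "mismatch" bucket is the one the slide is really about: login.example.com was renewed in the inventory but the old certificate is what the site still presents, so a renewal tracker alone would have reported it as healthy. Run the live scan from outside your network so it sees the same certificate chain customers do.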

Page 27

Social Media Handles

POTENTIAL THREATS: SOCIAL HIJACKING

Page 28

Social Media Handles – The Challenges

Social media handles are like domain names 10 years ago…

• No company policies
• Little to zero protection for TM holders
• First come, first served

It’s the Wild, Wild West all over again.

Page 29

Social Media Handles – The Risks

INTERNAL: Managing access to social media handles
• What happens if the user leaves the company?
• How well protected are the credentials?

EXTERNAL: Hacking of social accounts via compromised credentials
• Third parties creating fake accounts to target your brand: job scams, infringements, corporate disparagement

Page 30

Fake Social Media Accounts

Researchers have spotted fake social-button plugins that attackers are using to compromise websites and redirect visitors to the Angler exploit kit. Source: grahamcluley.com

“Cybersecurity researchers have uncovered a network of fake LinkedIn profiles, which they suspect were being used by hackers in Iran to build relationships with potential victims around the world.”Source: The Wall Street Journal

Page 31

Social Media Hacking and Hijacking - Examples

Page 32

How Can I Reduce the Risk?

Manage the handles as you would other digital assets

Develop and maintain an inventory of social media handles

Find a secure online repository

Determine registration strategy (part of domain policy)

Limit access to usernames/passwords

Change passwords on a frequent basis

Monitor activity on social networks – what are staff doing as well as third parties


Page 33

Mobile Apps

POTENTIAL THREATS: SOCIAL HIJACKING, MALWARE

Page 34

Mobile Apps – A Growing Channel

89% of mobile-user time is spent using apps, as opposed to just 11% spent accessing media through the mobile web. Source: Nielsen

Total app revenues are projected to grow from $45.37B in 2015 to $76.52B in 2017. Source: http://www.businessofapps.com/app-revenue-statistics/

Page 35

Mobile Apps – Challenges & Risks

Challenges
• Similar to social media (WWW = Wild, Wild West)
• Third parties can publish mobile apps to target a brand’s customers (e.g. malapps)
• Managing these assets as they grow in usage

Risks
• Malware
• Phishing
• Fake apps/trademark infringement
• Counterfeiting

Page 37

Mobile App Abuse - Examples

Page 38

How Can I Reduce the Risk?

Develop and maintain an inventory of authorized mobile apps (in order to quickly identify unauthorized apps that require investigation and action)

Monitor the major app stores to quickly detect infringements and take rapid enforcement action

Page 39

Email

POTENTIAL THREATS: PHISHING, MALWARE, FRAUD, SPOOFING

Page 40

Phishing/Email Fraud Challenges

30% of consumers prefer email communications over phone, text, post or social media. Source: http://tsys.com/2015USConsumerResearch/

97% of people globally can’t correctly identify a sophisticated phishing email. Source: Intel

Email fraud has up to a 45% conversion rate. Source: Google

Page 41

Email Fraud – The Impact

Phishing costs brands worldwide $4.5 billion each year. Source: “The Economics of Spam,” Journal of Economic Perspectives

Customers are 42% less likely to do business with you after a phishing attack, regardless of whether they were actually fooled. Source: http://www.magillreport.com/Phishing-Threatens-Your-Brand-More-than-You-Think-Return-Path/

82 seconds – median time from email received to first click. Source: https://info.wombatsecurity.com/blog/infographic-what-impact-does-phishing-have-on-your-business

Page 42

Phishing Attacks - Examples

Page 43

In a survey of more than 1,000 global brands across 33 countries, only 22% of companies were publishing a DMARC record.

Source: ReturnPath

Page 44

How Can I Reduce the Risk?

• Provide staff training to identify phishing emails and to report them immediately
• Empower employees to say “No” to requests for data and money from senior leadership
• Subscribe to Email Fraud Protection (a service that provides both Email Governance and Threat Intelligence)
• Apply SPF, DKIM, and DMARC on your sending domains
• Monitor the email channels (honey pots, abuse feeds) for phishing emails targeting your brand
• Subscribe to a takedown service to remove and blacklist offending URLs
• Use a robust Domain Name Monitoring service to identify registered typo domains that could be used for phishing
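The SPF/DMARC item above, the DMARC/DKIM/SPF line under Key Takeaways on Page 10 and the "only 22% publish a DMARC record" finding on Page 43 all come down to what a sending domain's TXT records actually say. The checker below is an added example, not part of the CSC deck: it parses constructed SPF and DMARC records for three hypothetical domains and reports the weak settings a reviewer looks for (`+all`, `p=none`, missing `rua=`, partial `pct=`, too many DNS lookups). DKIM keys live under per-selector names that cannot be enumerated from a fixed record, so DKIM is not assessed here.

```python
"""Assess the SPF and DMARC records a sending domain publishes.

Added example, not from the CSC deck. The TXT records below are constructed
for hypothetical domains; in practice fetch them with
`dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.
"""
import re

# Constructed records: one strong domain, one weak domain, one with nothing.
RECORDS = {
    "example.com": {
        "spf":   "v=spf1 include:_spf.mailvendor.example ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    },
    "weak.example": {
        "spf":   "v=spf1 a mx +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    },
    "none.example": {"spf": None, "dmarc": None},
}

SPF_MECH = re.compile(r"^([+\-~?])?(all|include|a|mx|ptr|ip4|ip6|exists)(?::(.+))?$")
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query (RFC 7208)


def parse_spf(txt):
    """Return {'mechanisms': [(qualifier, name, arg)], 'modifiers': {...}} or None."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, modifiers = [], {}
    for term in txt.split()[1:]:
        m = SPF_MECH.match(term)
        if m:
            mechanisms.append((m.group(1) or "+", m.group(2), m.group(3)))
        elif "=" in term:  # modifiers such as redirect= or exp=
            k, v = term.split("=", 1)
            modifiers[k.lower()] = v
    return {"mechanisms": mechanisms, "modifiers": modifiers}


def spf_findings(txt):
    spf = parse_spf(txt)
    if spf is None:
        return ["no SPF record: any host can claim to send for this domain"]
    findings = []
    alls = [q for q, name, _ in spf["mechanisms"] if name == "all"]
    if not alls:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif alls[-1] in ("+", "?"):
        findings.append(f"'{alls[-1]}all' does not reject unlisted senders")
    elif alls[-1] == "~":
        findings.append("'~all' softfail: move to '-all' once DMARC reports confirm every legitimate sender is listed")
    lookups = sum(1 for _, name, _ in spf["mechanisms"] if name in LOOKUP_MECHS) + ("redirect" in spf["modifiers"])
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10; receivers return permerror")
    if any(name == "ptr" for _, name, _ in spf["mechanisms"]):
        findings.append("'ptr' mechanism is discouraged by RFC 7208")
    return findings


def parse_dmarc(txt):
    """Return the DMARC tag dict, or None when there is no valid DMARC1 record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else None


def dmarc_findings(txt):
    d = parse_dmarc(txt)
    if d is None:
        return ["no DMARC record: receivers apply no policy and send no reports"]
    findings = []
    p = d.get("p")
    if p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif p not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy 'p={p}'")
    if "rua" not in d:
        findings.append("no rua= address: you get no aggregate reports on who sends as you")
    pct = int(d.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if p in ("quarantine", "reject") and d.get("sp", p) == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def enforcing(dmarc_txt):
    """True when the domain's DMARC policy actually blocks or quarantines spoofed mail."""
    d = parse_dmarc(dmarc_txt)
    return bool(d) and d.get("p") in ("quarantine", "reject")


def assess(domain, records=RECORDS):
    r = records[domain]
    return {"spf": spf_findings(r["spf"]), "dmarc": dmarc_findings(r["dmarc"]), "enforcing": enforcing(r["dmarc"])}


if __name__ == "__main__":
    for domain in RECORDS:
        print(domain, assess(domain))
```

Only a domain that ends in `-all` and publishes `p=quarantine` or `p=reject` counts as protected; a record with `p=none` satisfies the "publishes a DMARC record" statistic on Page 43 without stopping a single spoofed message, which is why the checker reports the policy and the `rua=` address separately from the record's mere presence.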

Page 45

Why Does Security Matter to You?

You are often making decisions that will impact your brand!

We are now managing digital assets, which are valuable, and bad actors want to exploit them.

The business needs your help!

Question: Who thinks security is just the job of IT?

Page 46

Who Makes the Decisions?

Advent of domains → IT

Increase in infringements → Legal

Growth in eCommerce → Marketing

Increase in cyber attacks → CISO

FUTURE: Multi-stakeholder approach

Page 47

How can I reduce the risk?

The CSC Digital Optimization Plan

Page 48

Checklist

• Consolidate all domain names onto a single DNS platform
• Consider DDoS protection/mitigation service
• Consider DNSSEC to combat spoofing/man-in-the-middle attacks
• User review – Ensure access to critical in-house and third-party systems (domains, DNS, etc.) is correct
• Employ two-factor authentication (IP validation or token based security) on these systems
• Place critical domains on registrar/registry lock (CSC MultiLock)
• Train staff with system access on social engineering awareness
• Ensure your third-party providers are employing two factor authentication and providing social engineering awareness
• Employ third-party phishing detection and takedown solution
• Employ email fraud prevention solution and apply a DMARC policy on your sending domains
• Educate your customers!