IT Security Threats to Non-Profits
Community IT Innovators Webinar Series
January 21, 2016
Webinar Tips
• Interact: Ask questions via chat
• Focus: Avoid multitasking
• Slides & Recording: Will be posted on website, YouTube channel and SlideShare
About Community IT
Advancing mission through the effective use of technology.
• Invested: Work exclusively with nonprofit organizations, serving over 900 since 1993.
• Strategic: Help our clients make IT decisions that support mission.
• Collaborative: Team of over 30 staff who empower you to make informed IT choices.
Matthew [email protected] @meshleman
Steve Longenecker, Director – Infrastructure [email protected] @CommunityIT
Agenda
• Threat Landscape
• New in cybercrime
• Community IT Security Playbook
Security is headline news
CYBER SECURITY: A New Headline Every Day
Changes in technology
• SaaS: Subscribe to applications
• IaaS: Rent servers and storage
• CaaS: CyberCrime made easier
Evolution of cyber crime
• OLD (Hacker Organization): Centralized; Build from scratch; Own servers; Expensive; Large targets
• NEW (Crime Ecosystem): Distributed; Buy or hosted; Specialize in areas; Cheap; Smaller targets
Cybercrime is easier than ever
And it’s more accessible to everyone
• Job postings
• Payment systems
• Marketplaces
SMB in the crosshairs
[Chart: Proportion of breaches by org size (15x vs. 1x); orgs with 11-100 employees compared with orgs with <11 or >100 employees]
[Chart: Targeted attacks against SMBs, by year (2011, 2012, 2013); percentages on chart: 41%, 36%, 18%]
Idealware, “What Non-profits need to know about security”, January 2016: http://www.idealware.org/reports/what-nonprofits-need-know-about-security-practical-guide-managing-risk
In fact, many hackers have discovered that nonprofits make good targets. They are easier to penetrate than large companies with security teams and less likely to catch a hacker in the act. Today, most hackers are part of professional rings focused on the bottom line. If there is money to be made by hacking your nonprofit, they won’t hesitate.
Non-Profits can’t hide in the herd
What does it mean to be a target?
https://commons.wikimedia.org/wiki/File:Target_10_points.svg
First stage of attack: Infect
Emails more finely tuned to SMB
TACTIC: Trick SMB into opening link or attachment
http://thetechguyblog.com/wp-content/uploads/2012/08/Screen-Shot-2012-08-13-at-7.37.58-AM.png
http://www.onlinethreatalerts.com/article/2013/12/20/at-t-you-have-a-new-voice-mail-virus-email-message/5.jpg
Malvertising on the Rise
How does malvertising work?
1. Set up a website with exploit kit
2. Run an ad on Yahoo, AOL or other ad network, with legitimate company creative
3. Ad server redirects users to exploit kit site
4. User gets infected
“Attn: NYTimes.com readers: Do not click pop-up box warning about a virus -- it’s an unauthorized ad we are working to eliminate.” (The New York Times)
“Top websites deliver CryptoWall ransomware via malvertising…” (Adam Greenberg, SC Times)
Malvertising Targeting SMBs
Image: http://news.softpedia.com/news/CryptoWall-2-0-Delivered-Through-Malvertising-On-Yahoo-and-Other-Large-Sites-462970.shtml#sgal_0
Explosion in SaaS/CaaS Plug-and-Play Marketplace
Kits cost as little as $200
• ANGLER
• RIG
• ASTRUM
• FIESTA
• BLEEDING LIFE
• BLACKHOLE
• CRIMEPACK
• DOTKACHEF
• FLASHPACK
• GONGDA
• NITERIS
• LIGHTSOUT
• NUCLEAR
• ARCHIE
• SWEETORANGE
Exploit Kits Are Getting Better
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
Malware payload
Increasingly Common Step: Dropper
Increasingly Common Option for Ransomware
1. Bad actor gets a piece of malware on computer
2. Malware sits quietly and just phones home; not the flashy/noisy malware
3. Bad actor sells or rents ability to infect computer; malware phones home; installs main payload: Ransomware, Keylogger, Spambot
4. If contract ends or more capacity, install more malware
TACTIC: Malware that installs other malware
Source: krebsonsecurity.com
• Battle Ground Cinema: $81,000 stolen (Source: Krebs On Security)
• Delray Beach Public Library: $160,000 stolen (Source: Krebs On Security)
• Brookeland Fresh Water Supply District: $35,000 stolen (Source: Krebs On Security)
• Spring Hill Independent School District: $30,687 stolen (Source: News-Journal)
• Crystal Lake Elementary School District 47: $350,000 stolen (Source: McHenry County Blog)
• DKG Enterprises: $100,000 stolen (Source: Krebs On Security)
• Downeast Energy & Building Supply: $150,000 stolen (Source: Bank Info Security)
• Little & King LLC: $164,000 stolen (Source: Krebs On Security)
SMB bank account breaches
But this is just the beginning…
What about DOWNTIME & DATA THEFT?
TACTIC: Ransom encrypted data
• Fake Anti-Virus
• FBI Ransomware
• Cryptovirus
– CryptoLocker
– PrisonLocker
– HowDecrypt
– CryptorBit
– CryptoDefense
– CryptoWall
Ransomware
http://blogs-images.forbes.com/parmyolson/files/2014/02/cryptolocker.png
CryptoVirus workflow
Inbound and outbound communication
1. Infect machine with early stage
• Email
• Exploit kit
• Malvertising
• Dropper
2. Phone home to Command and Control server to get encryption key
3. Encrypt local and network share data
• May take hours to days to fully encrypt
• Makes finding a clean restore difficult
4. Ransom user
• Establish deadline and threaten permanent data loss
TACTIC: Ransom user for encrypted data
“Signature-based tools (antivirus, firewalls, and intrusion prevention) are only effective against 30–50% of current security threats.” (IDC, November 2011)
Test Against Signature Based Tools
http://www.aegiscrypter.com/
New malware executable is tested against AV and UTMs.
If detected, crypter runs again to create zero-day FUD (Fully UnDetectable).
Getting Around Signatures: Crypters
Strengthening security beyond signatures
Security Playbook
• Security Training and Awareness
• Patching
• Backups
• AntiVirus
• Passwords
• Predictive Intelligence
Security Training and Awareness
Help staff be aware of common vectors (spoofed email, advertising, dictionary attacks)
An ounce of prevention is worth a pound of cure – Ben Franklin
We shouldn’t count on technical safety nets
Image courtesy of http://www.pdpics.com/photo/2363-training-glass/
Backups
Set up a backup regime with appropriate Recovery Point Objectives and Recovery Time Objectives.
Don’t just backup files. Backup email. Backup databases. Backup cloud data as well as on-premise data.
Conduct test restores.
Image courtesy of https://commons.wikimedia.org/wiki/User:Evan-Amos from https://commons.wikimedia.org/wiki/File:Sega-Saturn-Backup.jpg
Patching
Patching Windows is Critical
Increasing threats coming from other vectors
Passwords
• Complex (i.e., Long)
• Change relatively frequently
• Incorporate 2 factor authentication (when possible)
Identity and Access Management
Image courtesy of Akhilan, https://commons.wikimedia.org/wiki/File:Debian_Installation_Password_15.jpg
AntiVirus
Based on definition lists of “Bad Software”
Requires regular full system scans
Growing resource footprint
Predictive Intelligence
Machine Learning & Big Data put to use
‒ DNS Filtering and Insight
‒ Reporting and analytics
‒ Next Gen Malicious software detection
Image courtesy of Sam Johnston. Created using OmniGroup's OmniGraffle and Inkscape. https://commons.wikimedia.org/wiki/File:Cloud_computing.svg
Upcoming
Backup and Disaster Recovery for Non-Profits
Community IT Innovators Webinar Series
February 18, 2016
Author: DuMont Television/Rosen Studios, New York-photographer, Uploaded by We hope at en.wikipedia http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG
Provide feedback: Short survey after you exit the webinar. Be sure to include any questions that were not answered.
Missed anything? Link to slides & recording will be emailed to you.
Connect with us
Thank you