Oak Bank Business Breakfast Seminar - Stock Yards Bank
Cybersecurity PRESENTED BY:
DR. KEVIN F. STREFF
FOUNDER, SBS CYBERSECURITY, LLC
©2017 SBS CyberSecurity, LLC www.sbscyber.com 1
Agenda
• Cybersecurity in today’s world
• Top cybersecurity threats:
◦ Spot Phishing (share with your staff)
◦ Business Email Compromise
◦ Commercial Account Takeover
◦ Ransomware
◦ Microsoft Support Scam
◦ PoS Fraud
• Addressing Cybersecurity
◦ Basic Security Controls
◦ Security Processes
Phishing Examples
https://www.us-cert.gov/ncas/alerts/TA13-309A
https://www.us-cert.gov/ncas/tips/ST15-001
Phishing Process
Goals:
• Money
• Data
[Diagram of the phishing process; labels: www.website.com, User Action, Malicious]
General Situations
Remember:
• Legitimate companies do not send email requesting sensitive information.
• You are asked to click a link or open an attachment.
• You are asked to verify or update your account, stop payment on a charge, or complete some other important, time-sensitive process.
Think before you click.
Alarmist Message
• Do this or else.
• Criminals try to create a sense of urgency so you’ll respond without thinking.
Inspect Sender
• Make sure the email address matches the name.
• Verify the email address is accurate.
• Generally from unknown senders, but anyone is fair game.
Review Salutation
• Greetings should be professional.
• Look for a personal greeting.
Grammar/Spelling
• Oftentimes phishing messages have typos, grammatical errors, or extra characters.
Examine Hyperlinks
• Hover over links.
• Type the address into the browser yourself to avoid subtle changes.
[Screenshot label: www.bank.com]
Best Practices
• Is it worth the risk?
◦ Don’t click or open attachments unless you’re willing to take the risk.
◦ Will the customer or bank benefit from addressing this email’s “business need”?
◦ Is it important enough to justify the risk?
• Verify with a trusted method
◦ Call the sender to verify
• Discuss with a manager, IT resource, or expert
• Delete suspected messages
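The phishing checklist from the preceding slides (inspect sender, alarmist wording, generic salutation, link text versus real destination) applied to a raw message, as an added Python example that is not part of the presentation. The sample message, its domains, the urgency phrase list and the expected bank domain are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Urgency phrases: an assumed short list for the example, not an exhaustive one.
URGENCY_WORDS = ("immediately", "suspended", "verify your account", "within 24 hours", "or else")
# Simple <a href="...">text</a> anchors only; real HTML mail needs a proper parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(value):
    """Lower-cased host of a URL, or of bare link text such as 'www.bank.com'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_site(host, domain):
    """True only for the domain itself or a subdomain of it (evilbank.com is not bank.com)."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_email, expected_domain):
    """Apply the slide checklist to one raw message; returns the list of findings."""
    msg = message_from_string(raw_email)
    expected_domain = expected_domain.lower()
    findings = []
    # Inspect Sender: the address domain must match the name it claims to be.
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    if not same_site(sender_host, expected_domain):
        findings.append(f"sender '{display}' uses domain {sender_host}, not {expected_domain}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    lowered = (msg.get("Subject", "") + " " + body).lower()
    # Alarmist Message: urgency wording pushes you to act without thinking.
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    # Review Salutation: a generic greeting instead of your name.
    if re.search(r"dear\s+(valued\s+)?(customer|user|member)", lowered):
        findings.append("generic greeting instead of a personal one")
    # Examine Hyperlinks: what the link shows versus where it really goes.
    for href, text in ANCHOR_RE.findall(body):
        shown = host_of(text) if "." in text else ""
        real = host_of(href)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        elif not same_site(real, expected_domain):
            findings.append(f"link to unexpected host {real}")
    return findings


# Constructed sample message for the example; every domain in it is made up.
SAMPLE = """From: Bank Security Team <alerts@bank-secure-alerts.net>
Subject: Your account will be suspended within 24 hours
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. Verify your account immediately or else it will be closed.</p>
<p><a href="http://www.bank.com.verify-login.net/acct">www.bank.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE, "bank.com"):
        print("-", finding)
```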
Phishing Trends
2016 Verizon Report
91% of successful data breaches started with a spear-phishing attack?
Antiphishing Workgroup
• “…around 85% of cyber attacks are now targeting small businesses.” - Howard Schmidt (Former White House Cybersecurity Coordinator)
• Verizon Data Breach Report - 70% of all information breaches happened against companies with less than 100 staff
• “In fact, 71 percent of cyber-attacks occur at businesses with fewer than 100 employees.”
Commercial Account Takeover
[Diagram labels: ACH or Wire Fraud, Cash Management, Online Banking, Bill Pay, Wire Phone Request, Wire Fax Request, Wire Email Request, ACH Batch File, P2P or A2A transactions]
Business Email Compromise
FBI reports $3.1 billion in BEC losses as of May 2016, a 1,300% increase since January 2015.
[Diagram labels: Corporate Account Takeover, Business System Compromised, Business Email Compromise]
Real Case Study: Business System Compromise
[Diagram: UPS phishing email -> receptionist opens -> pivot -> infects accounting PC -> 8 new employees, $70,000 loss]
Distributed Denial of Service
[Diagram labels: Hacker, Thousands of Hacked Computers, Victim Business]
Notable Incidents
• May 2013 - J.T. Alexander & Son Inc.
◦ $800,000 in ACH transactions ranging from 5-10K to 60 mules; the company has 15 employees with an average 30K payroll.
• April 2013 - Chelan County Public Hospital
◦ $1M in ACH transactions from the payroll account using 96 mules
◦ Identified by Brian Krebs
• December 2012 - Efficient Services Escrow Group
◦ $1.5M in wires ($0.4M in December and $1.1M in January). Forced the company to close.
• December 2012 - Ascent Builders Inc.
◦ $900,000 in wires and ACH, covered up by a DDoS
◦ Identified by Brian Krebs
• February 2014 - The Scoular Co., Omaha, NE
◦ $17.2M to China using BEC fraud (aka CEO fraud or man-in-the-email)
• August 2014 - Ubiquiti Networks, San Jose, CA
◦ $46.7M to Hong Kong and other overseas accounts. BEC fraud.
New Malware
[Chart; source: McAfee, December 2016]
Ransomware
SBS Toolkit: https://www.protectmybank.com/blog/Free%20Offer%20Ransomware%20Toolkit/
How Ransomware Works
1. User receives a spammed message with an attachment.
2. The attachment is downloader malware that connects to URLs hosting the ransomware.
3. The ransomware is downloaded to the computer.
4. Files on the affected computer are encrypted.
5. A ransom message is displayed, stating the deadline and amount.
6. Victims must use the Tor browser to pay in Bitcoin.
Ransomware in the Real World
Company: Hollywood Presbyterian Medical Center
Type of Attack: Data encryption
Ransom Request: Payment in exchange for return of data
Outcome: Paid $17,000 ransom in bitcoins to unlock data encrypted by the cyber attackers. The hospital president/CEO noted that his organization decided to pay the ransom because obtaining the decryption key from the attacker was “the quickest and most efficient way to restore our systems and administrative functions.”

Company: Code Spaces
Type of Attack: DDoS
Ransom Request: Payment in exchange for returning operational control
Outcome: The company did not pay off the extortionist. In the end the company stated that “most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.” The situation led the company to shut its doors.
http://www.usatoday.com/story/tech/news/2016/11/28/san-francisco-metro-hack-meant-free-rides-saturday/94545998/
Ransomware Details
• Approximately 50% of Americans pay the ransom (Tripwire)
• Beginning rates around 1 to 3 bitcoin ($300-$750), some in excess of $17,000
• Paying the ransom does not remove the malware
• There is no guarantee that payment will result in release of your files (Kansas Heart Hospital)
• The FBI suggests you don’t pay ransoms. Or do they?
Tips for Dealing with the Ransomware Threat
While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.
Prevention Efforts
◦ Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
◦ Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
◦ Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
◦ Manage the use of privileged accounts: no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
◦ Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
◦ Disable macro scripts from office files transmitted over e-mail.
◦ Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
Business Continuity Efforts
◦ Back up data regularly and verify the integrity of those backups regularly.
◦ Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
Source: https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise
Microsoft Tech Support Fraud
https://www.microsoft.com/en-us/safety/online-privacy/avoid-phone-scams.aspx
POS Fraud: 1,000+ Small Businesses
"Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that more than 1,000 U.S. businesses are affected," stated US-CERT.
PCI Breach Investigations
https://www.pcisecuritystandards.org/pci_security/
Small Business Information Security
• October 2009: NISTIR 7621 was released
• Assists small business management in understanding how to provide basic security for their information, systems, and networks.
• Provides commercially reasonable security measures which will reduce the likelihood of a security incident.
• Three basic areas which may reduce the likelihood:
◦ Absolutely Necessary (today’s focus)
◦ Highly Recommended
◦ Other Considerations
• http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
1) Malware - Viruses, Trojans, Spyware
• If your networks access the internet, then you have risk from malware (malicious software).
1) My organization uses anti-virus and anti-spyware (malware) software:
1) I am not aware of what kind of software we use
2) We do not use this type of software
3) We have it on some computers
4) We have it on all computers but it is not updated on a regular basis and I question the quality of the product
5) We update our software and scan all computers daily with a quality product
2) Hardware Firewall
• Most small businesses have a broadband (high speed) internet connection which is always “on”. This leaves the network susceptible to network attacks on a 24/7 basis.
2) My organization secures our internet connection with a hardware firewall:
1) I am not aware if we have a hardware firewall
2) We do not use a hardware firewall
3) We have a hardware firewall but I am not sure of its quality
4) We have a commercial grade hardware firewall
5) We have a commercial grade hardware firewall that has all default security settings changed
3) Software Firewall
• In addition to hardware firewalls, software firewalls should be used on all workstations.
• Software firewalls protect workstations from each other.
• Microsoft provides a built-in firewall.
3) My organization has a software firewall on all computers:
1) I am not aware if we have any software firewalls
2) We do not use a software firewall
3) We have a software firewall installed on a few computers
4) We have a software firewall installed on all computers
5) We have a commercial grade software firewall installed on all computers
4) Software Patching
• All operating systems, such as Microsoft Windows, Apple OSX, and all distributions of UNIX/Linux, have patches that need to be installed on a regular basis.
• Most software products require patches, including Microsoft Office, Adobe, Java, QuickTime, Firefox.
• These patches fix compatibility issues and known security vulnerabilities; not applying them leaves you vulnerable.
4) My organization applies security patches and updates to software programs:
1) I am not aware if we address security patches and updates
2) We do not patch or update any software
3) We patch and update some computers intermittently
4) We have Microsoft updates set to automatically install on all computers
5) We automatically update Microsoft and regularly update other critical programs on all computers
5) Backup Data
• Backing up your data protects it from numerous threats:
◦ Ransomware
◦ Hackers destroying your computer
◦ Malware corrupting your data
◦ Fire and other natural disasters destroying your systems
◦ Many other threats
• Include all your critical data; back up often.
• Store a copy offsite.
• Test your backup process to know you can restore data.
5) My organization creates electronic backup copies of important data/information:
1) I am not aware if any information is backed up electronically
2) We do not create electronic backup copies of any information
3) We create backup copies of some important data intermittently
4) We create backups of all important data on a weekly basis
5) We back up all critical data weekly, test it monthly, and keep a copy off-site
6) Physical Access Security
• Secure each entrance point
• Monitor areas for unauthorized people
• Escort visitors around the building
• Secure documents, computers, servers from theft
[Photos captioned “Secure?”]
6) My organization controls unauthorized physical access to protect our computers and important information:
1) I am not aware how we control physical security
2) We allow anyone to walk into our organization’s sensitive areas unchallenged
3) We might sometimes challenge people who we do not recognize
4) We identify and challenge all third parties entering our organization’s sensitive areas and lock all secondary entrances
5) We identify and challenge all third parties entering our organization’s sensitive areas, lock all secondary entrances and also consider the placement of paper documents and computer monitors to protect information
7) Wireless Security
• Do not use wireless unless required for business
• Securely configure all wireless devices and access points.
• Most users implement with default settings
◦ Default passwords - http://cirt.net/passwords
• WEP encryption can be hacked in hours; use WPA2 with longer passphrases (21 complex characters)
• Security vulnerabilities in wireless technology: www.us-cert.gov/cas/techalerts/TA12-006A.html
• Update wireless software and firmware
• Users connect wireless devices to unsecured wireless, then conduct business.
7) My organization secures our wireless access points:
1) I am not aware if we have wireless
2) We bought a wireless access point and just connected it to our internal network
3) We use some type of security settings on our wireless
4) We use strong security settings and changed default settings on our wireless
5) We strictly prohibit wireless technology from being connected to our network
8) Security Awareness Training
• Employees should read security policies
• Employees should sign an Acceptable Use Agreement
• Employees should receive training on security threats:
◦ Malware
◦ Phishing
◦ Social Engineering
◦ Unauthorized Access
8) My organization trains our employees on basic security principles:
1) I am not aware of what training on security principles is done
2) We do not provide any training
3) We require employees handling sensitive information to watch webinars, read articles, and go to seminars on information security
4) We train employees when hired and on a regular basis by informed security personnel
5) We train employees when hired and on a regular basis by informed security personnel and we require all employees sign a statement that they understand our organization’s security policies
9) Unique User Accounts
• Users should have a unique login to all computers, programs, and websites.
• Users should not be administrators on their local machine. If users can install software, then malware can install itself on the computer when clicked.
• Complex passwords - the password Spring16 can be cracked on a normal computer in 24 seconds.
• Secure passwords - 73% of users share the passwords which they use for online banking with at least one nonfinancial website.
• If it’s easy to remember, it’s easy to guess. Try mnemonics:
“Proud to be an American” + birth year = PtbaA!(*) where the birth year 1980 is typed in using the shift key
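The mnemonic construction from the slide and a check for the word-plus-number pattern it warns about (Spring16), as an added Python example that is not part of the presentation. The US keyboard shift mapping, the 200,000-word dictionary size used for the guess estimate, and the weakness rules are assumptions.

```python
import re

# Assumption: US keyboard layout, where each digit typed with shift held gives this symbol.
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")


def mnemonic_password(phrase, year):
    """First letter of each word in the phrase, then the year typed with the shift key held."""
    initials = "".join(word[0] for word in phrase.split())
    return initials + str(year).translate(SHIFTED_DIGITS)


def password_weaknesses(password, min_length=8):
    """Reasons a password misses the slide's bar: 8+ mixed characters that are not a word plus a number."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        reasons.append("fewer than three character classes (letters, numbers, special characters)")
    # Spring16, Summer2017, Password1!: a dictionary word and a short number, not a random string.
    if re.fullmatch(r"[A-Za-z]{3,}\d{1,4}[!?.]?", password):
        reasons.append("dictionary word followed by a number")
    return reasons


def guesses_needed(password, word_list=200_000):
    """Rough size of the search an attacker runs for the pattern the password follows.

    word_list is an assumed dictionary size; word + digits is searched as a word list
    (either capitalisation) times the digit range, anything else as brute force over
    the character classes actually used.
    """
    m = re.fullmatch(r"([A-Za-z]{3,})(\d{1,4})", password)
    if m:
        return word_list * 2 * 10 ** len(m.group(2))
    sizes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    alphabet = sum(n for pat, n in sizes if re.search(pat, password))
    return alphabet ** len(password)


if __name__ == "__main__":
    strong = mnemonic_password("Proud to be an American", 1980)
    for pw in ("Spring16", strong):
        print(pw, password_weaknesses(pw), f"{guesses_needed(pw):.2e} guesses")
```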
9) My organization has unique user accounts for each employee on computers and applications:
1) I am not aware if we have unique user accounts
2) We use unique usernames on some computers and programs
3) We use unique usernames on some computers and programs with passwords
4) We use unique usernames on all computers and programs with good passwords (8 characters consisting of random letters, numbers, and special characters)
5) We use unique usernames on all computers and programs with good passwords that are changed every 3 months plus users do not have administrative privileges
10) Limit Access to Data
• For all employees, provide access to only those systems and only to the specific information that they need to do their jobs.
• Do not allow a single individual to both initiate and approve a transaction (financial or otherwise).
• Limited access reduces the exposure of data to malware and hackers. It also reduces the impact of malicious insiders.
10) My organization limits employee access to data and information:
1) I am not aware if we limit access to data or information
2) We allow employees to access any system and have access to all information
3) We allow employees to access any system but control access to some information
4) We allow employees to access systems and information that is only necessary for their job
5) We allow employees to access systems and information that is only necessary for their job and require two employees initiating and approving transactions (financial or otherwise)
Rate Your Level of Defense
• Identify where you are…
• Take steps to continuously improve your security controls
• Good security does not guarantee protection

Points   Percent Correct
45       90%
40       80%
35       70%
30       60%
Krebs Best Practices
• http://krebsonsecurity.com/online-banking-best-practices-for-businesses/
• The surest way to do that is to maintain a clean computer: start with a fresh install of the operating system and all available security updates, or adopt a “live CD” approach. Other suggestions:
◦ Use a dedicated system to access the bank’s site.
◦ If possible, use something other than Microsoft Windows.
◦ If you must use a multi-purpose machine where you will check email, avoid clicking links in email (see previous tip). Also, set email to display without HTML formatting if possible.
◦ If you installed it, patch it. Keep the operating system up-to-date with patches. It’s equally important to update the third-party software on your system, especially browser plugins.
◦ Remove any unneeded software from dedicated systems used to access the bank’s site. In particular, unneeded plugins (such as Java) should be junked.
◦ Avoid opening attachments in email that you were not expecting.
◦ Use a bookmark to access the bank’s site.
◦ Remember that antivirus software is no substitute for common sense.
◦ If your financial institution offers it, consider taking advantage of ACH Positive Pay.
◦ Require two people to sign off on every transaction.
Social Engineering
• Test & train your employees
• Real-life examples in a controlled setting
• Types include:
◦ Phishing Emails
◦ Phone Impersonation
◦ Physical Impersonation
◦ Dumpster Diving
Security Lifecycle
1. Assess Risk
2. Implement Controls
3. Audit Controls
◦ Vulnerability Assessment
◦ Penetration Testing
◦ Social Engineering
◦ Security Audit
Summary
• Security is everyone’s responsibility!
• Take steps to secure YOUR financial information on YOUR networks.
• Work with your bank to establish normal patterns of banking.
• Report suspicious activity or situations.
Dr. Kevin Streff
– Professor of Cybersecurity at Dakota State University • [email protected] • (605) 270-0790
– Founder: SBS Cybersecurity, LLC. • www.sbscyber.com • [email protected] • (605) 270-0790