Oak Bank Business Breakfast Seminar - Stock Yards Bank

Post on 09-Jun-2018


Cybersecurity

Presented by: Dr. Kevin F. Streff, Founder, SBS CyberSecurity, LLC

©2017 SBS CyberSecurity, LLC www.sbscyber.com 1

Agenda

• Cybersecurity in today’s world
• Top cybersecurity threats:
  ◦ Spot Phishing (share with your staff)
  ◦ Business Email Compromise
  ◦ Commercial Account Takeover
  ◦ Ransomware
  ◦ Microsoft Support Scam
  ◦ PoS Fraud
• Addressing Cybersecurity
  ◦ Basic Security Controls
  ◦ Security Processes

Criminal Types


Data Breaches


Online Card Sale


Phishing Examples

https://www.us-cert.gov/ncas/alerts/TA13-309A
https://www.us-cert.gov/ncas/tips/ST15-001

Phishing Process

Goals:
• Money
• Data

(Diagram labels: www.website.com, User Action, Malicious, Malicious)

General Situations

Remember:
• Legitimate companies do not send email requesting sensitive information.
• You are asked to click a link or open an attachment.
• You are asked to verify or update your account, stop payment on a charge, or complete some other important, time-sensitive process.

Think before you click.

Alarmist Message

• “Do this or else.”
• Criminals try to create a sense of urgency so you’ll respond without thinking.

Inspect Sender

• Make sure the email address matches the name
• Verify the email address is accurate
• Generally from unknown senders, but anyone is fair game.

Review Salutation

• Greetings should be professional
• Look for a personal greeting

Grammar/Spelling

• Phishing messages often have typos, grammatical errors, or extra characters.

Examine Hyperlinks

• Hover over links.
• Type the address into the browser yourself to avoid subtle changes (example: www.bank.com).
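The sender, urgency and hyperlink checks from the slides above, applied to a constructed message. This is an added example, not material from the presentation; the trusted domain, the urgency phrases and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that signal the "do this or else" pressure described in the slides.
URGENCY = ("immediately", "within 24 hours", "will be suspended", "verify your account")
# Crude anchor extractor, good enough for simple HTML mail bodies.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

# Constructed sample: the display name claims to be the bank, the address is on
# an unrelated domain, and the link text shows the bank's host while the href
# points somewhere else.
SAMPLE = """\
From: "Bank Security Team" <alerts@mail-bank-verify.example>
Subject: Action required: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended unless you confirm your details now:
<a href="http://login.bank-example.net/verify">www.bank.com/verify</a></p>
"""


def host_of(text):
    """Lower-cased hostname of a URL, or of a bare 'www.host/path' string."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message, trusted_domain):
    """Return the indicators found; an empty list means none of the slides'
    red flags (sender, urgency, hyperlinks) were triggered."""
    msg = message_from_string(raw_message)
    flags = []
    # Inspect Sender: does the address match the name it claims?
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    org = trusted_domain.split(".")[0]
    if not in_domain(sender_domain, trusted_domain):
        flags.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
        if org in name.lower():
            flags.append(f"display name {name!r} claims {org!r} but address does not")
    # Alarmist Message: urgency wording in the subject or the body text.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY if p in plain]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    # Examine Hyperlinks: compare the visible text with the real destination.
    for href, text in ANCHOR.findall(body):
        shown, real = host_of(text.strip()), host_of(href)
        if "." in text and shown != real:
            flags.append(f"link text shows {shown!r} but points to {real!r}")
        if real and not in_domain(real, trusted_domain):
            flags.append(f"link to untrusted host {real!r}")
    return flags
```

A message from the bank's own domain with matching link text and no urgency wording returns an empty list; the constructed sample trips all three checks.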

Best Practices

• Is it worth the risk?
  ◦ Don’t click or open attachments unless you’re willing to take the risk.
  ◦ Will the customer or bank benefit from addressing this email’s “business need”?
  ◦ Is it important enough for the risk?
• Verify with a trusted method
  ◦ Call the sender to verify
• Discuss with a manager, IT resource, or expert
• Delete suspected messages

Phishing Trends

2016 Verizon Report: 91% of successful data breaches started with a spear-phishing attack?

Anti-Phishing Working Group

Commercial Account Takeover

• “…around 85% of cyber attacks are now targeting small businesses.” - Howard Schmidt (Former White House Cybersecurity Coordinator)
• Verizon Data Breach Report - 70% of all information breaches happened against companies with less than 100 staff
• “In fact, 71 percent of cyber-attacks occur at businesses with fewer than 100 employees.”

(Diagram labels: ACH or Wire Fraud; Cash Management; Online Banking; Bill Pay Online; Banking; Wire Phone Request; Wire Fax Request; Wire Email Request; ACH Batch File; P2P or A2A transactions)

Business Email Compromise

• Corporate Account Takeover
• FBI reports $3.1 billion in BEC losses as of May 2016, a 1,300% increase since January 2015.
• Business System Compromised

CEO Fraud/BEC Attacks


Real Case Study: Business System Compromise

1. UPS phishing email; receptionist opens it
2. Pivot
3. Infects accounting PC
4. 8 new employees, $70,000 loss

Distributed Denial of Service

(Diagram: Hacker → Thousands of Hacked Computers → Victim Business)

Notable Incidents

• May 2013 - J.T. Alexander & Son Inc.
  ◦ $800,000 in ACH transactions ranging from 5-10K to 60 mules; company has 15 employees with average 30K payroll.
• April 2013 – Chelan County Public Hospital
  ◦ $1M in ACH transactions from payroll account using 96 mules
  ◦ Identified by Brian Krebs
• December 2012 - Efficient Services Escrow Group
  ◦ $1.5M in wires (December .4M and January 1.1M). Forced company to close.
• December 2012 – Ascent Builders Inc.
  ◦ $900,000 in wires and ACH covered up by DDOS
  ◦ Identified by Brian Krebs
• February 2014 – The Scoular Co. - Omaha, NE
  ◦ $17.2M to China using BEC Fraud (aka CEO fraud or man-in-the-email)
• August 2014 – Ubiquiti Networks - San Jose, CA
  ◦ $46.7M to Hong Kong and other overseas accounts. BEC Fraud.

New Malware

McAfee December 2016


Ransomware

SBS Toolkit: https://www.protectmybank.com/blog/Free%20Offer%20Ransomware%20Toolkit/

How Victims Are Infected


How Ransomware Works

1. User receives spammed message with attachment.
2. Attachment is downloader malware that connects to URLs hosting the ransomware.
3. The ransomware is downloaded to the computer.
4. Files in the affected computer are encrypted.
5. A ransom message is displayed, stating the deadline and amount.
6. Victims must use Tor browser to pay using Bitcoins.

Ransomware in the Real World

Company: Hollywood Presbyterian Medical Center
Type of Attack: Data encryption
Ransom Request: Payment in exchange for return of data
Outcome: Paid $17,000 ransom in bitcoins to unlock data encrypted by the cyber attackers. The hospital president/CEO noted that his organization decided to pay the ransom because obtaining the decryption key from the attacker was “the quickest and most efficient way to restore our systems and administrative functions.”

Company: Code Spaces
Type of Attack: DDoS
Ransom Request: Payment in exchange for returning operational control
Outcome: Company did not pay off the extortionist. In the end the company stated that “most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.” The situation led the company to shut its doors.

http://www.usatoday.com/story/tech/news/2016/11/28/san-francisco-metro-hack-meant-free-rides-saturday/94545998/


The Scary Facts


Ransomware Details

• Approximately 50% of Americans pay the ransom (Tripwire)
• Beginning rates around 1 to 3 bitcoin ($300-$750); some in excess of $17,000
• Paying the ransom does not remove the malware
• There is no guarantee that payment will result in release of your files (Kansas Heart Hospital)
• FBI suggests you don’t pay ransoms. Or do they?

Tips for Dealing with the Ransomware Threat

While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.

Prevention Efforts
◦ Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
◦ Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
◦ Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
◦ Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
◦ Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
◦ Disable macro scripts from office files transmitted over e-mail.
◦ Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts
◦ Back up data regularly and verify the integrity of those backups regularly.
◦ Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

Source: https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise

Microsoft Tech Support Fraud

https://www.microsoft.com/en-us/safety/online-privacy/avoid-phone-scams.aspx

POS Fraud: 1,000+ Small Businesses

"Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that more than 1,000 U.S. businesses are affected," stated US-CERT.


PCI Breach Investigations

https://www.pcisecuritystandards.org/pci_security/

Small Business Information Security

• October 2009: NISTIR 7621 was released
• Assists small business management in understanding how to provide basic security for their information, systems, and networks.
• Provides commercially reasonable security measures which will reduce the likelihood of a security incident.
• Three basic areas which may reduce likelihood:
  ◦ Absolutely Necessary (today’s focus)
  ◦ Highly Recommended
  ◦ Other Considerations
• http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

1) Malware - Virus, Trojans, Spyware

• If your networks access the internet, then you have risk from Malware (Malicious Software).

1) My organization uses anti-virus and anti-spyware (malware) software:

1) I am not aware of what kind of software we use
2) We do not use this type of software
3) We have it on some computers
4) We have it on all computers but it is not updated on a regular basis and I question the quality of the product
5) We update our software and scan all computers daily with a quality product

2) Hardware Firewall

• Most small businesses have a broadband (high speed) internet connection which is always “on”. This leaves the network susceptible to network attacks on a 24/7 basis.

2) My organization secures our internet connection with a hardware firewall:

1) I am not aware if we have a hardware firewall
2) We do not use a hardware firewall
3) We have a hardware firewall but I am not sure on its quality
4) We have a commercial grade hardware firewall
5) We have a commercial grade hardware firewall that has all default security settings changed

3) Software Firewall

• In addition to hardware firewalls, software firewalls should be used on all workstations.
• Software firewalls protect workstations from each other.
• Microsoft provides a built-in firewall.

3) My organization has a software firewall on all computers:

1) I am not aware if we have any software firewalls
2) We do not use a software firewall
3) We have a software firewall installed on a few computers
4) We have a software firewall installed on all computers
5) We have a commercial grade software firewall installed on all computers

4) Software Patching

• All operating systems such as Microsoft Windows, Apple OSX, and all distributions of UNIX/Linux have patches that need to be installed on a regular basis.
• Most software products require patches, including Microsoft Office, Adobe, Java, QuickTime, Firefox.
• These patches fix compatibility issues and known security vulnerabilities; not applying them leaves you vulnerable.

4) My organization applies security patches and updates to software programs:

1) I am not aware if we address security patches and updates
2) We do not patch or update any software
3) We patch and update some computers intermittently
4) We have Microsoft updates set to automatically install on all computers
5) We automatically update Microsoft and regularly update other critical programs on all computers

5) Backup Data

• Backing up your data protects it from numerous threats:
  ◦ Ransomware
  ◦ Hackers destroying your computer
  ◦ Malware corrupting your data
  ◦ Fire and other natural disasters destroying your systems
  ◦ Many other threats
• Include all your critical data; back up often.
• Store a copy offsite.
• Test your backup process to know you can restore data.

5) My organization creates electronic backup copies of important data/information:

1) I am not aware if any information is backed up electronically
2) We do not create electronic backup copies of any information
3) We create backup copies of some important data intermittently
4) We create backups of all important data on a weekly basis
5) We backup all critical data weekly, test it monthly, and keep a copy off-site
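An added example (not from the presentation or SBS) covering both the FBI tip to verify backup integrity regularly and this slide's advice to test that you can actually restore: a manifest of SHA-256 digests taken at backup time is compared against a restored copy. It assumes a POSIX filesystem and builds its sample files in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file (relative to root) to its SHA-256 digest. Keep the
    manifest with the backup, somewhere the backup job itself cannot overwrite."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time and
    report files that are missing, altered, or unexpectedly present."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up a tiny tree, confirm a faithful restore
    verifies clean, then damage the restore and confirm the check catches it."""
    work = Path(tempfile.mkdtemp())
    src, restore = work / "source", work / "restore"
    (src / "ledger").mkdir(parents=True)
    (src / "ledger" / "2017-q1.csv").write_text("acct,amount\n1001,250.00\n")
    (src / "payroll.xlsx").write_bytes(b"PK\x03\x04 constructed payroll bytes")
    manifest = build_manifest(src)
    shutil.copytree(src, restore)
    clean = verify_restore(manifest, restore)
    # Damage the restored copy the way ransomware or a bad tape would: one file
    # overwritten, one missing, one stray file added.
    (restore / "ledger" / "2017-q1.csv").write_bytes(b"\x00\x11\x22 constructed encrypted junk")
    (restore / "payroll.xlsx").unlink()
    (restore / "README_DECRYPT.txt").write_text("constructed ransom note")
    damaged = verify_restore(manifest, restore)
    shutil.rmtree(work)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run the same comparison against a restore performed from the offsite copy; a clean result there is the evidence that the backup process works, not just that the backup job ran.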

6) Physical Access Security

• Secure each entrance point
• Monitor areas for unauthorized people
• Escort visitors around the building
• Secure documents, computers, servers from theft

6) My organization controls unauthorized physical access to protect our computers and important information:

1) I am not aware how we control physical security
2) We allow anyone to walk into our organization’s sensitive areas unchallenged
3) We might sometimes challenge people who we do not recognize
4) We identify and challenge all third parties entering our organization’s sensitive areas and lock all secondary entrances
5) We identify and challenge all third parties entering our organization’s sensitive areas, lock all secondary entrances and also consider the placement of paper documents and computer monitors to protect information

7) Wireless Security

• Do not use wireless unless required for business
• Securely configure all wireless devices and access points.
• Most users implement with default settings
  ◦ Default passwords - http://cirt.net/passwords
• WEP encryption can be hacked in hours (use WPA2!) with longer passphrases (21 characters, complex)
• Security vulnerabilities in wireless technology: www.us-cert.gov/cas/techalerts/TA12-006A.html
• Update wireless software and firmware
• Users connect wireless devices to unsecured wireless, then conduct business.

7) My organization secures our wireless access points:

1) I am not aware if we have wireless
2) We bought a wireless access point and just connected it to our internal network
3) We use some type of security settings on our wireless
4) We use strong security settings and changed default settings on our wireless
5) We strictly prohibit wireless technology from being connected to our network

8) Security Awareness Training

• Employees should read security policies
• Employees should sign an Acceptable Use Agreement
• Employees should receive training on security threats:
  ◦ Malware
  ◦ Phishing
  ◦ Social Engineering
  ◦ Unauthorized Access

8) My organization trains our employees on basic security principles:

1) I am not aware of what training on security principles is done
2) We do not provide any training
3) We require employees handling sensitive information to watch webinars, read articles, and go to seminars on information security
4) We train employees when hired and on a regular basis by informed security personnel
5) We train employees when hired and on a regular basis by informed security personnel, and we require all employees to sign a statement that they understand our organization’s security policies

9) Unique User Accounts

• Users should have a unique login to all computers, programs, and websites.
• Users should not be administrators on their local machine. If users can install software, then malware can install itself to the computer when clicked.
• Complex passwords - the password Spring16 can be cracked on a normal computer in 24 seconds.
• Secure passwords - 73% of users share the passwords which they use for online banking with at least one nonfinancial website.
• If it’s easy to remember, it’s easy to guess. Try mnemonics: “Proud to be an American” + birth year = PtbaA!(*), where the birth year 1980 is typed in using the shift key.

9) My organization has unique user accounts for each employee on computers and applications:

1) I am not aware if we have unique user accounts
2) We use unique usernames on some computers and programs
3) We use unique usernames on some computers and programs with passwords
4) We use unique usernames on all computers and programs with good passwords (8 characters consisting of random letters, numbers, and special characters)
5) We use unique usernames on all computers and programs with good passwords that are changed every 3 months plus users do not have administrative privileges

10) Limit Access to Data

• For all employees, provide access to only those systems and only to the specific information that they need to do their jobs.
• Do not allow a single individual to both initiate and approve a transaction (financial or otherwise).
• Limited access reduces the exposure of data to malware and hackers. It also reduces the impact of malicious insiders.

10) My organization limits employee access to data and information:

1) I am not aware if we limit access to data or information
2) We allow employees to access any system and have access to all information
3) We allow employees to access any system but control access to some information
4) We allow employees to access systems and information that is only necessary for their job
5) We allow employees to access systems and information that is only necessary for their job and require two employees initiating and approving transactions (financial or otherwise)

Rate Your Level of Defense

• Identify where you are…
• Take steps to continuously improve your security controls
• Good security does not guarantee protection

Points  Percent Correct
45      90%
40      80%
35      70%
30      60%

Krebs Best Practices

• http://krebsonsecurity.com/online-banking-best-practices-for-businesses/
• The surest way to do that is to maintain a clean computer: Start with a fresh install of the operating system and all available security updates, or adopt a “live CD” approach. Other suggestions:
  ◦ Use a dedicated system to access the bank’s site.
  ◦ If possible, use something other than Microsoft Windows.
  ◦ If you must use a multi-purpose machine where you will check email, avoid clicking links in email (see previous tip). Also, set email to display without HTML formatting if possible.
  ◦ If you installed it, patch it. Keep the operating system up-to-date with patches. It’s equally important to update the third-party software on your system, especially browser plugins.
  ◦ Remove any unneeded software from dedicated systems used to access the bank’s site. In particular, unneeded plugins (such as Java) should be junked.
  ◦ Avoid opening attachments in email that you were not expecting.
  ◦ Use a bookmark to access the bank’s site.
  ◦ Remember that antivirus software is no substitute for common sense.
  ◦ If your financial institution offers it, consider taking advantage of ACH Positive Pay.
  ◦ Require two people to sign off on every transaction.
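An added example, not from the presentation or from Krebs, of the rule stated under Limit Access to Data and again in the last bullet above: a transaction queue that enforces least-privilege permissions and refuses to let the person who initiated a transaction also approve it. The users, permissions and amounts are constructed.

```python
from dataclasses import dataclass
from typing import Optional


class DualControlError(Exception):
    """Raised when one person would both initiate and approve a transaction."""


@dataclass
class Transaction:
    tx_id: int
    amount: float
    payee: str
    initiated_by: str
    approved_by: Optional[str] = None


class TransactionQueue:
    """Least privilege plus dual control: users act only with permissions they
    hold, and nothing is released until a different user with 'approve' signs."""

    def __init__(self, permissions):
        self.permissions = permissions   # user -> {"initiate", "approve"}
        self.pending, self.released = {}, []
        self.audit = []                  # append-only trail for later review
        self._next_id = 1

    def _require(self, user, permission):
        if permission not in self.permissions.get(user, set()):
            self.audit.append(f"DENY {user} lacks {permission}")
            raise PermissionError(f"{user} may not {permission}")

    def initiate(self, user, amount, payee):
        self._require(user, "initiate")
        tx = Transaction(self._next_id, amount, payee, initiated_by=user)
        self._next_id += 1
        self.pending[tx.tx_id] = tx
        self.audit.append(f"INIT tx{tx.tx_id} {amount:.2f} to {payee} by {user}")
        return tx

    def approve(self, user, tx_id):
        self._require(user, "approve")
        tx = self.pending[tx_id]         # KeyError if unknown or already released
        if user == tx.initiated_by:      # the dual-control rule from the slides
            self.audit.append(f"DENY tx{tx_id} self-approval attempt by {user}")
            raise DualControlError(f"{user} initiated tx{tx_id} and cannot approve it")
        tx.approved_by = user
        self.released.append(self.pending.pop(tx_id))
        self.audit.append(f"RELEASE tx{tx_id} approved by {user}")
        return tx


def demo():
    """Constructed scenario: alice holds both permissions yet cannot approve
    her own wire; carol has none; bob releases it as the second signer."""
    q = TransactionQueue({"alice": {"initiate", "approve"}, "bob": {"approve"}, "carol": set()})
    tx = q.initiate("alice", 12500.0, "constructed-payee")
    outcome = {}
    try:
        q.approve("alice", tx.tx_id)
    except DualControlError:
        outcome["self_approval"] = "blocked"
    try:
        q.initiate("carol", 50.0, "constructed-payee")
    except PermissionError:
        outcome["unprivileged_initiate"] = "blocked"
    outcome["released_by"] = q.approve("bob", tx.tx_id).approved_by
    return outcome, q.audit
```

The DENY entries in the audit trail are the events worth reviewing: a self-approval attempt or an unprivileged initiation is exactly the "suspicious activity" the summary slide asks you to report.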

Social Engineering

• Test & train your employees
• Real life examples in a controlled setting
• Types include:
  ◦ Phishing Emails
  ◦ Phone Impersonation
  ◦ Physical Impersonation
  ◦ Dumpster Diving

Security Lifecycle

1. Assess Risk
2. Implement Controls
3. Audit Controls
  ◦ Vulnerability Assessment
  ◦ Penetration Testing
  ◦ Social Engineering
  ◦ Security Audit

Summary

• Security is everyone’s responsibility!
• Take steps to secure YOUR financial information on YOUR networks.
• Work with your Bank to establish normal patterns of banking.
• Report suspicious activity or situations.

False Sense of Security

Dr. Kevin Streff

– Professor of Cybersecurity at Dakota State University • [email protected] • (605) 270-0790

– Founder: SBS Cybersecurity, LLC. • www.sbscyber.com • [email protected] • (605) 270-0790