2015 – Top IT Risks for Today’s Auto Dealers
Michael Hammond, CISA, CRISC, CISSP, C|EH; Director, IT Audit & Security
O’Connor & Drew P.C. [email protected]
www.ocd.com
Top IT Risks
• Where is your important data?
• Phishing
• WISP
• Patching (OS and applications)
• Reliance on your DMS
Where is your important data?
• Do you have an inventory of all company confidential/sensitive data?
• Do you have an inventory of State/Federal protected data?
You can’t protect what you don’t know you have.
Where is your important data?
Data has a lifecycle:
• Acquire/Create
• Classification
• Storage (At Rest/In Motion)
• Manipulation
• Backup
• Destruction
Where is your important data?
• Collection
▫ Credit card applications
▫ New employee on-boarding documents
• Classification
▫ Are documents labeled? If not, are you wasting time protecting every document, or worse, not protecting the ones that should be labeled?
• Storage
▫ Laptops, phones, and removable media should always be encrypted
▫ Desktops should also be encrypted
Where is your important data?
• Manipulation
▫ When the data is moved from the source to another location, or aggregated, did the classification change? Did two non-sensitive documents elevate to necessitate being protected?
• Backup
▫ Encrypted before leaving the building? External USB? Site to site? Cloud?
• Destruction
▫ Drives MUST always be wiped
▫ Documents should be shredded, regardless of classification
Phishing
• Recon
▫ LinkedIn
▫ Twitter
▫ FaceBook
▫ theHarvester
• 2005 PC World article on Phishing
▫ Defined 12 types of phishing: instant messaging, malware based, session hijacking, pharming, MiTM, search engine, …
• Not much has changed in the past 10 years
▫ Present day: spam, phishing, spear phishing, watering hole attack
• Home Attacks
▫ Links on your phone are especially dangerous.
▫ You often cannot “hover over” the link.
How many errors can you spot?
• Home Attacks
▫ Same email, but from my computer
▫ Hovered over link
▫ Microsoft doesn’t need Bitly: http://bit.ly/1WB0vwF
• Shortened URLs? Use www.getlinkinfo.com
http://www.budaisoszoba.hu/wp-content/languages/HU/WOWEXodObATuXIC/ifeamaka1_tman-outluk22222222222222222.html
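The two checks the slides describe by hand, hovering over a link to compare its visible text with the real destination and treating shortened URLs as a red flag, can be run automatically over an email's HTML body. The Python below is an added example for this transcript, not code from the presentation or from O’Connor & Drew; the shortener host list and the sample email are constructed assumptions, and the link that is flagged is a made-up one.

```python
"""Added example (not from the presentation): flag the two link tricks the
slides discuss, visible link text that does not match the real href (what
you catch by hovering over the link) and a shortened URL that hides its
destination.  Runs offline over a constructed sample email body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a small list of common URL-shortener hosts; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

# Visible anchor text that itself looks like a URL or a bare domain name.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def host_of(url):
    """Return the lowercase hostname of a URL (or bare domain), '' if none."""
    if "://" not in url:
        url = "http://" + url          # treat 'www.example.com/x' as a URL
    return (urlsplit(url).hostname or "").lower()


def bare(host):
    """Drop a leading 'www.' so www.example.com and example.com compare equal."""
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if real_host in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides the destination"))
        # Link text that shows one domain while the href goes to another
        shown_host = host_of(text) if DOMAIN_LIKE.match(text) else ""
        if shown_host and bare(shown_host) != bare(real_host):
            findings.append((href, f"link text shows {shown_host} but goes to {real_host}"))
    return findings


# Constructed sample, modelled on the "Microsoft doesn't need Bitly" slide.
SAMPLE_EMAIL = """
<p>Your Outlook mailbox is almost full.</p>
<p>Please <a href="http://bit.ly/xxxxxxx">verify your account</a> now.</p>
<p>Or visit <a href="http://login-microsoft.example.net/">https://login.microsoftonline.com</a></p>
<p>Questions? See <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The check never fetches anything, so it is safe to run on a suspicious message; it only reports that a shortener is in use. Finding out where the short link actually lands still needs an expander such as the getlinkinfo.com service named on the slide, not a click.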
• Work Attacks
Spear-Phishing
• Targeting Attacks
Spear-Phishing & Watering hole
• Targeting Attacks
Oops, you clicked. Now what?
• Backdoor
Is it really this easy?
• Backdoor ▫ WinSpy
Phishing – What can you do?
• It starts with educating all employees
• Conduct training sessions
• Execute phishing exercises
▫ Start with obvious-looking phishing emails
▫ Work up to more sophisticated emails
Continuous education is key.
• After employees are trained, focus on technology
▫ Edge devices (UTMs, enhanced DNS)
▫ Anti-virus updates
▫ Patching desktops
WISP
Massachusetts Written Information Security Program, required by the State (201 CMR 17.00): http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
One of the first and most strict in the US.
• “create effective administrative, technical and physical safeguards for the protection of personal information of residents of the Commonwealth of Massachusetts”
• “procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information of residents of the Commonwealth of Massachusetts.”
201 CMR 17.00 Compliance Checklist: http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
• Regular monitoring to ensure that the WISP operates effectively to protect both paper and electronic records, to detect any unauthorized use of or access to personal information, and to identify any areas where upgraded safeguards are needed.
▫ We see ineffective preventative controls, and almost no monitoring/detective controls.
• Review of the WISP’s scope at least annually, and whenever there is a material change in business practices that may reasonably implicate the protection of personal information.
▫ About 40% of companies lack a WISP. Most companies cannot produce evidence of annual review.
WISP – What can you do?
• Ensure you have a WISP
• Validate it is up to date and reflects any significant changes in personnel, process, or technology
• Test against the areas defined within the document
Patching
Phishing takes advantage of vulnerable software: the malicious link or attachment exploits an unpatched vulnerability on the user’s computer.
Top 10 Internal Vulnerabilities as of July 2015:
1. Oracle Java SE
2. Microsoft XML Parser
3. Obsolete SNMP Version
4. Microsoft various (3)
5. Oracle Java SE/JRE/JDK
6. Adobe Flash
7. Microsoft Windows Shell
8. Microsoft Windows Journal
Source: https://www.qualys.com/research/top10/
Still the top 3:
• Oracle Java – not updated with Windows Update
• Microsoft OS patches
• Adobe (Flash/Reader) – not updated with Windows Update
Why? Law of large numbers: “stable, long-term results”. These products are installed almost everywhere.
Law of large numbers. Encyclopedia of Mathematics. URL: http://www.encyclopediaofmath.org/index.php?title=Law_of_large_numbers&oldid=26552
• Starting to see Mac OS X exploits
▫ Still far less than Windows
▫ Still requires AV/patching
• Are you managing iOS/Android?
▫ Paranoid? Only allow iOS on your network
▫ Deploy Mobile Device Management (MDM)
Patching – What can you do?
• Validate patching is up to date
▫ Manual spot checks
▫ Automated tools (examples): Shavlik, WSUS, SolarWinds, ManageEngine, LogMeIn, Dell (KACE)
• Ensure patching tools include software in addition to Microsoft
DMS
There is a misconception that the DMS (dealer management system) provider is “watching” all the computers on the network. We see the DMS provider patching and maintaining only those PCs connecting to the DMS. This leaves many computers, printers, WiFi, and other devices exposed and vulnerable.
This is a HUGE gap!
DMS – What can you do?
• Identify DMS and non-DMS managed equipment
• Validate the DMS patches are working
• Implement the non-DMS patches (see Patching above)
The Team
Staff: Michael Hammond – IT Audit & Security Director, with the firm since October 2012.
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (C|EH)
• Michael is a member of the financial services InfraGard association, a joint partnership between the FBI and private sector.
• Michael is a veteran of the United States Air Force
https://www.linkedin.com/in/michaelwhammond
Staff: Nick DeLena – Senior IT Audit Manager. Nick is the lead senior IT audit manager at O’Connor & Drew. He works in concert with internal senior management to scope and budget engagements. He provides oversight and training to existing staff. Nick’s prior engagements include SOX compliance, SAS70, and FFIEC compliance. In addition to Nick’s audit and advisory experience, he also has 12 years in various IT operations and analyst positions.
Certifications and designations:
• Executive Masters in Business Administration (MBA)
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• CompTIA Security+
• ITIL v3 Foundations Certification (ITILv3F)
• Nick is a member of the science and technology InfraGard association, a joint partnership between the FBI and private sector.
https://www.linkedin.com/in/nickdelena