Security Awareness: Where is Your Biggest Risk? Tony Roessler

Posted on 15-May-2020


Page 1: Security Awareness: Where is Your Biggest Risk?

Security Awareness: Where is Your Biggest Risk?

Tony Roessler

Page 2

Costs per Industry

Page 3

Financial Consequences

Page 4

Companies who have been Compromised

• Blue Cross

• State of South Carolina

• Target

• Home Depot

• Chick-fil-A

• Sony Pictures

• US Postal Service

• Staples

• JP Morgan

Page 5

Page 6

Types Of Breaches

Page 7

Page 8

Hackers: Who is knocking at the door?

• White Hat

• Black Hat

• Grey Hat

• Hacktivist

• Nation State

• Criminal Gangs

Page 9

White hat

• The term "white hat" in Internet slang refers to an “ethical hacker.”

• A white hat hacker breaks security for non-malicious reasons and with the system owner's permission:

– to test their own security system

– working for a security company which makes security software.

Page 10

Black Hat

• A "black hat" hacker is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain"

• Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture

Page 11

Grey Hat

• A grey hat hacker may hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect

• They may then offer to correct the defect for a fee

• Even though grey hat hackers may not necessarily perform hacking for their personal gain, unauthorized access to a system can be considered illegal and unethical.

Page 12

Hacktivist

• A hacktivist is a hacker who uses technology to publicize a social, ideological, religious or political message.

• Hacktivism can be divided into two main groups:

– Cyberterrorism — activities involving website defacement or denial-of-service attacks

– Freedom of information — making information that is not public, or is public in non-machine-readable formats, accessible to the public.

Page 13

Anonymous

Page 14

WikiLeaks

Page 15

Nation State

• Intelligence agencies and cyber warfare operatives of nation states

• “Almost every country out there ignores that its citizens are hacking, or they’re aiding that activity, or they’re engaging in it directly,” said Kevin Mandia, founder of Mandiant and president of FireEye, speaking at a company summit last week. “And there are, for now, no risks or repercussions to the attackers.”

Page 16

Nation State

• “The China agreement says that intrusions will be limited to espionage activities,” Mandia said. “So universities are fair game. Whoever hacked OPM has been doing it a long time, they’re in China and they get paid for it. China may or may not be actively supporting it, but those records are useful for espionage and are fair game. Healthcare—they have information on all of us. That’s useful for espionage. So the targets remain the same. Then there will still be plenty of companies in the middle, which are victims of drive-by [cyber] shootings that build the infrastructure for carrying out the attack.”

Page 17

Criminal Gangs

• Groups of hackers that carry out organized criminal activities for profit.

Page 18

Where are my biggest threats?

Page 19

Page 20

Page 21

Types of Threats

• Spam

• Phishing

• Social Engineering

• Ransomware

• Malware

• Computer Virus

• Rogue security software

• Trojan Horse

• Malicious spyware

• Computer worm

• Botnet

• Rootkit

Page 22

Spam

• Spam in the security context is primarily used to describe email spam —unwanted messages in your email inbox. Spam, or electronic junk mail, is a nuisance as it can clutter your mailbox as well as potentially take up space on your mail server. Unwanted junk mail advertising items you don’t care for is harmless, relatively speaking. However, spam messages can contain links that when clicked on could go to a website that installs malicious software onto your computer.

Page 23

Phishing

• Phishing: Phishing scams are fraudulent attempts by cybercriminals to obtain private information. Phishing scams often appear in the guise of email messages designed to appear as though they are from legitimate sources. For example, the message would try to lure you into giving your personal information by pretending that your bank or email service provider is updating its website and that you must click on the link in the email to verify your account information and password details.

Page 24

Page 25

Begin forwarded message:

From:

Date: December 13, 2016 at 12:58:54 PM EST

To: Subject: Message

Reply-To:

Heather,

Did you get my previous email?

Thanks

Frank
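The forwarded message above is the classic CEO-fraud opener: a short "did you get my previous email?" from someone posing as an executive, with a Reply-To that quietly redirects the conversation. The following is an added example, not part of the original deck, of the header and body checks a mail gateway or SOC script would apply to such a message. The internal domain, the executive names, the pretext phrases and all sample addresses are assumptions constructed for the example; the three sample messages are invented and only modelled on the one shown above.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domain and the
# names an attacker is most likely to impersonate. Both are invented here.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"frank", "frank roessler"}

# Short rapport-building openers typical of CEO-fraud / whaling pretexts.
PRETEXT_PHRASES = (
    "did you get my previous email",
    "are you available",
    "are you at your desk",
    "i need you to handle",
    "need this done today",
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _lookalike(domain: str, internal: str) -> bool:
    """Crude typo-squat test: not the internal domain, but after undoing common
    substitutions (1->l, 0->o, dropped hyphens) it still contains the internal
    domain's first label, e.g. examp1e.com or mail-example.net."""
    if not domain or domain == internal:
        return False
    base = internal.split(".")[0]
    normalised = domain.replace("1", "l").replace("0", "o").replace("-", "")
    return base in normalised


def analyze(raw: bytes) -> list[str]:
    """Return a list of finding tags for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []

    # 1. Display name of an executive, but the address is not ours.
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append("display-name-impersonation")
    # 2. Replies are silently redirected to a different domain than From.
    if reply_addr and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # 3. Either domain is a typo-squat of our own.
    if _lookalike(from_dom, INTERNAL_DOMAIN) or _lookalike(reply_dom, INTERNAL_DOMAIN):
        findings.append("lookalike-domain")
    # 4. Body is a classic "are you there?" opener with no real content.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in PRETEXT_PHRASES):
        findings.append("pretext-opener")
    return findings


# Constructed samples, modelled on the forwarded "Did you get my previous
# email?" message in the slides; every address here is invented.
SAMPLES = {
    "spoofed-from": b"""From: Frank <frank@example.com>
Reply-To: frank.roessler@mail-examp1e.net
To: heather@example.com
Date: Tue, 13 Dec 2016 12:58:54 -0500
Subject: Message

Heather,

Did you get my previous email?

Thanks
Frank
""",
    "lookalike-from": b"""From: Frank <frank@examp1e.com>
To: heather@example.com
Subject: Quick request

Heather, are you at your desk? I need you to handle a wire today.
Frank
""",
    "benign": b"""From: Frank <frank@example.com>
To: heather@example.com
Subject: Q4 budget

Heather, the revised budget is in the shared folder. Thanks, Frank
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15s} -> {analyze(raw) or ['no findings']}")
```

The spoofed-From sample is the harder case: the From header is forged to look internal, so only the Reply-To mismatch and the lookalike reply domain give it away, which is why a check on the display name alone is not enough. In production the same tags would feed a quarantine rule or a banner ("external sender using an executive's name"), and SPF/DKIM/DMARC results would be added as a fifth signal.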

Page 26

Social Engineering

• Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Page 27

Social Engineering

• One example of social engineering is an individual who walks into a building and posts an official-looking announcement to the company bulletin that says the number for the help desk has changed. So, when employees call for help the individual asks them for their passwords and IDs thereby gaining the ability to access the company's private information. Another example of social engineering would be that the hacker contacts the target on a social networking site and starts a conversation with the target. Slowly and gradually, the hacker gains trust of the target and then uses it to get access to sensitive information like password or bank account details. [3]

Page 28

Social Engineering

• Conference room Examples

• Official Shirts/ Delivery person

• Conference Computer

Page 29

Vishing

Executive Whaling

CEO Fraud

Page 30

Common Sense

Page 31

Jagerwirt Hotel Ransomware Attack

Page 32

St. Louis Public Library System Ransomware Attack

Page 33

Hollywood Presbyterian Hospital Ransomware Attack

Page 34

What is Ransomware?

• Malware which inhibits endpoint operation (English Translation: bad software that locks up your computers)

• Demands payment to return device to normal operation

Page 35

Locking Ransomware

Page 36

Encrypting Ransomware

Page 37

New Trends

• As recent cybersecurity infographics and the Annual Threat Report have revealed, ransomware is on the rise: attacks grew 167 times over, from 4 million in 2015 to 638 million in 2016. Victims typically download ransomware by opening an infected email attachment or clicking a compromised pop-up, triggering malicious code. From there, a sequence of events unfolds that locks down the victim’s device and displays a message listing demands that must be met in order to regain access.
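The preceding slides separate locking ransomware from encrypting ransomware. For the encrypting kind, the tell-tale on disk is a burst of files whose contents have become statistically random, often renamed with a new extension, plus a ransom note. The following is an added example, not from the original deck, of a simple host-side triage check that scores a set of files on exactly those signals. The entropy threshold, the extension list, the ransom-note file names and all sample file contents are assumptions constructed for the example; the "ciphertext" is a SHA-256 hash chain standing in for real encrypted output so the example runs offline and deterministically.

```python
import gzip
import hashlib
import math
from collections import Counter

# Assumed thresholds and indicator lists; tune them for a real deployment.
HIGH_ENTROPY = 7.5                                        # bits per byte; ciphertext sits near 8.0
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}   # invented, illustrative only
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_for_decrypt.txt"}  # invented
# Legitimate formats that are also high-entropy, identified by magic bytes so
# they are not mistaken for ciphertext (gzip, zip, JPEG, PNG, PDF).
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return 'note', 'compressed', 'encrypted' or 'ok' for a single file."""
    if name.lower() in RANSOM_NOTE_NAMES:
        return "note"
    if data.startswith(COMPRESSED_MAGIC):
        return "compressed"          # high entropy is expected here; not evidence
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "encrypted"           # high entropy with no recognisable container
    return "ok"


def assess(files: dict[str, bytes]) -> dict:
    """Aggregate per-file classes and decide whether the set looks ransomed.
    A note is conclusive; otherwise require several encrypted files, or one
    encrypted file that also carries a ransomware-style extension."""
    counts = Counter(classify(n, d) for n, d in files.items())
    renamed = sum(1 for n in files if any(n.lower().endswith(e) for e in RANSOM_EXTENSIONS))
    suspected = (
        counts["note"] > 0
        or counts["encrypted"] >= 3
        or (counts["encrypted"] >= 1 and renamed >= 1)
    )
    return {**counts, "renamed": renamed, "ransomware_suspected": suspected}


def _pseudo_ciphertext(size: int) -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain, statistically uniform."""
    out, block = bytearray(), b"seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed sample "directory" for this example.
PLAINTEXT = b"Quarterly report: revenue was flat, costs rose three percent.\n" * 40
SAMPLE_FILES = {
    "notes.txt": PLAINTEXT,
    "archive.gz": gzip.compress(PLAINTEXT),
    "report.docx.locked": _pseudo_ciphertext(4096),
    "photo.jpg.locked": _pseudo_ciphertext(4096),
    "HOW_TO_DECRYPT.txt": b"Your files have been encrypted. Pay within 72 hours.\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:22s} entropy={shannon_entropy(data):.2f} -> {classify(name, data)}")
    print(assess(SAMPLE_FILES))
```

Entropy alone is a weak signal, which is why the example exempts known compressed and media formats by magic bytes and only raises the alarm on a combination of signals. On a real host the same logic would run over a canary directory or a file-change feed rather than a static set, and the useful response is to isolate the machine quickly; the slides' point about backups still stands, since detection limits the damage but does not recover files.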

Page 38

Why is Ransomware so successful?

• Social Engineering

– Often accuses the user of illegal acts (which may even be true...)

– Users might not report it, but pay and hope the problem goes away

Page 39

Why is Ransomware so successful?

• Provides an easy way to monetize the malware

– No illegal money transfers from victim's accounts

– No money mules or other middle-men

– No action required on the part of the cyber criminal

Page 40

Why is Ransomware so successful?

The Likely Outcome

– Catastrophic loss of personal documents

– Even with backups, productivity impact can be significant

– Time limit (pay ransom quickly or lose info on device forever)

Page 41

RaaS Brings Cybercrime To The People

• RaaS is designed to make cybercrime accessible to anyone, no matter how limited their programming mastery. Advanced cybercriminals author the malicious code, then make it available for others to download and use. The authors may provide the ransomware for free or charge a small fee up front, often opting to take a cut of each ransom. This incentivizes a higher volume of attacks and higher ransom requests.

• Ransomware is not only cheap to purchase and download; it’s also easy to spread. In comparison to other types of popular attacks, you don’t need to be tech-savvy or have expensive equipment, which means more and more cybercriminals are turning to this type of misconduct. It also produces a quicker payout than stealing credit card data or personal information. Perhaps most importantly, the risk of being caught is lower because ransoms are collected in Bitcoin, which is pseudonymous rather than truly anonymous: the payments are visible on the public ledger, but tying a wallet to a person is still hard.

Page 42

RaaS

• Today’s cybercriminals have new options that make their malicious efforts easier than ever. Cyberattacks can be purchased in several forms, including as-a-service packages and simple downloads to be installed in rogue servers. While these may not be the most cutting-edge techniques, they can be effective in infiltrating systems that have not been sufficiently patched. Chief information security officers (CISOs) must take precautions to close access gaps and patch all systems with current updates.

Page 43

Security Plan

• Your company’s value is its data

– Think you don’t have anything of value to protect? Think again. The key asset that a security program helps to protect is your data — and the value of your business is in its data. You already know this if your company is one of many whose data management is dictated by governmental and other regulations — for example, how you manage customer credit card data. If your data management practices are not already covered by regulations, consider the value of the following:

– Product information, including designs, plans, patent applications, source code, and drawings

– Financial information, including market assessments and your company’s own financial records

– Customer information, including confidential information you hold on behalf of customers or clients

Page 44

Be Proactive

1. Designated security officer

2. Risk assessment

3. Policies and Procedures

4. Organizational security awareness

5. Regulatory standards compliance

6. Audit compliance plan

Page 45

Designated security officer

For most security regulations and standards, having a Designated Security Officer (DSO) is not optional — it’s a requirement. Your security officer is the one responsible for coordinating and executing your security program. The officer is your internal check and balance. This person or role should report to someone outside of the IT organization to maintain independence.

Page 46

Risk assessment

• This component identifies and assesses the risks that your security program intends to manage. This is perhaps the most important section because it makes you think about the risks your organization faces so that you can then decide on appropriate, cost-effective ways to manage them. Remember that we can only minimize, not eliminate, risk, so this assessment helps us to prioritize them and choose cost-effective countermeasures. The risks that are covered in your assessment might include one or more of the following:

• Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to loss of electric power. You may also lose access to your data for more subtle reasons: the second disk failure, for example, while your RAID array recovers from the first.

• Unauthorized access to your own data and client or customer data. Remember, if you have confidential information from clients or customers, you’re often contractually obliged to protect that data as if it were your own.

• Interception of data in transit. Risks include data transmitted between company sites, or between the company and employees, partners, and contractors at home or other locations.

• Your data in someone else’s hands. Do you share your data with third parties, including contractors, partners, or your sales channel? What protects your data while it is in their hands?

• Data corruption. Intentional corruption might modify data so that it favors an external party: think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error that overwrites valid data.

Page 47

Policies and Procedures

• Preparing your risk assessment hopefully gave you lots to worry about. The policies and procedures component is the place where you get to decide what to do about them. Areas that your program should cover include the following:

Page 48

Policies and Procedures

• Physical security documents how you will protect all three C-I-A aspects of your data (confidentiality, integrity, and availability) from unauthorized physical access.

• Authentication, authorization, and accountability establishes procedures for issuing and revoking accounts. It specifies how users authenticate, password creation and aging requirements, and audit trail maintenance.

• Security awareness makes sure that all users have a copy of your acceptable use policy and know their responsibilities; it also makes sure that your IT employees are engaged in implementing your IT-specific policies.

• Risk assessment states how often you will reassess the potential threats to your IT security and update your security program.

• Incident response defines how you will respond to security threats, including potential (such as unauthorized port scanning) and actual incidents (where security has been compromised). We discussed the importance of having an incident-handling guide in the Q1 2006 issue of The Barking Seal.

• Virus protection outlines how you protect against viruses. This might include maintaining workstation-based products and scanning email, Web content, and file transfers for malicious content.

• Business continuity planning includes how you will respond to various man-made and natural disaster scenarios. This includes setting up appropriate backup sites, systems, and data, as well as keeping them up-to-date and ready to take over within the recovery time you have defined.

• Relationships with vendors and partners defines who these organizations are, what kind of data you might exchange with them, and what provisions must be in your contracts to protect your data. This is an often-overlooked aspect of data security because your IT organization probably has not had a lot of interaction with your legal organization over vendor contracts. You may need to take measures such as evaluating your partners’ ability to safeguard your data and insisting on having reasonable security practices in place.

Page 49

Audit compliance plan

• This component of your security program dictates how often you will audit your IT security and assess its compliance with your security program. As we discussed in the Q2 2008 issue of The Barking Seal, there are aspects of your security that you will want to audit on a frequency ranging from daily to annually. Periodic security assessments are important for finding out whether your security has already been breached. They help you to stay on top of new security threats with the right technology and staff training. And they help you make smart investments by helping you to prioritize and focus on the high-impact items on your list.

Page 50

Security Network Audits

• Every business that has any type of network should be concerned with network security. Networks, both large and small, move data from one location to another, often across the globe or to remote computers or people. These types of connections allow for potential vulnerabilities. It's critical to align yourself and your business with the right security partner to protect your business.

Page 51

Organizational security awareness

The security community generally agrees that the weakest link in most organizations’ security is the human factor, not technology. And even though it is the weakest link, it is often overlooked in security programs. Don’t overlook it in yours. Every employee needs to be aware of his or her roles and responsibilities when it comes to security. Even those who don’t even touch a computer in their daily work need to be involved because they could still be targeted by social-engineering attacks designed to compromise your physical security.

Page 52

Thank You

Tony Roessler