Statewide Cyber Trends - North Carolina · 2018. 6. 19.

Statewide Cyber Trends October 12, 2016



Current threats

8/17/2015 Information Technology

•Phishing

•Ransomware

•Hacktivism - DDoS


Phishing


• I titled this part phishing but Social Engineering is a better term.

• From the Verizon Data Breach Digest - Scenarios from the Field: “We witness social tactics being used in around 20% of confirmed data breaches.”

• June 1 edition of CSOonline.com “As of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released today by PhishMe.”

• Phishing emails have counterparts in vishing (voice phishing) and even in-person actions

• Spear-phishing – a targeted phish


Ransomware


• Cybercriminals are using a type of malware called "ransomware", which can infect your computer or mobile device and restrict access to your files and programs unless you agree to pay a ransom to the creators of the malware to regain access. (https://home.mcafee.com)

• Many state agencies have been hit by ransomware. Data that is not backed up is permanently lost. Not all backups are equal: the backup needs to be offline. Backups to external drives with a drive letter are as vulnerable to the ransomware as the rest of the storage.


Ransomware - Cryptolocker


Ransomware - TeslaCrypt Notice


Ransomware - Locky


Hacktivism


• Hacktivism is defined as the subversive use of computers and computer networks to promote a political agenda. In the past, these activities included Distributed Denial of Service (DDoS), doxing, phishing or spear-phishing attacks, and website defacements.

• https://en.wikipedia.org/wiki/Hacktivism


Yeah these folks……


Hacktivism - DDoS

• State agencies have been the victim of DDoS

Luckily, in most cases the duration (and therefore the impact) of the attack has been short. However, longer attacks at critical times have had a significant business impact on the victim.


Graphic from http://www.kaspersky.co.za/enterprise-security/ddos-protection


Recommendations - Phishing


• User Awareness training

• Don’t follow links or open attachments in unexpected or suspicious e-mails

• Report suspicious e-mails to [email protected] so they can be filtered


Recommendations - Ransomware


• User Awareness

• Back up important files on local system

• Don’t follow links or open attachments in unexpected or suspicious e-mails

• Report suspicious e-mails to [email protected] so they can be filtered

• Web browsing should be work related


Recommendations – Ransomware (System Controls)

• User Accounts should not be administrators

• Consider Implementing Microsoft AppLocker GPO

Prevents execution of files from the c:/Users/<user>/AppData/ folder and its subfolders

• Application Whitelisting/SW Restriction

• Utilize WCF and DNS FW

• Patch – OS to plugins (Flash, Java)

• Allow/Install Pop-up and Ad Blockers
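
The AppData restriction above, sketched as an AppLocker policy in audit-only mode. This is an added example, not part of the original slides; the rule names, the policy file name and the allow rules placed around the deny rule are assumptions.

```powershell
# Added example (not from the slides). Rule names and the policy file path are assumptions.
function New-PathRule([string]$Name, [string]$Path, [string]$Sid, [string]$Action) {
    $id = [guid]::NewGuid().ToString()   # every AppLocker rule needs a unique GUID
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

$rules = @(
    # Allow rules first: once a collection holds any rule, files that match
    # no allow rule are blocked, so a deny-only policy would stop everything.
    New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' $everyone 'Allow'
    New-PathRule 'Allow Windows folder' '%WINDIR%\*' $everyone 'Allow'
    New-PathRule 'Allow all for administrators' '*' $admins 'Allow'
    # The rule from the slide. Deny takes precedence over allow, so this
    # also applies to administrators.
    New-PathRule 'Deny user AppData' '%OSDRIVE%\Users\*\AppData\*' $everyone 'Deny'
) -join "`r`n"

# AuditOnly logs what would be blocked without blocking it.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-appdata-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against executables that already live under this user's AppData.
Get-ChildItem $env:LOCALAPPDATA -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName } |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone

# Apply to local policy (elevated prompt); the Application Identity service must run.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc

# Event 8003 = "would have been blocked" while the collection is in audit mode.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
```

Per-user installers commonly run from AppData, so review the 8003 events before changing `EnforcementMode` to `Enabled`.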


Statewide perspective - Ransomware

• Ransomware infections are a reportable incident to the State CIO


Recommendation – Hacktivism DDoS - Best Practices


DDoS

Establish and maintain effective partnerships with your upstream network service provider.

Know what assistance they may be able to provide you in the event of a DDoS attack.

The faster that they can implement traffic blocks and mitigation strategies at their level, the sooner your services will become available for legitimate users.

Consider also establishing relationships with companies that offer DDoS mitigation services.

If you are experiencing a DDoS attack, provide the attacking IP addresses to your upstream network service provider so they can implement restrictions at their level.


Questions?