TRANSCRIPT
Windham Brannon Virtual Roundtable: COVID-19 Cybersecurity Essentials
Al Tanju, Windham Brannon
April 16, 2020
What is Cybersecurity?
• The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) defines cybersecurity as “...the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
• More simply put:
  • To establish policies, procedures, processes, controls, and technology
  • To protect systems and data from unauthorized access
  • To maintain the confidentiality, integrity, and availability of information
Cybersecurity
People: Employees can create some of the greatest risks to cybersecurity. However, when they are well informed they can also be an asset and a first line of defense.
Processes: This layer of cybersecurity ensures that businesses have strategies in place to proactively prevent and to respond quickly and effectively in the event of a cybersecurity incident.
Technology: Technology must be deployed to prevent or reduce the impact of cyber risks, depending on your organization’s risk assessment and what you deem an acceptable level of risk.
Topics
• Cyber Threats & Steps to Protecting Remote Employees
• Best Practices For Securing Remote Meetings
Today’s Cyber Threats
Misconfigured Systems: Devices and software are often not configured with industry standard best practices when shipped from the manufacturer and must be configured by your IT department.
Unpatched Vulnerabilities: Known device and software security vulnerabilities are not identified or patched in a timely manner, providing vectors for attackers to access company systems.
Credential Stuffing: User credentials are obtained from breaches at other companies and are used to access your company’s network or software.
Social Engineering: Social engineering attacks come in different forms but can be performed anywhere there is human interaction, such as phishing emails.
Malicious Software: A virus is a type of malware code that installs itself on your device. Once on your device, it can do bad things such as freezing your system or deleting and stealing data.
So what is new with COVID-19?
Appealing to Different Emotions: Needs, Greeds, and Fears
Shifting Targets: VPNs, remote meetings, mobile devices
Different Costumes & Make Up: WHO, CDC, Banks vs Nigerian Prince
What’s Old Is New: Risky security practices moving employees to work remotely.
Misconfigured Systems
• Factory defaults
• Default accounts are not changed
• Misconfigured firewalls
• Default password policies
• Absence of change control
• Lack of knowledge, skills, or experience
Unpatched Vulnerabilities
https://thehackernews.com/2019/07/equifax-data-breach-fine.html
Unpatched Vulnerabilities
• Companies have been slow to patch VPN vulnerabilities identified in 2018/2019
  • Pulse Connect Secure:
    • CVE-2019-11510: Pre-auth arbitrary file reading
    • CVE-2019-11539: Post-auth command injection
  • Fortinet:
    • CVE-2018-13379: Pre-auth arbitrary file reading
    • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
    • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.
  • Palo Alto:
    • CVE-2019-1579: Palo Alto Networks GlobalProtect Portal
Malicious Software
• Malware applications on the Android app store masquerading as legitimate applications (“SM_COVID19”)
• Infected Word, Excel, and PDF attachments in emails
• Links in emails that download infected Zoom and MS Teams installers
Polling Question 1
Why did you join today’s session?
A. I am worried about my business’s cybersecurity posture.
B. I want questions to ask my IT department.
C. Remote working is new to us.
D. I need CPE.
Fraud & Scams Targeting Fear
• The BBB in Cleveland reports a company called “Juicy Trends” claiming to sell protective masks called “SafeBreath95.” The website was registered from the Bahamas. The company says it’s based in Scotland. It was selling three face masks for $195.
• Offers for “all-natural and secret vaccines.” There are currently no vaccines or medications approved by the U.S. Food and Drug Administration to prevent coronavirus.
• Door-to-door coronavirus testers are being reported to the BBB. The fraudsters are collecting money and offering to test the victim for coronavirus.
Online Coronavirus Threats
Chart: online coronavirus threats. Source: https://www.statista.com/ Mar 31, 2020.
This fake CDC email offers a phony link to click on and view a list of new COVID-19 cases. Source: https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html
The suspicious "From" address and misspelling of "coronavirus" give this WHO email away as fake. Source: https://www.wsj.com/articles/hackers-target-companies-with-fake-coronavirus-warnings-11583267812
This phishing email claims to provide expert guidance from a doctor based at the origin of the outbreak. Source: https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html
The link will take the recipient to a spoofed page for a form that asks for their name, address, and credit card number. Source: https://www.proofpoint.com/us/threat-insight/post/coronaviruscovid-19-payment-lures-rise
This email arrives with a subject line of “COVID19: Relief Compensation” from the WHO. Source: https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html
What are common indicators of phishing attempts?
• Suspicious sender’s address
• Generic greetings and signatures
• Spoofed hyperlinks and websites
• Urgent action required
• Indicates level of authority
• Spelling, grammar, and layout
• Suspicious attachments
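The indicators above can be turned into an automated first pass over incoming mail. The following Python script is an added example (not code from the slides or from Windham Brannon): it parses a raw message and reports a display name that claims an organisation the sender address does not belong to, a generic greeting, links whose visible text names one domain while the href goes elsewhere, urgency wording, and risky attachment types. The two sample messages are constructed for the demo and use reserved .example placeholder domains; the word lists and the simplified domain handling are assumptions to tune for your own environment.

```python
"""Score an email against common phishing indicators.

Added example; not from the original slides. It checks for a sender address that
does not belong to the organisation named in the display name, a generic greeting,
links whose visible text names one domain while the href points at another,
urgency wording, and risky attachment types. Both messages at the bottom are
constructed samples using reserved .example placeholder domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "act now", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".zip")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")
# Crude anchor extraction, adequate for the demo; use an HTML parser on real mail.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host: str) -> str:
    """Reduce 'mail.example.com' to 'example.com' (simplified: ignores public-suffix rules)."""
    return ".".join(host.lower().strip().split(".")[-2:])


def phishing_indicators(raw: str) -> list[str]:
    """Return the indicator names found in one RFC 5322 message (empty list = none found)."""
    msg = message_from_string(raw)
    found = []

    # Sender check: the display name claims a domain (e.g. who.int) the address does not use.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    claimed = DOMAIN_RE.findall(display.lower())
    if claimed and all(registrable(c) != from_domain for c in claimed):
        found.append("sender address does not match organisation named in display name")

    # Separate text bodies, HTML bodies and attachment names.
    text, html, attachments = [], [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True).decode("utf-8", "replace")
            (html if part.get_content_type() == "text/html" else text).append(payload)
    body = " ".join(text + html).lower()

    if any(g in body for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    # Spoofed hyperlink: the text a reader sees names one domain, the href goes elsewhere.
    for doc in html:
        for href, shown_text in ANCHOR_RE.findall(doc):
            shown, target = DOMAIN_RE.search(shown_text.lower()), urlparse(href).hostname or ""
            if shown and target and registrable(shown.group()) != registrable(target):
                found.append(f"link text names {shown.group()} but points to {target}")
    if any(w in body for w in URGENCY_WORDS):
        found.append("urgent action demanded")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        found.append("risky attachment type")
    return found


# Constructed lure modelled on the “Relief Compensation” email described above.
SAMPLE_PHISH = """\
From: "WHO Support who.int" <alerts@who-int-updates.example>
Subject: COVID19: Relief Compensation
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Your relief payment has been suspended. Act
immediately and confirm your details at
<a href="http://who-int-updates.example/login">https://www.who.int/covid19</a>.</p></body></html>
--XYZ
Content-Type: application/octet-stream; name="COVID19_relief_form.docm"
Content-Disposition: attachment; filename="COVID19_relief_form.docm"

AAAA
--XYZ--
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@company.example>
Subject: Friday lunch menu
Content-Type: text/plain; charset="utf-8"

Hi Sam,
The menu is on the intranet: https://intranet.company.example/menu
Jane
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` returns all five indicator names, while `phishing_indicators(SAMPLE_LEGIT)` returns an empty list. A non-empty result is a reason for a user to verify the request out of band, as the next slide advises, not proof of phishing on its own; legitimate mail from marketing platforms often trips the greeting and link checks, so treat the output as a triage score.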
How to avoid being the victim of phishing?
• Know the signs
• Be suspicious of unsolicited phone calls, visits, or email messages
• Do not provide personal information or information about your organization
• Do not send sensitive information over the internet
• If you are unsure an email request is legitimate, verify it by contacting the company or person directly (not through email)
• Do not request urgent actions through email
• Use antivirus software, email filters, and anti-phishing software
• Use multifactor authentication
How can you protect yourself from credential stuffing?
• Multi-factor authentication
• Password managers
• Use a different strong password for each site
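Credential stuffing also has a distinctive footprint in authentication logs, which is where a SIEM (control 11 below) earns its keep. The script below is an added example, not code from the slides: it reads constructed sample log lines in an assumed `timestamp source_ip username OK|FAIL` format, flags any source address that fails logins against more distinct accounts than a threshold inside a sliding window, and lists successful logins from such a source as accounts whose password was probably reused from another breach and needs a reset. The window, threshold, and log format are assumptions; adapt `parse_line()` to your own log source.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the original slides. Credential stuffing replays
username/password pairs leaked from other companies' breaches, so in your own
logs it appears as one source address failing against many *different*
accounts at machine speed, with an occasional success where a user reused a
password. The log format ('timestamp source_ip username OK|FAIL') is an
assumption for the demo, and all lines below are constructed samples that use
reserved documentation IP ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window for counting failures per source
DISTINCT_USER_THRESHOLD = 5     # distinct accounts one source may fail against in the window


def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(lines, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Return (flagged, compromised) for log lines already in time order.

    flagged:     {ip: number of distinct users failed against when the alert fired}
    compromised: {(ip, user)} successful logins from a flagged source, i.e. accounts
                 to force a password reset on and to review for activity.
    """
    failures = defaultdict(deque)   # ip -> recent (timestamp, user) failures inside the window
    flagged, compromised = {}, set()
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            recent = failures[ip]
            recent.append((ts, user))
            while ts - recent[0][0] > window:   # expire failures older than the window
                recent.popleft()
            distinct = {u for _, u in recent}
            if len(distinct) >= threshold and ip not in flagged:
                flagged[ip] = len(distinct)
        elif result == "OK" and ip in flagged:
            compromised.add((ip, user))
    return flagged, compromised


# Constructed sample: 203.0.113.7 sprays six accounts in seconds and then logs in as
# 'grace'; 198.51.100.4 is a real user mistyping a password; 192.0.2.9 is a slow
# attacker spacing attempts ten minutes apart, which the 5-minute window misses.
SAMPLE_LOG = """\
2020-04-16T09:00:01 203.0.113.7 alice FAIL
2020-04-16T09:00:02 198.51.100.4 henry FAIL
2020-04-16T09:00:02 203.0.113.7 bob FAIL
2020-04-16T09:00:03 203.0.113.7 carol FAIL
2020-04-16T09:00:04 203.0.113.7 dave FAIL
2020-04-16T09:00:05 198.51.100.4 henry OK
2020-04-16T09:00:05 203.0.113.7 erin FAIL
2020-04-16T09:00:06 203.0.113.7 frank FAIL
2020-04-16T09:00:07 203.0.113.7 grace OK
2020-04-16T09:10:00 192.0.2.9 alice FAIL
2020-04-16T09:20:00 192.0.2.9 bob FAIL
2020-04-16T09:30:00 192.0.2.9 carol FAIL
2020-04-16T09:40:00 192.0.2.9 dave FAIL
2020-04-16T09:50:00 192.0.2.9 erin FAIL
2020-04-16T09:55:00 192.0.2.9 frank FAIL
""".splitlines()

if __name__ == "__main__":
    sources, accounts = detect_stuffing(SAMPLE_LOG)
    print("stuffing sources:", sources)
    print("accounts to reset:", accounts)
```

With the defaults the fast source is flagged after its fifth distinct account and `grace` is listed for a reset, while `henry`'s two attempts from one address are ignored. The slow source is only caught when the window is widened (for example `window=WINDOW * 12`), which illustrates why this kind of rule is a complement to MFA and unique passwords rather than a substitute: a patient attacker can stay under any fixed rate threshold.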
Polling Question 2
Does your organization use multifactor authentication?
A. Yes
B. No
C. Don’t know
D. Just learned about it today
16 Key Cybersecurity Controls
01 Multifactor Authentication: Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint).
02 User Education and Awareness: Produce user security policies covering acceptable and secure use of your systems. Include in staff training. Maintain awareness of cyber risks. Manage ongoing phishing campaigns.
03 Malware Prevention: Produce relevant policies and establish anti-virus/anti-malware defenses.
04 Manage User Privileges: Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
05 Mobile Device Management: Require anti-malware software and data encryption, enforce strong password security features, and segment corporate applications from personal applications. Use software that can remotely wipe devices.
06 VPN: Keep VPN appliances up-to-date and only allow VPN access from corporate managed devices. Ensure current encryption protocols are used. Train employees to immediately connect to the VPN after connecting to the internet.
07 Encryption: Encrypt data at rest on desktops, laptops, tablets, and phones. Configure Wi-Fi to use strong encryption such as WPA2 or WPA3.
08 Secure File Transfer: Use managed and encrypted file transfer portals for securely exchanging documents.
09 DLP: Implement data loss prevention software to prevent sensitive data from leaving the organization without authorization and proper security protocols. Block access to removable media.
10 Network Security: Configure, maintain, and monitor firewalls and intrusion detection and prevention devices. Segment your network.
11 Security Information and Event Monitoring: Log, monitor, and review security events from all sources within the organization using a SIEM tool, or subscribe to a security operations center (SOC) as a service.
12 Policies and Procedures: Establish comprehensive policies and procedures to address security, change management, access management, BYOD, remote work, and acceptable usage.
13 Vulnerability & Penetration Testing: Implement internal and external vulnerability and penetration tests to identify and remediate vulnerabilities in your IT environment.
14 Patching and Outdated Software: Use automated patch utilities to download, test, and deploy security patches for devices, operating systems, and applications. Replace outdated software.
15 Cybersecurity Risk Assessment: Identifies the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, and data), and then identifies the various risks that could affect those assets.
16 Cyber-Insurance: Evaluate your potential cyber risk exposure and obtain adequate insurance in case of a breach.
Checklist: Protecting Remote Employees
Employers
❑ Require strong passwords
❑ Implement MFA
❑ Only provide VPN access to corporate managed devices
❑ Use virtual desktops, remote desktops, or GoToMyPC for users without corporate laptops
❑ Encrypt any device that will hold corporate data
❑ Provide security awareness training
Employees
❑ Private work area
❑ Secure private Wi-Fi with at least WPA2
❑ Work while connected to the VPN
❑ Disable devices (Alexa / Google Home)
❑ Unique strong passwords
❑ Don’t click links or download files
❑ Keep work data on work computers
NIST Password Standards
• Length—8-64 characters are recommended.
• Character types—Nonstandard characters, such as emoticons, are allowed when possible.
• Construction—Long passphrases are encouraged. They must not match entries in the prohibited password dictionary.
• Reset—Required only if the password is compromised or forgotten.
• Multifactor—Encouraged in all but the least sensitive applications.
https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/nists-new-password-rule-book-updated-guidelines-offer-benefits-and-risk
Examples
NIST Passwords
• Long memorable passphrases are encouraged.
  • Example: “My best friend ran away when I was five.”
• Problematic passwords are rejected by a dictionary.
  • Example: “123456”
  • Example: “Go Dawgs”
Traditional Passwords
• Length can be seen as an obstacle as it adds complexity.
  • Example: “zx2[23]a!”
• Memorable might be easy to guess.
  • Example: “P@$$wORD”
  • Example: “HeidiLamarca2020!”
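The NIST points on the previous two slides translate directly into a password acceptance check. The Python below is an added example, not code from the slides or from NIST: it enforces the 8-64 character range (counted as Unicode code points, so emoji count like any other character), allows any character type, imposes no composition rules, and rejects anything found in a prohibited-password dictionary, including common symbol substitutions and account-specific words such as the user's own name. The prohibited list and the substitution table are small constructed stand-ins; a real deployment screens against a breached-password corpus of many millions of entries. No expiry logic is included, because resets are required only on compromise.

```python
"""Password acceptance check in the style of the NIST rules summarised above.

Added example, not code from the original slides or from NIST. Rules applied:
8-64 code points, any character allowed, no composition rules, reject entries
in a prohibited dictionary (also after folding common substitutions), reject a
single repeated character, and reject account- or company-specific words.
PROHIBITED is a small constructed sample standing in for a breached-password list.
"""
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed stand-in for a prohibited-password dictionary (real lists are huge).
PROHIBITED = {"123456", "12345678", "password", "qwerty", "letmein", "go dawgs", "welcome1"}

# Substitutions attackers try automatically; folded back before the dictionary lookup.
_FOLD = str.maketrans("@$013", "asoie")


def normalize(password: str) -> str:
    """Apply NFKC normalisation (SP 800-63B recommends it) so look-alike inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context_words=()) -> tuple[bool, str]:
    """Return (accepted, reason). context_words: username, real name, company name, etc."""
    pw = normalize(password)
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    lowered = pw.lower()
    if lowered in PROHIBITED:
        return False, "found in prohibited password list"
    if lowered.translate(_FOLD) in PROHIBITED:
        return False, "matches prohibited list after substitution folding"
    if len(set(lowered)) == 1:
        return False, "single repeated character"
    for word in context_words:
        if word.lower() in lowered:
            return False, f"contains context-specific word '{word}'"
    return True, "accepted"


if __name__ == "__main__":
    # The slide's own examples, plus one passphrase with emoji to show any character is allowed.
    for candidate in ("My best friend ran away when I was five.", "123456", "Go Dawgs",
                      "zx2[23]a!", "P@$$wORD", "HeidiLamarca2020!", "correct🐴battery📎staple"):
        print(repr(candidate), check_password(candidate))
    print("with user's name as context:",
          check_password("HeidiLamarca2020!", context_words=("Heidi", "Lamarca")))
```

The passphrase is accepted, “123456” and “Go Dawgs” are rejected, and “P@$$wORD” is caught once the symbol substitutions are folded back to “password”. Note that “HeidiLamarca2020!” passes the generic rules and is rejected only when the user's own name is passed in as a context word, which is the slide's point: a password can satisfy every length and character rule and still be easy to guess about a specific person.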
Security Awareness Training Benefits
1. Builds a culture of cybersecurity
2. Improves information security, privacy, and compliance
3. Avoids and reduces cost from information security incidents and breaches
4. Improves reputation and trust
5. Creates situational awareness
Polling Question 3
How often does your organization perform security awareness training?
A. Annually
B. Multiple times a year
C. We need to do more
D. Never
Who hasn’t heard of Zoombombing?
https://techcrunch.com/2020/04/03/zoom-waiting-rooms-default/
Securing Remote Meetings
1. Follow your organization’s policies for virtual meeting security.
2. Keep meeting software up-to-date.
3. Limit access to calendar details.
4. Limit reuse of access codes. If you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
5. Use a “lobby” or “waiting room” and don’t allow the meeting to begin until the host joins.
6. Use a dashboard feature so you can see who all the attendees are at any time.
7. Enable notification when attendees join by playing a tone or announcing names.
8. Pick the right solution for your use: meetings vs webinars.
9. Don’t record the meeting unless it’s necessary.
10. Before anyone shares their screen, remind them not to inadvertently share other sensitive information during the meeting.
11. Close client documents not needed for the meeting and keep your desktop clean.
12. Remember you are on camera.