Windham Brannon Virtual Roundtable: COVID-19 Cybersecurity Essentials Al Tanju, Windham Brannon April 16, 2020



What is Cybersecurity?

• The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) defines cybersecurity as “...the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
• More simply put:
  • To establish policies, procedures, processes, controls, and technology
  • To protect systems and data from unauthorized access
  • To maintain the confidentiality, integrity, and availability of information

Cybersecurity

People: Employees can create some of the greatest risks to cybersecurity. However, when they are well informed they can also be an asset and a first line of defense.

Processes: This layer of cybersecurity ensures that businesses have strategies in place to proactively prevent and to respond quickly and effectively in the event of a cybersecurity incident.

Technology: Technology must be deployed to prevent or reduce the impact of cyber risks, depending on your organization’s risk assessment and what you deem an acceptable level of risk.

Topics

• Cyber Threats & Steps to Protecting Remote Employees
• Best Practices For Securing Remote Meetings

Who am I?

• Industrial spies
• Nation states
• Hacktivists and hackers
• Terrorists
• Organized crime groups

Today’s Cyber Threats

• Misconfigured Systems: Devices and software are often not configured with industry standard best practices when shipped from the manufacturer and must be configured by your IT department.
• Unpatched Vulnerabilities: Known device and software security vulnerabilities are not identified or patched in a timely manner, providing vectors for attackers to access company systems.
• Credential Stuffing: User credentials are obtained from breaches at other companies and are used to access your company’s network or software.
• Social Engineering: Social engineering attacks come in different forms but can be performed anywhere there is human interaction, such as phishing emails.
• Malicious Software: A virus is a type of malware code that installs itself on your device. Once on your device, it can do bad things such as freezing your system or deleting and stealing data.

So what is new with COVID-19?

• Appealing to Different Emotions: Needs, Greeds, and Fears
• Shifting Targets: VPNs, remote meetings, mobile devices
• Different Costumes & Make Up: WHO, CDC, Banks vs Nigerian Prince
• What’s Old Is New: Risky security practices moving employees to work remotely.

Misconfigured Systems

• Factory defaults

• Default accounts are not changed

• Misconfigured firewalls

• Default password policies

• Absence of change control

• Lack of knowledge, skills, or experience

Unpatched Vulnerabilities

https://thehackernews.com/2019/07/equifax-data-breach-fine.html

• Companies have been slow to patch VPN vulnerabilities identified in 2018/2019
• Pulse Connect Secure:
  • CVE-2019-11510: Pre-auth arbitrary file reading
  • CVE-2019-11539: Post-auth command injection
• Fortinet:
  • CVE-2018-13379: Pre-auth arbitrary file reading
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.
• Palo Alto:
  • CVE-2019-1579: Palo Alto Networks GlobalProtect Portal

Malicious Software

• Malware applications on the Android app store masquerading as legitimate applications (“SM_COVID19”)
• Infected Word, Excel, and PDF attachments in emails
• Links in emails that download infected Zoom and MS Teams installers

Polling Question 1

Why did you join today’s session?

A. I am worried about my business’s cybersecurity posture.

B. I want questions to ask my IT department.

C. Remote working is new to us.

D. I need CPE.

Social Engineering – On the Rise

Verizon – 2019 Data Breach Investigations Report


Fraud & Scams Targeting Fear

• The BBB in Cleveland reports a company called “Juicy Trends” claiming to sell protective masks called “SafeBreath95.” The website was registered from the Bahamas. The company says it’s based in Scotland. It was selling three face masks for $195.

• Offers for “all-natural and secret vaccines.” There are currently no vaccines or medications approved by the U.S. Food and Drug Administration to prevent coronavirus.

• Door-to-door coronavirus testers are being reported to the BBB. The fraudsters are collecting money and offering to test the victim for coronavirus.


Online Coronavirus Threats


Source: https://www.statista.com/ Mar 31, 2020.


This fake CDC email offers a phony link to click on and view a list of new COVID-19 cases

Source: https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html


The suspicious "From" address and misspelling of "coronavirus" give this WHO email away as fake

Source: https://www.wsj.com/articles/hackers-target-companies-with-fake-coronavirus-warnings-11583267812


This phishing email claims to provide expert guidance from a doctor based at the origin of the outbreak

Source: https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html


The link will take the recipient to a spoofed page for a form that asks for their name, address, and credit card number

Source: https://www.proofpoint.com/us/threat-insight/post/coronaviruscovid-19-payment-lures-rise


This email arrives with a subject line of “COVID19: Relief Compensation” from the WHO

Source: https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html

What are common indicators of phishing attempts?

• Suspicious sender’s address

• Generic greetings and signatures

• Spoofed hyperlinks and website

• Urgent action required

• Indicates level of authority

• Spelling, grammar, and layout

• Suspicious attachments
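The indicators listed above can be turned into a mechanical first-pass check that a mail gateway or an analyst's triage script could run. The following is an added example, not code from the deck or from Windham Brannon: a Python function that parses one raw e-mail and reports which of the listed indicators it finds. The authority-to-domain table, the phrase lists, the risky-extension list and both sample messages are constructed for the example.

```python
"""Heuristic check for common phishing indicators in one raw e-mail.

Added example (not from the Windham Brannon deck). Reports: a display name
that claims an authority whose real domain does not match the sender
address, a Reply-To that differs from From, urgent wording, a generic
greeting, a hyperlink whose visible text points elsewhere than its href,
links to bare IP addresses, and risky attachments.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (hypothetical) table: name an impersonator puts in the display
# name -> domain the real organization actually sends from.
CLAIMED_AUTHORITIES = {"cdc": "cdc.gov", "who": "who.int",
                       "world health organization": "who.int"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear employee", "dear sir", "dear madam")
URGENCY_PHRASES = ("urgent", "immediately", "act now", "within 24 hours", "will be suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for name, real_domain in CLAIMED_AUTHORITIES.items():
        if re.search(rf"\b{re.escape(name)}\b", display.lower()) and not sender_domain.endswith(real_domain):
            hits.append(f"display name '{display}' claims {real_domain} but address domain is '{sender_domain}'")
            break
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        hits.append(f"Reply-To '{reply_to}' differs from From '{addr}'")
    if any(p in msg.get("Subject", "").lower() for p in URGENCY_PHRASES):
        hits.append("urgent wording in subject")

    body = ""
    for part in msg.walk():  # walk yields the container first, then each MIME part
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            hits.append(f"suspicious attachment '{filename}'")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    for href, inner in ANCHOR_RE.findall(body):
        shown = TAG_RE.sub("", inner).strip()
        if host_of(shown) and host_of(shown) != host_of(href):
            hits.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host_of(href)):
            hits.append(f"link points to a bare IP address {host_of(href)}")

    text = TAG_RE.sub(" ", body)
    first_line = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first_line.lower().startswith(GENERIC_GREETINGS):
        hits.append(f"generic greeting '{first_line}'")
    if any(p in text.lower() for p in URGENCY_PHRASES):
        hits.append("urgent wording in body")
    return hits


# Constructed sample modelled on the fake CDC alert described in the deck.
SAMPLE_PHISH = """\
From: "CDC Health Alert" <alerts@cdc-gov-update.example>
Reply-To: collect@free-mailbox.example
To: staff@company.example
Subject: URGENT: New COVID-19 cases in your area
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>You must act now to view the list of new cases:
<a href="http://198.51.100.23/cases">https://www.cdc.gov/coronavirus</a></p>
</body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="case_list.exe"
Content-Disposition: attachment; filename="case_list.exe"

not a real file
--BOUNDARY--
"""

# Constructed benign message, to show the check does not flag ordinary mail.
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@company.example>
To: staff@company.example
Subject: Monthly maintenance window
Content-Type: text/plain; charset="utf-8"

Hi Jane,
The next maintenance window is Saturday 02:00-04:00.
Details: https://intranet.company.example/maintenance
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Each hit is one of the slide's indicators; a gateway would typically quarantine above some count and an analyst would still read the message, since a single hit (one urgent word) is normal in legitimate mail.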

How to avoid being the victim of phishing?

• Know the signs

• Be suspicious of unsolicited phone calls, visits, or email messages

• Do not provide personal information or information about your organization

• Do not send sensitive information over the internet

• If you are unsure an email request is legitimate, verify it by contacting the company or person directly (not through email)

• Do not request urgent actions through email

• Use antivirus software, email filters, and anti-phishing software

• Use multifactor authentication

Credential Stuffing

How can you protect yourself from credential stuffing?

• Multi-factor authentication

• Password managers

• Use a different strong password for each site
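The three controls above reduce the impact of credential stuffing; the pattern itself is also easy to spot on the login side. The following is an added example, not code from the deck: a Python detector over constructed authentication log lines that flags one source address failing against many distinct usernames inside a short window, and records any success that follows from the same source, which are the accounts to reset first. The log format, addresses, user names and timestamps are made up for the example.

```python
"""Detect a credential-stuffing burst in authentication logs.

Added example, not from the deck. Credentials leaked from other companies
and replayed against your login page show up as one source address
failing against many *different* usernames within seconds, with the
occasional success where a reused password still works. A single user
failing a few times and then succeeding (forgot password) does not match.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed (constructed) log format: "<ISO timestamp> OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 198.51.100.5 is a forgetful user; 203.0.113.10 is a stuffing run.
SAMPLE_AUTH_LOG = """\
2020-04-16T09:00:01Z FAIL user=alice src=198.51.100.5
2020-04-16T09:00:20Z FAIL user=alice src=198.51.100.5
2020-04-16T09:00:45Z OK user=alice src=198.51.100.5
2020-04-16T09:10:00Z FAIL user=alice src=203.0.113.10
2020-04-16T09:10:02Z FAIL user=bob src=203.0.113.10
2020-04-16T09:10:04Z FAIL user=carol src=203.0.113.10
2020-04-16T09:10:06Z FAIL user=dave src=203.0.113.10
2020-04-16T09:10:08Z FAIL user=erin src=203.0.113.10
2020-04-16T09:10:10Z OK user=frank src=203.0.113.10
2020-04-16T09:10:12Z FAIL user=grace src=203.0.113.10
"""


def parse_auth_log(text):
    """Parse log lines into (timestamp, result, user, src) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort()
    return events


def detect_credential_stuffing(text, window_seconds=60, min_distinct_users=5):
    """Return one alert per source that failed against >= min_distinct_users
    distinct accounts within window_seconds, with any later successes listed."""
    by_src = defaultdict(list)
    for ev in parse_auth_log(text):
        by_src[ev[3]].append(ev)

    alerts = []
    for src, events in by_src.items():
        recent = deque()  # failures inside the sliding window: (timestamp, user)
        alert = None
        for ts, result, user, _ in events:
            if result == "FAIL":
                recent.append((ts, user))
                while (ts - recent[0][0]).total_seconds() > window_seconds:
                    recent.popleft()
                users = {u for _, u in recent}
                if len(users) >= min_distinct_users:
                    if alert is None:
                        alert = {"src": src, "first_seen": recent[0][0].isoformat(),
                                 "users": set(), "successes": []}
                    alert["users"] |= users
            elif alert is not None:
                # a success from an already-flagged source is a likely account takeover
                alert["successes"].append(user)
        if alert:
            alert["distinct_users"] = len(alert.pop("users"))
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(SAMPLE_AUTH_LOG):
        print(a)
```

The threshold is per-source and counts distinct accounts rather than raw failures, so a legitimate user mistyping one password does not trip it; in a real deployment the source key would usually be widened (ASN or /24) because stuffing tools rotate addresses, and the `successes` list is what goes to the incident ticket.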


Polling Question 2

Does your organization use multifactor authentication?

A. Yes

B. No

C. Don’t know

D. Just learned about it today

Cybersecurity Steps to Protecting Remote Employees

16 Key Cybersecurity Controls

01 Multifactor Authentication: Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint).

02 User Education and Awareness: Produce user security policies covering acceptable and secure use of your systems. Include in staff training. Maintain awareness of cyber risks. Manage ongoing phishing campaigns.

03 Malware Prevention: Produce relevant policies and establish anti-virus/anti-malware defenses.

04 Manage User Privileges: Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.

05 Mobile Device Management: Require anti-malware software, data encryption, enforce strong password security features, and segment corporate applications from personal applications. Use software that can remotely wipe devices.

06 VPN: Keep VPN appliances up-to-date and only allow VPN access from corporate managed devices. Ensure current encryption protocols are used. Train employees to immediately connect to the VPN after connecting to the internet.

07 Encryption: Encrypt data at rest on desktops, laptops, tablets, and phones. Configure Wi-Fi to use strong encryption such as WPA2 or WPA3.

08 Secure File Transfer: Use managed and encrypted file transfer portals for securely exchanging documents.

09 DLP: Implement data loss prevention software to prevent sensitive data from leaving the organization without authorization and proper security protocols. Block access to removable media.

10 Network Security: Configure, maintain, and monitor firewalls and intrusion detection and prevention devices. Segment your network.

11 Security Information and Event Monitoring: Log, monitor, and review security events from all sources within the organization using a SIEM tool, or subscribe to a security operations center (SOC) as a service.

12 Policies and Procedures: Establish comprehensive policies and procedures to address security, change management, access management, BYOD, remote work, and acceptable usage.

13 Vulnerability & Penetration Testing: Implement internal and external vulnerability and penetration tests to identify and remediate vulnerabilities in your IT environment.

14 Patching and Outdated Software: Use automated patch utilities to download, test, and deploy security patches for devices, operating systems, and applications. Replace outdated software.

15 Cybersecurity Risk Assessment: Identifies the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, and data), and then identifies the various risks that could affect those assets.

16 Cyber-Insurance: Evaluate your potential cyber risk exposure and obtain adequate insurance in case of a breach.

Checklist: Protecting Remote Employees

Employers
❑ Require strong passwords
❑ Implement MFA
❑ Only provide VPN access to corporate managed devices
❑ Use virtual desktops, remote desktops, or GoToMyPC for users without corporate laptops
❑ Encrypt any device that will hold corporate data
❑ Provide security awareness training

Employees
❑ Private work area
❑ Secure private Wi-Fi with at least WPA2
❑ Work while connected to the VPN
❑ Disable devices (Alexa / Google Home)
❑ Unique strong passwords
❑ Don’t click links or download files
❑ Keep work data on work computers

NIST Password Standards

• Length—8-64 characters are recommended.

• Character types—Nonstandard characters, such as emoticons, are allowed when possible.

• Construction—Long passphrases are encouraged. They must not match entries in the prohibited password dictionary.

• Reset—Required only if the password is compromised or forgotten.

• Multifactor—Encouraged in all but the least sensitive applications.

https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/nists-new-password-rule-book-updated-guidelines-offer-benefits-and-risk

Examples

NIST Passwords

• Long memorable passphrases are encouraged.
  • Example: “My best friend ran away when I was five.”
• Problematic passwords are rejected by a dictionary.
  • Example: “123456”
  • Example: “Go Dawgs”

Traditional Passwords

• Length can be seen as an obstacle as it adds complexity.
  • Example: “zx2[23]a!”
• Memorable might be easy to guess.
  • Example: “P@$$wORD”
  • Example: “HeidiLamarca2020!”
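As an added example (not from the deck, from Windham Brannon, or from NIST), the Python check below applies the NIST password rules listed above to the slide's own examples: 8-64 characters, any character type allowed, no composition rules, and rejection of anything in a prohibited-password dictionary. It also applies two related SP 800-63B checks the slide does not list (context-specific words such as the username, and repeated or sequential runs). The prohibited list is a constructed excerpt, and the symbol-substitution folding that makes “P@$$wORD” match “password” is an assumption about how a deployed dictionary would be matched.

```python
"""NIST-style password acceptance check (added example, not from the deck).

Rules applied: length 8-64, any Unicode character allowed, no composition
rules, reject dictionary entries (after folding common symbol substitutions),
reject the username, and reject repeated or sequential runs.
"""
import re
import unicodedata

MIN_LENGTH, MAX_LENGTH = 8, 64   # the 8-64 range the slide cites

# Constructed excerpt of a prohibited-password dictionary; a real deployment
# loads a breached-password list. Entries are matched case-insensitively.
PROHIBITED = {"123456", "password", "qwerty", "letmein", "go dawgs", "welcome1"}

# Assumed folding of common substitutions so "P@$$wORD" is seen as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "5": "s"})


def folded(password):
    """Lower-case the password and undo common symbol substitutions."""
    return password.lower().translate(_LEET)


def has_sequential_run(text, length=4):
    """True if `length` consecutive code points step by exactly one (1234, abcd)."""
    codes = [ord(c) for c in text]
    for i in range(len(codes) - length + 1):
        if all(codes[i + k + 1] - codes[i + k] == 1 for k in range(length - 1)):
            return True
    return False


def check_password(password, username=""):
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", password)  # one canonical Unicode form
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in PROHIBITED or folded(pw) in PROHIBITED:
        problems.append("matches the prohibited-password dictionary")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a character repeated four or more times")
    if has_sequential_run(pw):
        problems.append("contains a sequential run like 1234 or abcd")
    return problems


if __name__ == "__main__":
    for candidate in ("My best friend ran away when I was five.", "123456", "Go Dawgs",
                      "zx2[23]a!", "P@$$wORD", "HeidiLamarca2020!"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

Note what is deliberately absent: no required mix of upper case, digits and symbols, and no expiry, matching the slide's “reset only if compromised or forgotten” point; the long passphrase passes while the short “clever” passwords fail on the dictionary, not on a complexity rule.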

Security Awareness Training: Benefits

1. Builds a culture of cybersecurity
2. Improves information security, privacy, and compliance
3. Avoids and reduces cost from information security incidents and breaches
4. Improves reputation and trust
5. Creates situational awareness

Polling Question 3

How often does your organization perform security awareness training?

A. Annually

B. Multiple times a year

C. We need to do more

D. Never

Best Practices: Securing Remote Meetings

Who hasn’t heard of Zoombombing?

https://techcrunch.com/2020/04/03/zoom-waiting-rooms-default/

Securing Remote Meetings

1. Follow your organization’s policies for virtual meeting security.
2. Keep meeting software up-to-date.
3. Limit access to calendar details.
4. Limit reuse of access codes. If you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
5. Use a “lobby” or “waiting room” and don’t allow the meeting to begin until the host joins.
6. Use a dashboard feature so you can see who all the attendees are at any time.
7. Enable notification when attendees join by playing a tone or announcing names.
8. Pick the right solution for your use: meetings vs webinars.
9. Don’t record the meeting unless it’s necessary.
10. Before anyone shares their screen, remind them not to inadvertently share other sensitive information during the meeting.
11. Close client documents not needed for the meeting and keep your desktop clean.
12. Remember you are on camera.

Helping businesses build a cybersecurity culture!

Al Tanju | Cybersecurity
Windham Brannon - Senior Manager
atanju@windhambrannon.com
678-509-2722

Questions