Am I Too Small To Be A Target?

Source: wyzguyscybersecurity.com/wp-content/uploads/2016/01/CIT-Cyber...

Page 3: Am I Too Small To Be A Target?

Cybersecurity Issues for Small Businesses

Page 4: A Special Presentation For <Name>

• Date
• Location
• Special thanks to

Page 5: Your Speaker – Bob Weiss MCSE, A+, CEH

• Senior Cybersecurity Engineer at CIT
• Certified Ethical Hacker – 2013
• Cybersecurity Blogger @ wyzguyscybersecurity.com and cit-net.com/tech-talk/

Page 6: CIT Cybersecurity Services

• Cybersecurity Awareness Training
• Security Audits
• Vulnerability Assessments
• Penetration Testing
• Computer Forensics
• Incident Response

Page 7: Agenda

• Typical Exploits
• Cost of Cybercrime
• Examples of SMB Crimes
• Legal Issues
• Compliance Issues
  – PCI DSS
  – HIPAA
  – GLBA
• Cybersecurity Preparedness
• Incident Response Plan
• Training
• Passwords
• Email
• Banking
• Encryption

Page 8: What’s happening out there?

Page 9: Plan for the attack

• You will be hacked (if you haven’t been already).
• You may not know when it happens.
• You may be informed by your customer, credit card processor or government regulator.
• You may be fined.
• You may be sued.
• You may end up in the news.

Page 10: Typical Exploits

• Phishing for user passwords or remote access
• Hijacking a computer for use in a botnet
• Spamming to sell illegal or fraudulent products
• Stealing intellectual property
• Theft from online bank and financial accounts

Page 11: Typical Exploits

• Distribution of malware to other computers
• Posting confidential information on the Internet
• Holding critical information for ransom
• Attacking critical network infrastructure to disrupt operations

Page 12: Typical Exploits

• Theft of data – all data has value!
  – User credentials
  – Employee data
  – Customer data
  – Patient data
  – Financial data
  – Proprietary information

Page 13: Other Cyber Security Issues

• Politically motivated attacks and hacktivism
  – Anonymous, LulzSec
• Cyber-warfare
  – Stuxnet and Flame
  – Ukrainian electric utilities
• Government-sponsored cyber spying
  – NSA
  – China

Page 14: Top Two Attack Vectors

• Email
  – Clickable links and attachments
  – Phishing and spear-phishing
• Web sites
  – Malware distributed by compromised legitimate sites
  – Spoofed or cloned sites
  – Search-redirection malware

Page 15: Cost of Cyber-crime

• Average annual loss per employee: $1,500
• In 2015, $400 billion in losses worldwide
• 96% of small businesses unprepared for a cyber attack (Ernst & Young 2013 survey)

Page 16: Small Business Targets

Page 17: Small Businesses in the crosshairs

• SMBs are targeted by cyber-criminals
• More money in the bank than individuals
• Less security than larger enterprise businesses
• Employees have little or no training about cybersecurity
• Easy to exploit

Page 18: NC Fuel Company Loses $800K

• 15-employee fuel distribution company
• Monthly payroll of $60,000
• Thieves gained access to the bank account using a compromised password
• The bank had recently changed its security process to make online banking “easier”
• Insurance covered only a portion of the loss

Page 19: CA Escrow Company Loses $1.5M

• 9-person company
• 3 electronic transfers of about $500K each: one in Dec 2012 and two in Jan 2013
• The bank provided two-factor authentication, but it wasn’t working at the time
• Although the company had never transferred funds overseas, the bank did not question the large transfers – even after the first one was reported!
• Company in receivership

Page 20: Construction Company Loses $500K

• $447,000 was stolen from Ferma, a California construction company
• A banking Trojan (Zeus) was downloaded from a web site
• A Ferma employee logged into the bank’s online banking portal
• After authentication, the employee began making legitimate payments
• At the same time, the Zeus Trojan made 27 fund transfers totaling $447,000 to various bank accounts
• Because the fraudulent transfers rode the employee’s already-authenticated session, a second factor at login alone does not stop this; out-of-band confirmation of each transfer can

Page 21: HVAC Vendor Opens Door For Target Xmas Attack

• Fazio Mechanical, a small HVAC contractor to Target
• A phishing email installed password-stealing malware
• Target network credentials were stolen
• Over 17 days between Thanksgiving and Dec 15, cyber-thieves accessed Target’s POS system and collected credit card transaction information on 40 million customers

Page 22: Slovenian Gang Targets Small Business

• Spoofed email sent looking like it came from a bank or tax authority, warning of a late payment
• Clicking the link in the email installed a remote-access Trojan
• Thieves watched the computer for online banking activity
• Withdrawals timed for a Friday or the day before a holiday, delaying detection
• Group netted $2.5 million

Page 23: Regulatory Compliance and Legal Issues

Page 24: Legal Issues

• Regulatory fines
• Civil suits
• Cyber insurance may not cover “willful negligence”
• Cybersecurity or computer-use policy
• Incident Response Plan

Page 25: PCI DSS

• Payment Card Industry Data Security Standard v3.1
  – Build and maintain a secure network
  – Protect cardholder data
  – Maintain a vulnerability management program
  – Implement strong access control measures
  – Regularly monitor and test networks
  – Maintain an information security policy

Page 26: PCI DSS Penalties

• Non-compliant companies can be fined $5,000 to $100,000 per month (the card brands fine the acquiring bank, which passes the fine on to the merchant)
• $50–$90 per cardholder record compromised
• Brand and reputation damage
• Civil litigation

Page 27: HIPAA

• Health Insurance Portability and Accountability Act
• Regulates patient information
  – Access – who can read it
  – Transmission – how data is transferred from location to location
  – Storage – how and where data is stored
• Business Associate – CIT employees need to be trained and certified if they have contact with patient information

Page 28: HIPAA Violation Penalties

• Accidental – $100 per violation, annual max $25,000
• For cause – $1,000 per violation, annual max $100,000
• Willful neglect – $10,000 per violation, annual max $250,000
• Uncorrected willful neglect – $50,000 per violation, annual max $1.5 million

Page 29: GLBA

• Gramm-Leach-Bliley Act
• Financial Privacy Rule – consumers must be informed how their information is used and may opt out of information sharing
• Safeguards Rule – consumer information security plan and implementation
• Pretexting Provisions – systems and training to defeat social engineering

Page 30: GLBA Penalties

• The penalties for violating the GLBA are quite severe:
  – A financial institution can be fined up to $100,000 for each violation
  – The officers and directors can be fined up to $10,000 for each violation
  – Criminal penalties include imprisonment for up to 5 years, a fine, or both
  – If the GLBA is violated at the same time as another federal law, or as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period, the violator’s fine is doubled and the prison term rises to up to 10 years

Page 31: Policy Considerations

Page 32: Cybersecurity Preparedness

• Patch
• Back up
• Keep anti-malware software updated
• Enforce a good password policy
• Use two-factor authentication whenever possible
• Create alertness through training and events

Page 33: Incident Response Plan – Before the Breach

• Plan to be attacked
• Know who is in charge
• Have a cybersecurity expert on retainer
• Review insurance coverage
• Review legal requirements and exposure
• Plan for a media response

Page 34: Incident Response Plan – After the Breach

• Find out what happened – review your logs
• Remove affected devices from the network (pull the network cable or disable Wi-Fi rather than powering off, so memory can still be captured)
• Save affected devices for forensics – do not wipe drives!
• Report to the police and the Internet Crime Complaint Center (IC3)
• Responding to the media – be brief but truthful

Page 35: Creating a More Secure Environment

Page 36: Train Your Staff

• Train your employees in the fundamentals of cybersecurity.
• Create a data practices policy for your employees.
• Even the most sophisticated security defenses cannot prevent a malware breach that is permitted when an employee clicks a malicious link in an email.

Page 37: The Basics

• Internet security software on every computer
• Hardware firewall – blocks attacks from outside
• Intrusion Detection System (IDS) – detects attack traffic both outside and inside the network
• Security information and event management (SIEM) – provides real-time analysis of security alerts generated by network hardware and applications

Page 38: Password policy

• 10 characters or longer
  – 8-character passwords can be brute-forced in under 12 hours against a fast hash on GPU hardware
  – 10-character passwords take years to centuries at the same rate: each extra character from the 95 printable ASCII symbols multiplies the search space by 95, so two more characters mean about 9,000 times the work. Exact times depend on the hash algorithm and the attacker’s hardware.
• No dictionary words in any language
• Use complexity rules, at least one from each group:
  – UPPER CASE
  – lower case
  – Num63r5
  – $ym%o!s: * _ - ! @ # $ % & *

Page 39: Advanced Password policy

• Character substitution (p@5$w0#d) – cracking tools apply the common substitutions automatically, so on its own this adds little
• Use a passphrase (e.g. @mBwu10cPW! = “at my business we use 10 character pass words”)
• Use two-factor authentication when available
• Check password strength at Passfault (passfault.com) – test a password of the same pattern, never the real one, on a third-party site
• Nothing will matter if you lose your plain-text password to a keylogger or phishing exploit
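The two password slides above describe a policy (minimum length, the four character groups, no dictionary words, and substitutions that cracking tools undo) without showing how it would be checked. The following Python is an added example, not code from the deck or from CIT: a small policy checker that applies those rules, plus a keyspace calculation that makes the length claim concrete. The word list, the substitution table, the symbol set and the 1e10 guesses-per-second rate are assumptions for illustration.

```python
"""Password policy checker with a brute-force work estimate (added example)."""
import string

# Character groups from the complexity rule; the symbol set is the one on the slide.
GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set("*_-!@#$%&"),
}

# Assumed mini word list; a real checker loads a full multilingual dictionary.
DICTIONARY = {"password", "welcome", "business", "summer", "monkey", "letmein"}

# Common "leet" substitutions, undone before the dictionary check because
# cracking tools apply exactly these substitutions automatically.
UNLEET = str.maketrans("@$50#1!3", "assohlie")

MIN_LENGTH = 10


def check_password(pw):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too_short")
    for name, chars in GROUPS.items():
        if not any(c in chars for c in pw):
            failures.append(f"missing_{name}")
    normalized = pw.lower().translate(UNLEET)
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and word in normalized:
            failures.append(f"dictionary:{word}")
    return failures


def keyspace(length, alphabet_size=95):
    """Candidates an exhaustive search must try (95 = printable ASCII)."""
    return alphabet_size ** length


def seconds_to_exhaust(length, guesses_per_second=1e10, alphabet_size=95):
    """Worst-case time to try every candidate at the assumed guessing rate.

    1e10 guesses/s is an assumed figure for a GPU rig against a fast, unsalted
    hash; a slow hash such as bcrypt cuts it by orders of magnitude.
    """
    return keyspace(length, alphabet_size) / guesses_per_second


def length_work_ratio(short_len, long_len, alphabet_size=95):
    """How many times more work the longer length costs (exact integer)."""
    return keyspace(long_len, alphabet_size) // keyspace(short_len, alphabet_size)


if __name__ == "__main__":
    for candidate in ["password1", "p@5$w0#d", "P@5$w0rd!!", "@mBwu10cPW!"]:
        print(f"{candidate!r:16} -> {check_password(candidate) or 'OK'}")
    for n in (8, 10):
        years = seconds_to_exhaust(n) / (365 * 24 * 3600)
        print(f"{n} chars: {years:,.2f} years to exhaust at 1e10 guesses/s")
    print("10 vs 8 characters:", length_work_ratio(8, 10), "times more work")
```

The dictionary check runs on the de-substituted, lower-cased form, which is why the slide's P@5$w0rd-style password is rejected even though it satisfies all four character groups; the deck's passphrase example passes every rule.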

Page 41: Physical Security

• Server in a locked server room or closet
• Beware of unescorted visitors or vendors
• Mobile employees and laptop users should put the laptop in the trunk, not on the seat
• Intellectual property often leaves the building on a flash drive
• Use data encryption to protect against loss or theft of computers

Page 42: Email Security

• Never click on a link in an email; it’s always safer to type the address in manually.
• Never open an email attachment until you have confirmed who sent it and why.
• Use email encryption if your provider supports it.

Page 43: Avoid Phishing Emails

• Fake but realistic-looking emails
• Attachments, often in .zip format, install malware such as CryptoWall ransomware
• Malicious links take you to fake websites
• Trojan horse malware is downloaded
• Personal information is surrendered via a web form

Page 44: How To Catch a Phish
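The “How To Catch a Phish” slide is an image in the original, but the indicators the preceding slides describe (a sender spoofed to look like a bank or tax authority, a link whose visible text does not match where it goes, a .zip attachment carrying a dropper) can be checked mechanically. The following Python is an added example, not the deck’s material or CIT’s tooling: it parses a raw message with the standard library and reports those indicators. The two sample messages and the list of risky attachment extensions are constructed for the example.

```python
"""Flag common phishing indicators in a raw e-mail (added example, constructed input)."""
import email
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types commonly used to deliver droppers (assumed list).
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".jar", ".vbs", ".docm", ".xlsm"}


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(header_value):
    """Domain of an address header such as 'Bank <alerts@bank.example>'."""
    _, address = utils.parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = _domain(msg["From"])
    reply_to = _domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment type: {filename}")
            continue
        if part.get_content_type() != "text/html":
            continue
        collector = AnchorCollector()
        collector.feed(part.get_content())
        for text, href in collector.anchors:
            # Visible text that looks like a URL must lead to the host it names.
            shown = _host(text) if text.startswith(("http://", "https://")) else ""
            actual = _host(href)
            if shown and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
            if actual and sender and not _in_domain(actual, sender):
                findings.append(f"link host {actual} is outside sender domain {sender}")
    return findings


# Constructed sample: a "late payment" lure like the one on the Slovenian-gang slide.
SAMPLE_PHISH = """\
From: "Example Bank Alerts" <alerts@examplebank.com>
Reply-To: collections@mail-verify.example.net
Subject: Late payment notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is past due. Review the notice:</p>
<a href="http://examplebank.com.login-verify.example.net/notice">https://www.examplebank.com/notice</a>
</body></html>
--b1
Content-Type: application/zip; name="notice.zip"
Content-Disposition: attachment; filename="notice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: a statement notice whose link matches its sender.
SAMPLE_LEGIT = """\
From: "Example Bank Alerts" <alerts@examplebank.com>
Subject: Statement available
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

The link check deliberately compares hostnames rather than whole URLs, because the lure's trick is a hostname that begins with the bank's name and ends somewhere else; the reply-to check catches the common pattern where the From address is spoofed but replies must reach the attacker.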

Page 46: Web Security

• Use the most up-to-date web browser versions (the versions current when this list was compiled: Internet Explorer 11, Firefox 26, Chrome 31, Safari 7; all are long superseded, so turn on automatic updates rather than tracking version numbers)
• Be wary of changes to your home page or search provider

Page 47: Banking

• Online banking – are you using all the security tools your bank provides?
  – Two-factor authentication?
  – Treasury management?
• Find out what security features your bank provides.
• Will your bank alert you if there are unusual transactions?
• Who is responsible for unauthorized transactions? (In the US, the Regulation E consumer protections generally do not apply to business accounts, so liability turns on your account agreement.)
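The escrow-company and Slovenian-gang cases above turn on transfers that should have looked unusual: a first-ever overseas payee, an amount far above the account’s normal activity, and timing just before a weekend or holiday. The following Python is an added example, not the deck’s material or any bank’s alerting logic: a rule set that flags a candidate transfer against an account’s recent history, the kind of check a treasury-management alert would run. The history, the holiday calendar, the 5× amount threshold and the “ZZ” placeholder country code are constructed assumptions.

```python
"""Rule-based alerts for unusual outbound transfers (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class Transfer:
    when: date
    amount: float
    payee: str
    country: str  # country of the receiving bank; "ZZ" below is a placeholder code


# Assumed bank-holiday calendar; a real system would load the bank's own list.
HOLIDAYS = {date(2013, 1, 1)}


def before_weekend_or_holiday(day):
    """True on a Friday or on the day before a listed holiday (the gang's timing)."""
    return day.weekday() == 4 or (day + timedelta(days=1)) in HOLIDAYS


def unusual_transfer_flags(history, candidate, amount_multiple=5.0):
    """Return the names of the rules a candidate transfer trips against the history.

    Rules: first payment to this payee, first payment to this country, amount more
    than amount_multiple times the account's median transfer, and timing that leaves
    no business day to notice and recall the transfer.
    """
    flags = []
    if candidate.payee not in {t.payee for t in history}:
        flags.append("new_payee")
    if candidate.country not in {t.country for t in history}:
        flags.append("new_country")
    if history and candidate.amount > amount_multiple * median(t.amount for t in history):
        flags.append("amount_outlier")
    if before_weekend_or_holiday(candidate.when):
        flags.append("before_weekend_or_holiday")
    return flags


# Constructed history for a small fuel distributor: monthly payroll plus a few vendors.
HISTORY = [
    Transfer(date(2012, 9, 28), 60000.0, "Payroll Services Inc", "US"),
    Transfer(date(2012, 10, 11), 8500.0, "Tank Maintenance LLC", "US"),
    Transfer(date(2012, 10, 31), 60000.0, "Payroll Services Inc", "US"),
    Transfer(date(2012, 11, 15), 12000.0, "Fuel Supply Co", "US"),
    Transfer(date(2012, 11, 30), 60000.0, "Payroll Services Inc", "US"),
]

# Constructed candidates: a fraudulent overseas wire on a Friday, a routine payroll
# run on a Thursday, and a payroll run on the day before a holiday.
SUSPECT = Transfer(date(2012, 12, 21), 500000.0, "Overseas Holdings Ltd", "ZZ")
ROUTINE = Transfer(date(2012, 12, 27), 60000.0, "Payroll Services Inc", "US")
YEAR_END = Transfer(date(2012, 12, 31), 60000.0, "Payroll Services Inc", "US")

if __name__ == "__main__":
    for name, t in (("suspect", SUSPECT), ("routine", ROUTINE), ("year_end", YEAR_END)):
        print(f"{name:9} {t.when} {t.amount:>10,.0f} -> "
              f"{unusual_transfer_flags(HISTORY, t) or 'no flags'}")
```

The median rather than the mean is used as the baseline so that one large legitimate payment does not raise the threshold for everything after it; a single flag such as the year-end timing is normal, while a transfer that trips all four is the profile of the cases on the slides and should require a callback before release.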

Page 48: Zeus and Neverquest Bank Trojans

• Zeus – 2009
• Neverquest – 2013
• Dyre Wolf – 2015
  – Multiple installation avenues
  – Automatically looks for vulnerable computers
  – Works like a botnet
  – Keylogger watches for banking activity
  – Captures your banking logon credentials
  – Allows a remote attacker to transfer money from your bank account using your own computer
  – Also watches for logon info for other accounts

Page 49: Protect against Banking Trojans

• Use a bootable LiveCD
  – OS and apps on a CD cannot be changed
  – Linux-based OS
• Use a dedicated computer for all banking and financial transactions
  – Linux is better than Windows (banking Trojans such as Zeus target Windows)
  – Google Chromebook

Page 50: Encryption

• Use encryption whenever possible
  – HTTPS websites
  – VPN for mobile workers or traveling employees
  – Full-disk encryption for laptops
  – Encryption for employee and client records and proprietary data
  – Encrypted email solutions like Zix

Page 51: Where Do I Begin?

Page 52: CIT Cybersecurity Services

• Cybersecurity Awareness Training
• Security Audits
• Vulnerability Assessments
• Penetration Testing
• Computer Forensics
• Incident Response Management

Page 53: More CIT Cybersecurity Services

• Zix secure email
• Data backup and recovery solutions
• Computer Use and Cybersecurity Policy development
• Business Continuity and Disaster Recovery
• Incident Response Planning

Page 54: Thank You!

Any questions?

Page 55: Thanks

• Please take a business card
• Contact me for a security review or on-site training for your employees
  – [email protected]
  – 651 387-1668