Get HACKED for the last time!
https://www.kybersecure.com
September 27, 2017
Presenters:
• Bob Thomas – Sr. Solutions Architect
• Ben Karsif – Sr. Security Engineer
• Mario DiNatale – Chief Technology Officer
Agenda:
• Introduction / Background
• Employee Awareness
• Live Hacking Demonstration
Recent breaches / attacks:
• Equifax – 143M U.S. citizens affected
• Hollywood (CA) hospital paid $17K+ to retrieve data
• Montgomery County (AL) Commission – paid $40K+ to retrieve data
• Edmodo – Education database of 77M accounts harvested & sold
• WannaCry & Petya – Ransomware attacks succeed worldwide
Statistics:
• 1,000 attacks per day (2015) [1]
• 4,000 attacks per day (2016) [1]
• 2017???
• $209M in ransoms paid (1st qtr of 2016) [1]
• Locky – 90,000 computers were being infected PER DAY!!!
• WannaCry – 300,000 computers infected during the outbreak
• 60% of SMBs that are affected by a cyber attack go out of business within 6 months
[1] Data provided by IBM study performed in 2017
How can I protect myself?
• Backup your data
• Firewall (Yes…you need one)
• AI-based malware & virus protection
• Apply security updates to your devices
• Educate yourself and your employees
How do they do it???
• Asking you & your staff to call a phone # to clean/remove a virus
• “Drive-By” Download
• Phoning you & your staff and impersonating…
• Emailing you & your staff (asking for a wire transfer to be made)…
Terminology
• Spam is unsolicited bulk commercial email messages
• Phishing is tricking individuals into disclosing sensitive personal information, or taking a potentially dangerous action, such as opening an infected attachment, or visiting a compromised web link, using deception via email.
• Spear phishing is a form of phishing where the attack specifically targets an individual or group.
• Spoofing refers to tricking or deceiving you or your system. This is typically done by hiding the sender’s identity, or faking the identity of another user.
Identifying Hostile Email
Be alert for any email that asks you to take any of these actions:
• Replying (including sending an “unsubscribe” answer)
• Clicking any hyperlink in the message (and that includes the “unsubscribe” link)
• Opening an attachment
• Forwarding the email message to others
Beware the Call to Action
Be cautious of any message that:
• Requires urgent, immediate action to avoid a negative consequence or to mitigate a threat
• Offers to gain something of value
• Asks you to resolve an urgent problem
Identifying Hostile Email
• A few years ago, most phishing attempts were badly written.
• Today, the grammar is correct, and they steal graphics from the websites of the companies they’re spoofing.
When a major event makes the news, hackers will try to trick you through phishing attacks.
Here’s an example from an internal email account.
Appears legitimate
If you clicked this link:
• Your computer could be infected
• Your company could be at risk of further attack and/or data loss
Trying to look like it’s really from Fidelity (spoofing).
Hover to see if the address goes to the Fidelity website.
Did you order anything from Apple?
May be a made up domain name.
Content tries to make you worried enough to click a link.
Hackers are getting pretty smart… spear phishing to target specific groups.
Best Practices for Email Security
Do not open attachments unless you are 100% certain of:
• The sender
• The purpose of the attachment
Never click embedded links in messages without hovering your mouse over them first
Note that:
www.microsoft.com
and
www.support.microsoft.software.com
are two different domains (and only the first is an actual Microsoft site)
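The domain comparison above, as an added example (not code from the presentation): it extracts the hostname a link actually points to and compares its registrable domain with the one the reader expects, so a lookalike such as www.support.microsoft.software.com is flagged even though the brand name appears in it. It assumes a simplified "last two labels" rule for the registrable domain; a production check would consult the Public Suffix List.

```python
from urllib.parse import urlparse

# Added example: compare where a link really goes with the domain the
# reader expects.  The registrable-domain rule here is a simplification
# (last two labels); suffixes such as co.uk need the Public Suffix List.

def registrable_domain(hostname: str) -> str:
    """'www.support.microsoft.software.com' -> 'software.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def link_verdict(href: str, expected_domain: str) -> dict:
    """Describe whether href lands on expected_domain or only looks like it."""
    if "://" not in href:          # bare 'www.example.com/path' in mail text
        href = "http://" + href
    host = urlparse(href).hostname or ""
    actual = registrable_domain(host) if host else ""
    expected = expected_domain.lower()
    brand = expected.split(".")[0]  # e.g. 'microsoft'
    return {
        "hostname": host,
        "registrable_domain": actual,
        "same_domain": actual == expected,
        # brand name is present in the hostname but the real domain differs
        "lookalike": brand in host and actual != expected,
    }

# Constructed sample links: the two hostnames from the slide.
SAMPLE_LINKS = [
    "https://www.microsoft.com/security",
    "http://www.support.microsoft.software.com/update",
]

if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        v = link_verdict(url, "microsoft.com")
        status = "OK" if v["same_domain"] else "SUSPICIOUS"
        print(f"{status:10} {url} -> {v['registrable_domain']}")
```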
Best Practices for Email Security
• Check the ‘From’ field to validate the sender (the ‘From’ address may be spoofed).
• Do not ‘unsubscribe’ – it’s easier to Delete than to deal with the security risks.
• Do not respond to spam in any way – delete it!
• Do not open email attachments that end in .exe, .scr, .bat or .com, or any other executable file type you do not recognize.
Best Practices for Email Security
• Check for ‘double-extended’ scam attachments. A file named ‘safe.txt’ is mostly safe, but a file called ‘safe.txt.exe’ is not.
• Report all suspicious emails to your IT help desk.
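The two attachment rules above (executable extensions, and ‘double-extended’ names such as safe.txt.exe), as an added example that is not part of the presentation. The executable extension list is the one named on the slide; the document extension list used to recognise the decoy part of a double-extended name is an assumption.

```python
import os
from typing import List

# Added example: flag attachment names under the slide's two rules.
# Extensions named on the slide; extend for your environment (assumption).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".com"}
# Decoy extensions commonly seen in double-extended names (assumption).
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg"}

def split_extensions(filename: str) -> List[str]:
    """'Safe.TXT.exe' -> ['.txt', '.exe']; parts are lower-cased and
    stripped so padding spaces cannot disguise the final extension."""
    name = os.path.basename(filename.strip())
    parts = [p.strip().lower() for p in name.split(".")]
    return ["." + p for p in parts[1:] if p]

def attachment_reasons(filename: str) -> List[str]:
    """Reasons the attachment should be reported; empty list if none."""
    exts = split_extensions(filename)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {exts[-1]}")
    # A document-looking extension hidden in front of a different final one.
    if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS
            and exts[-1] not in DOCUMENT_EXTENSIONS):
        reasons.append(f"double extension {''.join(exts[-2:])}")
    return reasons

# Constructed sample attachment names, including the slide's safe.txt.exe.
SAMPLE_ATTACHMENTS = ["safe.txt", "safe.txt.exe", "Invoice.PDF.scr",
                      "report.docx", "setup.exe"]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        reasons = attachment_reasons(name)
        print(f"{name:18} {'REPORT: ' + '; '.join(reasons) if reasons else 'ok'}")
```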
Your Business’ Largest Threat
There are a number of impressive tools and services that can help ensure your employees are responsible and vigilant digital citizens.
• Mock phishing campaigns
• Customizable alerts and reports
• Mandatory Cybersecurity training
• Clear visibility into where your weak links reside
Make your organization more secure immediately!
You may be eligible to participate in a no cost security study of your organization. This study, funded by our security partners, will review your security posture to determine how secure your network is at its current state. We will review policies, processes, human components, network traffic and usage and existing available breach points in your network. This information will be compiled into a security report with actionable information that you can use immediately to make your business more secure without any further engagement.
You’re not secure until you’re KyberSecure™!
https://www.kybersecure.com