© Aronson LLC | aronsonllc.com | Non-Profit IT Threats in the New Normal October 20, 2021

Non-Profit IT Threats in the New Normal


Page 1: Non-Profit IT Threats in the New Normal


Non-Profit IT Threats in the New Normal

October 20, 2021

Page 2: Non-Profit IT Threats in the New Normal


Agenda

• About Aronson / Introductions
• Course Description & Learning Objectives
• Cyber crime Financial Impacts
• Attack Tactics & Techniques
• Cybersecurity Program Basics

Page 3: Non-Profit IT Threats in the New Normal


About Aronson

Aronson offers a diverse set of technical skills, industry knowledge, and resources in a responsive service model.

https://aronsonllc.com/service/cmmc-advisory/

Page 4: Non-Profit IT Threats in the New Normal


Azunna Anyanwu

Director of Technology Advisory & Information Technology, Aronson LLC

• Unique and diverse technical skillset with 20 years of experience in IT strategy, IT operations, cybersecurity, business process reengineering, agile methodologies, & more.
• Direct IT operations, cybersecurity, and digital business transformation activities for Aronson.
• Previously served as the Director of IT at a Federal government contractor & 12+ years in Big 4 Consulting.

Azunna leverages agile principles and practices to help businesses address:

IT Operations: Implement and execute ITIL based processes and procedures to deliver critical services in a standardized and repeatable manner with minimal downtime.

IT Strategy & Architecture: Define the technology vision, strategy and objectives based on current and planned business needs. Develop integrated processes and solutions to enable your business to operate optimally and reduce waste.

IT Security: Implement a security program and address gaps in IT security controls to achieve compliance with government, industry, or client requirements.

LinkedIn.com/in/Azunna/

[email protected]

Page 5: Non-Profit IT Threats in the New Normal


Course Description & Learning Objectives

The pandemic and the abrupt shift to remote work have introduced additional risks for IT and cybersecurity professionals to protect against. During this discussion, we will talk about the different types of vulnerabilities and how to reduce your risks.

Learning Objectives

• Understand cybersecurity risks in remote working environments
• Learn strategies to reduce risks
• Learn the basics of a cyber security program

Page 6: Non-Profit IT Threats in the New Normal


Schools Under Attack

There have been 1,200 cyber incidents affecting K-12 public schools in all 50 states. (K12 Security Information Exchange)

Buffalo Public schools

• Shutdown by ransomware attack for one week (34,000 students affected)

Howard University

• Classes canceled, Wi-Fi shut down on Howard U’s campus due to ransomware cyberattack

Biden Signs School Cybersecurity Bill (K-12 Cybersecurity Act of 2021)

• DHS CISA will study cyber risks affecting K-12 schools and develop recommendations to make them less vulnerable to attacks

Sources:
• Buffalo Public Schools: https://searchsecurity.techtarget.com/feature/The-biggest-ransomware-attacks-this-year
• Howard University: https://www.wusa9.com/article/news/local/dc/howard-university-ransomware-cyberattack/65-15b329bf-f4f4-430a-aae7-4003df9cea89
• Biden School Bill: https://www.route-fifty.com/tech-data/2021/10/biden-signs-school-cybersecurity-bill/186022/

Page 7: Non-Profit IT Threats in the New Normal

Cyber crime financial impacts

Page 8: Non-Profit IT Threats in the New Normal


Hacking is a Lucrative Business

Ransomware and funds transfer fraud account for 50% of all insurance losses.

Ransomware

• Average ransom demand is $1.2M (170% increase over 2020)
• Increase in ransom demands is due to:
  – Change in systems necessary to go remote
  – Hackers have more insight into what a company can “afford”, and the value of information stored

Funds Transfer Fraud

• Average funds transfer loss is $326K (180% increase over 2020)
• Often perpetrated through phishing and email compromise followed by social engineering:
  – Modify payment instructions
  – Make fraudulent payments
  – Send doctored invoices, spoofed emails

Page 9: Non-Profit IT Threats in the New Normal


Should I Pay the Ransom if affected by Ransomware?

Do you have a viable backup?

Yes: Skip the payment and try to recover from backup.
• Attackers may still attempt to extort you by exposing stolen data (data exfiltration).

No: Pay the ransom and hope the decryption keys work.
• US Government has put limits on ransom payments to known terrorist organizations.
• You will typically want to/need to work through a 3rd party to negotiate payment.

Page 10: Non-Profit IT Threats in the New Normal


How to Combat Ransomware

• Implement email security (spam filtering tools)
• Train end users (cybersecurity awareness)
• Implement a robust backup strategy (3-2-1 rule)
  – Frequent backups
  – Offline storage of backups
• Patch software and address technical vulnerabilities

The 3-2-1 rule:

3: Create 3 copies of your data (1 primary copy and 2 backups)
2: Store your copies in at least 2 types of storage media (local drive, network share/NAS, tape drive, etc.)
1: Store 1 of these copies offsite (e.g., in the Cloud)
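As an added illustration (not part of the Aronson slides), the following Python check applies the 3-2-1 rule above, together with the slide's offline-backup point, to a small backup inventory; the inventory shape and the media/location labels are my own assumptions.

```python
"""Check a backup inventory against the 3-2-1 rule from the slide above.
Added example, not from Aronson's slides; the inventory shape and the
media/location labels are assumptions made for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str      # e.g. "local-disk", "nas", "tape", "cloud"
    location: str   # "onsite" or "offsite"
    offline: bool   # disconnected from the network when not actively in use


def check_321(copies: list) -> list:
    """Return 3-2-1 violations for an inventory; an empty list means compliant.
    3 copies (primary + 2 backups), 2 media types, 1 offsite copy, and, per the
    slide's ransomware guidance, at least one copy kept offline."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; need 3 (1 primary + 2 backups)")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"only one media type ({', '.join(sorted(media)) or 'none'}); need 2")
    if not any(c.location == "offsite" for c in copies):
        problems.append("no offsite copy; keep 1 copy offsite (e.g. cloud)")
    if not any(c.offline for c in copies):
        problems.append("no offline copy; ransomware can reach every online backup")
    return problems


# Constructed sample inventories for illustration.
WEAK = [
    BackupCopy("file server", "nas", "onsite", False),
    BackupCopy("nightly snapshot", "nas", "onsite", False),
]
GOOD = [
    BackupCopy("file server", "local-disk", "onsite", False),
    BackupCopy("nightly backup", "nas", "onsite", False),
    BackupCopy("weekly cloud backup", "cloud", "offsite", False),
    BackupCopy("monthly tape", "tape", "offsite", True),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, check_321(inventory) or "OK")
```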

Page 11: Non-Profit IT Threats in the New Normal


Funds Transfer Fraud Examples

Invoice Fraud
• Spoofed email from vendor/supplier indicating a change in banking information
• Spoofed email from CEO or leader authorizing a fraudulent payment
• Hackers gain access to employee email and send invoices out to company suppliers

Payroll Diversion
• Spoofed email to employees from HR/Payroll asking for a change to direct deposit accounts
• Hackers gain access to an employee’s direct deposit account and alter banking information

Page 12: Non-Profit IT Threats in the New Normal


Anatomy of a Funds Transfer Fraud Event

1. Victim identification
2. Credential theft (via phishing email)
3. Malicious logins
4. Search for transactions
5. Mailbox rules modified
6. Modification of payment requests
7. Criminal verification of instructions
8. Criminal receives fraudulent funds transfer
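To show what the "mailbox rules modified" stage looks like from the defender's side, here is an added example (not from the slides) that scans constructed, simplified mailbox-rule audit records for external auto-forwarding, finance mail being hidden, and throwaway rule names; the record format and the example.org organisation domain are assumptions.

```python
"""Flag inbox rules of the kind criminals add during a funds transfer fraud.
Added example, not from Aronson's slides. The audit records are a constructed,
simplified shape (user, rule name, conditions, actions), not any real mail
platform's schema; example.org is the assumed organisation domain."""
import json

INTERNAL_DOMAIN = "example.org"
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "ach", "remit"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = """
{"user":"ap@example.org","rule":"Invoices","subject_contains":["invoice","payment"],"forward_to":["review@mail-relay.example.net"],"move_to":null,"delete":false}
{"user":"ap@example.org","rule":".","subject_contains":["wire","bank"],"forward_to":[],"move_to":"RSS Feeds","delete":false}
{"user":"cfo@example.org","rule":"Cleanup","subject_contains":["newsletter"],"forward_to":[],"move_to":"Archive","delete":false}
{"user":"hr@example.org","rule":"Backup","subject_contains":[],"forward_to":["hr@example.org"],"move_to":null,"delete":false}
"""


def analyse_rule(rec: dict) -> list:
    """Return the reasons one rule record looks like BEC persistence (empty if benign)."""
    reasons = []
    # Auto-forwarding outside the organisation lets the criminal keep reading
    # payment traffic even after the stolen password is changed.
    for addr in rec.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
            reasons.append(f"forwards to external address {addr}")
    # Deleting or burying finance-related mail keeps the real vendor's replies
    # away from the victim while payment details are being swapped.
    words = [w.lower() for w in rec.get("subject_contains", [])]
    folder = (rec.get("move_to") or "").lower()
    if any(w in FINANCE_WORDS for w in words) and (rec.get("delete") or folder in HIDING_FOLDERS):
        reasons.append(f"hides finance mail matching {words} in {folder or 'deleted items'}")
    # Throwaway one-character rule names are a frequent sign the user did not create the rule.
    if len(rec.get("rule", "")) <= 1:
        reasons.append("rule name is a single character")
    return reasons


def scan_log(text: str) -> dict:
    """Map 'user / rule' to findings for every suspicious rule in the log text."""
    findings = {}
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if reasons := analyse_rule(rec):
            findings[f"{rec['user']} / {rec['rule']}"] = reasons
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the two rules on the AP mailbox and leaves the CFO's newsletter cleanup and the internal HR forward alone.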

How to Combat Funds Transfer Fraud

• Define procedures for handling new payment requests or changes in payment requests
  – Call the requesting party on a known good number to confirm the request
  – Establish two-party approval for transfers or payment detail changes
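An added example (not Aronson's) of the two controls above as code: a vendor bank-detail change is accepted only when the callback went to the number already on file, not the number in the request, and two approvers other than the requester have signed off. The record shapes and vendor data are constructed for the illustration.

```python
"""Enforce the slide's two controls on a vendor bank-detail change request:
call back on a known-good number and require two-party approval.
Added example, not from Aronson's slides; the record shapes and the vendor
master data below are constructed for this illustration."""
from dataclasses import dataclass, field


@dataclass
class VendorOnFile:           # vendor master record captured at onboarding
    name: str
    phone: str                # known-good number; the only number a callback may use
    bank_account: str


@dataclass
class ChangeRequest:
    vendor: str
    new_bank_account: str
    phone_in_request: str     # number printed in the email; attacker-controlled if spoofed
    requested_by: str         # staff member who entered the change
    callback_number: str = "" # number actually dialled to confirm the request
    callback_confirmed: bool = False
    approvers: list = field(default_factory=list)


def validate_change(req: ChangeRequest, master: dict) -> list:
    """Return control failures; an empty list means the change may proceed."""
    vendor = master.get(req.vendor)
    if vendor is None:
        return [f"unknown vendor {req.vendor!r}; onboard through the normal process first"]
    failures = []
    # Control 1: call back on the number on file, never the one in the request.
    if not req.callback_confirmed:
        failures.append("no callback confirmation recorded")
    elif req.callback_number != vendor.phone:
        where = "the number from the request" if req.callback_number == req.phone_in_request else req.callback_number
        failures.append(f"callback went to {where}, not the number on file")
    # Control 2: two distinct approvers, neither of whom entered the request.
    if len(set(req.approvers) - {req.requested_by}) < 2:
        failures.append("need two approvers other than the requester")
    return failures


# Constructed data: a genuine change and one mirroring the invoice-fraud scenario.
MASTER = {"Acme Supplies": VendorOnFile("Acme Supplies", "+1-555-0100", "ACCT-111")}
GENUINE = ChangeRequest("Acme Supplies", "ACCT-222", "+1-555-0100", "ap.clerk",
                        "+1-555-0100", True, ["ap.manager", "controller"])
SPOOFED = ChangeRequest("Acme Supplies", "ACCT-999", "+1-555-0199", "ap.clerk",
                        "+1-555-0199", True, ["ap.clerk", "ap.manager"])
```

`validate_change(SPOOFED, MASTER)` reports both failures: the clerk dialled the number printed in the spoofed email, and the clerk counted as one of the two approvers.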

Page 13: Non-Profit IT Threats in the New Normal

Attack tactics & techniques

Page 14: Non-Profit IT Threats in the New Normal


Business Email Compromise, Fraud, & Ransomware Attacks Are All on the Rise

Source: Cyber Insurance Coalition’s 1H 2021 Cyber Insurance Claims Report, https://info.coalitioninc.com/rs/566-KWJ-784/images/DLC-2021-07-Coalition-Cyber-Insurance-Claims-Report-2021-h1.pdf

Page 15: Non-Profit IT Threats in the New Normal


Poll Question #1 – What was the most prevalent attack technique in 2021?

A. Phishing

B. External Remote Services

C. Public Facing Applications

Page 16: Non-Profit IT Threats in the New Normal


Phishing Attacks

Phishing involves tricking a person via email into providing credentials or installing malware. Phishing can also occur via other means:
• Smishing involves text or SMS messages
• Vishing involves phone calls

Spear phishing targets specific, high value individuals with crafted attacks.

Attackers frequently email or call or text with a planned scenario, such as:
• New Online Tool (Salesforce, Office365, Time and Expense Tracking, etc.)
• Annual HR benefits (“Log in to select new benefits package”)
• Incident Response (“Enter credentials to confirm validity of account”)

Recommended Counter-Measures:
• Append Disclaimer to External Email
  – E.g. Messages received from outside the organization include a disclaimer highlighted in yellow
• Security Awareness Training
  – Provides an overview of the most important issues.

Page 17: Non-Profit IT Threats in the New Normal


Business Email Compromise (BEC)

• The FBI defines BEC as “a sophisticated scam targeting businesses working with suppliers and/or businesses that regularly perform wire transfer payments.

• The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

$26B: Global losses to BEC scams

87% ↑: Phishing campaigns targeting finance staff

75%: Invoice fraud increase

Page 18: Non-Profit IT Threats in the New Normal


Supply Chain Attack (Third-Party Vendors)

“A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.” (Wikipedia)

SolarWinds Software compromised to infect thousands of clients

• https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/

Microsoft Exchange Server vulnerability affects US defense industrial base, think tanks and “hundreds of thousands” of organizations globally

• https://breakingdefense.com/2021/03/microsoft-updates-exchange-server-ioc-tool-emergency-alternative-mitigations-overnight/

200 businesses hit by ransomware after breach at Florida IT firm

• https://www.cnbc.com/2021/07/02/200-businesses-hit-by-ransomware-cybersecurity-company-says.html

Page 19: Non-Profit IT Threats in the New Normal


Insider Threat Attack

Disgruntled HR executive trashed personnel files and deleted 17K resumes after being fired
• Executive was fired over the phone
  – Colleagues reported seeing her repeatedly hitting the delete key on her computer
• Hours after she was escorted out of the office, she logged into an outside computer system where she deleted the bulk of the files
• The company spent $300K over 2 years to rebuild the system and spent another $100K to get it working again.
  – Many files were unable to be retrieved.

https://www.marketwatch.com/story/ex-hr-exec-convicted-of-trashing-companys-personnel-records-and-deleting-17-000-resumes-after-being-fired-11629230357

Page 20: Non-Profit IT Threats in the New Normal

Cybersecurity Program Basics

Page 21: Non-Profit IT Threats in the New Normal


3 Keys To A Robust Cybersecurity Program

People

Process

Technology

Address Cybersecurity Holistically

Page 22: Non-Profit IT Threats in the New Normal


Poll Question #2 – What Factors Should Be Addressed for Cybersecurity?

A. People

B. Process

C. Technology

D. All of the Above

Page 23: Non-Profit IT Threats in the New Normal


Technology – Implement Tools that Address Common Risks

Deploy anti-virus tools to all endpoints (servers and computers)
• Highly recommend implementing Endpoint Detection & Response (EDR) or Managed Detection & Response (MDR) tools

Implement Multi-factor or Two-factor Authentication (MFA/TFA)
• Consider implementing a central identity management system

Implement email security protection
• Detect & block malware and non-malware email threats

Page 24: Non-Profit IT Threats in the New Normal


Process – Develop a Security Program

• Timely patch systems (servers, desktops, applications, networking infrastructure, etc.)
• Actively monitor the environment for vulnerabilities and anomalous events
  – Consider outsourcing to a Managed Security Services Provider (MSSP)
• Enforce the principle of least privilege across the enterprise (endpoints, servers, applications, etc.)
• Conduct 3rd party testing at least annually (e.g., penetration testing or cybersecurity assessments)
• Develop & document policies, plans & procedures
• Review and respond to threat intelligence feeds (e.g., US-CERT)

Page 25: Non-Profit IT Threats in the New Normal


People – Educate Staff on their Responsibility

• Implement a security awareness training program for users
  – Consider subscribing to a training platform or outsourcing to a 3rd party
• Conduct phishing simulations (tests/campaigns)
• Provide specialized cybersecurity training to IT personnel

Page 26: Non-Profit IT Threats in the New Normal


What Should I Do Next (Cybersecurity Journey Map)?

Security Assessment
• Identify scope & desired maturity level
• Perform independent security assessment

Gap Remediation
• Develop / Update Security Plan, Policies, & Procedures
• Implement and/or enhance controls to address gaps

Sustain Maturity
• Review & document objective evidence that demonstrates meeting recommended security controls

Minimum 12-18+ month process

Page 27: Non-Profit IT Threats in the New Normal


Contact & Connect with Aronson

202.869.0995

[email protected]

https://aronsonllc.com/service/cmmc-advisory/

111 Rockville Pike, Suite 600, Rockville, MD 20815

301.231.6200 | www.aronsonllc.com

Page 28: Non-Profit IT Threats in the New Normal


Cybersecurity Best Practices (based on DOD CMMC ML1 Framework)

Access Control

• Use *strong* passwords to restrict log-on
• Assign people “user” rights to their computer, not “Admin” rights
• Limit connections to external information systems/networks
• Limit and secure what’s posted or processed on publicly accessible information systems

Identification & Authentication

• Don’t use shared logins (each person should have their own account)
• Require authentication to access systems
• Implement Multifactor Authentication (MFA/TFA)

System and Communications Protection

• Continuously monitor information systems (servers, endpoints, and network infrastructure)
• Logically and physically separate public networks from internal networks

System and Information Integrity

• Install updates and patch systems in a timely manner
• Use antivirus systems, update signatures regularly, and enable antivirus scans

Page 29: Non-Profit IT Threats in the New Normal


Additional Resources

• Protecting Against Ransomware – https://us-cert.cisa.gov/ncas/tips/ST19-001
• Avoiding Social Engineering and Phishing Attacks – https://us-cert.cisa.gov/ncas/tips/ST04-014
• Protecting Against Malicious Code – https://us-cert.cisa.gov/ncas/tips/ST18-271
• Internet Crime Complaint Center (IC3) – https://www.ic3.gov/default.aspx
• Cybersecurity for Nonprofits – https://www.councilofnonprofits.org/tools-resources/cybersecurity-nonprofits