Am I Too Small To Be A Target?
Cybersecurity Issues for Small Businesses
A Special Presentation For <Name>
• Date
• Location
• Special thanks to
Your Speaker – Bob Weiss MCSE, A+, CEH
• Senior Cybersecurity Engineer at CIT
• Certified Ethical Hacker – 2013
• Cybersecurity Blogger @ wyzguyscybersecurity.com and cit-net.com/tech-talk/
CIT Cybersecurity Services
• Cybersecurity Awareness Training
• Security Audits
• Vulnerability Assessments
• Penetration Testing
• Computer Forensics
• Incident Response
Agenda
• Typical Exploits
• Cost of Cybercrime
• Examples of SMB Crimes
• Legal Issues
• Compliance Issues
– PCI DSS
– HIPAA
– GLBA
• Cybersecurity Preparedness
• Incident Response Plan
• Training
• Passwords
• Banking
• Encryption
What’s happening out there?
Plan for the attack
• You will be hacked (if you haven’t been already)
• You may not know when it happens.
• You may be informed by your customer, credit card
processor or government regulator
• You may be fined
• You may be sued
• You may end up in the news
Typical Exploits
• Phishing for user passwords or remote access
• Hijacking a computer to use in a bot-net
• Spamming to sell illegal or fraudulent products
• Stealing intellectual property
• Thefts from online bank and financial accounts
• Distribution of malware to other computers
• Posting confidential information on the Internet
• Holding critical information for ransom
• Attacking critical network infrastructure to disrupt
operations
• Theft of data – all data has value!
– User credentials
– Employee data
– Customer data
– Patient data
– Financial data
– Proprietary information
Other Cyber Security Issues
• Politically Motivated Attacks and Hacktivism
– Anonymous, LulzSec
• Cyber-Warfare
– Stuxnet and Flame
– Ukrainian electric utilities
• Government Sponsored Cyber Spying
– NSA
– China
Top Two Attack Vectors
• Email
– Clickable links and attachments
– Phishing and spear-phishing
• Web sites
– Malware distributed by compromised legitimate sites
– Spoofed or cloned sites
– Search redirection malware
Cost of Cyber-crime
• Average annual loss per employee - $1500
• In 2015, $400 billion in losses worldwide
• 96% of small businesses unprepared for cyber attack
(Ernst and Young 2013 Survey)
Small Business Targets
Small Businesses in crosshairs
• SMBs targeted by cyber-criminals
• More money in the bank than individuals
• Less security than larger enterprise businesses.
• Employees have little or no training about cybersecurity.
• Easy to exploit
NC Fuel Company Loses $800K
• 15 employee fuel distribution company.
• Monthly payroll of $60,000
• Thieves gained access to bank account using
compromised password
• Bank had recently made changes to its security process
to make online banking “easier.”
• Insurance only covered a portion of the loss.
CA Escrow Company loses $1.5 M
• 9 person company
• 3 electronic transfers of about $500k each
• One in Dec 2012 and two in Jan 2013
• Bank provided two factor authentication, but it wasn’t working at the time.
• Although this company had never transferred funds overseas, bank did not question large transfers – even after the first was reported!
• Company in receivership.
Construction Company Loses Nearly $500K
• $447,000 was stolen from Ferma, a California construction company.
• A banking Trojan (Zeus) was downloaded from a web site onto an employee's computer.
• The employee logged into the bank's online financial web portal.
• Once the session was authenticated, the employee began making legitimate payments.
• At the same time, using that authenticated session, Zeus made 27 fund transfers totaling $447,000 to various bank accounts.
HVAC Vendor Opens Door For Target Xmas Attack
• Fazio Mechanical small HVAC contractor to Target
• Phishing email installed password stealing malware
• Target network credentials stolen
• Over 17 days between Thanksgiving and Dec 15, cyber-thieves accessed Target's POS system and collected credit card transaction information on 40 million customers.
Slovenian Gang Targets Small Businesses
• Spoofed email sent looking like it came from a bank or a tax authority warning of late payment.
• Clicking on the link in the email installed a remote access Trojan horse program
• Thieves watched computer for online banking activity.
• Withdrawals timed to occur on Friday or before a holiday
• Group netted $2.5 million.
Regulatory Compliance and
Legal Issues
Legal Issues
• Regulatory fines
• Civil suits
• Cyber insurance may not cover “willful negligence”
• Cybersecurity or computer use policy
• Incident Response Plan
PCI DSS
• Payment Card Industry Data Security Standard v3.1
– Build and maintain a secure network
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
PCI DSS Penalties
• Non-compliant companies can be fined $5000 to
$100,000 per month
• $50-$90 per cardholder record compromised
• Brand and reputation damage
• Civil litigation
HIPAA
• Health Insurance Portability and Accountability Act
• Regulates patient information
– Access – who can read it
– Transmission – how data is transferred from location to location
– Storage – how and where data is stored
• Business Associate – CIT employees need to be trained and certified if they have contact with patient information
HIPAA Violation Penalties
• Accidental - $100 per violation – annual max $25,000
• For cause - $1000 per violation – annual max $100,000
• Willful neglect - $10,000 per violation – annual max $250,000
• Uncorrected willful neglect - $50,000 per violation – annual max $1.5 million
GLBA
• Gramm-Leach-Bliley Act
• Financial Privacy Rule – consumers need to be informed how their information is used and may opt out of information sharing
• Safeguards Rule – consumer information security plan and implementation
• Pretexting Provisions – systems and training to defeat social engineering
GLBA Penalties
• The penalties for violating the GLBA are quite severe:
– A financial institution can be fined up to $100,000 for each violation
– The officers and directors can be fined up to $10,000 for each violation
– Criminal penalties include imprisonment for up to 5 years, a fine, or both
– If the GLBA is violated at the same time that another federal law is violated, or if the GLBA is violated as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period, the violator's fine will be doubled and he or she will be imprisoned for up to 10 years
Policy Considerations
Cybersecurity Preparedness
• Patch
• Backup
• Keep antimalware software updated
• Enforce good password policy
• Use two factor authentication when possible
• Create alertness through training and events
Incident Response Plan – Before the Breach
• Plan to be attacked
• Know who is in charge
• Have a cybersecurity expert on retainer
• Review insurance coverage
• Review legal requirements and exposure
• Plan for a media response
Incident Response Plan – After the Breach
• Find out what happened – review your logs
• Isolate affected devices from the network (unplug or block them rather than powering them off, so volatile evidence in memory is not lost)
• Save affected devices for forensics – do not wipe drives!
• Report to the police and the Internet Crime Complaint Center (IC3)
• Responding to media – be brief but truthful
Creating a More Secure Environment
Train Your Staff
• Train your employees in the fundamentals of
cybersecurity.
• Create a data practices policy for your employees.
• Even the most sophisticated security defenses cannot
prevent a malware breach that is permitted when an
employee clicks on a malicious link in an email.
The Basics
• Internet security software on every computer
• Hardware firewall – blocks attacks from outside
• Intrusion Detection System (IDS) – detects attack traffic both outside and inside the network
• Security Information and Event Management (SIEM) – provides real-time analysis of security alerts generated by network hardware and applications
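The log review step in the incident response plan and the SIEM definition above come down to the same thing: correlating events over time per source rather than reading one line at a time. The following is an added example, not code from this deck or from CIT, of one such correlation rule run over constructed sshd log lines. It raises a "brute_force_burst" alert when one source address fails to log in five times within ten minutes, and a "success_after_brute_force" alert if that source then logs in successfully. The threshold, window, host name and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real data); sources are RFC 5737 test addresses.
SAMPLE_LOG = """\
2015-03-06T08:01:02 srv1 sshd[1231]: Failed password for admin from 203.0.113.9 port 50122 ssh2
2015-03-06T08:01:05 srv1 sshd[1232]: Failed password for admin from 203.0.113.9 port 50123 ssh2
2015-03-06T08:01:09 srv1 sshd[1233]: Failed password for admin from 203.0.113.9 port 50124 ssh2
2015-03-06T08:01:12 srv1 sshd[1234]: Failed password for admin from 203.0.113.9 port 50125 ssh2
2015-03-06T08:01:15 srv1 sshd[1235]: Failed password for root from 203.0.113.9 port 50126 ssh2
2015-03-06T08:01:40 srv1 sshd[1240]: Accepted password for admin from 203.0.113.9 port 50130 ssh2
2015-03-06T08:05:00 srv1 sshd[1250]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2015-03-06T08:05:30 srv1 sshd[1251]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
2015-03-06T08:06:00 srv1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

# Rule parameters are assumptions for the example; tune them to the environment.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse(line):
    """Parse one sshd auth line into a dict, or None for lines the rule ignores."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Stateful correlation over a stream of events, tracked per source address:
    - 'brute_force_burst' when `threshold` failures land inside `window`
    - 'success_after_brute_force' when a login then succeeds from that source
    Alerts are returned as dicts so a caller can route them to a ticket or a SIEM."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append({"kind": "brute_force_burst", "src": ev["src"],
                               "host": ev["host"], "ts": ev["ts"], "failures": len(q)})
        else:  # Accepted
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_brute_force", "src": ev["src"],
                               "host": ev["host"], "ts": ev["ts"], "user": ev["user"],
                               "failures": len(q)})
            q.clear()  # a success ends the attempt sequence for this source
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['host']}: {a['kind']} from {a['src']} "
              f"({a['failures']} failures)")
```

Run on the sample it produces two alerts for 203.0.113.9 and none for 198.51.100.7, whose single failure followed by a success is ordinary user behaviour. The second alert is the one worth paging on: a burst of failures is noise on any Internet-facing host, a success after the burst is a compromised account.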
Password policy
• 10 characters or longer
– An 8-character password can be brute-forced in under 12 hours when the attacker has the password hashes and can attack a fast, unsalted hash with GPU hardware.
– A 10-character password of the same complexity takes years to centuries at the same guess rate; the exact number depends on the hash algorithm and the attacker's hardware, not on the password alone.
• No dictionary words in any language
• Use complexity rules, at least one from each group
– UPPER CASE
– lower case
– Num63r5
– $ym%o!s* _- ! @ # $ % & *
Advanced Password policy
• Character substitution (p@5$w0#d) – adds little on its own, since cracking tools apply the same leet-speak substitutions as rules; use it together with length, not instead of it
• Use a passphrase (e.g. @mBwu10cPW! = "at my business we use 10 character pass words")
• Use two-factor authentication when available
• Check password strength at Passfault (passfault.com) – test a similar password, never the real one
• Nothing will matter if you lose your plaintext password to a keylogger or phishing exploit
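The two password slides above give rules (length, no dictionary words, four character classes) and crack-time claims. The following is an added example, not code from this deck or from CIT, that checks a candidate password against those rules and then shows where the "12 hours" and "centuries" figures come from: keyspace divided by guess rate. The dictionary is a constructed stand-in, the symbol class is all printable ASCII punctuation, and the two guess rates are assumptions (roughly a single GPU against a fast unsalted hash, and a slow salted hash such as bcrypt).

```python
import re
import string

# Constructed stand-in for a dictionary/cracking wordlist (assumption: a real
# deployment would load a wordlist file instead).
DICTIONARY = ["password", "business", "summer", "welcome", "admin", "secret"]

# Character classes from the deck's complexity rule. The symbol class is all
# printable ASCII punctuation (32 chars), which is what a brute-forcer assumes.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 10


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def check_policy(pw):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = sorted(set(CLASSES) - classes_used(pw))
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    # Strip digits and symbols first so that 'Summer2015!' still trips on 'summer'
    letters = re.sub(r"[^a-z]", "", pw.lower())
    for word in DICTIONARY:
        if word in letters:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def keyspace(pw):
    """Size of the exhaustive search space for a password of this length drawn
    from the classes it uses (what a mask attack would have to cover)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def crack_time_seconds(pw, guesses_per_second):
    """Worst-case time to exhaust the keyspace at a given guess rate."""
    return keyspace(pw) / guesses_per_second


def human_time(seconds):
    """Format a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Guess rates are assumptions for illustration: ~1e11/s for a single GPU
    # against a fast unsalted hash, ~1e5/s for a slow salted hash such as bcrypt.
    for pw in ("Summer15", "Tr0ub4dor", "Summer2015!", "@mBwu10cPW!"):
        print(pw, check_policy(pw) or "policy OK")
        for rate in (1e11, 1e5):
            print(f"   at {rate:.0e} guesses/s: {human_time(crack_time_seconds(pw, rate))}")
```

Running it shows the point behind the caveat on the slide: an 8-character mixed-case alphanumeric password (62^8 guesses) falls in under an hour at 1e11 guesses per second, an 11-character four-class password (94^11) takes many years at that rate, and the same 8-character password survives for decades against a bcrypt hash at 1e5 guesses per second. Policy length matters, but so does how the server stores the password.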
Physical Security
• Server in locked server room or closet
• Beware unescorted visitors or vendors
• Mobile employees and laptop users should put the laptop in the trunk, not on the seat.
• Intellectual property often leaves the building on a flash
drive.
• Use data encryption to protect against loss or theft of
computers.
Email Security
• Never click on a link in an email; it's always safer to type the address in manually.
• Never open an email attachment until you confirm who
sent it and why they sent it.
• Use email encryption if your provider supports it.
Avoid Phishing Emails
• Fake but realistic looking emails
• Attachments, often in .zip format, install malware such as CryptoWall ransomware.
• Malicious links take you to fake websites.
• Trojan horse malware is downloaded.
• Personal information is surrendered via a web form.
How To Catch a Phish
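The email and phishing slides above list the tell-tales by hand: a link whose visible text and real destination disagree, links that lead away from the sender's own domain, and a .zip attachment. The following is an added example, not code from this deck or from CIT, that applies those three checks to a raw message with Python's standard library. Both messages are constructed for the example and use reserved example domains; the risky-extension list and the "last two labels" domain comparison are simplifying assumptions (real code would use the Public Suffix List).

```python
import email
import os
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the deck warns about (.zip) plus other executable-bearing formats.
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".jar", ".docm", ".xlsm"}

# Matches anchor text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)", re.IGNORECASE)

# Constructed sample messages (not real mail); all domains are reserved example names.
PHISH_EML = """\
From: "First Example Bank" <alerts@fe-bank-notice.example.net>
To: accounting@smallbiz.example
Subject: Urgent: late payment notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please review your account at
<a href="http://firstexamplebank.example.net.login-verify.example.org/">
https://www.firstexamplebank.example/</a> before the end of the day.</p>
--XYZ
Content-Type: application/zip; name="Invoice_2015.zip"
Content-Disposition: attachment; filename="Invoice_2015.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

CLEAN_EML = """\
From: "First Example Bank" <alerts@example.net>
To: accounting@smallbiz.example
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your statement is available. <a href="https://www.example.net/statements">View statement</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Host name of a URL, tolerating bare host names in anchor text."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host name. Assumption: a crude stand-in for the
    registrable domain; production code would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def phish_indicators(raw):
    """Return a list of indicator strings for a raw RFC 5322 message (empty = nothing flagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = registered_domain(sender.domain)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {filename}")
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            href_domain = registered_domain(host_of(href))
            if href_domain != sender_domain:
                findings.append(f"link leaves sender's domain: {href} (sender is {sender_domain})")
            if URL_LIKE.match(text) and registered_domain(host_of(text)) != href_domain:
                findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(name, phish_indicators(raw) or ["no indicators"])
```

On the phishing sample this reports all three indicators; on the clean statement notice it reports none, because the only link stays on the sender's own domain and its anchor text is a plain label rather than a URL. The lookalike host in the sample (the real bank's name as a subdomain of a different registered domain) is exactly the pattern the "type the address manually" rule on the email slide defeats.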
Web Security
• Use the most up-to-date web browser versions (the versions below were current when this talk was prepared; check for the latest release)
– Internet Explorer 11
– Firefox 26
– Chrome 31
– Safari 7
• Be wary of changes to your home page or search
provider
Banking
• Online banking – are you using all the security tools your bank provides?
– Two-factor authentication?
– Treasury management?
• Find out what security features are provided by your bank.
• Will your bank alert you if there are unusual transactions?
• Who's responsible for unauthorized transactions?
Zeus and Neverquest Bank Trojans
• Zeus – 2009
• Neverquest – 2013
• Dyre Wolf – 2015
– Automatically looks for vulnerable computers
– Works like a botnet
– Keylogger watches for banking activity
– Captures your banking logon credentials
– Allows remote attacker to transfer money from your bank account using your own computer.
– Also watches for logon info for other accounts.
Protect against Banking Trojans
• Use a bootable LiveCD
– OS and apps on a read-only CD cannot be modified by malware
– Linux based OS
• Use a dedicated computer system for all banking and financial transactions
– Linux is better than Windows
– Google Chromebook
Encryption
• Use encryption whenever possible
– VPN for mobile workers or traveling employees
– Full disk encryption for laptops
– Encryption for employee and client records, proprietary data
– Encrypted email solutions like Zix
Where Do I Begin?
CIT Cybersecurity Services
• Cybersecurity Awareness Training
• Security Audits
• Vulnerability Assessments
• Penetration Testing
• Computer Forensics
• Incident Response Management
More CIT Cybersecurity Services
• Zix secure email
• Data backup and recovery solutions
• Computer Use and Cybersecurity Policy development
• Business Continuity and Disaster Recovery
• Incident Response Planning
Thank You!
Any questions?
Thanks
• Please take a business card
• Contact me for a security review or on-site training for your employees.
– [email protected]
– 651 387-1668