CYBER SECURITY AND WAYS TO PROTECT YOUR BUSINESS

Ballantyne Chapter, Charlotte Chamber of Commerce

Presented by Christopher Hudel, CISSP®

Big Security For Small Business


AGENDA

Cyber Attackers: Who / What / How / Why

Attack Methods, Patterns, and Ways to Defend Your Business

• Email

• Web

• Poor Security Controls

What’s Next?

• The Internet of Things (IoT)

Thank-you for inviting me! Just a few notes:

- There are no specific product recommendations or endorsements; just examples

- Presented are only a few general best practices and are not exhaustive; your situation will be different


INFORMATION RISK LANDSCAPE: WORLD VIEW

Botnet: A network of computers that have been taken over by attackers and used as “robot” computers to do the attacker’s bidding.

DoS: A Denial of Service attack where attackers seek to make a website or transactional system unavailable.

DDoS: A Distributed Denial of Service attack involving many computers, often “botnets”.

Zero-Day: A previously unknown security defect that has no patch available.

Graphic Source: IBM X-Force ® Research and Development


ATTACK PATTERNS AND METHODS

Graphic Source: Verizon Business Data Breach Incident Report, 2014

Analysis of Data Breach / Security Incidents:

• 50 Organizations from Around the World covering 95 countries

• 63,000 Security Incidents


PATTERNS VARY BY INDUSTRY

Healthcare

Hospitality

Retail

Financial

Services

Graphic Source: Verizon Business Data Breach Incident Report, 2014


VARIOUS METHODS BUT COMMON THREADS

Email

Phishing

• Email that preys on human curiosity and emotion to gain access to your computer through the installation of malicious software (“malware”) or convincing a user to hand over usernames, passwords, or sensitive personal/financial information.

Fraud / Theft

• Email fraud that seeks to direct victims to perform financial transactions (payments, transfers, wires) moving money out of their company and into the criminals’ control.

Web

Web-Attacks

• Attackers on the Internet exploit weaknesses in a company’s website or infrastructure to make the business service unavailable or to get into the company’s internal systems and networks.

Watering Hole

• Similar to phishing emails, a “watering hole” is a legitimate site that has been infected with malware so that when users visit the website, they unknowingly risk computer infection.

(Poor) Security Controls

“Endpoint” Devices

• Systems, applications, and networks need to be fully patched and guarded against common security risks; otherwise it becomes almost trivial for attackers to take over a company network and systems.

Supplier Management

• As evidenced in the Target and Home Depot security breaches, attackers can still hack into a company by exploiting less-secure connections with suppliers.


EMAIL THREATS

Phishing

Phishing is often the first step attackers take to gain remote access to your systems. Phishing emails have four common traits:

• Prey on human emotion

• A “call to action” / urgency

• Mismatched email addresses

• Links or attachments that don’t (upon inspection) make sense.


Protection / Defense

• Educate everyone about the top four things to consider before opening an attachment or clicking on a link.

• Deleting the email is the best course of action

• Use a service that scans email for viruses, malware, phishing, and other ill intent.

  • Google For Work, Microsoft Exchange Online Protection, Antivirus-Mail Software, FireEye


EMAIL THREATS

Business Fraud

According to the FBI, Business E-mail Compromise is a serious threat in which an attacker dupes a company through faked or compromised corporate email accounts, leading to direct financial loss for companies. Since October, 2013:

• Total U.S. victims: 1198

• Total U.S. dollar loss: $180M

Graphic Source: PhishLabs


Protection / Defense

• Educate all employees who are authorized to perform wire and other “real money” transactions about these threats.

• Document and publish processes for initiating / changing transfer details for customers and within the company.

• Ask your Bank to set up “Multi Factor Authentication” so money transfers require an additional security step.


WEB THREATS

Web Attacks

Most web attacks exploit common programming mistakes that exist in many web sites. A “Top 10” list of these is kept, along with advice for web programmers on detecting and fixing these security bugs. Exploits of web application security bugs lead to:

• Download of entire databases

• Installation of software that allows remote access

Graphic Source: Open Web Application Security Project (OWASP)


Protection / Defense

• If you host a web site for your business, consider putting it behind a “Web Application Firewall”

  • CloudFlare, Akamai, Cisco, Juniper, Palo Alto Networks

• If you develop your own web applications, provide developers with training and perform your own web application testing / source code reviews

  • OWASP.org


WEB THREATS

Watering-Holes

Watering holes are like email phishing; both are a type of “social engineering”, luring you to click on a link or download a malicious attachment that you aren’t expecting. In this situation, attackers hack the popular sites you or your company visit.

• A very famous case of a watering hole attack involves a Chinese restaurant and menu!

Graphic Source: Security Affairs


Protection / Defense

• Use products / services that filter your internet use for malicious content

  • Zscaler, Websense, Bluecoat, FireEye, OpenDNS

• Use good “cyber security hygiene” (See later: Controls)


(POOR) SECURITY CONTROL THREATS

Systems & Networks

Patching

• “99.8% of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages”

AntiVirus / AntiMalware

• Software that protects your system from infection is the “flu shot” in the cyber world.

User / Administrator Permissions

• Users who are full administrators of their computer, and can install any software of their own choosing, can also have malware installed without their knowing!

Processes

• Remote Access

  • Employees who can access company systems remotely with only a username and password can find their stolen credentials misused by attackers for that same access.

• Default Passwords

  • If users do not change the default passwords that ship with many products, attackers can easily use these same passwords to gain administrative access over devices and systems.

• Supplier Management

  • If business partners do not also have strong security controls, they may be used as the “weakest link” into your company network and systems.


Protection / Defense

• Patch your operating system and applications.

• Install and keep current AntiVirus / AntiMalware software

  • Lists and reviews of software at http://www.av-test.org/

• Change default passwords; change passwords as often as appropriate

• Remove “local administrators” access by default for users

• Set up Multi-Factor Authentication

  • Google Authenticator, SafeNet, Entrust, YubiKey, Okta

• Review supplier and 3rd party access to your company networks


WHAT’S NEXT? – THE INTERNET OF THINGS

2008: The number of things connected to the internet equals the number of people

2020: There will be 50 Billion things connected to the internet

Things are computers, too!

Graphic Source: http://blog.smarticlelabs.com/internet-of-things-primer/


HACKING THE INTERNET OF THINGS


LESSONS FROM HACKED WEBCAMERAS

For Personal Users

• Cover up your camera

• Do not connect the camera to your network (if you don’t need to)

• Patch your camera!

• Change your default passwords

• Create new usernames

• Use “non-standard” ports

For Your Business

• Perform security testing, review of your products and offerings

• Do not ship products with default admin passwords

• Do not put passwords in the User’s Manual

• Force password change during product installation

• Charge more $$ for secure design and implementation of your products.


DEFENSE IN REVIEW - EMAIL

Email Threats

• Educate everyone about the top four things to consider before opening an attachment or clicking on a link.

• Deleting the email is the best course of action

• Use a service that scans email for viruses, malware, phishing, and other ill intent.

  • Google For Work, Microsoft Exchange Online Protection, Antivirus-Mail Software, FireEye

• Educate all employees who are authorized to perform wire and other “real money” transactions about these threats.

• Document and publish processes for initiating / changing transfer details for customers and within the company.

• Ask your Bank to set up “Multi Factor Authentication” so money transfers require an additional security step.


DEFENSE IN REVIEW - WEB

Web-Based Threats

• If you host a web site for your business, consider putting it behind a “Web Application Firewall”

  • CloudFlare, Akamai, Cisco, Juniper, Palo Alto Networks

• If you develop your own web applications, provide developers with training and perform your own web application testing / source code reviews

  • OWASP.org

• Use products / services that filter your internet use for malicious content

  • Zscaler, Websense, Bluecoat, FireEye, OpenDNS

• Use good “cyber security hygiene”


DEFENSE IN REVIEW – SECURITY CONTROLS

Security Control Threats

• Patch your operating system and applications.

  • Test your browser and operating system at http://browsercheck.qualys.com/

• Install and keep current AntiVirus / AntiMalware software

  • Lists and reviews of software at http://www.av-test.org/

• Change Default Passwords / Change Passwords as often as necessary

• Remove “local administrators” access by default for users

• Set up Multi-Factor Authentication

  • Google Authenticator, SafeNet, Entrust, YubiKey, Okta

• Review supplier and 3rd party access to your company networks


THANK-YOU!

Christopher Hudel

https://www.linkedin.com/in/chudel