Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses



SLIDE 1

SLIDE 2

SLIDE 3

Am I Too Small To Be A Target?

Cybersecurity Issues for Small Businesses

SLIDE 4

A Special Presentation For <Name>

  • Date
  • Location
  • Special thanks to
SLIDE 5

Your Speaker – Bob Weiss MCSE, A+, CEH

  • Senior Cybersecurity Engineer at CIT
  • Certified Ethical Hacker – 2013
  • Cybersecurity Blogger @ wyzguyscybersecurity.com and cit-net.com/tech-talk/

SLIDE 6

CIT Cybersecurity Services

  • Cybersecurity Awareness Training
  • Security Audits
  • Vulnerability Assessments
  • Penetration Testing
  • Computer Forensics
  • Incident Response
SLIDE 7

Agenda

  • Typical Exploits
  • Cost of Cybercrime
  • Examples of SMB Crimes
  • Legal Issues
  • Compliance Issues
    – PCI/DSS
    – HIPAA
    – GLBA
  • Cybersecurity Preparedness
  • Incident Response Plan
  • Training
  • Passwords
  • Email
  • Banking
  • Encryption

SLIDE 8

What’s happening out there?

SLIDE 9

Plan for the attack

  • You will be hacked (if you haven’t been already)
  • You may not know when it happens.
  • You may be informed by your customer, credit card processor or government regulator.
  • You may be fined
  • You may be sued
  • You may end up in the news
SLIDE 10

Typical Exploits

  • Phishing for user passwords or remote access
  • Hijacking a computer to use in a bot-net
  • Spamming to sell illegal or fraudulent products
  • Stealing intellectual property
  • Thefts from online bank and financial accounts
SLIDE 11

Typical Exploits

  • Distribution of malware to other computers
  • Posting confidential information on the Internet
  • Holding critical information for ransom
  • Attacking critical network infrastructure to disrupt operations
SLIDE 12

Typical Exploits

  • Theft of data – all data has value!
    – User credentials
    – Employee data
    – Customer data
    – Patient data
    – Financial data
    – Proprietary information

SLIDE 13

Other Cyber Security Issues

  • Politically Motivated Attacks and Hacktivism
    – Anonymous, LulzSec
  • Cyber-Warfare
    – Stuxnet and Flame
    – Ukrainian electric utilities
  • Government Sponsored Cyber Spying
    – NSA
    – China

SLIDE 14

Top Two Attack Vectors

  • Email
    – Clickable links and attachments
    – Phishing and spear-phishing
  • Web Sites
    – Malware distributed by compromised legitimate sites
    – Spoofed or cloned sites
    – Search redirection malware

SLIDE 15

Cost of Cyber-crime

  • Average annual loss per employee - $1500
  • In 2015, $400 billion in losses worldwide
  • 96% of small businesses unprepared for cyber attack (Ernst and Young 2013 Survey)

SLIDE 16

Small Business Targets

SLIDE 17

Small Businesses in the crosshairs

  • SMBs are targeted by cyber-criminals
  • More money in the bank than individuals
  • Less security than larger enterprise businesses
  • Employees have little or no training about cyber security
  • Easy to exploit
SLIDE 18

NC Fuel Company Loses $800 K

  • 15 employee fuel distribution company
  • Monthly payroll of $60,000
  • Thieves gained access to the bank account using a compromised password
  • Bank had recently made changes to its security process to make online banking “easier.”
  • Insurance only covered a portion of the loss.
SLIDE 19

CA Escrow Company loses $1.5 M

  • 9 person company
  • 3 electronic transfers of about $500k each
  • One in Dec 2012 and two in Jan 2013
  • Bank provided two factor authentication, but it wasn’t working at the time.
  • Although this company had never transferred funds overseas, the bank did not question large transfers – even after the first was reported!
  • Company in receivership.
SLIDE 20

Construction Company Loses $500K

  • $447,000 was stolen from Ferma, a California construction company.
  • A banking Trojan such as Zeus was downloaded from a web site.
  • A Ferma employee logged into the bank's on-line financial web portal.
  • After authentication was confirmed, the employee began making legitimate payments.
  • At the same time, the Zeus Trojan made 27 fund transfers totaling $447,000 to various bank accounts. Because those transfers rode on the employee’s already authenticated session, the bank saw them as legitimate requests.

SLIDE 21

HVAC Vendor Opens Door For Target Xmas Attack

  • Fazio Mechanical, a small HVAC contractor to Target
  • Phishing email installed password stealing malware
  • Target network credentials stolen
  • Over 17 days between Thanksgiving and Dec 15, cyber-thieves accessed Target’s POS system and collected credit card transaction information on 40 million customers.

SLIDE 22

Slovenian Gang Targets Small Business

  • Spoofed email sent looking like it came from a bank or a tax authority warning of late payment.
  • Clicking on the link in the email installed a remote access Trojan horse program.
  • Thieves watched the computer for online banking activity.
  • Withdrawals timed to occur on Friday or before a holiday.
  • Group netted $2.5 million.
SLIDE 23

Regulatory Compliance and Legal Issues

SLIDE 24

Legal Issues

  • Regulatory fines
  • Civil suits
  • Cyber insurance may not cover “willful negligence”
  • Cybersecurity or computer use policy
  • Incident Response Plan
SLIDE 25

PCI/DSS

  • Payment Card Industry Data Security Standard v3.1
    – Build and maintain a secure network
    – Protect cardholder data
    – Maintain a vulnerability management program
    – Implement strong access control measures
    – Regularly monitor and test networks
    – Maintain an information security policy

SLIDE 26

PCI/DSS Penalties

  • Non-compliant companies can be fined $5000 to $100,000 per month

  • $50-$90 per cardholder record compromised
  • Brand and reputation damage
  • Civil litigation
SLIDE 27

HIPAA

  • Health Insurance Portability and Accountability Act
  • Regulates patient information
    – Access – who can read it
    – Transmission – how data is transferred from location to location
    – Storage – how and where data is stored
  • Business Associate
    – CIT employees need to be trained and certified if they have contact with patient information

SLIDE 28

HIPAA Violation Penalties

(annual maximums apply to violations of an identical provision within one calendar year)

  • Accidental - $100 per violation
    – annual max $25,000
  • For cause - $1000 per violation
    – annual max $100,000
  • Willful neglect - $10,000 per violation
    – annual max $250,000
  • Uncorrected willful neglect - $50,000 per violation
    – annual max $1.5 million

SLIDE 29

GLBA

  • Gramm-Leach-Bliley Act
  • Financial Privacy Rule
    – Consumers need to be informed how their information is used and may opt out of information sharing
  • Safeguards Rule
    – Consumer information security plan and implementation
  • Pretexting Provisions
    – Systems and training to defeat social engineering

SLIDE 30

GLBA Penalties

  • The penalties for violating the GLBA are quite severe:
    – A financial institution can be fined up to $100,000 for each violation
    – The officers and directors can be fined up to $10,000 for each violation
    – Criminal penalties include imprisonment for up to 5 years, a fine, or both
    – If the GLBA is violated at the same time that another federal law is violated, or if the GLBA is violated as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period, the violator's fine will be doubled and he or she will be imprisoned for up to 10 years

SLIDE 31

Policy Considerations

SLIDE 32

Cybersecurity Preparedness

  • Patch
  • Backup
  • Keep antimalware software updated
  • Enforce good password policy
  • Use two factor authentication when possible
  • Create alertness through training and events
SLIDE 33

Incident Response Plan – Before the Breach

  • Plan to be attacked
  • Know who is in charge
  • Have a cybersecurity expert on retainer
  • Review insurance coverage
  • Review legal requirements and exposure
  • Plan for a media response
SLIDE 34

Incident Response Plan – After the Breach

  • Find out what happened – review your logs
  • Remove affected devices from the network
  • Save affected devices for forensics – do not wipe drives!
  • Report to the police and the Internet Crime Complaint Center (IC3)

  • Responding to media – be brief but truthful
SLIDE 35

Creating a More Secure Environment

SLIDE 36

Train Your Staff

  • Train your employees in the fundamentals of cybersecurity.
  • Create a data practices policy for your employees.
  • Even the most sophisticated security defenses cannot prevent a malware breach that is permitted when an employee clicks on a malicious link in an email.

SLIDE 37

The Basics

  • Internet security software on every computer
  • Hardware firewall – blocks attacks from outside
  • Intrusion Detection System (IDS) – detects attack traffic both outside and inside the network
  • Security information and event management (SIEM) – provides real-time analysis of security alerts generated by network hardware and applications

SLIDE 38

Password policy

  • 10 characters or longer
    – 8 character passwords can be cracked in under 12 hours; 10 character passwords take several centuries. Those figures assume one particular guess rate against one hash type, so treat them as illustrative. What does not change is that each added character multiplies the search space by the size of the character set (95 for printable ASCII), so a 10 character password costs roughly 9,000 times more to brute-force than an 8 character one.
  • No dictionary words in any language
  • Use complexity rules, at least one from each group
    – UPPER CASE
    – lower case
    – Num63r5
    – $ym%o!s* _- ! @ # $ % & *

SLIDE 39

Advanced Password policy

  • Character substitution (p@5$w0#d). Note that cracking tools apply these same substitutions as rules to every dictionary word, so substitution on its own adds little; combine it with length.
  • Use a passphrase (e.g. @mBwu10cPW! = “at my business we use 10 character pass words”)
  • Use two-factor authentication when available
  • Check password strength at Passfault (passfault.com)
  • Nothing will matter if you lose your plain text password to a keylogger or phishing exploit
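The two password slides above give time-to-crack figures without saying what guessing rate or hash they assume. The following Python script is an added example, not part of the deck, that makes those assumptions explicit: it computes the search space for each length over the 95 printable ASCII characters and the worst-case time at three assumed guess rates (the rates and the small wordlist are constructed for illustration; real rates depend on the hash algorithm and the attacker's hardware), and it shows why substitution alone is weak by checking whether the deck's own example p@5$w0#d is a substitution of a dictionary word. The substitution table, including '#' for 'r', is an assumption modelled on the rule files shipped with password-cracking tools.

```python
import math

PRINTABLE = 95  # printable ASCII: 26 upper + 26 lower + 10 digits + 33 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates in guesses per second, constructed for illustration.
# Real figures depend on the hash algorithm and the attacker's hardware.
GUESS_RATES = {
    "online login, rate limited": 1e1,
    "offline, slow hash (bcrypt)": 1e5,
    "offline, fast hash (NTLM/MD5), GPU rig": 1e11,
}

# Substitutions a rule-based cracker tries on every dictionary word.  This table
# is an assumption modelled on the 'leet' rules shipped with cracking tools;
# '#' for 'r' is included because the deck's example p@5$w0#d uses it.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "5$", "r": "#"}


def keyspace(length, alphabet=PRINTABLE):
    """Number of candidates an exhaustive search must try for this length."""
    return alphabet ** length


def worst_case_seconds(length, rate, alphabet=PRINTABLE):
    """Time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate


def relative_cost(longer, shorter, alphabet=PRINTABLE):
    """How many times larger the search space is for `longer` than `shorter`."""
    return alphabet ** (longer - shorter)


def bits_of_entropy(length, alphabet=PRINTABLE):
    """Entropy of a uniformly random password of this length, in bits."""
    return length * math.log2(alphabet)


def is_leet_variant(candidate, word):
    """True if `candidate` is `word` with zero or more LEET substitutions."""
    if len(candidate) != len(word):
        return False
    for c, w in zip(candidate.lower(), word.lower()):
        if c != w and c not in LEET.get(w, ""):
            return False
    return True


def matches_dictionary(candidate, wordlist):
    """Return the dictionary word `candidate` is a substitution of, or None."""
    for word in wordlist:
        if is_leet_variant(candidate, word):
            return word
    return None


SAMPLE_WORDS = ["welcome", "password", "business", "letmein"]  # constructed wordlist

if __name__ == "__main__":
    for label, rate in GUESS_RATES.items():
        for n in (8, 10, 12):
            years = worst_case_seconds(n, rate) / SECONDS_PER_YEAR
            print(f"{label:40s} {n:2d} chars: {years:10.3g} years worst case")
    print("10 vs 8 characters:", relative_cost(10, 8), "times more work")
    # The deck's 'advanced' example is still a dictionary word to a cracker:
    print("p@5$w0#d ->", matches_dictionary("p@5$w0#d", SAMPLE_WORDS))
```

Running it prints the worst-case years for each length and rate; the spread between the online and the fast-hash rows is ten orders of magnitude, which is why the slide's absolute figures only make sense with a stated rate, while the 95² ≈ 9,000× gap between 8 and 10 characters holds at any rate.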

SLIDE 40

SLIDE 41

Physical Security

  • Server in locked server room or closet
  • Beware unescorted visitors or vendors
  • Mobile employees and laptop users should put the laptop in the trunk, not on the seat.
  • Intellectual property often leaves the building on a flash drive.
  • Use data encryption to protect against loss or theft of computers.

SLIDE 42

Email Security

  • Never click on a link in an email; it's always safer to type in the address manually.
  • Never open an email attachment until you confirm who sent it and why they sent it.
  • Use email encryption if your provider supports it.
SLIDE 43

Avoid Phishing Emails

  • Fake but realistic looking emails
  • Attachments, often in .zip format, will install exploit code, such as CryptoWall ransomware.

  • Malicious links take you to fake websites.
  • Trojan horse malware is downloaded.
  • Personal information is surrendered via a web form.
SLIDE 44

How To Catch a Phish
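Slides 43 and 44 list the tells of a phishing message, but the deck shows them only as an image. The following Python script is an added example, not part of the deck: it parses a constructed sample message (invented headers and body, not a real phish; the domains use the reserved .example TLD and a documentation IP range) with the standard library and reports the indicators the slides describe: a link whose visible text names the bank while the href goes elsewhere, a link to a bare IP address, a .zip attachment, and a Reply-To domain that differs from the From domain. The list of risky extensions and the indicator names are assumptions of this example; a real mail filter would also use SPF/DKIM results, which this example omits.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types that commonly carry droppers; this list is an assumption
# of the example, not a standard.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".jar", ".docm", ".xlsm")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_ip_host(host):
    """True if the URL host is a bare IPv4/IPv6 literal instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Flag links whose visible text names one host but whose href goes to another."""
    findings = []
    for href, text in LINK_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()
        if is_ip_host(href_host):
            findings.append(("ip-link", href))
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            text_host = (urlparse(shown).hostname or "").lower()
            if text_host and text_host != href_host:
                findings.append(("link-mismatch", f"shown {text_host}, goes to {href_host}"))
    return findings


def check_message(raw):
    """Return a list of (indicator, detail) pairs for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(("reply-to-mismatch", f"From {sender}, replies go to {reply_to}"))
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", filename))
        if part.get_content_type() == "text/html":
            findings.extend(check_links(part.get_content()))
    return findings


# Constructed sample phish: every header, address and host below is invented.
PHISH_MESSAGE = """\
From: "Your Bank" <alerts@your-bank-secure-login.example>
Reply-To: collections@mail.example
To: owner@smallbiz.example
Subject: Late payment notice - action required
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>Your payment is overdue. Review the notice at
<a href="http://198.51.100.7/login">https://www.your-bank.example/notices</a></p>
--B
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--B--
"""

# Constructed benign message for comparison.
CLEAN_MESSAGE = """\
From: "Accounts" <accounts@supplier.example>
To: owner@smallbiz.example
Subject: Invoice 1042
Content-Type: text/plain

Invoice 1042 is available on the portal; no action is needed today.
"""

if __name__ == "__main__":
    for indicator, detail in check_message(PHISH_MESSAGE):
        print(f"{indicator:18s} {detail}")
    print("clean message findings:", check_message(CLEAN_MESSAGE))
```

The link check is the one users can do by hand (hover over the link and compare the address shown with the address in the status bar); the other three checks are only practical in a script or mail filter, which is why the deck's advice to type the address manually still stands.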

SLIDE 45

SLIDE 46

Web Security

  • Use the most up to date web browser versions (the versions listed were current when this deck was written; check for the latest release)
    – Internet Explorer 11
    – Firefox 26
    – Chrome 31
    – Safari 7
  • Be wary of changes to your home page or search provider

SLIDE 47

Banking

  • On-line banking – are you using all the security tools your bank provides?
    – Two factor authentication?
    – Treasury management?
  • Find out what security features are provided by your bank.
  • Will your bank alert you if there are unusual transactions?
  • Who's responsible for unauthorized transactions?
SLIDE 48

Zeus and Neverquest Bank Trojans

  • Zeus – 2009
  • Neverquest – 2013
  • Dyre Wolf - 2015
    – Multiple installation avenues
    – Automatically looks for vulnerable computers
    – Works like a botnet
    – Keylogger watches for banking activity
    – Captures your banking logon credentials
    – Allows a remote attacker to transfer money from your bank account using your own computer.
    – Also watches for logon info for other accounts.

SLIDE 49

Protect against Banking Trojans

  • Use a bootable LiveCD
    – OS and apps on a CD cannot be changed
    – Linux based OS
  • Use a dedicated computer system for all banking and financial transactions
    – Linux is better than Windows
    – Google Chromebook

SLIDE 50

Encryption

  • Use encryption whenever possible
    – HTTPS websites
    – VPN for mobile workers or traveling employees
    – Full disk encryption for laptops
    – Encryption for employee and client records, proprietary data
    – Encrypted email solutions like Zix

SLIDE 51

Where Do I Begin?

SLIDE 52

CIT Cybersecurity Services

  • Cybersecurity Awareness Training
  • Security Audits
  • Vulnerability Assessments
  • Penetration Testing
  • Computer Forensics
  • Incident Response Management
SLIDE 53

More CIT Cybersecurity Services

  • Zix secure email
  • Data backup and recovery solutions
  • Computer Use and Cybersecurity Policy development
  • Business Continuity and Disaster Recovery
  • Incident Response Planning
SLIDE 54

Thank You!

Any questions?

SLIDE 55

Thanks

  • Please take a business card
  • Contact me for a security review or on-site training for your employees.
    – bob.weiss@cit-net.com
    – 651 387-1668