cyber security and
play

CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 - PowerPoint PPT Presentation

Mar 10, 2023 •701 likes •884 views

CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020 HOW OUR WAYS OF WORKING HAVE CHANGED Social distancing means working from home is the norm Substantially more reliant on IT to engage internally and externally,

  1. CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020

  2. HOW OUR WAYS OF WORKING HAVE CHANGED • Social distancing means working from home is the norm • Substantially more reliant on IT to engage internally and externally, and to keep the business going! • Now ~100% reliant on the connectivity (and security!) the internet provides • New technologies for many – Zoom, Skype, Teams, SharePoint, OneDrive, Hangouts, etc • Employee’s focus shared between work and home life – home-schooling, looking after home-bound dependents, volunteering • Blurring the lines between work and home – employees may no be as alert as usual

  3. INCREASED EXPOSURE TO THE RISK OF CYBER ATTACKS • Even before COVID-19, cyber crime was a growing issue. • Working outside of the organisation’s ‘protective bubble’ increases exposure • Just in the last month and a bit: • Dominic Raab warns of targeted cyber attack campaigns and COVID-19 related scams and phishing e-mails • The UK National Cyber Security blocked nearly 1900 attacks on education organisations in May 2020 • A notable rise in cyber attacks on charities – cyber attackers don’t care who they hit • Phishing e-mails remain at number 1 as the most common attack, and remains a cheap, effective and automated means for cyber criminals to exploit the unwary • Compromised user account details a close second, often causing more harm • Data theft, impersonation, fraud

  4. CASE STUDY – PHISHING/MALWARE

  5. CASE STUDY – CHARITY MALWARE ATTACK • 10-person organisation • Received complaints of phishing e-mails from trustees and beneficiaries • Phishing e-mails were sent in two tranches – on Wednesday and Friday of the same week • Each e-mail included content from prior e-mail correspondence! • E-mail linked to a malicious download on a compromised web site • Suspected that a key shared e-mail account was hacked – ~3GB/1000s of e-mails in the mailbox • Had to notify the ICO of a potential personal data breach, as mailbox contained benefit application forms • Called us in to perform the investigation – what happened and is it over?

  6. CASE STUDY – WHAT WE FOUND • Based on attack characteristics, an Emotet or Qbot malware infection was suspected. • However: • Critical audit logs not turned on or only retained for a short period of time, so difficult to ascertain when the breach occurred, the extent of the breach or the methods used • Office 365 – logs were turned off • Windows Server – only 100MB of logs retained = < 1 day • Exchange mailboxes – retained for 30 days only, limited activities audited • Anti-malware software – no centralised server for alerts/reporting • Staff were working from home – could not identify which staff member’s devices were the source of the breach, could not quarantine devices for inspection • BYOD in use… secure, patched? How do they even check this? • Lots of moving parts to investigate – complexity exacerbated by lockdown • In the end, client lost confidence in IT infrastructure integrity and initiated rebuild from scratch.

  7. EMOTET – THE WORST OF A BAD BUNCH • If it manages to run, it contacts a command and control (C2) server • It downloads >80 other pieces of malware to the machine – from banking trojans to password stealers to ransomware • It scours the local network to find vulnerable service to enable self-perpetuation to other machines (similar to Wannacry) • It copies data from the user’s browser ‘saved passwords’ and sends it to the C2 server • It accesses e-mails stored locally, and sends this back to the C2 servers for use in phishing campaigns, etc. • It copies any other useful data held in the victim’s machine • It sends phishing e-mails pretending to be the user to every contact – includes link to malware so it can propagate.

  8. WHAT WE LEARNED • There was no indication of the initial compromise – complaints were only received after the malware tried to propagate via e-mail • There were no indicators to tell how many users were compromised, or how many if the company’s systems or data have been infected, or how much data was accessed or stolen • No consideration for forensic readiness, so limited in terms of evidence • There was no real plan for what to do in the event of a major incident such as this – it’s the first time its ever happened to them • 100s of access attempts to the company’s remote desktop server were coming in from all over the world, including the US, Russia and China – some of the information leaked must have been useful or enticing to cyber criminals • Key assumption was that the IT Service Provider set up IT infrastructure to be as secure as possible – this was incorrect.

  9. CASE STUDY – PHISHING/MALWARE

  10. CASE STUDY – BUSINESS E-MAIL COMPROMISE • UK Charity – ~70 users • Legitimate e-mail request sent to a third party, authorising the transfer of a £150,000 grant to a new start-up business – with Docu-signed PDF attachment • Follow-up e-mail received from the same person at the charity, 24 hours later • E-mail contained altered copy of PDF attachment, reflecting a different business’s bank account details, but without the Docu-sign seal. • The recipient became suspicious, and queried it with another worker at the charity who raised the alarm internally. • No payment was made, but it was close. • Got us involved to investigate, but 1 week after the event…

  11. HOW DID THIS HAPPEN? • The attackers logged into the person’s office 365 account with his credentials (!!) – no failed login attempts! • The person was based in Madrid, the attackers appeared to be in London on a mobile network, and in the US on a rented server • The attackers only logged in four times: • the evening after the original e-mail was sent, to verify the credentials and possibly locating the original e-mail • the morning of the attack, to set up rules to automatically delete the e-mails once it was send • Sent items, recycle bin and deleted items • Just after noon time, to send the e-mail. The rules automatically destroyed the e-mails. • Ten minutes later to check that no responses were received and that the rules worked. • At this point, the alert was raised and the user’s password changed. • The attackers tried to log in one more time and failed – they knew the game was up. No further attempted logins.

  12. WHAT WE FOUND • The user’s Windows username and password was stolen, possibly through a phishing e - mail • The attackers were organised, and had a valid money-mule bank account ready • They were experts in their craft – worked quickly and removed all the traces they could. But audit log files told the full story • But we were lucky this time – log files were set up to roll over every 7 days. If they contacted us a day later, we would not have had any evidence • There was no consideration for forensic readiness – logs were available through happenstance, rather than design • The charity did not multi-factor authentication enabled on Office 365 – this could have prevented the user’s account from being abused • Limited cyber security awareness amongst charity staff, which we suspect may have led to the compromised user account • Cyber security is not just an IT problem!!!

  13. CYBER SECURITY AND REMOTE WORKING

  14. HOW TO SECURE YOUR (NOW) MOBILE WORKFORCE • Foster continuous Cyber Security awareness, don’t become complacent • Make sure you continue to do the basics to keep technology secure • Use multi-factor authentication for remote or cloud service access • Apply good practice security configuration baselines to your systems, both on premise and in the Cloud • Make sure your IT team applies security patches to your systems in a timely manner • Use enterprise-class anti-malware products, don’t skimp on protection • Pay attention to the security of the services you publish on the internet, specifically remote access facilities • Make sure an appropriate level of audit logging occurs on your key systems and that logs are retained for at least 90 days • Audit logs are periodically checked or continuously monitored for suspicious activities • If you have an IT Service Provider, make sure the contract includes applying security best practice to the systems they manage • Be prepared for a security incident – set up a response team, define response plans and practice

  15. KEY STRATEGIC ACTIONS TO CONSIDER • Obtain Cyber Essentials certification, which includes free Cyber Insurance*, to demonstrate you maintain a basic level of cyber security hygiene within your organisation • Review your organisation’s presence on the internet and determine your Digital Cyber Risk profile • Commission professional network penetration testing to gain confidence in the effectiveness of your perimeter defences • Perform a “Work at Home” assessment to highlight remote working cyber security risks • Check your compliance with GDPR, especially is staff are processing personal data from their home offices • Ask for help – schedule a session with our experts to talk through your cyber security concerns https://calendly.com/sasha-lawrence/15min *For UK-based SMEs with less than £20m turnover

  16. QUESTIONS?

  17. CS Risk Management Unit 4 Brooklands Farm Bottle Lane Binfield RG42 5QX +44 (0)203 981 6555 enquiries@csriskmanagement.co.uk www.csriskmanagement.co.uk

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three points of failure in any secure network: Technology (hardware and software) Technology Support (ITS) End Users (USD students and employees)

359 views • 23 slides
CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY HAPPEN London June 2019 INTRODUCTION Cyber Security The activity or process, ability or capability, or state whereby information and

735 views • 24 slides
ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* * Preliminary programme, subject to revision/update status 16 December 2014 4 February 2015 Day 1: Cyber Security Readiness Registration KU

306 views • 4 slides
Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

16 Oct 2012 Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford Willke Cyber Security Advisor, MidAtlantic Region National Cyber Security Division (NCSD) Office of Cybersecurity and Communications

443 views • 20 slides
Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs ! 3 properties ... Confidentiality (including personal data) Integrity Availability 2 -Sminaire LIRIMA: Cyber security: current

876 views • 64 slides
2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor,

2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor,

2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor, Region VII Office of Cybersecurity and Communications (CS&amp;C) National Protection and Programs Directorate (NPPD) FOUO / UNCLASS Cyber Security

333 views • 12 slides
CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

Eric Weston Wally Magda, CISSP, PSP, CISA Compliance Auditor, Cyber Compliance Auditor, Cyber Security Security CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September 24-25, 2013 Salt Lake City, UT No

2.02k views • 198 slides
CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview 1. What is at risk? 2. Global industry trends 3. BDO/AusCERT survey 4. Recent cyber case studies 5. Cyber risk mitigation strategies Page

481 views • 35 slides
Healthy Approach to Cyber Security : For data-intensive healthcare, cyber security is integral to

Healthy Approach to Cyber Security : For data-intensive healthcare, cyber security is integral to

1 Healthy Approach to Cyber Security : For data-intensive healthcare, cyber security is integral to innovation Sallie Sweeney KPMG The healthcare industrys evolution toward a true value based system, assuming responsibility for complex

797 views • 10 slides
Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence

Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence

Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence Service 05-10-2015 05-10-2015 Who are we? Centre for Cyber Security In respect of the Rule of Law and Privacy Cyber is a priority (Gov.

455 views • 18 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line

Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line

Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line DeepSec 2014, Vienna, 21 November 2014 NATO UNCLASSIFIED Cyber Security In NATO NATO in a nutshell: Collective defence Interoperable

666 views • 42 slides
Cyber security Tiered approach to cyber security preparedness in water National Sector

Cyber security Tiered approach to cyber security preparedness in water National Sector

Cyber security Tiered approach to cyber security preparedness in water National Sector What I am Company utilities in the UK going to Water UK good practice cover NIS Directive Dr Jim Marshall, Senior Policy Advisor,

231 views • 4 slides
r t r

r t r

r t r sts trs tt tt

994 views • 9 slides
Managing Functions in Couchbase Kishan Iyer LOONYCORN www.loonycorn.com Overview Redacting

Managing Functions in Couchbase Kishan Iyer LOONYCORN www.loonycorn.com Overview Redacting

Managing Functions in Couchbase Kishan Iyer LOONYCORN www.loonycorn.com Overview Redacting sensitive information from logs Function statistics from the Eventing Service Statistics graphs for functions Auditing in Couchbase Couchbase

1.85k views • 24 slides
Systemic Issues in the Hart InterCivic and Premier Voting Systems: Reflections Following Project

Systemic Issues in the Hart InterCivic and Premier Voting Systems: Reflections Following Project

Systemic Issues in the Hart InterCivic and Premier Voting Systems: Reflections Following Project EVEREST K. Butler, W. Enck, H. Hursti, S. McLaughlin, P. Traynor, P. McDaniel USENIX EVT 2008 Presented by Siddharth Murali Introduction

468 views • 14 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

693 views • 45 slides
Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

CSE/ISE 311: Systems Administra5on Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems Administra5on Outline Introduc$on Finding log files Syslog:

547 views • 21 slides
A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company mark_crosbie@hp.com Benjamin A. Kuperman CERIAS, Purdue University kuperman@cerias.purdue.edu http://www.hp.com/products/security/ids/ RAID 2001

485 views • 14 slides
Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John

Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John

Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John Steve Gribble Yoshi Kohno Hank Levy University of Washington The Move to Small, Powerful, Mobile Devices Small, powerful mobile devices are

363 views • 25 slides
We have to t st t rt tt

We have to t st t rt tt

We have to t st t rt tt r so that we can catch terrorists, drug dealers, pedophiles, and organized criminals. Some of this data is sent

906 views • 48 slides

More recommend