SLIDE 1

Cybersecurity, Phishing, and MFA for VPN

Irwin Gaines, Report to UEC, Dec 7 2018

SLIDE 2

“Rebranding” of former computer security team

We are now the Cybersecurity team

All communication to cybersecurity@fnal.gov (including incident reports, phishing reports or questions, other cybersecurity questions, etc.); new web page at http://securityawareness.fnal.gov

Emphasis on partnership between cybersecurity team, management, and employees

1/14/2019 Phishing Report - Irwin Gaines 2

SLIDE 3

(image only)

SLIDE 4

Outline

  • Cybersecurity is everyone’s responsibility
  • Phishing: forged email trying to induce the recipient to click on a link which will either download malicious software to their computer (or mobile device) or take the user to a seemingly legitimate website to “phish” for user credentials or other personal information
    – Why phishing exercises
    – What were the exercises
    – Results of the exercises
    – Consequences: moving forward (Proofpoint)
  • MFA and VPN
    – MFA already in use at Fermi, but primarily for privileged access to enterprise systems and any access to business and HR systems; scientists and user community not impacted
    – New threats require additional use, in particular for VPN, which will impact scientists and users

SLIDE 5

Why phishing exercises

  • Statistically, phishing remains one of the primary means to compromise an individual or company
    – According to a study done by Google, phishing poses the biggest threat to your online security [1]
    – 91% of cyber attacks (from 2015 to 2016) start with a phishing email [2]
    – Notable compromises have been accomplished via phishing; a handful of examples include PNNL/ORNL [3], Sony [4], and DNC [5]
    – Phishing combined with password reuse leads to further possible compromises via credential stuffing (a password phished for one site is tried against every other site the user has an account on)
  • Fermilab has implemented anti-phishing training and incorporated phishing assessment as part of its security awareness training
    – Previously there was no means to actually test the effectiveness of this training

SLIDE 6

Why phishing exercises (2)

  • We have not done phishing exercises in the past, partly because of my (now proved to be mistaken) belief that our employees and users would not click on malicious links in email
  • But with the increasing prevalence of phishing and with the frequent breaches of government systems because of responses to phishing, the government and DOE are requiring such exercises
  • Seeing the handwriting on the wall, we began regular exercises last summer (shortly before we were told to do them)

SLIDE 7

Initial Flood of Phishing Reports

  • On Tuesday, June 26, 2018 (starting at 8:50am), a flood of reports (over 40) came into Fermi’s Incident Response (FIR) Team
  • Link was blocked within five minutes by FIR
  • Looking into the email, it appeared that the sender’s account was compromised

1/14/2019 Art Lee | User Compromise Involving Lab Director Phishing Emails 7

SLIDE 8

Phishing exercise details

  • A number of different campaigns have been run. These were all based on real-world scenarios and had different goals to assess awareness with Fermi users (those with mailboxes). All had a variety of clues indicating they were not legitimate
  • July 2017
    – The first campaign was a package delivery phish which simulated a UPS delivery notification; its intent was to look slightly “genuine”
    – The second campaign was a password reset phish which was based on a real password reset email; its intent was to see the response rate for garden-variety phishing
  • Aug 2017
    – The first campaign was a password reset phish modeled after a real email reported to CST last month
      • This included a link to a website (hosted by the testing provider) that simulated a web-based password reset form
    – The second campaign was a scam phish requesting a user to send money as an investment to receive more money
      • This was based on real (and frequent) scam emails; however, it was modified for context

SLIDE 9

Phishing exercise details (2)

  • Sep 2017
    – The first campaign was a Facebook deactivation confirmation phish
      • This was based on real phishing emails not generally received by Fermi users; however, these are very common
    – The second campaign was a scam phish impersonating a Charles Schwab email requesting a user to receive money
      • This was based on a real phishing email received by Fermi users
  • Oct 2017
    – The first campaign was a FedEx delivery notification phish
      • This was based on a real FedEx delivery email. This is a follow-up to the UPS delivery notification phish from July of this year.
    – The second campaign was a scam phish noting that a foreign email address was added to a user’s Paypal account
      • This was based on a real phishing scheme; however, this has not been reported to us by Fermi users.

SLIDE 10

Phishing exercise details (3)

  • Nov 2017
    – The first campaign was a Netflix billing campaign
      • This was based on a real Netflix phishing scam. It was designed to trick users into thinking that their Netflix payment was not validated, resulting in a suspension of the account.
    – The second campaign was a USPS phish noting the delivery status of the shipment
      • This was targeted specifically to repeat offenders that clicked on both the past UPS and FedEx package delivery phish campaigns.
  • Feb 2018
    – The first campaign was a Microsoft security alert
      • This is an email from “Microsoft” stating that someone else may have accessed his/her account. If the user clicks the link to verify the account, a fake login page is shown. The user may enter his/her credentials into this form.
    – The second campaign was a DropBox sharing notification
      • This is an email from “DropBox” stating that a person has shared a PDF regarding neutrinos with the user

SLIDE 11

UPS Quantum View campaign (image only)

SLIDE 12

ICT Service Desk campaign (image only)

SLIDE 13

Please reset your password campaign (1 of 2) (image only)

SLIDE 14

Please reset your password campaign (2 of 2) (image only)

SLIDE 15

LETTER FROM HOSPITAL campaign (image only)

SLIDE 16

Sorry to see you leave Facebook! campaign (image only)

SLIDE 17

Your Schwab Brokerage Deposit campaign (image only)

SLIDE 18

FedEx Tracking Email campaign (image only)

SLIDE 19

Paypal email address campaign (image only)

SLIDE 20

Netflix Billing Campaign (image only)

SLIDE 21

USPS Delivery Status (image only)

SLIDE 22

Microsoft Security Alert (image only)

SLIDE 23

Microsoft Security Alert (image only)

SLIDE 24

DropBox Sharing (image only)

SLIDE 25

Phish landing page (image only)

SLIDE 26

Phish landing page (image only)

SLIDE 27

Results of Phishing Exercises

Campaign                  # clicks   % clicks   # reports   # repeats
UPS delivery                   753        27%          38
ICT service desk               177         7%          52
Reset password             327/199     12%/8%          62
Letter from hospital             7       0.3%          25
Facebook deactivation          159       5.8%          54
Schwab brokerage                37       1.3%          44
FedEx tracking                 345        13%         110         293
Paypal email addr              227         8%         122         206
Netflix                        115         4%          84         164
USPS (only 137 users)           50        36%           1          50
Microsoft alert              57/10    2%/0.4%         166          96
Dropbox                        115         4%          50         179

Paired values (e.g. 327/199) belong to campaigns that ran in two versions (see the “1 of 2” / “2 of 2” slides). No # repeats value was recorded for the first six campaigns.

SLIDE 28

Overall lessons learned

  • Click rates are still higher than we would like, but overall performance is improving
  • Repeat offenders are a problem, considering 137 users fell for both the UPS and the FedEx shipping phishes, and 50 of those still fell for the USPS phish
  • Users reporting phishes has gone way up
  • Many users read the phish email from mobile devices and/or from outside of Fermilab (and so will not be protected by web blocks at the lab)
    – Note that the first report of a new phish will have the landing site for that phish blocked in our web proxies, providing protection for anyone who is on site when they click

SLIDE 29

Going forward

  • Regular phishing campaigns will continue to be implemented; some will use varied attack vectors
  • There will be consequences to users when they repeatedly “fail” a phishing exercise
    – Currently 43 3-time offenders have had Remedial Phishing Training added to their ITPs
  • URL “defanging” service being implemented from ProofPoint
    – This rewrites each link in incoming mail so that it points at ProofPoint’s servers, which check whether the original destination is legitimate at the time the link is clicked
    – Unlike controls like the proxy servers, this can mitigate risks outside of the lab
    – This can also mitigate risks regardless of platform (Windows, MacOS, iOS, Android, etc.)
    – Whitelisting and blacklisting will be possible for versatility
    – Rewritten links look unfamiliar, so users need a way to see where a link really goes (see the decoder slide)
  • Still need to raise ongoing awareness with users
    – securityawareness.fnal.gov
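One way to produce the numbers in the results table and the repeat-offender lists (the 137 UPS+FedEx clickers targeted by the USPS round, the 3-time offenders sent to remedial training) from raw campaign events, as an added Python example that is not the lab’s reporting or the phishing-test provider’s tool. The event data is constructed. The column meanings are assumptions: % clicks is unique clickers over recipients, and # repeats is the number of a campaign’s clickers who had already clicked in an earlier campaign.

```python
from collections import defaultdict

# Constructed sample data (not Fermilab's results). Campaigns in the order they ran,
# the users each was sent to, and what each user did: "click" = followed the link,
# "report" = forwarded the mail to the security team.
CAMPAIGNS = ["UPS delivery", "FedEx tracking", "USPS delivery"]
RECIPIENTS = {
    "UPS delivery": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "FedEx tracking": {"alice", "bob", "carol", "dave", "erin", "frank"},
    # the USPS round went only to users who clicked both earlier delivery phishes
    "USPS delivery": {"alice", "dave"},
}
EVENTS = [
    ("UPS delivery", "alice", "click"),
    ("UPS delivery", "bob", "click"),
    ("UPS delivery", "carol", "report"),
    ("UPS delivery", "dave", "click"),
    ("FedEx tracking", "alice", "click"),
    ("FedEx tracking", "bob", "report"),
    ("FedEx tracking", "dave", "click"),
    ("FedEx tracking", "erin", "click"),
    ("FedEx tracking", "frank", "report"),
    ("USPS delivery", "alice", "click"),
    ("USPS delivery", "dave", "report"),
]


def users_by_action(events, action):
    """campaign -> set of users who performed `action` in it (a user counts once per campaign)."""
    out = defaultdict(set)
    for campaign, user, what in events:
        if what == action:
            out[campaign].add(user)
    return out


def summarize(events, recipients, order):
    """One row per campaign, in the shape of the results table.

    click_pct is unique clickers over recipients; repeats is the number of this
    campaign's clickers who had already clicked in an earlier campaign.
    """
    clicks = users_by_action(events, "click")
    reports = users_by_action(events, "report")
    already_clicked = set()
    rows = {}
    for campaign in order:
        clickers = clicks[campaign]
        sent = len(recipients[campaign])
        rows[campaign] = {
            "recipients": sent,
            "clicks": len(clickers),
            "click_pct": round(100.0 * len(clickers) / sent, 1) if sent else 0.0,
            "reports": len(reports[campaign]),
            "repeats": len(clickers & already_clicked),
        }
        already_clicked |= clickers
    return rows


def clicked_all(events, campaigns):
    """Users who clicked in every listed campaign: the target list for a follow-up round."""
    clicks = users_by_action(events, "click")
    sets = [clicks[c] for c in campaigns]
    return set.intersection(*sets) if sets else set()


def repeat_offenders(events, threshold=3):
    """Users who clicked in at least `threshold` distinct campaigns, sorted for a training roster."""
    per_user = defaultdict(set)
    for campaign, user, what in events:
        if what == "click":
            per_user[user].add(campaign)
    return sorted(u for u, cs in per_user.items() if len(cs) >= threshold)


if __name__ == "__main__":
    print(f"{'Campaign':<16}{'sent':>6}{'clicks':>8}{'%':>7}{'reports':>9}{'repeats':>9}")
    for name, row in summarize(EVENTS, RECIPIENTS, CAMPAIGNS).items():
        print(f"{name:<16}{row['recipients']:>6}{row['clicks']:>8}{row['click_pct']:>7}"
              f"{row['reports']:>9}{row['repeats']:>9}")
    print("follow-up targets:", sorted(clicked_all(EVENTS, CAMPAIGNS[:2])))
    print("3-time offenders:", repeat_offenders(EVENTS))
```

Counting unique users rather than raw events matters: a user who clicks the same link three times is one failure, not three, and a user who clicks and then reports still appears in both columns, which is the behaviour the awareness training asks for.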

SLIDE 30

(image only)

SLIDE 31

Proofpoint decoding

  • ProofPoint URL Decoder: self-service tool for decoding a ProofPoint URL
  • ProofPoint URL:

https://urldefense.proofpoint.com/v2/url?u=https-3A__powerpedia.energy.gov_wiki_IM-2D24-5FData-5FCalls&d=DwMFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ct1EoviYG4gx4IPJGo2How&m=GGGQWNlRADGtfJDUdQMMNdYP2tEjYN-0bovWUq4yFN4&s=kJSAJqFIZym8fe7uhNnXiJ2kJCTEVOkYm-wE4IBfiTA&e=

  • Decoded URL:

hxxps://powerpedia.energy.gov/wiki/IM-24_Data_Calls

1/14/2019 Phishing Report - Irwin Gaines 31
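The decoding the slide shows, done offline, as an added Python example that is neither Fermilab’s self-service tool nor Proofpoint’s code. It assumes the URL Defense v2 encoding, which is what the slide’s sample uses: the destination sits in the u= parameter, `_` stands for `/`, and `-XX` stands for the byte with hex value XX (so `-3A` is `:`, `-2D` a literal hyphen and `-5F` a literal underscore). Links in the older v1 or newer v3 formats use different encodings and are rejected rather than guessed at. The sample mail body and the link regex are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The wrapped link from the slide, with the line breaks removed.
SLIDE_LINK = (
    "https://urldefense.proofpoint.com/v2/url?"
    "u=https-3A__powerpedia.energy.gov_wiki_IM-2D24-5FData-5FCalls"
    "&d=DwMFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ct1EoviYG4gx4IPJGo2How"
    "&m=GGGQWNlRADGtfJDUdQMMNdYP2tEjYN-0bovWUq4yFN4"
    "&s=kJSAJqFIZym8fe7uhNnXiJ2kJCTEVOkYm-wE4IBfiTA&e="
)

# v2 escape: '-' followed by two hex digits stands for one byte.
HEX_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")
# Constructed regex for anything that looks like an http(s) URL in a mail body.
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def is_urldefense_v2(url: str) -> bool:
    """True only for the exact Proofpoint host and the v2 path.

    The host is compared exactly: a look-alike such as
    urldefense.proofpoint.com.evil.example must not be treated as a wrapper.
    """
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.netloc.lower() == "urldefense.proofpoint.com"
            and parts.path == "/v2/url")


def decode_urldefense_v2(url: str) -> str:
    """Recover the destination a v2 link redirects to, without visiting it."""
    if not is_urldefense_v2(url):
        raise ValueError("not a Proofpoint URL Defense v2 link")
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "u" not in params:
        raise ValueError("v2 link without a u= parameter")
    encoded = params["u"][0]
    # Step 1: '_' is the v2 spelling of '/'. This must run before the hex
    # escapes are expanded, or a decoded '-5F' (a literal '_') would become '/'.
    with_slashes = encoded.replace("_", "/")
    # Step 2: expand '-XX' escapes byte by byte, so multi-byte UTF-8 survives.
    out = bytearray()
    i = 0
    while i < len(with_slashes):
        m = HEX_ESCAPE.match(with_slashes, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(with_slashes[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def unwrap(url: str) -> str:
    """Return the real destination for a wrapped link, or the link itself otherwise."""
    return decode_urldefense_v2(url) if is_urldefense_v2(url) else url


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket: http -> hxxp, as on the slide."""
    if url[:4].lower() == "http":
        return "hxxp" + url[4:]
    return url


def unwrap_body(body: str):
    """Every link in a mail body as (as_seen, real_destination, defanged)."""
    rows = []
    for link in LINK_RE.findall(body):
        real = unwrap(link)
        rows.append((link, real, defang(real)))
    return rows


# Constructed sample mail body, not a real message.
SAMPLE_BODY = (
    "Please review the data call: " + SLIDE_LINK + "\n"
    "Unrelated plain link: https://www.fnal.gov/\n"
)

if __name__ == "__main__":
    for seen, real, safe in unwrap_body(SAMPLE_BODY):
        print(f"{safe}\n    (from {seen[:60]}...)")
```

The order of the two decoding steps is the one thing that is easy to get wrong: expanding the hex escapes first would turn `-5F` into `_` and then into `/`, so `IM-24_Data_Calls` would come back as `IM-24/Data/Calls`. The exact host comparison is the other point worth keeping: a phisher can register a domain that begins with `urldefense.proofpoint.com` and a decoder that matches on a prefix would present it as trusted.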

SLIDE 32

(image only)

SLIDE 33

References

  • [1] https://www.engadget.com/2017/11/11/google-study-hijack/
  • [2] http://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704
  • [3] https://www.computerworld.com/article/2510012/malware-vulnerabilities/second-doe-lab-is-likely-victim-of-spear-phishing-attack.html
  • [4] https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/
  • [5] https://www.engadget.com/2017/11/03/ap-investigation-russia-hack-dnc-clinton-emails/

SLIDE 34

MFA and VPN

  • Multi-Factor Authentication (MFA) is the use of at least two of three possible modalities for identification: something you know (a password); something you have (smartcard or phone); something you are (fingerprints)
  • Fermilab is presently (under DOE mandate) using PIV-I smart cards for access to enterprise privileged systems and RSA tokens (both hardware and software tokens) for access to business and HR systems. Note that the RSA tokens do not satisfy the strictest level of authentication assurance and so need to be migrated to a “better” token
  • Recent cyber attacks have highlighted a possible vulnerability in VPN access to the lab, which presently only requires the services password that is also used for email access (so a password captured by a phishing page is also a working VPN credential)
  • Current MFA upgrade project will
    – Switch to a single token (Yubikey) for most access (so no need for two types of tokens)
    – Satisfy DOE requirements for authentication assurance
    – Extend to additional systems (in particular VPN)

SLIDE 35

MFA usage for VPN

  • Project in initial stages; in particular we need to understand use cases for remote science access to data acquisition and analysis systems
  • We intend to support both token-based and software-based authentication methods
  • Will take several months to roll out credentials to all VPN users
  • Currently asking users to make sure they have the root certificate from the Fermilab CA installed on the machines they will be using for token-based VPN access in the future
  • Will be reaching out to user community to identify who needs to use VPN and what devices they will be using for this access. For example, we need to know:
    – Will users be present at Fermilab to be issued hardware tokens, or are they only remote users
    – Are they using access devices with USB ports
    – Will they have access to smartphones or other devices to do software authentication

SLIDE 36

Future path

  • Watch FermiNews and the VPN users mailing list for updated information over the next several months
  • VPN already accepts Yubikey and RSA authentication
  • Pilot users will be issued Yubikey tokens in January; RSA tokens already available at the Service Desk. Volunteers for the pilot program eagerly accepted.