Hackers Havoc PAUL HAGER & DALE HARKNESS Your Questions - PowerPoint PPT Presentation

Hacker’s Havoc PAUL HAGER & DALE HARKNESS

Your Questions Answered Today Who is that is writing all these viruses? • • Why do they do it? Is Anti Virus enough? • How do we keep our corporate data safe? • How do I keep my family safe? •

Ground Rules Not about scare tactics today • Education • • Empower you to choose between convenience and privacy

A Brief History of Security The first SPAM email in 1978 • • Name does come from Monty Python • Grows in the 90’s and early 2000’s SPAM exists to sell: • – Adult Content – Pharma • Major Botnet and ISP take downs in 2008 but they strive on

A Brief History of Security Only stopped by … . • – VISA and MASTERCARD • Now what? • Viruses • Ransomware BOTNETS •

A Brief History of Security New Currency in a • new modern black market Bitcoins Bit mining is the new • money laundering • The Onion Router Network • The Darknet

Where is it sold?

State of the State of Security • 65 Adversaries, 36 most active • Increase in Ransomware • Increase in sophistication • POS Targeting Credit Card Track Data in memory • Phone scams on the rise (https://www.youtube.com/watch?v=sz0cEo2h3f8) • More Damage Than Ever • XP EOL and Server 2003 EOL. Coming soon Windows7 EOL!

The Adversary

The Adversary • Criminal • Hacktivist • State-sponsored • Nationalist

Review of Recent Notable Breaches • DNC • Olympics Anti Doping Agency • Target • Sony • Home Depot • Anthem • Equifax • Facebook http://www.informationisbeautiful.net/visualizations/w orlds-biggest-data-breaches-hacks /

Rise of Ransomware Huge Boom in Ransomware • • Profitable Effective •

Cryptolocker aka ‘Cryptowall’ First version taken down in June • of 2014 with the ZeusBot Net going down No longer uses BOTNETS uses P2P • • Polymorhpic and self registering Domain names • Locking Computer Screens • AV won’t prevent it

Other Security Statistics that Will Scare You • The Average time to detection is 191 days – https://databreachcalculator.com • Average is around $158 per record Source: 2017 Cost of Data Breach Study (Ponemon Institute for IBM Security)

How Good is Your Firm’s Security Posture? • Level 0 – Blind (Months) • Level 1 – Minimally Compliant (Weeks) • Level 2 – Securely Compliant (Days) • Level 3 – Vigilant (Hours) • Level 4 – Resilient (Minutes) Think SOC Mean-Time-to-Detect (MTTD) and Mean-Time-to-Respond (MTTR)

Threat landscape for small businesses 71% 55K 60% $900K of cyberattacks target Devices are compromised by of small businesses close is the average cyber attack small businesses ransomware every month their doors after a remediation cost for small cyberattack businesses

Why are attacks so successful? It only takes hackers 4 minutes to get in your network, but 191+ • days for businesses to discover they’ve been breached. 53% 30% 63% of users accidentally of users open emails from of passwords are share information attackers, 10% click on weak, default, or stolen attachments or links

Why We Still Struggle With IT Security • Complicate the Simple Equifax HAS Security – Capital One HAS Security – It Is Not Like The Movies – • Trust Technology Will Protect Us Firewalls – Intrusion Prevention Systems – Antimalware and Threat Intelligence – SIEMs – We Still Have Breaches – • Your Company and Your Data – Where Data Is Stored – How Data Is Accessed – What The Risk Is In That Process

Password Access Security Statistics Get the facts straight – Yes, I meant to use that strike through – Yes, we still have to talk about password security – No, not everyone is using multi factor authentication – Don’t worry, you’re not the only one out there still using ONLY passwords

Password Access Security Statistics • 80% of hacking related breaches still involve compromised and weak credentials • 29% of all breaches are from the use of stolen credentials • 25% of employees use the same password for every account • 63% of businesses receive backlash from employees when using MFA Techrepublic Newsletter – August 1, 2018 Verizon Data Breach Investigation Report - 2019

How Secure Is YOUR Password Packers Packers#4 ILoveThePackers Packers4

Access Security Best Practices • NIST Special Publication 800-63B • Old standards still hold weight 8 character minimum – Complexity requirements – Password history in use – Uppercase and special characters – • Revised standards – Frequency: Incident response to security event – Hints: Do not use a hint that is tied to you such as last name, birthdates, or anniversaries Memorable: Think passphrase not password – • Enhancements – Use MFA when possible – Use passphrase managers that are encrypted and supported

Phishing Attack Statistics Get the facts straight: – Yes, you will get phishing emails that slip through spam filters – No, there is no perfect email security system – Yes, you should have a phishing campaign to identify employee needs – Don’t worry, all businesses are targeted regardless of vertical or size

Phishing Attack Statistics Out of 160 billion emails 67 billion were spam, targeted, impersonation or opportunistic attacks (April 2019 to June 2019) 83% of people in 2018 received a phishing attack 2/3 of phishing attacks use malicious links not attachments

Phishing Attacks – Spotting The Fake • Misspelled words • Unknown sender • Urgent or threatening • Attachments with double extensions • Non-business terms or generic verbiage

Phishing Attack – SaaS Credentials

Phishing Attack – Cloud Drives

Phishing Attack – Business Email Compromise

Phishing Security Best Practices Go beyond spam protection measures – Attachment filtering – URL filtering – Implement SPF and DKIM Threat Monitoring – Threat intelligence at desktop level – Data loss prevention – Outbound firewall rules and filtering Train employees – What is a valid request – How to verify the validity of a request – Have a phishing campaign as a learning opportunity

Social Engineering Statistics • Get the facts straight – Yes, this is a real security risk to a business that is very non technical – Yes, you can call them scam or con artists if you want – No, I don’t think you should board up your business as a defense – Don’t worry, there are some next to nothing costs associated with defense • 60% of spoofed email does NOT contain malicious content (links or attachments) • 97% of malicious attacks require some level of human interaction • 45% of users will plug in an unknown USB device they found KnowBe4 Social Engineering Statistics - 2019

How Does Social Engineering Work Gather Information Use Acquired Plan Attack Knowledge System Users Acquire ATTACK Tools

Social Engineering Scenario Hello, this is George with Acme Controls how can I George, it’s Bill at ITP Support. Listen, I have a bunch help you? of errors from your computer. I need to run a quick scan. Sure go ahead and remote into the machine Well here is the thing, my standard remote software isn’t working, can you go to this URL and download this tool? Yeah it is asking for a code for you to get in. Yeah its 12345, just say ok and it will run. My antivirus just popped up a message. Yeah can you go into your Task Manager, and just close out of that for me. That happens all the time. Sure there you go.

Social Engineering Hello, how may I help you today? Yeah, I tried to access your website and I got a bunch of weird errors. I screenshotted them so that I could show you. You can talk to our support team about those right over there . Yeah the thing is I am in a huge rush and since I already have you right here do you mind taking a look. Ok, sure. Where are these error messages? Right here on my flash drive . Ok thank you, yes I see the errors but I am not sure what they mean. Aw, that’s ok thanks anyways I guess I will have to go talk to support. Yes, that would be best. Thanks and have a great day.

Social Engineering Security Best Practices Know what data is publicly available Indeed – – Facebook – Google searches – Way Back Machine Incorporate training of employees – Employee roles and limits Ask questions – – Never be afraid to escalate Know the techniques – Shoulder Surfing and Tailgating – Impersonation and Diversion – Baiting Pretexting – – Water-Holing

How do you protect your business? • Multi Layered Approach – Education – Technology • Not Just AV/IPS • DLP – Data Loss Prevention • SSO/Password Vaults – Testing/Validation/Run book

Personal Security Tips

Personal Security Tips Credit monitoring for your kids • Credit Freeze for adults • • Use DuckDuckGo.com for your search engine • Enable Privacy Protections on your devices and in your browsers