Hacker’s Havoc - PAUL HAGER & DALE HARKNESS - PowerPoint PPT Presentation


SLIDES 1-3

Hacker’s Havoc

PAUL HAGER & DALE HARKNESS

SLIDE 4

Your Questions Answered Today

  • Who is it that is writing all these viruses?
  • Why do they do it?
  • Is antivirus enough?
  • How do we keep our corporate data safe?
  • How do I keep my family safe?
SLIDE 5

Ground Rules

  • Not about scare tactics today
  • Education
  • Empower you to choose between convenience and privacy

SLIDE 6

A Brief History of Security

  • The first SPAM email was sent in 1978
  • The name does come from Monty Python
  • Grows in the 90’s and early 2000’s
  • SPAM exists to sell:
    – Adult content
    – Pharma
  • Major botnet and ISP take-downs in 2008, but they thrive on

SLIDE 7

A Brief History of Security

  • Only stopped by….
    – VISA and MASTERCARD
  • Now what?
  • Viruses
  • Ransomware
  • BOTNETS
SLIDE 8

A Brief History of Security

  • New currency in a new modern black market: Bitcoins
  • Bitcoin mining is the new money laundering
  • The Onion Router (Tor) network
  • The Darknet
SLIDE 9

Where is it sold?

SLIDE 10

State of the State of Security

  • 65 adversaries, 36 most active
  • Increase in ransomware
  • Increase in sophistication
  • POS targeting credit card track data in memory
  • Phone scams on the rise (https://www.youtube.com/watch?v=sz0cEo2h3f8)
  • More damage than ever
  • XP EOL and Server 2003 EOL. Coming soon: Windows 7 EOL!
SLIDE 11

The Adversary

SLIDE 12

The Adversary

  • Criminal
  • Hacktivist
  • State-sponsored
  • Nationalist
SLIDE 13

Review of Recent Notable Breaches

  • DNC
  • Olympics Anti-Doping Agency
  • Target
  • Sony
  • Home Depot
  • Anthem
  • Equifax
  • Facebook

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
SLIDE 14

Rise of Ransomware

  • Huge boom in ransomware
  • Profitable
  • Effective
SLIDE 15

Cryptolocker aka ‘Cryptowall’

  • First version taken down in June of 2014 with the ZeusBot Net going down
  • No longer uses BOTNETS, uses P2P
  • Polymorphic and self-registering domain names
  • Locking computer screens
  • AV won’t prevent it
SLIDE 16

Other Security Statistics that Will Scare You

  • The average time to detection is 191 days
    – https://databreachcalculator.com
  • Average cost is around $158 per record

Source: 2017 Cost of Data Breach Study (Ponemon Institute for IBM Security)

SLIDE 17

How Good is Your Firm’s Security Posture?

  • Level 0 – Blind (Months)
  • Level 1 – Minimally Compliant (Weeks)
  • Level 2 – Securely Compliant (Days)
  • Level 3 – Vigilant (Hours)
  • Level 4 – Resilient (Minutes) – Think SOC

Time in parentheses: Mean-Time-to-Detect (MTTD) and Mean-Time-to-Respond (MTTR)

SLIDE 18

Threat landscape for small businesses

  • 71% of cyberattacks target small businesses
  • 55K devices are compromised by ransomware every month
  • 60% of small businesses close their doors after a cyberattack
  • $900K is the average cyber attack remediation cost for small businesses

SLIDE 19

Why are attacks so successful?

  • It only takes hackers 4 minutes to get in your network, but 191+ days for businesses to discover they’ve been breached.
  • 30% of users open emails from attackers, 10% click on attachments or links
  • 63% of passwords are weak, default, or stolen
  • 53% of users accidentally share information

SLIDE 20

Why We Still Struggle With IT Security

  • Complicate the Simple
    – Equifax HAS Security
    – Capital One HAS Security
    – It Is Not Like The Movies
  • Trust Technology Will Protect Us
    – Firewalls
    – Intrusion Prevention Systems
    – Antimalware and Threat Intelligence
    – SIEMs
    – We Still Have Breaches
  • Your Company and Your Data
    – Where Data Is Stored
    – How Data Is Accessed
    – What The Risk Is In That Process

SLIDE 21

Password Access Security Statistics

Get the facts straight

  – Yes, I meant to use that strike through
  – Yes, we still have to talk about password security
  – No, not everyone is using multi factor authentication
  – Don’t worry, you’re not the only one out there still using ONLY passwords

SLIDE 22

Password Access Security Statistics

  • 80% of hacking related breaches still involve compromised and weak credentials
  • 29% of all breaches are from the use of stolen credentials
  • 25% of employees use the same password for every account
  • 63% of businesses receive backlash from employees when using MFA

Sources: TechRepublic Newsletter – August 1, 2018; Verizon Data Breach Investigations Report – 2019

SLIDE 23

How Secure Is YOUR Password?

  • Packers4
  • Packers#4
  • ILoveThePackers
  • Packers

SLIDE 24

Access Security Best Practices

  • NIST Special Publication 800-63B
  • Old standards still hold weight
    – 8 character minimum
    – Complexity requirements
    – Password history in use
    – Uppercase and special characters
  • Revised standards
    – Frequency: change in response to a security event
    – Hints: Do not use a hint that is tied to you such as last name, birthdates, or anniversaries
    – Memorable: Think passphrase not password
  • Enhancements
    – Use MFA when possible
    – Use passphrase managers that are encrypted and supported
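A password screen along the lines of the NIST SP 800-63B points above (8-character minimum, screening against a blocklist of common or compromised words, rejecting repeated or sequential characters, favouring passphrases), run over the four "Packers" candidates from slide 23. This is an added example, not code from the presentation; the blocklist, the leet map and the passphrase threshold are constructed stand-ins.

```python
import re

# Constructed stand-in for a compromised/common-password blocklist. NIST SP 800-63B
# asks verifiers to screen against such lists; a real deployment would load a
# breach-derived corpus instead of this handful of words.
BLOCKLIST = {"packers", "password", "welcome", "letmein", "qwerty", "football"}

# Digit/symbol substitutions people use to satisfy "complexity" rules (P4ckers).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")


def normalize(password: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols ('Packers#4' -> 'packers'),
    then undo leet substitutions so the underlying dictionary word is visible."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def check_password(password: str, blocklist=BLOCKLIST) -> list:
    """Return the reasons a password should be rejected; an empty list means it passes."""
    reasons = []
    if len(password) < 8:                       # 800-63B: at least 8 characters
        reasons.append("shorter than 8 characters")
    core = normalize(password)
    if core in blocklist:                       # a dictionary word with decoration
        reasons.append(f"is the blocklisted word '{core}' with decoration")
    else:                                       # a dictionary word buried in a longer string
        hits = sorted(w for w in blocklist if len(w) >= 5 and w in core)
        if hits:
            reasons.append(f"contains blocklisted word(s) {hits}")
    lowered = password.lower()
    if re.search(r"(.)\1\1", lowered):          # 'aaa', '111'
        reasons.append("repeated characters")
    if any(seq[i:i + 4] in lowered for seq in SEQUENCES for i in range(len(seq) - 3)):
        reasons.append("sequential characters")  # 'abcd', '1234', 'qwer'
    return reasons


def is_passphrase(password: str, min_words: int = 4) -> bool:
    """The slide's 'think passphrase not password': several words and real length."""
    return len(password) >= 16 and len(re.findall(r"[A-Za-z]{3,}", password)) >= min_words


if __name__ == "__main__":
    # The four candidates from slide 23, plus one passphrase for contrast.
    for candidate in ("Packers4", "Packers#4", "ILoveThePackers", "Packers",
                      "correct horse battery staple"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r:32} passphrase={is_passphrase(candidate)!s:5} {verdict}")
```

All four slide-23 candidates are rejected for the same root cause, a team name with decoration, which is exactly what composition rules alone never catch.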

SLIDE 25

Phishing Attack Statistics

Get the facts straight:

  – Yes, you will get phishing emails that slip through spam filters
  – No, there is no perfect email security system
  – Yes, you should have a phishing campaign to identify employee needs
  – Don’t worry, all businesses are targeted regardless of vertical or size
SLIDE 26

Phishing Attack Statistics

  • Out of 160 billion emails, 67 billion were spam, targeted, impersonation or opportunistic attacks (April 2019 to June 2019)
  • 83% of people in 2018 received a phishing attack
  • 2/3 of phishing attacks use malicious links, not attachments

SLIDE 27

Phishing Attacks – Spotting The Fake

  • Misspelled words
  • Unknown sender
  • Urgent or threatening
  • Attachments with double extensions
  • Non-business terms or generic verbiage
SLIDE 28

Phishing Attack – SaaS Credentials

SLIDE 29

Phishing Attack – Cloud Drives

SLIDE 30

Phishing Attack – Business Email Compromise
SLIDE 31

Phishing Security Best Practices

Go beyond spam protection measures

  – Attachment filtering
  – URL filtering
  – Implement SPF and DKIM

Threat monitoring

  – Threat intelligence at desktop level
  – Data loss prevention
  – Outbound firewall rules and filtering

Train employees

  – What is a valid request
  – How to verify the validity of a request
  – Have a phishing campaign as a learning opportunity

SLIDE 32

Social Engineering Statistics

  • Get the facts straight
    – Yes, this is a real security risk to a business that is very non-technical
    – Yes, you can call them scam or con artists if you want
    – No, I don’t think you should board up your business as a defense
    – Don’t worry, there are some next-to-nothing costs associated with defense
  • 60% of spoofed email does NOT contain malicious content (links or attachments)
  • 97% of malicious attacks require some level of human interaction
  • 45% of users will plug in an unknown USB device they found

Source: KnowBe4 Social Engineering Statistics - 2019

SLIDE 33

How Does Social Engineering Work

Gather Information → Plan Attack → Acquire Tools → ATTACK → Use Acquired Knowledge

Targets: the system and its users

SLIDE 34

Social Engineering Scenario

George: Hello, this is George with Acme Controls, how can I help you?
Bill: George, it’s Bill at ITP Support. Listen, I have a bunch of errors from your computer. I need to run a quick scan.
George: Sure, go ahead and remote into the machine.
Bill: Well, here is the thing, my standard remote software isn’t working, can you go to this URL and download this tool?
George: Yeah, it is asking for a code for you to get in.
Bill: Yeah, it’s 12345, just say OK and it will run.
George: My antivirus just popped up a message.
Bill: Yeah, can you go into your Task Manager and just close out of that for me? That happens all the time.
George: Sure, there you go.

SLIDE 35

Social Engineering

Front desk: Hello, how may I help you today?
Visitor: Yeah, I tried to access your website and I got a bunch of weird errors. I screenshotted them so that I could show you.
Front desk: You can talk to our support team about those right over there.
Visitor: Yeah, the thing is I am in a huge rush and since I already have you right here, do you mind taking a look?
Front desk: Ok, sure. Where are these error messages?
Visitor: Right here on my flash drive.
Front desk: Ok, thank you, yes I see the errors but I am not sure what they mean.
Visitor: Aw, that’s ok, thanks anyways, I guess I will have to go talk to support.
Front desk: Yes, that would be best. Thanks and have a great day.

SLIDE 36

Social Engineering Security Best Practices

Know what data is publicly available

  – Indeed
  – Facebook
  – Google searches
  – Wayback Machine

Incorporate training of employees

  – Employee roles and limits
  – Ask questions
  – Never be afraid to escalate

Know the techniques

  – Shoulder surfing and tailgating
  – Impersonation and diversion
  – Baiting
  – Pretexting
  – Water-holing

SLIDE 37

How do you protect your business?

  • Multi-layered approach
    – Education
    – Technology
      • Not just AV/IPS
      • DLP – Data Loss Prevention
      • SSO/Password vaults
    – Testing/Validation/Run book

SLIDE 38

Personal Security Tips

SLIDE 39

Personal Security Tips

  • Credit monitoring for your kids
  • Credit freeze for adults
  • Use DuckDuckGo.com for your search engine
  • Enable privacy protections on your devices and in your browsers

SLIDE 40

Personal Security Tips – Email

  • Set up a separate email account for logging into the bank and other sensitive online accounts
    – Never re-use your work or personal email for critical financial online activities
    – Use a different password for this account
  • What is the best free email? None
    – Not Google
    – Ad-free outlook.com (paid)

SLIDE 41

Password Management

  • No file called Passwords
  • Not digital
  • No Excel spreadsheets
  • https://lastpass.com/
    – Or another password manager

SLIDE 42

Get a Dark Web Scan

itprosusa.com/dark-web

SLIDE 43

Questions?

Wrapping Up…

SLIDE 44

Thank you!

Paul Hager
phager@itprosusa.com
www.itprosusa.com
blog.itprosusa.com
https://www.linkedin.com/in/paulhagerfuturist/

Dale Harkness
dharkness@itprosusa.com