Ransomware & More - PowerPoint PPT Presentation by Michael Zimmer, Director of Information Security Services, Northern Arizona University



SLIDE 1

Ransomware & More

Quick Note About Me

  • Michael Zimmer, Director of Information Security Services at Northern Arizona University
  • Working in IT at NAU 23 years, from Help Desk to Deskside Support to Sys Admin to InfoSec

WHEN, not if

  • Right now it’s ransomware, tomorrow it will be something else…
  • Not every combination of vulnerabilities can be solved for - they are infinite…
  • There are some tried and true steps you can take – I hope to illustrate these.
  • I am very interested in your thoughts, concerns, questions and learning what can help.

SLIDE 2

Ransomware & More

  • Ransomware attacks continue to increase in 2019 and from quarter to quarter.
  • Ransomware payments have increased by 184% during Q2 of 2019, to a $36,295 average.
  • Bigger costs can come to reputation and customer trust… regulatory fines… downtime.
  • Average duration of downtime has increased, too, from 7.3 days to 9.6 days.
  • Most common method of attack? Most assume it’s phishing, but phishing is second to Remote Desktop Protocol (RDP) exposed to the Internet.
  • Ransomware developers run campaigns like a military operation… how can you defend that??
  • Hospitals, cities, colleges, K-12, government agencies…
  • Not just ransomware – high school student hacks into school district’s network and copies students’ Social Security numbers; 13-year-old deletes student records; two students steal a password from a teacher’s computer to change grades; storm-related damage to a single backup (or no backups at all)…
  • Estimated 2,000+ programs or scripts running on the Internet, night and day, poking and probing for openings, vulnerabilities, and security holes… once found, it becomes something of interest to an attacker to look closer at…
SLIDE 3

Kill chain – “phases” of an attack (left to right on the slide)

  • Random or Targeted: Phishing Emails; Open Firewall Rules; Account Brute Force; Harmful Websites
  • Payload is Delivered: Infected Link/Attach; Escalate Credentials; Remotely Install
  • Worm, Lateral Move: After Installation
  • Outbound Comm’s: External IP, Domain
  • Inbound Commands: Data, Instructions
  • More ID, Recon: Poss. More Lateral Moving
  • More Infections: Spread for Coverage; Not all Ransomware
  • If you are here, too late! Encrypt Files, Ransom; Destroy Files if no pay; Data Loss, Theft; More…?

Kill chain disruption – steps that may dissuade attacker (listed in slide order under the phases above; the repeats are intentional, the same control applies at several phases)

  • Be Less Interesting!
  • Block Common Ports
  • Educate Users
  • Email Filters
  • Web Content Filters
  • User Awareness
  • Revoke Admin Level
  • Updates & Patching
  • Anti-Virus, Updated
  • App Control, Macros
  • Firewall / Port Rules
  • Network Monitoring
  • Anti-Virus, Updated
  • Intrusion Detection
  • Alerting
  • Revoke Admin Levels
  • Anti-Virus, Updated
  • Firewall / Port Rules
  • Updates & Patching
  • Network Monitoring
  • Revoke Admin Levels
  • Anti-Virus, Updated
  • Don’t Store Data Locally
  • Have Multiple Backups
  • Have a Recovery Plan
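An added example, not from the slide deck, of the “Account Brute Force” phase meeting the “Network Monitoring / Alerting” disruption above: it reads failed Windows logon records (event 4625; logon type 10 is RemoteInteractive, i.e. RDP) and flags any source address that racks up more than a threshold of RDP failures inside a sliding time window. The one-line-per-event format, the sample entries, the threshold and the window are all assumptions constructed for the demo; a real export from Event Viewer or a SIEM will need its own parser, but the counting logic is the same.

```python
"""Detect RDP password guessing from failed-logon records.

Added example, not part of the original presentation. The input is a
constructed, simplified export of Windows Security event 4625 (logon
failure): "timestamp event_id user logon_type source_ip" per line.
LogonType 10 = RemoteInteractive (RDP). Lines are assumed to be in
chronological order, as a log export normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample data (not real logs). 203.0.113.7 sprays several
# usernames over RDP in a few seconds; 198.51.100.9 fails twice, far apart;
# 10.0.0.5 is an ordinary console logon (type 2) and must be ignored.
SAMPLE_LOG = """\
2019-08-25T02:14:01 4625 administrator 10 203.0.113.7
2019-08-25T02:14:03 4625 admin 10 203.0.113.7
2019-08-25T02:14:05 4625 Administrator 10 203.0.113.7
2019-08-25T02:14:06 4625 jsmith 2 10.0.0.5
2019-08-25T02:14:08 4625 root 10 203.0.113.7
2019-08-25T02:14:11 4625 teacher 10 203.0.113.7
2019-08-25T02:14:12 4624 jsmith 2 10.0.0.5
2019-08-25T02:30:00 4625 backup 10 198.51.100.9
2019-08-25T03:45:00 4625 backup 10 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\S+) (\d+) (\S+)$")


def parse_line(line):
    """Return (timestamp, event_id, user, logon_type, source_ip), or None
    for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, user, logon_type, src = m.groups()
    return datetime.fromisoformat(ts), int(event_id), user, int(logon_type), src


def detect_rdp_bruteforce(log_text, threshold=5, window_minutes=10):
    """Return {source_ip: (failure_count, [usernames tried])} for every
    source that produces >= threshold failed RDP logons within any
    window_minutes-long sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # source_ip -> timestamps inside the window
    users = defaultdict(set)      # source_ip -> usernames it has tried
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event_id, user, logon_type, src = rec
        if event_id != 4625 or logon_type != 10:
            continue              # only failed RDP logons count
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        users[src].add(user.lower())
        if len(q) >= threshold:
            # keep the latest count so the alert reflects the whole burst
            alerts[src] = (len(q), sorted(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (count, names) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed RDP logons, usernames {names}")
```

The username list is worth keeping in the alert: many distinct accounts from one address is password spraying against an Internet-facing RDP host, and the fix is the “Block Common Ports” item above (no RDP from the Internet; VPN or a gateway with MFA in front of it), not just blocking that one address.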

SLIDE 4
What you can do

  • Assess your risks
  • Backup, and test backups of, your data regularly
      • This protects you from much more than ransomware!
      • If you assume it is when rather than if, best bang for buck is ability to recover… therefore backups!
  • Patching and updating – operating systems, applications, web browsers
  • Firewall rules and port blocking
  • Training and awareness
  • Remove unnecessary administrator permissions (for most it IS unnecessary)
  • Anti-Virus/Firewall – installed and up to date
  • Have a recovery plan and test it or review it annually
  • Bonus Items – if you can:
      • Application Whitelisting, Disable Macros, Intrusion Detection, Network Monitoring, Alerting, Vuln Scans
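An added example, not from the slide deck, of the “Backup, and test backups of, your data regularly” step above. A backup that has never been restored is a guess, and a backup that ransomware can reach and encrypt is worse than a guess; the script copies a tree, writes a SHA-256 manifest computed from the originals, then proves the copy by restoring it into a scratch directory and re-hashing every file. The directory names, the manifest format and the sample files are assumptions constructed so that it runs offline.

```python
"""Make a backup copy with a SHA-256 manifest and verify it later.

Added example, not part of the original presentation. Paths, the
manifest layout and the sample tree are constructed assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_backup(source, dest):
    """Copy every file under `source` to `dest` and write a manifest of
    relative path -> SHA-256 so the copy can be checked independently."""
    source, dest = Path(source), Path(dest)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(path)   # hash the ORIGINAL, not the copy
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dest):
    """Re-hash every file in the backup against the manifest. Returns
    {relative_path: 'missing' | 'corrupt' | 'unlisted'}; empty means good."""
    dest = Path(dest)
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems = {}
    for rel, digest in manifest.items():
        path = dest / rel
        if not path.is_file():
            problems[rel] = "missing"
        elif sha256_of(path) != digest:
            problems[rel] = "corrupt"      # overwritten, e.g. encrypted
    for path in dest.rglob("*"):
        if path.is_file() and path.name != MANIFEST_NAME:
            rel = path.relative_to(dest).as_posix()
            if rel not in manifest:
                problems[rel] = "unlisted"  # something added after the backup
    return problems


def restore_test(dest, scratch):
    """'Test your backups': restore into a scratch directory and verify the
    restored tree, returning the problems found (none for a good backup)."""
    shutil.copytree(dest, scratch, dirs_exist_ok=True)
    return verify_backup(scratch)


def demo():
    """Constructed data: build a source tree, back it up, run a restore
    test, then simulate ransomware reaching the backup (one file
    overwritten, one deleted) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst, scratch = Path(tmp, "src"), Path(tmp, "backup"), Path(tmp, "restore")
        (src / "grades").mkdir(parents=True)
        (src / "grades" / "2019.csv").write_text("student,grade\n1001,A\n")
        (src / "notes.txt").write_text("staff phone list\n")
        make_backup(src, dst)
        clean = restore_test(dst, scratch)
        (dst / "notes.txt").write_bytes(b"\x00encrypted-by-ransomware\x00")
        (dst / "grades" / "2019.csv").unlink()
        damaged = verify_backup(dst)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("restore test:", clean or "OK")
    print("after tampering:", damaged)
```

Two points the slide’s “multiple, including offline” wording implies and the code makes concrete: the manifest must live somewhere the backup target cannot reach (otherwise an attacker who encrypts the backup can rewrite the manifest to match), and the restore test should run on a separate machine or account, since verifying with the same credentials that ransomware used proves little.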

Recap & Steps to Consider

  • Not every combination of vulnerabilities can be solved for - they are infinite
  • Best Approach = assume compromise, assume breach, will occur
  • Be Ready = know your inventory, know your risks, prioritize them, leadership and IT in collaboration
  • Be Ready = have a disaster plan, have multiple backups, be able to recover
  • What if you are attacked?
      • Isolate / remove from network first; then shut system down (powering off loses volatile evidence, so capture memory first if you have the capability)
      • Check for, confirm, your backups for affected systems and plan your recovery
      • Change passwords, lock accounts, contact insurer and authorities/peers, follow your recovery plan
SLIDE 5

Filtered List for Quick Reference

  • Know your inventory, know and prioritize your risks
  • Maintain a disaster recovery plan
  • Backups!!!!! – multiple, including offline
  • Patching and updating
  • Firewall rules and port blocking
  • Anti-Virus
  • Training and awareness
  • Remove unnecessary administrator permissions
SLIDE 6

References & Additional Resources

  • AASA, School Superintendents Association article
      https://aasa.org/SchoolAdministratorArticle.aspx?id=8606
  • AZ Auditor General Ransomware Alert
      https://www.azauditor.gov/sites/default/files/DFI_19-405.pdf
  • AZ Cybersecurity Team, ACT
      https://bc.azgovernor.gov/bc/arizona-cybersecurity-team
  • CoSN, Consortium for School Networking – Home, Self Assessment document, Free webinars
      https://www.cosn.org/
      https://cosn.org/download-cybersecurity-self-assessment
      https://cosn.org/advancement/webinars
  • Department of Homeland Security – Stop.Think.Connect
      https://www.dhs.gov/stopthinkconnect-toolkit
  • Department of Homeland Security – Student Resources
      https://www.dhs.gov/publication/stopthinkconnect-student-resources
  • Department of Homeland Security, CISA – What is Ransomware and Steps to Take
      https://www.us-cert.gov/ncas/tips/ST19-001
  • Department of Homeland Security, CISA – Ransomware Brief
      https://www.us-cert.gov/sites/default/files/2019-08/CISA_Insights-Ransomware_Outbreak_S508C.pdf
  • Stay Safe Online (user awareness, tips)
      https://staysafeonline.org/
SLIDE 7

References, Additional Resources

  • Awareness Help… See if your password has been in a breach (reminder: do not reuse passwords)
      https://haveibeenpwned.com/
  • Awareness Help… How Passwords Can Be Stolen
      https://www.sentinelone.com/blog/7-ways-hackers-steal-your-passwords/
  • Awareness Help… October is National Cybersecurity Awareness Month
      https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019
  • CBS 60 Minutes Ransomware Segment – Replayed Sunday August 25 2019
SLIDE 8

Questions & Discussions

If needed, some questions I have to help us get started:

  • How many have a risk assessment, prioritized risks?
  • Who would you call / did you call in an event like this?
  • Do you have someone on retainer for response? Is it tied to membership in The Trust, alongside insurance?
  • Do they recommend paying or not paying ransom?
  • Is there a $ amount threshold that helps decide?
  • Funding and budgets
  • Higher Ed isn’t much better off, but I can’t imagine…
  • Grants, Awards?
  • Microsoft, Boards or Departments of Ed
  • State of AZ, ASET AZDOA
  • Governor’s AZ Cybersecurity Team, ACT
  • September meeting (September 19 2019, 9am – 11am)
  • Anyone have contacts? I have approached mine.
  • Anyone familiar with or participating in CoSN, Consortium for School Networking? (I do not see AZ as a chapter)
  • What role(s) do you see, think, wish, want… NAU ETC filling or trying to fill?
  • What would this look like? Individual relationships or consortium level?

Any questions … that aren’t hard?