
Page 1: 2015 – Top IT Risks for Today’s Auto Dealers

Michael Hammond, CISA, CRISC, CISSP, C|EH
Director, IT Audit & Security
O’Connor & Drew P.C.
[email protected]
www.ocd.com

Page 2: Top IT Risks

• Where is your important data?
• Phishing
• WISP
• Patching (OS and applications)
• Reliance on your DMS

Page 3: Where is your important data?

• Do you have an inventory of all company confidential/sensitive data?
• Do you have an inventory of State/Federal protected data?

You can’t protect what you don’t know you have.

Page 4: Where is your important data?

Data has a lifecycle:

• Acquire/Create
• Classification
• Storage (at rest / in motion)
• Manipulation
• Backup
• Destruction

Page 5: Where is your important data?

• Collection
  ▫ Credit card applications
  ▫ New employee on-boarding documents
• Classification
  ▫ Are documents labeled? If not, are you wasting time protecting every document, or worse, not protecting the ones that should be labeled?
• Storage
  ▫ Laptops, phones, and removable media should always be encrypted
  ▫ Desktops should also be encrypted

Page 6: Where is your important data?

• Manipulation
  ▫ When the data is moved from the source to another location, or aggregated, did the classification change?
  ▫ Did two non-sensitive documents, combined, elevate to something that must be protected?
• Backup
  ▫ Encrypted before leaving the building? External USB? Site to site? Cloud?
• Destruction
  ▫ Drives MUST always be wiped (deleting files or a quick format is not a wipe)
  ▫ Documents should be shredded, regardless of classification

Page 7: Phishing

Page 8: Phishing

Page 9: Phishing

• Recon
  ▫ LinkedIn
  ▫ Twitter
  ▫ Facebook
  ▫ theHarvester

Page 10: Phishing

• 2005 PC World article on phishing
  ▫ Defined 12 types of phishing, including: instant messaging, malware-based, session hijacking, pharming, man-in-the-middle, search engine, …

Page 11: Phishing

• Not much has changed in the past 10 years
  ▫ Present day: spam, phishing, spear phishing, watering hole attacks

Page 12: Phishing

• Home Attacks

Page 13: Phishing

• Home Attacks

Page 14: Phishing

• Home Attacks
  ▫ Links on your phone are especially dangerous.
  ▫ You often cannot “hover over” the link.

How many errors can you spot?

Page 15: Phishing

• Home Attacks
  ▫ Same email, but from my computer
  ▫ Hovered over the link
  ▫ Microsoft doesn’t need Bitly

http://bit.ly/1WB0vwF

Page 16: Phishing

• Shortened URLs?
• Use www.getlinkinfo.com to expand the short link and see the real destination without opening it.

Result for the shortened link above:

http://www.budaisoszoba.hu/wp-content/languages/HU/WOWEXodObATuXIC/ifeamaka1_tman-outluk22222222222222222.html
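The three checks the last slides walk through by hand (is the link shortened, does the visible text match where the link really goes, does the link even belong to the sender it claims to be from) can be automated over the HTML body of a message. The script below is an added example, not a tool from the presentation; the list of shortener hosts, the claimed sender domain and the sample message are assumptions constructed for it. It runs offline and never fetches the links, which is the whole point: you want to know where a link goes before anything follows it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example. Shortener list is an assumption; extend it for your environment.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Something that looks like a hostname in the visible link text, with or
# without a scheme, e.g. "https://login.example.com" or "login.example.com".
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for this demo; a production
    tool should use the Public Suffix List (co.uk and similar break this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_links(html: str, claimed_sender_domain: str):
    """Return (finding, href, visible_text) for each link the 'hover' check
    would flag. Findings are exclusive per link, most specific first."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registered_domain(urlsplit(href).hostname or "")
        shown = HOSTLIKE.search(text)
        if target in SHORTENERS:
            findings.append(("shortener", href, text))          # "Microsoft doesn't need Bitly"
        elif shown and registered_domain(shown.group(1)) != target:
            findings.append(("display-mismatch", href, text))   # text says one site, href another
        elif target != claimed_sender_domain.lower():
            findings.append(("sender-mismatch", href, text))    # link leaves the claimed brand
    return findings


# Constructed sample message claiming to come from Microsoft.
SAMPLE_EMAIL = """
<p>Your Microsoft account will be suspended in 24 hours.
   <a href="http://bit.ly/3xamplE">Verify your account now</a></p>
<p>Or sign in at <a href="http://login.microsoft-support.example/verify">
   https://login.microsoftonline.com</a></p>
<p>Unsubscribe: <a href="http://mailer.notmicrosoft.example/u/123">click here</a></p>
<p>Help: <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
"""

if __name__ == "__main__":
    for finding, href, text in check_links(SAMPLE_EMAIL, "microsoft.com"):
        print(f"{finding:17} {href}  (shown as: {text!r})")
```

Only the last link in the sample survives; the first three trip, in order, the shortener check, the display/href mismatch that hovering reveals, and the off-brand sender check. On a phone, where hovering is not possible, the same logic can be applied by pasting the message source into this script or the link into a service such as the one named on the slide.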

Page 17: Phishing

• Work Attacks

Page 18: Spear-Phishing

• Targeted Attacks

Page 19: Spear-Phishing & Watering Hole

• Targeted Attacks

Page 20: Oops, you clicked. Now what?

• Backdoor

Page 21: Is it really this easy?

• Backdoor
  ▫ WinSpy

Page 22: Phishing – What can you do?

• It starts with educating all employees
• Conduct training sessions
• Execute phishing exercises
  ▫ Start with obvious-looking phishing emails
  ▫ Work up to more sophisticated emails

Continuous education is key.

Page 23: Phishing – What can you do?

• After employees are trained, focus on technology
  ▫ Edge devices (UTMs, enhanced DNS that filters known-bad domains)
  ▫ Anti-virus updates
  ▫ Patching desktops

Page 24: WISP

Massachusetts Written Information Security Program, required by the State (201 CMR 17.00). It applies to any business that owns or licenses personal information about a Massachusetts resident, not only to businesses located in Massachusetts.

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

One of the first and most strict in the US.

“create effective administrative, technical and physical safeguards for the protection of personal information of residents of the Commonwealth of Massachusetts”

“procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information of residents of the Commonwealth of Massachusetts.”

Page 25: WISP

201 CMR 17.00 Compliance Checklist
http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf

Page 26: WISP

Requirement: “Regular monitoring to ensure that the WISP operates effectively to protect both paper and electronic records, to detect any unauthorized use of or access to personal information, and to identify any areas where upgraded safeguards are needed.”
What we see: ineffective preventative controls, and almost no monitoring/detective controls.

Requirement: “Review of the WISP's scope at least annually, and whenever there is a material change in business practices that may reasonably implicate the protection of personal information.”
What we see: about 40% of companies lack a WISP. Most companies cannot produce evidence of an annual review.

Page 27: WISP – What can you do?

• Ensure you have a WISP
• Validate it is up to date and reflects any significant changes in personnel, process, or technology
• Test against the areas defined within the document

Page 28: Patching

Phishing payloads (links and attachments) rely on unpatched software vulnerabilities to run.

Top 10 internal vulnerabilities as of July 2015 (first 8 shown):

1. Oracle Java SE
2. Microsoft XML Parser
3. Obsolete SNMP version
4. Microsoft, various (3)
5. Oracle Java SE/JRE/JDK
6. Adobe Flash
7. Microsoft Windows Shell
8. Microsoft Windows Journal

https://www.qualys.com/research/top10/

Page 29: Patching

Still the top 3:

• Oracle Java – not updated by Windows Update
• Microsoft OS patches
• Adobe (Flash/Reader) – not updated by Windows Update

Why? Law of large numbers: “stable, long-term results”. These products are installed almost everywhere, so a flaw in any one of them is present on almost every network.

Law of large numbers. Encyclopedia of Mathematics. URL: http://www.encyclopediaofmath.org/index.php?title=Law_of_large_numbers&oldid=26552

Page 30: Patching

• Starting to see Mac OS X exploits
  ▫ Still far fewer than Windows
  ▫ Still requires AV/patching
• Are you managing iOS/Android?
  ▫ Paranoid? Only allow iOS on your network
  ▫ Deploy Mobile Device Management (MDM)

Page 31: Patching – What can you do?

• Validate patching is up to date
  ▫ Manual spot checks
  ▫ Automated tools (examples): Shavlik, WSUS, SolarWinds, ManageEngine, LogMeIn, Dell (KACE)
• Ensure patching tools cover third-party software in addition to Microsoft

Page 32: DMS

• There is a misconception that the DMS provider is “watching” all the computers on the network.
• We see the DMS provider patching and maintaining only those PCs that connect to the DMS.
• This leaves many computers, printers, WiFi, and other devices exposed and vulnerable.

This is a HUGE gap!

Page 33: DMS

Page 34: DMS – What can you do?

• Identify DMS-managed and non-DMS-managed equipment
• Validate the DMS patches are working
• Implement patching for the non-DMS equipment (see Patching above)
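The “validate patching is up to date” step on Page 31 and the three DMS steps above are the same exercise: take everything that is actually on the network, mark what the DMS vendor says it manages, and look at when each device was last patched. The script below is an added example of that gap analysis, not a tool from the presentation or from any DMS vendor. The inventory rows (as you might export them from DHCP leases or a network scan), the DMS-managed host list, the field names and the 30-day staleness threshold are all constructed or assumed for the example.

```python
from datetime import date

# Added example. Constructed inventory: every device seen on the dealership
# network, with the date each was last patched (None = never / unknown).
NETWORK_INVENTORY = [
    {"host": "fi-desk-01",    "type": "pc",           "last_patched": date(2015, 7, 1)},
    {"host": "sales-pc-07",   "type": "pc",           "last_patched": date(2015, 3, 12)},
    {"host": "svc-laptop-02", "type": "pc",           "last_patched": None},
    {"host": "print-parts",   "type": "printer",      "last_patched": date(2014, 11, 2)},
    {"host": "wifi-showroom", "type": "access_point", "last_patched": date(2013, 6, 30)},
]
# Assumed: the set of hosts the DMS provider reports as managed by them.
DMS_MANAGED = {"fi-desk-01", "sales-pc-07"}


def patch_gaps(inventory, dms_managed, today, max_age_days=30):
    """One finding per device that is either not managed by the DMS at all, or
    is DMS-managed but has not been patched within max_age_days (i.e. the
    DMS patching is not actually working for it)."""
    findings = []
    for dev in inventory:
        owner = "DMS" if dev["host"] in dms_managed else "UNMANAGED"
        last = dev["last_patched"]
        age = None if last is None else (today - last).days
        stale = age is None or age > max_age_days
        if owner == "UNMANAGED" or stale:
            findings.append({"host": dev["host"], "type": dev["type"],
                             "owner": owner, "age_days": age, "stale": stale})
    return findings


def summarize(findings):
    """How much of the gap is 'nobody owns it' versus 'the DMS owns it but it is stale'."""
    counts = {"DMS": 0, "UNMANAGED": 0}
    for f in findings:
        counts[f["owner"]] += 1
    return counts


if __name__ == "__main__":
    gaps = patch_gaps(NETWORK_INVENTORY, DMS_MANAGED, today=date(2015, 7, 15))
    for g in gaps:
        age = "never" if g["age_days"] is None else f"{g['age_days']} days"
        print(f"{g['host']:14} {g['type']:13} owner={g['owner']:9} last patched: {age}")
    print("gap by owner:", summarize(gaps))
```

With the sample data, `fi-desk-01` is the only device that is both DMS-managed and current. `sales-pc-07` is DMS-managed but 125 days behind, which is the “validate the DMS patches are working” finding; the laptop, the printer and the access point are simply unmanaged and fall to the dealership’s own tooling from Page 31.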

Page 35: The Team

Page 36: Staff

Michael Hammond – IT Audit & Security Director, with the firm since October 2012.

• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (C|EH)
• Michael is a member of the financial services InfraGard association, a joint partnership between the FBI and the private sector.
• Michael is a veteran of the United States Air Force

https://www.linkedin.com/in/michaelwhammond

Page 37: Staff

Nick DeLena – Senior IT Audit Manager

Nick is the lead senior IT audit manager at O’Connor & Drew. He works in concert with internal senior management to scope and budget engagements. He provides oversight and training to existing staff. Nick’s prior engagements include SOX compliance, SAS 70, and FFIEC compliance. In addition to Nick’s audit and advisory experience, he also has 12 years in various IT operations and analyst positions.

Certifications and designations:

• Executive Master of Business Administration (MBA)
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• CompTIA Security+
• ITIL v3 Foundations Certification (ITILv3F)
• Nick is a member of the science and technology InfraGard association, a joint partnership between the FBI and the private sector.

https://www.linkedin.com/in/nickdelena