
Copyright © 2015 K2 Enterprises, LLC. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited. SECURITY UPDATE

Upload: lucas-mclaughlin

Post on 11-Jan-2016


TRANSCRIPT

Page 1

SECURITY UPDATE

Page 2

Learning Objectives

• List and describe key security threats
• Identify security issues and solutions for mobile devices
• Recognize security issues associated with cloud computing
• List key security software that is needed in addition to antivirus software

Page 3

BIGGEST SECURITY THREATS

Page 4

Biggest Security Threats

• Targeted attacks
• Facebook and other social networking sites
• Infected PDF files
• Fake antivirus software on the rise
• Apple products see increase in viruses
• More sophisticated web-attack toolkits will increase the number of attacks
• Mobile device security
• Attacks on cloud-based services are inevitable

Page 5

Internet Security Threat Report

• Key Findings
  – 91% increase in targeted attack campaigns
  – 62% increase in the number of breaches
  – Over 552M identities were exposed via breaches
  – 23 zero-day vulnerabilities discovered
  – 38% of mobile users have experienced mobile cybercrime in the past 12 months
  – Spam volume dropped to 66% of all email traffic
  – 1 in 392 emails contain phishing attacks
  – Web-based attacks are up 23%
  – 1 in 8 legitimate websites have a critical vulnerability

Symantec ISTR 2014

Page 6

Targeted Attacks

• Dramatically increased in 2011-2013
• Use customized malware and refined social engineering methods to gain unauthorized access to sensitive info/data or alter/shutdown industrial processes
• Latest attack against IE (all versions) – Homeland Security warnings – attack looking for information from current and former military

Symantec Internet Security Threat Report

Page 7

Targeted Email Attacks

• Symantec documented attacks on 29 companies in the chemical sector
  – Targeted emails that appeared to be meeting invitations from suppliers contained a Trojan
  – Their intent was to steal valuable intellectual
• 2/3 of the attacks focus on a single or very limited number of companies in an industry
• Most attacks use 2 or more exploits
• 42% of mailboxes attacked are executives, senior managers, or in R&D

Symantec Internet Security Threat Report

Page 8

Social Networking Issues

• Attackers use social networking services to
  – spread malicious code
  – compromise users' computers
  – access personal information about a user's identity, location, contact information, and personal or professional relationships
• Users may also reveal business information to unauthorized individuals

Page 9

Social Networking Threats

• Viruses – Embedded in a web site or a third party application shared through social networking

• Tools – Attackers may use tools to take control of a user's account and gain access to all their private info and all the private info shared by friends

• Social Engineering Attacks – Attackers become "friends" and convince users to share information that they will later regret sharing

Page 10

Social Networking Risks

• Business Data – Don't disclose information about customers, intellectual property, human resource issues, mergers and acquisitions, or other company activities
  – May result in liability or bad publicity
  – Or reveal information that is useful to competitors

• Professional Reputation – Don't post offensive or objectionable comments or photos
  – May reduce your credibility
  – Hurt your professional reputation
  – Or cost you your job

Page 11

Social Networking Risks

• Personal Relationships – 32% of people who post on a social networking site regret they shared personal information so openly

• Personal Safety – Don't let the crooks know when you are going on vacation

Page 12

Infected PDF Files

• PDFs continue to be one of the most dangerous file formats available and are a prime method for e-mail based attacks

• Adobe Reader X-XI has an updated security architecture that was designed to better protect against malicious PDF attacks

Page 13

Infected PDF Files

• Symantec reported a zero-day exploit using PDFs on 12/7/2011

• Message sent to government contractors

• PDF attachment claimed to be FY2012 Contract Guide

• Opening the document installs malicious code

Targeted Email Attacks

Page 14

Infected PDF Files

Targeted Email Attacks

Microsoft Security Intelligence Report, vol. 12, published April 2012

Page 15

Fake Antivirus On The Rise

• In a recent report, global computer security company (Sophos) analyzed more than 850,000 instances of fake antivirus in just 8 months

• Also known as "scareware," fake antivirus software claims you have a virus and you need the "full" version to remove it for a one-time fee
  – Then they capture your credit card info

• MacDefender, a fake anti-virus application for Mac OS X, is a Trojan

Page 16

Viruses Attack Apple OS X

• Viruses and malware that attack Apple OS X are on the rise

• "Flashback," a Java-based exploit, infected over half a million Macs by April 2012

• Security update to OS X Lion was shipped in February 2012 with the debugging switch left on, leaving user passwords exposed

• Most security experts expect threats against Apple systems to become more pronounced in the future

Page 17

Viruses Attack Apple OS X

• Apple systems are not immune to viruses and other malware

• Exploitable security holes are routinely uncovered in Apple software

• Apple continually releases security patches for the operating system and applications

Page 18

Web-Attack Toolkits

• Toolkits are becoming more sophisticated

• User interfaces take on the look and feel of commercial software

• This makes it easier for "amateurs" to hack web sites

Page 19

Web-Attack Toolkits

So Easy A Caveman Can Do It!

Page 20

MOBILE DEVICE SECURITY

Page 21

Mobile Device Security Issues

• More than phones – they are handheld computers with similar vulnerabilities as ordinary PCs

• Mobile devices have become repositories for sensitive information

• Bank and other financial transactions are commonplace

• General need for security and for malware protection

Page 22

Mobile Threats Increase

• Android is the biggest target
  – No central control over content
  – No single app store

• Most malware is designed to send "premium" SMS messages to monetize investment

• Over 80 percent of smartphones are unprotected from malware and attacks

Page 23

Mobile Malware

From Cottage Industry To Developed Market

Page 24

iPhone Viruses

• Very few iPhone viruses have been reported
• The "ikee" virus is the best known iPhone virus to date, but it only affects jailbroken phones
• Kaspersky reports that most Smartphones are not secure from viruses, with one exception – the iPhone

Page 25

Risk And Control Measures For Smartdevices

• Smartphones, whether company-owned or employee-owned, should have proper security measures in place if data or access to data is available via their use
• These measures include passwords, screen locks, anti-virus/anti-malware software, and strong protocols for accessing remote sites or data
• Third-party mobile device management software keeps most of the data on the remote server
  – AirWatch, Symantec Mobile Device Management Suite, XenMobile, MobileIron, and www.good.com

Page 26

Mobile Device Management (MDM)

• Tools to remotely enforce security policies
  – Require strong passwords
  – Require automatic lock after inactive time
  – Remote wipe capabilities
  – Enforce local data encryption

• Multi-platform reporting and inventory tools
  – Detailed visibility of who has what
  – Remote troubleshooting for help desks
  – Remote application inventory and data search
  – Backup and recovery

Page 27

Managing Multiple Devices

• Numerous on-premise, appliance, and SaaS based solutions for securing and managing mobile devices are available

Page 28

Gartner Mobile Management

Magic Quadrant

Page 29

Data On Mobile Devices

• Most smartphones have the ability to encrypt the hard drive contents simply by changing a setting
  – iPhone – hardware based encryption is enabled by default and cannot be disabled by the user
  – BlackBerry – enable "Content Protection"
  – Android – varies by manufacturer, check your device

• iPhone, Android, and many other Smartphones can be "wiped" remotely
  – Android www.lookout.com
  – iPhone www.icloud.com (Find my iPhone app)

Page 30

Turning On The PIN Feature

• Smartphones usually contain confidential data
• Setting a sign-on PIN or password is a basic first step in securing these devices

Page 31

CLOUD SECURITY ISSUES

Page 32

Cloud Security Issues

• Breaches of confidential information
• Inappropriate use of a business's confidential data by cloud provider
• Data interception during transmission
• Legal issues for data stored on servers physically located outside the United States
• Data recovery in the event a cloud provider folds

Page 33

Security Breaches

• Breach notification is required in 46 states
• Long-arm statutes may subject you to the laws of other states
• Notifications are expensive
  – Most companies notify victims of a breach within one month
  – Average cost to clear up breach is approximately $200 per record
• When a breach occurs, contact an attorney

Page 34

Security Breaches

• 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents

• The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record, which was 2011

• Report issued February 2014

Risk Based Security Report

Page 35

Three Privacy And Security Concerns

Unauthorized external access to sensitive data
• Keeping the hackers out

Unauthorized internal access to sensitive data
• Majority of information theft is by insiders

Safe transfer of sensitive data when requested
• Email is definitely not the right answer for regular communication of sensitive information

Page 36

Key Tools to Combat Cyber Crime

• Firewalls with intrusion protection services
• Anti-malware on all computers
• Internal control procedures
• Mobile device management
• Training
• Encryption

Page 37

PC SECURITY SOFTWARE

Page 38

PC Security Software

• Security suites vs. standalone antivirus
• Encryption tools
• Password management tools
• Automated remote backup
• Personal digital IDs
• Portals
• Above all, training!

Page 39

Suites Vs. Standalone Antivirus

• Security suites are a bundle of security programs including some or all of the following
  – Antivirus
  – Password Management Software
  – Antispyware
  – Firewall
  – Anti-phishing
  – Parental Controls
  – Network Mapping and Monitoring
  – Identity Protection

• Windows 8.n includes embedded AV and Malware detection
  – You decide if that is enough

• IT will most likely insist on Endpoint solutions as well as network wide protection of servers and user workstations

Page 40

Using Passwords For Authentication

• Passwords are the most common method of authentication

• Many people keep their passwords in their head
• This promotes the use of weak passwords that are often highly susceptible to brute force attacks

• Memorized passwords have to be keyed, increasing the risk of compromise by key loggers and other malware

Page 41

Strong Passwords Guidelines

• Passwords used to access sensitive information should
  – Contain both upper and lower case characters
  – Have digits and punctuation characters as well as letters
  – Be at least twelve alphanumeric characters long
  – Not be a word in any language, slang, dialect, jargon, etc.
  – Not be based on personal information, family names, etc.
  – Never be written down
  – Be changed regularly
  – Never be recycled or used for multiple assets that require strong passwords
• Not all assets require strong passwords
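As an added example (not part of the K2 slides), the guidelines above turned into a Python check that reports every rule a candidate password breaks. The word list, personal details, previously used password hashes and the 90-day maximum age are constructed for the demo; a real deployment would use a full dictionary and the organisation's own policy values.

```python
import hashlib
import string

# Constructed sample data (not from the slides): a tiny word list, the user's
# personal details and SHA-256 hashes of passwords already used on other assets
# (stored hashed so the checker never holds old passwords in clear).
COMMON_WORDS = {"password", "welcome", "letmein", "accountant", "taxes"}
PERSONAL_INFO = {"lucas", "mclaughlin", "fido", "1984"}
PREVIOUS_HASHES = {hashlib.sha256(b"Tr0ub4dor&3-2014").hexdigest()}
MAX_AGE_DAYS = 90   # assumed policy value behind "changed regularly"
MIN_LENGTH = 12     # from the slide: at least twelve characters


def check_password(pw, age_days=0, personal_info=PERSONAL_INFO,
                   dictionary=COMMON_WORDS, previous_hashes=PREVIOUS_HASHES):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs at least one punctuation character")
    # "Not be a word": strip digits and punctuation first, so that a dictionary
    # word dressed up as Password123! is still caught.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in dictionary:
        problems.append("is a dictionary word with decoration")
    lowered = pw.lower()
    for item in sorted(personal_info):
        if item.lower() in lowered:
            problems.append("based on personal information (%s)" % item)
    # "Never be recycled": compare the hash against hashes of earlier passwords.
    if hashlib.sha256(pw.encode()).hexdigest() in previous_hashes:
        problems.append("recycled from another asset")
    if age_days > MAX_AGE_DAYS:
        problems.append("older than %d days, change it" % MAX_AGE_DAYS)
    return problems


if __name__ == "__main__":
    for candidate in ["Password123!", "fido", "Tr0ub4dor&3-2014", "Q7#vLm9!pR2$wX4k"]:
        print(candidate, "->", check_password(candidate) or "OK")
```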

Page 42

Password Managers

• LastPass 3.0 (free)/LastPass Premium ($12/yr.)
• RoboForm Everywhere 7/Desktop 7
• Dashlane
• Keeper 5.0
• MyLOK Personal
• Norton Identity Safe (free)
• PasswordBox
• KeePass (free)

Page 43

Password Management

• RoboForm
  – Saves passwords, identities, and credit card information
  – Generates secure passwords
  – Need to remember only the master password
  – Fills forms with a single click
  – Watch video

Page 44

Password Management ROI

Page 45

Using Security Tokens

• Tokens can be hardware or software installed on a mobile device or a PC

• Tokens generate a unique authentication code that changes every 60 seconds

• The authentication codes are used in conjunction with a username and PIN
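To show what the slide's token check looks like on the verifying side, here is an added Python example (not from the K2 slides). It generates RFC 6238-style time-based codes with the slide's 60-second step and verifies a login as username + PIN + code, accepting one step of clock drift; the seed, user record and PIN are constructed, and commercial hardware tokens may use their own proprietary algorithm instead.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # from the slide: the code changes every 60 seconds
DIGITS = 6          # assumed code length

# Constructed demo seed (base32) and user record; a real seed is provisioned
# per token and the PIN is stored only as a hash, never in clear.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
USERS = {
    "lucas": {"seed": DEMO_SECRET_B32,
              "pin_sha256": hashlib.sha256(b"4821").hexdigest()},
}


def token_code(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Time-based code as in RFC 6238: HMAC-SHA1 over the time-step counter,
    dynamically truncated to the requested number of decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))


def verify_login(username, pin, code, now=None, window=1):
    """Two factors: the PIN (something you know) and the token code (something
    you have). Codes from `window` steps either side of now are accepted so a
    slightly drifted token clock does not lock the user out."""
    user = USERS.get(username)
    if user is None:
        return False
    now = time.time() if now is None else now
    # Compare in constant time and evaluate both factors unconditionally so the
    # response time does not reveal which factor was wrong.
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(),
                                 user["pin_sha256"])
    code_ok = False
    for delta in range(-window, window + 1):
        expected = token_code(user["seed"], now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            code_ok = True
    return pin_ok and code_ok


if __name__ == "__main__":
    current = token_code(DEMO_SECRET_B32, time.time())
    print("current code:", current)
    print("login ok:", verify_login("lucas", "4821", current))
```

The tests against the RFC 6238 reference vectors (seed `12345678901234567890`, 30-second step, 8 digits) confirm the generator itself; the page's 60-second step only changes how often the counter advances.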

Page 46

Automated Remote Backup

• Inexpensive, reliable, easy to set up and use
• Provides continuous, encrypted backup to the Cloud with file versioning
• Backup provides protection against damage caused by a hacker or virus

Page 47

Patch Management

• Windows Update only updates Microsoft operating systems and applications

• For all other applications, users need patch management tools

NetChk

Page 48

Why Encrypt Data?

• To fulfill legal and fiduciary obligations
• To protect data on lost or stolen laptops, flash drives, hand held devices, etc.
• To protect data from hackers
• To protect data from viruses, worms, and trojans
• Most breach notification laws exempt encrypted data from notification requirements

Page 49

Cryptography Basics

• Encryption is the process of converting ordinary information (plain text) into unintelligible gibberish
• Strong encryption cannot be broken
• 128-bit AES encryption is the US government standard
• 256-bit AES is used for military secrets

Page 50

Whole Disk Vs. Volume

• No perceivable performance difference
• Volume encryption requires active participation by end user
  – Wastes time
  – Increases the risk that something is not protected because of user error
• Whole disk encryption
  – Entire hard disk is protected
  – If you lose the key, all is lost

Page 51

Whole Disk Encryption Solutions

• BitLocker – www.microsoft.com (video)
• TrueCrypt (free, www.truecrypt.org, Windows, OS X, and Linux)
• PGP Whole Disk Encryption (contact publisher for pricing, www.pgp.com, Windows, OS X, and Linux)
• Kruptos – Windows like version of TrueCrypt
• Beachhead Solutions – www.beachhead.com
• McAfee Endpoint Encryption (contact publisher for pricing, www.mcafee.com, Windows and Windows Mobile)
• Many other very good products

Page 52

Personal Digital IDs

• Provide login authentication
• Authorize transactions
• Encrypt e-mail to others with digital IDs without having to communicate or share passwords
• Digitally sign contracts, and other agreements
  – Prevents signed documents from being altered
  – Verifies that the person who purportedly signed the document actually did so

Page 53

Personal Digital IDs

A Digital ID consists of a pair of matched keys.

Public Key = Distributed to everyone

Private Key = Never revealed

To send an encrypted message or file using Public/Private Key encryption, the sender must possess the Public Key of the intended recipient. To verify the signature of the sender, the recipient must possess the Public Key of the sender. This requires the sender and recipient to exchange Public Keys.

NO PASSWORDS!

Page 54

Personal Digital IDs

Page 55

CPA Firm Portals And Security

• Portals provide a more secure way to
  – Transfer tax documents to clients
  – Gather tax organizer information
  – Provide payroll services to clients
  – Store and exchange working documents with clients

Page 56

Features Of Portals

• Online access to past tax returns – clients can access their prior year tax returns without having to bother the CPA

• Secure file transfer – staff can provide files to clients securely and clients can transmit files to the firm securely

• Provide clients safe online storage
  – Gives clients a secure place to store important documents

Page 57

Features Of Portals

• Online tax organizer – lets clients enter and organize their tax data with this easy-to-use online system, helping you prepare their returns faster and easier

• Provide online accounting – some portal services integrate with online accounting systems

• Online payroll – some accounting portals integrate with online payroll systems

• Pricing depends on the functionality provided and the number of users

Page 58

• Currently the most cost effective, secure method of communicating confidential information with customers and clients

• Huge time savings along with much better quality of service

• No servers to buy, no software to load, no capital investment, up and running in hours for much less than you would think

Page 59

ShareFile Portal For CPA Firms

Page 60

CPA Firm Portals

• ShareFile – http://www.sharefile.com
• Thomson Reuters – NetClient CS – http://cs.thomsonreuters.com/portals
• CCH ProSystem fx Portal – http://tax.cchgroup.com/portal
• Sage AssuredSend/LeapFile – http://www.sagesend.com
• Website Relief by AccountantsWorld – http://bit.ly/WSRELF

Page 61

User Training

• The weakest links in any security regime are the users themselves

• Training is the most important element in implementing effective security

• Basic training, internal newsletters, login reminders, staff meetings – anything that raises awareness is effective

Page 62

Conclusions

• Social networking tools and mobile devices pose significant new security threats
  – Businesses should address these issues before it is too late
• While there are new security concerns with Cloud solution providers, working in the Cloud has the potential to significantly improve security
• Traditional defenses, like antivirus software and firewalls, are essential

Page 63

Questions?