TRANSCRIPT
Copyright © 2015 K2 Enterprises, LLC. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.
SECURITY UPDATE
Learning Objectives
• List and describe key security threats
• Identify security issues and solutions for mobile devices
• Recognize security issues associated with cloud computing
• List key security software that is needed in addition to antivirus software
BIGGEST SECURITY THREATS
Biggest Security Threats
• Targeted attacks
• Facebook and other social networking sites
• Infected PDF files
• Fake antivirus software on the rise
• Apple products see increase in viruses
• More sophisticated web-attack toolkits will increase the number of attacks
• Mobile device security
• Attacks on cloud-based services are inevitable
Internet Security Threat Report
• Key Findings
– 91% increase in targeted attack campaigns
– 62% increase in the number of breaches
– Over 552M identities were exposed via breaches
– 23 zero-day vulnerabilities discovered
– 38% of mobile users have experienced mobile cybercrime in past 12 months
– Spam volume dropped to 66% of all email traffic
– 1 in 392 emails contain phishing attacks
– Web-based attacks are up 23%
– 1 in 8 legitimate websites have a critical vulnerability
Symantec ISTR 2014
Targeted Attacks
• Dramatically increased in 2011-2013
• Use customized malware and refined social engineering methods to gain unauthorized access to sensitive info/data or alter/shut down industrial processes
• Latest attack against IE (all versions) – Homeland Security warnings – attack looking for information from current and former military
Symantec Internet Security Threat Report
Targeted Email Attacks
• Symantec documented attacks on 29 companies in the chemical sector
– Targeted emails that appeared to be meeting invitations from suppliers contained a Trojan
– Their intent was to steal valuable intellectual
• 2/3 of the attacks focus on a single or very limited number of companies in an industry
• Most attacks use 2 or more exploits
• 42% of mailboxes attacked are executives, senior managers, or in R&D
Symantec Internet Security Threat Report
Social Networking Issues
• Attackers use social networking services to
– spread malicious code
– compromise users' computers
– access personal information about a user's identity, location, contact information, and personal or professional relationships
• Users may also reveal business information to unauthorized individuals
Social Networking Threats
• Viruses – Embedded in a web site or a third party application shared through social networking
• Tools – Attackers may use tools to take control of a user's account and gain access to all their private info and all the private info shared by friends
• Social Engineering Attacks – Attackers become "friends" and convince users to share information that they will later regret sharing
Social Networking Risks
• Business Data – Don't disclose information about customers, intellectual property, human resource issues, mergers and acquisitions, or other company activities
– May result in liability or bad publicity
– Or reveal information that is useful to competitors
• Professional Reputation – Don't post offensive or objectionable comments or photos
– May reduce your credibility
– Hurt your professional reputation
– Or cost your job
Social Networking Risks
• Personal Relationships – 32% of people who post on a social networking site regret they shared personal information so openly
• Personal Safety – Don't let the crooks know when you are going on vacation
Infected PDF Files
• PDFs continue to be one of the most dangerous file formats available and are a prime method for e-mail based attacks
• Adobe Reader X-XI has an updated security architecture that was designed to better protect against malicious PDF attacks
Infected PDF Files
• Symantec reported a zero-day exploit using PDFs on 12/7/2011
• Message sent to government contractors
• PDF attachment claimed to be FY2012 Contract Guide
• Opening the document installs malicious code
Targeted Email Attacks
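The slides describe the attack from the victim's side (a lure attachment that acts as soon as it is opened). As an added, defender-side illustration that is not part of the K2 material, the script below does the kind of static triage a mail gateway or help desk can run on an attachment before anyone opens it: it looks for the PDF name objects that make a document act on its own (/OpenAction, /AA, /JavaScript, /Launch, embedded files) and, because those are routinely hidden inside compressed streams, it inflates FlateDecode streams before matching. The three sample files, the risk weights and the quarantine threshold are constructed for the example; the "malicious" sample's only payload is a harmless app.alert.

```python
import re
import zlib

# PDF name objects that make a document act on its own when opened.
# Weights are illustrative, not an industry scale.
RISK_WEIGHTS = {
    "/JavaScript": 3,
    "/JS": 3,
    "/OpenAction": 2,   # runs an action as soon as the file is opened
    "/AA": 2,           # "additional actions" triggered by page or form events
    "/Launch": 4,       # asks the viewer to start an external program
    "/EmbeddedFile": 2,
    "/RichMedia": 2,
}
QUARANTINE_SCORE = 5   # assumed threshold for this example

# A name must not be followed by another letter, so "/JS" does not match "/JSX".
def _name_re(name: str) -> re.Pattern:
    return re.compile(re.escape(name.encode()) + rb"(?![A-Za-z])")

# Raw stream bodies; the lookbehind stops "endstream" matching as a stream start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream so hidden names become visible."""
    bodies = []
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a clipped trailer; non-deflate streams raise and are skipped
            bodies.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(bodies)

def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Return the risky names found, a weighted score and a verdict."""
    if not data.startswith(b"%PDF"):
        return {"valid": False, "hits": {}, "score": 0, "verdict": "not a PDF"}
    text = inflate_streams(data) if inflate else data
    counts = {name: len(_name_re(name).findall(text)) for name in RISK_WEIGHTS}
    hits = {name: count for name, count in counts.items() if count}
    score = sum(RISK_WEIGHTS[name] * count for name, count in hits.items())
    verdict = "quarantine" if score >= QUARANTINE_SCORE else ("review" if score else "clean")
    return {"valid": True, "hits": hits, "score": score, "verdict": verdict}

# --- Constructed samples (no real malware; the "payload" is just app.alert) ---
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

AUTORUN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The same action object, hidden inside a compressed stream.
_HIDDEN = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>\n" + b"% filler\n" * 20)
COMPRESSED_PDF = (b"%PDF-1.4\n5 0 obj << /Length " + str(len(_HIDDEN)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + _HIDDEN
                  + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_PDF), ("autorun", AUTORUN_PDF), ("compressed", COMPRESSED_PDF)]:
        print(label, scan_pdf(sample))
```

Scanning the compressed sample with inflate=False scores zero, which is exactly why a keyword filter that does not decompress streams gives false comfort; a score above the threshold is a reason to hold the attachment and open it only in a sandbox or an updated reader, as the next slide recommends.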
Infected PDF Files – Targeted Email Attacks
Microsoft Security Intelligence Report, vol. 12, published April 2012
Fake Antivirus On The Rise
• In a recent report, global computer security company (Sophos) analyzed more than 850,000 instances of fake antivirus in just 8 months
• Also known as "scareware," fake antivirus software claims you have a virus and you need the "full" version to remove it for a one-time fee
– Then they capture your credit card info
• MacDefender, a fake anti-virus application for Mac OS X, is a Trojan
Viruses Attack Apple OS X
• Viruses and malware that attack Apple OS X are on the rise
• "Flashback," a Java-based exploit, infected over half a million Macs by April 2012
• Security update to OS X Lion was shipped in February 2012 with the debugging switch left on, leaving user passwords exposed
• Most security experts expect threats against Apple systems to become more pronounced in the future
Viruses Attack Apple OS X
• Apple systems are not immune to viruses and other malware
• Exploitable security holes are routinely uncovered in Apple software
• Apple continually releases security patches for the operating system and applications
Web-Attack Toolkits
• Toolkits are becoming more sophisticated
• User interfaces take on the look and feel of commercial software
• This makes it easier for "amateurs" to hack web sites
Web-Attack Toolkits – So Easy A Caveman Can Do It!
MOBILE DEVICE SECURITY
Mobile Device Security Issues
• More than phones – they are handheld computers with similar vulnerabilities as ordinary PCs
• Mobile devices have become repositories for sensitive information
• Bank and other financial transactions are commonplace
• General need for security and for malware protection
Mobile Threats Increase
• Android is the biggest target
– No central control over content
– No single app store
• Most malware is designed to send "premium" SMS messages to monetize investment
• Over 80 percent of smartphones are unprotected from malware and attacks
Mobile Malware – From Cottage Industry To Developed Market
iPhone Viruses
• Very few iPhone viruses have been reported
• The "ikee" virus is the best known iPhone virus to date, but it only affects jailbroken phones
• Kaspersky reports that most Smartphones are not secure from viruses, with one exception – the iPhone
Risk And Control Measures For Smartdevices
• Smartphones, whether company-owned or employee-owned, should have proper security measures in place if data or access to data is available via their use
• These measures include passwords, screen locks, anti-virus/anti-malware software, and strong protocols for accessing remote sites or data
• Third-party mobile device management software keeps most of the data on the remote server
– AirWatch, Symantec Mobile Device Management Suite, XenMobile, MobileIron, and www.good.com
Mobile Device Management (MDM)
• Tools to remotely enforce security policies
– Require strong passwords
– Require automatic lock after inactive time
– Remote wipe capabilities
– Enforce local data encryption
• Multi-platform reporting and inventory tools
– Detailed visibility of who has what
– Remote troubleshooting for help desks
– Remote application inventory and data search
– Backup and recovery
Managing Multiple Devices
• Numerous on-premise, appliance, and SaaS based solutions for securing and managing mobile devices are available
Gartner Mobile Management Magic Quadrant
Data On Mobile Devices
• Most smartphones have the ability to encrypt the hard drive contents simply by changing a setting
– iPhone – hardware based encryption is enabled by default and cannot be disabled by the user
– BlackBerry – enable "Content Protection"
– Android – varies by manufacturer, check your device
• iPhone, Android, and many other Smartphones can be "wiped" remotely
– Android www.lookout.com
– iPhone www.icloud.com (Find my iPhone app)
Turning On The PIN Feature
• Smartphones usually contain confidential data
• Setting a sign-on PIN or password is a basic first step in securing these devices
CLOUD SECURITY ISSUES
Cloud Security Issues
• Breaches of confidential information
• Inappropriate use of a business's confidential data by cloud provider
• Data interception during transmission
• Legal issues for data stored on servers physically located outside the United States
• Data recovery in the event a cloud provider folds
Security Breaches
• Breach notification is required in 46 states
• Long-arm statutes may subject you to the laws of other states
• Notifications are expensive
– Most companies notify victims of a breach within one month
– Average cost to clear up breach is approximately $200 per record
• When a breach occurs, contact an attorney
Security Breaches
• 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents
• The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record, which was 2011
• Report issued February 2014
Risk Based Security Report
Three Privacy And Security Concerns
Unauthorized external access to sensitive data
• Keeping the hackers out
Unauthorized internal access to sensitive data
• Majority of information theft is by insiders
Safe transfer of sensitive data when requested
• Email is definitely not the right answer for regular communication of sensitive information
Key Tools to Combat Cyber Crime
• Firewalls with intrusion protection services
• Anti-malware on all computers
• Internal control procedures
• Mobile device management
• Training
• Encryption
PC SECURITY SOFTWARE
PC Security Software
• Security suites vs. standalone antivirus
• Encryption tools
• Password management tools
• Automated remote backup
• Personal digital IDs
• Portals
• Above all, training!
Suites Vs. Standalone Antivirus
• Security suites are a bundle of security programs including some or all of the following
– Antivirus
– Password Management Software
– Antispyware
– Firewall
– Anti-phishing
– Parental Controls
– Network Mapping and Monitoring
– Identity Protection
• Windows 8.n includes embedded AV and Malware detection
– You decide if that is enough
• IT will most likely insist on Endpoint solutions as well as network wide protection of servers and user workstations
Using Passwords For Authentication
• Passwords are the most common method of authentication
• Many people keep their passwords in their head
• This promotes the use of weak passwords that are often highly susceptible to brute force attacks
• Memorized passwords have to be keyed, increasing the risk of compromise by keyloggers and other malware
Strong Passwords Guidelines
• Passwords used to access sensitive information should
– Contain both upper and lower case characters
– Have digits and punctuation characters as well as letters
– Be at least twelve alphanumeric characters long
– Not be a word in any language, slang, dialect, jargon, etc.
– Not be based on personal information, family names, etc.
– Never be written down
– Be changed regularly
– Never be recycled or used for multiple assets that require strong passwords
• Not all assets require strong passwords
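The guidelines above are easy to state and hard to enforce by hand. The checker below is an added example, not something from the K2 slides, that turns the machine-checkable rules into code: minimum length, all four character classes, not a dictionary word even after the usual leetspeak substitutions, not based on personal information, and not reused from the user's password history. The word list, the personal-information tokens and the history hashes are constructed stand-ins for this example; "Never be written down" and "Be changed regularly" are process rules that a program cannot verify.

```python
import hashlib
import string

MIN_LENGTH = 12

# Constructed stand-ins: a real deployment loads a large wordlist (plus breach
# corpora) and keeps salted, slow hashes of each user's previous passwords.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "accounting", "payroll"}

# Common letter substitutions, so "P@ssw0rd" still compares as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

def normalize(password: str) -> str:
    """Undo leetspeak and drop non-letters: the 'core' a dictionary attack would try first."""
    return "".join(c for c in password.translate(LEET).lower() if c.isalpha())

def fingerprint(password: str) -> str:
    """Hash kept only for the history check (a production system would use a salted, slow hash)."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(password: str, personal_info=(), previous=()) -> list:
    """Return the list of guideline violations; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation character")
    core = normalize(password)
    for word in sorted(DICTIONARY):
        # exact match, or a longer word buried inside ("Welcome2Spring!!" -> "welcome")
        if core == word or (len(word) >= 6 and word in core):
            failures.append(f"based on dictionary word '{word}'")
    for item in personal_info:
        # name, family name, birth year, etc. supplied by the enrolment record
        if len(item) >= 3 and (item.lower() in password.lower() or item.lower() in core):
            failures.append(f"contains personal information '{item}'")
    if fingerprint(password) in previous:
        failures.append("reused from password history")
    return failures

def is_acceptable(password: str, personal_info=(), previous=()) -> bool:
    return not check_password(password, personal_info, previous)

if __name__ == "__main__":
    for candidate in ["Pa$$w0rd!", "Welcome2Spring!!", "Vx7#kQ9!mLp2wZ"]:
        print(candidate, check_password(candidate, personal_info=["Smith", "1978"]))
```

A password manager (next slides) removes the need for most of these rules to be enforced on humans at all, since generated passwords pass every check by construction; the checker is still useful at enrolment for the master password and for accounts that must be typed.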
Password Managers
• LastPass 3.0 (free)/LastPass Premium ($12/yr.)
• RoboForm Everywhere 7/Desktop 7
• Dashlane
• Keeper 5.0
• MyLOK Personal
• Norton Identity Safe (free)
• PasswordBox
• KeePass (free)
Password Management
• RoboForm
– Saves passwords, identities, and credit card information
– Generates secure passwords
– Need to remember only the master password
– Fills forms with a single click
– Watch video
Password Management ROI
Using Security Tokens
• Tokens can be hardware or software installed on a mobile device or a PC
• Tokens generate a unique authentication code that changes every 60 seconds
• The authentication codes are used in conjunction with a username and PIN
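As an added example that is not part of the slides, here is how such a token and the server side of a username + PIN + code login fit together, using the RFC 4226 HOTP / RFC 6238 TOTP construction that most software tokens implement. The 60-second rotation matches the slide. The user record, salt and PIN are constructed, and the token secret is the RFC 4226 test key, so the first assertions reproduce the codes published in that RFC. The replay check (a code is accepted at most once) and the one-step drift window are the design choices a practitioner would want and are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the slide's "changes every 60 seconds"
DIGITS = 6
DRIFT_STEPS = 1     # accept one step of clock skew either side

def hotp_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp_code(secret: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since the epoch."""
    return hotp_code(secret, timestamp // step, digits)

def pin_fingerprint(salt: bytes, pin: str) -> bytes:
    """Slow, salted hash so a stolen user table does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

# Constructed user record; the secret is the RFC 4226 test key, not a real one.
USERS = {
    "alice": {
        "secret": b"12345678901234567890",
        "pin_salt": b"constructed-salt",
        "pin_hash": pin_fingerprint(b"constructed-salt", "4321"),
        "last_counter": -1,   # highest counter already accepted (replay protection)
    }
}

def verify_login(username: str, pin: str, code: str, now: int = None):
    """Check username + PIN + token code. Returns (accepted, reason)."""
    if now is None:
        now = int(time.time())
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if not hmac.compare_digest(pin_fingerprint(user["pin_salt"], pin), user["pin_hash"]):
        return False, "bad PIN"
    counter = now // STEP_SECONDS
    for c in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
        if c <= user["last_counter"]:
            continue   # this step was already used: a captured code cannot be replayed
        if hmac.compare_digest(hotp_code(user["secret"], c), code):
            user["last_counter"] = c
            return True, "ok"
    return False, "bad or replayed code"

if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(USERS["alice"]["secret"], now)   # what the token would display
    print("token shows", code, "->", verify_login("alice", "4321", code, now))
```

The PIN and the code are checked with constant-time comparisons, the PIN is verified before any token work is done, and because the server remembers the last counter it accepted, a code captured by a keylogger is useless once the legitimate user has logged in with it, which is the property that makes tokens a stronger second factor than a memorized password alone.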
Automated Remote Backup
• Inexpensive, reliable, easy to set up and use
• Provides continuous, encrypted backup to the Cloud with file versioning
• Backup provides protection against damage caused by a hacker or virus
Patch Management
• Windows Update only updates Microsoft operating systems and applications
• For all other applications, users need patch management tools
NetChk
Why Encrypt Data?
• To fulfill legal and fiduciary obligations
• To protect data on lost or stolen laptops, flash drives, hand held devices, etc.
• To protect data from hackers
• To protect data from viruses, worms, and trojans
• Most breach notification laws exempt encrypted data from notification requirements
Cryptography Basics
• Encryption is the process of converting ordinary information (plain text) into unintelligible gibberish
• Strong encryption cannot be broken
• 128-bit AES encryption is the US government standard
• 256-bit AES is used for military secrets
Whole Disk Vs. Volume
• No perceivable performance difference
• Volume encryption requires active participation by end user
– Wastes time
– Increases the risk that something is not protected because of user error
• Whole disk encryption
– Entire hard disk is protected
– If you lose the key, all is lost
Whole Disk Encryption Solutions
• BitLocker – www.microsoft.com (video)
• TrueCrypt (free, www.truecrypt.org, Windows, OS X, and Linux)
• PGP Whole Disk Encryption (contact publisher for pricing, www.pgp.com, Windows, OS X, and Linux)
• Kruptos – Windows-like version of TrueCrypt
• Beachhead Solutions – www.beachhead.com
• McAfee Endpoint Encryption (contact publisher for pricing, www.mcafee.com, Windows and Windows Mobile)
• Many other very good products
Personal Digital IDs
• Provide login authentication
• Authorize transactions
• Encrypt e-mail to others with digital IDs without having to communicate or share passwords
• Digitally sign contracts, and other agreements
– Prevents signed documents from being altered
– Verifies that the person who purportedly signed the document actually did so
Personal Digital IDs
A Digital ID consists of a pair of matched keys.
Public Key = Distributed to Everyone
Private Key = Never Revealed
To send an encrypted message or file using Public/Private Key encryption, the sender must possess the Public Key of the intended recipient. To verify the signature of the sender, the recipient must possess the Public Key of the sender. This requires the sender and recipient to exchange Public Keys.
NO PASSWORDS!
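The exchange described on this slide, carried through in code as an added example that is not part of the K2 material: Alice encrypts for Bob with Bob's public key and signs with her own private key; Bob decrypts with his private key and verifies with Alice's public key, so the only things exchanged beforehand are public keys and no password ever changes hands. The code is textbook RSA with fixed, small, well-known primes and no padding, chosen so the example runs instantly and deterministically; real digital IDs use 2048-bit or larger keys generated from a secure random source with OAEP/PSS padding, and encrypt a symmetric key rather than the message itself. The names Alice and Bob, the primes and the sample message are assumptions of this example.

```python
import hashlib
from math import gcd

# Fixed, well-known primes near 1e9 so key generation is deterministic and instant.
# Toy only: real keys are 2048-bit+ and generated from a CSPRNG, with padding.
ALICE_PRIMES = (1000000007, 998244353)
BOB_PRIMES = (1000000009, 999999937)

def make_key_pair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))   # modular inverse: Python 3.8+

def _digest_int(message: bytes, n: int) -> int:
    # Reducing the SHA-256 digest mod n stands in for proper signature padding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(public_key, message: bytes) -> int:
    """Anyone can encrypt with the public key; only the private key holder can read the result."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("too long for this toy key: real systems encrypt a symmetric key, not the message")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(private_key, message: bytes) -> int:
    """Only the private key can produce this; it binds the signer to the exact message bytes."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)

def send(sender_private, recipient_public, message: bytes):
    """Sender side: encrypt for the recipient, sign as yourself. No shared password involved."""
    return encrypt(recipient_public, message), sign(sender_private, message)

def receive(recipient_private, sender_public, ciphertext: int, signature: int):
    """Recipient side: decrypt with own private key, verify with the sender's public key."""
    message = decrypt(recipient_private, ciphertext)
    return message, verify(sender_public, message, signature)

if __name__ == "__main__":
    alice_pub, alice_priv = make_key_pair(*ALICE_PRIMES)
    bob_pub, bob_priv = make_key_pair(*BOB_PRIMES)
    ct, sig = send(alice_priv, bob_pub, b"TaxID42")      # constructed 7-byte message
    print(receive(bob_priv, alice_pub, ct, sig))           # (b'TaxID42', True)
```

Two failure modes worth seeing: verifying with the wrong public key (Bob's instead of Alice's) returns False, which is what "verifies that the person who purportedly signed actually did so" means in practice, and changing a single byte of the message or ciphertext also returns False, which is the "prevents signed documents from being altered" property.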
Personal Digital IDs
CPA Firm Portals And Security
• Portals provide a more secure way to
– Transfer tax documents to clients
– Gather tax organizer information
– Provide payroll services to clients
– Store and exchange working documents with clients
Features Of Portals
• Online access to past tax returns – clients can access their prior year tax returns without having to bother the CPA
• Secure file transfer – staff can provide files to clients securely and clients can transmit files to the firm securely
• Provide clients safe online storage
– Gives clients a secure place to store important documents
Features Of Portals
• Online tax organizer – lets clients enter and organize their tax data with this easy-to-use online system, helping you prepare their returns faster and easier
• Provide online accounting – some portal services integrate with online accounting systems
• Online payroll – some accounting portals integrate with online payroll systems
• Pricing depends on the functionality provided and the number of users
• Currently the most cost effective, secure method of communicating confidential information with customers and clients
• Huge time savings along with much better quality of service
• No servers to buy, no software to load, no capital investment, up and running in hours for much less than you would think
ShareFile Portal For CPA Firms
CPA Firm Portals
• ShareFile http://www.sharefile.com
• Thomson Reuters – NetClient CS http://cs.thomsonreuters.com/portals
• CCH ProSystem fx Portal http://tax.cchgroup.com/portal
• Sage AssuredSend/LeapFile http://www.sagesend.com
• Website Relief by AccountantsWorld http://bit.ly/WSRELF
User Training
• The weakest links in any security regime are the users themselves
• Training is the most important element in implementing effective security
• Basic training, internal newsletters, login reminders, staff meetings – anything that raises awareness is effective
Conclusions
• Social networking tools and mobile devices pose significant new security threats
– Businesses should address these issues before it is too late
• While there are new security concerns with Cloud solution providers, working in the Cloud has the potential to significantly improve security
• Traditional defenses, like antivirus software and firewalls, are essential
Questions?