Cyber Security:

An Ever Changing LandscapeAgenda

• Elements of Security− Best Practices

− Layers of Security

• Common Threats− Social Hacking

− Phishing

− Drive-by Attacks

− Malware

− Physical

• Security in Local Government

Cyber Security:

An Ever Changing Landscape

Cyber Security:

An Ever Changing Landscape

“Given the choice between security and

convenience, people complain about

security, but opt for convenience”

Cyber Security:

An Ever Changing Landscape

Elements of Security

Data confidentiality -- means only those who have access to data can

actually do so and no one else

Data integrity -- means that we have confidence that the information we

use, transmit, process or store has not been modified by accident or design in an

inappropriate manner.

Data availability -- means that the computer and the information is available

when we need it.

Elements of Security

Best Practices

• Standardization

• Patches and Updates

• Firewalls/IPS-IDS

• Backups

• Logging Security Changes

• Website Filtering and Scanning

• Password Enforcement/Multifactor Authentication

• Physical Security

• User Awareness

Elements of Security

Who is Responsible for Security?

• Technology Services/IT

• Firewalls

• IPS/IDS

• Web Filtering

• Anti-Virus

• Anti-Malware

• Security

Training

Elements of Security

But Ultimately….. Technical safeguards can only go so far. The security of a system is

only as good as its weakest link. If even one person does not pay

attention to security, the security of the whole system is

compromised.

90/10 Rule• 10 % of all safeguards are technical

• 90 % rely on Users

SEC-U-R-IT-YSECURITY

STOP, THINK, CLICK

Basic Concept

You Control What You Choose to ClickMost threats are targeted specifically in hopes that you will click on a harmful link,

attachment, picture, video or icon in an email or web page, including social media

applications

What you can doSTOP, and THINK BEFORE you CLICK

Be aware, be alert and diligent. Always look for the signs that external entities are

trying to gain access.

Security Threats

Security ThreatsMajor Breaches in the 18-months

• September 2017 – Equifax - 143 million people’s full names, social security numbers, birth dates, home addresses and driver’s license

• November 2017 – Uber - paid hackers $100,000 to delete the stolen data of 57 million of its customers and drivers, including names, phone numbers, email addresses, and license plates

• February 2018 – DHS confirms Russian hackers successfully penetrated the voter registration rolls of several US states prior to the 2016 election.

• March 2018/June 2018 – Facebook - Cambridge Analytica collected user information of 50 million users and the Nametests App publicly exposed information of 120 million users

Security ThreatsMajor Breaches in the 18-months

• May 2018 – Under Armor compromised the information of 150 million users of its fitness and nutrition tracking app MyFitnessPal

• June 2018 – Exactis – Marketing company left a database exposed on public server. 2 Terabytes of 340 million customers individual information, including sensitive details like the names and genders of their children in some cases

• August 2018 – T-Mobile – Usernames and passwords of 2 million users compromised

• September 2018 – Marriott/Starwood Hotels – Information of 5 million guests were accessed by hackers. Data received included guest phone numbers, email addresses, passport numbers, and even credit card numbers.

Security ThreatsLocal Governments are not Immune

• March 2018 – Florida Virtual School – Personal information of 368,000 students and personal information including SSN’s of 1,800 teachers from Leon County

• October 2017 - September 2018 – Click2Gov – Vulnerability discovered in September 2017, patched in June 2018. Research firm Genesis Advisory found that “underground online marketplaces had ‘likely been stolen from local municipal services that license Click2Gov software.’” https://www.forbes.com/sites/taylorarmerding/2018/12/21/click2gov-breaches-show-the-power-of-zero-days/#434b0d2b7e2e

No mention of Ransomware attacks???

Security Threats

Major Breaches in the 18-months

Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches

Security Threats – Attack Vectors

• Social Engineering• Phishing• Drive-By Attacks• Malware (Viruses/Trojans/Worms/Spyware/Ransomware)

• Physical• Computing on the Road or at Home

Social Engineering

Internet

Social EngineeringCan you spot a “social engineer” in this group?

Social Engineering

Security Threats

Social Engineering

• Preying on the Best Qualities of Human Nature:• The desire to be helpful• The tendency to trust people• The fear of getting into trouble

• A successful social engineer receives information without raising any suspicion as to what they are doing.

Social Engineering

Recognizing the SignsSocial Engineers may:

• Refuse to give contact information

• Rush you

• Use name-dropping/Pretexting

• Use intimidation

• Make small mistakes

• Request confidential information

• Request you to do something improper

Social Engineering

What can you do?Be Suspicious! Ask Questions!

• Never provide ANY information

• Number where you can return the call?

• Contact information?

• Why the information is needed?

• Who authorized the request? Verify the

authorization.

AND REPORT IT!!!

Phishing

Phishing

• Often uses Pre-Texting – false narrative to obtain information

or influence behavior• A “Trustworthy Entity” asks via email for sensitive information such as SSN, login

ID’s etc...

• Requests are made via links to Malicious websites• Clicking on link will try to install malware on your device

• Often emails may contain “links” to Word or PDF documents

• Spear-phishing, Whaling and Pharming.

Phishing

Phishing Statistics

• Social Engineering Attacks

increased

• Increase in Credential

Compromise Attacks – 280%

increase!

Phishing

How to Identify Phishing Emails

• Strange/Unofficial Email Address

• P00r grammer and Speling

• Generic Greeting

• Urgent Action Required

• Links to Fraudulent Sites

• Junkmail

STOP… THINK… CLICK

Examples of Phishing

Examples of Phishing

Phishing

Examples of Phishing

Examples of Phishing

Examples of Phishing

PhishingO365 Advanced Threat Protection – Safe Links

Phishing

Phishing

REMEMBER

STOP

THINK

CLICK

Drive-By Attacks

A drive-by attack is the unintentional download of

a virus or malicious software (malware) onto your

system. A drive-by attack will usually take

advantage of (or “exploit”) a browser, app, or

operating system that is out of date and has a

security flaw.

Drive-By Attacks

• Not always “Sketchy” or “click-bait” sites• Ads

Drive-By Attacks

Protecting Against Drive-Bys:

• Robust Anti-Malware solution – Active Scanning

• Keep your PC, AV and Anti-Malware Updated

• Web Content Filters

• Beware “sketchy” and “click-bait” sites

• Be careful when clicking on Ads

• STOP, THINK, CLICK

Malware

• Software that will maliciously cause harm to

your computer

• Ranges from

• Annoyances – Spyware/Scareware

• Destructive – Virus/Trojan/Worm

• Financial - Ransomware

• How?

• Take advantage of vulnerabilities

• Virus scanners don’t catch anything

• Elements of Social Engineering

Malware

Common Types of Malware

• Virus – Program attached to a file, picture,

video, etc.…Can delete, corrupt, copy data.• Worm – Program that replicates itself to

computers across the network causing harm

• Trojan Horse – Looks like a beneficial

program while quietly damaging your system

• PUPs, Adware – Bundled with software installed if not careful

Malware

Common Types of Malware

• Spyware/Keyloggers – collects information and transmits it to interested parties

• Browser Hijack – Homepage gets changed to infected site• Botnets – Silent agent running on a group of computers

passing information to one another• Ransomware – Encrypts files on a computer and holds them

for ransom• CryptoJacking – Infected machines mine cryptocurrency for

hackers. Uses machine resources to accomplish

Malware

Recent Ransomware Attacks

• Atlanta – Online Services disrupted- $17mil• Baltimore 911 System – Manual Dispatch• Mecklenberg County NC – Rebuilt System $16mil• Colorado Dept of Transportation – 2 months in a row• City of Leeds, Alabama – Paid $12k to unlock files• Farmington, NM – Over a year later, some files still

inaccessible• Many jurisdictions in Florida….

Malware

Ransomware Demo

Malware

CryptoJacking• Has overtaken Ransomware as #1 attack vector• Hacker hijacks computer processing power to mine

cryptocurrency on hacker’s behalf – Low Profile• Infections occur through malicious links in emails (Phishing) or

Drive-by attacks• Scripts work in background without user knowing• Symptoms

• Overheating of Device• High Processor Usage• Sluggish Internet Response times

Malware

How do you get infected?

• Unsafe browsing• Legitimate websites that have been hacked• Infected Ads• Attachments – DOC/PDF/EXE etc..

• Unsafe Links in Email• USB Keys/Mass Storage Devices• Unpatched Systems/Open ports on Firewalls

MalwareHow can you prevent infection?

• Unsafe browsing✓ Answer: Stay on legit sites – Be Vigilant

• Infected Ads✓ Answer: Stay on legit sites – Be Vigilant

• Attachments – DOC/PDF/EXE etc..

✓ Answer: Were you expecting it? - Be Vigilant

• Unsafe Links in Email✓ Answer: Were you expecting it? No? Does it look

strange? Yes? DELETE IT! Remember: STOP, THINK, CLICK (HOVER!) – BE VIGILANT!

MalwareHow can you prevent infection?

• USB Keys/Mass Storage Devices✓ Answer: Don’t connect foreign devices

• Vulnerabilities✓ Answer: Keep your Antivirus, Antimalware and PC

up to date. Only have needed ports open on firewalls

• Use Multifactor Authentication✓ Can limit the fallout if credentials are lost or stolen

Always let IT know if you notice strange behavior!

Physical Security

• Always lock your workstation/tablet /phone• Ctrl-Alt-Del and “Lock Computer” or Windows Key

and “L”

• Set Tablets/Phones to Lock – Resume w/Password

• Secure Critical IT Resources• Servers, switches, even user workstations

• Behind Locked Doors – Authorized personnel only

• Lock sensitive documents and materials in a safe location- “Clean Desk Policy”

Physical Security

• Dispose of sensitive documents and equipment

appropriately – Clean Desk Policy

• Do not write down password and use “better”

passwords

• Always question unescorted strangers• ALWAYS report incidents and suspicious activities

Better Passwords

Better Passwords

Better Passwords• Passwords should be long

• Longer = Harder to crack• DoD recommends 15+ characters• 8 characters can be cracked in less than 24 hours

• Passwords should be random• Don’t use dictionary words/phrases or common

combinations• Should be as complex as possible

• Passwords should be unique• Different passwords for applications/sites• Don’t follow patterns

• Passwords should be private• Don’t share… EVER• You will never be asked for your password by reputable

sources

Better Passwords

Choosing Great Passwords (examples):

Better Passwords

Choosing Go0d! Passwords (examples):

• Friendship = “Fr13nd+sh1p”• Lifelong = “L!f3l0ng”• Teddybear = “T3ddy^BaRe”• I love my 2 cats = “I love my 2 c@ts”• Gators Rule! = “G@tor5 Rul3!”• I like to go to the movies and watch 2 in a row! =

“Iltgttmaw2iar!”• I work at 125 East Colonial Dr + 02/13/2007 =

“SLHw@125ecolDR021307”

Better Passwords

Better Passwords

Better Passwords

Password Manager• All usernames & passwords, protected by a single

"master password“

• Store on a server, computer, smartphone

• Most can generate long, random and unique passwords

for each app/site you visit

• Many different ones out there• LastPass

• iPassword

• KeePass

• Use a REALLY good master password – it should be the

only one you have to remember!

Better Passwords

Strong Password Policy:

• Minimum 8 characters

• At least one UPPER, lower and numeric

character

• Changes every 90 days

• Remembers last 6 passwords

• Network locks account after five failed

attempts for 15 minutes

Better Passwords

Multi-Factor Authentication“Security enhancement that allows you to present two

pieces of evidence – your credentials – when logging in to

an account.”• Common Uses

• Email

• Facebook

• Banking

• Remote Access to Network

• Legal Requirements – PCI Requirement 8.3

• Common Methods• SMS Text to Phone

• Authenticator App

• Call to Phone

Security in Practice

At your Municipality• Do not take files home to work on your home PC

• Refrain from bringing files or programs in from home.

• Refrain from installing any software not approved by IT (All

users should be restricted users on their machines)

• Better Passwords

Security in Practice

At your Municipality• Use best judgment with email and attachments

and when browsing Internet

• Physically secure your devices/work area

• Strange system behaviors, phone calls or

requests?

• Mandatory Annual Training – PCI

• BE VIGILANT!!!

Security in Practice

At Home/On the Road• Use multifaceted Antivirus/Antimalware

• Make sure PC and Antivirus/Antimalware are

up to date

• Secure your home Wi-Fi

• Be wary of free Wi-Fi

• Unencrypted

• Packetsniffers

Security in Practice

At Home/On the Road

• Do not use the same passwords for Email,

Facebook, Banking, WORK… etc..

• Multifactor Authentication

• Password Managers

• Do not let anyone utilize devices that attach to

your municipality’s network

• BE VIGILANT

Security in Practice

Recognizing Threats• Antivirus/Antimalware Notifications

• Fake Antivirus Messages

• PopUps and Strange Messages

• System is extremely slow

• Mouse moves by itself

• Standard programs won’t open

• Unfamiliar programs/Toolbars

• Passwords Change

Security in Practice

Responding to an attack at home• Disconnect from Internet ASAP

• Scan your device multiple times in Safe Mode

• Change passwords to accounts – Email/Social

Media/Online Banking etc.

• BACKUPS – Use an online backup such as Carbonite

• Reinstall OS and Apps

Cyber Security in Your Municipality

Policies, Policies, Policies• Create an IT security policy

• Password Standards

• New Hire/Termination

• Hardware Replacement Program

• Restricted Users

• Standardization

• Remote Access/Email – Multifactor Authentication

• Mobile Device/Bring Your Own Device (BYOD)

• Acceptable Usage Policy

• Internet/Email Usage

• Disaster Recovery Plan

• Ensure all users have read and have signed policy

• Adherence!

Cyber Security in Your Municipality

TECHNICAL• BACKUPS ARE CRITICAL! Have a solid backup plan in place and ensure

backups are maintained properly and tested on a regular basis

• Implement a patch management schedule for servers and workstations

– vulnerabilities are discovered frequently• Operating System and Application Patches

• Anti-Virus and Anti-Malware

• Lock critical infrastructure – Servers, Networking Devices, etc..

• Limited access to data centers/closets. Keep audit logs of entry

Cyber Security in Your Municipality

TECHNICAL• Network Monitoring

• Audit Server Logs

• Audit Login Accounts

• Web Filtering

• Next Generation Firewall

• Managed Services• 24/7 monitoring of network

• Much less expensive than hiring full-time cyber-security personnel or

doing nothing at all

• Security Training Resources

• MS-ISAC

• Glatfelter Cyber Self Assessment Checklist

• Pagerduty Security Training For Everyone

• KnowBe4

Cyber Security in Your Municipality

TRAINING• Stay up to date with the current threat landscape.

• Create a training program that is required for all users

• Update the training annually as threats are constantly

evolving

• Conduct mandatory yearly training for all users

• PCI Requirement 12.6 requires formal ANNUAL security

awareness training

Cyber Security in Your Municipality

RESPONSE & RECOVERY

• IT Disaster Recovery Plan and/or Incident

Response Plan (Review regularly)• Responsibilities

• Contact information

• Mission Critical Data

• Restoration Priorities

• Assess the threat/Capture extent of damage

• Take steps to minimize additional damage

• Work with Law Enforcement

• Contact any individuals who might be affected

Thank You!

Contact:Mike Taylor

Associate Director,

TSD Infrastructure

Florida League of Cities

mtaylor@flcities.com