Cyber Security - fgfoacfc.wildapricot.org · 3/29/2019
TRANSCRIPT
Cyber Security: An Ever Changing Landscape
Agenda
• Elements of Security
− Best Practices
− Layers of Security
• Common Threats
− Social Hacking
− Phishing
− Drive-by Attacks
− Malware
− Physical
• Security in Local Government
“Given the choice between security and
convenience, people complain about
security, but opt for convenience”
Elements of Security
Data confidentiality means that only those who are authorized to access data can actually do so, and no one else.
Data integrity means that we have confidence that the information we use, transmit, process or store has not been modified, by accident or by design, in an inappropriate manner.
Data availability means that the computer and the information are available when we need them.
Elements of Security
Best Practices
• Standardization
• Patches and Updates
• Firewalls/IPS-IDS
• Backups
• Logging Security Changes
• Website Filtering and Scanning
• Password Enforcement/Multifactor Authentication
• Physical Security
• User Awareness
Elements of Security
Who is Responsible for Security?
• Technology Services/IT
• Firewalls
• IPS/IDS
• Web Filtering
• Anti-Virus
• Anti-Malware
• Security Training
Elements of Security
But Ultimately… technical safeguards can only go so far. The security of a system is only as good as its weakest link. If even one person does not pay attention to security, the security of the whole system is compromised.
90/10 Rule
• 10% of all safeguards are technical
• 90% rely on users
SEC-U-R-IT-Y (SECURITY)
STOP, THINK, CLICK
Basic Concept
You Control What You Choose to Click
Most threats are targeted specifically in hopes that you will click on a harmful link, attachment, picture, video or icon in an email or web page, including social media applications.
What you can do
STOP, and THINK BEFORE you CLICK
Be aware, be alert and diligent. Always look for the signs that external entities are
trying to gain access.
Security Threats
Security Threats
Major Breaches in the Last 18 Months
• September 2017 – Equifax - 143 million people’s full names, social security numbers, birth dates, home addresses and driver’s license
• November 2017 – Uber - paid hackers $100,000 to delete the stolen data of 57 million of its customers and drivers, including names, phone numbers, email addresses, and license plates
• February 2018 – DHS confirms Russian hackers successfully penetrated the voter registration rolls of several US states prior to the 2016 election.
• March 2018/June 2018 – Facebook - Cambridge Analytica collected user information of 50 million users and the Nametests App publicly exposed information of 120 million users
Security Threats
Major Breaches in the Last 18 Months
• May 2018 – Under Armour compromised the information of 150 million users of its fitness and nutrition tracking app MyFitnessPal
• June 2018 – Exactis – Marketing company left a database exposed on a public server: 2 terabytes of 340 million customers' individual information, including sensitive details such as the names and genders of their children in some cases
• August 2018 – T-Mobile – Usernames and passwords of 2 million users compromised
• September 2018 – Marriott/Starwood Hotels – Information of 5 million guests was accessed by hackers. Data accessed included guest phone numbers, email addresses, passport numbers, and even credit card numbers.
Security Threats
Local Governments are not Immune
• March 2018 – Florida Virtual School – Personal information of 368,000 students and personal information including SSNs of 1,800 teachers from Leon County
• October 2017 - September 2018 – Click2Gov – Vulnerability discovered in September 2017, patched in June 2018. Research firm Genesis Advisory found that “underground online marketplaces had ‘likely been stolen from local municipal services that license Click2Gov software.’” https://www.forbes.com/sites/taylorarmerding/2018/12/21/click2gov-breaches-show-the-power-of-zero-days/#434b0d2b7e2e
No mention of Ransomware attacks???
Security Threats
Major Breaches in the Last 18 Months
Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches
Security Threats – Attack Vectors
• Social Engineering
• Phishing
• Drive-By Attacks
• Malware (Viruses/Trojans/Worms/Spyware/Ransomware)
• Physical
• Computing on the Road or at Home
Social Engineering
Can you spot a “social engineer” in this group?
Security Threats
Social Engineering
• Preying on the Best Qualities of Human Nature:
• The desire to be helpful
• The tendency to trust people
• The fear of getting into trouble
• A successful social engineer receives information without raising any suspicion as to what they are doing.
Social Engineering
Recognizing the Signs
Social Engineers may:
• Refuse to give contact information
• Rush you
• Use name-dropping/Pretexting
• Use intimidation
• Make small mistakes
• Request confidential information
• Request you to do something improper
Social Engineering
What can you do?
Be Suspicious! Ask Questions!
• Never provide ANY information
• Number where you can return the call?
• Contact information?
• Why is the information needed?
• Who authorized the request? Verify the authorization.
AND REPORT IT!!!
Phishing
• Often uses pretexting – a false narrative to obtain information or influence behavior
• A “Trustworthy Entity” asks via email for sensitive information such as SSNs, login IDs, etc.
• Requests are made via links to malicious websites
• Clicking on the link will try to install malware on your device
• Often emails may contain “links” to Word or PDF documents
• Spear-phishing, Whaling and Pharming
Phishing
Phishing Statistics
• Social Engineering Attacks increased
• Increase in Credential Compromise Attacks – 280% increase!
Phishing
How to Identify Phishing Emails
• Strange/Unofficial Email Address
• P00r grammer and Speling
• Generic Greeting
• Urgent Action Required
• Links to Fraudulent Sites
• Junkmail
STOP… THINK… CLICK
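The warning signs listed above can be checked mechanically. This added example (not from the deck) scores one constructed message against four of them: an unofficial sender domain, a generic greeting, urgent-action wording, and a link whose visible text names a different host than its real destination (the thing hovering over a link reveals). The dict layout, the trusted domain and the phrase lists are all assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (not from the deck); the dict layout is an
# assumption about how a mail client would hand a message to a checker.
SAMPLE = {
    "from": "IT Help Desk <helpdesk@it-support-portal.example>",
    "subject": "URGENT: your mailbox will be deleted in 24 hours",
    "body": ('Dear User,\nImmediate action required. Verify your account: '
             '<a href="http://account-verify.example/login">'
             'https://mail.example.gov/owa</a>'),
}
TRUSTED_DOMAINS = {"example.gov"}   # assumed: the municipality's own mail domain
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "hello,")
URGENCY_PHRASES = ("urgent", "immediate action", "within 24 hours", "will be deleted")

def sender_domain(from_header):
    """Domain part of the address in a From: header (display name ignored)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def link_mismatches(body):
    """Links whose visible text names one host but whose href goes to another,
    which is exactly what hovering over the link would reveal."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', body, re.I):
        href_host = urlparse(href).netloc.lower()
        text_host = urlparse(text.strip()).netloc.lower()
        if text_host and text_host != href_host:
            found.append((text_host, href_host))
    return found

def phishing_indicators(msg):
    """Return the deck's warning signs that are present in one message."""
    signs = []
    if sender_domain(msg["from"]) not in TRUSTED_DOMAINS:
        signs.append("strange/unofficial email address")
    body_lower = msg["body"].lower()
    if any(body_lower.startswith(g) for g in GENERIC_GREETINGS):
        signs.append("generic greeting")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(p in text for p in URGENCY_PHRASES):
        signs.append("urgent action required")
    if link_mismatches(msg["body"]):
        signs.append("link text does not match its destination")
    return signs

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A message that trips several signs at once is the kind a user should delete and report rather than click.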
Examples of Phishing (screenshot slides)
Phishing
O365 Advanced Threat Protection – Safe Links
REMEMBER: STOP, THINK, CLICK
Drive-By Attacks
A drive-by attack is the unintentional download of
a virus or malicious software (malware) onto your
system. A drive-by attack will usually take
advantage of (or “exploit”) a browser, app, or
operating system that is out of date and has a
security flaw.
Drive-By Attacks
• Not always “Sketchy” or “click-bait” sites
• Ads
Drive-By Attacks
Protecting Against Drive-Bys:
• Robust Anti-Malware solution – Active Scanning
• Keep your PC, AV and Anti-Malware Updated
• Web Content Filters
• Beware “sketchy” and “click-bait” sites
• Be careful when clicking on Ads
• STOP, THINK, CLICK
Malware
• Software that will maliciously cause harm to
your computer
• Ranges from
• Annoyances – Spyware/Scareware
• Destructive – Virus/Trojan/Worm
• Financial - Ransomware
• How?
• Take advantage of vulnerabilities
• Virus scanners don’t catch everything
• Elements of Social Engineering
Malware
Common Types of Malware
• Virus – Program attached to a file, picture, video, etc. Can delete, corrupt or copy data.
• Worm – Program that replicates itself to computers across the network, causing harm
• Trojan Horse – Looks like a beneficial program while quietly damaging your system
• PUPs, Adware – Bundled with software and installed if you are not careful
Malware
Common Types of Malware
• Spyware/Keyloggers – Collects information and transmits it to interested parties
• Browser Hijack – Homepage gets changed to an infected site
• Botnets – Silent agent running on a group of computers, passing information to one another
• Ransomware – Encrypts files on a computer and holds them for ransom
• CryptoJacking – Infected machines mine cryptocurrency for hackers, using the machine’s resources to do so
Malware
Recent Ransomware Attacks
• Atlanta – Online services disrupted – $17mil
• Baltimore 911 System – Manual dispatch
• Mecklenburg County NC – Rebuilt system $16mil
• Colorado Dept of Transportation – 2 months in a row
• City of Leeds, Alabama – Paid $12k to unlock files
• Farmington, NM – Over a year later, some files still inaccessible
• Many jurisdictions in Florida….
Malware
Ransomware Demo
Malware
CryptoJacking
• Has overtaken Ransomware as #1 attack vector
• Hacker hijacks computer processing power to mine cryptocurrency on hacker’s behalf – Low Profile
• Infections occur through malicious links in emails (Phishing) or Drive-by attacks
• Scripts work in background without user knowing
• Symptoms
• Overheating of Device
• High Processor Usage
• Sluggish Internet Response times
Malware
How do you get infected?
• Unsafe browsing
• Legitimate websites that have been hacked
• Infected Ads
• Attachments – DOC/PDF/EXE etc.
• Unsafe Links in Email
• USB Keys/Mass Storage Devices
• Unpatched Systems/Open ports on Firewalls
Malware
How can you prevent infection?
• Unsafe browsing
✓ Answer: Stay on legit sites – Be Vigilant
• Infected Ads
✓ Answer: Stay on legit sites – Be Vigilant
• Attachments – DOC/PDF/EXE etc.
✓ Answer: Were you expecting it? – Be Vigilant
• Unsafe Links in Email
✓ Answer: Were you expecting it? No? Does it look strange? Yes? DELETE IT! Remember: STOP, THINK, CLICK (HOVER!) – BE VIGILANT!
Malware
How can you prevent infection?
• USB Keys/Mass Storage Devices
✓ Answer: Don’t connect foreign devices
• Vulnerabilities
✓ Answer: Keep your Antivirus, Antimalware and PC up to date. Only have needed ports open on firewalls
• Use Multifactor Authentication
✓ Can limit the fallout if credentials are lost or stolen
Always let IT know if you notice strange behavior!
Physical Security
• Always lock your workstation/tablet/phone
• Ctrl-Alt-Del and “Lock Computer”, or Windows Key and “L”
• Set Tablets/Phones to Lock – Resume w/Password
• Secure Critical IT Resources
• Servers, switches, even user workstations
• Behind Locked Doors – Authorized personnel only
• Lock sensitive documents and materials in a safe location – “Clean Desk Policy”
Physical Security
• Dispose of sensitive documents and equipment appropriately – Clean Desk Policy
• Do not write down passwords, and use “better” passwords
• Always question unescorted strangers
• ALWAYS report incidents and suspicious activities
Better Passwords
• Passwords should be long
• Longer = Harder to crack
• DoD recommends 15+ characters
• 8 characters can be cracked in less than 24 hours
• Passwords should be random
• Don’t use dictionary words/phrases or common combinations
• Should be as complex as possible
• Passwords should be unique
• Different passwords for applications/sites
• Don’t follow patterns
• Passwords should be private
• Don’t share… EVER
• You will never be asked for your password by reputable sources
Better Passwords
Choosing Great Passwords (examples):
Better Passwords
Choosing Go0d! Passwords (examples):
• Friendship = “Fr13nd+sh1p”
• Lifelong = “L!f3l0ng”
• Teddybear = “T3ddy^BaRe”
• I love my 2 cats = “I love my 2 c@ts”
• Gators Rule! = “G@tor5 Rul3!”
• I like to go to the movies and watch 2 in a row! = “Iltgttmaw2iar!”
• I work at 125 East Colonial Dr + 02/13/2007 = “SLHw@125ecolDR021307”
Better Passwords
Password Manager
• All usernames & passwords, protected by a single “master password”
• Store on a server, computer, smartphone
• Most can generate long, random and unique passwords for each app/site you visit
• Many different ones out there
• LastPass
• 1Password
• KeePass
• Use a REALLY good master password – it should be the only one you have to remember!
Better Passwords
Strong Password Policy:
• Minimum 8 characters
• At least one UPPER, lower and numeric
character
• Changes every 90 days
• Remembers last 6 passwords
• Network locks account after five failed
attempts for 15 minutes
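The policy above can be enforced in code rather than left to memory. This added example (not from the deck or any product) implements its five rules on a toy in-memory account: the complexity check, a history of the last 6 password hashes, a 90-day age, and a 15-minute lockout after the fifth failed attempt. The `Account` class, PBKDF2 hashing and the constructed clock `T0` are assumptions for the demo.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

MIN_LENGTH = 8
HISTORY_SIZE = 6                 # remembers the last 6 passwords
MAX_FAILURES = 5                 # lock after five failed attempts
LOCKOUT = timedelta(minutes=15)
MAX_AGE = timedelta(days=90)     # change every 90 days
T0 = datetime(2019, 3, 29)       # constructed clock start for the demo

def meets_complexity(pw):
    """Minimum 8 characters with at least one UPPER, one lower and one numeric."""
    return (len(pw) >= MIN_LENGTH and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def _hash(pw, salt):
    # Salted PBKDF2 so stored history never holds the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    """Toy account record (constructed for this example) that applies the policy."""
    def __init__(self, password, now):
        self.history = []        # (salt, hash) pairs of the most recent passwords
        self.failures = 0
        self.locked_until = None
        self.set_password(password, now)

    def set_password(self, new_pw, now):
        if not meets_complexity(new_pw):
            return "rejected: complexity"
        if any(_hash(new_pw, s) == h for s, h in self.history):
            return "rejected: reused"
        salt = secrets.token_bytes(16)
        self.history = (self.history + [(salt, _hash(new_pw, salt))])[-HISTORY_SIZE:]
        self.changed_at = now
        return "ok"

    def login(self, pw, now):
        if self.locked_until and now < self.locked_until:
            return "locked"
        self.locked_until = None
        salt, h = self.history[-1]          # current password is the newest entry
        if _hash(pw, salt) != h:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.failures, self.locked_until = 0, now + LOCKOUT
                return "locked"
            return "denied"
        self.failures = 0
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```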
Better Passwords
Multi-Factor Authentication
“Security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account.”
• Common Uses
• Banking
• Remote Access to Network
• Legal Requirements – PCI Requirement 8.3
• Common Methods
• SMS Text to Phone
• Authenticator App
• Call to Phone
Security in Practice
At your Municipality
• Do not take files home to work on your home PC
• Refrain from bringing files or programs in from home
• Refrain from installing any software not approved by IT (all users should be restricted users on their machines)
• Better Passwords
Security in Practice
At your Municipality
• Use best judgment with email and attachments and when browsing the Internet
• Physically secure your devices/work area
• Strange system behaviors, phone calls or
requests?
• Mandatory Annual Training – PCI
• BE VIGILANT!!!
Security in Practice
At Home/On the Road
• Use multifaceted Antivirus/Antimalware
• Make sure PC and Antivirus/Antimalware are up to date
• Secure your home Wi-Fi
• Be wary of free Wi-Fi
• Unencrypted
• Packet sniffers
Security in Practice
At Home/On the Road
• Do not use the same passwords for Email,
Facebook, Banking, WORK… etc..
• Multifactor Authentication
• Password Managers
• Do not let anyone utilize devices that attach to
your municipality’s network
• BE VIGILANT
Security in Practice
Recognizing Threats
• Antivirus/Antimalware Notifications
• Fake Antivirus Messages
• PopUps and Strange Messages
• System is extremely slow
• Mouse moves by itself
• Standard programs won’t open
• Unfamiliar programs/Toolbars
• Passwords Change
Security in Practice
Responding to an attack at home
• Disconnect from Internet ASAP
• Scan your device multiple times in Safe Mode
• Change passwords to accounts – Email/Social
Media/Online Banking etc.
• BACKUPS – Use an online backup such as Carbonite
• Reinstall OS and Apps
Cyber Security in Your Municipality
Policies, Policies, Policies
• Create an IT security policy
• Password Standards
• New Hire/Termination
• Hardware Replacement Program
• Restricted Users
• Standardization
• Remote Access/Email – Multifactor Authentication
• Mobile Device/Bring Your Own Device (BYOD)
• Acceptable Usage Policy
• Internet/Email Usage
• Disaster Recovery Plan
• Ensure all users have read and have signed policy
• Adherence!
Cyber Security in Your Municipality
TECHNICAL
• BACKUPS ARE CRITICAL! Have a solid backup plan in place and ensure backups are maintained properly and tested on a regular basis
• Implement a patch management schedule for servers and workstations – vulnerabilities are discovered frequently
• Operating System and Application Patches
• Anti-Virus and Anti-Malware
• Lock critical infrastructure – Servers, Networking Devices, etc..
• Limited access to data centers/closets. Keep audit logs of entry
Cyber Security in Your Municipality
TECHNICAL
• Network Monitoring
• Audit Server Logs
• Audit Login Accounts
• Web Filtering
• Next Generation Firewall
• Managed Services
• 24/7 monitoring of network
• Much less expensive than hiring full-time cyber-security personnel or doing nothing at all
• Security Training Resources
• MS-ISAC
• Glatfelter Cyber Self Assessment Checklist
• Pagerduty Security Training For Everyone
• KnowBe4
Cyber Security in Your Municipality
TRAINING
• Stay up to date with the current threat landscape.
• Create a training program that is required for all users
• Update the training annually as threats are constantly
evolving
• Conduct mandatory yearly training for all users
• PCI Requirement 12.6 requires formal ANNUAL security
awareness training
Cyber Security in Your Municipality
RESPONSE & RECOVERY
• IT Disaster Recovery Plan and/or Incident Response Plan (Review regularly)
• Responsibilities
• Contact information
• Mission Critical Data
• Restoration Priorities
• Assess the threat/Capture extent of damage
• Take steps to minimize additional damage
• Work with Law Enforcement
• Contact any individuals who might be affected
Thank You!
Contact: Mike Taylor
Associate Director, TSD Infrastructure
Florida League of Cities