
Security update 2016

David M. Cieslak, CPA.CITP, CGMA, GSEC

Arxis Technology, Inc.

Map

• Terminology

• Current Threats

• Best Practices

• Authentication

Terminology

Goals of IT Security

• Confidentiality – data is only available to authorized individuals

• Integrity – data can only be changed by authorized individuals

• Availability – data and systems are available when needed

• Accountability – changes are traceable and attributable to their author

Threats & Vulnerabilities

• Threat – an active agent that seeks to violate or circumvent policy

  • Part of the environment – beyond the user’s control

• Vulnerability – a flaw or bug

  • Part of the system – within the user’s control

• Risk – the likelihood of harm resulting from a threat exploiting a vulnerability, together with the impact if it does

IT Security Response

• No single product, vendor or strategy

• Defense in Depth, i.e. Layers of Security

Hacking

• By force

  • Dictionary scans – weak/missing passwords

  • Unpatched systems

  • Denial of service (DoS) or distributed DoS (DDoS)

  • Man in the middle

• Social engineering

  • E-mail – phishing, spear phishing

  • Infected web sites

• Physical access

  • Theft

  • USB firmware

Current Threats

Top Threats

• The Human Factor 2016: People are the key. Social engineering became the top attack technique in 2015 for beating cyber security, replacing exploits of hardware and software vulnerabilities. The Proofpoint study found that attackers engaged people through email, social media and mobile apps to do the dirty work of infecting systems, stealing credentials and transferring funds.

• The researchers found that 99.7% of documents used in attachment-based campaigns relied on social engineering and macros, rather than automated exploits. Some 98% of URLs in malicious messages link to hosted malware, either as an executable or an executable inside an archive.

#PSTech

Top Threats

• Smishing – SMS phishing: text messages that try to get people to pay money or click on suspicious links.

  • Sometimes attackers try to get victims on the phone by sending a text message asking them to call a number, in order to persuade them further.

  • Unsolicited text messages from unknown numbers should raise alarm bells, but banks do text their customers for a variety of reasons.

  • In that case, call the bank using a number from a bank statement or another verified source, never one taken from the text message.

• Spear Phishing – personalized e-mail solicitations, usually appearing to come from someone within the company in a position of trust, directly requesting information such as login IDs and passwords

• Whaling / Business E-mail Compromise – a digital con game targeting upper managers in private companies.

Business E-Mail Compromise (BEC)

• Treat all of the following as fraudulent until verified out of band (pick up the phone and call the party at a number you already have on file, not one supplied in the message):

  • All e-mail/fax requests from a vendor to change bank accounts

  • All e-mail/fax requests from the company President

  • All e-mail/fax requests to set up a new vendor

  • All e-mail/fax requests from senior management to immediately wire refund money to a customer

Top Threats

• Ransomware families

  • CryptoWall

  • CryptoLocker

  • CoinVault

  • Bitcryptor

  • Locky

  • TeslaCrypt

• Stampado

  • Sold for $39 on the dark web

  • Threatens to delete files every six hours post-infection

  • Computers infected by Stampado are given 96 hours to pay 1 bitcoin (about $660 at the time) to decrypt files

Ransomware

• Recovering data encrypted by ransomware without the attacker’s key is not feasible (free decryptors exist only for families whose authors made implementation mistakes), so prevention and tested backups offer the better approach.

• Prevention

  • Make sure employees are aware of ransomware and of their critical role in protecting the organization’s data.

• Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).

• Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.

• Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.

Ransomware

• Prevention (continued)

  • Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they do not need write access to those files or directories; ransomware runs with the rights of the user who opened it, so every share that user can write to is at risk.

  • Disable macros in Office files received by e-mail (Office 2016 can block macros in files that came from the Internet via Group Policy).

  • Consider installing the MS Office Viewers for users who only need to read documents.

  • Implement software restriction policies or other controls (e.g. AppLocker) to prevent programs from executing from common ransomware locations, such as %TEMP%, browser download folders and the working folders of compression/decompression programs.

  • Segment the company network.

  • Authenticate inbound e-mail (SPF, DKIM and DMARC checks).

  • Add ad blocking.

  • Monitor file activity: a burst of renames or rewrites across a share is the earliest sign of an infection.

Ransomware

• Business Continuity Efforts

  • Back up data regularly and verify the integrity of those backups regularly; an untested backup is a hope, not a plan, so practise restores.

  • Secure your backups: encrypt them.

  • Make sure they are not connected to the computers and networks they are backing up, i.e. disconnected, off-site, etc. Ransomware encrypts every mapped drive and writable share it can reach, including an always-connected backup disk.
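One concrete way to "verify the integrity of those backups" rather than trusting the backup job’s exit code, added here as an example and not code from the deck or from any product it names: hash every file at backup time, store the manifest with the offline copy, and re-check a test restore (or the live tree before the next run) against it. A tree where most files come back modified, with `.locked` copies added, is the signature of backing up data that was already encrypted. The sample files, the ransomware simulation and the `backup-demo` name are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a slash-separated path relative to the backup root to the
// SHA-256 of that file's content.
type Manifest map[string]string

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Build walks root and hashes every regular file. Run it when the backup is
// taken and keep the manifest with the offline copy, not on the host that
// could be ransomed.
func Build(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.Type().IsRegular() {
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

// Report lists how a tree differs from the manifest it was taken against.
type Report struct {
	Modified, Missing, Added []string
}

// Clean is true when the tree matches the manifest exactly.
func (r Report) Clean() bool {
	return len(r.Modified)+len(r.Missing)+len(r.Added) == 0
}

// Verify re-hashes root and compares it with want.
func Verify(root string, want Manifest) (Report, error) {
	got, err := Build(root)
	if err != nil {
		return Report{}, err
	}
	var r Report
	for p, sum := range want {
		cur, ok := got[p]
		if !ok {
			r.Missing = append(r.Missing, p)
		} else if cur != sum {
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range got {
		if _, ok := want[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	sort.Strings(r.Added)
	return r, nil
}

func main() {
	dir, err := os.MkdirTemp("", "backup-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample tree standing in for a file share.
	os.WriteFile(filepath.Join(dir, "ledger.xlsx"), []byte("Q1 figures"), 0o600)
	os.WriteFile(filepath.Join(dir, "memo.docx"), []byte("board memo"), 0o600)
	known, _ := Build(dir)
	// Simulated ransomware run: one file overwritten with ciphertext, one
	// renamed with a new extension, and a ransom note dropped.
	os.WriteFile(filepath.Join(dir, "ledger.xlsx"), []byte{0x8f, 0x12, 0x7a, 0x03}, 0o600)
	os.Rename(filepath.Join(dir, "memo.docx"), filepath.Join(dir, "memo.docx.locked"))
	os.WriteFile(filepath.Join(dir, "HOW_TO_DECRYPT.txt"), []byte("pay 1 BTC"), 0o600)
	r, _ := Verify(dir, known)
	fmt.Printf("clean=%v modified=%v missing=%v added=%v\n", r.Clean(), r.Modified, r.Missing, r.Added)
}
```

The manifest must live with the disconnected copy: a manifest stored on the protected share is encrypted along with everything else, and one regenerated after the fact only proves the ciphertext is intact.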

Top Threats

• Unpatched vulnerabilities (still!)

• USB Flash Drive worms

• IoT (Internet of Things)

Best Practices

IT Security – Internal “Short List”

Education

Latest versions / Patches

Encryption

Security Suite, i.e. anti-virus, anti-botnet, anti-spam and anti-spyware

Passwords / Passphrases

Authentication – multi-factor

Wireless Security

Firewall • Perimeter • Personal/Application • Web Application Firewall

Web-based e-mail/ file sharing

Router/IP Addressing

Physical Access

Mobile devices

Encrypted Backups – key to recovering from ransomware

Windows 10 Security

• Win10 can block untrusted applications from installing or running on the system, with trustworthiness verified via the application’s digital signature (SmartScreen, and Device Guard code-integrity policies on Enterprise editions).

• Win10 includes several new authentication and trust features, including:

  • Identity protection and access control built in to withstand phishing attacks

  • Two-factor authentication combining the device (holding a TPM-protected key) with a PIN or biometric gesture

  • A data loss prevention tool that automatically encrypts corporate data saved in predetermined locations

Windows 10 Boot

• Secure Boot (a feature of the Unified Extensible Firmware Interface, UEFI): the firmware refuses to run a boot loader that is not signed by a trusted key.

• Windows Trusted Boot: the boot loader then verifies the signatures of the kernel, boot drivers and early-launch anti-malware before loading them.

• Together they create an architecture that is fundamentally resistant to bootkits and rootkits. Both depend on the firmware being locked down: anyone who can disable Secure Boot in UEFI setup removes the root of the chain.

MS Edge

• The IE web browser was hammered in 2014 across all Windows platforms: over 200 vulnerabilities were patched in various versions of IE in 2014 alone.

• Edge’s engine features HTTP Strict Transport Security (HSTS). HSTS is a response header, sent over HTTPS, that tells the browser to request the given domain (and optionally its subdomains) only over HTTPS for a stated period, refusing to downgrade even when the user types http:// or follows an http:// link. This removes the SSL-stripping man-in-the-middle attack surface for sites the browser has already visited; the very first visit is protected only for sites on the browser’s preload list. HSTS is not Edge-specific: IE 11 and the other major browsers honour it too.
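The browser-side logic HSTS implies, as an added example rather than anything from the deck or from Edge’s source: parse the header, cache the policy per host with its expiry, refuse to honour a policy that arrived over plain HTTP, and decide on each plain-http request whether it must be upgraded, including the subdomain and first-visit cases. The host names and header values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Policy is one cached HSTS entry for the exact host that sent the header.
type Policy struct {
	Expires           time.Time
	IncludeSubDomains bool
}

// ParseHSTS parses a Strict-Transport-Security header value (RFC 6797 6.1):
// a required max-age=N directive and an optional includeSubDomains token.
// Unknown directives, including the non-standard "preload" marker, are ignored.
func ParseHSTS(value string, now time.Time) (Policy, error) {
	var p Policy
	seenMaxAge := false
	for _, d := range strings.Split(value, ";") {
		parts := strings.SplitN(strings.TrimSpace(d), "=", 2)
		switch strings.ToLower(strings.TrimSpace(parts[0])) {
		case "max-age":
			if len(parts) != 2 || seenMaxAge {
				return Policy{}, errors.New("hsts: malformed or duplicate max-age")
			}
			secs, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(parts[1]), "\""), 10, 64)
			if err != nil || secs < 0 {
				return Policy{}, errors.New("hsts: max-age must be a non-negative integer")
			}
			p.Expires = now.Add(time.Duration(secs) * time.Second)
			seenMaxAge = true
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	if !seenMaxAge {
		return Policy{}, errors.New("hsts: max-age directive is required")
	}
	return p, nil
}

// Store is the browser-side HSTS cache, keyed by lower-case host name.
type Store map[string]Policy

// Learn records a header. It is honoured only when it arrived over TLS;
// otherwise an attacker on the path could plant a policy, or clear one
// with max-age=0, over plain HTTP.
func (s Store) Learn(host, header string, overTLS bool, now time.Time) error {
	if !overTLS {
		return errors.New("hsts: header received over insecure transport, ignored")
	}
	p, err := ParseHSTS(header, now)
	if err != nil {
		return err
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !p.Expires.After(now) { // max-age=0 tells the browser to forget the host
		delete(s, host)
		return nil
	}
	s[host] = p
	return nil
}

// ShouldUpgrade reports whether a plain-http request for host must be rewritten
// to https before it leaves the browser. An unexpired policy for the exact host
// applies; a parent domain's policy applies only if it set includeSubDomains.
// A host never seen over HTTPS gets nothing: the first-visit gap that browser
// preload lists exist to close.
func (s Store) ShouldUpgrade(host string, now time.Time) bool {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	for i := range labels {
		p, ok := s[strings.Join(labels[i:], ".")]
		if ok && p.Expires.After(now) && (i == 0 || p.IncludeSubDomains) {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)
	s := Store{}
	// Constructed header values, as two sites might send them over HTTPS.
	_ = s.Learn("example.com", "max-age=31536000; includeSubDomains; preload", true, now)
	_ = s.Learn("legacy.example.net", "max-age=3600", true, now)
	for _, h := range []string{"example.com", "api.example.com", "legacy.example.net", "www.legacy.example.net", "never-visited.org"} {
		fmt.Printf("%-24s upgrade=%v\n", h, s.ShouldUpgrade(h, now))
	}
	fmt.Println("legacy.example.net two hours later:", s.ShouldUpgrade("legacy.example.net", now.Add(2*time.Hour)))
}
```

The two details attackers rely on are visible in the code: a policy only exists after one clean HTTPS visit, and a short max-age (here one hour) expires and leaves the host exposed again, which is why a year-long max-age with includeSubDomains is the usual recommendation.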

Authentication

Authentication Types – what you…

• Know – password / passphrase

• Have

  • Device – smart phone, laptop

  • Connected / disconnected tokens

• Are (biometric) – fingerprint readers, retina scanners or voice recognition

• Location – IP address

• MFA (multi-factor authentication) – employ 2 or more types for significantly stronger confidence


KNOW

Shared secrets – shhh!

• Easily breached, stolen, or phished. A password is a secret the server must also hold (at least as a hash), so every server it lives on is a place it can be stolen from.

• 2016 Verizon Data Breach Investigations Report (DBIR): 63% of the confirmed data breaches it studied involved weak, default or stolen passwords.

Passwords

• Two most common computer passwords in 2015 were “123456” and “password”

• Three recommendations: • Have a robust password policy

• Train employees about data security

• Undergo a thorough risk assessment

Microsoft

• Microsoft recently announced that it will begin dynamically banning weak/easily guessed passwords across Microsoft services (including Outlook, Skype, Xbox and more).

• Drawing on the annual "Worst Password List" by SplashData, banned passwords will include "123456" and "password" at the top of the list, along with the ever-popular "qwerty" and new entrant "starwars".

Passwords

• Four characteristics of a strong password policy

  • Strength of the password itself: longer words and phrases with a diversity of keyboard characters (lowercase and capital letters, symbols, and numbers) are better. Length matters more than character classes; a forced mix mostly produces predictable substitutions such as "P@ssw0rd1".

  • How often a password must be changed. Creating a new password every 60 days is better than allowing a password to remain unchanged for six months. (Caveat: later guidance, NIST SP 800-63B in 2017, recommends against forced periodic rotation when there is no evidence of compromise, because it pushes users toward incremental, guessable changes.)

  • A timeout function, which automatically logs a user out of a system when there is no activity for a set amount of time.

  • A policy that includes lockouts – when a user types an incorrect password, say, three times in a row, the user must wait for an hour to try again or contact the IT department to regain access. Lockouts stop online guessing but also let an attacker lock users out on purpose, so pair them with per-source rate limiting and alerting rather than relying on them alone.
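What "dynamically banning" a password means in practice, for both the Microsoft announcement above and the "strength of the password" item of the policy, as an added example that is not Microsoft’s code: a naive check compares the candidate with the list verbatim and lets "P@ssw0rd2016!" through; a useful one normalises the candidate first (case, trailing digits and punctuation, leet substitutions) and rejects anything that still contains a banned term. The banned list, the 12-character minimum and the candidate passwords are constructed for the example; the last two candidates are the deck’s own passphrases.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// leet undoes the substitutions people use to sneak a dictionary word past a
// naive check ("P@ssw0rd!" normalises back to "password").
var leet = strings.NewReplacer(
	"@", "a", "4", "a", "3", "e", "1", "i", "!", "i", "|", "l",
	"0", "o", "$", "s", "5", "s", "7", "t", "+", "t",
)

// banned is a constructed stand-in for the SplashData-style list plus terms
// specific to the organisation (its name, products, city).
var banned = []string{"password", "123456", "qwerty", "starwars", "letmein", "welcome", "arxis"}

// Normalize lower-cases the candidate, strips the trailing digits and
// punctuation users append to satisfy complexity rules, then reverses the
// common leet substitutions.
func Normalize(pw string) string {
	s := strings.TrimRightFunc(strings.ToLower(pw), func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	})
	return leet.Replace(s)
}

// Check enforces a minimum length on the raw input and rejects any candidate
// whose lower-cased or normalized form contains a banned term. It returns the
// reason so the sign-up page can tell the user what to change.
func Check(pw string, minLen int) (ok bool, reason string) {
	if len([]rune(pw)) < minLen {
		return false, fmt.Sprintf("shorter than %d characters", minLen)
	}
	for _, form := range []string{strings.ToLower(pw), Normalize(pw)} {
		for _, b := range banned {
			if strings.Contains(form, b) {
				return false, fmt.Sprintf("contains banned term %q (seen as %q)", b, form)
			}
		}
	}
	return true, ""
}

func main() {
	candidates := []string{
		"P@ssw0rd2016!", "Starwars#1", "Tr0ub4dor&3", "qwerty123456",
		"1L0ve2run!", "V3get4bl3sRg00d4u?", "correct horse battery staple",
	}
	for _, pw := range candidates {
		ok, why := Check(pw, 12)
		fmt.Printf("%-32q ok=%-5v %s\n", pw, ok, why)
	}
}
```

The substring match is deliberately aggressive: a long passphrase that happens to contain "welcome" is rejected too, which is the trade-off Microsoft’s service makes as well. Hash the candidate and check it against known-breached password sets before accepting it if that data is available; this example only shows the list-and-normalise step.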

Passphrases

• Passphrases

  • Difficult to guess given information about you, and resistant to a dictionary cracking tool

  • Easy to type, so that someone watching cannot follow it being typed

  • Long – the longer the better

• General examples:

  • I love to run → 1L0ve2run!

  • Go UCLA Bruins! → G0uclaBru1ns!

  • Vegetables are good for you? → V3get4bl3sRg00d4u?

• To make one unique for each web site/login, weave letters of the site name into the phrase:

  • Facebook / Vegetables are good for you? → FV3get4bl3saRg00d4cu?

  • LinkedIn / Vegetables are good for you? → LV3get4bl3siRg00d4nu?

• Caveat: once one site’s variant leaks in a breach, the pattern is visible and the other variants are a few guesses away. A password manager that generates a distinct random password per site avoids this, with the memorable passphrase reserved for the manager itself.

Single Sign-On (SSO)

• Session/user authentication process that permits a user to enter one name and password in order to access multiple applications.

• In federated SSO (SAML, OpenID Connect) the identity provider authenticates the user once and issues a signed assertion or token to each application; the applications never see the password, which is stored only at the identity provider.

• The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when the user switches applications during the same session.

• SSO is helpful for

  • Rapid provisioning/de-provisioning of users/accounts

  • Documenting, logging and monitoring user accounts, which not only improves organizational security but also meets the requirements of the Sarbanes-Oxley Act (SOX)

• The identity provider becomes the single point of compromise for every connected application, so it is where MFA and monitoring matter most.

Single Sign-On (SSO)

• Sample products (Identity as a Service)

  • Centrify Identity Service

  • Microsoft Azure AD Premium

  • Okta Identity and Mobility Management

  • OneLogin

  • Ping Identity PingOne

  • SecureAuth IdP

  • SmartSignin

  • Bitium


HAVE

Security Token

• A hardware token (also called an authentication token, USB token, cryptographic token, software token, virtual token, or key fob) is a physical device given to an authorized user of computer services to ease authentication.

• Tokens display a series of numbers that are only valid for a short time, and the numbers have to be entered correctly for users to successfully log in to network and online systems.

Soft Token

• A smartphone soft-token app performs the same task as a hardware-based security token.

• Simpler to deploy and less expensive.

• Like a hardware token, a smartphone keeps the login secret on the device itself, so there is nothing for the user to remember. Caveat: the seed is only as safe as the phone; malware on a compromised or jailbroken device can copy it, whereas a purpose-built hardware token offers no path to export it.

Trusted Platform Module (TPM)

• The TPM is a tamper-resistant component on the motherboard specifically designed to enhance platform security above and beyond the capabilities of today’s software by providing a protected space for key operations and other security-critical tasks.

• Using both hardware and software, the TPM protects encryption and signature keys at their most vulnerable stage: operations in which the keys are being used in unencrypted, plain-text form.

• Specifically designed to shield unencrypted keys and platform authentication information from software-based attacks.

Virtual Smart Cards

• Virtual smart cards emulate the functionality of traditional smart cards, but they use the Trusted Platform Module (TPM) rather than requiring a separate physical smart card and reader.

Authenticator Apps

• Google Authenticator (free on Android, iOS, and BlackBerry)

• Twilio Authy (free on iOS including Apple Watch, Android, BlackBerry, MacOS, Windows, and Chrome browser)

• Duo Mobile (on iOS, Android, BlackBerry, and Windows Phone)
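What the hardware tokens, soft tokens and authenticator apps above actually compute, as an added example and not code from any of those products: the time-based one-time password of RFC 6238 (HOTP of RFC 4226 driven by a 30-second counter), which is what Google Authenticator, Authy and Duo Mobile generate by default. The server side shows the two checks that matter in practice: a small clock-skew window, and refusing to accept the same time step twice so a code phished in real time cannot be reused inside its window. The secret is the RFC 6238 Appendix B test key, so the 8-digit outputs can be checked against the RFC; the skew and replay bookkeeping are the example’s own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation, then reduction to the requested number of digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is the time-based variant (RFC 6238): the counter is the number of
// whole steps (30 s for the apps listed above) since the Unix epoch.
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(t.Unix()/int64(step/time.Second)), digits)
}

// Verify accepts the code for the current step or for up to skew adjacent
// steps to tolerate clock drift, compares in constant time, and refuses any
// step at or below *lastStep (the caller persists it per user), so a code
// that was already used cannot be replayed within its window.
func Verify(secret []byte, code string, t time.Time, step time.Duration, digits, skew int, lastStep *int64) bool {
	cur := t.Unix() / int64(step/time.Second)
	for d := -skew; d <= skew; d++ {
		cand := cur + int64(d)
		if cand <= *lastStep {
			continue
		}
		expected := hotp(secret, uint64(cand), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			*lastStep = cand
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
	secret := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Println(ts, TOTP(secret, time.Unix(ts, 0), 30*time.Second, 8))
	}
	var last int64 = -1
	now := time.Unix(1234567890, 0)
	code := TOTP(secret, now, 30*time.Second, 6)
	fmt.Println("fresh code accepted:", Verify(secret, code, now, 30*time.Second, 6, 1, &last))
	fmt.Println("same code again:   ", Verify(secret, code, now, 30*time.Second, 6, 1, &last))
}
```

The seed is the whole secret: whoever holds it (the phone, the server, or a backup of either) can produce every future code, which is why the soft-token caveat above and the "no shared secret on the server" property of Passport below both matter.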

Two-step Verification

• Involves two subsequent, but dependent stages to check identity

• Required when attempting to use new/untrusted device

• Largely replacing token based solutions

Gatekeeper Chain

• Auto lock/unlock machine based on proximity

• 2FA – Gatekeeper + PIN

• Bluetooth 4.0

• AES-128 and AES-256 bit encryption

• Supports Win 7, 8 & 10 and Mac OS X

• 6 months battery life

• 100’ range

• $25


ARE

Biometrics

• Authentication techniques that rely on measurable physical characteristics that can be automatically checked

Characteristics

• Fingerprint

• Hand

• Voice

• Iris

• Facial

• DNA

Spoofing and FAR (False Acceptance Rate): every sensor can be presented with a copy (a lifted fingerprint, a photo or video of a face), and every matcher trades FAR against FRR (False Rejection Rate); loosen the threshold and impostors get in, tighten it and legitimate users are locked out. A biometric is an identifier rather than a secret and cannot be changed if it leaks, which is why Windows Hello keeps the template on the device and uses it only to unlock a key rather than sending it anywhere.

Intel RealSense

• Three cameras — they “see” like the human eye to sense depth and track human motion

eyeLock nano NXT

• Miniaturized iris recognition technology

• Ideal replacement for card-based systems – no PIN required!

• Applications include: • Banking – ATMs

• Automotive

• Restrict access to secured entrances/spaces

Windows Hello

• Biometric sign-in system

• Fingerprint, iris or facial identification (limited to devices with specialized hardware, such as the Intel RealSense 3D camera)

• Authentication happens when the user supplies their unique biometric identifier or PIN to unlock the device-specific Microsoft Passport credentials

Introducing Windows Hello “Winky”

Passport

• A more secure way to sign in to sites or apps.

• Instead of passwords, Windows 10 authenticates to applications, websites and networks on your behalf without ever sending a password.

• No shared password is stored on servers for a hacker to compromise: the server holds only the public half of a key pair.

Passport

• Benefits

  • User convenience – the employee provides credentials (such as account and password, or other credentials) once and is then guided to set up Microsoft Passport and Hello. From that point on, the employee can access enterprise resources by providing a gesture.

  • Security – Microsoft Passport helps protect user identities and user credentials. Because no passwords are used, it defeats phishing and brute-force attacks on the credential itself. A breach of the server exposes only public keys, because each Passport credential is an asymmetric key pair whose private half is generated and held inside the isolated environment of the Trusted Platform Module (TPM); the server issues a fresh challenge for each sign-in, which the device signs, so a captured response cannot be replayed.
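The exchange those benefits describe, as an added example and not Microsoft’s implementation: the server enrols a public key, issues a random nonce per sign-in, and verifies an ECDSA signature over it; the device releases its private key for signing only after the local gesture (a PIN here) is accepted. The `Device` type stands in for the TPM, the "login:user:nonce" hash layout, the P-256 curve and the user name are the example’s own choices, and the PIN check is a toy (a real TPM also rate-limits PIN guesses).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server holds only public keys and the nonce outstanding for each sign-in.
// Dumping this state gives an attacker nothing to log in with, unlike a
// password (or even password-hash) database.
type Server struct {
	pubKeys map[string]*ecdsa.PublicKey
	nonces  map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, nonces: map[string][]byte{}}
}

// Register stores the device's public key once, at provisioning time.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce for this attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	s.nonces[user] = n
	return n, nil
}

// challengeHash binds the signature to this user and this nonce (assumed
// layout for the example).
func challengeHash(user string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte("login:"+user+":"), nonce...))
	return h[:]
}

// Authenticate verifies the signature and retires the nonce whatever the
// outcome, so a captured response cannot be replayed.
func (s *Server) Authenticate(user string, sig []byte) bool {
	nonce, ok := s.nonces[user]
	if !ok {
		return false
	}
	delete(s.nonces, user)
	return ecdsa.VerifyASN1(s.pubKeys[user], challengeHash(user, nonce), sig)
}

// Device stands in for the TPM-backed side. The private key never leaves it
// and is used only after the local gesture is accepted.
type Device struct {
	user string
	priv *ecdsa.PrivateKey
	pin  string
}

func NewDevice(user, pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{user: user, priv: priv, pin: pin}, nil
}

// PublicKey is the only thing the server ever learns about the credential.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Respond checks the gesture, then signs the server's nonce. Toy PIN check:
// a real TPM enforces anti-hammering on failed attempts.
func (d *Device) Respond(pin string, nonce []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil, errors.New("gesture rejected")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, challengeHash(d.user, nonce))
}

func main() {
	srv := NewServer()
	dev, _ := NewDevice("alice", "2468")
	srv.Register("alice", dev.PublicKey())

	nonce, _ := srv.Challenge("alice")
	sig, _ := dev.Respond("2468", nonce)
	fmt.Println("first sign-in:", srv.Authenticate("alice", sig))
	fmt.Println("replayed signature:", srv.Authenticate("alice", sig))
	_, err := dev.Respond("0000", nonce)
	fmt.Println("wrong PIN:", err)
}
```

Two properties are worth checking against the deck’s claims: a phishing page that captures the signed response gets a one-shot value for a nonce that has already been retired, and a dump of `Server` contains nothing that can produce a new signature.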

Summary

• Windows 10 is moving the world to a more secure, password-free experience, powered by Microsoft Passport and Biometrics……

• Windows Hello is your face, iris, or fingerprint

• Microsoft Passport is the password replacement solution focusing on the convenience and security

• Windows Hello and PIN are Microsoft Passport gestures that provide true two-factor authentication out of the box: something you have (the device holding the key) and something you are or know (the gesture that unlocks it)


LOCATION

IP Address Restrictions

• Grant or deny specific computers, groups of computers, or domains access to web sites, directories, or files based on the origin (IP address) of the request.

• VPNs/proxies can be used to bypass this limitation, and a shared office or carrier NAT puts many unrelated users behind one address, so treat source IP as a risk signal rather than proof of identity.

• When the check runs behind a load balancer or reverse proxy, use the client address the proxy supplies (e.g. X-Forwarded-For) only if the proxy is trusted and overwrites that header; otherwise a client can forge it and walk straight past the restriction.


RISK BASED AUTHENTICATION

@dcieslak