
Page 1: Online security for our customers · What is information security? •Physical Security –the protection of property, e.g. using fences and locks •Personal Security –e.g. using

www.parmenion.co.uk

Online security for our customers

Page 2

Agenda

• Introduction

• What is information security?

• What is the scale of the problem

• How does an attack work?

• Consequences

• What can I do?

Page 3

Introduction

Page 4

Introduction

What is Information Security?

Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).

• Protecting confidentiality

• Ensuring integrity

• Maintaining availability

Page 5

What is information security?

• Physical Security – the protection of property, e.g. using fences and locks

• Personnel Security – e.g. using background checks on staff

• Contingency Planning and Disaster Recovery – how to resume normal operations after an incident, also known as Business Continuity Planning

• Operational Security – protecting business plans and processes

• Privacy – protecting personal information

http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

Figure (after NIST IR 7621r1): the areas that together make up information security – Cyber security, Privacy, Physical security, Contingency planning and disaster recovery, Operational security, Personnel security.

Page 6

Increasing press profile

Scary news stories about information security breaches are making headlines more frequently than ever, and the subject is increasingly on the minds of people in the UK:

Page 7

Size of breaches

Page 8

Threat landscape – how does this apply to me?

• 90% of large organisations had a security breach

• 74% of small organisations had a breach

• £75k - £311k is the average cost to a small business

• Median number of breaches for large organisation was 14

• 81% of breaches leveraged either stolen or weak passwords


Page 10

Threat landscape

Phishing emails and reused passwords were the most common methods used to get into systems. 55% of internet users in the UK use the same password for most, if not all, of the websites they use (Ofcom, 2013).

22,000 phishing emails came to Parmenion addresses last month. Most were blocked but a few still get through.

4.7 billion usernames and passwords have been stolen from other systems. Check here if yours have been: https://haveibeenpwned.com

Everyone is under attack all the time

Page 11

Motivation

• Fame

• Challenge

• Boredom

• Revenge

• Corporate/political gain

• Money

Page 12

Marketplace

“Customer service is the motto. Hackers are now extending their service hours, guaranteeing their work, and expanding their offerings to keep customers coming back.”

Dell SecureWorks

Page 13

Marketplace

Item – Recent prices (2016)

• Angler Exploit Kit – $100 – $135

• UK ‘Fullz’ (a full set of identity details) – $25

• Physical counterfeit driver’s licence (U.S., U.K., Germany, Israel, International Driver’s Permit) – $173

• Popular U.S. online “business” payment account credentials – $20 – $149

• Bank account credentials (UK) – $700 for an account with a balance of $10,000

• High quality bank accounts with verified, large balances of $70,000 – $150,000 – 6% of the account balance

Page 14

How does an attack work?

Page 15

How does an attack work?

“Don’t assume a crack is too small to be noticed or too small to be exploited. If you do a pen test and you say ‘We look great on these 97 things, but these 3 things over here are kind of esoteric and probably don’t matter that much’ – that’s all we need. […] We’re going to look for that esoteric edge case to break in.”

Chief of ‘Tailored Access Operations’, NSA

Page 16

How does an attack work?

• Initially gain entry

• Establish persistence to allow repeat entry

• Lateral movement to other systems

• Exfiltration of data to exploit it

https://blogs.sophos.com/2014/04/11/how-do-apts-work-the-lifecycle-of-advanced-persistent-threats-infographic/

Page 17

http://www.uidaho.edu

Page 18

Phishing

• Fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials, or to install malware.

• For example, scammers posing as PayPal might send out an attack email that instructs the recipient to click on a link in order to rectify a discrepancy with their account.

• The link can then lead to a number of things:

• A fake PayPal login page that collects the user’s login credentials and delivers them to the attackers.

• A site that installs malware on the user’s machine.

• Phishing can be generic and untargeted, or customised with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. These more targeted attacks are referred to as spear phishing.

Page 19

Phishing email – Spot the difference

Page 20

6 ways to spot a phish

1. Unusual sender address (hover over the From: email address to check)

2. Fraudulent / fake website addresses that are similar to but not the same as the real thing (hover over the web link in the email to check the real website address)

3. Forceful / fake urgency to get you to respond before you think

4. Requests for passwords or other confidential information

5. Poor spelling and grammar

6. Usually sounds too good or bad to be true or just unexpected
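The checklist above can be partly automated. The Python script below is an added example (it is not from the Parmenion deck) that applies items 1 and 2 mechanically to a constructed sample message and scans the visible text for items 3 and 4. The message, the domains and the keyword lists are invented for illustration, and the "last two DNS labels" domain comparison is a simplification of what a real mail filter would do with the public suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; the domains are invented and
# belong to no real organisation.
SAMPLE_RAW = """\
From: "PayPal Service" <service@paypa1-secure.example>
To: customer@example.org
Subject: URGENT: your account will be limited in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a discrepancy with your account. Please confirm your password
within 24 hours or your account will be suspended.</p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "limited")
CREDENTIAL_WORDS = ("password", "card number", "security answer", "login details")
# Link text that itself looks like a URL or host name, e.g. "www.paypal.com/signin".
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels: 'paypal.com.account-verify.example' -> 'account-verify.example'.
    Deliberately simple; a production filter would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phish_indicators(raw_message, expected_sender_domains):
    """Return a list of findings. An empty list means nothing fired, which is
    not proof that the mail is genuine."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Unusual sender address: look past the display name to the real domain.
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if registrable_domain(sender_domain) not in expected_sender_domains:
        findings.append(f"sender '{display_name}' actually comes from {sender_domain}")

    html_body = msg.get_content()

    # 2. Link text names one site but the href goes somewhere else (the hover check, automated).
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(href_host) != registrable_domain(text_host):
            findings.append(f"link shows '{text}' but goes to {href_host}")

    # 3 and 4. Fake urgency and requests for secrets, judged on the visible text only.
    visible = re.sub(r"<[^>]+>", " ", html_body).lower()
    haystack = str(msg["Subject"] or "").lower() + " " + visible
    urgency = [w for w in URGENCY_WORDS if w in haystack]
    if urgency:
        findings.append("urgency wording: " + ", ".join(urgency))
    secrets = [w for w in CREDENTIAL_WORDS if w in haystack]
    if secrets:
        findings.append("asks for: " + ", ".join(secrets))
    return findings


if __name__ == "__main__":
    for finding in phish_indicators(SAMPLE_RAW, {"paypal.com"}):
        print("-", finding)
```

Run against the sample it reports four findings: the sender domain, the link whose text and target disagree, the urgency wording and the request for a password. Item 5 (spelling and grammar) and item 6 (too good or bad to be true) are left to the human reader, which is the point of the checklist.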

Page 21

Phishing

Page 22

Malware – What is it?

• Short for 'Malicious Software'

• A program that does something you do not want it to do

• Types of malware include:

• Ransomware

• Spyware

• Adware

• Viruses

Page 23

Malware – What does it do?

The Angler exploit kit is a popular choice. It can be bought for $100 – $135 and used by someone with relatively little technical skill. If a user’s machine is infected, the typical actions are:

• Install other malware (financial – designed to transfer money from bank accounts, ransomware – encrypt files and require money to decrypt)

• Collect confidential data (usernames, passwords, card details, etc.) and upload it to the servers they control

• or tie the infected system into a botnet (a “zombie army” of computers used to deliver additional attacks).

Page 24

Page 25

Repeated email / password attack (credential stuffing)

According to Shape, compromised credentials from these massive data breaches were used to target websites in the retail, finance, travel, and government industries.

Their report also noted that the success rate for credential stuffing attacks was between 0.1 percent and 2 percent.

That means, if 1 million credentials were stolen from a website like LinkedIn and then used in a credential stuffing attack on Amazon.com, then a hacker would be able to access between 1,000 to 20,000 accounts.

This number multiplies if the same credentials can also be used to access other websites and applications.

http://info.shapesecurity.com/rs/935-ZAM-778/images/Shape-2017-Credential-Spill-Report.pdf
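From the defender’s side, credential stuffing looks like one source address trying many different usernames in quick succession with almost all attempts failing, and the odd success is an account that has just been taken over. The Python detector below is an added example, not part of the original presentation. The log format and the log lines are constructed for the example, and the thresholds (a 10-minute window, 8 distinct usernames, at most 10% success) are assumptions to be tuned for a real site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log for this example (not from any real system).
# 203.0.113.5 cycles through many different usernames; 198.51.100.7 is one
# user mistyping their own password twice before getting in.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2017-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2017-03-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2017-03-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2017-03-01T10:00:03Z ip=203.0.113.5 user=erin result=SUCCESS
2017-03-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2017-03-01T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2017-03-01T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2017-03-01T10:00:05Z ip=203.0.113.5 user=ivan result=FAIL
2017-03-01T10:00:06Z ip=203.0.113.5 user=judy result=FAIL
2017-03-01T10:00:06Z ip=203.0.113.5 user=ken result=FAIL
2017-03-01T10:00:07Z ip=203.0.113.5 user=lisa result=FAIL
2017-03-01T10:01:10Z ip=198.51.100.7 user=mallory result=FAIL
2017-03-01T10:01:25Z ip=198.51.100.7 user=mallory result=FAIL
2017-03-01T10:01:40Z ip=198.51.100.7 user=mallory result=SUCCESS
2017-03-01T11:30:00Z ip=203.0.113.5 user=alice result=SUCCESS
"""


def parse_line(line):
    """'<ISO time> ip=.. user=.. result=..' -> (datetime, ip, user, result)."""
    stamp, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split())
    return (datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            fields["ip"], fields["user"], fields["result"])


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_distinct_users=8, max_success_rate=0.10):
    """Sliding window per source IP. Flag a source that tries at least
    min_distinct_users different accounts within `window` with a success
    rate no higher than max_success_rate. Returns {ip: summary}. The
    'compromised' list holds the accounts that did log in from the flagged
    source; those are the ones to force a password reset on."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            stamp, ip, user, result = parse_line(line)
            by_ip[ip].append((stamp, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, r in span if r == "SUCCESS"]
            rate = len(successes) / len(span)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                previous = alerts.get(ip)
                if previous is None or len(users) > previous["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "success_rate": round(rate, 3),
                        "compromised": sorted(set(successes)),
                        "window": (span[0][0].isoformat(), span[-1][0].isoformat()),
                    }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample only 203.0.113.5 is flagged (12 usernames in six seconds, one success), and the single successful account, erin, is the one to reset. The legitimate user on 198.51.100.7 never trips the rule because the distinct-username count stays at one. Attackers spread attempts across many addresses precisely to defeat per-IP counts like this, so a real deployment also watches the global failure rate and the ratio of new usernames per minute.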

Page 26

Social engineering

Social engineering is the way cybercriminals use human-to-human interaction to get a user to divulge sensitive information or take an action that helps the attacker.

Page 27

Consequences

Page 28

Consequences

Regulator fines

• Zurich UK fined £2.275 million by the FSA for losing details of 46,000 customers

• HSBC Life fined £1.61 million by the FSA for repeated transmission of unencrypted data

• The Money Shop fined £180,000 for failing to take steps to address the risk of loss of client data after servers were stolen, even though there was no evidence of any harm to individuals or that the data had been accessed

• HCA International Ltd fined £200,000 when an Indian company they were using for transcription had its unsecured server hacked, revealing HCA’s clients’ personal details

Financial loss

• Several banks on the SWIFT network have been hit for over $100m in total so far this year

As well as:

• Reputational damage / loss of goodwill

• Impairment of business performance

• Disruption to business activities

Page 29

Where does that leave us?

Figure: “You”, caught between a rock and a hard place. On one side the attackers – hackers, cybercriminals, hacktivists, crackers, script kiddies, disgruntled staff and untrained staff; on the other the regulators – the FCA and the ICO.

Page 30

What can I do?

Page 31

What can I do?

Cyber focus

• This presentation is focused on immediate protections for the cyber side of information security

• This is only a starting point, it is not a comprehensive list

• The order is not an implementation order or importance

Page 32

Risk

There is no complete defence against cyber attack. The key is to understand your risks and make a conscious decision about how much risk to accept. The less skilled attackers are by far the most numerous, and also the cheapest to defend against:

Skill level   Example                   Quantity of attacks   Cost to defend
Very low      Script kiddies            Very high             Low
Low           Untargeted phishing       Very high             Low
Medium        Targeted phishing         High                  Low
High          Disgruntled ex-employee   Medium                Medium
Very high     Motivated hacker          Low                   High
Extreme       State-level attack        Very low              Extreme

Page 33

Layers

Organisations need to widen their security nets to protect and defend against opportunistic attacks and infections. The term layered security describes a defensive strategy featuring multiple defensive layers that are designed to slow down an attacker. The military calls this defence in depth.

Essentially no one defense is a silver bullet.

https://uk.sans.org/reading-room/whitepapers/analyst/layered-security-works-34805

Figure (SANS): the layers of a defence-in-depth model, from the outside in – Policies, procedures & awareness; Physical; Perimeter; Network; Host; App; Data.

Page 34

Training

Staff are a first line of defence for:

• Preventing social engineering attacks

• Preventing phishing attacks

• Detecting attacks / infiltrations

Actions: talk to your employees about:

• Keeping a clean machine – what needs to be installed

• Following good password practices –complexity and reuse

• When in doubt, throw it out –suspicious emails, websites

• Backing up their work

• Staying watchful and speaking up

Page 35

Firewalls

Firewalls are designed to allow only specific communications in and out of a network. Different types of Internet communication use different ports, e.g. web traffic flows on ports 80 and 443. Firewalls can close down the ports that are not needed so that they cannot be put to malicious use.

Some malware needs to communicate out/in for instructions and firewalls can prevent this.

Actions:

• Ensure you have a firewall to control access

• Use a whitelist mode (block everything except what is explicitly allowed) rather than a blacklist mode (allow everything except what is explicitly blocked)

Page 36

Web and spam filtering

This is really an extension of firewalls. As well as blocking specific channels, some firewalls can perform deeper inspection, look at the specific traffic going through and block that. Many attacks are delivered from malicious websites or through adverts; blocking these leaves fewer vectors for attack.

Lists of categorised sites can be subscribed to and are updated continually. The categories include malicious and advert sites as well as others such as social (e.g. Facebook), file sharing (e.g. Dropbox), news, email, etc.

Actions:

• Determine if your network can support filtering

• Determine what you would like to block (minimum malicious)

• Implement the blocking, then whitelist any legitimate sites needed for business that it blocks

Page 37

Patching

Defects in operating systems and in client software such as web browsers, email programs, image viewers, instant messaging software and media players can let a malicious website, message or media file infect or compromise your computer with no action on your part beyond viewing or listening to it.

Some attacks are ‘zero day’, i.e. they exploit previously unknown vulnerabilities for which no patch yet exists; patching cannot stop those. The great majority, however, exploit vulnerabilities that have already been fixed, so keeping systems patched prevents both those and follow-up attacks through the same hole.

Actions:

• Turn on automatic updates where possible

• Do not forget Adobe Flash and Java

• Centralised monitoring where appropriate

Page 38

Virus protection

Anti-virus software and malicious code detection tools are commonly used to protect information systems from malicious attacks.

As with patching, new viruses and malware are designed to get past current anti-virus software, so it will not catch everything; once its signatures are updated, though, it will stop follow-up attacks using the same malware.

Actions:

• Ensure you have anti-virus software

• Ensure it is up to date and auto updates

• Centralised reporting where appropriate

Page 39

Restrict administration access

Computers generally have different levels of access, with administrative access being the most comprehensive and powerful. Administrative access is not needed for most day-to-day use and is typically reserved for installing programs and changing settings.

Some malware requires administrative access to install.

Actions:

• Users should not have administrative access by default

• Only specific designated users should be administrators

Page 40

Appropriate Access

Do all employees need access to all files? There may be sensitive information, such as HR files and salaries or client data, that not everyone needs in order to do their job. The less information each user can see, the less is exposed during a breach. The information does not even have to be sensitive: a breach could be ransomware encrypting files, and ransomware running under a user’s account can only encrypt the files that user can access.

Actions:

• Map who needs access to what within your organisation

• Revisit this frequently as it soon goes out of date

• Try to think about roles rather than people

• Use this information to grant access to files

• No access should be the default

Page 41

Password re-use / password managers

55% of net users use the same password for most, if not all, websites. (2013)

Attacks on websites can leak lists of usernames and passwords. The more websites a user has accounts on, the greater the chance that they are part of a leaked set, and if the password was not unique their other services are at risk of being compromised too.

If you have been included on a leaked set you can find out from https://haveibeenpwned.com which has an index of 4.7 billion accounts.

Actions:

• Do not use the same password for multiple sites / services

• If needed update historic accounts

• Consider a password manager to keep track of accounts and passwords
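A password can be checked against leaked sets without ever sending it anywhere. Have I Been Pwned’s Pwned Passwords range API (a separate service from the breached-account search mentioned above) works on SHA-1 hashes: the client sends only the first five hex characters of the hash and gets back every hash suffix in that range, so the comparison happens locally and the service never learns which password was checked (k-anonymity). The Python below is an added example, not code from this presentation or from HIBP; the range response it uses is constructed so that the script runs offline, and the counts in it are invented.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint, used only by live_fetch


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest):
    """First 5 hex chars go to the service, the remaining 35 stay on the client."""
    return hex_digest[:5], hex_digest[5:]


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus; 0 means not found.
    fetch_range(prefix) must return the response body, one 'SUFFIX:COUNT' per line."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def live_fetch(prefix):
    """Network lookup against the real service (not called in the offline demo)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-passwords-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service so the example runs offline. The
# suffixes are computed here; the counts are invented, not real statistics.
_CONSTRUCTED_CORPUS = {"password": 3500000, "letmein": 120000}
_RANGES = {}
for _pw, _count in _CONSTRUCTED_CORPUS.items():
    _prefix, _suffix = split_hash(sha1_hex(_pw))
    _RANGES.setdefault(_prefix, []).append(f"{_suffix}:{_count}")
# Some noise in the same range as 'password', so a match has to be made by suffix.
_RANGES.setdefault("5BAA6", []).append("0" * 34 + "A:1")


def offline_fetch(prefix):
    return "\r\n".join(_RANGES.get(prefix, []))


if __name__ == "__main__":
    for pw in ("password", "letmein", "correct horse battery staple 2017"):
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times, do not use' % n if n else 'not in the corpus'}")
```

Swap `offline_fetch` for `live_fetch` to query the real service. The same check belongs in a sign-up or password-change form: reject anything with a non-zero count, since those are exactly the passwords a credential stuffing list already contains.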

Page 42

Use multi-factor authentication

There are generally considered to be three types/factors of authentication:

• Something you know – e.g. a password

• Something you have – e.g. your phone

• Something you are – e.g. your fingerprint

Multi-factor authentication uses more than one factor and gives much higher assurance that the correct user is accessing the service. With just a password, anyone anywhere in the world who obtains it could access your account; also requiring your phone means a stolen or guessed password alone is not enough.

Actions:

• Enable multi-factor authentication wherever it is available

Page 43

Encryption

A study of 329 organisations put the total economic impact of lost laptops at $2.1B, an average of $6.4M per organisation. Although 46% of the lost laptops contained confidential data, only 30% had disk encryption.

Disk encryption is more accessible than ever. Bitlocker on Windows is now included in Pro editions.

Actions

• Ensure laptops have disk encryption

• Make sure you securely store the recovery key, so that a lost password does not mean lost data

• Consider disk encryption for desktops / servers as well

ftp://download.intel.com/technology/product/cost_of_a_lost_laptop.pdf

Page 44

Tested backups

Information security includes data availability and data integrity. These can be compromised by equipment failure, accidental deletion or ransomware encryption.

A defence against all of these is backups. They can be on premise or in the cloud, but a couple of key requirements are:

• Tested – Don’t wait until you need them to test

• Versions / point in time – There is no point in only having a backup of your ransomware encrypted data

Actions:

• Ensure you have backups

• Test your backups

Page 45

In summary

• Training and awareness is the first line of defence

• Use a firewall, whitelist mode is best

• Web and spam filtering can restrict access to illegitimate content

• Restrict access to systems based on roles and responsibilities

• Use strong, unique passwords for each service and use a password manager for extra security and convenience

• Use multifactor authentication where possible

• Encrypt your data

• Back up your data and test regularly

Page 46

www.parmenion.co.uk

Thank You

Parmenion Capital Partners LLP, 2 College Square, Anchor Road, Bristol, BS1 5UE.

T: 0345 519 0100
E: [email protected]
www.parmenion.co.uk

Parmenion Capital Partners LLP is authorised and regulated by the Financial Conduct Authority. FCA Number 462085. Registered in England and Wales OC322243. Wholly owned subsidiary of Aberdeen Asset Management PLC and Aberdeen Investments Limited.