O'Connor & Drew, P.C.
www.ocd.com
@ocdcpa
1
CYBER ATTACK! IS YOUR BUSINESS READY?
IT Audit and Security, O’Connor & Drew, P.C.
October 2014
Jake McAleer, CISA
[email protected]
Professional Profile
• Senior IT Audit and Security Manager, O’Connor & Drew, P.C.
• Director of Operations, Dyn
• Senior IT Auditor, State Street Bank
• Network and Systems Engineer, Raytheon Company
Industry Expertise
• Internet Services and Infrastructure (IaaS, PaaS, SaaS, Colocation, Data Center)
• Financial Services
• Manufacturing
• Government
• Not-for-Profit Organizations
• Family-Owned Businesses
Cyber Attacks In The News
Target
• 70+ million credit cards stolen
• $61 million cost (to date); CIO resigns, CEO eventually leaves
University of Maryland
• Records of more than 300,000 faculty members and students dating back to 1998 were compromised in a data breach
meetup.com
• Website was down for almost a week due to a DDoS attack
You have information they want.
Information IS Your Business
Your Business IS Information
Customer Data
• Personally Identifiable Information (PII) – SSN, Credit Card Numbers, Routing Numbers, License Numbers, etc
• Sensitive – Address, E-mail Address, Phone Number, etc
Business Data
• Sales Information
• Customer Lists
• Contracts
• Acquisitions/Business Valuation
Employee Data
• Compensation
• HR Data (PII and HIPAA)
SMBs Are Often Easy Targets
• Limited IT staff
• Fewer technical controls
• Outdated anti-virus
• Unpatched end-user systems
• No data loss prevention (DLP) software
• Limited or no policies (AUP, ICG, etc)
• Lack of employee awareness and training
• Lack of website filtering
Statistics About Data Breaches
• Two-thirds of the breaches took months or more to discover.
  Source: http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/
• 69% of all breaches were discovered by someone outside the affected organization.
  Source: http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/
• German and US companies had the most costly data breaches ($199 and $188 per record, respectively).
  Source: https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-BreachReport_daiNA_cta72382.pdf
How can they get my business’ information?
Threats Come In Many Different Forms
• External access
  • Insecure firewall settings; poorly patched servers and applications
• Internal resources (infected with malware)
  • Compromised servers, laptops, desktops
• 3rd party hosting/cloud providers
  • Compromised backups; shared resources (storage, VMs, etc)
  • Cloud storage accounts (Dropbox, OneDrive, Carbonite)
• Disgruntled employees
  • Theft, disruption, use of old account credentials
Threats Come In Many Different Forms
• E-mail
  • Accidental forwarding to 3rd parties (typos, wrong attachment, etc)
  • Intentional forwarding to 3rd parties (competition, personal e-mail accounts, etc)
  • Compromised account (weak password, insecure connection, etc)
• Social Engineering
  • Phishing, pretexting, baiting, etc.
• Assets (thumb drives, laptops, cell phones, etc)
  • Lost or stolen devices without PINs/passwords and encryption
  • Unattended unlocked devices
Malware (malicious software) is used to disrupt computer networks, gather sensitive information, or gain access to private computer systems. This software typically relies on local access and/or internal network access to gather data. Viruses, trojans, worms, and ransomware are just some examples.
Malware – A Threat To All Businesses
• Malware Wants Data
  • Names, Date of birth (DOB), SSNs
  • Addresses, Phone numbers, E-mail addresses
  • Confidential competitor information
• Malware Looks Everywhere
  • Company directories
  • Local files (Word Docs, Spreadsheets, etc)
  • E-mail
  • Network file shares (NAS, NFS)
• Malware Doesn’t Care Where It Gets The Data
  • A computer is a computer
[Diagram, slides 13 to 18: an attacker on the Internet works step by step into the Office LAN, ending in “DATA BREACH!”]
Ever visited a website with ads?
Ever used one of these?
• CD/DVD
• Public WIFI
• Thumb Drive
• E-Mail Attachments
We all have! Much of what you do day to day for work and personal purposes exposes you to cyber threats.
Social Engineering “Psychological manipulation of people into performing actions or divulging confidential information” -Wikipedia
Examples Of Social Engineering
• Pretexting
  • Using some information (name, address, phone #) in an attempt to gain access to other information or account details (SSN, CC #).
• Baiting
  • Leaving CDs, DVDs, USB drives around and waiting for employees to pick them up and plug them into work computers.
• Tailgating or Piggybacking
  • Following someone who has valid access into a secured space.
• Name/Title Dropping
  • Using social media to find officers and then pretending to be working on “a special project for them”, or pretending to be tech support calling to troubleshoot an issue who needs your password first.
Examples Of Social Engineering
• Confidence
  • “Looking the part”, “He was dressed up”, “He looked like he worked here”
• Role Playing
  • Pretending to be maintenance or repair workers, a contractor, a delivery person, or law enforcement
• Buddies at work
  • “I locked myself out of my account and need to go! What’s your password so I can get this done and head out for the weekend?”
• Phishing/Spearphishing
  • Attempting to gather sensitive information by posing as a trusted source or known entity (posing as a bank website, Facebook, etc)
Phishing - Can You Spot the Problem?
Phishing - Can You Spot the Problem?
• Not sent from @verizonwireless.com
• Does not actually go to verizonwireless.com when clicked
Information Security Is Everyone’s Responsibility.
Ways To Minimize Risk
• Anti-virus and Anti-Malware
• Firewalls
• IDS/IPS
• Automatic e-mail scanning
• Web filtering
• Employee awareness and training
• Automated backups (preferably offsite)
• Only get software and equipment from reputable sources
• Limit what you host onsite
  • Consider cloud providers and 3rd party hosting
Make sure they’re up to date! Support and patching are important…
Website Outage - DDoS
Outsourcing Considerations
• Consulting
  • Outside expertise and fresh perspective
  • Vendor-specific experience, “set it and forget it”
  • Staff augmentation vs. project by project
• Infrastructure Hosting
  • E-mail
  • Anti-SPAM and Anti-Phishing protection
  • VoIP
  • Website
  • Mass e-mail lists
  • Backup service
• Ask for a SOC 2 or 3 from infrastructure providers!
O’Connor & Drew’s Key IS Wins for 2014
• Patch frequently and utilize anti-virus software
  • Settings enforceable with a GPO in Windows
  • Application support is important for continued patches
• Get rid of any systems running Windows XP or older
  • Windows XP and Office 2003 support officially ended April 2014
• Uninstall Java from all office systems; consider using something other than Internet Explorer (IE)
  • In the first half of 2013, Java was the most common zero-day focus for attackers. In the second half of 2013, a burst of Internet Explorer (IE) zero-days was observed.
  Source: http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2013.pdf
O’Connor & Drew’s Key IS Wins for 2014
• Encrypt all assets that leave the office (laptops, thumb drives, smartphones, etc) and ensure they have a password/PIN enabled
  • “UC San Francisco is alerting some individuals to a burglary involving unencrypted desktop computers that contained some personal and health information.”1
• Secure and segregate your office WIFI
  • Use hardened security (e.g. WPA2 or individual certificates) and segregate WIFI to limit access to key resources such as file shares
• Utilize industry tools to scan your internal and external network
  • Ensure firewalls are appropriately configured, devices are patched appropriately, and generate an inventory of what’s on your network
1 https://www.ucsf.edu/news/2014/03/112556/computer-theft-uc-san-francisco
Policies and Procedures
• AUP (Acceptable Use Policy)
  • Users understand that potentially everything they do is monitored
  • No outside software may be installed
  • Limited personal use
  • Consequences for not following policies
  • Don’t leave laptops in plain view or in unlocked vehicles
  Example template: http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf
• Information/Data Classification Guide (ICG/DCG)
  • Types of data (confidential, internal use only, public, etc)
  • Owners, handlers
  • How to properly handle, store, destroy
  More information and examples:
  http://www.giac.org/paper/gsec/736/data-classification/101635
  http://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846
• Written Information Security Program (WISP)
  • Legally required document for businesses with Massachusetts customers
SANS 20 Critical Security Controls
• A list of the top 20 critical security controls (CSCs) was agreed upon and outlined, taking risk into consideration.
• Collaborative work across various governmental, public, and private organizations
  • U.S. Department of Homeland Security
  • U.S. Department of State, Office of the CISO
  • MITRE Corporation
  • SANS Institute
• Great starting point for an SMB
  • Tangible, measurable, includes examples of processes and technologies to implement
http://www.sans.org/critical-security-controls
Number 1: Inventory Devices
Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Source: https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
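The “find unauthorized and unmanaged devices” half of this control comes down to reconciling what is actually on the network against the approved inventory. The script below is an added example in that spirit, not part of the deck or the SANS material: the authorized list and the dnsmasq-style lease lines are constructed, and the MAC and 192.0.2.x addresses are placeholders.

```python
from dataclasses import dataclass

# Constructed authorized-device inventory (MAC -> description); placeholder data.
AUTHORIZED = {
    "00:11:22:33:44:55": "FS01 file server",
    "00:11:22:33:44:66": "Front desk workstation",
    "00:11:22:33:44:77": "Office printer",
}

# Constructed lines in dnsmasq lease-file format: expiry, MAC, IP, hostname, client-id.
LEASES = """\
1412345678 00:11:22:33:44:55 192.0.2.10 fs01 *
1412345680 00:11:22:33:44:66 192.0.2.21 frontdesk 01:00:11:22:33:44:66
1412345690 AA:BB:CC:DD:EE:FF 192.0.2.42 android-9f3b2 *
"""

@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str

def parse_leases(text):
    """Parse dnsmasq-style lease lines into Device records with lower-cased MACs."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        devices.append(Device(mac=parts[1].lower(), ip=parts[2], hostname=parts[3]))
    return devices

def reconcile(devices, authorized):
    """Return (devices seen but not authorized, authorized MACs not seen on the network)."""
    authorized_macs = {mac.lower() for mac in authorized}
    seen_macs = {d.mac for d in devices}
    unauthorized = [d for d in devices if d.mac not in authorized_macs]
    missing = sorted(authorized_macs - seen_macs)
    return unauthorized, missing

if __name__ == "__main__":
    unauthorized, missing = reconcile(parse_leases(LEASES), AUTHORIZED)
    for d in unauthorized:
        print(f"UNAUTHORIZED {d.mac} {d.ip} {d.hostname}")  # candidate for blocking
    for mac in missing:
        print(f"NOT SEEN     {mac} ({AUTHORIZED[mac]})")   # inventory may be stale
```

The “not seen” list matters as much as the unauthorized one: a device in the inventory that never appears on the network is either gone (and should be removed from the record) or connecting somewhere the DHCP server does not see.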
Number 2: Inventory Software
Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Source: https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
Number 3: Secure Configurations
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Source: https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
Number 4: Continuous Assessments
Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Source: https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
Additional Resources
• Cyber Security Planning Guide: http://transition.fcc.gov/cyber/cyberplanner.pdf
• Ten Cybersecurity Tips For Small Businesses: http://www.dhs.gov/sites/default/files/publications/FCC%20Small%20Biz%20Tip%20Sheet_0.pdf
• FCC Website For Small Businesses: http://www.fcc.gov/cyberforsmallbiz
Questions?
O’Connor & Drew’s IT Audit and Security Team is here to help!
Jake McAleer
[email protected]
Senior IT Security and Audit Manager, O’Connor & Drew, P.C.
@ocdcpa
Download Link
• Please visit the following link to download a digital copy of the presentation: http://www.ocd.com/2014techconnect
IT Frameworks
Frameworks help design a program that facilitates CIA (confidentiality, integrity, availability).
There are many different frameworks and standards:
• Some are industry specific
  • North American Electric Reliability Corporation (NERC)
• Some are very high level
  • COBIT
• Some are process specific
  • ITIL
• Some are generic (very long, complex, and/or high level)
  • NIST
  • ISO
  • COSO
Regulations and Industry-Specific Rules
• Different countries have specific laws covering personal information, how it must be protected, and data breach disclosure requirements.
  • EU privacy protection is notoriously strict
  • US laws often vary by state, with some federal oversight
• Different industries have specific requirements
  • PCI
  • HIPAA
  • BASEL II and GLBA
MA 201 CMR 17.00 - PII
• PII is “a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”
Source: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
MA 201 CMR 17.00 - Requirements
• Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program. [Every person…] shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system.
  Source: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
• MA 201 Compliance Checklist: http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
• Notification Requirement: http://www.mass.gov/ocabr/data-privacy-and-security/data/requirements-for-securitybreach-notifications.html
Cyber Insurance
• General liability policies often do not cover digital loss
• Insurance is not a replacement for security
• Not all cyber insurance policies are created equal
  • Coverage amounts
  • What they cover
  • How they are activated
  • What must be in place in order to be “covered”
“Partners bought the policy in 2007 and made a claim two years after an employee left the records of 192 Massachusetts General Hospital patients on an MBTA train. The hospital paid a $1 million fine to the US Department of Health and Human Services, which was covered by the cyber insurance.”
Source: https://www.bostonglobe.com/business/2014/02/17/more-companies-buying-insurance-against-hackers-and-privacy-breaches/9qYrvlhskcoPEs5b4ch3PP/story.html
Crisis Management – Cyber Attack
• Is it clear how an employee, customer, or outside firm reports a potential issue or concern to your business?
  • 69% of breaches were discovered by an outsider
• Internally
  • Who would take the lead on managing a crisis management plan?
  • Who needs to be involved/notified? Who can declare an event?
• Externally
  • Can your firm do a mass notification (email list, social media, etc)?
  • Who manages external communications?
• Legal
  • What laws/regulations is your industry held to?
  • Reporting requirements
Crisis Management - Social Media
“[During the Boston Marathon bombings…] Boston Police Department tweets in effect became the official source of information for everyone, including the media, especially after numerous reports by the press turned out to be false.”
Source: http://www.emergencymgmt.com/training/Bostons-Experience-Social-Media.html
• Can you blog or post on your website and keep it updated?
• Who can access and help with communications? Are they external to your organization? Are they available in an emergency?
It’s important to realize that some companies block social media such as Twitter and Facebook.