
10/30/2017


WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©CliftonLarsonAllen LLP

How Cybercrime Affects Schools 2017 MASBO Fall Conference


Introduction

I am going to share with you:

1. Who am I

2. Current state of cybercrime

3. Social Engineering

4. How cybercrime is affecting our schools

5. How schools can protect themselves


Who am I

David Anderson

• MN Farm kid turned hacker

• Worked in IT/IT Security 9+ years

• Yes, I am older than 18


Current State of Cybercrime

What are the bad guys up to?


Current State of Cybercrime

• All about the Benjamins

– Theft of personally identifiable information (PII)

– Payment fraud

– Ransomware

• Many attacks are perpetrated by organized crime


Organized Crime

• Hacking is run like a business where people specialize in different areas

– Writing malware

– Renting botnets

– Stealing data

– Selling data (collect data from various sources/BIG DATA)

– Etc.

• Most attacks are completely automated


The Cost

Global cybercrime costs businesses up to:

$400 BILLION annually

Some estimate it will reach:

$2.1 TRILLION by 2019


Theft of PII

• Every organization stores information about their employees in electronic format

– Payroll/Tax/W2

◊ Name, Address, SSN, etc.

– Email address

• Some organizations store other sensitive data

– Credit card information

– Health information


Theft of PII

• All this information has value

– Submit fraudulent tax returns

– Submit fraudulent insurance claims

– Purchase items with stolen credit card information

– Use emails for phishing campaigns

• Attackers buy and sell data on the cyber black market

– Similar to amazon.com for stolen information


Theft of PII

• Children are 51x more likely to be affected

• It is of higher value because

– Can be used with any name/DOB to create fake ID

◊ Illegal immigration

◊ Financial fraud

◊ Circumvent bad credit (parents and siblings)

– Child won’t know until they become an adult

◊ No crime without a victim


Marketplace for Stolen Credit Cards


Payment Fraud

• Every organization interacts with their bank electronically

– Wire transfers

– ACH payment

– Online banking

• Corporate Account Take Over (CATO)

– Compromise accounts/credentials that can move money


Payment Fraud

• Can occur via technical means

– Attackers “hack” into finance computers

– Banking Trojans monitor online banking

– Create fake employees in payroll/ACH file

• Can occur via non-technical means

– Social engineering

– Coerce employee to send money

◊ E.g. Fake CEO emails cost businesses over BILLIONs over the last 3 years


Ransomware

• Cryptolocker, Locky, WannaCry, etc.

• Encrypts all data, holds in “ransom” for $$

– Data on local machine and on network

• Can affect non-Windows OS (e.g. Mac)


Ransomware

“Theresa and Billy Niedermayer paid an $800 ransom to get precious family photos of their three young boys back from cybercriminals.”

Social Engineering

I am a Nigerian Prince…


Social Engineering

• Employees are HIGHLY targeted with “social engineering”

• Every employee plays a role in securing the organization

• Employees become the first line of defense


Social Engineering

Trick user into doing something that helps the attacker

• Visit malicious website

• Open malicious attachment

• Provide confidential info

• Allow access to building or systems

“Why break a window when you can get the user to open the door?”


Social Engineering

• [audio sample]

How Cybercrime is Affecting Our Schools

No one is immune…


Case Study #1

• Bloomington MN Public School

– Lost W2 info on all 1,800 employees

– Occurred February 2017

– How it happened?

◊ Email phishing scam

◊ Most likely social engineering attack where attacker requested W2 information


Case Study #1

• This happened to several schools in 2017

– Dracut Schools

– Tipton County Schools

– Odessa School District

– Lexington School District Two

– Mercedes Independent School District

– Morton School District

– Davidson County Schools


Case Study #1

• Continued…

– Belton Independent School District

– Argyle School District

– Manatee County School District

– Corsicana Independent School District

– Mercer County Schools

– Bloomington Public Schools

– Black River Falls School District


Case Study #1

• Continued…

– Trenton R-9 School District

– Barron Area School District

– Mount Healthy City Schools

– Abernathy Independent School District

– Redmond School District

– Independence School District

– Yukon Public Schools


Case Study #1

• Continued…

– Groton Public Schools

– Tyler Independent School District

– Glastonbury Public Schools

– Ark City School District

– Ben Bolt Independent School District

– Powhatan County Public Schools

– Walton School District


Case Study #2

• Los Angeles Valley College

– Virus locked up files, email, voicemail, etc.

– Occurred December 2016

– Paid hackers $28K after ransomware outbreak


Case Study #3

• Spring Branch Independent School District (TX)

– Student “hacked” school and changed grades

– Occurred April 2017

– Student gained access to administrator password


Case Study #4

• Metropolitan State University (St. Paul)

– Website got hacked

– Found out because hacker bragged online

– Occurred January 2015

– Controls were not sufficient to detect or respond efficiently

◊ “spokeswoman said she did not know how far back in time the affected data goes”

How Schools can Protect Themselves

What can be done about this?


Action Items

• User awareness training

– Help employees understand cyber risks that affect them

– Understand that IT will never ask for your password

– Train employees that it is OK to be skeptical about odd requests

– Train employees to perform call back verification

– Perform focused training on employees that have access to sensitive info (IT, HR, C-suite, etc.)


Action Items

• Harden email systems

– Many email phishing attacks take advantage of weak email settings

– Configure email system to block emails that spoof internal employees

– Tag external emails as “External” to help users identify the message did not originate internally
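The two email rules above, sketched as a gateway filter. This is an added example, not part of the original slides; the domain district.example, the relay range 10.20.0.0/16 and the function names are assumptions, and the sample messages are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the district's mail domain and its own relay range.
INTERNAL_DOMAINS = {"district.example"}
TRUSTED_RELAYS = [ipaddress.ip_network("10.20.0.0/16")]
TAG = "[External] "

def from_trusted_relay(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_RELAYS)

def filter_message(raw, client_ip):
    """Return (action, subject) for one message handed over by client_ip."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    if from_trusted_relay(client_ip):
        return "deliver", subject
    # Everything below arrived from the internet.
    if domain in INTERNAL_DOMAINS:
        return "block", subject          # outside sender using a staff address
    if any(d in display.lower() for d in INTERNAL_DOMAINS):
        return "block", subject          # staff address hidden in the display name
    if not subject.startswith(TAG):
        subject = TAG + subject
    return "deliver", subject

# Constructed sample messages: (raw headers and body, connecting IP).
SAMPLES = [
    ("From: Front Office <office@district.example>\nSubject: Bus schedule\n\nhi", "10.20.3.4"),
    ("From: Superintendent <super@district.example>\nSubject: W2 request\n\nhi", "203.0.113.7"),
    ('From: "pat.smith@district.example" <pat@mail.example>\nSubject: Wire today\n\nhi', "203.0.113.7"),
    ("From: Vendor <billing@supplier.example>\nSubject: Invoice\n\nhi", "198.51.100.9"),
]

def run_samples():
    return [filter_message(raw, ip) for raw, ip in SAMPLES]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

Legitimate outside services that send as the district (for example a hosted newsletter) would need their sending addresses added to the trusted list before a rule like this is enforced.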


Action Items

• Test backup systems

– Periodically test backup systems to ensure you can recover from ransomware

– Have IT perform a full, bare-metal recovery of main file share

– Have IT document how long it takes to recover various files or systems


Action Items

• Configure auditing/logging

– Ensure all systems are configured to log important information

– Successful logins are just as important to log as failed logins

– Retain logs for at least 1 year, longer is better
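Why successful logins matter, shown as a small log review. This is an added example, not part of the original slides; the log format, field names and sample lines are constructed for illustration. It flags a successful login that follows a run of failures from the same source, and checks whether retained logs reach back a full year.

```python
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "time user= src= result=" format.
SAMPLE_LOG = """\
2017-04-03T07:58:02 user=jlee src=10.1.4.11 result=OK
2017-04-03T08:01:10 user=admin src=10.1.5.20 result=FAIL
2017-04-03T08:01:14 user=admin src=10.1.5.20 result=FAIL
2017-04-03T08:01:19 user=admin src=10.1.5.20 result=FAIL
2017-04-03T08:01:25 user=admin src=10.1.5.20 result=OK
2017-04-03T09:30:00 user=mkhan src=10.1.4.15 result=FAIL
2017-04-03T09:30:20 user=mkhan src=10.1.4.15 result=OK
"""

def parse(line):
    stamp, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(stamp)
    return event

def guessed_logins(lines, threshold=3, window=timedelta(minutes=10)):
    """Successful logins preceded by >= threshold recent failures, same user and source."""
    failures = {}
    alerts = []
    for event in map(parse, lines):
        key = (event["user"], event["src"])
        if event["result"] == "FAIL":
            failures.setdefault(key, []).append(event["time"])
            continue
        # A success resets the failure history for this user and source.
        recent = [t for t in failures.pop(key, []) if event["time"] - t <= window]
        if len(recent) >= threshold:
            alerts.append((event["user"], event["src"], len(recent)))
    return alerts

def retention_ok(lines, now, minimum=timedelta(days=365)):
    """True if the oldest retained entry is at least `minimum` old."""
    oldest = min(parse(line)["time"] for line in lines)
    return now - oldest >= minimum

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(guessed_logins(lines))
    # With only failures logged, the same review cannot tell whether the guessing worked.
    print(guessed_logins([l for l in lines if "result=FAIL" in l]))
    print(retention_ok(lines, datetime(2017, 10, 30)))
```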


Action Items

• Audit systems for default/weak passwords

– Most systems have default passwords and they are all documented online

– Don’t overlook “simple” systems

◊ E.g. Printers, IP cameras, etc.

Questions?

twitter.com/CLAconnect

facebook.com/cliftonlarsonallen

linkedin.com/company/cliftonlarsonallen

CLAconnect.com

Thank you!

David Anderson

Manager, Information Security

612-376-4699