Posted on 26-May-2020

Covering Your Information Assets: Developing security in a constantly changing environment.

SynerComm, Inc.
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
Jeffrey.Lemmermann@SynerComm.com

Wisconsin Government Finance Officers Association

September 12, 2019 – Green Bay, WI

Who Am I

• Jeffrey T. Lemmermann
• Information Assurance Consultant – SynerComm, since January 2018
• 24 years with CliftonLarsonAllen: Risk Services Practice Manager; IT Audit / IT Security Specialist
• 5+ years as CIO/CFO – manufacturing industry
• Certifications: CPA, CITP, CISA, CEH
• CITP – Wisconsin Champion (if you are a CPA)

“Security Assessment & Consulting, IT Audit, Compliance with IT Frameworks (NIST, COBIT) and continuing an ongoing crusade to promote information security!”

Information Security

Topping The Charts Everywhere! Forbes 2019 Top 10 Digital Transformation Trends

1. 5G Fixed to 5G Mobile (4)
2. Expanded Chatbot Use
3. Cloud Computing Evolution
4. Blockchain Understanding (5)
5. Data Analytics (2) / Machine Learning (6)
6. General Data Protection Regulation
7. Augmented Reality (7)
8. Edge Computing (3) / Internet of Things (1)
9. Consumption IT [all as a service] (8)
10. Hiring for Digital Transformation (10)

Importance of Data Security

Regulations: GDPR / CCPA, HIPAA, GLBA / SOX 404, Red Flag Rules, PCI standards

Publicity: “There's no such thing as bad publicity …except your own obituary.” - Brendan Behan, Irish dramatist

Damage to reputation. Loss of consumer confidence. Redirection of resources.

Target: 40M credit/debit cards compromised; 46% dip in 2013 Q4 profits.

Atlanta, GA: $11M+ in costs so far; 1/3 of applications still affected; 70 computers lost along with data, including dash cam footage.

Riviera Beach, Florida: 5/29/19 an infected email attachment took down all of the city's online systems, including email and some phones, as well as water utility pump stations. 6/4/19 authorized $900,000 to recover/replace affected hardware. 6/17/19 authorized payment of $600,000 to the hackers.

Baltimore, MD: 5/7/19 RobbinHood ransomware attack; city service outages ultimately cost $18 million (and counting) in recovery costs and lost revenues.

Dark Web / Deep Web / Surface Web

Surface web: the part of the internet that search engines index.

Deep web: the part of the internet that isn't visible to search engines (content behind logins, databases, paywalls); most of it is perfectly legitimate.

Dark web: the subset of the deep web that requires an anonymizing overlay network and browser, like Tor, to be accessed.

What is done with that information?

Exchange on the DARK WEB…

Voting Machines!

Data Security 101

Where is our data now? Where should our data go? Where can our data go?

Who can access our data? Who needs to access our data?

Understanding the environment

Where does it start?

You can’t protect…

…what you don’t know about.

Where Is Your Data?

The Obvious: network file/data servers; laptop computers; backup storage media

The Obscure: smartphones / tablets; portable storage (USB drives); e-mail attachments

The Forgotten: disposed equipment – LEASED equipment!

Proper Disposal Rules

“Disposal practices that are reasonable and appropriate to prevent unauthorized access to – or use of – information in a consumer report.” (FTC Disposal Rule, 16 CFR Part 682)

Burn, pulverize, or shred papers so they cannot be reconstructed. Destroy or erase electronic files or media so information cannot be read or reconstructed. Conduct due diligence and hire a document destruction contractor.

Due diligence could include: reviewing the contractor's independent audit; obtaining information from several references; requiring certification by a recognized trade association; reviewing the contractor's information security policies or procedures.

Hard Drive Data

Study of 2nd-hand drives, O&O Software:
2004: 88% of disks bought on eBay contained recoverable data
2005: 71%

Edith Cowan University, annual study of 2nd-hand hard drives (share with recoverable data):
2006: 48%
2007: 40%
2008: 38%
2009: 39%
2010:
2011:
2012: 47%

Type of recoverable data: internal company memos; legal correspondence of a governmental agency; credit ratings (bank-owned hard drive)

File erasing utilities: Eraser (freeware, up to 35 overwrite passes); Steganos Security Suite (up to 100 passes)

Hard Drive Data Worries

What about smartphones? Deleting apps might not delete data; SD card storage; data stored by service providers.

Tablet computers – same issues as smartphones.

Solid State Drives (SSDs): traditional overwrite-based disk wiping utilities do not work reliably, because wear levelling and spare (over-provisioned) flash blocks keep copies of data that the utility never sees; with those tools it is “nearly impossible to completely delete data from SSDs”. Physical destruction highly recommended. Newer SSDs ship with deletion utilities that invoke the drive's own secure erase / sanitize command (or a cryptographic erase on self-encrypting drives); use those rather than a multi-pass overwrite, and verify the drive reads back blank afterwards.

Smartphone / Tablet Drive Data

Study of 2nd-hand smartphones: AVAST purchased 20 Android smartphones from eBay. A factory data reset had been performed on the devices. What was still found on the phones:

40,000 photos, 1,500 of them family photos including children; 750 email and text messages; 250 names and associated email addresses; identifiable information from four owners; 1 completed loan application.

Recommendation: first encrypt the device and SD card, then perform the factory data reset. The reset discards the encryption key, so any data the reset leaves behind is unreadable ciphertext.

Data Security

How can we keep our data safe?

"The search for static security - in the law and elsewhere - is misguided. The fact is that security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts."

- William O. Douglas, U.S. Supreme Court Justice

Case Study – Public School District

Case Study: Open Records

How “open” do you mean?

Security Points

Five Key Points of Data Security: Physical Security; Network Security; Application Security; External Security; Planning & Governance

Physical Security Fail

How to avoid this:

(1) Physical Security

Access to Equipment: locked server room, mobile equipment logs

Theft Prevention Procedures: cameras, user policies on mobile equipment

Separation of Duties: ordering / inventory separate from installers

Hardware Inventory: serial numbers, internal configurations, assignments

(2) Network Security

Password Policies: minimum length, complexity, forced changes. No sticky notes! (NIST SP 800-63B now advises screening new passwords against known-breached lists and forcing a change on evidence of compromise rather than on a fixed schedule.)

Unattended Terminal Protection: password-protected screensavers, firm policies

Network File Structure Security: per-user rights on file shares, annual review process!

Auditing Logs: activate logging, review logs

Control of Backup Tapes: physical security, password protection, and encryption of the tape contents (a password on the backup software alone does not protect the media)

Top 3 Ways We Compromise Your Org

BadPasswords

Social Engineering

Permissions

Methods of Compromise


Bad Pa$$words

• Reusing your password across multiple systems and services?

• Using a predictable convention?

• Incrementing a number at the end?

• NOT using a password manager?

• Have you shared your password with anyone else?

• Is it written on a sticky note somewhere on your desk?

Predictable / Management / Sharing / Reuse

Bad Passwords : Bad Practice

01 Seasonally Bad: Spring 2019, Spring19, Spring2019!, Spring19!

02 Known Bad: Password1, P@$$word1!, QWERTY

03 Locally Bad: Packers12, Packers19, $CompanyName19, $ChildName$BirthYear

Bad Passwords : Insider Secrets

Password Complexity Demo

Importance of non-dictionary passwords: dictionaries now include numbers added to words; alternate spelling meth0ds 1nclud3d.

Importance of length: ease of brute-force attacks; flaw in some encryption methods (e.g. the legacy Windows LM hash, which splits a password into two 7-character halves that are attacked separately).

Importance of other characters: adds to password possibilities; helps to beat dictionary cracks.

Password Recommendations

Secure Password Techniques:

Use modified pass phrases: 4score&7yearsago, Let’sg0r3d

Connect words with a modifier in the middle: Milwaukeejtl07Bucks, Aries01thejtlram

Stick with constant formulas. Caveat: a formula built on a personal constant (initials, a favourite team) reused across sites becomes predictable as soon as one of those passwords leaks; unique, randomly generated passwords stored in a manager avoid that.

Use secure password database managers: PC / PocketPC – KeePass (http://keepass.sourceforge.net); Android – KeePass, LastPass, SplashID; iPhone / iPad – DataVault Password Manager (iTunes store)

(3) Application Security

Key Application Security: accounting, HR, or other sensitive-data applications; follow the password standards of the network; segregation of duties / reporting controls

Anti-Virus Protection (Symantec, McAfee, etc.): server-based, automatic updates of workstations, e-mail protection

Patch Maintenance: Windows Server Update Services (WSUS)

Employee Training: dangerous files, e-mail concerns, web surfing

Spyware Protection

Spyware – Detecting & Eliminating

Signs you have been infected: random “security” pop-up windows appear when browsing; drop in computer performance; normal home page has been replaced / new search bars.

Removal help: cleaning programs: ComboFix, SpyBot Search & Destroy. Monitoring & prevention: SuperAntiSpyware, MS Defender.

Other tools: CCE – Comodo Cleaning Essentials; www.processlibrary.com. Online file scans: www.virustotal.com; Malwr.com (will give screen shots of execution of the file…)

(4) External Access Security

Cannot have it without the other elements! Weakness in other areas can defeat the best external security.

Access method security (VPN, Citrix, etc.); data encryption; user education

Activities to avoid – popular methods of capturing data: shoulder surfing; key logging / capturing programs; packet sniffing; wireless worries

Wireless Security

Control Access: UPDATE FIRMWARE; Change Defaults! (administrator password / network SSID)

MAC Filtering: list of authorized wireless Ethernet cards. Caveat: MAC addresses are transmitted in the clear and are trivially spoofed, so filtering is housekeeping, not a security control.

Scan self for “rogue” access points: Heatmapper, WiFi Analyzer (Android tool)

Control own equipment’s access. Current encryption: WPA2 (AES/CCMP) at minimum, WPA3 where the equipment supports it; retire WEP and WPA/TKIP.

Real World Outdated Tech

Case Study: Wireless Risks

The “Cantenna” T.J. Maxx Breach

(5) Planning & Governance

Align IT Goals with Business Goals: Does the IT department work for you or run you? Is IT planning part of the overall strategic planning process? Steering committee: department head involvement!

Must-Have Plans: Disaster Recovery \ Business Continuity – Testing! Involvement of all departments – what are their needs? System Security Plan. Incident Response Plan – data disclosure events, contact requirements.

Policies & Procedures

Policies in general: signature requirements \ acknowledgement; redistribution of policy \ general availability; centralize & minimize total number; training opportunity on changes!

Important groupings: Computer Use Policy (Internet use, e-mail use); IT Security Policy (confidentiality statements, data handling and storage, data retention & destruction)

Policies & Procedures – Updating

The importance of reviewing and updating policies:

What happens when two worlds collide? Can social media be used for public debate? What rules are in place for posting information by the elected? How can the use of social media be policed?

Sunshine Laws

Data Security

Updating our policies and procedures is a critical part of the circle.


What is this hacking thing you speak of?

Computer Information Hacking

Attack Origins

Points of Origin of Network Attacks

Internal: harder to protect against – productivity vs. security. Motivations: personal gain; revenge (missed promotion, about to be fired); job security.

External: hard to identify source. Motivations: random attack; revenge (former employee, angry client, competitor); industrial espionage.


Close your eyes.

Imagine a “hacker”

Computer Information Hacking


What Hackers Look Like


What Hackers Look Like - 2


Social Engineering Expert

Kevin Mitnick
• FBI Most Wanted List - 1994
• Banned from the Internet on January 21, 2000
• Current Chief Hacking Officer of KnowBe4
• CEO of Mitnick Security

“Any act that influences a person to take an action that may or may not be in their best interest.”

Social Engineering

Social Engineering : what is it?

Social Engineering Defined

Social Engineering Tactics:

Phishing: banking spoofs, eBay accounts, etc. New evolution: pharming – “poisoning” of a DNS record (or of the victim's resolver / hosts file) to redirect the request; the site could be an exact duplicate of the intended site.

Malware: key-loggers & screen capture programs; browser hijacks; drive-by malware infections

Friendliness / Naivety

2019 Recent Attacks:

Business eMail Fraud: City of Ottawa, Canada – urgent email to staff; wire of $100,000 to scammer – procedures not followed

Payroll Redirection: City of Tallahassee, FL – 3rd-party vendor compromised, $498,000 in payroll checks redirected to scam accounts; Thomas County School System – thwarted $2M attempt

Ransomware: Greenville, NC – Stuart, FL – Augusta, ME – Imperial County, CA – Baltimore, MD – Albany, NY – Riviera Beach, FL – Who is next???

How does it start and spread?

Phishing emails: attachments / website links. Compromised websites: drive-by downloads. Social media post links. Internet-exposed Remote Desktop Protocol (RDP). Free software. Removable media (thumb drives).

Social Engineering : Phishing Examples

Social Engineering Email

Social Engineering : Phishing Examples

Social Engineering Website

Social Engineering : Phishing Examples

Fake Invoice Scams
• Compromise target email system
• Send bogus invoices from the compromised email account

Real World - Phishing

Social Engineering : Phishing Examples

Fake Invoice Scams
• Examine links closely
• Accounts Payable verification procedures

Real World - Phishing
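One way to automate the “examine links closely” step on an incoming invoice email, as an added example that is not part of the original deck: it parses the anchors in an HTML body with the Python standard library and flags a link when the visible text names one domain but the href goes to another, when the host is a raw IP address or has an “@” in front of it, when the host is punycode, or when the domain merely contains a trusted brand name without being the trusted domain. The sample message and the synercomm.com allow-list are constructed for the demo; the two-label registered-domain rule is a simplification of what a Public Suffix List lookup would do.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the domains this organisation actually uses.
TRUSTED_DOMAINS = {"synercomm.com"}

# Constructed sample of a fake-invoice email body (HTML), not a real message.
# The punycode label below is made up to exercise the xn-- check.
SAMPLE_EMAIL = """
<p>Invoice #4471 is 30 days overdue. Review it here:
<a href="http://203.0.113.5/portal/login">https://portal.synercomm.com/invoice/4471</a></p>
<p>Pay online at <a href="https://synercomm-billing.com/pay">synercomm-billing.com</a></p>
<p>Or reset your portal password:
<a href="https://xn--synercomm-example.com/reset">Reset password</a></p>
<p>Questions? <a href="https://www.synercomm.com/contact">Contact us</a></p>
"""

DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a bare domain without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host. A real checker would consult the Public
    Suffix List; two labels is enough for the .com examples here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href, text):
    """Return the reasons this link looks like a phishing / invoice scam."""
    findings = []
    host = host_of(href)
    if not host:
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("link host is a raw IP address")
    except ValueError:
        pass
    if "@" in urlparse(href).netloc:
        findings.append("'@' in URL: the real host is whatever follows it")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host, possible homoglyph domain")
    # Visible text that itself looks like a URL must agree with the real target.
    if DOMAIN_LIKE.match(text):
        shown = host_of(text)
        if registered_domain(shown) != registered_domain(host):
            findings.append(f"text shows {shown} but link goes to {host}")
    # Domains that contain a trusted brand name but are not the trusted domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and registered_domain(host) != trusted:
            findings.append(f"lookalike of trusted domain {trusted}")
    return findings


def scan_email(html):
    """Map each suspicious href in the body to its list of findings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    report = {}
    for href, text in extractor.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Three of the four links in the constructed message are flagged and the genuine contact link is not. A link checker catches the technical tells; it does not replace the Accounts Payable verification procedure, because a bogus invoice sent from a genuinely compromised vendor mailbox can carry a perfectly clean link.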


Vishing: “an electronic fraud tactic utilizing voice technologies in which individuals are tricked into revealing critical financial or personal information to unauthorized entities.”

Security Awareness

Vishing: what is it?

Vishing Defined

Social Engineering : Vishing Examples

Jury Duty Scams
• Missed jury duty – warrant issued
• Must come down to the location or call back
• Buy payment cards
• Payment system is down

Real World - Vishing

Example!

Security Awareness

Social Engineering : Vishing Examples

Social Engineering Combined

Social Engineering : Vishing Examples

My Dad – Combined Computer Help / Call

Real World – Fish/Vish

A Typical Classic IT Hack (slide diagram)

Organization Data Store – SS's information: employee, customer and vendor records
UH (Unethical Hacker) steals information by: cracking the database, wireless sniffing, social engineering
UH posts information
HH buys information, then: transfers money, opens a charge account

A Ransomware Attack (slide diagram)

SS's computer infected → spread infection → lock screen → encrypt files: local stores, network shares
UH demands payment: paycard or Bitcoin; delay escalates amount; can threaten to post files
UH receives payment: decrypt key is sent*; backdoor left on machine; will return for more!
* most of the time

Stepping Stones in Hacking (slide diagram) – Permissions: Admin Rights

Attacker gains access → phished machines with admin rights → Internal System 1, 2, 3 → Admin Wkst #1, Admin Wkst #2 → Admin Server #1

Defense - Scanning Yourself

Social Engineering / Online Searches: testing tools – KnowBe4. Areas of search: Have I Been Pwned (https://haveibeenpwned.com); ARIN records – DNS Stuff

Vulnerability Assessments: finding rabbit holes – weak points in your network. Online tools: Shields Up. Nessus (www.nessus.org), OpenVAS (www.openvas.org): free Nessus vs. $1500 version; Windows & Linux versions; external & internal use.

Penetration Testing: How far down does the rabbit hole go? Care in performing exploits – not for amateurs! Metasploit
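Have I Been Pwned's Pwned Passwords range endpoint lets you check a password against the breach corpus without sending the password or even its full hash: the client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally (k-anonymity). The following added example, not code from the slide or from HIBP, implements both sides of that exchange against a constructed three-entry corpus so it runs offline, and includes a live fetch function for the real endpoint. The sample corpus and its counts are assumptions.

```python
import hashlib
import urllib.request

# Constructed stand-in for the breach corpus: (password, times seen).
# Real counts differ; these are sample values for the offline demo.
FAKE_BREACH_CORPUS = {
    "Password1": 2_400_000,
    "Spring2019!": 1_200,
    "Packers12": 340,
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix
    the client sends and the 35-char suffix it keeps to itself."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_server(prefix):
    """Simulate GET /range/{prefix}: return 'SUFFIX:COUNT' lines for every
    corpus hash that starts with the prefix. The server only ever learns the
    5-character prefix, never the password or its full hash."""
    lines = []
    for password, count in FAKE_BREACH_CORPUS.items():
        p, s = sha1_prefix_suffix(password)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body):
    """Parse the range endpoint's text body into {suffix: count}.
    Padded responses contain extra entries with a count of 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fake_range_server):
    """How many times the password appears in the corpus (0 = not found).
    `fetch_range` takes the 5-char prefix and returns the response body."""
    prefix, suffix = sha1_prefix_suffix(password)
    assert len(prefix) == 5          # never send more than the prefix
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def hibp_fetch_range(prefix):
    """Live fetch against the real Pwned Passwords API (requires network).
    Add-Padding asks the service to pad the response so its size does not
    reveal how many hashes share the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-audit-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["Password1", "Spring2019!", "4score&7yearsago"]:
        print(f"{pw!r}: seen {breach_count(pw)} times in the sample corpus")
```

To run against the real service, call breach_count(pw, hibp_fetch_range). The same split is what a password-screening control at account creation would do, which is the NIST SP 800-63B recommendation to reject passwords already found in breaches.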

Understand Your Enemies

You have to understand their tactics to better stop them. Hacking for Dummies by Kevin Beaver (foreword by Stuart McClure)

Certified Ethical Hacking – training & certification: vulnerability assessments, penetration testing

On-line resources: Krebs on Security – krebsonsecurity.com; SANS – www.sans.org; NIST – www.nist.gov

Questions & Answers

SynerComm’s goal is to be a Trusted Advisor and Preferred IT Solutions Provider by assisting our clients to achieve a goal, solve a problem, or satisfy a need.

Jeffrey T. Lemmermann, CPA, CITP, CISA, CEHInformation Assurance Consultant - SynerComm, Inc.

Jeffrey.Lemmermann@synercomm.com
