TRANSCRIPT
Covering Your Information Assets: Developing security in a constantly changing environment.
SynerComm, Inc. – Jeffrey T. Lemmermann, CPA, CITP, CISA, [email protected]
Wisconsin Government Finance Officers Association
September 12, 2019 – Green Bay, WI
Who Am I
ID
• Jeffrey T. Lemmermann
• Information Assurance Consultant – SynerComm
• January 2018
EXP
• 24 Years with CliftonLarsonAllen
• Risk Services Practice Manager
• IT Audit / IT Security Specialist
• 5+ Years as CIO/CFO – Manufacturing Industry
CERT
• CPA, CITP, CISA, CEH
• CITP – Wisconsin Champion (if you are a CPA)
“Security Assessment & Consulting, IT Audit, Compliance with IT Frameworks (NIST, COBIT) and continuing an ongoing crusade to promote information security!”
Information Security
Topping The Charts Everywhere! Forbes 2019 Top 10 Digital Transformation Trends
1. 5G Fixed to 5G Mobile (4)
2. Expanded Chatbot Use
3. Cloud Computing Evolution
4. Blockchain Understanding (5)
5. Data Analytics (2) / Machine Learning (6)
6. General Data Protection Regulation
7. Augmented Reality (7)
8. Edge Computing (3) / Internet of Things (1)
9. Consumption IT [all as a service] (8)
10. Hiring for Digital Transformation (10)
Importance of Data Security
Regulations: GDPR / CCPA, HIPAA, GLBA / SOX 404, Red Flag Rules, PCI Standards
Publicity: “No such thing as bad publicity … except your own obituary.” - Brendan Behan, Irish Dramatist
Damage to reputation. Loss of consumer confidence. Redirection of resources
Target: 40M credit/debit cards compromised; 46% dip in 2013 Q4 profits.
Atlanta, GA: $11M+ in costs so far. 1/3 of applications still affected. 70 computers lost along with data including dash cam footage.
Riviera Beach, FL: 5/29/19 – an infected email attachment took down all of the city’s online systems, including email and some phones, as well as water utility pump stations. 6/4/19 – authorized $900,000 to recover/replace affected hardware. 6/17/19 – authorized payment of $600,000 to the hackers.
Baltimore, MD: 5/7/19 – RobbinHood ransomware attack; city service outages ultimately cost $18 million (and counting) in recovery costs and lost revenues.
Dark Web / Deep Web / Surface Web
Simple definitions: the surface web is the part of the internet that search engines index. The deep web is the part that isn't visible to search engines. The dark web is the subset of the deep web that requires an anonymizing browser, like Tor, to be accessed.
What is done with that information?
Exchange on the DARK WEB…
Voting Machines!
Data Security 101
Where is our data now? Where should our data go? Where can our data go?
Who can access our data? Who needs to access our data?
Understanding the environment
Where does it start?
You can’t protect … what you don’t know about.
Where Is Your Data?
The Obvious: Network File/Data Servers, Laptop Computers, Backup Storage Media
The Obscure: Smartphones / Tablets, Portable Storage (USB Drives), E-Mail Attachments
The Forgotten: Disposed Equipment – LEASED Equipment!
Proper Disposal Rules
“Disposal practices that are reasonable and appropriate to prevent unauthorized access to – or use of – information in a consumer report.”
• Burn, pulverize, or shred papers so they cannot be reconstructed.
• Destroy or erase electronic files or media so information cannot be read or reconstructed.
• Conduct due diligence and hire a document destruction contractor.
Due diligence could include: reviewing the contractor’s independent audit; obtaining information from several references; requiring certification by a recognized trade association; reviewing the contractor’s information security policies or procedures.
Hard Drive Data
Study of 2nd Hand Drives – O & O Company:
2004: 88% of disks from eBay contained recoverable data. 2005: 71%.
Edith Cowan University – annual study of 2nd hand hard drives:
2006: 48%, 2007: 40%, 2008: 38%, 2009: 39%, 2012: 47% (no figure given for 2010 and 2011)
Type of recoverable data: internal company memos; legal correspondence of a governmental agency; credit ratings (bank-owned hard drive).
File erasing utilities: Eraser (freeware – up to 35 overwrite passes); Steganos Security Suite (up to 100 passes).
Hard Drive Data Worries
What About Smartphones? Deleting apps might not delete data. SD card storage. Data stored by service providers.
Tablet Computers – same issues as smartphones.
Solid State Drives (SSDs): traditional disk wiping utilities do not work – “nearly impossible to completely delete data from SSDs”. Physical destruction highly recommended. Newer SSDs – deletion utilities come with the drives.
Smartphone / Tablet Drive Data
Study of 2nd Hand Smartphones: Avast purchased 20 Android smartphones from eBay. A factory data reset was performed on the devices. What was still found on the phones:
40,000 photos, 1,500 of them family photos including children; 750 emails and text messages; 250 names and associated email addresses; identifiable information from four owners; 1 completed loan application.
Recommendation: first encrypt the device and SD card, then perform the factory data reset.
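The overwrite-then-verify routine below does what the “Eraser” class of utilities on the previous slide does, and spells out in code why that is not enough for an SSD. It is an added example, not code from the presentation or from any named utility; the pass count, the chunk size and the sample payroll export are assumptions.

```python
"""Overwrite-and-verify file erasure (the spinning-disk technique), with the SSD
caveat from the slide made explicit. Added example; payload and pass count assumed."""
import os
import secrets
import tempfile


def overwrite_and_verify(path, passes=3, chunk=1 << 16):
    """Overwrite `path` with random data (passes-1 times) and then zeros, fsync
    each pass, read the file back to confirm its LOGICAL contents are zero, then
    unlink it. Returns True only if the readback saw nothing but zeros.

    Caveat (the slide's point about SSDs): flash firmware usually maps each
    write to a fresh physical block, so the old bytes can survive in blocks the
    OS can no longer address, and this readback will still report success.
    For SSDs use the drive's own secure-erase/crypto-erase command or physical
    destruction; this routine is for magnetic disks."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                # random passes first, a final zero pass so the verify is simple
                f.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        while True:
            block = f.read(chunk)
            if not block:
                break
            if block.count(0) != len(block):   # any non-zero byte: wipe did not take
                return False
    os.remove(path)
    return True


def demo(payload=b"SSN 123-45-6789  ACCT 000123456789\n" * 4096):
    """Write a constructed sensitive-looking export to a temp dir, wipe it and
    return (wipe_succeeded, file_still_exists). Sample data is constructed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll_export.csv")
        with open(path, "wb") as f:
            f.write(payload)
        ok = overwrite_and_verify(path)
        return ok, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # expected: (True, False)
```

The readback is what gives a false sense of security on flash: it only proves the filesystem's view is clean. For the “newer SSDs – deletion utilities with drives” case, the equivalent is the drive-level command (ATA Secure Erase via `hdparm`, or `nvme format` with a secure-erase setting), which tells the controller to wipe or re-key every block, including the ones the OS cannot reach.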
Data Security
How can we keep our data safe?
"The search for static security - in the law and elsewhere - is misguided. The fact is security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts."
- William O. Douglas, U.S. Supreme Court Justice
Case Study – Public School District
Case Study: Open Records
How “open” do you mean?
Security Points
Five Key Points of Data Security: Physical Security; Network Security; Application Security; External Security; Planning & Governance
Physical Security Fail
How to avoid this:
(1) Physical Security
Access to Equipment: locked server room, mobile equipment logs
Theft Prevention Procedures: cameras, user policies on mobile equipment
Separation of Duties: ordering / inventory separate from installers
Hardware Inventory: serial numbers, internal configurations, assignments
(2) Network Security
Password Policies: minimum characters, forced changes, complexity. No sticky notes!
Unattended Terminal Protection: password-protected screensavers, firm policies
Network File Structure Security: user site of files, annual review process!
Auditing Logs: activate logging, review logs
Control of Backup Tapes: physical security, password protection
Top 3 Ways We Compromise Your Org
• Bad Passwords
• Social Engineering
• Permissions
Methods of Compromise
Bad Pa$$words
• Reusing your password across multiple systems and services?
• Using a predictable convention?
• Incrementing a number at the end?
• NOT using a password manager?
• Have you shared your password with anyone else?
• Is it written on a sticky note somewhere on your desk?
Predictable / Management / Sharing / Reuse
Bad Passwords : Bad Practice
01 Seasonally Bad: Spring 2019, Spring19, Spring2019!, Spring19!
02 Known Bad: Password1, P@$$word1!, QWERTY
03 Locally Bad: Packers12, Packers19, $CompanyName19, $ChildName$BirthYear
Bad Passwords : Insider Secrets
Password Complexity Demo
Importance of non-dictionary passwords: dictionaries now include numbers added to words; alternate spelling meth0ds 1nclud3d.
Importance of length: ease of brute-force attacks; flaw in some encryption methods.
Importance of other characters: adds to password possibilities; helps to beat dictionary cracks.
Password Recommendations
Secure Password Techniques:
Use modified pass phrases: 4score&7yearsagoLet’sg0r3d
Connect words with a modifier in the middle: Milwaukeejtl07Bucks, Aries01thejtlram
Stick with constant formulas
Use secure password database managers:
PC / PocketPC – KeePass (http://keepass.sourceforge.net); Android – KeePass, LastPass, SplashId; iPhone / iPad – DataVault Password Manager (iTunes store)
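The checker below turns the three “bad practice” categories, the length argument and the breach-corpus check into something you can run against a proposed password. It is an added example, not code from the presentation; the organizational word list, the 14-character threshold, the assumed 10^10 guesses/second cracking rate and the constructed breach corpus are assumptions. The k-anonymity lookup is written against the shape of the Have I Been Pwned “range” API (only the first five hex characters of the SHA-1 leave the machine), but the lookup function used here is an offline stand-in built from the constructed corpus.

```python
"""Password hygiene checks: seasonal / known-bad / local patterns, keyspace math,
and an HIBP-style k-anonymity breach check. Added example; lists are assumptions."""
import hashlib
import math
import re
from datetime import date

# Assumed local context: what a dictionary attack aimed at THIS organization
# would try first (teams, employer, city). Replace with your own list.
LOCAL_WORDS = {"packers", "bucks", "brewers", "milwaukee", "greenbay", "synercomm"}
KNOWN_BAD_WORDS = {"password", "qwerty", "letmein", "welcome", "admin"}
SEASONAL = re.compile(
    r"(spring|summer|fall|autumn|winter|january|february|march|april|may|june|"
    r"july|august|september|october|november|december)\s*\d{2,4}\W*", re.I)
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "!": "i"})
MIN_LENGTH = 14  # assumption; the slide argues for length over complexity


def _base_word(pw):
    """Undo common leet substitutions and drop non-letters so 'P@$$word1!' and
    'Password1' both reduce to a string containing 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def pattern_findings(pw, local_words=LOCAL_WORDS, year=None):
    """List every predictable-pattern problem found in pw (empty list = none)."""
    year = year or date.today().year
    base = _base_word(pw)
    findings = []
    if any(w in base for w in KNOWN_BAD_WORDS):
        findings.append("known-bad base word")
    if SEASONAL.fullmatch(pw):
        findings.append("season/month + year")
    if any(w in base for w in local_words):
        findings.append("local/organizational word")
    m = re.search(r"(\d+)\W*$", pw)
    if m:
        findings.append("trailing number (incremented at each rotation)")
        digits, n = m.group(1), int(m.group(1))
        two_digit_years = {(year + d) % 100 for d in (-1, 0, 1)}
        if (len(digits) == 4 and year - 80 <= n <= year + 1) or (len(digits) == 2 and n in two_digit_years):
            findings.append("year suffix")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def keyspace_bits(pw):
    """Upper bound on what a brute-force attacker must search if all he knows is
    the length and which character classes were used: length * log2(alphabet)."""
    alphabet = 0
    if re.search(r"[a-z]", pw): alphabet += 26
    if re.search(r"[A-Z]", pw): alphabet += 26
    if re.search(r"\d", pw): alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw): alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(bits, guesses_per_second=1e10):
    """Worst-case search time. 1e10/s is an assumed rate (GPU rig, fast hash)."""
    return 2 ** bits / guesses_per_second / (365 * 86400)


def fake_range_api(breached_passwords):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<5 hex>,
    built from a constructed corpus {password: count}. It returns the same
    'SUFFIX:COUNT' lines, so pwned_count() needs no change against the real API."""
    table = {}
    for pw, count in breached_passwords.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return lambda prefix: "\r\n".join(table.get(prefix, []))


def pwned_count(pw, range_lookup):
    """k-anonymity check: only the 5-character SHA-1 prefix is sent anywhere."""
    h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def assess(pw, range_lookup=None, year=None):
    report = {"findings": pattern_findings(pw, year=year), "bits": round(keyspace_bits(pw), 1)}
    if range_lookup:
        n = pwned_count(pw, range_lookup)
        if n:
            report["findings"].append(f"seen {n} times in breach corpora")
    return report


if __name__ == "__main__":
    lookup = fake_range_api({"Password1": 3000000, "Packers12": 5})   # constructed counts
    for candidate in ("Spring2019!", "P@$$word1!", "Packers19", "4score&7yearsagoLet'sg0r3d"):
        print(candidate, assess(candidate, lookup, year=2019))
```

Two things the slides say only in prose come out as numbers: “Spring19” is about 48 bits of keyspace and falls in hours at the assumed rate, while the 26-character passphrase is about 171 bits and does not fall at all. Note also that “stick with constant formulas” is exactly what the `trailing number` and `year suffix` checks catch: a formula the attacker can learn from one leaked password predicts the next one.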
(3) Application Security
Key Application Security: accounting, HR, or other sensitive-data applications. Follow the password standards of the network. Segregation of duties / reporting controls.
Anti-Virus Protection (Symantec, McAfee, etc.): server based, automatic updates of workstations, e-mail protection.
Patch Maintenance: Windows Update Services.
Employee Training: dangerous files, e-mail concerns, web surfing.
Spyware Protection
Spyware – Detecting & Eliminating
Signs you have been infected: random “Security” pop-up windows appear when browsing; drop in computer performance; normal home page has been replaced / new search bars.
Removal help – cleaning programs: ComboFix, SpyBot Search & Destroy. Monitoring & prevention: SuperAntiSpyware, MS Defender.
Other tools: CCE – Comodo Cleaning Essentials; www.processlibrary.com.
Online file scans: www.virustotal.com; Malwr.com (will give screen shots of execution of the file…).
(4) External Access Security
Cannot have it without the other elements! Weakness in other areas can defeat the best external security.
Access method security (VPN, Citrix, etc.). Data encryption. User education.
Activities to avoid – popular methods of capturing data: shoulder surfing; key logging / capturing programs; packet sniffing; wireless worries.
Wireless Security
Control Access. UPDATE FIRMWARE. Change Defaults!
Administrator password / network SSID. MAC filtering: list of authorized wireless Ethernet cards.
Scan yourself for “rogue” access points: Heatmapper, WiFi Analyzer (Android tool).
Control your own equipment’s access. Current encryption (WPA2; WPA3 where your equipment supports it).
Real World Outdated Tech
Case Study: Wireless Risks
The “Cantenna” T.J. Maxx Breach
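The “scan yourself for rogue access points” step above can be scripted from the scan a Windows laptop already produces. The example below is added here and is not code from the presentation: it parses scan text in the shape `netsh wlan show networks mode=bssid` prints, then checks it against the authorized-BSSID list from the hardware inventory. The scan text is constructed, the authorized list and the 70% “probably inside the building” signal threshold are assumptions, and the MAC addresses are made up.

```python
"""Rogue-AP / evil-twin audit over a wireless scan in netsh-style text.
Added example; scan output and authorized BSSID list are constructed."""
import re

# "Key   : value" lines as netsh prints them; keys may contain digits ("BSSID 2").
LINE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$")
WEAK = {"open", "wep", "wpa-personal", "wpa-enterprise", "tkip", "none"}

# Constructed sample scan (same layout as 'netsh wlan show networks mode=bssid').
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Signal             : 88%
         Radio type         : 802.11ac
         Channel            : 36
    BSSID 2                 : de:ad:be:ef:00:01
         Signal             : 95%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : Guest-Legacy
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:02
         Signal             : 70%
         Radio type         : 802.11n
         Channel            : 1

SSID 3 : NETGEAR73
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 11:22:33:44:55:66
         Signal             : 82%
         Radio type         : 802.11ac
         Channel            : 149

SSID 4 :
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 35%
         Radio type         : 802.11g
         Channel            : 11
"""

# Assumed inventory: our SSIDs and the BSSIDs (radio MACs) we actually installed.
AUTHORIZED = {"CorpWiFi": {"aa:bb:cc:dd:ee:01"}, "Guest-Legacy": {"aa:bb:cc:dd:ee:02"}}


def parse_netsh(text):
    """Flatten the scan into one record per BSSID."""
    nets, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key.startswith("SSID"):                      # new network block (may be hidden: val == "")
            cur = {"ssid": val, "auth": "", "enc": ""}
        elif cur is None:
            continue
        elif key == "Authentication":
            cur["auth"] = val
        elif key == "Encryption":
            cur["enc"] = val
        elif key.startswith("BSSID"):
            nets.append({**cur, "bssid": val.lower(), "signal": 0, "channel": 0})
        elif key == "Signal" and nets:
            nets[-1]["signal"] = int(val.rstrip("%"))
        elif key == "Channel" and nets:
            nets[-1]["channel"] = int(val)
    return nets


def audit_wireless(nets, authorized, rogue_signal=70):
    """Return (bssid, message) findings: evil twins of our SSIDs, strong unknown
    APs (rogue_signal is an assumed threshold), and weak or absent encryption."""
    findings = []
    for n in nets:
        label = n["ssid"] or "<hidden>"
        if n["ssid"] in authorized:
            if n["bssid"] not in authorized[n["ssid"]]:
                findings.append((n["bssid"], f"EVIL TWIN: unknown BSSID broadcasting '{label}' on channel {n['channel']}"))
        elif n["signal"] >= rogue_signal:
            findings.append((n["bssid"], f"possible rogue AP on premises: '{label}' at {n['signal']}% signal"))
        if n["auth"].lower() in WEAK or n["enc"].lower() in WEAK:
            findings.append((n["bssid"], f"weak or no encryption on '{label}': {n['auth']}/{n['enc']}"))
    return findings


if __name__ == "__main__":
    for bssid, msg in audit_wireless(parse_netsh(SAMPLE_SCAN), AUTHORIZED):
        print(bssid, msg)
```

On the constructed scan this flags four things: a second radio advertising `CorpWiFi` that is not in the inventory (the evil twin that captures credentials from laptops that auto-join), a strong `NETGEAR73` that is probably a consumer router someone plugged into a wall jack, the open guest network, and a hidden WPA/TKIP network. MAC filtering and an SSID list only help if this inventory exists and is compared against reality on a schedule.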
(5) Planning & Governance
Align IT Goals with Business Goals: Does the IT department work for you or run you? Is IT planning part of the overall strategic planning process? Steering committee: department head involvement!
Must-Have Plans: Disaster Recovery \ Business Continuity – testing! Involvement of all departments – what are their needs?
System Security Plan. Incident Response Plan: data disclosure events, contact requirements.
Policies & Procedures
Policies in general: signature requirements \ acknowledgement; redistribution of policy \ general availability; centralize & minimize total number; training opportunity on changes!
Important groupings:
Computer Use Policy: Internet use, e-mail use
IT Security Policy: confidentiality statements, data handling and storage, data retention & destruction
Policies & Procedures – Updating
The importance of reviewing and updating policies:
What happens when two worlds collide? Can social media be used for public debate? What rules are in place for posting information by the elected? How can the use of social media be policed?
Sunshine Laws
Data Security
Updating our policies and procedures is a critical part of the circle.
What is this hacking thing you speak of?
Computer Information Hacking
Attack Origins
Points of Origin of Network Attacks
Internal – harder to protect against (productivity vs. security). Motivations: personal gain; revenge (missed promotion, about to be fired); job security.
External – hard to identify the source. Motivations: random attack; revenge (former employee, angry client, competitor); industrial espionage.
Close your eyes.
Imagine a “hacker”
Computer Information Hacking
What Hackers Look Like
What Hackers Look Like - 2
Social Engineering Expert
Kevin Mitnick
• FBI Most Wanted List – 1994
• Banned from the Internet on January 21, 2000
• Current Chief Hacking Officer of KnowBe4
• CEO of Mitnick Security
“Any act that influences a person to take an action
that may or may not be in their best interest.”
Social Engineering
Social Engineering : what is it?
Social Engineering Defined
Social Engineering Tactics:
Phishing: banking spoofs, eBay accounts, etc. New evolution: pharming – “poisoning” of a DNS record to redirect the request; the site could be an exact duplicate of the intended site.
Malware: key-loggers & screen capture programs; browser hijacks; drive-by malware infections.
Friendliness / Naivety
2019 Recent Attacks:
Business Email Fraud: City of Ottawa, Canada – urgent email to staff; wire of $100,000 to scammer – procedures not followed.
Payroll Redirection: City of Tallahassee, FL – 3rd-party vendor compromised, $498,000 in payroll checks redirected to scam accounts. Thomas County School System – thwarted $2M attempt.
Ransomware: Greenville, NC – Stuart, FL – Augusta, ME – Imperial County, CA – Baltimore, MD – Albany, NY – Riviera Beach, FL – Who is next???
How does it start and spread?
Phishing emails: attachments / website links
Compromised websites: drive-by downloads; social media post links; Remote Desktop Protocol
Free software; removable media (thumb drives)
Social Engineering : Phishing Examples
Social Engineering Email
Social Engineering Website
Fake Invoice Scams
• Compromise target email system
• Send bogus invoices from the email account
Real World - Phishing
Fake Invoice Scams – defenses
• Examine links closely
• Accounts payable verification procedures
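“Examine links closely” is easier to do by machine than by eye, because the tricks are visual. The inspector below is an added example, not code from the presentation: it pulls every link out of an invoice e-mail's HTML, compares what the link text shows with where the link actually goes, decodes punycode hostnames, folds accented letters and common confusables so lookalike domains match the brand they imitate, flags a trusted name buried inside an unrelated domain, and checks whether Reply-To would divert the clerk's answer away from the From domain. The sample message, the invoice number in it, the trusted-domain list and the lookalike host are all constructed; the “last two labels” notion of a registrable domain is a simplification (a real deployment would use the public-suffix list).

```python
"""Phishing-link inspection for fake-invoice e-mails. Added example; sample
message and trusted-domain list are constructed."""
import re
import unicodedata
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains Accounts Payable legitimately receives invoices from.
TRUSTED_DOMAINS = {"synercomm.com", "wgfoa.org"}
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels ('synercomm.com' from 'www.synercomm.com'); simplification."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name):
    """Fold accents and common confusables so 'synercömm.com' and 'paypa1.com'
    compare equal to the brands they imitate."""
    nfkd = unicodedata.normalize("NFKD", name.lower())
    plain = "".join(c for c in nfkd if not unicodedata.combining(c))
    return plain.replace("rn", "m").replace("vv", "w").translate(str.maketrans("10", "lo"))


def inspect_link(href, text, trusted=TRUSTED_DOMAINS):
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append(f"scheme is {url.scheme or 'missing'}, not https")
    shown = host
    if "xn--" in host:                                   # punycode: show the reader the real name
        shown = host.encode("ascii").decode("idna")
        findings.append(f"punycode hostname decodes to '{shown}'")
    if not shown.isascii():
        findings.append("non-ASCII characters in hostname (possible homoglyph)")
    m = DOMAIN_IN_TEXT.search(text)                      # link text that looks like a URL
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"text shows {registrable(m.group(1))} but link goes to {registrable(host)}")
    reg = registrable(shown)
    for t in trusted:
        if reg != t and t in shown:                      # paypal.com.evil.net style
            findings.append(f"trusted name '{t}' used inside unrelated domain {reg}")
        if reg != t and skeleton(reg) == skeleton(t):
            findings.append(f"'{reg}' is a lookalike of trusted domain {t}")
    return findings


def inspect_headers(headers):
    """Flag a Reply-To that sends the clerk's answer somewhere other than the From domain."""
    from_dom = parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(headers.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        return [f"Reply-To domain {reply_dom} differs from From domain {from_dom}"]
    return []


def inspect_email(headers, html):
    p = LinkExtractor()
    p.feed(html)
    return {"header_findings": inspect_headers(headers),
            "links": [{"href": h, "text": t, "findings": inspect_link(h, t)} for h, t in p.links]}


# Constructed sample: an "overdue invoice" message. LOOKALIKE_HOST is built here so
# the punycode is valid; it is 'synercömm.com' with an o-umlaut.
LOOKALIKE_HOST = "synerc\u00f6mm.com".encode("idna").decode("ascii")
SAMPLE_HEADERS = {"From": "Accounts Payable <ap@synercomm.com>",
                  "Reply-To": "ap-synercomm@mail-secure-invoices.net"}
SAMPLE_HTML = f"""<p>Invoice 4471 is 30 days past due. Please remit today.</p>
<a href="http://synercomm.com.invoice-portal-login.net/pay">https://synercomm.com/invoices</a><br>
<a href="https://{LOOKALIKE_HOST}/login">Login to view</a><br>
<a href="https://www.synercomm.com/ap">Our AP page</a>"""

if __name__ == "__main__":
    report = inspect_email(SAMPLE_HEADERS, SAMPLE_HTML)
    print(report["header_findings"])
    for link in report["links"]:
        print(link["href"], "->", link["findings"] or "ok")
```

The first link is the classic fake-invoice pattern (the visible text is the real vendor, the target is not), the second is a homoglyph domain that looks identical in most fonts, and the third is the only clean one. None of this replaces the “accounts payable verification procedures” bullet: a link check catches the message, a call to the vendor on a number you already have catches the payment.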
Vishing
Security Awareness
Vishing: what is it?
Vishing Defined: “an electronic fraud tactic utilizing voice technologies in which individuals are tricked into revealing critical financial or personal information to unauthorized entities.”
Social Engineering : Vishing Examples
Jury Duty Scams
• Missed jury duty – warrant issued
• Must come down to location or call back
• Buy payment cards
• Payment system is down
Real World - Vishing
Example!
Security Awareness
Social Engineering Combined
My Dad – Combined Computer Help / Call
Real World – Phish/Vish
A Typical Classic IT Hack (diagram)
Organization Data Store holds SS’s Information: Employee, Customer, Vendor
UH (Unethical Hacker) Steals Information: Cracks Database, Wireless Sniff, Social Engineering
UH Posts Information
HH Buys Information: Transfers Money, Opens Charge Account
A Ransomware Attack (diagram)
SS’s Computer Infected, then Spread Infection, Lock Screen, Encrypt Files: Local Stores, Network Shares
UH Demands Payment: Paycard or Bitcoin; delay escalates amount; can threaten to post files
UH Receives Payment: Decrypt key is sent* (* most of the time); backdoor left on machine; will return for more!
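The “encrypt files on network shares” step is the one a file server can actually see happening: a burst of renames to an extension nobody uses, spread across several folders, followed by a ransom note dropped into each of them. The detector below is an added example, not code from the presentation; the audit-event format (timestamp, host, user, action, path), the `.encrypted` extension, the thresholds and the event lines themselves are constructed.

```python
"""Ransomware 'encryption phase' detection over file-server audit events.
Added example; log format, thresholds, extension and events are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip", ".bak"}
RANSOM_NOTE = re.compile(r"(readme|decrypt|how_to|restore|recover).*\.(txt|html|hta)$", re.I)


def parse_event(line):
    """Assumed format: '<ISO-8601 UTC> <host> <user> <CREATE|WRITE|RENAME> <path>'.
    For RENAME events the path is the NEW name."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "action": action, "path": path}


def _name(path):
    return path.rsplit("\\", 1)[-1]


def _dir(path):
    return path.rsplit("\\", 1)[0]


def _ext(path):
    name = _name(path)
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def detect(lines, window=60, min_renames=20, min_dirs=3):
    """Alert once per (host, user) when, inside `window` seconds, at least
    `min_renames` files get an unknown extension across `min_dirs` folders,
    and once when a ransom-note-looking file is created or written."""
    recent = defaultdict(deque)          # (host, user) -> (ts, new path) of suspicious renames
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["user"])
        if (ev["action"] in ("CREATE", "WRITE") and RANSOM_NOTE.search(_name(ev["path"]))
                and (key, "ransom_note") not in alerted):
            alerted.add((key, "ransom_note"))
            alerts.append({"type": "ransom_note", "host": ev["host"], "user": ev["user"],
                           "evidence": ev["path"]})
        if ev["action"] == "RENAME" and _ext(ev["path"]) not in KNOWN_EXTS:
            q = recent[key]
            q.append((ev["ts"], ev["path"]))
            while q and (ev["ts"] - q[0][0]) > timedelta(seconds=window):
                q.popleft()                              # slide the window
            dirs = {_dir(p) for _, p in q}
            if len(q) >= min_renames and len(dirs) >= min_dirs and (key, "mass_rename") not in alerted:
                alerted.add((key, "mass_rename"))
                alerts.append({"type": "mass_rename", "host": ev["host"], "user": ev["user"],
                               "count": len(q), "dirs": sorted(dirs), "ext": _ext(ev["path"])})
    return alerts


def constructed_events():
    """A benign user editing spreadsheets, then an infected workstation sweeping
    three finance folders in ~15 s and dropping a note. All constructed."""
    base = datetime(2019, 5, 7, 4, 12, 0)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{fmt(base + timedelta(minutes=2 * i))} FIN-WS03 mlopez WRITE \\\\fileserver\\finance\\AR\\aging_{i}.xlsx"
             for i in range(5)]
    folders = ["AP", "AR", "payroll"]
    for i in range(30):
        lines.append(f"{fmt(base + timedelta(minutes=5, seconds=i // 2))} FIN-WS07 jdoe RENAME "
                     f"\\\\fileserver\\finance\\{folders[i % 3]}\\doc{i}.xlsx.encrypted")
    lines.append(f"{fmt(base + timedelta(minutes=5, seconds=16))} FIN-WS07 jdoe CREATE "
                 f"\\\\fileserver\\finance\\AP\\README_HOW_TO_RECOVER.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The alert carries the host and user, which is what the response needs in the first minutes: disable that account and pull that workstation off the network before the sweep reaches the next share. Whether the decrypt key ever arrives is then irrelevant, because the backups the slide's planning section insists on are what you restore from.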
Stepping Stones in Hacking (diagram)
Attacker gains Access to Phished Machines. Permissions: Admin Rights.
Admin Wkst #1, Admin Wkst #2, Admin Server #1
Internal System 1, Internal System 2, Internal System 3
Defense - Scanning Yourself
Social Engineering / Online Searches – testing tools: KnowBe4. Areas of search: Have I Been Pwned (https://haveibeenpwned.com), ARIN records, DNS Stuff.
Vulnerability Assessments – finding rabbit holes (weak points in your network). Online tools: Shields Up. Nessus (www.nessus.org), OpenVAS (www.openvas.org). Free Nessus vs. $1500 version; Windows & Linux versions; external & internal use.
Penetration Testing – how far down does the rabbit hole go? Care in performing exploits – not for amateurs! Metasploit.
Understand Your Enemies
You have to understand their tactics to better stop them. Hacking for Dummies by Kevin Beaver, Stuart McClure.
Certified Ethical Hacking – training & certification: vulnerability assessments, penetration testing.
On-line resources: Krebs on Security – krebsonsecurity.com; SANS – www.sans.org; NIST – www.nist.gov.
Questions & Answers
SynerComm’s goal is to be a Trusted Advisor and Preferred IT Solutions Provider by assisting our clients to achieve a goal, solve a problem, or satisfy a need.
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH – Information Assurance Consultant - SynerComm, Inc.