Cybersecurity, Phishing, and MFA for VPN
Irwin Gaines
Report to UEC, Dec 7 2018


“Rebranding” of former computer security team

We are now the Cybersecurity team

All communication to [email protected] (including incident reports, phishing reports or questions, other cybersecurity questions, etc.)

new web page at http://securityawareness.fnal.gov

Emphasis on partnership between cybersecurity team, management, and employees

1/14/2019 Phishing Report - Irwin Gaines2


Outline

• Cybersecurity is everyone’s responsibility

• Phishing: Forged email trying to induce the recipient to click on a link which will either download malicious software to their computer (or mobile device) or take the user to a seemingly legitimate website to “phish” for user credentials or other personal information.
  – Why phishing exercises
  – What were the exercises
  – Results of the exercises
  – Consequences: moving forward (Proofpoint)

• MFA and VPN
  – MFA already in use at Fermi but primarily for privileged access to enterprise systems and any access to business and HR systems; scientists and user community not impacted
  – New threats require additional use, in particular VPN, which will impact scientists and users

Why phishing exercises

• Statistically, phishing remains one of the primary means to compromise an individual or company
  – According to a study done by Google, phishing poses the biggest threat to your online security [1]
  – 91% of cyber attacks (from 2015 to 2016) start with a phishing email [2]
  – Notable compromises have been accomplished via phishing – a handful of examples include: PNNL/ORNL [3], Sony [4], and DNC [5].
  – Phishing combined with password reuse leads to further possible compromises via credential stuffing

• Fermilab has implemented anti-phishing training and incorporated phishing assessment as part of its security awareness training
  – There previously was no means to actually test the effectiveness of this training

Why phishing exercises (2)

• We have not done phishing exercises in the past, partly because of my (now proved to be mistaken) belief that our employees and users would not click on malicious links in email

• But with the increasing prevalence of phishing and with the frequent breaches of government systems because of responses to phishing, the government and DOE are requiring such exercises

• Seeing the handwriting on the wall, we began regular exercises last summer (shortly before we were told to do them)

Initial Flood of Phishing Reports

• On Tuesday, June 26, 2018 (starting at 8:50am), a flood of reports (over 40) came into Fermi’s Incident Response (FIR) Team

• Link was blocked within five minutes by FIR

• Looking into the email, it appeared that the sender’s account was compromised

1/14/2019 Art Lee | User Compromise Involving Lab Director Phishing Emails 7

Phishing exercise details

• A number of different campaigns have been run – these were all based on real-world scenarios and had different goals to assess awareness with Fermi users (those with mailboxes). All had a variety of clues indicating they were not legitimate

• July 2017
  – The first campaign was a package delivery phish which simulated a UPS delivery notification – its intent was to look slightly “genuine”
  – The second campaign was a password reset phish which was based on a real password reset email – its intent was to see the response rate for garden variety phishing

• Aug 2017
  – The first campaign was a password reset phish modeled after a real email reported to CST last month
    • This included a link to a website (hosted by the testing provider) that simulated a web-based password reset form
  – The second campaign was a scam phish requesting a user to send money as an investment to receive more money
    • This was based on real (and frequent) scam emails; however it has been modified for context

Phishing exercise details (2)

• Sep 2017
  – The first campaign was a Facebook deactivation confirmation phish
    • This was based on real phishing emails not generally received by Fermi users; however these are very common
  – The second campaign was a scam phish impersonating a Charles Schwab email requesting a user to receive money
    • This was based on a real phishing email received by Fermi users

• Oct 2017
  – The first campaign was a FedEx delivery notification phish
    • This was based off a real FedEx delivery email. This is a followup to the UPS delivery notification phish from July of this year.
  – The second campaign was a scam phish noting that a foreign email address was added to a user’s Paypal account
    • This was based on a real phishing scheme – however this has not been reported to us from Fermi users.

Phishing exercise details (3)

• Nov 2017
  – The first campaign was a Netflix billing campaign
    • This was based off a real Netflix phishing scam. It was designed to trick users into thinking that their Netflix payment was not validated, resulting in a suspension of the account.
  – The second campaign was a USPS phish noting the delivery status of the shipment.
    • This was targeted specifically to repeat offenders that clicked on both the past UPS and FedEx package delivery phish campaigns.

• Feb 2018
  – The first campaign was a Microsoft security alert
    • This is an email from “Microsoft” stating that someone else may have accessed his/her account. If the user clicks the link to verify the account, a fake login page will be shown. The user may enter his/her credentials into this form.
  – The second campaign was a DropBox sharing notification
    • This is an email from “DropBox” stating that a person has shared a PDF regarding neutrinos with the user

Campaign examples (one slide each):

UPS Quantum View campaign
ICT Service Desk campaign
Please reset your password campaign (1 of 2)
Please reset your password campaign (2 of 2)
LETTER FROM HOSPITAL campaign
Sorry to see you leave Facebook! campaign
Your Schwab Brokerage Deposit campaign
FedEx Tracking Email campaign
Paypal email address campaign
Netflix Billing Campaign
USPS Delivery Status
Microsoft Security Alert
Microsoft Security Alert
DropBox Sharing
Phish landing page
Phish landing page

Results of Phishing Exercises

Campaign                 # clicks   % clicks   # reports   # repeats
UPS delivery             753        27%        38
ICT service desk         177        7%         52
Reset password           327/199    12%/8%     62
Letter from hospital     7          0.3%       25
Facebook deactivation    159        5.8%       54
Schwab brokerage         37         1.3%       44
FedEx tracking           345        13%        110         293
Paypal email addr        227        8%         122         206
Netflix                  115        4%         84          164
USPS (only 137 users)    50         36%        1           50
Microsoft alert          57/10      2%/0.4%    166         96
Dropbox                  115        4%         50          179

Overall lessons learned

• Click rates are still higher than we would like, but overall performance is improving

• Repeat offenders remain a problem, considering 137 users fell for both the UPS and the FedEx shipping phishes, and 50 still fell for the USPS phish

• Users reporting phishes has gone way up

• Many users read the phish email from mobile devices and/or from outside of Fermilab (and so will not be protected by web blocks at the lab)
  – Note that the first report of a new phish will have the landing site for that phish blocked in our web proxies, providing protection for anyone who is on site when they click

Going forward

• Regular phishing campaigns will continue to be implemented – some will use varied attack vectors

• There will be consequences to users when they repeatedly “fail” a phishing exercise
  – Currently 43 3-time offenders have had Remedial Phishing Training added to their ITPs

• URL “defanging” service being implemented from ProofPoint
  – This rewrites links so that they point through ProofPoint’s servers, which verify whether a link is legitimate or not before passing the user on
  – Unlike controls like the proxy servers, this can mitigate risks outside of the lab
  – This can also mitigate risks regardless of platform (Windows, MacOS, iOS, Android, etc.)
  – Whitelisting and blacklisting will be possible for versatility

• Still need to raise ongoing awareness with users
  – securityawareness.fnal.gov

Proofpoint decoding

• ProofPoint URL Decoder: self-service tool for decoding a ProofPoint URL

• ProofPoint URL: https://urldefense.proofpoint.com/v2/url?u=https-3A__powerpedia.energy.gov_wiki_IM-2D24-5FData5FCalls&d=DwMFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ct1EoviYG4gx4IPJGo2How&m=GGGQWNlRADGtfJDUdQMMNdYP2tEjYN-0bovWUq4yFN4&s=kJSAJqFIZym8fe7uhNnXiJ2kJCTEVOkYm-wE4IBfiTA&e=

• Decoded URL: hxxps://powerpedia.energy.gov/wiki/IM-24_Data_Calls
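As an added example (not a Fermilab or Proofpoint tool), here is a small Python decoder for the v2 rewritten links produced by the URL “defanging” service described under Going forward and decoded on this slide; it undoes the u-parameter encoding visible in the slide’s URL (https:// appearing as https-3A__). The sample rewritten link, its example.com destination and the PLACEHOLDER tracking parameters are constructed for this example.

```python
"""Decode Proofpoint URL Defense v2 links and defang the result.

Added example, not a Fermilab or Proofpoint tool.  In the v2 scheme the real
destination travels in the ``u`` query parameter with ``/`` written as ``_``
and ``%`` written as ``-``: ``https://`` appears as ``https-3A__``, and a
``-`` or ``_`` in the original URL appears as ``-2D`` or ``-5F``, so the
mapping is reversible.  The sample link below is constructed for this example.
"""
import re
from typing import Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: a rewritten link of the kind a user forwards in a
# phishing report.  The d/c/r/m/s values are placeholders, not real tokens.
SAMPLE_REWRITTEN = (
    "https://urldefense.proofpoint.com/v2/url?"
    "u=https-3A__example.com_account_reset-3Fid-3D42-26next-3D_home-5Fpage"
    "&d=PLACEHOLDER&c=PLACEHOLDER&r=PLACEHOLDER&m=PLACEHOLDER&s=PLACEHOLDER&e="
)


def is_urldefense_v2(url: str) -> bool:
    """True if ``url`` is a urldefense.proofpoint.com/v2/url rewritten link."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    on_proofpoint = host == "urldefense.proofpoint.com" or host.endswith(
        ".urldefense.proofpoint.com"
    )
    return on_proofpoint and parsed.path.startswith("/v2/url")


def decode_urldefense_v2(url: str) -> str:
    """Recover the original destination from a v2 rewritten link."""
    if not is_urldefense_v2(url):
        raise ValueError("not a Proofpoint URL Defense v2 link")
    u = parse_qs(urlparse(url).query).get("u")
    if not u:
        raise ValueError("rewritten link has no u= parameter")
    # Undo the v2 transformation: '_' stands for '/', '-' stands for '%'.
    # What remains is an ordinary percent-encoded URL.
    return unquote(u[0].replace("_", "/").replace("-", "%"))


def defang(url: str) -> str:
    """Neutralise the scheme (http -> hxxp) so the link is not clickable in a
    report, matching the hxxps:// form shown on the slide."""
    return re.sub(r"^http", "hxxp", url)


def resolve_reported_link(url: str) -> Tuple[str, bool]:
    """Return (defanged real destination, was_rewritten) for a reported link.
    Links not rewritten by Proofpoint pass through, defanged only."""
    if is_urldefense_v2(url):
        return defang(decode_urldefense_v2(url)), True
    return defang(url), False


if __name__ == "__main__":
    destination, rewritten = resolve_reported_link(SAMPLE_REWRITTEN)
    print("rewritten by Proofpoint:", rewritten)
    print("destination:", destination)
```

Feeding a forwarded link through resolve_reported_link gives the analyst the real landing site in defanged form, which is what the slide’s decoder shows for the powerpedia.energy.gov example.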


References

• [1] https://www.engadget.com/2017/11/11/google-study-hijack/

• [2] http://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704

• [3] https://www.computerworld.com/article/2510012/malware-vulnerabilities/second-doe-lab-is-likely-victim-of-spear-phishing-attack.html

• [4] https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/

• [5] https://www.engadget.com/2017/11/03/ap-investigation-russia-hack-dnc-clinton-emails/

MFA and VPN

• Multi Factor Authentication (MFA) is the use of at least two of three possible modalities for identification: something you know (a password); something you have (smartcard or phone); something you are (fingerprints)

• Fermilab is presently (under DOE mandate) using PIV-I smart cards for access to enterprise privileged systems and RSA tokens (both hardware and software tokens) for access to business and HR systems. Note that the RSA tokens do not satisfy the strictest level of authentication assurance and so need to be migrated to a “better” token

• Recent cyber attacks have highlighted a possible vulnerability in VPN access to the lab, which presently only requires use of the services password that is also used for email access

• Current MFA upgrade project will
  – Switch to a single token (Yubikey) for most access (so no need for two types of tokens)
  – Satisfy DOE requirements for authentication assurance
  – Extend to additional systems (in particular VPN)

MFA usage for VPN

• Project in initial stages; in particular we need to understand use cases for remote science access to data acquisition and analysis systems

• We intend to support both token-based and software-based authentication methods

• Will take several months to roll out credentials to all VPN users

• Currently asking users to make sure they have the root certificate from the Fermilab CA installed on the machines they will be using for token-based VPN access in the future.

• Will be reaching out to user community to identify who needs to use VPN and what devices they will be using for this access. For example, we need to know:
  – Will users be present at Fermilab to be issued hardware tokens or are they only remote users
  – Are they using access devices with USB ports
  – Will they have access to smartphones or other devices to do software authentication

Future path

• Watch FermiNews and VPN users mailing list for updated information over next several months

• VPN already accepts Yubikey and RSA authentication.

• Pilot users will be issued Yubikey tokens in January; RSA tokens already available at Service Desk. Volunteers for pilot program eagerly accepted.