2015 – Top IT Risks for Today’s Auto Dealers
Transcript of 2015 – Top IT Risks for Today’s Auto Dealers
Michael Hammond, CISA, CRISC, CISSP, C|EH Director, IT Audit & Security
O’Connor & Drew P.C. [email protected]
www.ocd.com
Top IT Risks
• Where is your important data?
• Phishing
• WISP
• Patching (OS and applications)
• Reliance on your DMS
Where is your important data?
• Do you have an inventory of all company confidential/sensitive data?
• Do you have an inventory of State/Federal protected data?
You can’t protect what you don’t know you have.
Where is your important data?
Data has a lifecycle:
• Acquire/Create
• Classification
• Storage (At Rest/In Motion)
• Manipulation
• Backup
• Destruction
Where is your important data?
• Collection
  ▫ Credit card applications
  ▫ New employee on-boarding documents
• Classification
  ▫ Are documents labeled? If not, are you wasting time protecting every document, or worse, not protecting the ones that should be labeled?
• Storage
  ▫ Laptops, phones, and removable media should always be encrypted
  ▫ Desktops should also be encrypted
Where is your important data?
• Manipulation
  ▫ When the data is moved from the source to another location, or aggregated, did the classification change?
  ▫ Did two non-sensitive documents, combined, elevate to a level that must be protected?
• Backup
  ▫ Encrypted before leaving the building?
  ▫ External USB? Site to site? Cloud?
• Destruction
  ▫ Drives MUST always be wiped
  ▫ Documents should be shredded, regardless of classification
Phishing
• Recon
  ▫ LinkedIn
  ▫ Twitter
  ▫ FaceBook
  ▫ theHarvester
Phishing
• 2005 PC World article on Phishing
  ▫ Defined 12 types of phishing: Instant messaging, Malware based, Session hijacking, Pharming, MiTM, Search Engine …
Phishing
• Not much has changed in the past 10 years
  ▫ Present day: Spam, Phishing, Spear Phishing, Watering hole attack
Phishing
• Home Attacks
  ▫ Links on your phone are especially dangerous.
  ▫ You often cannot “hover over” the link.
How many errors can you spot?
Phishing
• Home Attacks
  ▫ Same email, but from my computer
  ▫ Hovered over link
  ▫ Microsoft doesn’t need Bitly
http://bit.ly/1WB0vwF
Phishing
• Shortened URLs?
• Use www.getlinkinfo.com to see where a shortened link really goes
http://www.budaisoszoba.hu/wp-content/languages/HU/WOWEXodObATuXIC/ifeamaka1_tman-outluk22222222222222222.html
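The two checks the slides describe, “hover over the link” and “expand shortened URLs”, can be automated for a mail gateway or a training exercise. This is an added example, not material from the deck: it parses the anchors in an HTML body and flags links whose visible text names a different host than the real target, and links whose target is a known URL shortener. The shortener list and the sample email are constructed.

```python
"""Check links in an HTML email the way a careful reader "hovers" over them:
does the text shown match the real target, and is the destination hidden
behind a URL shortener? Added example, not from the original deck; the
shortener list and the sample email below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}  # constructed list

def host_of(url: str) -> str:
    """Lowercase hostname of a URL; a bare domain gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html: str) -> list:
    """Return (href, reason) pairs for links a user should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if target in SHORTENERS:
            findings.append((href, "shortened URL hides the real destination"))
        # Visible text that looks like a URL or domain but points somewhere else
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
    return findings

# Constructed sample: one honest link, one shortener, one display/target mismatch
SAMPLE = ('<p>Sign in at <a href="https://login.microsoft.com">login.microsoft.com</a> '
          'or <a href="http://bit.ly/EXAMPLE">https://www.microsoft.com/security</a>. '
          'Need help? <a href="http://example.net/reset">www.microsoft.com</a></p>')
```

The host comparison is exact, so text reading example.com against a target of www.example.com is flagged too; relax that rule if it proves too noisy for your mail stream.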
Phishing
• Work Attacks
Spear-Phishing
• Targeted Attacks
Spear-Phishing & Watering hole
• Targeted Attacks
Oops, you clicked. Now what?
• Backdoor
Is it really this easy?
• Backdoor
  ▫ WinSpy
Phishing – What can you do?
• It starts with educating all employees
• Conduct training sessions
• Execute phishing exercises
  ▫ Start with obvious-looking phishing emails
  ▫ Work up to more sophisticated emails
Continuous education is key.
• After employees are trained, focus on technology
  ▫ Edge devices (UTMs, Enhanced DNS)
  ▫ Anti-virus updates
  ▫ Patching desktops
WISP
• Massachusetts Written Information Security Program, required by the State (201 CMR 17.00)
  http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
• One of the first and most strict in the US
• The regulation requires businesses to “create effective administrative, technical and physical safeguards for the protection of personal information of residents of the Commonwealth of Massachusetts” and to have a “procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information of residents of the Commonwealth of Massachusetts.”
WISP
• 201 CMR 17.00 Compliance Checklist: http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
WISP
• Requirement: “Regular monitoring to ensure that the WISP operates effectively to protect both paper and electronic records, to detect any unauthorized use of or access to personal information, and to identify any areas where upgraded safeguards are needed.”
  ▫ What we see: ineffective preventative controls, and almost no monitoring/detective controls
• Requirement: “Review of the WISP's scope at least annually, and whenever there is a material change in business practices that may reasonably implicate the protection of personal information.”
  ▫ What we see: about 40% of companies lack a WISP, and most companies cannot produce evidence of annual review
WISP – What can you do?
• Ensure you have a WISP
• Validate it is up to date and reflects any significant changes in personnel, process, or technology
• Test against the areas defined within the document
Patching
Phishing payloads take advantage of vulnerable software; unpatched software is what makes the click succeed.
Top 10 Internal Vulnerabilities as of July 2015 (source: https://www.qualys.com/research/top10/)
1. Oracle Java SE
2. Microsoft XML Parser
3. Obsolete SNMP Version
4. Microsoft various (3)
5. Oracle Java SE/JRE/JDK
6. Adobe Flash
7. Microsoft Windows Shell
8. Microsoft Windows Journal
Patching
Still the top 3:
• Oracle Java – not updated with Windows Update
• Microsoft OS patches
• Adobe (Flash/Reader) – not updated with Windows Update
Why? Law of large numbers: “stable, long-term results”. These products are installed almost everywhere, so they are the most frequently exploited.
Reference: Law of large numbers. Encyclopedia of Mathematics. URL: http://www.encyclopediaofmath.org/index.php?title=Law_of_large_numbers&oldid=26552
Patching
• Starting to see Mac OSX exploits
  ▫ Still far less than Windows
  ▫ Still requires AV/patching
• Are you managing iOS/Android?
  ▫ Paranoid? Only allow iOS on your network
  ▫ Deploy Mobile Device Management (MDM)
Patching – What can you do?
• Validate patching is up to date
  ▫ Manual spot checks
  ▫ Automated tools (examples): Shavlik, WSUS, SolarWinds, ManageEngine, LogMeIn, Dell (KACE)
• Ensure patching tools cover third-party software in addition to Microsoft
DMS
• There is a misconception that the DMS provider is “watching” all the computers on the network.
• We see the DMS patching and maintaining only those PCs connecting to the DMS.
• This leaves many computers, printers, WiFi, and other devices exposed and vulnerable.
This is a HUGE gap!
DMS – What can you do?
• Identify DMS-managed and non-DMS-managed equipment
• Validate the DMS patches are working
• Implement the non-DMS patches (see Patching above)
The Team
Staff: Michael Hammond – IT Audit & Security Director, with the firm since October 2012.
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (C|EH)
• Michael is a member of the financial services InfraGard association, a joint partnership between the FBI and the private sector.
• Michael is a veteran of the United States Air Force
https://www.linkedin.com/in/michaelwhammond
Staff: Nick DeLena – Senior IT Audit Manager
Nick is the lead senior IT audit manager at O’Connor & Drew. He works in concert with internal senior management to scope and budget engagements. He provides oversight and training to existing staff. Nick’s prior engagements include SOX compliance, SAS70, and FFIEC compliance. In addition to Nick’s audit and advisory experience, he also has 12 years in various IT operations and analyst positions.
Certifications and designations:
• Executive Masters in Business Administration (MBA)
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• CompTIA Security+
• ITIL v3 Foundations Certification (ITILv3F)
• Nick is a member of the science and technology InfraGard association, a joint partnership between the FBI and the private sector.
https://www.linkedin.com/in/nickdelena