Transcript of Don't Be The Next Target! - Gravicom LLC.

Page 1:

Don't Be The Next Target! Protecting Your Business – Back to the Basics

Welcome!

Protect, Detect, Respond. Security principles are timeless.

Jamie Bass, CISSP-ISSEP
[email protected]
812-233-4131

Page 2:

Introduction

Jamie Bass has over 15 years of experience in cyber operations with the United States Navy and Marine Corps. He has an extensive background in cyber security, information assurance, robotics, automation, plastics, systems integration, and systems engineering.

QUALIFICATIONS:
• CEO of GRAVICOM LLC, and CEO of Forthright Security LLC
• Senior Systems Engineer on the Navy Information Application Product Suite (NIAPS)
• 1 of 973 CISSP-ISSEPs worldwide (Systems Engineering Certification)
• 1 of 600 Fully Qualified Navy Certification Agents (Navy Validators) worldwide
• 1 of 36 USMC Validators worldwide
• Currently holds (5) patents
• AAS in Robotics / Computer Integrated Manufacturing (CIM)

CERTIFICATIONS:
• (ISC)2 – Certified Information Systems Security Professional & Security Engineer (ISSE), CISSP-ISSEP
• Microsoft – Microsoft Certified Professional (MCP)
• CompTIA - A+ and Network+
• Army IASO, Fully Qualified Navy Validator, USMC Validator
• Committee on National Security Systems (CNSS) - CNSS 4012, CNSS 4015, and CNSS 4016
• Certified Risk Analyst
• EC-Council - Working on Certified Ethical Hacker (CEH)

Pastoral Staff – House Of Prayer Evansville, & City-wide Pastor’s Prayer Network
LinkedIn Profile - www.linkedin.com/in/jamiebass2/

Page 3:

Bottom Line Up Front

STOP FOCUSING ON PRODUCTS, AND START FOCUSING ON PROTECTION OF INFORMATION AND ASSETS.

WHAT ARE YOU TRYING TO PROTECT? WHAT IS CRITICAL TO THE SURVIVAL OF YOUR BUSINESS & YOUR REPUTATION?

• This is a CEO issue. IT CANNOT BE DELEGATED TO THE IT DEPARTMENT!
• The key is PROTECTING INFORMATION, not protecting systems.
• The DoD admitted that they can’t keep perpetrators out; they can only manage what is accessed. Find out what information is really important – keep asking ‘Why is that?’…
• The average data breach costs $188 per record. Most breaches involve tens of thousands of records ($20M+). You are legally required to report a breach.
• Protect, Detect, Respond. Most don’t have ‘Detect’, which severely limits ‘Respond’. Due diligence and due care apply in determining legal liability.

Page 4:

We hear the hype ALL THE TIME. What do we do?

Focus On The Basics

• Protect (your INFORMATION, users, assets, systems, environment, etc.),
• Detect (understand what isn't normal), and
• Respond (activate contingency or incident response plan).

Page 5:

Agenda

• Hackers – Who are they?
• Protect, Detect, & Respond methodology
• Risk Discussion
• PROTECT
• General Threats
• DETECT
• RESPOND
• Conclusions
• Backup Slides
  • Case Studies
  • Technical Evaluations

Page 6:

Who Are These People?

Page 7:

How most people see hackers….

Page 8:

Or maybe….

Page 9:

The ‘Common’ Hacker

REALITY:

1. Many ‘hackers’ work in office environments, for regular salaries. They simply have objectives, targets, and tools.
2. Many are aiming for the easy ‘low hanging fruit’, or easily obtainable information. Scripts do the work, and they use that information to steal for financial gain. Many are paid on commission.
3. There are only a few innovative hackers at the top that develop tools for the rest.

HACKING IS A BUSINESS, AND IT MAKES MONEY. IT IS PROFIT MOTIVATED!

IF YOU MAKE EXPLOITATION HARD FOR THEM, THEY’LL LIKELY MOVE ON TO THE NEXT TARGET.

Page 10:

The Protect, Detect, Respond Concept

Page 11:

What Can Be Done?

Home Security

Protect: Doors, Windows, Locks, Fence
Detect: Alarms, Motion Sensors, Crime Watch, Monitoring
Respond: Dog, Gun, Police, Insurance

Which column is most neglected?

Page 12:

What Can Be Done?

Protect: Doors, Windows, Locks, Fence – Must Have – But They ALL Break
Detect: Alarms, Motion Sensors, Crime Watch, Monitoring – Must Be Able To Detect The Break
Respond: Dog, Gun, Police, Insurance – Must Be Able To Respond Quickly

You CANNOT keep people out – But you CAN DETECT them.

Did you know that the DoD admitted that even with all of the resources, technology, and people they have, they can’t keep perpetrators out? They can only manage what data is accessed.

Detection is a crucial part of the chain!

Page 13:

Security Is A System

Security is NOT: Firewalls, Passwords, Encryption, Technology.

Security Is A System. The System is a combination of People, Policies, Training and Technology all working together.

Page 14:

The Risk

Page 15:

Impact VS. Likelihood

• Adequate Security means that we don’t spend a dollar to protect a dime.
• Impact vs. Likelihood is the industry standard to categorize and prioritize potential risks and helps us evaluate all risks against a common scorecard approach.
• Documentation and monitoring of risk is important!

[Figure: 2×2 Impact vs. Likelihood matrix with quadrants A, B, C, D]
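The Impact vs. Likelihood scorecard on this slide can be made concrete. The following is an added example (not from the Gravicom deck): a small risk register scored on a 1-5 impact and likelihood scale, mapped onto the four quadrants of the matrix, with an annual-loss-expectancy check that turns "don't spend a dollar to protect a dime" into a test. The scales, the quadrant mapping (A = high impact and high likelihood, B = high impact and low likelihood, C = low impact and high likelihood, D = low and low), the sample risks and the control costs are assumptions; the $188-per-record figure is the one quoted on the slides.

```python
# Added example, not from the Gravicom deck: a small risk register scored on an
# Impact vs. Likelihood scorecard. The 1-5 scales, the quadrant letters, the
# sample risks and the cost-benefit rule are assumptions chosen for illustration;
# the $188-per-record breach cost is the figure quoted on the slides.
COST_PER_RECORD = 188  # from the slides (average cost per breached record)


def quadrant(impact, likelihood, threshold=3):
    """Place a 1-5 impact/likelihood pair in one of four matrix quadrants.
    Assumed mapping: A = high/high, B = high impact/low likelihood,
    C = low impact/high likelihood, D = low/low."""
    high_impact = impact >= threshold
    high_likelihood = likelihood >= threshold
    if high_impact and high_likelihood:
        return "A"  # act on these first
    if high_impact:
        return "B"  # rare but severe: plan, insure, rehearse
    if high_likelihood:
        return "C"  # frequent nuisances: cheap controls
    return "D"      # accept and keep monitoring


def expected_annual_loss(records, annual_probability, cost_per_record=COST_PER_RECORD):
    """Annualised loss expectancy: records exposed x cost per record x chance per year."""
    return records * cost_per_record * annual_probability


def control_is_justified(risk, control_annual_cost, residual_probability):
    """'Don't spend a dollar to protect a dime': a control pays for itself only
    when the loss it removes each year exceeds what it costs each year."""
    before = expected_annual_loss(risk["records"], risk["probability"])
    after = expected_annual_loss(risk["records"], residual_probability)
    return (before - after) > control_annual_cost


# Constructed sample register (values are illustrative, not measured).
RISKS = [
    {"name": "Phishing leads to W-2 theft", "impact": 4, "likelihood": 5,
     "records": 1200, "probability": 0.5},
    {"name": "Ransomware on the file server", "impact": 5, "likelihood": 3,
     "records": 50_000, "probability": 0.2},
    {"name": "Lost unencrypted laptop", "impact": 3, "likelihood": 2,
     "records": 5_000, "probability": 0.1},
    {"name": "Website defacement", "impact": 1, "likelihood": 4,
     "records": 0, "probability": 0.3},
]


def prioritize(risks):
    """Score every risk on the same scorecard and rank highest first."""
    scored = []
    for r in risks:
        scored.append({**r,
                       "score": r["impact"] * r["likelihood"],
                       "quadrant": quadrant(r["impact"], r["likelihood"]),
                       "eal": expected_annual_loss(r["records"], r["probability"])})
    return sorted(scored, key=lambda x: (-x["score"], -x["impact"]))


if __name__ == "__main__":
    for row in prioritize(RISKS):
        print(f'{row["quadrant"]} {row["score"]:>2} ${row["eal"]:>12,.0f}  {row["name"]}')
    # Tested offline backups (assumed $30k/yr) cut the ransomware probability to 5%.
    print("backups justified:", control_is_justified(RISKS[1], 30_000, 0.05))
```

Ranking by score alone hides the difference between a seven-figure annual exposure and a zero one, which is why the register also carries the expected annual loss; documenting both is what lets you monitor the risk over time, as the slide asks.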

Page 16:

(When) Will It Happen To You?

Did you know that HALF of American small businesses were hacked last year?!?!

• Meridian Health in Muncie, Indiana, had 1,200 workers’ W-2 forms stolen when an employee was duped by an email purporting to come from a top company executive.
• How many companies didn’t report?
• Many small companies are just one data breach or one fraudulent wire transfer away from going out of business.

Page 17:

Compliance

Do Industry Compliance Standards = Security? PCI-DSS, HIPAA, ISO, COBIT, Etc.

If Compliance = Security, how do Hospitals, Financial Institutions and Retailers get hacked every day?

Compliance ≠ Security!

However…. Good security usually results in good compliance.

Page 18:

PROTECT (what most of us do already)

Page 19:

PROTECT

Simple steps can have huge results:

• The Australian government reported resisting 85 percent of cyberattacks by taking three basic steps:
  1. Restricting which programs can run on government computers (Application White-Listing),
  2. Keeping software updated regularly (Patching), and
  3. Minimizing the number of people who have administrative control over networks and key machines.

Cybersecurity doesn’t have to be rocket science; it’s just computer science.

Page 20:

PROTECT – Know Thyself

• Believe it or not, most companies really don’t know what INFORMATION they even need to protect!
  • Privacy/Health Data, Strategic Data, Financial Data, etc.
• Identify your most critical data first, and make sure it is protected (access controls, encryption, and backed up). Know the threats against your data!
• Monitor changes to the data so you can detect unauthorized access or changes.
• Have an Incident Response Plan (IRP) and a Continuity Of Operations Plan (COOP) so you can recover business operations.

Page 21:

PROTECT – Training

• Training is a CRUCIAL piece of information security.
• Employees need to be trained on what is important to the company’s mission, what data is important, and what common social engineering strategies are used.
• Initial training and (at minimum) annual refresher training is required.
• An ounce of prevention is worth a pound of cure….

Page 22:

PROTECT – Reduce Risk

• Following the NIST guidelines can reduce legal liability if cybersecurity problems arise or are discovered.

The “standard” for “due diligence” is the NIST Cybersecurity Framework.
https://www.nist.gov/cyberframework

Page 23:

Quick Discussion About Threats

Page 24:

How Can You Be Safe?

Start with 3 important questions:

1) What are you Protecting?
2) What are the Threats?
3) What is happening right now?

Page 25:

What Are You Trying To Protect?

● Company Secrets, Intellectual Property
● Customer Emails, Credit Card Details, Purchases
● Company Accounting System
● Patient Health Records
● What’s Important?

Page 26:

What Are Your Threats To That?

● Contractors?
● Service Providers?
● Employees?
● Hackers?
● Ransomware?

Page 27:

What Are The Threats?

Bots, Phishing, Social Engineering, Malware of all sorts

Who Has Been Affected? Millions spent to respond and Millions in lost revenue.

● Morgan Stanley – 350,000 Client Records Stolen
● Anthem – 80 Million Client Records Stolen
● Penn State – 18,000 Student Records Stolen

All Had Passwords - Firewalls - AntiVirus

The Heritage Foundation Issue Brief #4487 on Cyber Security, November 18, 2015

Page 28:

What Are The Threats?

False Security: Can only be uncovered by testing.

● Passwords Don’t Work – Malware Doesn’t Care
● Insider Threats are Huge – Employees Steal Data
● The FBI says it takes an average of 14 months for companies to detect an intruder. Most won’t know until it’s too late.

Page 29:

What Are The Threats?

Insider Attacks:

“90% of I.T. employees indicate that if they lost their jobs, they’d take sensitive company data with them...

59% of employees who leave an organization voluntarily or involuntarily, say they take sensitive data with them.”

Deloitte via WSJ – 05/02/16

Page 30:

Ransomware

“The FBI said the number of so-called ransomware attacks is on the rise. Hackers break into a corporate network, encrypt data and hold it ransom until the victim agrees to pay...”

- WSJ 05/04/16

Page 31:

What Threat?

Page 32:

DETECT (We’re monitoring, but nobody’s monitoring the monitor…)

Page 33:

DETECT – Information

• We can often tell if a system has malware, but can you tell when your data has been accessed?
• Can you tell if someone has more access than they should?
• Do you know what the baseline looks like?

Those are hard questions. Basic suggestions:

1. You have to understand what information you’re trying to protect before you can understand who is and is not supposed to have access.
2. Access should be based on roles, not on individuals.
3. Data At Rest Encryption and Data Loss Prevention (DLP) tools can enforce policies and roles. They can also give you the audit trail you need for compliance.
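The three questions on this slide (has my data been accessed, does someone have more access than they should, what does the baseline look like) can be checked mechanically once you have a data inventory, a role map and an audit trail. The following added example (not from the Gravicom deck) does that over constructed log lines: it flags any access by a role that the data class does not permit, an administrator reading HR data included, and any user whose read volume exceeds three times their own baseline. The role map, data classes, baseline counts and log format are assumptions.

```python
# Added example, not from the Gravicom deck: a role-based audit of constructed
# data-access log lines. The role map, data classes, baseline counts and the
# log format are assumptions; the log entries are constructed for the demo.
from collections import Counter

ROLE_OF_USER = {"alice": "finance", "bob": "hr", "carol": "it-admin", "dave": "sales"}

# Rights belong to roles, not individuals (suggestion 2 on the slide).
ALLOWED_ROLES = {
    "financial": {"finance"},
    "hr": {"hr"},
    "customer": {"sales", "finance"},
}

# The data inventory: which protected class each resource belongs to
# (suggestion 1: know what you are protecting before judging access).
CLASS_OF_RESOURCE = {
    "/data/ledger.xlsx": "financial",
    "/data/payroll.csv": "hr",
    "/data/w2/": "hr",
    "/data/customers.db": "customer",
}

# Baseline: typical reads per user per day, learned from history (assumed).
BASELINE_READS_PER_DAY = {"alice": 20, "bob": 15, "carol": 5, "dave": 30}
BASELINE_FACTOR = 3  # flag a user who exceeds 3x their own normal volume

# Constructed audit trail: "<timestamp> <user> <action> <resource>".
SAMPLE_LOG = """\
2016-05-02T09:01:10 alice READ /data/ledger.xlsx
2016-05-02T09:05:44 bob READ /data/payroll.csv
2016-05-02T09:07:02 dave READ /data/customers.db
2016-05-02T09:09:31 dave READ /data/payroll.csv
2016-05-02T10:15:00 carol READ /data/w2/
""" + "\n".join(f"2016-05-02T11:{i:02d}:00 bob READ /data/w2/" for i in range(50))


def parse_line(line):
    ts, user, action, resource = line.split(maxsplit=3)
    return {"ts": ts, "user": user, "action": action, "resource": resource}


def audit(log_text):
    """Return (finding_type, user, detail) tuples for every suspicious access."""
    findings = []
    reads = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        data_class = CLASS_OF_RESOURCE.get(ev["resource"])
        if data_class is None:
            # Unknown resource: the inventory is incomplete, which is itself a finding.
            findings.append(("unclassified-resource", ev["user"], ev["resource"]))
            continue
        if ROLE_OF_USER.get(ev["user"]) not in ALLOWED_ROLES[data_class]:
            findings.append(("role-violation", ev["user"], ev["resource"]))
        if ev["action"] == "READ":
            reads[ev["user"]] += 1
    # Volume check against each user's own baseline: a burst of reads on
    # protected data is how bulk copying by an insider tends to look.
    for user, n in sorted(reads.items()):
        base = BASELINE_READS_PER_DAY.get(user, 0)
        if n > BASELINE_FACTOR * base:
            findings.append(("volume-anomaly", user, f"{n} reads vs baseline {base}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The role check catches the sales user reading payroll and the administrator reading W-2 forms; the baseline check catches the HR user whose 51 reads in an hour are far above the 15 a day that is normal for that account. Neither finding is possible without the inventory and the role map, which is why the slide puts those first.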

Page 34:

DETECT – The Network

• Do we know if our systems talk to a ‘Known Bad Actor’?
• Can we detect a system ‘beaconing’ out?
• Can we detect data exfiltration?
• Can we detect an attack that occurs over 6 weeks’ time?

Those are also hard questions. Basic suggestions:

1. Focus on Information and Assets.
2. You have to have a baseline and understand what ‘normal’ looks like for your environment.
3. Many tools (AlienVault, LogRhythm, IBM, HPE, Splunk, etc.) are available to give a ‘single pane of glass’ view into all activities happening on a network. NOTE: Detection usually involves a blinky light product due to the nature of the changing threat environment and the speed of the attack.
4. Training your people to understand the network, the baseline, and the tools is CRUCIAL to success.
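The network questions on this slide (known bad actor, beaconing, exfiltration) map to three simple checks over flow or proxy records, shown in the following added example that is not part of the Gravicom deck: a lookup against a threat-intelligence list, a beacon detector that looks for connections to one destination at near-constant intervals (a low coefficient of variation of the gaps between connections), and a per-host egress volume check against a baseline. The threat list, the baseline, the thresholds and the flow records are all constructed; the addresses are documentation ranges.

```python
# Added example, not from the Gravicom deck: three detections over constructed
# proxy/flow records. The "known bad" list, the per-host egress baseline and
# the thresholds are assumptions; the addresses are documentation ranges.
import statistics
from collections import defaultdict
from datetime import datetime

KNOWN_BAD = {"203.0.113.77"}                       # assumed threat-intel list
BASELINE_EGRESS_BYTES = {"10.0.0.5": 2_000_000,    # assumed normal bytes out
                         "10.0.0.9": 500_000}      # per host for this window

# Constructed records: "<ISO timestamp> <src> <dst> <bytes sent>".
# 10.0.0.5 -> 198.51.100.20 every ~60 s (beacon), 10.0.0.5 -> 192.0.2.50 is
# ordinary browsing, 10.0.0.9 pushes 22 MB out and touches a known-bad host.
SAMPLE_FLOWS = """\
2016-05-04T08:00:00 10.0.0.5 198.51.100.20 412
2016-05-04T08:01:01 10.0.0.5 198.51.100.20 412
2016-05-04T08:01:59 10.0.0.5 198.51.100.20 412
2016-05-04T08:03:02 10.0.0.5 198.51.100.20 412
2016-05-04T08:04:00 10.0.0.5 198.51.100.20 412
2016-05-04T08:04:58 10.0.0.5 198.51.100.20 412
2016-05-04T08:06:01 10.0.0.5 198.51.100.20 412
2016-05-04T08:07:00 10.0.0.5 198.51.100.20 412
2016-05-04T08:00:00 10.0.0.5 192.0.2.50 51200
2016-05-04T08:00:15 10.0.0.5 192.0.2.50 48000
2016-05-04T08:03:20 10.0.0.5 192.0.2.50 52000
2016-05-04T08:03:50 10.0.0.5 192.0.2.50 49500
2016-05-04T08:15:00 10.0.0.5 192.0.2.50 50100
2016-05-04T08:15:05 10.0.0.5 192.0.2.50 47900
2016-05-04T08:10:00 10.0.0.9 192.0.2.10 4500000
2016-05-04T08:12:00 10.0.0.9 192.0.2.10 4500000
2016-05-04T08:14:00 10.0.0.9 192.0.2.10 4500000
2016-05-04T08:16:00 10.0.0.9 192.0.2.10 4500000
2016-05-04T08:18:00 10.0.0.9 192.0.2.10 4500000
2016-05-04T08:20:00 10.0.0.9 203.0.113.77 900
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "bytes": int(nbytes)})
    return flows


FLOWS = parse_flows(SAMPLE_FLOWS)


def known_bad_contacts(flows):
    """Any (src, dst) pair where the destination is on the threat list."""
    return sorted({(f["src"], f["dst"]) for f in flows if f["dst"] in KNOWN_BAD})


def detect_beacons(flows, min_events=6, max_cv=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals.
    Returns (src, dst, mean_gap_seconds, coefficient_of_variation)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # small cv = regular, machine-like timing
        if cv <= max_cv:
            hits.append((src, dst, mean, round(cv, 3)))
    return hits


def egress_anomalies(flows, factor=3):
    """Hosts whose total bytes out exceed `factor` times their baseline."""
    out = defaultdict(int)
    for f in flows:
        out[f["src"]] += f["bytes"]
    return [(src, total) for src, total in sorted(out.items())
            if total > factor * BASELINE_EGRESS_BYTES.get(src, 0)]


if __name__ == "__main__":
    print("known-bad contacts:", known_bad_contacts(FLOWS))
    print("beacons:", detect_beacons(FLOWS))
    print("egress anomalies:", egress_anomalies(FLOWS))
```

A beacon that jitters its interval widens the coefficient of variation, so `max_cv` trades false positives against misses; an attack spread over six weeks, as the slide asks, needs the same logic run over a long window rather than one hour, which is exactly the case for keeping flow records and a baseline.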

Page 35:

RESPOND (We Kind Of Do That)

Page 36:

RESPOND – Low & Medium Severity

• Somebody DID something…..
• One of our people reported a strange email that seemed legitimate.
• I clicked on something that I shouldn’t have….
• The server hardware crashed!
• Our data is gone!

The #1 thing in an incident response plan is to limit damage and bring back integrity.

Backups are critically important, and should be checked regularly (monthly or more).

Have a documented procedure for isolation & recovery, and have an ‘after action’ report closing out the incident.
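Backups "checked regularly" means a restore test, not a glance at the backup job's exit code. The following added example (not from the Gravicom deck) restores a constructed archive into a scratch directory, compares every live file with its restored copy byte for byte, and fails the check if the archive is older than the monthly window the slide recommends. The archive format, the age limit and the sample files are assumptions.

```python
# Added example, not from the Gravicom deck: a restore test for a backup
# archive. The archive format (tar.gz), the 30-day age limit and the sample
# files are assumptions made for the demo.
import filecmp
import os
import tarfile
import tempfile
import time

MAX_BACKUP_AGE_DAYS = 30  # the slide says check monthly or more often


def make_backup(src_dir, archive_path):
    """Write src_dir into a gzip-compressed tar archive under the name 'data'."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname="data")


def restore_test(archive_path, src_dir, now=None):
    """Restore the archive into a scratch directory and compare it with the live
    tree. 'ok' is True only if the archive is recent enough, unpacks cleanly,
    and every live file is present with identical content."""
    report = {"age_ok": False, "restored": False, "missing": [], "differs": [], "ok": False}
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(archive_path)) / 86400
    report["age_ok"] = age_days <= MAX_BACKUP_AGE_DAYS
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # Use the safe extraction filter where the interpreter provides it.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError):
            return report  # a backup that will not unpack is not a backup
        report["restored"] = True
        restored_root = os.path.join(scratch, "data")
        for dirpath, _, names in os.walk(src_dir):
            for name in names:
                live = os.path.join(dirpath, name)
                rel = os.path.relpath(live, src_dir)
                restored = os.path.join(restored_root, rel)
                if not os.path.exists(restored):
                    report["missing"].append(rel)
                elif not filecmp.cmp(live, restored, shallow=False):
                    report["differs"].append(rel)
    report["missing"].sort()
    report["differs"].sort()
    report["ok"] = (report["age_ok"] and report["restored"]
                    and not report["missing"] and not report["differs"])
    return report


def demo():
    """Constructed scenario: a fresh backup passes; after the live data changes
    the test shows drift; an archive older than the window fails the age check."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.makedirs(src)
        with open(os.path.join(src, "ledger.csv"), "w") as fh:
            fh.write("acct,amount\n1001,250.00\n")
        archive = os.path.join(work, "nightly.tgz")
        make_backup(src, archive)
        fresh = restore_test(archive, src)
        with open(os.path.join(src, "ledger.csv"), "a") as fh:
            fh.write("1002,80.00\n")
        with open(os.path.join(src, "new.txt"), "w") as fh:
            fh.write("not yet backed up\n")
        drifted = restore_test(archive, src)
        stale = restore_test(archive, src, now=time.time() + 45 * 86400)
        return fresh["ok"], drifted["differs"], drifted["missing"], stale["age_ok"]


if __name__ == "__main__":
    print(demo())
```

Run against a real backup set, the "differs" and "missing" lists tell you how much you would lose restoring today, which is the number an after-action report needs; the age check is what catches a backup job that silently stopped running months ago.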

Page 37:

RESPOND – Catastrophic

• Do you have a plan for a Data Breach?
• Do you have a plan for a Fire? Flood? Pandemic?
• Do you have a plan for Social Unrest? War?

Here are a few suggestions to help:

1. Use an external (off-site) backup facility. Many will also provide spinning up virtual machines from your backups to get you up and running quickly.
2. Do you have a plan for a data breach? This is something you should know BEFORE IT HAPPENS!
3. Extreme circumstances of fire, flood, pandemic, social unrest, war, etc. are all usually specific to your line of business. Plan accordingly. Ask the hard questions.
4. MOST IMPORTANT: TEST YOUR INCIDENT RESPONSE AND CONTINGENCY PLANS REGULARLY! OTHERWISE YOU WON’T KNOW IF THEY WORK!

Page 38:

STRATEGIES, KEY POINTS, AND ADDITIONAL INFO

Page 39:

Cyber Insurance

“...Cyber Liability Insurance Coverage (CLIC) has been available for more than 13 years…

The average cost of a data breach to the affected business is $3.8 million...a 23 percent increase since 2013...”

CNN.com June 30, 2015

Page 40:

Attitude?

“Security is also a Frame of Mind... It’s about Culture, Structure and Strategy... Every aspect of doing business requires looking at it through a security lens...”

Paraphrased from TheGuardian.com Mar 11, 2014

Page 41:

Key Points

● Compliance is NOT security
● Security is a State of Mind
● Liability for losing customer data is Real & Expensive
● A Complete System is required for modern security

Page 42:

CONCLUSION

STOP FOCUSING ON PRODUCTS, AND START FOCUSING ON PROTECTION OF INFORMATION AND ASSETS.

WHAT ARE YOU TRYING TO PROTECT? WHAT IS CRITICAL TO THE SURVIVAL OF YOUR BUSINESS & YOUR REPUTATION?

• This is a CEO issue. IT CANNOT BE DELEGATED TO THE IT DEPARTMENT!
• The key is PROTECTING INFORMATION, not protecting systems.
• The DoD admitted that they can’t keep perpetrators out; they can only manage what is accessed. Find out what information is really important – keep asking ‘Why is that?’…
• The average data breach costs $188 per record. Most breaches involve tens of thousands of records ($20M+). You are legally required to report a breach.
• Protect, Detect, Respond. Most don’t have ‘Detect’, which severely limits ‘Respond’. Due diligence and due care apply in determining legal liability.

Page 43:

REMEMBER

Focus On The Basics

• Protect (your INFORMATION, users, assets, systems, environment, etc.),
• Detect (understand what isn't normal), and
• Respond (activate contingency or incident response plan).

Page 45:

Page 46:

BACKUP TECHNICAL SLIDES

Page 47:

Nobody has it covered

Here’s the list that always comes out:
• MALWARE! (Malware is an URGENT and ACTIVE threat)
• Disaster Recovery and Back Ups Tested (CryptoLocker anyone?)
• Policy (Rarely enforced, not many people know/care about them)
• Segmentation (Target HVAC-to-POS hack)
• Web Applications (Pay no attention to the man behind the curtain)
• IP-Telephony (Extremely sensitive data – Legal, Stocks, Trades, Mergers, Acquisitions, Employee Issues, etc.)
• Server & Operating System Security (Auditing & Alerting)
• Remote Access / BYOD (Better be sandboxing & multi-factor auth!)
• Wireless (What about Exec’s home network?)
• Partners, Guests, and Contractors (Insider threats)

Page 48:

The formula that discovers risk

1. Work with business leaders to discover the critical business information, and the assets. NOTE: This is a discussion with the asset owner, not the technical folks.
2. Work with power users to discover workflow
3. Consider the entire system as a whole – People, Technology, Operations
4. Conduct an Internal Review.
5. Do the IT Walkthrough
6. Collect the Evidence
7. The “So What” test
8. Deliver Measurable Risk (Impact vs. Likelihood)
9. Manage Risk on an ongoing basis (the world changes!)

Page 49:

What do executives want to see?

• What are the top 5 to 7 threats our company faces?
• What are the odds we’ll be compromised by these threats over the next 12 months?
• Are we trending up or down?
• How are we managing? What’s the plan and what is being measured?

Page 50:

Supply Chain Vulnerabilities

The problem: Extremely hard to detect
The risk: Complete compromise
Likelihood: Low
Impact: High

Solution:
• Validate Serial Numbers
• Purchase from manufacturers or direct resellers
• Pay close attention to Firmware versions
• Certificates of Authenticity
• Sealed, Tamperproof Containers
• Auditing, Auditing, Auditing!

Confidential and proprietary for authorized Forthright Security personnel only. The receiving party shall not use, disclose, distribute, or make copies unless authorized.

Page 51:

Industrial Control Systems

The problem: Not designed for Security, Not easily upgradable
The risk: Could be catastrophic, depends on what the ICS/SCADA system controls
Likelihood: Medium, depends on connectivity
Impact: High, Kinetic effects possible

Solution:
• Don’t put on the network unless you have to. If you do, isolate each device on its own network (if possible) and use 3rd party protections (like Tempered Networks)
• Institute strong detection mechanisms, and re-apply MD5 validated firmware and configs regularly (assures integrity)
• Assure ‘Fail-Safe’ mechanisms exist. Practice the ‘What if…’
• http://energy.gov/oe/downloads/21-steps-improve-cyber-security-scada-networks
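Slide 50's "pay close attention to firmware versions" and slide 51's "re-apply MD5 validated firmware and configs regularly" come down to the same control: an integrity manifest captured from a known-good device and re-checked on a schedule. The following added example (not from the Gravicom deck) builds such a manifest and reports modified, missing and unexpected files plus a firmware version mismatch. It uses SHA-256 rather than the MD5 the slide names, because MD5 collisions are practical today; the directory layout, version strings and file contents are constructed for the demo, and a real manifest would be kept off the device and signed.

```python
# Added example, not from the Gravicom deck: capture a golden manifest of a
# device's firmware image and configuration files, then verify a device
# against it. Paths, version strings and file contents are constructed.
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative path with '/' separators, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root, firmware_version):
    """Golden state: the approved firmware version plus a digest of every file.
    Keep the result off the device (and sign it) so a compromised device
    cannot rewrite its own reference."""
    return {"firmware_version": firmware_version,
            "files": {rel: sha256_of(full) for rel, full in _walk(root)}}


def verify(root, manifest, reported_version):
    """Compare a device against the manifest; return sorted (problem, detail) pairs."""
    problems = []
    if reported_version != manifest["firmware_version"]:
        problems.append(("version-mismatch", reported_version))
    seen = set()
    for rel, full in _walk(root):
        seen.add(rel)
        expected = manifest["files"].get(rel)
        if expected is None:
            problems.append(("unexpected-file", rel))
        elif sha256_of(full) != expected:
            problems.append(("modified", rel))
    for rel in manifest["files"]:
        if rel not in seen:
            problems.append(("missing", rel))
    return sorted(problems)


def demo():
    """Constructed scenario: capture the manifest, then tamper with a config,
    drop in an extra script and roll the firmware back one version."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cfg"))
        with open(os.path.join(root, "firmware.bin"), "wb") as fh:
            fh.write(b"\x7fELF placeholder firmware image")
        with open(os.path.join(root, "cfg", "plc.conf"), "w") as fh:
            fh.write("setpoint=72\nfailsafe=on\n")
        manifest = build_manifest(root, "2.4.1")
        clean = verify(root, manifest, "2.4.1")
        with open(os.path.join(root, "cfg", "plc.conf"), "w") as fh:
            fh.write("setpoint=72\nfailsafe=off\n")
        with open(os.path.join(root, "cfg", "extra.sh"), "w") as fh:
            fh.write("echo dropped\n")
        tampered = verify(root, manifest, "2.4.0")
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean device:", clean)
    print("tampered device:", tampered)
```

The version check is the supply-chain half (a device that arrives or reboots with older firmware than you approved), and the file digests are the ICS half (a changed fail-safe setting or an extra script on a controller). Re-applying the golden firmware and configuration after a mismatch, as the slide says, restores integrity; the manifest is what tells you that you need to.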

Page 52:

Accidental Network Interconnectivity

The problem: Accidental backdoors let attackers in
The risk: Network bridges allow attackers access to your corporate network (This is how Target got hacked)
Likelihood: Happens often – Anything with cellular and Wi-Fi connections.
Impact: High – Covert Communications Channel

Solution:
• 802.1X Implementation
• Wireless should be a captive portal
• Data Loss Prevention (DLP)
• Network Intrusion Detection / Prevention (IDS/IPS)
• WIDS & Rogue device detection

Page 53:

Insider Threats

How bad is the threat? Watch This: https://youtu.be/S3YpvcYfwt8?t=8m11s

Most are accidental, but just as damaging as an intentional one.
• Accidentally falling victim to clicking a link or opening an email (Called Social Engineering)

Statistics
• Accidental: 68% of network intrusions start this way.
• Intentional: 50% of employees keep confidential company information when they leave, and 40% plan on using confidential information in their new job. (2013 Wall St. Journal link)

HOW TO FIX:
• People: Employee training
• Technology: Email screening. Web Proxy.
• Operations: Enforce policies on corporate data. Mandatory policy that employees take at least one continuous week on vacation.

Page 54:

Case Study – TARGET: $148M loss

Method of exploit: HVAC system compromised, which was indirectly (and remotely) connected to the Point Of Sale (POS) network.
How To Fix: Network Segmentation; Internal IDS/IPS & Netflow
Scary Thing: Major stock hit, major lawsuits; CEO fired, Major PR nightmare; HUGE $148M loss; Loss of consumer confidence

Page 55:

Page 56:

Case Study – Office of Personnel Management:
- 22 Million people compromised
- 5+ Million fingerprints compromised
- Extremely sensitive data on everyone the subject knows

Method of Exploit:
- Availability prioritized over security
- Lack of IT asset inventory
- Lax security controls & weak authentication.

How To Fix:
- Current Hardware & Software
- Vulnerability management program
- IDS/IPS, Netflow, multi-factor auth.

Scary thing:
- Data is not for sale on black market
- Combine with Anthem? United? etc.

Hack went undetected for 343 days!

Page 57:

Case Study – Ashley Madison: 32 Million user accounts leaked

Method of Exploit: You could use the password “Pass1234” from the internet to VPN to root on all servers
How To Fix: Strong Passwords, expire regularly; Firewall, Restricted IP, Multi-factor; Hire external Penetration Tester
Scary Thing:
- Blackmail. People could coerce your employees to steal your company’s data.
- Your business is looked upon poorly if your company’s employees sign up at an adultery site.

Are your employees using their same passwords on your systems that they use on their personal accounts??? You might be vulnerable already…..

Page 58:

Case Study – Anthem: 80 million people compromised

Method of Exploit: Watering-Hole Attack. Attackers used credentials of a valid user to query the database & steal data
How To Fix: Behavioral Analysis; Honeypot files / systems; Multi-Factor Authentication
Scary Thing: Data never showed up on the black market. Has indicators of Chinese “Deep Panda” APT

Hack went undetected for 270 days!

Page 59:

Page 60:

Case Study – Hollywood Presbyterian: CryptoLocker – Encrypted data; Paid $17K in ransom (not $3.4M)

Method of Exploit: Unknown. Ransom was paid before authorities were called.
How To Fix: BACKUPS! Test Backups! Employee training – Social Eng.
Scary Thing: 158 institutions have been hacked since 2010. In July 2015, hackers may have accessed as many as 4.5 million patient records in UCLA Health System's computer network.

Under federal law, hospitals are required to report potential medical data breaches involving more than 500 people.

Page 61:

Conclusions

• The average breach costs $188 per record. An average breach contains hundreds of thousands of records. Are your clients prepared to spend millions? Do they have insurance? Do they have a robust industrial security program so they can practice due diligence and due care to prevent lawsuits?

• Accidental network connectivity often happens without a company knowing about it, which can lead to compromise of secure systems. SCAN REGULARLY to prevent it!

• Industrial control systems can't be easily patched, and often can't be modified. Don't connect them to the network, and if you do, use something like Tempered Networks so the system communicates securely.

• Supply chain vulnerabilities are hard. Paying attention to firmware versions and running checksums on firmware is a low-cost defense.
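Two of the conclusions above, scanning regularly for connectivity nobody approved and checksumming firmware, are the same kind of check: compare what you observe against a baseline you trust. The following is an added example and not from the slides; the scan output format, the approved inventory and the firmware manifest are all constructed for illustration (a real scanner's output would be parsed the same way).

```python
"""Baseline comparison for unexpected network exposure and firmware integrity.
Added example: inventory, scan output and manifest below are constructed."""
import hashlib

# Constructed approved inventory: host -> ports expected to be open.
APPROVED = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {443},
    "10.0.2.5": {502},    # PLC: Modbus only, and only from the OT segment
}

# Constructed scan result: "host port/state ..." per line, a simplified form
# of what a port scanner reports.
SCAN_OUTPUT = """\
10.0.1.10 22/open 443/open
10.0.1.11 443/open 3389/open
10.0.2.5 502/open 80/open
10.0.1.99 8080/open
"""


def parse_scan(text):
    """Return host -> set of open ports from the constructed scan format."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        host, ports = parts[0], parts[1:]
        hosts[host] = {int(p.split("/")[0]) for p in ports if p.endswith("/open")}
    return hosts


def scan_deviations(scan, approved):
    """Unknown hosts, unexpected open ports, and approved hosts that vanished."""
    findings = []
    for host, open_ports in scan.items():
        if host not in approved:
            findings.append(f"unknown host on network: {host} ports {sorted(open_ports)}")
            continue
        extra = open_ports - approved[host]
        if extra:
            findings.append(f"unexpected open ports on {host}: {sorted(extra)}")
    for host in approved:
        if host not in scan:
            findings.append(f"approved host not seen: {host}")
    return findings


# Constructed vendor manifest: (model, firmware version) -> SHA-256 of the image.
# A real manifest would come from the vendor's signed release notes.
FIRMWARE_MANIFEST = {
    ("switch-x", "2.1.4"): hashlib.sha256(b"constructed good image 2.1.4").hexdigest(),
}


def verify_firmware(model, version, image_bytes, manifest=FIRMWARE_MANIFEST):
    """Return 'ok', 'unknown-version' or 'checksum-mismatch' for an image
    pulled off a device; anything but 'ok' needs a human to look at it."""
    expected = manifest.get((model, version))
    if expected is None:
        return "unknown-version"
    actual = hashlib.sha256(image_bytes).hexdigest()
    return "ok" if actual == expected else "checksum-mismatch"


if __name__ == "__main__":
    for finding in scan_deviations(parse_scan(SCAN_OUTPUT), APPROVED):
        print(finding)
    print(verify_firmware("switch-x", "2.1.4", b"constructed good image 2.1.4"))
```

In the constructed scan the PLC answering on port 80 and the unlisted host on 8080 are exactly the "accidental connectivity" the slide warns about; run the comparison on a schedule and treat every deviation as a ticket, not a log line.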


Page 64:

SSL Decryption

• While encryption is a great way to protect data, it is also a great way to hide threats.

• Most network security controls cannot decrypt and inspect HTTPS (SSL) traffic.

• As more applications turn to SSL encryption to help keep users secure — Facebook, Twitter, YouTube, Google Search and DropBox to name a few — they are inadvertently hampering the ability of enterprises to ensure malicious code isn't making its way into network traffic.

• Cyber attackers are exploiting this vulnerability, so when choosing the right encryption solutions for your organization, it is necessary to also consider SSL decryption technology to ensure visibility into important data at points of ingress and egress.

• Blue Coat and Zscaler are the Gartner Magic Quadrant 2016 picks.

Page 65:

Trends

Most SMBs will be in the cloud soon.

Cloud services are lowering:

● Costs
● Complexities
● I.T. Staff

Page 66:

Around the World

● Daily Cyber Attacks Against US Gov
● Dams, Water Treatment, Power Grids
● ISIS Paying Big Money to Hackers

Confidential and proprietary for authorized Forthright Security personnel only. The receiving party shall not use, disclose, distribute, or make copies unless authorized.

Page 67:

In The News

● Hollywood Hospital - $17,000 in Ransom
● Apple – 600,000 Incidents of Ransomware so far
● iPhone Encryption – FBI hacked it

Page 68:

In The News

"The New York State Attorney General's office said that the number of breach notifications issued by his office had risen 40% during 2016 compared with the same period a year earlier."

- WSJ 05/05/16

Page 69:

Trends

SMBs Are More And More Digital

Small and medium businesses have to compete more and more with big business. Most have:

● Web Sites
● eCommerce Orders
● PayPal
● Square
● Multiple Email Accounts
● Social Media Accounts
● Etc...

Page 70:

Trends

Big Data = Your Data

Facebook leverages big data in its marketing.

Most businesses use Facebook in their marketing.

If it's free to use – You and your information are the product.

Page 71:

Trends

Bring Your Own Device (BYOD) is happening.

So what is happening to Security?

Where is Business going to be exposed?

Page 72:

What Are The Threats?

BYOD (Bring Your Own Device):

● 20 Years Ago Software was Expensive
● Now iPhone Apps are Free or 99 cents
● Just Search for what you need and install it

What Could Go Wrong?

Page 73:

What Are The Threats?

Social Media:

● People used to keep things private
● Now everyone's life is public
● So our exposure to risk is at new levels
● Now it's Easy for Hackers to find personal info to use in a Social Engineering or Phishing Attack

Page 74:

What Are The Threats?

Cheap Wireless Routers:

● Installed Randomly for Convenience
● Can be an easy gateway into your company data from hundreds of feet away
● Most are never monitored for illegal access, and are super easy to hack. (Team Cymru)

Page 75:

Who Are The Targets?

"...SMBs make much more attractive targets for cyber-thieves"

"...a data breach involving an SMB can be far more devastating for the company than a similar type breach at a larger company." csattorneys.com Nov 5, 2014

Page 76:

Ransomware

"More small businesses are falling victim to 'ransomware'..."

"...Bitcoin is a preferred method of payment, partly because the use of bitcoin makes payments difficult to track."

WSJ – April 15, 2015

Page 77:

Ransomware

"...About 30% of ransomware victims pay to regain their data, estimates Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., an Irving, Texas, cybersecurity firm."

WSJ – April 15, 2015

Page 78:

What Is Happening – Right Now?

● Do you know – right now – what is happening to that data?
● How will you respond to a breach?
● C-Level Execs are liable, Not I.T. (CEOs are often forced out - Ask Target's CEO!)

Page 79:

What Can Be Done?

Consider This Analogy About Home Security:

What secures a home?

Locks – Alarms – Dogs – What Else?

Page 80:

Cost and Liability

The Ponemon Institute and Symantec estimate that it costs businesses $188 per record lost.

Just 1000 records = $188,000 in one breach!

How many clients are in your database?

Businesses also suffer potentially priceless damage to their reputation and trust.

Page 81:

How Do You Answer...

Remember – Cybercrime is a Trillion Dollar Industry

• Do you have Policies in place for proper handling of company data?

• Do you have a system to provide Security Intelligence?

• Do you have an Employee Cyber Security Training Program?

Page 82:

Key Points

● Biggest Threat = Ransomware - Easy Money For Hackers
● Malware is SMART – Typical Anti-Virus is almost useless
● Most Big Co's have been hacked. SMBs are even Easier
● Targeted Social Engineering attacks are growing fast
● Employee Security Awareness Training is a Must!