Electronic security - Wood County, Ohio · 2016. 7. 5. · • FireEye – web inspection tool...

ELECTRONIC SECURITY PRESENTED BY BENJAMIN HENDRICKS, I.T. DIRECTOR SEPTEMBER 2014 1


  • ELECTRONIC SECURITY

    PRESENTED BY BENJAMIN HENDRICKS, I.T. DIRECTOR

    SEPTEMBER 2014

  • WHAT IS ELECTRONIC SECURITY?

    • Firewalls
    • Content Filters
    • Intrusion Detection/Prevention
    • Anti-Virus/Anti-Malware
    • Virtual Private Network (VPN)
    • Passwords
    • HTTPS/SSL
    • Education

    Systems designed to deny unauthorized access to systems and data.

  • KINDS OF THREATS?

    • Virus/Malware – self-installing and propagating software
    • Ransomware – software that will encrypt files or cripple a computer
    • Phishing – sites/services created to fool you into providing private information
    • Social Engineering – attempts to gain your trust so that you reveal private information
    • Zero-Day – threats too new to be detected by typical software/systems
    • Hackers – organized individuals working to break through security
    • Account Hijacks – using accounts in good standing to gain access to information

  • WHAT DOES WOOD COUNTY USE?

    • Firewalls – act like gate security, allowing and denying specific communications
    • FireEye – web inspection tool created to detect zero-day threats
    • iPrism – web content filter based on site categories (e.g. weapons, shopping, etc.)
    • Barracuda – email spam and virus filtering
    • Access Control Lists – control communications between offices
    • Employees

  • RECENT ISSUES

    • Target – up to 70 million payment cards exposed
    • Home Depot – 56 million payment cards at risk and still investigating
    • J.P. Morgan – largest U.S. bank, no customer accounts at risk and still investigating
    • HeartBleed bug – websites exposed a risk that allowed access to HTTPS/SSL communications

  • FOCUS ON J.P. MORGAN

    • Spends more than $250 million on cyber security
    • Hackers gained access to internal systems for a period of 2 months and stole gigabytes of data, but no customer financial information.

    WHY IS THIS IMPORTANT?

    • Access was obtained through an employee’s PC via a phishing attack.
    • From the employee PC, a secure connection was made to a server outside of the company.
    • The connection allowed access to data that was available to the employee.
    • Proves that no amount of money can defend against the best efforts and that security is only as good as the weakest link.

  • PHISHING

    • Emails are the most popular phishing method
    • Legitimate looking emails will fool you into going to a website that could convince you to supply your credentials. Once you supply a single site’s credentials others could be compromised
      • Supply Gmail, gain access to email, associated Google accounts (Play, Books, Drive, Wallet)
      • Information harvesting on a single email account can lead to other accounts (email, PayPal, eBay, Amazon, etc…) – how many use the same password for multiple accounts?
    • Examples…

  • SOCIAL ENGINEERING

    • Phone calls are the popular method
    • Callers will try to get you to reveal personal information or remote access to your computer
    • Microsoft scam directed people to click a link on a “Microsoft” looking site
    • Malware was installed on the computer and held the computer for ransom
    • Not limited to PCs or private data, could be for products that are shipped and then invoiced without an authorization or purchase order

  • SOCIAL MEDIA

    • Fake accounts will fool you into liking, friending, or following someone that wants access to your profile.
    • Applications associated with a social media account will require more access to your PC/phone than necessary
    • How many “My account was hacked, ignore the last posts or messages from me!” posts/emails have you seen?

  • WHAT CAN YOU DO WHILE AT WORK?

    • Wood County doesn’t have millions to spend on cyber security
    • Affordable measures are being used (firewalls, FireEye, iPrism, ACLs)
    • Use the available email encryption service
      • For all “…@co.wood.oh.us” email addresses
      • Encrypt social security numbers, credit card numbers, or confidential information per law
      • Use any form of “confidential” or “encrypt” in the email subject
    • Install updates when they are available
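
An added example, not part of the original slides: a pre-send check that flags a message carrying a social security number or payment card number when the subject lacks the encryption keyword. It assumes the gateway matches the stems "confidential" and "encrypt" anywhere in the subject, case-insensitively; the sample messages and function names are constructed for illustration.

```python
import re

# Assumption: the mail gateway matches these stems anywhere in the subject,
# in any case ("Encrypted", "CONFIDENTIAL"); the slide only says "any form of".
TRIGGER = re.compile(r"confidential|encrypt", re.IGNORECASE)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_sensitive(body):
    """Return the kinds of regulated data found in a message body."""
    kinds = []
    if SSN.search(body):
        kinds.append("ssn")
    for match in CARD.finditer(body):
        # Only count digit runs that pass the card checksum.
        if luhn_ok(re.sub(r"\D", "", match.group())):
            kinds.append("card")
            break
    return kinds


def review_outgoing(subject, body):
    """Return (ok_to_send, kinds); not ok when data is present but untagged."""
    kinds = find_sensitive(body)
    return (not kinds or bool(TRIGGER.search(subject))), kinds


# Constructed sample messages (the SSN and card number are test values).
SAMPLES = [
    ("Payroll correction", "Employee SSN is 123-45-6789."),
    ("Encrypted: payroll correction", "Employee SSN is 123-45-6789."),
    ("Invoice", "Card on file: 4111 1111 1111 1111"),
    ("Meeting", "Ticket 4111 1111 1111 1112 is closed."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", review_outgoing(subject, body))
```

The last sample has a 16-digit number that fails the Luhn checksum, so it is not treated as a card number.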

  • WHAT CAN YOU DO WHILE AT WORK?

    • The best and most affordable defense is YOU!
    • Change your passwords on a regular basis (1 year, 6 months, 3 months, etc…)
    • Investigate links to websites from emails before clicking on them.
    • Be suspicious of calls asking about information you’re not used to hearing and ask questions.
    • Refrain from visiting sites that are not work related.
    • When searching online, avoid clicking on advertisements
    • Know the technology staff that may work on your system
    • Ask questions before allowing someone to remote to your computer if the request is unexpected
    • Contact IT immediately upon possible breach

  • WHAT CAN YOU DO OUTSIDE THE OFFICE?

    • Pay attention to the permissions that applications are requesting
      • E.g. – a note-taking app shouldn’t need access to your contacts or network
    • Change your passwords on a regular basis
    • Keep your anti-malware software up to date
    • Keep Windows/iOS/ChromeOS/Android up to date
    • Replace/Upgrade Windows XP if the computer is used on the internet
    • Ask yourself “is this legit?” about links before clicking on them and investigate if you have any suspicion

  • WHAT CAN YOU DO OUTSIDE THE OFFICE?

    • Verify that sites asking for your credentials have valid SSL certificates
      • Expired certificates may be OK
      • Certificates issued to names that are not associated with the site should be avoided
    • Be cautious when using “free Wi-Fi” networks
    • Use or check the privacy controls available in applications
    • Enable auto-lock and passwords on mobile devices
    • Educate yourself on trends
      • www.stopthinkconnect.org – Department of Homeland Security sponsored campaign
      • https://www.us-cert.gov/ncas – US-CERT National Cyber Awareness System

  • QUESTIONS?
