Hillen Presentation 2017 MTASC AM… · 10/10/2017
10/10/2017
1
IOT, VENDORS,
MTASC | September 28, 2017
Managed IT & Cybersecurity. Done Better.
AGENDA
- Threat Landscape
- Internet of Things
- Threat Intelligence
- Third Party Vendors
- New Trends in Ransomware
- Mobile Device Security

WHO WE ARE
- Shortlisted Top 20 IT Providers, 2017
- Top 25 Compliance IT Providers, 2017
- Managed Security 100 of MSP 500, 2017
- Top 25 CyberSecurity Companies, 2017
- Most Outstanding Cloud Hosting Service, 2017
  o 2016, 2015, 2014
- 20 Most Promising IT Service Companies, 2017
- Top 20 Leading IT Service Companies, 2017
- SOC 1 TYPE 2: 7 CONTROLS
- SOC 2 TYPE 1: 9 CONTROLS

OUR FOOTPRINT
- EMPLOYEES: 187+
- CLIENTS: 300+
- LOCATIONS: 7
  o Norman, OK: NOC
  o Raleigh, NC: Security Ops
  o Allentown, PA: Data Center, Corporate HQ
  o New York, NY
  o Stamford, CT: Client Services
  o London, UK: Client Services
  o Bangalore, India: Systems
WHY WE’RE HERE

THREAT LANDSCAPE
WHY THE BAD ACTORS ARE WINNING: 2017 Focus
- 51% of breaches involved organized crime
- 61% of victims are from orgs < 1000 users
- 43% of all breaches utilized social attacks
- 93% of social engineering used phishing
- 7% of targets fell for phishing
- 25% were duped more than once
- 81% of hacking-related breaches leveraged stolen and/or weak passwords
- 66% of malware was installed via malicious email attachments
2017 Verizon Data Breach Investigations Report
#1 KILLER: PHISHING
Recent Breaches
- Spear Phishing: 80 million+ people affected, $100,000,000+ cost
- Phishing Scam: 22 million+ people affected, $350,000,000 cost
- Whaling Scam: 2 & 200 people affected, $25,000+ cost
INTERNET OF THINGS (IOT)

“The Internet of Things (IoT) and Machine to Machine (M2M) technology will increase productivity in ways not seen since the Industrial and Digital Revolutions, but at what cost?”
— (Trustwave, n.d.)
INTERNET OF THINGS
The Internet of Things (IoT) is the network of physical devices, vehicles, wearables and other items embedded with electronics, software, sensors, and actuators with network connectivity, enabled to collect and exchange data and be controlled remotely across existing infrastructure.
- 2015: ~4.9 billion connected devices
- 2020: ~20.8 billion
- More than half of major “new” business processes and systems will include an IoT component by 2020 (Gartner)
INTERNET OF THINGS: TOP VULNERABILITIES
- Insecure Web Interface
- Insufficient Authentication/Authorization
- Insecure Network Services
- Privacy Concerns
- Physical Security
INTERNET OF THINGS
Insecure Web Interface
- Secure the web interface to prevent XSS, SQLi or CSRF
- Ensure credentials are not exposed in internal or external network traffic
- Configure/confirm account lockout after 3-5 failed login attempts
INTERNET OF THINGS
Insufficient Authentication/Authorization
- Change default passwords and default usernames during initial setup
- Require strong passwords
- Implement two-factor authentication where possible
INTERNET OF THINGS
Insecure Network Services
- Confirm only necessary ports are exposed and available (vuln scan/penetration test)
INTERNET OF THINGS
Data Privacy Concerns
- Confirm only data critical to the functionality of the device is collected and transmitted
- Roomba
  o Mapping your house
  o Looking to monetize $$$?
  o Pets, children
INTERNET OF THINGS
Physical Security
- Ensure the data storage medium cannot be easily removed
- Restrict access to USB ports
  o Firmware extraction (usernames/passwords)
  o User CLI
  o Admin CLI
  o Privilege escalation
  o Reset to insecure state
INTERNET OF THINGS
What Do I Do?
- Network segmentation
- Monitoring of the environment
  o Current devices
  o Knowing when a new one is connected
- Configuration management
- Firmware updates
- Awareness of automated processes
  o AV software on a cardiac tool during a procedure
THREAT INTELLIGENCE
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” (Gartner)
THREAT INTELLIGENCE
Using multiple sources to improve your security posture, detect events sooner, and potentially prevent “incidents”.
- Internal
- External
THREAT INTELLIGENCE
Internal Sources
- SIEM
- IPS/IDS
- NetFlow
- Endpoint
  o Cylance
  o Carbon Black
  o CrowdStrike Falcon®
- Honeypots
  o Canary
THREAT INTELLIGENCE
External Sources
- Data feeds/crowdsourced platforms
  o FireEye
  o MalwareDomains.com
- Service
  o Cisco Umbrella (OpenDNS)
- Multi-State Information Sharing and Analysis Center (MS-ISAC)
- Have I been pwned?
  o https://haveibeenpwned.com
  o Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security
- For your org
  o Blueliv
  o IntSights
- For third parties
  o BitSight
  o SecurityScorecard
THIRD PARTY VENDORS

THIRD PARTY VENDORS
What happens once there is an event?
- Typically based on agreement/contract
Due Diligence Questionnaire (DDQ)
Review of other artifacts
- Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
Technical evaluations
- Frequency
- Independent third party
- Describe the pentest methodology (vuln scan, external only, internal)
- Social engineering
THIRD PARTY VENDORS
- Training
  o Formal
  o Documented
  o Tailored by job function
- Incident Response
  o Policies and procedures
  o Data mapping
  o Describe last event
“Describe how your organization is addressing the following”:
- Governance and Risk Assessment
- Access Rights and Controls
  o Access review
  o Rights review
- Data Loss Prevention
  o Movement of data
- Vendor Management
  o How do they select their vendors
  o Oversight
THIRD PARTY VENDORS
Check on them:
- BitSight
- SecurityScorecard
NEW TRENDS IN RANSOMWARE

NEW TRENDS IN RANSOMWARE
Ransomware Reaches Peak With WannaCry and Petya
- WannaCry infected >300,000 computers in 150 countries
  o Exploited a vulnerability in Windows’ Server Message Block (SMB) protocol
  o Worm looks for open port 445; spreads without user interaction
Enterprises Still Trip Over Old Vulnerabilities
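The port-445 spreading behaviour described above is also what makes a WannaCry-style worm visible in the NetFlow data the Threat Intelligence section lists as an internal source. The following is an added example, not from the presentation: it flags a host that opens SMB connections to many new internal peers in a short window, or sends SMB to an address outside the organization's ranges. The internal ranges, thresholds and flow records are constructed assumptions.

```python
"""Flag hosts that fan out over TCP/445 the way an SMB worm does.
Added example, not from the presentation. Input is a list of flow summaries
(ts_seconds, src_ip, dst_ip, dst_port, proto); thresholds are assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANOUT_THRESHOLD = 10   # distinct new internal peers on 445 ...
WINDOW_SECONDS = 60     # ... within this many seconds looks like a sweep, not a user

def detect_smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: [reasons]} for sources showing worm-like SMB behaviour."""
    first_seen = defaultdict(dict)   # src -> {dst: first time src hit dst:445}
    external = defaultdict(set)      # src -> non-internal hosts contacted on 445
    for ts, src, dst, port, proto in flows:
        if proto != "tcp" or port != 445:
            continue
        if any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
            first_seen[src].setdefault(dst, ts)
        else:
            external[src].add(dst)
    findings = defaultdict(list)
    for src, peers in first_seen.items():
        times = sorted(peers.values())
        best, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over first-contact times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            findings[src].append(f"{best} new SMB peers within {window}s")
    for src, dsts in external.items():          # SMB should never leave the network
        findings[src].append("SMB to external host(s): " + ", ".join(sorted(dsts)))
    return dict(findings)

# Constructed flows: five workstations using one file server, plus 10.0.5.23
# sweeping twelve neighbours on 445 and then reaching an internet address.
SAMPLE_FLOWS = (
    [(t, f"10.0.5.{40 + t}", "10.0.5.10", 445, "tcp") for t in range(5)]
    + [(10 + t, "10.0.5.23", f"10.0.5.{50 + t}", 445, "tcp") for t in range(12)]
    + [(30, "10.0.5.23", "203.0.113.8", 445, "tcp"), (31, "10.0.5.23", "10.0.5.1", 53, "udp")]
)

if __name__ == "__main__":
    for host, reasons in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Only the sweeping host is reported; the workstations each talk to a single file server and stay below the threshold.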
NEW TRENDS IN RANSOMWARE
- More evasion techniques: “no executable”
- A decline of ransomware will only come as a result of law enforcement action/cooperation
- Targets move from individuals to higher-value data, deeper pockets
RANSOMWARE PREVENTION
- Backups, backups, backups — and test those backups regularly.
- Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated.
- Uninstall any browser plug-ins that are not required for business purposes, and prevent re-installation.
- Disable Microsoft Office macros by default, and selectively enable them for those who need macros.
- Scan incoming emails for suspicious attachments, including examining all compressed attachments.
- Do not give all users in the organization local administrative access to their workstations.
- Use the analog solution: people (UAT).
MOBILE DEVICE SECURITY

MOBILE DEVICE SECURITY
Mobile Device Management (MDM)
- Microsoft Intune
- VMware AirWatch
- Citrix XenMobile
- IBM MaaS360
Support for:
- iOS, Android, Windows Phone
- Remote Lock (should already have a PIN)
- Remote Wipe
- Enterprise Wipe (BYOD)
SMARTPHONES & OTHER MOBILE DEVICES
Best Practices

SMARTPHONES & OTHER MOBILE DEVICES
Additional Best Practices

WHAT TO DO

MOST OF US ARE GUILTY
AGIO

PHISHING INDICATORS
- “Verify your account.” Businesses should not ask you to send passwords, login names, SSNs or other personally identifiable information (PII) via e-mail.
- “If you don’t respond within 48 hours, your account will be closed.” These messages convey a sense of urgency so you’ll respond immediately without thinking.
- “Dear Valued Customer,” Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
- “Click the link below to gain access to your account.” HTML-formatted messages can contain links or forms you can fill out just as you would fill out a form on a website.
- Initiated communications: E-mail messages asking the user to perform an action that were not initiated by the user should be suspect.
- Grammar and spelling errors: Phishing is often conducted by individuals that are not native English speakers, and the messages will have grammar and spelling errors.
RECENT EXAMPLE
- Sender email domain @docusgn.com, not docusign.com
- Hovering over the button displayed a link not associated with docusign.com:
  http://knoxvilleupholstery.com/file.php?document=MzU1NWNhcnJpZS5ib3dlcnNAYWdpby5jb201MTc4
HOW TO SPOT A BAD URL IN YOUR BROWSER
http://www.myworksite.com/CFjkf24td67fhR8Yf/index.html
- Find the last dot before the first slash (ignoring the slashes in “http://”). Immediately to the left is “myworksite”, so this address goes to myworksite.com.
http://www.myworksite.com.fakesite.com/wrf3td9BG/index.html
- Although it says “myworksite”, it’s not near the first slash; therefore, it’s irrelevant.
- Find the last dot before the first slash. Immediately to the left is “fakesite”, so this address goes to fakesite.com.
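The two rules above (read the host up to the first slash, then look left of its last dot; and compare the sender domain against the brand you expect, as in the @docusgn.com example) are mechanical enough to script. This is an added example, not from the presentation: it applies the slide's rule to its two URLs and adds a small edit-distance check for look-alike sender domains; the trusted-domain list and e-mail addresses are constructed. It also handles a `user@host` prefix, which the slide does not cover.

```python
"""Read a URL the way the slide tells you to, and check a sender domain for
look-alikes such as docusgn.com vs docusign.com. Added example, not from the
presentation; the trusted-domain list and addresses below are constructed."""
from urllib.parse import urlsplit


def landing_domain(url):
    """The slide's rule: the host is everything before the first slash after
    'scheme://'; the label left of the host's last dot, plus the suffix, is
    where the link really goes. Two-part suffixes (co.uk) are out of scope."""
    host = urlsplit(url).hostname or ""   # also drops any 'user@' and ':port' in front of the real host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted_domains, max_distance=2):
    """'trusted' if the sender domain is a known brand domain, 'lookalike' if it
    is within max_distance edits of one, else 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return "trusted"
    if any(edit_distance(domain, t) <= max_distance for t in trusted_domains):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("http://www.myworksite.com/CFjkf24td67fhR8Yf/index.html",
              "http://www.myworksite.com.fakesite.com/wrf3td9BG/index.html",
              "http://www.myworksite.com@fakesite.com/index.html"):
        print(u, "->", landing_domain(u))
    for a in ("notice@docusgn.com", "dse@docusign.com", "news@example.org"):  # constructed
        print(a, "->", classify_sender(a, ["docusign.com"]))
```

The look-alike check flags the one-letter omission in docusgn.com; it is a heuristic and will not catch homoglyphs or punycode hosts, which a mail gateway's own checks should cover.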
PHYSICAL SECURITY: Focus Areas

PASSWORD MANAGEMENT: Elements of a Strong Password

PASSWORD MANAGEMENT
Creating a Strong Password

MALWARE
Types of Malware & How They Infect a Computer

MALWARE
Best Practices

BE CAUTIOUS ON SOCIAL MEDIA
FACEBOOK SECURITY RECOMMENDATIONS
Get Alerts & Use Two-Factor Authentication

FACEBOOK SECURITY RECOMMENDATIONS
Review Privacy Settings & Apps
*Additional: Review the Apps section and remove any apps and devices not in use.

LINKEDIN SECURITY RECOMMENDATIONS
Set Up Two-Step Verification

LINKEDIN SECURITY RECOMMENDATIONS
Review Privacy Settings

LINKEDIN SECURITY RECOMMENDATIONS
Get an Archive of Your Data

TWITTER SECURITY RECOMMENDATIONS
Set Up Two-Factor Authentication & Password Reset Setting

TWITTER SECURITY RECOMMENDATIONS
Review Privacy Settings
BRILLIANCE IN THE BASICS
- Limit use of administrative accounts
- Keep your PCs, Macs, iPhones, iPads, printers, and home routers updated
- Enable two-factor authentication/two-step verification
- Use a password manager to store different/complex passwords (LastPass, KeePass, or Password Safe)
- Install anti-virus on all computers (yes, even Mac OS X)

THINK BEFORE YOU CLICK
Know the Sender & Double Verify an Attachment

Ray Hillen | 919.601.5026 | [email protected]
Managed IT & Cybersecurity. Done Better.