Hillen Presentation 2017 MTASC


10/10/2017

1

•: IOT, VENDORS,

•MTASC | September 28, 2017

•Managed IT & Cybersecurity. Done Better.

•AGENDA

•Threat Landscape

•Internet of Things

•Threat Intelligence

•Third Party Vendors

•New trends in Ransomware

•Mobile Device Security


•WHO WE ARE


•Shortlisted Top 20 IT Providers, 2017

•Top 25 Compliance IT Providers, 2017

•Managed Security 100 of MSP500, 2017

•Top 25 CyberSecurity Companies, 2017

•Most Outstanding Cloud Hosting Service, 2017, 2016, 2015, 2014

•20 Most Promising IT Service Companies, 2017

•Top 20 Leading IT Service Companies, 2017

•OUR FOOTPRINT

•SOC 1 TYPE 2 (7 controls); SOC 2 TYPE 1 (9 controls)

•187+ employees, 300+ clients, 7 locations

•NORMAN, OK (NOC); RALEIGH, NC (Security Ops); Allentown, PA (Data Center, Corporate HQ); NEW YORK, NY; Stamford, CT (Client Services); London, UK (Client Services); Bangalore, India (Systems)

•WHY WE’RE HERE

•THREAT LANDSCAPE


•WHY THE BAD ACTORS ARE WINNING: 2017 Focus

•51% of breaches involved organized crime

•61% of victims are from orgs with fewer than 1,000 users

•43% of all breaches utilized social attacks

•93% of social engineering used phishing

•7% of targets fell for phishing, and 25% of those were duped more than once

•81% of hacking-related breaches leveraged stolen and/or weak passwords

•66% of malware was installed via malicious email attachments

Source: 2017 Verizon Data Breach Investigations Report

•#1 KILLER: PHISHING

Recent breaches (attack type: people affected / cost)

•Spear phishing: 80 million+ people affected / $100,000,000+

•Phishing scam: 22 million+ people affected / $350,000,000

•Whaling scam: 2 & 200 people affected / $25,000+

•INTERNET OF THINGS (IOT)


•"The Internet of Things (IoT) and Machine to Machine (M2M) technology will increase productivity in ways not seen since the Industrial and Digital Revolutions, but at what cost?"

•— (Trustwave, n.d.)

•INTERNET OF THINGS

The Internet of Things (IoT) is the network of physical devices, vehicles, wearables and other items embedded with electronics, software, sensors and actuators, with network connectivity that enables them to collect and exchange data and be controlled remotely across existing infrastructure.

2015 ~ 4.9 billion connected devices

2020 ~ 20.8 billion

More than half of major "new" business processes and systems will include an IoT component by 2020

•Gartner

•INTERNET OF THINGS: TOP VULNERABILITIES

Insecure Web Interface

Insufficient Authentication/Authorization

Insecure Network Services

Privacy Concerns

Physical Security


•INTERNET OF THINGS

•• Insecure Web Interface

•- Secure the web interface against XSS, SQLi and CSRF

•- Ensure credentials are not exposed in internal or external network traffic (e.g. cleartext HTTP logins, or credentials passed in URLs)

•- Configure/confirm account lockout after 3-5 failed login attempts
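The lockout bullet is easy to get wrong in device firmware: the counter never expires, it is only reset on success, or the lock is checked after the password so a locked account can still be probed. The following is an added example, not code from the presentation, of a small login guard that locks an account after five consecutive failures for fifteen minutes. The demo user, salt, `USERS` store and `LoginGuard` name are assumptions for illustration; the clock is injectable so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import time

# Constructed credential store for the demo: username -> (salt, PBKDF2-SHA256 hash).
# A real device keeps this in protected storage, never in source.
_DEMO_SALT = b"demo-salt-not-for-production"


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"admin": (_DEMO_SALT, _hash_pw("correct horse battery staple", _DEMO_SALT))}


class LoginGuard:
    """Count consecutive failed logins per account and lock the account for
    `lockout_seconds` once `max_failures` is reached.  `clock` is injectable so
    the expiry logic can be tested without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # username -> consecutive failures
        self._locked_until = {}  # username -> clock value when the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget both the lock and the failure count.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def attempt(self, username, password):
        """Return 'locked', 'ok' or 'bad'.  The lock is checked before the
        password so a locked account cannot be guessed against, and the hash
        comparison is constant-time."""
        if self.is_locked(username):
            return "locked"
        record = USERS.get(username)
        if record is not None:
            salt, expected = record
            ok = hmac.compare_digest(_hash_pw(password, salt), expected)
        else:
            # Unknown user: do the same amount of work so response timing
            # does not reveal which usernames exist.
            _hash_pw(password, _DEMO_SALT)
            ok = False
        if ok:
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return "locked"
        return "bad"
```

Note that the fifth failure itself returns `locked`, and that the correct password is refused while the lock is active; a lockout that only starts counting on the next attempt, or that lets a correct guess through, defeats the purpose.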

•INTERNET OF THINGS

•• Insufficient Authentication/Authorization

•- Change default passwords and default usernames during initial setup

•- Require strong passwords

•- Implement two-factor authentication where possible

•INTERNET OF THINGS

•• Insecure Network Services

•- Confirm only necessary ports are exposed and available (vulnerability scan/penetration test)
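The "only necessary ports" check is a TCP connect scan compared against what each device class is supposed to expose. The following is an added example, not from the presentation: a dependency-free scanner plus an allowlist diff. The `EXPECTED_PORTS` table and device classes are constructed for illustration, and `start_listener` only exists so the scanner has something to find when run on a single machine.

```python
import socket
from contextlib import closing

# Constructed allowlist: the only TCP ports each device class should expose.
EXPECTED_PORTS = {
    "ip-camera": {443},
    "printer": {443, 631},
}


def scan_host(host, ports, timeout=0.5):
    """Return the sorted subset of `ports` that complete a TCP handshake on
    `host`.  A connect scan: no raw sockets or root required, and it sees
    exactly what an attacker on the same segment would see."""
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def unexpected_ports(open_ports, device_class):
    """Open ports that are not on the allowlist for this device class; an
    unknown class has an empty allowlist, so everything open is flagged."""
    return sorted(set(open_ports) - EXPECTED_PORTS.get(device_class, set()))


def start_listener(host="127.0.0.1"):
    """Open a throwaway listening socket on an ephemeral port so the scanner
    has a target on the local machine.  Returns (socket, port); the caller
    closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        found = scan_host("127.0.0.1", [port, 22, 23, 80, 443, 8080])
        print("open:", found)
        print("unexpected for an ip-camera:", unexpected_ports(found, "ip-camera"))
    finally:
        srv.close()
```

Run it against each IoT subnet from a host on the corporate side as well; a port that is reachable across the segmentation boundary is the finding, whether or not the device itself needs it.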

•INTERNET OF THINGS

•• Data Privacy Concerns

•- Confirm only data critical to the functionality of the device is collected and transmitted

•- Roomba: mapping your house

•o Looking to monetize $$$?

•o Pets, children

•INTERNET OF THINGS

•• Physical Security

•- Ensure the data storage medium cannot be easily removed

•- Restrict access to USB ports

•o Firmware extraction (usernames/passwords)

•o User CLI

•o Admin CLI

•o Privilege escalation

•o Reset to insecure state

•INTERNET OF THINGS

•• What Do I Do?

•- Network segmentation

•- Monitoring of the environment

•o Current devices

•o Knowing when a new one is connected

•- Configuration management

•- Firmware updates

•- Awareness of automated processes

•o AV software running on a cardiac tool during a procedure
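Two of the bullets above (knowing when a new device connects, and keeping IoT devices on their own segment) can be checked from the same data: DHCP leases compared against an inventory. The following is an added example, not from the presentation. The inventory, the dnsmasq-style lease lines and the subnet assignments are constructed for illustration; on a real network the lease file or the switch's ARP/MAC tables replace `LEASES`.

```python
import ipaddress

# Constructed inventory of approved devices: MAC -> (label, subnet it belongs on).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-camera-1", "10.20.0.0/24"),   # IoT VLAN
    "aa:bb:cc:00:00:02": ("hvac-controller", "10.20.0.0/24"),  # IoT VLAN
    "de:ad:be:ef:00:10": ("ceo-laptop", "10.10.0.0/24"),       # corporate VLAN
}

# Constructed dnsmasq-style lease lines: "<expiry> <mac> <ip> <hostname> <client-id>".
LEASES = """\
1507650000 aa:bb:cc:00:00:01 10.20.0.11 lobby-camera-1 *
1507650100 aa:bb:cc:00:00:02 10.10.0.77 hvac-controller *
1507650200 de:ad:be:ef:00:10 10.10.0.42 ceo-laptop 01:de:ad:be:ef:00:10
1507650300 00:11:22:33:44:55 10.10.0.99 smart-tv *
"""


def parse_leases(text):
    """Yield (mac, ip, hostname) from lease lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield parts[1].lower(), parts[2], parts[3]


def audit(leases_text, inventory=INVENTORY):
    """Return (unknown, misplaced): devices whose MAC is not in the inventory,
    and inventoried devices seen on a subnet other than their assigned one."""
    unknown, misplaced = [], []
    for mac, ip, hostname in parse_leases(leases_text):
        entry = inventory.get(mac)
        if entry is None:
            unknown.append((mac, ip, hostname))
            continue
        label, subnet = entry
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet):
            misplaced.append((label, ip, subnet))
    return unknown, misplaced


if __name__ == "__main__":
    unknown, misplaced = audit(LEASES)
    for mac, ip, host in unknown:
        print(f"NEW DEVICE  {mac} {ip} ({host})")
    for label, ip, subnet in misplaced:
        print(f"WRONG VLAN  {label} at {ip}, expected {subnet}")
```

The second finding (a known IoT device that has turned up on the corporate subnet) is the one that usually goes unnoticed: the device is "known", so a simple new-MAC alert stays quiet while the segmentation has silently failed. MAC addresses can be spoofed, so treat this as an inventory control, not as authentication.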

•THREAT INTELLIGENCE

•"Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

•Gartner

•THREAT INTELLIGENCE

•• Using multiple sources to improve your security posture, detect events sooner, and potentially prevent "incidents".

•- Internal

•- External

•THREAT INTELLIGENCE

•• Internal Sources

•- SIEM

•- IPS/IDS

•- NetFlow

•- Endpoint

•o Cylance

•o Carbon Black

•o CrowdStrike Falcon®

•- Honeypots

•o Canary
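The internal sources above become intelligence when they are matched against external indicators: a domain or IP feed checked against DNS query logs and NetFlow. The following is an added example, not from the presentation, of that matching step. The feed, the dnsmasq-style query log and the flow records are constructed; the one detail worth copying is that domain indicators are matched on label boundaries, so `www.badcdn.example.net` hits `badcdn.example.net` but `notbadcdn.example.net` does not.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator feed in the common one-indicator-per-line form.
FEED = """\
# domain indicators
badcdn.example.net
evil-update.example.org
# ip indicators
203.0.113.45
"""

# Constructed dnsmasq-style query log and NetFlow-style (src, dst, dst_port) records.
DNS_LOG = """\
Oct 10 09:12:01 dnsmasq[811]: query[A] www.badcdn.example.net from 10.10.0.42
Oct 10 09:12:02 dnsmasq[811]: query[A] www.google.com from 10.10.0.42
Oct 10 09:12:05 dnsmasq[811]: query[A] notbadcdn.example.net from 10.10.0.51
Oct 10 09:12:07 dnsmasq[811]: query[AAAA] EVIL-UPDATE.example.org. from 10.10.0.51
"""
FLOWS = [
    ("10.10.0.42", "203.0.113.45", 443),
    ("10.10.0.51", "198.51.100.7", 443),
]


def load_feed(text):
    """Split a feed into domain indicators and IP indicators."""
    domains, ips = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, ips


def domain_hit(name, domains):
    """Return the listed indicator if `name` or any parent domain is listed,
    matching whole labels only (no substring matches)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match(feed_text, dns_log, flows):
    """Return {internal host: [indicators it touched]}."""
    domains, ips = load_feed(feed_text)
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        parts = line.split()
        if "query[" not in line or "from" not in parts:
            continue
        qname = parts[parts.index("from") - 1]
        client = parts[parts.index("from") + 1]
        indicator = domain_hit(qname, domains)
        if indicator:
            hits[client].append(indicator)
    for src, dst, _port in flows:
        if ipaddress.ip_address(dst) in ips:
            hits[src].append(dst)
    return dict(hits)


if __name__ == "__main__":
    for host, indicators in match(FEED, DNS_LOG, FLOWS).items():
        print(host, "->", ", ".join(indicators))
```

Feeds age quickly and carry false positives (parked domains, shared CDN addresses), so the output is a lead to investigate, not an automatic block; the same matching logic run in a DNS resolver such as Cisco Umbrella is the "service" option on the next slide.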

•THREAT INTELLIGENCE

•• External Sources

•- Data feeds/crowdsourced platforms

•o FireEye

•o MalwareDomains.com

•- Service

•o Cisco Umbrella (OpenDNS)

•- Multi-State Information Sharing and Analysis Center (MS-ISAC)

•- For your org

•o Blueliv

•o IntSights

•- For third parties

•o BitSight

•o SecurityScorecard

•- Have I been pwned?

•o https://haveibeenpwned.com

•o Run by Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security

•THIRD PARTY VENDORS


•THIRD PARTY VENDORS

•• What happens if there is an event?

•- Typically based on agreement/contract

•• Due Diligence Questionnaire (DDQ)

•• Review of other artifacts

•- Statement on Standards for Attestation Engagements No. 16 (SSAE 16)

•• Technical evaluations

•- Frequency

•- Independent third party

•- Describe the pentest methodology (vuln scan, external only, internal)

•- Social engineering

•THIRD PARTY VENDORS

•- Training

•o Formal

•o Documented

•o Tailored by job function

•- Incident Response

•o Policies and procedures

•o Data mapping

•o Describe last event

•• "Describe how your organization is addressing the following":

•- Governance and Risk Assessment

•- Access Rights and Controls

•o Access review

•o Rights review

•- Data Loss Prevention

•o Movement of data

•- Vendor Management

•o How do they select their vendors

•o Oversight

•THIRD PARTY VENDORS

•• Check on them:

•o BitSight

•o SecurityScorecard


•NEW TRENDS IN RANSOMWARE

•• Ransomware reaches a peak with WannaCry and Petya

•- WannaCry infected >300,000 computers in 150 countries

•o Exploited a vulnerability in the Windows Server Message Block (SMB) protocol (an SMBv1 flaw for which Microsoft had already shipped the MS17-010 patch in March 2017)

•o The worm looks for open port 445 and spreads without user interaction

•• Enterprises still trip over old vulnerabilities
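A worm that "looks for open port 445" has a signature the page's own NetFlow source can see: one host opening connections to many distinct addresses on 445 in a short window, which no normal workstation does. The following is an added example, not from the presentation, of that fan-out detection over flow records. The records are constructed (a workstation talking to two file servers, one host sweeping the /24, some web traffic); the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque


def constructed_flows():
    """Constructed NetFlow-style records: (epoch seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # Normal: a workstation using two file servers on 445 all morning.
    for i in range(40):
        dst = "10.10.0.5" if i % 2 else "10.10.0.6"
        flows.append((1494950000 + i * 30, "10.10.0.7", dst, 445))
    # Worm-like: one host sweeping the /24 on 445, one address per second.
    for i in range(1, 60):
        flows.append((1494950100 + i, "10.10.0.42", f"10.10.0.{i}", 445))
    # Noise that must be ignored.
    flows.append((1494950130, "10.10.0.42", "203.0.113.9", 443))
    return flows


def detect_smb_fanout(flows, threshold=20, window=60, port=445):
    """Flag sources that reach `threshold` distinct destinations on `port`
    within `window` seconds.  Returns {src: (window_start_ts, distinct_count)}
    with one alert per source, raised at the moment the threshold is crossed."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (start, n) in detect_smb_fanout(constructed_flows()).items():
        print(f"ALERT {src}: {n} distinct SMB destinations within 60s from t={start}")
```

Vulnerability scanners, domain controllers and backup servers legitimately fan out on 445, so keep an allowlist of those sources; the same logic with `port=3389` catches RDP brute-force sweeps, which is how much of the ransomware that followed WannaCry got in.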

•NEW TRENDS IN RANSOMWARE

•• More evasion techniques: "no executable" (fileless delivery through scripts and macros)

•• A decline of ransomware will only come as a result of law enforcement action/cooperation

•• Targets move from individuals to higher-value data and deeper pockets

•RANSOMWARE PREVENTION

•• Backups, backups, backups, and test those backups regularly (keep at least one copy offline or otherwise unreachable from the workstation, so the ransomware cannot encrypt it as well)

•• Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated

•• Uninstall any browser plug-ins that are not required for business purposes, and prevent reinstallation

•• Disable Microsoft Office macros by default, and selectively enable them for those who need macros

•• Scan incoming emails for suspicious attachments, including examining all compressed attachments

•• Do not give all users in the organization local administrative access to their workstations

•• Use the analog solution: people (user awareness training)

•MOBILE DEVICE SECURITY

•• Mobile Device Management (MDM)

•- Microsoft Intune

•- VMware AirWatch

•- Citrix XenMobile

•- IBM MaaS360

•• Support for:

•- iOS, Android, Windows Phone

•- Remote Lock (the device should already require a PIN)

•- Remote Wipe

•- Enterprise Wipe (BYOD: removes corporate data and profiles, leaves personal data in place)

•SMARTPHONES & OTHER MOBILE DEVICES: Best Practices

•SMARTPHONES & OTHER MOBILE DEVICES: Additional Best Practices

•WHAT TO DO

•MOST OF US ARE GUILTY

AGIO

•PHISHING INDICATORS

•"Verify your account." Businesses should not ask you to send passwords, login names, SSNs or other personally identifiable information (PII) via e-mail.

•"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so you'll respond immediately without thinking.

•"Dear Valued Customer," Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

•"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms you can fill out just as you would fill out a form on a website.

•Uninitiated communications. E-mail messages asking the user to perform an action that were not initiated by the user should be suspect.

•Grammar and spelling errors. Phishing is often conducted by individuals who are not native English speakers, and the messages will have grammar and spelling errors.


•RECENT EXAMPLE

•- Sender email domain was @docusgn.com, not docusign.com

•- Hovering over the button displayed a link not associated with docusign.com:

•http://knoxvilleupholstery.com/file.php?document=MzU1NWNhcnJpZS5ib3dlcnNAYWdpby5jb201MTc4

•- The document parameter is a base64 token that identifies the targeted recipient, so even "just checking" the link tells the attacker who clicked

•HOW TO SPOT A BAD URL IN YOUR BROWSER

•http://www.myworksite.com/CFjkf24td67fhR8Yf/index.html

•Find the last dot before the first slash that follows the host name (the "//" after http: does not count). Immediately to the left is "myworksite", so this address goes to myworksite.com.

•http://www.myworksite.com.fakesite.com/wrf3td9BG/index.html

•Although it says "myworksite", it's not near the first slash; therefore it's irrelevant. Find the last dot before the first slash. Immediately to the left is "fakesite", so this address goes to fakesite.com.

•Two caveats: country-code domains such as example.co.uk keep two labels after that dot, and anything before an "@" in the host part is ignored by the browser, so http://www.myworksite.com@fakesite.com/ also goes to fakesite.com.

•PHYSICAL SECURITY: Focus Areas


•PASSWORD MANAGEMENT: Elements of a Strong Password

•PASSWORD MANAGEMENT: Creating a Strong Password

•MALWARE: Types of Malware & How They Infect a Computer

•MALWARE: Best Practices

BE CAUTIOUS ON SOCIAL MEDIA

•FACEBOOK SECURITY RECOMMENDATIONS: Get Alerts & Use Two-Factor Authentication

•FACEBOOK SECURITY RECOMMENDATIONS: Review Privacy Settings & Apps

•*Additional: Review the Apps section and remove any apps and devices not in use.

•LINKEDIN SECURITY RECOMMENDATIONS: Set Up Two-Step Verification

•LINKEDIN SECURITY RECOMMENDATIONS: Review Privacy Settings

•LINKEDIN SECURITY RECOMMENDATIONS: Get an Archive of Your Data

•TWITTER SECURITY RECOMMENDATIONS: Set Up Two-Factor Authentication & Password Reset Setting

•TWITTER SECURITY RECOMMENDATIONS: Review Privacy Settings

•BRILLIANCE IN THE BASICS

•Limit use of administrative accounts

•Keep your PCs, Macs, iPhones, iPads, printers, and home routers updated

•Enable two-factor authentication/two-step verification

•Use a password manager to store different/complex passwords (LastPass, KeePass, or Password Safe)

•Install anti-virus on all computers (yes, even Mac OS X)

•THINK BEFORE YOU CLICK

•Know the Sender & Double Verify an Attachment

•Ray Hillen | 919.601.5026 | [email protected]

•Managed IT & Cybersecurity. Done Better.