You are the weakest link! Presented by Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit & Security O Connor & Drew P.C. mhammond@ocd.

Transcription

1 You are the weakest link! Presented by Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit & Security O Connor & Drew P.C. mhammond@ocd.com

2 Agenda Why do we keep getting hacked? How are they doing it? What is Phishing? What can we do about it?

3 Why do we keep getting hacked? Three reasons: Corporate / Higher Education Target of opportunity (Hack)-Activism

4 Why do we keep getting hacked? Three reasons: Corporate / Higher Education Companies or Nation States want the info we have Intellectual property / Research Recently, physical harm

5 Why do we keep getting hacked? Three reasons: Target of opportunity Casting a wide net Lets see who we pick up The thief who tries every door, just to find the open car

6 Why do we keep getting hacked? Three reasons: Activism Payback for a perceived wrong Anonymous Fight against ISIS

7 We are really, REALLY, bad at security Our teams find: 50% of assessments have the Crown Jewels by 9:30am 100% of assessments have the Crown Jewels by lunch time ON MONDAY

8 How are they doing it?

9 How are they doing it?

10 How are they doing it? Recon LinkedIn Twitter FaceBook theharvester

11 How are they doing it? Recon LinkedIn Twitter FaceBook theharvester

12 How are they doing it? 2005 PC World article on Phishing Defined 12 types of phishing Instant messaging Malware based Session hijacking Pharming MiTM Search Engine

13 How are they doing it? Not much has changed in the past 10 years Present day Spam Phishing Spear Phishing Watering hole attack

14 Phishing Home Attacks

15 Phishing Home Attacks

16 Phishing Home Attacks Links on your phone are especially dangerous. You often cannot hover over the link. How many errors can you spot?

17 Phishing Home Attacks Links on your phone are especially dangerous. You often cannot hover over the link.

18 Phishing Home Attacks Same , but from my computer Hovered over link Microsoft doesn t need Bitly

19 Phishing Shortened URLs? Use

20 Phishing Work Attacks

21 Spear-Phishing Targeting Attacks

22 Spear-Phishing & Watering hole Targeting Attacks

23 Opps, you clicked. Now what? Backdoor

24 Is it really this easy? Backdoor WinSpy

25 Is it really this easy? Backdoor WinSpy

26 Is it really this easy? Backdoor WinSpy

27 Is it really this easy? Backdoor WinSpy

28 Amazing Exfil

29 What can we do about it? Top 4 END USER EDUCATION Perimeter security Desktop security FTC?

30 What can we do about it? End user education Awareness is key This session, tell your friends Social Engineering Tests Call the helpdesk, can you obtain someone else's password reset? Fake campaign (with immediate re-education)

31 What can we do about it? End user education IT Department notices; will never request passwords or other personal information via . Should not include a link to the IT site for more info Reinforcing bad behavior

32 What can we do about it? End user education Social Engineering Tests First - educate employees (people are emotional, computers are not) Second test Immediate feedback on what they did wrong and how to prevent the behavior in the future

33 What can we do about it? End user education Be wary of s with links or grammatical errors Don t give in to pressure to provide info I m the President/VP/CFOs assistant I m from IT, I need to reset your password I m going to get fired if I don t get this document out tonight

34 What can we do about it? End user education Don t open LinkedIn invites via Be alert during: Benefits annual enrollment periods Shipping notices during the holidays IRS tax refund by April 15th

35 What can we do about it? End user education

36 What can we do about it? End user education

37 What can we do about it? Perimeter security Advanced firewall protection Unified Threat Management (UTM)

38 What can we do about it? Desktop security Keep operating systems and browsers patched Anti-Virus / Anti-Malware up to date and running Data Loss Prevention (DLP) tools

39 What can we do about it?

40 HOMEWORK - Google Alerts FREE!

41 Conclusion Hackers are doing a great job (we make it easy for them) Educate yourself PLEASE, don t click on links in Know who to call in IT when you suspect an issue

42 Our Staff

43 Michael Hammond IT Audit & Security Director Michael is the Director of IT Audit & Security at O Connor & Drew. With over 20 years in various strategic and administrative IT positions, including 15 years designing and implementing security architecture and security controls, Michael is widely considered a foremost expert in IT security. Michael has traveled extensively as a frequent speaker on trending security topics. In addition to speaking on audit and security, Michael has performed audits and assessments on five continents spanning more than 12 regulatory authorities. Certifications and designations: Certified Information Systems Auditor (CISA) Certified in Risk and Information Systems Control (CRISC) Certified Information Systems Security Professional (CISSP) Certified Ethical Hacker (C EH) Michael is a member of the financial services InfraGard association. A joint partnership between the FBI and private sector.

44 Nick DeLena Senior IT Audit Manager Nick is the lead Senior IT Audit Manager at O Connor & Drew. He works in concert with internal senior management to scope and budget engagements. He provides oversight and training to existing staff. Nick s prior engagements includes SOX compliance, SAS70, and FFIEC compliance. In addition to Nick s 5 years audit and advisory experience, he also has 12 years in various IT operations and analyst positions. Certifications and designations: Executive Masters in Business Administration (MBA) Certified Information Systems Auditor (CISA) Certified in Risk and Information Systems Control (CRISC) CompTIA Security+ ITIL v3 Foundations Certification (ITILv3F) Nick is a member of the science and technology InfraGard association. A joint partnership between the FBI and private sector.

45 George Calapai IT Auditor George is a staff auditor with O Connor & Drew. Prior to joining the firm, George was a senior IT management consultant and technical services lead for a number of medical startups. Currently, George performs IT audit control testing for O Connor & Drew clients. Recent controls testing work includes: IT Risk and control assessments Database account administration audits Routing, firewall, wireless and IDS/IPS VMware

46 O Connor & Drew P.C. LinkedIn: