Cybersecurity Threats, Trends, and Tips for SMBs

Transcription

1 Cybersecurity Threats, Trends, and Tips for SMBs Date or subtitle May 25,

2 Cybersecurity Threats, Trends, and Tips for SMBs 2

3 Cybersecurity Threats, Trends, and Tips for SMBs Mark Scholl Partner, Wipfli LLP Jason Adamany Founder & President, Adesys

4 Cyber Risk Trends and Threats 4

5 Cyber Risk Trends Big business - More highly skilled hackers (cyber gangs/organized crime) who are financially motivated The bad guys are getting better Toolkits Crimeware as a service They only have to get it right once! We don t see ourselves as targets 5

6 Cyber Risk Trends Dridex Banking Trojan Number of Known Spam Runs Per Day April 2016 Symantec Internet Security Threat Report 6

7 Cyber Trends - Breach Timeline Verizon 2016 Data Breach Investigations Report 7

8 Cyber Risk Trends New platforms create new cyber attack opportunities The Internet of Things (IoT) Cars Smart home devices (e.g., security systems) Medical devices (e.g., scanners, insulin pumps, implantable defibrillators) Embedded devices (e.g., webcams, Internet phones, routers) 8

9 Cyber Risk Trends Cyber thieves are expanding from account takeover and identity theft scams to extortion 63% of confirmed data breaches involved leveraging weak, default, or stolen passwords* Phishing and spam has continued to trend upward, most opportunistic attacks * Verizon 2016 Data Breach Investigations Report 9

10 Cyber Risk Trends How do we get Crimeware? Verizon 2016 Data Breach Investigations Report 10

11 Cyber Threats - Scams 11

12 Scams Phishing/Spam usage continues to grow - more than half of inbound business traffic was spam in % of phishing attacks are from organized crime syndicates 30% of phishing messages were opened in 2015, up from 23% in % of targets went on to open the malicious attachment or click the link April 2016 Symantec Internet Security Threat Report 12

13 Scams Phishing Targets In the last 5 years, there has been a steady increase in attacks targeting businesses with less than 250 employees 13

14 Scams Spear Phishing (Example) 14

15 Cyber Risk Trends Business Compromise (BEC) Scams Attacker targets a senior manager (e.g., CEO, CFO) Attacker gains access to victim s account or uses a look-alike domain to send a message tricking an employee to perform a wire transfer Wire transfers are typically $100,000 or higher The FBI urges businesses to adopt two-step or twofactor authentication for 15

16 Cyber Risk Threats - Social Media Scams April 2016 Symantec Internet Security Threat Report 16

17 Social Media Scams Manual Sharing Example These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers, or messages that they share with their friends 17

18 Cyber Risks Malware Types Top Five Malware Varieties Within Crimeware Verizon 2016 Data Breach Investigations Report 18

19 C2 - Reverse Tunnel Defeats Perimeter Protection Command and control attacks - malicious code initiates outbound connection to attacker allowing the attacker to execute code remotely 19

20 Cyber Threat Trends Vulnerabilities Zero-Day Vulnerabilities Firmware OS Vulnerabilities Heartbleed, ShellShock, Poodle Backdoor credentials/hard-coded logins (Fortinet, Juniper) Bypass traditional authentication methods Client-Side Attacks Target vulnerabilities in client applications that interact with a malicious server or process malicious data Web browser plug-ins o Adobe, Java, Silverlight o Microsoft Active X, Apple Macro Malware 20

21 Cyber Threat Trends Vulnerabilities For 2015, Adobe Flash Player accounted for 4 of the top 5 most frequented zero-day vulnerabilities 21

22 Cyber Risk Trends Watering Hole Attacks The attacker guesses or observes which websites a group often uses and infects one or more of them with malware ethnic groups, governments, industries, organizations, etc. Malicious code is inserted on the legitimate website Website visitor is tricked into clicking on the link 22

23 Cyber Threat Trends - Macro Malware Beware of s with Excel or Word attachments Invoice Purchase Order 23

24 Cyber Risk Trends Ransomware Example Employee opens Personal files (and data on shared drives) encrypted Ransom demand to provide key to decrypt Ransom demand increases after 72 hours pass 24

25 Cyber Threats - Employee Misuse Improper disposal of digital and paper documents containing sensitive information Lost/stolen laptops, mobile devices, or USB storage devices 34% of physical theft is from the employees vehicle* For non-encrypted devices, the determination of a breach can be difficult, given that you no longer have custody Sending sensitive information to the wrong person *Verizon 2016 Data Breach Investigations Report 25

26 Other Cyber Threats Mobile Malware POS compromise ATM/Payment card skimming Web defacement Denial of service attacks Physical theft Cyber-espionage 26

27 TeslaCrypt Ransomware 27

28 Tips for Establishing a Cybersecurity Program 28

29 Defense in Depth Concept Internet Network Hosts Applications Data 29

30 Account Takeover/Identify Theft Safeguards Use strong authentication Multi-factor or out of band authentication (We are seeing better biometric technologies) Avoid sharing system login accounts and passwords Avoid re-use of passwords Encrypt your sensitive data Mobile devices and USB media Laptops (e.g., whole disk encryption) Sending sensitive information 30

31 Account Takeover/Identity Theft Safeguards Vulnerability management program - patch promptly Operating systems (Microsoft, Linux) Applications and web plug-ins Firmware and embedded devices Endpoint Protection (i.e., virus protection) Firewall Remote access Employ a data backup and recovery plan for all critical information 31

32 Account Takeover/Identity Theft Safeguards Block access to unauthorized cloud storage (OneDrive, Google Drive, Dropbox) Restrict users ability (permissions) to install and run unwanted software applications Log and monitor security events Make people your first line of defense train your staff Don t forget physical security Alert someone!!! 32

33 Scams/Ransomware Safeguards Strong data backup strategy Spam filtering/blocking Don t forget to block/forbid access to personal on your network If server is hosted internally, block internal coming from outside your network Web content filtering/blocking Malware protection/vulnerability management program (make sure it is up to date!) Restrict user access privileges 33

34 Scams/Ransomware Safeguards User education Avoid enabling macros from attachments Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g.,.com vs..net) Do not follow unsolicited Web links in s Be suspicious Social Engineering Testing 34

35 Threat Intelligence and Collaboration What are the trending cyber risks? How are you responding to current cyber threats? 35

36 Threat Intelligence and Collaboration External Resources Regulatory bulletins and alerts (SANS, Microsoft, US- CERT) Data breach intelligence reports (Verizon, Symantec) FBI ( NIST ( Industry peer groups, conferences, webinars 36

37 Cyber Incident Management and Resilience Enhanced incident response plans tabletop testing Have arrangements with vendors who can work with your institution to implement incident response a proactive approach, not when an incident has occurred Work with regional crime taskforces Ensure plan includes how you will notify customers Ensure there is periodic tabletop testing of your incident response program Employees should know how and when to escalate an event ongoing employee awareness program 37

38 Quick Takeaways There is no silver bullet for protecting your information system assets Layered approach Trust No One!!! 100% protection is not possible Playing offense is almost always easier than playing defense Cyber incidents will happen (not if, but when ) 38

39 Questions 39

40 Contact Information Mark Scholl Partner Wipfli LLP Certified Ethical Hacker (CEH) Certified Information Systems Auditor (CISA) Certified Information Systems Security Professional (CISSP) Microsoft Certified Systems Engineer (MCSE) 40