Page 1: Cybersecurity From the Trenches: Best Practices
2015 FALL CONFERENCE & TRAINING SEMINAR
Rick Krepelka, Chief Operations Officer, Golden State Risk Management Authority
Chris George, CEO and Chief Architect, Protelligent, Inc.
Page 2: Overview
• Review actual cyber security incidents experienced by a CA public risk pool
• Understand what was done to mitigate/avoid incidents in the future
• Hear expert advice regarding resources and solutions available to provide security and risk mitigation
• Learn what you can do now
Page 3: Small Business Breaches
• Small businesses are making the leap to computerized systems and digital records, and have become attractive targets for hackers.
• VISA estimated nearly 90% of credit card data breaches reported in 2013 involved small business customers.1
• In the 2015 report from Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, small organizations reported 694 security incidents, 83% with confirmed data loss (large organizations reported 50,081 incidents, ~1% with confirmed data loss).
• Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2015/
www.protelligent.net
Page 4: Small Business Breaches
• While large businesses can dedicate resources to cybersecurity, small businesses face the same cybersecurity challenges and threats with limited resources, capacity, and personnel.
• 44% of SMBs reported being the victims of a cyber-related attack, with an average cost of approximately $9,000 per reported attack.1
• Nearly 59% of SMBs do not have a contingency plan that outlines procedures for responding to and reporting data breaches.2
1. 2014 Small Business Technology Survey, National Small Business Association
2. www.staysafeonline.org
Page 5: Risk: 3rd Party Partners
• Ever increasing dependency on integration and cooperation with 3rd-party partners
Page 6: The Systema Incident
• About Chris Vickery
• How he got the data
• Notification from Systema and Vickery
• The incident plays out
Page 7: Our Response
• Keep apprised of progress
• Notify cyber security insurer
• Reportable or not reportable?
• Systema's adjustments
Page 8: Recent Third Party Related
• Target's big breach
• APTs (Advanced Persistent Threats)
Page 9: Target's Big Breach and APT
• Target's attackers had carefully read the APT playbook and followed the modus operandi, also known as the "APT kill chain".
Page 10: Risk: Crypto Virus
• Not positive where it came from: possibly a downloaded software demo or website ad
• Detected when an internal user couldn't open a file
Page 11: Our response
• Physically disconnected office from the Internet
• Physically disconnected server from network
• Identify infected workstation
• Verify no other devices infected
• Ignore ransom demand
• Restore from backup
• Educate internal users
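The "identify the infected workstation" and "verify no other devices infected" steps start from the symptom on the previous page: files on a share that no longer open. The script below is an added example, not code from the presentation or from Protelligent, showing one way to sweep a file share for files that look encrypted. A file whose extension promises a known format (PDF, Office, PNG) but whose leading bytes no longer match is flagged, and the byte entropy of the sample separates a merely renamed file from encrypted output. The magic-number table, the ransom-note file names and the constructed sample share are assumptions made for the demo.

```python
"""Find files on a share that look as though ransomware encrypted them.

Added example (not from the presentation, standard library only). The magic
table, note names and the sample share built by build_demo_share() are
assumptions for the demo, not data from the slides.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

MAGIC = {                       # expected leading bytes per extension (assumed short table)
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG",
}
NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.txt", "HOW_TO_RECOVER_FILES.txt"}  # assumed names
ENTROPY_THRESHOLD = 7.5         # bits/byte; text ~4-5, compressed ~7.9, encrypted ~8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096):
    """Return (suspicious, reason) for one file, reading only its first bytes."""
    try:
        with path.open("rb") as fh:
            head = fh.read(sample_size)
    except OSError as exc:
        return False, f"unreadable: {exc}"
    expected = MAGIC.get(path.suffix.lower())
    if expected is None or head.startswith(expected):
        return False, "ok"                       # unknown type, or header intact
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return True, "header missing and content is high-entropy (likely encrypted)"
    return True, "header missing (renamed or truncated file)"


def scan_share(root: Path) -> dict:
    """Walk root; report ransom notes and suspicious files with the reason each fired."""
    report = {"ransom_notes": [], "suspicious": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name in NOTE_NAMES:
                report["ransom_notes"].append(path.as_posix())
                continue
            bad, why = classify(path)
            if bad:
                report["suspicious"][path.as_posix()] = why
    return report


def build_demo_share(root: Path) -> None:
    """Constructed sample: two intact documents, one encrypted in place, one note."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "budget.pdf").write_bytes(b"%PDF-1.4\n" + b"plain pdf body " * 50)
    (root / "memo.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml " * 50)
    (root / "claims.xlsx").write_bytes(os.urandom(4096))   # extension kept, bytes replaced
    (root / "notes.txt").write_text("unknown extension: not checked")
    (root / "DECRYPT_INSTRUCTIONS.txt").write_text("your files are encrypted")


def run_demo() -> dict:
    """Build the sample share in a scratch directory, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        build_demo_share(share)
        return scan_share(share)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it against a mounted share root instead of the demo directory to get a list of affected paths; the set of directories the suspicious files fall into usually tells you which user's mapped drives, and therefore which workstation, did the encrypting. Files with an unknown extension are deliberately not judged on entropy alone, since archives and images are legitimately high-entropy.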
Page 12: Ransomware
• What is it?
– Virus that encrypts data on your computer and network drives (CryptoLocker, CryptoWall)
– Asks you to pay money ($200-$5,000) to unlock the encryption and get your data back
• How do we get it?
– Malicious emails that appear legitimate
• 23% of recipients open the message, 11% click on attachments1
– Compromised ads on popular websites
1. Verizon Communications' 2015 Data Breach Investigations Report
Page 13: Ransomware
• Protecting ourselves
1. Reliable/tested file backups and restore
2. Educate staff about phishing and ransomware
• Be aware of email requests urgently asking you to take action
• Never give sensitive personal or financial information over email
• If an offer seems too good to be true, it likely is
• Recall whether you initiated an action that the email is asking you to take (like password resets, account updates, etc.)
• Only download software from known/trusted sites
• Don't open attachments in unsolicited email
• Use the same precautions on your mobile device as you would on your computer/laptop
• Employee Security Awareness Training and Education (SATE)
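Several of the habits in the list above (urgent requests, requests for credentials, attachments in unsolicited mail, links that do not go where they say) can also be checked mechanically before a message reaches the user. The script below is an added example, not code from the presentation or from Protelligent, that parses a raw e-mail with Python's standard library and counts the indicators that fire. The word lists, the brand list and the two sample messages are constructed for the demo and are assumptions, not part of the original slides.

```python
"""Score an e-mail for the phishing indicators listed on the slide.

Added example, standard library only, run on constructed sample messages.
Word lists, brand list and both samples are assumptions made for the demo.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
CREDENTIAL_ASK = ("verify your password", "confirm your account", "update your payment")
BRANDS = ("paypal", "microsoft", "dropbox")        # brands staff expect mail from (assumed)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar", ".zip")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two labels of a host name (no public-suffix list; enough for the demo)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def score_message(raw: bytes):
    """Return (score, reasons); each reason is one indicator that fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(w in haystack for w in URGENCY):
        reasons.append("urgent call to action")
    if any(w in haystack for w in CREDENTIAL_ASK):
        reasons.append("asks for credentials or payment details")
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender is not None:
        sender_dom = registrable(sender.domain)
        for brand in BRANDS:   # "PayPal Security" <alerts@example-billing.net>
            if brand in sender.display_name.lower() and brand not in sender_dom:
                reasons.append(f"display name claims {brand} but sender is {sender_dom}")
        reply = msg["Reply-To"]
        if reply and reply.addresses and registrable(reply.addresses[0].domain) != sender_dom:
            reasons.append("Reply-To goes to a different domain than From")
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(text)
        for visible, href in extractor.links:   # text says paypal.com, href goes elsewhere
            shown = DOMAIN_RE.search(visible.lower())
            target = registrable(urlparse(href).hostname)
            if shown and registrable(shown.group(0)) != target:
                reasons.append(f"link text '{visible}' actually points to {target}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"attachment {name} has a risky extension")
    return len(reasons), reasons


# Constructed sample messages (not real mail).
PHISH = b"""From: "PayPal Security" <alerts@example-billing.net>
Reply-To: recover@example-mailbox.org
Subject: URGENT: verify your password within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account will be suspended. <a href="http://example-billing.net/login">paypal.com/secure</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""
BENIGN = b"""From: Jane Doe <jane@example.org>
Subject: Lunch Thursday?

Want to grab lunch Thursday after the board meeting?
"""
```

The constructed phishing sample trips all six indicators and the benign note trips none; in practice a score of two or more is a reasonable threshold for holding a message for review. The link check is the one users most often miss by eye, because the visible text is a real domain and only the href reveals the destination.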
Page 14: Ransomware
• Protecting ourselves
3. Plan for infection/containment/restoration
• Remove the infected device from the network
• Secure wipe of the hard drive
• Clean installation of operating system and applications
• Restore of data sets
4. Endpoint protection
• Antivirus/HIPS
• Automated patching
• Strong passwords
• Pop-up blocker
• URL filtering
Page 15: Risk: Complacent Users
• We share sensitive data with members and 3rd parties via ShareFile (Citrix)
• Our user downloads a file that contains an infected payload, even under strange circumstances
• Email relay malware is initiated
• Within a day, our domain is blacklisted
Page 16: Our response
• Identify infected workstation
• Submit request for deletion from blacklists
• Change all ShareFile and critical system passwords
• Educate internal users
Page 17: Social Engineering
• The oldest tool is still one of the most effective
– "Watering hole"
– Malvertising
– 'Trusted resource' email, text, voice
– USB/SD cards and our Nation's Capital
– "-ishing"
• Phishing (random)
• Spear phishing (targeted)
• Vishing (phone call)
• Smishing (SMS text)
– Employee Security Education and Awareness Training (SATE)
Page 18: Social Engineering
Page 19: Risk: ???
• PDA risks
• More than data -> control
• Highly targeted attacks
• Our members
Page 20: Our response
• More internal training and updates
• More formalized risk assessment and response planning
• Store some sensitive data off network when practical
• Ask vendors about their security
• Revamp internal policies
Page 21: Protection and Response
• Murphy's law: what can go wrong, will, so we need:
– Plans, procedures, and policies
• FEMA: Business Continuity and IT Disaster Recovery Planning
– http://www.fema.gov/planning-templates
• FCC: SMB Security Planning Wizard
– fcc.gov/cyberplanner
Page 22: Host Intrusion Prevention Systems (HIPS)
• With IoT, the move to the cloud, etc., attacks are more focused on direct application access instead of gaining endpoint control
• HIPS is a combination of firewall, IDS, and anti-malware that monitors activity and behavior from the network to the application layer
– McAfee HIPS
– Symantec Endpoint Protection
– Trend Micro Deep Security
Page 23: Protection and Response
• Maintain relevant technology (from the perimeter to the endpoint)
– Internet/email URL/content filtering, intrusion/malware prevention and detection systems, email/wireless security
– Endpoint operating system and application patching and updating
– HIPS and application-aware defense at the endpoint device
– Encrypted backup and disaster recovery
Page 24: Protection and Response
• Training and awareness
– Top-to-bottom employee security awareness training and education
– Subscribe to security notification services
• Insurance
• Consult an expert
– Routine security assessment/audit
– Enforce need-to-know, review employee/vendor access
– Annual reviews
– Outsourced Security Operations Center
Page 25: Technology / Toolsets
• Layered Security Implementation
– Network border
• Firewall, VPN, and next-gen security (anti-X, IPS, URL filter)
– Domain/application security
• Active Directory Group Policy, mail security
– Computing device (server, laptop, mobile)
• HIPS, anti-X, automated patch management
– Staff member
• Education, policy/procedure
– Data sets
• Backup/DR and continuity planning
Page 26: Technology / Toolsets
• Mobile Security (iOS and Android)
– BYOD vs. organization-provided equipment
• Understand organization data is sitting on BYODs
• Security process/procedure should extend equally to BYODs
– Password protect
– Remote wipe
• Find My iPhone, Android Device Manager, and 3rd-party solutions
– Anti-X/HIPS solutions
Page 27: Password Management
• Password challenges
– More login-based websites/services than ever before
– The same username/password reused across sites
• Best practices
• Password databases
– Centralized password management
– Enforces secure, single-site usernames/passwords
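Before moving staff onto a password database it helps to know how bad the reuse problem actually is. The script below is an added example, not code from the presentation or from Protelligent, that audits a credential export for the two problems named on this page: one password used on several sites, and passwords that fail a basic policy. It compares passwords by SHA-256 fingerprint so the report itself carries no plaintext, and it also catches the near-reuse people slip into when a password is "rotated" by bumping a trailing number. The sample records, the policy thresholds and the common-password list are constructed for the demo and are assumptions, not data from the slides.

```python
"""Audit a credential export for password reuse and weak passwords.

Added example (not from the presentation). Records, policy thresholds and the
common-password list are assumptions for the demo, not real accounts.
"""
import hashlib
import re
from collections import defaultdict

RECORDS = [  # constructed sample export: (site, username, password)
    ("bank.example", "rick", "Summer2015!"),
    ("vendorportal.example", "rick", "Summer2015!"),
    ("sharefile.example", "rkrepelka", "Summer2016!"),
    ("webmail.example", "rick", "password"),
    ("insurer.example", "rick", "T7#q9vLm2pX!bR4e"),
]
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}   # assumed short list
MIN_LENGTH = 12                                                     # assumed policy
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def digest(pw: str) -> str:
    """Short SHA-256 fingerprint so the report can name a password without printing it."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()[:16]


def stem(pw: str) -> str:
    """Lower-cased password with trailing digits/symbols removed ('Summer2015!' -> 'summer')."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def policy_failures(pw: str) -> list:
    """Rules the password fails (empty list means it passes the assumed policy)."""
    fails = []
    if len(pw) < MIN_LENGTH:
        fails.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(p, pw)) for p in CLASSES) < 3:
        fails.append("fewer than 3 character classes")
    if pw.lower() in COMMON:
        fails.append("common password")
    return fails


def audit(records) -> dict:
    """Group records by password digest and by stem; return reuse, near-reuse and weak sets."""
    by_digest, by_stem, weak = defaultdict(list), defaultdict(dict), {}
    for site, _user, pw in records:
        by_digest[digest(pw)].append(site)
        by_stem[stem(pw)][site] = digest(pw)
        fails = policy_failures(pw)
        if fails:
            weak[site] = fails
    reused = {d: sites for d, sites in by_digest.items() if len(sites) > 1}
    # Near-reuse: several sites share a stem but not all of them share the exact digest.
    near = {s: sorted(m) for s, m in by_stem.items() if len(m) > 1 and len(set(m.values())) > 1}
    return {"reused": reused, "near_reuse": near, "weak": weak}


if __name__ == "__main__":
    for section, findings in audit(RECORDS).items():
        print(section)
        for key, value in findings.items():
            print("  ", key, value)
```

On the sample data the audit reports the bank and vendor portal sharing one password, all three "Summer" variants as near-reuse, and four of the five sites failing the policy; only the generated 16-character password passes. Exported plaintext should be handled on an isolated machine and deleted once the report is produced, since the export is itself the most sensitive file in the organisation.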
Page 28: Resources
• CERT: Protect Your Workplace campaign
– us-cert.gov
– https://www.us-cert.gov/mailing-lists-and-feeds
• Microsoft:
– Internet Safety Toolkit
– Microsoft Technical Security Notifications
• FEMA: Business Continuity and IT Disaster Recovery Planning
– fema.gov
• FCC: SMB Security Planning Wizard
– fcc.gov/cyberplanner
• On Guard Online: SMB Employee SATE
– onguardonline.gov
• National Cyber Security Alliance: Online Safety
– staysafeonline.org
Page 29: What Can I Do Now?
• Get educated/alerted
– Sign up for email alerts (CERT, Microsoft, etc.)
– Send a staff member to a security seminar/webinar to stay up to speed on the changing security and threat landscape
• Start talking with your executive/management team
• Continually educate/update your staff on how to stay alert for potential threats
• Update your IT and business continuity plans to include security policy/procedures
• Enforce a strong password management policy in your organization
Page 30: What Can I Do Now?
• Implement automated patch management
• Evaluate current backup strategy
– Is it stored offsite? Encrypted in flight and at rest? What media is used? What is the process/procedure for recovery?
• Evaluate current hardware and software technologies for outdated/unsupported products
• Evaluate and update policies/procedures
– IT Plan, Security Plan, DR and Business Continuity
• Consult a reputable security services organization that can provide guidance, ongoing auditing, and reviews
• Consider utilization of an outsourced SOC to manage and maintain your security practice
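The backup questions above, together with "reliable/tested file backups and restore" from the ransomware pages, come down to one thing: a backup that has never been restored is not known to work. The script below is an added example, not code from the presentation or from Protelligent, of the minimum a recovery procedure should prove: every file in the backup is listed in a manifest of SHA-256 hashes, the manifest is signed with an HMAC key kept off the backup media so that an attacker who can rewrite the backup cannot also rewrite its inventory, and a restore into scratch space is re-verified file by file. It covers integrity and the restore test only; encrypting the media in flight and at rest is left to the backup tool or the filesystem, because the standard library has no AES. The data set, the key and the three scenarios are constructed for the demo and are assumptions.

```python
"""Tested backups: signed hash manifest plus a restore check.

Added example (not from the presentation, standard library only). The key,
the sample data set and the three scenarios in run_demo() are assumptions.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

KEY = b"demo-manifest-key-keep-off-the-backup-media"   # assumed; hold in a secret store


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path, key: bytes = KEY) -> Path:
    """Copy src to dest/data and write a signed manifest next to the copy."""
    shutil.copytree(src, dest / "data")
    entries = {p.relative_to(src).as_posix(): sha256_file(p)
               for p in sorted(src.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode("utf-8")
    (dest / "manifest.json").write_bytes(body)
    (dest / "manifest.sig").write_text(hmac.new(key, body, hashlib.sha256).hexdigest())
    return dest


def verify_backup(backup: Path, key: bytes = KEY) -> list:
    """Return a list of problems (empty list = manifest authentic and every file intact)."""
    body = (backup / "manifest.json").read_bytes()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, (backup / "manifest.sig").read_text().strip()):
        return ["manifest signature invalid (tampered or wrong key)"]
    problems = []
    for rel, digest in json.loads(body).items():
        p = backup / "data" / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def restore_test(backup: Path) -> list:
    """Restore into scratch space and re-verify there: the only proof a backup works."""
    problems = verify_backup(backup)
    if problems:
        return problems
    entries = json.loads((backup / "manifest.json").read_bytes())
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(backup / "data", restored)
        for rel, digest in entries.items():
            if sha256_file(restored / rel) != digest:
                problems.append(f"restore mismatch: {rel}")
    return problems


def run_demo() -> dict:
    """Constructed data set; results for a clean backup, a corrupted file, a rewritten manifest."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "claims").mkdir(parents=True)
        (src / "claims" / "2015-q3.csv").write_text("id,amount\n1,100\n")
        (src / "policies.txt").write_text("policy A\n")
        backup = make_backup(src, Path(tmp) / "backup")
        results["clean"] = restore_test(backup)
        # Bit rot, or ransomware reaching the backup copy itself.
        (backup / "data" / "policies.txt").write_text("policy A (changed)\n")
        results["corrupt"] = restore_test(backup)
        # Attacker rewrites the manifest to match: without the key, the signature fails.
        (backup / "manifest.json").write_bytes(b"{}")
        results["tampered"] = restore_test(backup)
    return results


if __name__ == "__main__":
    for scenario, problems in run_demo().items():
        print(scenario, problems or "verified")
```

Schedule restore_test against the offsite copy, not the live server, and treat any non-empty result as an incident; the ransomware response on Page 11 only works if the "restore from backup" step has been rehearsed this way before it is needed.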
Page 32: Q & A
Christopher George
[email protected]
(855) PRO-TELL
California Office: 2100 Main Street, Suite 230, Irvine, CA 92614, Phone: (949) 221-8900
Washington Office: 15407 East Mission Avenue, Suite 425, Spokane Valley, WA 99037, Phone: (509) 378-3460