SAFE CYBER HYGIENE FOR WORK AND AT HOME August 2017 Cyber Hygiene...GRC 2017 Cyber Hygiene...

GRC 2017 Cyber Hygiene Presentation 8/9/17

© Bloustein Local Government Research Center, Rutgers University 1

NJGovernmentRecordsCouncilAnnualTrainingSeminar

August10,2017ByMarcPfeiffer,AssistantDirectorBlousteinLocalGovernmentResearchCenter

RutgersUniversity

SAFECYBERHYGIENEFORWORKANDATHOME



BOTTOMLINE▪ Criminalstrytomanipulatepeopleinto

divulgingpersonalorbusinessinformationortrickthemintoschemestodefraud

▪ Criminalscanbeindividualsorpartofindustrialized,cybercrimebusinesses

Nosinglefixsincethethreatskeepchanging;It’saperpetutalbattle



SomeCommonTerms

Malware

Destructiveformofcomputersoftwaretransmittedbyemailandwebsitelinks



Phishingaformofsocialengineeringthatappearsasemailoratextmessagethatattackersusetogainlogincredentialsoraccountinformation

Anditsevilcousin,thetargetedSpear-PhishorVish,usingvoicetofoolyou

WHYSHOULDICARE?

•60%ofemployeeswillclickaphishinglink

•30%ofthemwillactuallygiveuporganizationcredentials

•20%statedtheywouldselltheirorganizationalpassword

REALITY:thebulkofsuccessfulattackscomebecauseanemployeeclickedon

somethingtheyshouldn’thave



TypesofAttacksandThreats•TargetedAttacks

–Governmentagenciesaregenerallytargets–Italsohappensifsomethinggoeswrong

•MassAttacks–Thisstemsfromsuccessfulemailphishing,socialengineering,plus“bruteforce”attacksonnetworks

•Man-in-the-MiddleAttack:–Alinktoalog-insitethatlookslegit,butisfraudulentandwillstealyourcredentials

•Unsecurehumans–Clickingonthewronglink/openingthewrongfile–Anemployeewhostealsdataforresaleorillegaluse



PHISHINGEMAILSEXAMPLES

Phishingemailposesasanimportantemailfromatrustedorganization

– Anotificationfromthepostoffice,UPS,FedExshippinginformingtherecipientofadelivery

– Amessagefromautilityproviderorretaileraboutanoverduebill

– Analertabouttherecipient’staxreturn– Invoicesornoticesforgoodsandservices(Amazon,Costco)

– Fakecreditcardrewardschemes– Directionfromyouremployer,i.e.,needtolog-inbecauseyoulostsomepermission

Eachvariationreliesonourinstincttoactonmessagesthatappeartobeurgent



EMAILASSOURCEOFMALWARE?

- Embedded,butfakelinksenticeyoutoopenharmfulwebsites

- Spoofed“from”addresses

- Attachmentsthatareorhaveembeddedvirusesormalware(docx,xlsx,pptx,html,zip)- MSOfficedocumentscanhavemaliciousmacrosinthem

- Embeddedimagescontaininghiddencodeexposingyoutoharm

- Couponsandadvertisementswith“hiddenagendas”



REASONSFORCLICKING?

• CURIOSITY=34%

• METANEXPECTATION=27%

• INVESTIGATION=17%

• KNOWNSENDER=16%

• TRUSTINCONTEXT=11%

• FEAR=7%

• AUTOMATIC=3%

• Clickingonanattachmentoralinkembeddedinasuspiciousemaillaunchesaprogramthatencrypts(orrewrites)yourfiles



SOWHATHAPPENS?

• Thefilesareheldforransom;thehackerwhosenttheemailwillrequireapaymentfromyoubeforetheywill(hopefully)sendyouthekey(alineofcomputercode)thatdecryptsthefilesandrestorethem.

• Hopeyouhavebackupstorestoreyoursystem;otherwiseyoupay!

• Nowknowntohackersasavictimandwillbesubjecttofutureattacks



PROTECTYOURSELFFROMEVILEMAIL

•Learntohoverandreadlinks!

•Besuspiciousofunexpectedemails

•Donotopenattachmentsyouarenotexpecting:

• Confirmfirstwiththesenderifitlooksimportant

• Orjustdeleteit

• Alwaysbesuspicious(donotletyourguarddown)

• Ifitdoesn’tlookright,it’snotright

• Donotlogintoanaccountfromanemaillinkunlessyouverifyit’salegitemailandsite

• Neverunsubscribefromagroupthatyouareunfamiliarwithordidnotsubscribeto



“But,IThinkI’mSmartAboutThis”

• “Iknew,ifthiswassomethingdangerous,myNortonwouldprotectme”

• “IuseFirefoxandMacOS,soI’mnotafraidoftheviruses”

• “AfterIgoogledit,Photocloud.com seemedtobeacleanwebsite”

• “Igoogledtheemailaddress[…]Ifoundnothing”

• “Iconsiderourwebmailtobesafe”



• Asixcharacter,singlecasepassword= 308millionpossiblecombinations

• Combiningupperandlowercaseandusing8charactersinsteadof6=53trillion

• Substitutinganumberforoneofthelettersyields218trillion.

• Substitutingaspecialcharacter6,095trillion

HOWSTRONGISYOURPASSWORD?

• Usestrongpasswordsorbetteryetpass-phrases,donotusenames,dateofbirths,oranythingknownaboutyou

• Changethemperiodically• Donotsharepasswords!But,ifyoumustconsiderthat:

– Anythingthathappensonthataccountgetstreatedasifyoudidit

– Ifyoudoshareapassword,changeittosomethinggenericbeforeandbacktosomethingcomplexafter;orchangeitafterit’suse

• Useapersonalpasswordmanager

WhatThatMeanstoYou



SAFEWEBBROWSING



THEPROBLEMSWITHBROWSING

Thisisnotyourmother’sinternet!

Useofpasswordsoninsecurepages

Malwareloadedpages

Unexpectedpop-ups

HTTP

HTTPS



http://masterupdate.net/.....

If you are unsure about this type of pop-up, search for “flash update” and go to an adobe.com site to check. Don’t download from a pop-up that’s not from the adobe.com website.



No

No

Bewareoffreedownloadsfromcouponanddownloadsites– malwareoftenfollows!

Andwatchwhereyouclick!



• DONOTCLICKONsuspiciouspop-upsorunexpectedmessageswhenbrowsing!– Ifatwork,callIT;ifathome,closethewindowor,disconnect

fromnetwork

– Workiswork,nothome!

– Rememberyourwebbrowsingactivitiesaretracked(evenifyouclearthebrowserhistory)!

– DON’TCLICKonthatpop-up!

– Testapagebylookingatitfullsizeandthenshrinkingit.Ifitwon’tordoesn’t,closethebrowser!

SafeBrowsing@Workand@Home

• DON’TCALLthenumberonthescreen

• Thingsthataretoogoodtobetrue,aren’ttrue.Don’tclickonthemordeletethem

• Caughtinaloop?Shutdownandreboot

• StaySafe:Browsetrusted sites:• Knowtheaddress:HTTPvs.HTTPS,andnopasswordsonnon-https sites

• Usetwo-factorauthenticationwhenoffered• Don’tdownload“toolbars”orcleaners,unlessknownorcheckedout.Youprobablydon’tneedthem

KEEPYOURCOMPUTERUPTODATEKeepwindows,antivirus,andbrowser

updatedwithlatestversions



FormsofSocialEngineering

• In-person• Phone• Digital



BEWAREOF……phonecallersaskingforconfidentialemployeror

personalinformation,eveniftheyclaimtobefromIToravendor.ReferthemtoITsupportorhangup.

'Canyouhearme?'phonescamFauxtelemarketersaskingunwillingvictimstorespondwithasinglewordto"Canyouhearme?“Donotreplywith“yes”

Don’tclinkontextmessagelinksfromsomeoneyoudon’tknow

{ }



UNFORGETTABLES

• Donotlogonandoffacomputerwhenaskedbyanotheremployeeoroutsideperson–unlessidentityisverified

• CallerIDcanbe“spoofed”• Usetwo-factorauthenticationtransactionswheneveritsavailable

• FiscalandHRpeople:POSTIVELYconfirmallemaileddirectionsforanything(especiallyforpersonnelinformationandpaymentdirection)

• Usepasscodeonmobiledevices43



•Nosystemis100%perfect- sincethreatsarealwayschanging

•Stayaware:stop,think,thenconnect•CallyourITsupportpersonwhenindoubt•Athome:www.malwarebytes.org ifyougetinfected

UH,NOPE

PUTTINGITALLTOGETHER

• Don’tbecurious– justdon’tclick• Online;freeisneverfree• Besuspicious– hoverfirstandcheckitout• Ifyoudidn’taskforit,youdon’tneedit• Never openattachmentsfromunknownpeople• Don’tinstinctivelyopenfilesfrompeopleyouknowbutwerenotexpecting;checkwiththemfirst

• LockyourPCwhenawayfromyourdesk– “Ctrl+Alt+Del>Enter”or“Windows+L”

• Testyourself:searchfor“PewCybersecurityQuiz”• www.pewinternet.org/quiz/cybersecurity-knowledge/



Formoreinformationforworkorhomeorschool:www.stopthinkconnect.org



FORFURTHERDISCUSSION&COMMENTS

MarcPfeiffer,AssistantDirectorBlousteinLocalGovernmentResearchCenterBlousteinSchoolofPlanningandPublicPolicyRutgersUniversityMarc.Pfeiffer@rutgers.edu

• TechnologyRiskManagementPapersat:– http://blousteinlocal.rutgers.edu/managing-technology-risk/

• Orsearchfor“BlousteinTechnologyRisk”

ANDNOW…SOMEWORDSABOUTTECHNOLOGY

RISKSANDPROFICIENCY



Categoriesof

TechnologyRisk

Cyber-security

Financial

Opera-tional

Legal

Reputa-tional

Societal

THREEELEMENTSOFPROFICIENCY

Technology Management

Cyber Hygiene

Technical Competency

• Governance- decisions• Planning– whattodo• Budgeting– howtofund

• Employeetraining• Adoptedpolicies• EncryptionofPIIandPHI

• Meetsminimumstandards• Accesstoexpertise• Incidentresponseplans



MINIMUMACCEPTABLELEVELS:TECHNICALCOMPETENCY

MinimumBackupPractices

TimelySoftwarePatching

StrongDefensiveSoftware

ServerPhysicalSecurity

AccessPrivilegeControls

TechnologySupport

MINIMUMACCEPTABLELEVEL:SOUNDCYBERHYGIENE

Employeetraining

Policies:Email,Internet,Password

ProtectPIIandPHI

Passwordstrength



MINIMUMACCEPTABLELEVEL:TECHNOLOGYMANAGEMENT

Leadershiphasaccesstotechexpertise

Incidentresponseplans

SAFE CYBER HYGIENE FOR WORK AND AT HOME August 2017 Cyber Hygiene...GRC 2017 Cyber Hygiene...

Documents

Transcript of SAFE CYBER HYGIENE FOR WORK AND AT HOME August 2017 Cyber Hygiene...GRC 2017 Cyber Hygiene...