©2012 CliftonLarsonAllen LLP
Summary of the State of Security
Tram Jewett, CISA, CliftonLarsonAllen LLP
Virginia GFOA Annual Spring Conference, 2016
1 Summary of the State of Security
Tram Jewett, MS, CISA, 11 years of IT audit and cyber security in federal and state government
• Pension
• Transportation
• Education
• Housing
2 What We Will Cover
• Federal Information Security Modernization Act (FISMA) of 2014
• Cybersecurity Act of 2015
• Breaches
• Ransomware
• Other tools
• How to protect yourself
• Cloud Computing
• IoT
3 Federal Information Security Modernization Act (FISMA) of 2014
• DHS administers FISMA
• DHS can issue “binding operational directives”
• OMB retains policy/procedure
• Modifies reporting to Congress to be less policy-oriented and more threat- and incident-oriented
• Focus on detecting, reporting and responding to security incidents
• Requires OMB to revise Circular A-130 to eliminate “wasteful/inefficient” reporting requirements
4 Cybersecurity Act of 2015
• Effective until September 30, 2025
• Voluntary sharing of cyber threat information
• Permits and authorizes preventing, detecting, analyzing, and mitigating cybersecurity threats
• Allows network operators to:
  – Monitor
  – Operate defensive measures
  – Share information with others
5 Why Were These Laws Necessary?
JAN -- Xoom $31 million business email compromise
FEB -- Deep Panda Likely cause of breach with 80 million victims
MAR -- Premera Data breach affecting 11 million people
APR -- Great Cannon DDoS attacks on GitHub, GreatFire
MAY -- Healthcare Data breaches cause problems for insurance providers
JUN -- OPM breach 21 million victims
6 Why Were These Laws Necessary? (cont.)
JUL -- Ashley Madison 100 GB of stolen data in high-profile compromise
AUG -- Ubiquiti $47 million business email compromise
SEP -- Blue Termite Chinese cyber-espionage attack on Japanese companies
OCT -- Experian Breach affects 15 million customers
NOV -- Dridex Banking malware shows up again
DEC -- BlackEnergy Malware causes power outages in Ukraine.
7 Who Performs the Breaches?
Hackers:
– They are not individuals working alone
– They are well-funded professionals
– Foreign governments and organizations (Chinese and ISIL)
Motivation behind these attacks:
– Financial
– Political
– Espionage
8 What Are the Hacker’s Tools?
Ransomware is a serious security threat that has data-kidnapping capabilities. Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.
9 How Do You Catch Ransomware?
• Viewing compromised websites
• Clicking on a Phishing email
• Other malware
10 How Do You Catch Ransomware? (cont.)
11 How Ransomware Works
• Locks your screen.
• Calls home to get encryption keys.
• Encrypts every file, both on the local device and on your network.
12 How Ransomware Works (cont.)
13 Ransomware Note
Ransomware demands that you send money in Bitcoin.
14 Ransomware Note (cont.)
• “Your computer has been infected with a virus. Click here to resolve the issue.”
• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
• Source: https://www.us-cert.gov/ncas/alerts/TA16-091A
15 CryptoLocker ransom demand
16 Jigsaw ransomware demand
17 Jigsaw ransomware demand (cont.)
18 Ransomware Payment
After the attacker receives the Bitcoins and converts them into dollars, he may send you the key to decrypt your files.
19 Effect of Ransomware
• Ransomware infections can lead to:
  – loss of your information,
  – disruption of your operations,
  – financial losses incurred to restore systems and files, and
  – potential harm to an organization’s reputation.
20 Effect of Ransomware (cont.)
• Paying the ransom does not guarantee the encrypted files will be released;
• In addition, decrypting files does not mean the malware infection itself has been removed.
21 Ransomware in the News
• Hollywood Presbyterian Medical Center
• MedStar Health in the Washington, D.C. area
• Methodist Hospital in Henderson, KY
• Chino Valley Medical Center in Chino, CA
• Desert Valley Hospital in Victorville, CA
22 Popularity of Ransomware
• Ransomware exists because it is:
  – Profitable
  – Low-budget
  – Low stakes
  – Does not require much skill to pull off
23 Ransomware Preventative Measures
• Data backup and recovery plan for all critical information.
• Use application whitelisting.
• Keep your operating system and software up-to-date with the latest patches.
• Maintain up-to-date anti-virus software.
24 Ransomware Preventative Measures (cont.)
• Restrict users’ ability (permissions) to install and run their own software.
• Apply the principle of “least privilege” to all systems and services.
• Avoid enabling macros from email attachments.
25 Ransomware Preventative Measures (cont.)
• Train users:
  – How to safely handle email attachments; see Recognizing and Avoiding Email Scams (https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf).
  – Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks (https://www.us-cert.gov/ncas/tips/ST04-014) for more information.
  – Follow safe practices when browsing the Web. See Good Security Habits (https://www.us-cert.gov/ncas/tips/ST04-003) and Safeguarding Your Data (https://www.us-cert.gov/ncas/tips/ST06-008) for additional details.
26 Other Hacker’s Tools
Rootkit
• The Dark Web is like a candy store for hackers
• Exploits vulnerabilities for:
  – Microsoft
  – 2002 servers…
  – Oracle …
  – Adobe …
  – Java ….
27 Other Hacker’s Tools (cont.)
28 Things You Can Do to Prevent Getting Hacked
• No passwords or blank passwords
• Username is the same as the password
• The username or the username concatenated with itself
• Passwords such as “password,” “passcode,” “admin”
• Service or vendor accounts (backups)
• Build your servers securely from the start
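The weak-credential patterns listed on the slide above can be turned into a simple audit check. The following is an added example, not code from the presentation or from CliftonLarsonAllen; it assumes you have (username, password) pairs available, for instance from a password-policy check at reset time or a credential audit of service accounts, and the sample accounts are constructed.

```python
# Added example: flags the weak-credential patterns named on the slide.
# Assumes plaintext credentials are available (e.g. a set-time policy hook
# or an audit of vendor/service accounts). Sample data below is constructed.
COMMON_WEAK = {"password", "passcode", "admin"}


def weak_credential_reasons(username, password):
    """Return the slide's weak-credential patterns that this pair matches."""
    reasons = []
    u = username.strip().lower()
    p = password.strip().lower()
    if p == "":
        reasons.append("blank password")
    if p and p == u:
        reasons.append("username same as password")
    if p and p == u + u:
        reasons.append("username concatenated with itself")
    if p in COMMON_WEAK:
        reasons.append("common default word")
    return reasons


def audit_accounts(accounts):
    """accounts: iterable of (username, password, is_service_account).

    Returns {username: [reasons]} for every account that needs attention.
    Service/vendor accounts (e.g. backups) with a weak credential are
    called out explicitly, as the slide singles them out.
    """
    findings = {}
    for username, password, is_service in accounts:
        reasons = weak_credential_reasons(username, password)
        if reasons and is_service:
            reasons.append("service/vendor account with weak credential")
        if reasons:
            findings[username] = reasons
    return findings


# Constructed sample accounts covering each pattern on the slide.
SAMPLE_ACCOUNTS = [
    ("backup", "backup", True),            # username == password, service account
    ("jsmith", "jsmithjsmith", False),     # username concatenated with itself
    ("admin", "Password", False),          # common default word
    ("svc_sql", "", True),                 # blank password on a service account
    ("mlee", "Tr0ub4dor&3-correct", False),  # passes these checks
]

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```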
29 Cloud Computing
Cloud Security Alliance (CSA) Treacherous 12
– Data breaches
– Compromised credentials and broken authentication
– Hacked interfaces and APIs
– Exploited system vulnerabilities
– Account hijacking
– Malicious insiders
– APT parasite
– Permanent data loss
– Inadequate diligence
– Cloud service abuses
– DoS attacks
– Shared technology, shared dangers
30 2015 IoT Vulnerabilities
31–36 2015 IoT Vulnerabilities (cont.)
37 Questions?