©2012 CliftonLarsonAllen LLP CliftonLarsonAllen ©2012

Summary of the State of Security

Tram Jewett, CISA CliftonLarsonAllen LLP Virginia GFOA Annual Spring Conference, 2016


Tram Jewett, M.S., CISA, 11 years of IT audit and cyber security in Federal and State government

• Pension
• Transportation
• Education
• Housing

What We Will Cover?

• Federal Information Security Modernization Act (FISMA) of 2014
• Cybersecurity Act of 2015
• Breaches
• Other tools
• How to protect yourself
• Cloud Computing
• IoT

Federal Information Security Modernization Act (FISMA) of 2014

• DHS to administer the FISMA
• DHS can issue “binding operational directives”
• OMB retains policy/procedure
• Modifies reporting to Congress to be less policy, more threat and incident-oriented
• Focus on detecting, reporting and responding to security incidents
• Requires OMB to revise Circular A-130 to eliminate “wasteful/inefficient” reporting requirements

Cybersecurity Act of 2015

• Effective until September 30, 2025
• Voluntary sharing of cyber threat information
• Permits , Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats
• Allows network operators to:
  – Monitor
  – Operate defensive measures
  – Share information with others

Why were these Laws necessary?

JAN -- Xoom $31 million business email compromise

FEB -- Deep Panda Likely cause of breach with 80 million victims

MAR -- Premera Data breach affecting 11 million people

APR -- Great Cannon DDoS attacks on GitHub, GreatFire

MAY -- Healthcare Data breaches cause problems for insurance providers

JUN -- OPM breach 21 million victims

Why were these Laws necessary? cont

JUL -- Ashley Madison 100 GB of stolen data in high-profile compromise

AUG -- Ubiquiti $47 million business email compromise

SEP -- Blue Termite Chinese cyber-espionage attack on Japanese companies

OCT -- Experian Breach affects 15 million customers

NOV -- Banking shows up again

DEC -- BlackEnergy causes power outages in Ukraine.

Who performs the Breaches?

– They are not individuals working alone
– They are well-funded professionals
– Foreign governments and organizations (Chinese and ISIL)

Motivation Behind These Attacks

– Financial
– Political
– Espionage

What are the ’s Tools?

Ransomware is a serious security threat that has data-kidnapping capabilities. Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

How do you catch Ransomware?

• Viewing compromised websites

• Clicking on a Phishing email

• Other malware


How Ransomware Works

• Locks your screen.

• Calls home to get encryption keys.

• Encrypts every file, both on the local device and on your network.


Ransomware Note

Ransomware demands that you send money in Bitcoin.

Ransomware Note cont

• “Your computer has been infected with a virus. Click here to resolve the issue.”
• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

• Source: https://www.us-cert.gov/ncas/alerts/TA16-091A

CryptoLocker ransom demand

Jigsaw ransomware demand


Ransomware Payment

After the attacker receives the Bitcoins and converts them into dollars, he may send you the key to decrypt your files.

Effect of Ransomware

• Ransomware infections can lead to:
  – loss of your information,
  – disruption of your operations,
  – financial losses incurred to restore systems and files, and
  – potential harm to an organization’s reputation.

Effect of Ransomware cont

• Paying the ransom does not guarantee the encrypted files will be released.

• In addition, decrypting files does not mean the malware infection itself has been removed.

Ransomware in the news

• Hollywood Presbyterian Medical Center
• MedStar Health in the Washington, D.C. area
• Methodist Hospital in Henderson, KY
• Chino Valley Medical Center in Chino, CA
• Desert Valley Hospital in Victorville, CA

Popularity of Ransomware

• Ransomware exists because it is:
  – Profitable
  – Low-budget
  – Low stakes
  – Does not require much skill to pull off

Ransomware Preventative Measures

• Data backup and recovery plan for all critical information.
• Use application whitelisting.
• Keep your operating system and software up-to-date with the latest patches.
• Maintain up-to-date anti-virus software.

Ransomware Preventative Measures cont

• Restrict users’ ability (permissions) to install and run their own software.
• Apply the principle of “Least Privilege” to all systems and services.
• Avoid enabling macros from email attachments.

Ransomware Preventative Measures cont

• Train users:
  – How to safely handle email attachments, see Recognizing and Avoiding Email Scams (https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf).
  – Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks (https://www.us-cert.gov/ncas/tips/ST04-014) for more information.
  – Follow safe practices when browsing the Web. See Good Security Habits (https://www.us-cert.gov/ncas/tips/ST04-003) and Safeguarding Your Data (https://www.us-cert.gov/ncas/tips/ST06-008) for additional details.

Other Hacker’s tool

Root kit

• The Dark Web is like a candy store for hackers

• Exploits vulnerabilities for:
  – Microsoft – 2002 servers…
  – Oracle …
  – Adobe …
  – Java ….


Things you can do to prevent getting Hacked

• No passwords or blank passwords
• Username is the same as the password
• The username or the username concatenated with itself
• Passwords such as “password,” “passcode,” “admin”
• Service or vendor accounts (backups)
• Build your servers securely from the start
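
The weak-credential conditions listed above, written as a check that can run when a password is set or a server is built. This is an added example, not part of the original slides; the function names, the sample accounts and the case-insensitive matching are assumptions, and "concatenated with itself" is generalised to any number of repeats.

```python
# Added example (not from the slides): flag the weak-password patterns the
# slide lists, at the point where a password is set or a server is built.
DEFAULT_WORDS = {"password", "passcode", "admin"}  # the three the slide names


def weak_password_reasons(username, password):
    """Return the slide's findings that apply; an empty list means none."""
    user = username.strip().casefold()
    pw = password.strip().casefold()
    if pw == "":
        return ["no password or blank password"]
    reasons = []
    if pw == user:
        reasons.append("password is the same as the username")
    # Generalised from "concatenated with itself": username repeated 2+ times.
    repeats, remainder = divmod(len(pw), len(user)) if user else (0, 1)
    if repeats >= 2 and remainder == 0 and pw == user * repeats:
        reasons.append("password is the username repeated")
    if pw in DEFAULT_WORDS:
        reasons.append("common default password")
    return reasons


def audit(accounts):
    """accounts: (username, candidate password, is_service_account) tuples."""
    findings = {}
    for username, password, is_service in accounts:
        reasons = weak_password_reasons(username, password)
        if reasons and is_service:
            reasons.append("service or vendor account: review before go-live")
        if reasons:
            findings[username] = reasons
    return findings


# Constructed sample of a server build sheet; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    ("jsmith", "jsmith", False),
    ("backup", "BackupBackup", True),
    ("svc_web", "", True),
    ("admin", "Admin", False),
    ("tjones", "c0rrect-Horse-42", False),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```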

Cloud Computing

Cloud Security Alliance (CSA) Treacherous 12

– Data Breaches
– Compromised credentials and broken authentication
– Hacked interfaces and APIs
– Exploited system vulnerabilities
– Account hijacking
– Malicious insiders
– APT parasite
– Permanent data loss
– Inadequate diligence
– Cloud service abuses
– DoS attacks
– Shared technology, shared dangers

2015 IoT Vulnerabilities


Questions?
