1/18/2018

Cybersecurity Threats – “What Every Employer Needs To Know”

Connecticut Department of Labor

Bryan Cassidy, VP / Information Security Officer (CISA, CISSP, CFE)

Disclaimers

The opinions expressed in this presentation and on the following slides are solely those of the presenter and not necessarily those of Farmington Bank. Farmington Bank does not guarantee the accuracy or reliability of the information provided herein.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Farmington Bank.

1/18/2018 | page 2


Bad Actor Profiles

Chart: Hacktivists, Fraudsters, Organized Crime, Nation States, plotted by Motivation and Skill.


Hacktivists

WikiLeaks, Anonymous, LulzSec



Fraudsters

Brett Johnson (“GollumFun”), ShadowCrew; Alexandre Cazes (“DeSnake”), AlphaBay 1.0; Ross Ulbricht (“Pirate Roberts”); Sanford Wallace (“Spam King”), Cyber Promotions

Albert Gonzalez (“CumbaJohnny”), ShadowCrew; Roman Vega (“Boa”), CarderPlanet; Ercan Findikoglu (“Segate”), ATM Cash Out; Yarden Bidani (“applej4ck”), vDOS


Blurring of Organized Crime / Nation States

Equation Group, Deep Panda, Cozy Bear, Longhorn, Black Vine, Sofacy, DragonOK, Fancy Bear, Hidden Lynx, Shadow Brokers, Mofang, Syrian Electronic Army, OilRig



Why Are They Not Arrested!?

Map: Paris, Moscow, Hartford, Miami, Dubai, Lagos, Dar es Salaam.

• Geopolitical Challenges
• Protections
• Masking Techniques
• Laws/Regulations
• Attribution Challenges


Shedding Light On The Dark Web



Surface Web: Only 4% of Web content (~8 billion pages) is available via search engines. About 1 zettabyte (~250 billion DVDs).

Deep Web: Approximately 96% of the digital universe is unsearchable or password protected. About 7.9 zettabytes (~36 million years of HD video).

Dark Web: A portion of the “deep web” used by criminals to perform illegal activities.

Source: The Deep Web: Semantic Search Takes Innovation to New Depths

The Onion Router (TOR)

“…free software for enabling anonymous communication…directs traffic through a free overlay network to conceal a user’s location and usage. TOR’s intended use is to help protect personal privacy of users, as well as their freedom and ability to conduct confidential communications…” (Wikipedia)



The Onion Router (TOR)

Diagram: You → Entry Guards → The TOR Network → Exit Nodes → Website. Relays are shown in many locations (India, Nepal, Canada, Colorado, Vietnam, Ohio, Brazil, Texas, Vermont, Malaysia, Hartford, Poland, Peru, Russia, Austria, Estonia, Spain, Utah, Yemen, Sweden, Maine, France, China, Ukraine). Traffic is encrypted inside the TOR network; the hop from the exit node to the website is unencrypted unless the website itself uses encryption.


Structure of a Dark Web Marketplace

Diagram: a marketplace consists of a Website, Payment Methods, and Parties (Sellers and Buyers). Two models are shown: Centralized (Vendors and Buyers) and De-Centralized.



Products & Services On the Dark Web

Products:
• Account Credentials
• Drugs & Prescriptions
• Debit/Credit Cards
• Crimeware Kits
• Human Trafficking
• DIY Guides
• Identification Docs
• Exploits
• Bank Statements

Services:
• Spam Rental Services
• Translation Services
• Money Mules
• Re-shippers
• Crimeware-as-a-Service

“…daily sales were found to fluctuate between $300,000 and $500,000 per day.” Carnegie Mellon University: “Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem” (August 2015).


Cybercrime Pricelist

Attack Tools:
• $400 Remote Access Trojan
• $100 Remote Desktop Control
• $400 1 Million Spam Emails

Services:
• $100 Email Account
• $150 Bulletproof Hosting (China, Eastern Europe, etc.)
• $20 Virtual Private Network
• $1 Proxy
• $25 Malicious File Encryption

Data:
• $3 SSN and DOB Verification
• $150 Credit Report 750+ Score
• $5 Credit/Debit Card (Online)
• $10 Credit/Debit Card (Cloned)
• $5 Bank Account Login
• $1 Existing PayPal Account
• $100 Email Account
• $25 Fake Driver’s License
• $25 Digital Copy of Fake Utility Bill or Social Security Card

Source: Recorded Future



Carding Shops


Dark Web Distrust – Scammers & Law Enforcement

• A dark web marketplace owner can perform an ‘exit scam’ and take all the digital currency with him/her.

• A vendor can steal a buyer’s digital currency by never providing a service or shipping a product, but risks negative feedback.

• A vendor can sell fake services/products to a buyer, but risks negative feedback.

• Law enforcement can be impersonating a vendor/buyer in an attempt to identify dark web marketplace owners, vendors, and/or buyers.

• Law enforcement may have taken full control over a dark web marketplace by possessing the servers, in an attempt to identify vendors and/or buyers.



Law Enforcement Takedown


Law Enforcement Monitoring



Spoofing, Compromise, and Account Takeover


FBI Public Service Announcements

• January 22, 2015 (I-012215-PSA): 2,126 victims with an exposed loss amount of $0.2 billion from October 2013 to December 2014.

• August 27, 2015 (I-082715a-PSA): 8,179 victims with an exposed loss amount of $0.8 billion from October 2013 to August 2015.

• June 14, 2016 (I-061416-PSA): 22,143 victims with an exposed loss amount of $3.1 billion from October 2013 to May 2016.

• May 4, 2017 (I-050417-PSA): 40,203 victims with an exposed loss amount of $5.3 billion from October 2013 to December 2016.



Headlines (March 2016 – August 2017)


Wire Fraud Example

From: [email protected]
Sent: April 2, 2017 10:02am
To: [email protected]

Hi Sasha, We have to make a payment to Def Company for $123,000 today. Do you have time to process a wire?

Thank you, Bryan AB Company



Wire Fraud Example

From: [email protected]
Sent: April 2, 2017 10:40am
To: [email protected]

Bryan, I’ll process the wire after lunch and send you the confirmation tomorrow as I’m out of the office.

Regards, Sasha AB Company


Wire Fraud Example

From: [email protected]
Sent: April 2, 2017 10:51am
To: [email protected]

Great! Please pay them as soon as possible as it is urgent. This is the bank account information for them:
BANK NAME: Global Bank
BANK ADDRESS: 1 Farm Glen Blvd., Farmington, CT 06032
ACCT NO: 123456789
ROUTING NO: 9515710
BENEFICIARY: ABC Company
BENEFICIARY ADDRESS: 32 Main Street, Farmington, CT 06032

Thank you, Bryan AB Company



Wire Fraud Example

From: [email protected]
Sent: April 3, 2017 8:01am
To: [email protected]

Hi Bryan, I’ve paid the vendor as requested.

Regards, Sasha AB Company


Wire Fraud Example

From: [email protected]
Sent: April 5, 2017 9:15am
To: [email protected]

Hi Bryan, We still haven’t received payment yet for the $123,000. Please pay as soon as possible to avoid any late charges.

Thanks, Lauren Def Company



Common Phishing/Email Spoofing Fraud Red Flags

• Poor spelling and/or grammar.

• Requests for instructions on processing wire/ACH payments.

• Last-minute changes in wire/ACH instructions.

• Elements of urgency: “This needs to be completed by today!”

• Elements of secrecy: “Don’t tell anyone!” “This needs to remain confidential!”

• Avoiding communication: “I can’t talk right now.” “I’m in a meeting!”


Steps To Help Prevent Becoming a Victim

• Append a disclaimer to all external emails coming into your network (e.g., “The below email is from an external source. Please be careful opening attachments or clicking on links.”).

• Use out-of-band methods (a phone call to a known number, or an in-person check) for confirming out-of-the-ordinary requests instead of relying solely on email.

• Create a culture of cybersecurity awareness to help employees understand threats and red flags.

• Block foreign IP addresses (if possible) to prevent attempts from low-skilled fraudsters/criminals.

• Know who to contact immediately at your financial institution to begin the process of recovering funds.



Cybersecurity Awareness Training Vendors


Ransomware



What is “Ransomware”?

A malware variant that encrypts important file types (.docx, .xlsx, etc.) and demands a “ransom”, paid in digital currency, in exchange for the private key that unlocks your data.

58% of respondents say negligent employees put their company at risk for a ransomware attack. Source: Ponemon Institute: Rise of Ransomware 2017

Common Digital Currencies


FBI - Public Service Announcement

September 15, 2016 (I-091516-PSA): “…the FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”



Recent High Profile Victims

Target | Industry | Demand | Negotiated Payment
San Francisco Light Rail Transit | Transportation | $73,000 | Did Not Pay
Hollywood Presbyterian Medical Center | Healthcare | $3,600,000 | $17,000
University of Calgary | Education | $16,000 | $16,000
City of Detroit | Government | $800,000 | Did Not Pay
Moses Afonso Ryan Ltd. | Legal | $25,000 | Paid (Undisclosed)
Carroll County Sheriff's Office (Arkansas) | Law Enforcement | $2,400 | $2,400


Ransomware Timeline (2005 to 1Q2016)

Timeline columns: 2005-2013, 2014, 2014, 2015, 2016 (Q1).

Families shown: Gpcoder, Urausy, Linkup, TeslaCrypt, Locky, Reveton, Kovter, Slocker, Cryptolocker2015, Nanolocker, Nymaim, Onion, BandarChor, Paycrypt, Cryptowall, CTB-Locker/Citron, Cryptvault, Hi Buddy, Browlock, TorrentLocker, Simplocker, Job Cryptor, Zerolocker, Pacman, HydraCrypt, Synolocker, Pclock, Umbrecrypt, Coinvault, Threat Finder, Ransom32, Virlock, Hidden Tear, CryptoJocker, ORX-Locker, Magic, Tox, LeChiffre, Troldesh, Ginx, Encryptor RaaS, Jigsaw, CryptoApp, Lockdroid, XRTN, VaultCrypt, Radamant, LowLevel404, Dumb, Power Worm, DMA-Locker, Chimera-Locker, Satan.

“...emails containing ransomware increased 6,000% from FY15.” IBM, “Ransomware: How Consumers and Business Value Their Data”

Source: Symantec



Phishing/Social Engineering (Example)


TeslaCrypt (Crypto-Locker)



Jigsaw (Crypto-Locker)


Tox (RaaS)



Steps To Help Prevent Ransomware/Malware

• Apply the latest operating system security and software patches to prevent known vulnerabilities from being exploited.

• Avoid using obsolete / end-of-life software within your network (e.g., Windows XP, Adobe, Java, etc.).

• Create a culture of cybersecurity awareness to help employees understand threats and red flags.

• Avoid clicking on links or opening attachments in suspicious emails.

• Configure settings to block higher-risk file types in email attachments, such as .exe, .js, .jar, .bat, .msi, .html, .scr, and .rar.

• Implement website filtering software to prevent employees from visiting risky website categories (e.g., social media, personal email, online gambling, pornography, etc.).

• Implement anti-virus software and ensure that its definition files are being updated periodically.

• Perform regular backups of critical data so you can restore operations with minimal impact.
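One way to put the email-handling advice into practice, covering both the “Steps To Help Prevent Becoming a Victim” slide (external-sender disclaimer, red flags from the phishing slide) and the attachment-blocking step above, as an added Python example that is not part of this presentation: the mail domain, the keyword patterns and the sample messages are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "abcompany.example"  # assumption: the employer's own mail domain
# Attachment types the slide says to block; the final extension is checked so
# double extensions such as invoice.pdf.exe are caught as well.
BLOCKED_EXT = {".exe", ".js", ".jar", ".bat", ".msi", ".html", ".scr", ".rar"}
BANNER = ("The below email is from an external source. "
          "Please be careful opening attachments or clicking on links.")
# Red flags from the phishing slide, as constructed keyword patterns.
RED_FLAGS = {
    "urgency": re.compile(r"\b(urgent|asap|as soon as possible|by today)\b", re.I),
    "secrecy": re.compile(r"\b(don.t tell anyone|confidential|keep this quiet)\b", re.I),
    "wire instructions": re.compile(r"\b(wire|ach|acct no|routing no|bank account)\b", re.I),
    "avoiding contact": re.compile(r"\b(can.t talk|in a meeting|out of the office)\b", re.I),
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Verdict:
    external: bool    # sender is outside INTERNAL_DOMAIN
    blocked: list     # attachments the gateway would strip
    red_flags: list   # names of the red flags that fired
    body: str         # message body, with the disclaimer prepended if external

def evaluate(from_addr, body, attachments=()):
    """Apply the policy to one inbound message and return a Verdict."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    external = domain != INTERNAL_DOMAIN
    flags = [name for name, pat in RED_FLAGS.items() if pat.search(body)]
    # A sender domain a couple of edits away from ours (abcompany vs abcornpany)
    # is a typical spoof of an executive's address.
    ours, theirs = INTERNAL_DOMAIN.split(".")[0], domain.split(".")[0]
    if external and 0 < edit_distance(theirs, ours) <= 2:
        flags.append("look-alike domain")
    blocked = [f for f in attachments
               if "." + f.lower().rsplit(".", 1)[-1] in BLOCKED_EXT]
    return Verdict(external, blocked, flags, BANNER + "\n\n" + body if external else body)
```

A real gateway would also check SPF/DKIM results and the Reply-To header; this block only shows the content-level checks the slides describe.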


Multi-Factor Authentication



Single Factor Authentication

Diagram: a user (“You are at…”) attempts to access a system using only “Something You Know”: Username, Password, Knowledge Based Answers.


Multi Factor Authentication

Diagram: the same user must present “Something You Know” (Username, Password, Knowledge Based Answers) together with a second factor: “Something You Have” (One Time Token) or “Something You Are” (Biometrics).



Disabling Call Forwarding

A fraudster/criminal uses your stolen personal information to gain access to your mobile or landline account and adds call forwarding for either every call or specific phone numbers (e.g., financial institutions, etc.); thus, all calls would be directed to a phone number owned by the fraudster/criminal.

This allows the fraudster/criminal to receive call-back verifications.

Call your mobile phone service provider (e.g., Verizon, T-Mobile, etc.) and request that they disable call forwarding on your account.

Call your landline service provider (e.g., Xfinity, Charter, etc.) and request that they disable call forwarding on your account.


Carrier Freeze

A fraudster/criminal uses your stolen personal information to trick your mobile service provider into ‘porting’ your mobile number to a different service provider; thus, all calls would be directed to the criminal’s phone, but with your mobile number.

This allows the fraudster/criminal to receive call-back verifications and SMS tokens, reset passwords, or gain access to other platforms (e.g., email, online banking, etc.).

Call your mobile phone service provider (e.g., Verizon, T-Mobile, etc.) and request that they add a ‘carrier freeze’ (port-out lock) to your account.



Steps To Help Prevent Account Takeovers

• Use encrypted communications and implement multi-factor authentication on critical systems (e.g., email, banking, etc.).

• Apply the latest operating system security and software patches to prevent vulnerabilities from being exploited.

• Avoid using obsolete / end-of-life software within your network (e.g., Windows XP, Adobe, Java, etc.).

• Create a culture of cybersecurity awareness to help employees understand threats and red flags.

• Implement website filtering software to prevent employees from visiting risky website categories (e.g., social media, personal email, online gambling, pornography, etc.).

• Implement anti-virus software and ensure that its definition files are being updated periodically.

• Resist connecting to public wireless access points (e.g., airports, restaurants, etc.), as unencrypted data could be read by others on the same access point.


Incident Response Planning



Incident Response Planning

Contain
• What immediate actions will you take to contain the incident? Disconnect the Internet connection, but never power down (powering off destroys the volatile memory a forensic examiner needs).

Remediate
• What vendor will you contact to perform forensics and/or remove malware?
• If not using a vendor, what tools/services will you run to clean an infected device?

Notify
• Who would you contact at your financial institution(s) to let them know?
• What law enforcement agencies would you contact for assistance?
• When would you report a data breach to customers and the Attorney General?
• Should you report the incident to the Internet Crime Complaint Center (ic3.gov)?


Incident Response Planning (www.IC3.gov)

Complaint Referral Form, Internet Crime Complaint Center

• Financial Transaction Details
  – Account Numbers
  – Routing Numbers
  – Bank Names
  – Addresses
  – Names
  – Phone Numbers

• Subject Details
  – Personal / Business Name
  – Address
  – Email Address
  – Phone Numbers
  – Websites
  – IP Addresses

• Other Information
  – Obtaining Full Email Message Headers
  – Witnesses or Other Victims?
  – Reported to Other Law Enforcement Agencies? (Name, Phone Number, Email Address, Date Reported, Report/Case Number)



Contact Information & Resources

www..com/in/bryancassidy

• Internet Crime Complaint Center (ic3.gov) – For reporting incidents to the FBI.

• US Computer Emergency Readiness Team (us-cert.gov) – For learning of new cyber threats and tips to help prevent them.

• Federal Trade Commission (consumer.ftc.gov) – For learning about new online scams and how to help prevent identity theft.

• Department of Homeland Security (dhs.gov/stopthinkclick) – For helpful training materials on creating a cybersecurity awareness culture.

