Cybersecurity Concerns for the Roaring 20s

David Trepp, MS/Partner Fast Facts

2 David Trepp Partner, IT Assurance

. US Army veteran

. MS Geochemistry

. Serial tech entrepreneur 30+ years

. Personal interests
  . Rock climbing
  . Bicycle touring
  . Information science
  . Thermodynamics

3 Today’s Presentation

. I’m not a futurist
. We will not discuss things like
  . Fusion reactors
  . Expeditions to Mars

. I do track cybersecurity trends though
. We will discuss both near and longer term trends
. Technical topics will be presented with as little techno-babble as possible

. Housekeeping
  . Questions and comments are encouraged
  . Feel free to use Q&A to pose questions

4 Content

. Brief Review of Threat Sources

. Top Cybersecurity Threats of the Roaring 20s

. Safe Computing Tips

5 Brief Review of Threat Sources

Threat Sources

Threat Source: Hacktivists
  Examples:
    • (2016) Panama Papers legal document release
    • (2019) UK Labour Party DDoS attack
    • (2019) German politicians dox’ed
  Motivation/Impact:
    • Digital vigilante justice

Threat Source: Foreign Nation-State Sponsored Entities
  Examples:
    • (2010) attack on Iranian uranium centrifuges
    • (2016) Democratic National Committee espionage
    • (2016) Electrical grid attack on Ukraine’s power grid
    • (2017) data breach affecting 145M North Americans
    • (2019) Triton, i.e., Trisis, industrial sabotage attack on Saudi Arabian infrastructure
  Motivation/Impact:
    • Espionage
    • Disruption of critical services
    • Political influence

Threat Source: Cybercriminals
  Examples:
    • (2008) Heartland Payment Systems
    • (2011) Sony PlayStation Accounts
    • (2012) US Office of Personnel Management
    • (2013) Target
    • (2014) eBay
    • (2016) Uber
    • (2019) Capital One, MS O365, Box
  Motivation/Impact:
    • Corporate fraud
    • Credit card fraud
    • Identity theft
    • Tax fraud
    • Extortion
    • Intellectual property theft
    • Records tampering

Threat Source: Employees, Vendors & Contractors (i.e., insiders)
  Examples:
    • (2008) City of SF former employee locked out network access
    • (2008) Former Cox Communications employee shut down service in three states
    • (2013) Edward Snowden leaked classified NSA information
    • (2016) Air Force whistleblower leaked classified data on election interference
  Motivation/Impact:
    • Negligence
    • Poor training
    • Retaliation
    • Extortion

7 Many Already Practice Social Isolation

8 Worsening Threat Landscape

. Releases of sophisticated, formerly secret ’s tools into the public domain are rampant, e.g. …
. Criminals and hacktivists have figured out that cyber crime is low risk, high reward, so their numbers are growing
. Darkweb “storefronts” provide packaged tools and hackers no longer have to be technically savvy, so their numbers are growing
. Foreign nation-state sponsored entities have immense resources at their disposal and they’re now targeting all types of US organizations
. The Internet of Things continues to increase the Internet’s attack surface area
. New vulnerabilities are being released at a dizzying rate

9 Top Cybersecurity Threats of the Roaring 20s

Cybersecurity Threats in the Roaring ’20s

. Ransomware 2.0
. Phishing 2.0
. Attacks Against Critical Infrastructure
. Expanded Tax Fraud
. Defeating Multi-Factor Authentication (MFA or 2FA)
. Cloud & Cross-Boundary Attacks
. The Drone Wars
. AI Aided Deep Fakes
. Other Attacks on Truth & Our Confidence in Institutions
. Obsolescence of Modern Encryption

11 Ransomware 2.0

. Mobile-device enabled Ransomware
. Dormant until no one is around
  . Sunday morning 1am
. Not just denial-of-service anymore, also sensitive data releases
. No hacking skills required: ransomware as a service
. Encrypt your boss’ drive on the way out the door

12 Typical Ransomware Message

13 Ransomware 2.0

14 Phishing 2.0

. Targeted, with prior reconnaissance for:
  . Name drops
  . Business-specific subjects

. “Trusted” banners and security assurances

. Multi-step, email followed by call, text, or email lacking an attachment
  . Did you receive my important email yesterday?

. Taking advantage of current events

. Multi-media
  . Phishing (email)
  . Vishing (Voice)
  . Smishing (Text)

15 Phishing 2.0: “I’m From A Trusted Source”

. Mobile-device enabled

16 Phishing 2.0: The CEO Needs You…Now!

17 Phishing 2.0: Check Out My Totally Legit Resume

18 Phishing 2.0: The Bank Has Your Back

19 Phishing 2.0: Targeting Tech Firms

20 Phishing 2.0: Targeting CPA Firms

21 Phishing 2.0: Exploiting Current Events

22 Phishing 2.0: Improved Voice and Text Attacks

. Emergency
  . “It’ll cost you $ to get out of this bind, but I’ll accept a gift card”
. Routine
  . “This is a totally non-malicious request for PII or system access”
. Customer Service
  . “I’m from Customer Service at Acme Company, and I saw the negative Google review you posted. Tell me what went wrong then I’ll send you a gift certificate for your trouble (I’ll just need a little PII first).”

23 Phishing 2.0: Exploiting Current Events

24 Phishing 2.0: Attacks Targeting Organizations

. Detailed Reconnaissance
  . Annual Reports
  . Press Releases
  . Tech Support Forums
  . LinkedIn & Lead Sites
  . Calls to Reception & Others
. Sophisticated Scripts
  . Name Drops
  . Relevant Topics
. Multiple Attack Vectors
  . Email, text, phone, in person
. Significant Impact
  . Persistence
  . Escalation

25 Attacks Against Critical Infrastructure

. Systems that Provide
  . Electricity
  . Water
  . Sewage
  . Communications
  . Etc.

. Attacks
  . Reconnaissance
  . Find Weaknesses
  . Lie Dormant
  . Coordinated Future Attacks

26 Expanded Tax Fraud

. Attacking accounting firms
  . Impersonate clients to harvest sensitive information
  . Commandeer accounting firm websites, document portals, and mail systems to impersonate the firms

. Attacking individuals who are filing
  . Target consistent high-earners and file fraudulent returns early, with large refunds
  . Impersonate accounting firms (see above) to get clients to download fraudulent documents or mobile applications. These attacks can be very effective, as the malicious payloads are often industry-standard remote access tools (which pass muster with anti-virus) or sophisticated mobile banking malware

. Attacking firms that distribute key tax documents, e.g. W2s & 1099s
  . Impersonate these firms and send out emails containing fraudulent forms purporting to be legitimate W2s or 1099s, or links to portals to login and access such documents

27 Defeating Multi-Factor Authentication (MFA or 2FA)

. Help desk attacks
  . Convince them to switch the phone #

. Backdoor access that doesn’t require MFA
  . Exchange Web Services (EWS)
  . Exchange modern encryption

. Ask the user for their one-time code
  . “We’re from the bank’s security department, and there’s been some suspicious activity with your account; but before we go any further, we need you to verify it’s you. Please read me the code you were just sent.”
  . The code was sent by your legitimate financial institution, who sent it to you because the fraudster just entered your (stolen) username and password. Now the fraudster is calling you to request the MFA one-time code.

. SIM card swaps
  . If your phone suddenly tells you it has “No Service” or provides you an “access code” you weren’t anticipating, contact your cell provider right away and ask them if there’s been any activity on your account, e.g. a SIM swap

28 Defeating MFA: Continued

. Password Guessing

. Hijacking Home/Mobile Devices
  . Logging all your keystrokes
  . Viewing your screen

. Intercepting cookies/session IDs
  . Necrobrowser
  . Modlishka

. Impersonating Tech Support to Teleworkers
  . “IT has me calling everyone to make sure all our company teleworkers have the critical new Adobe patch.”

29 Cloud & Cross-Boundary Attacks

Typical Information Systems Have Various Levels of Connectivity with Numerous “Integrated Entities”

. Internal Departments & Devices
  . HR, Finance, Ops, etc.
  . Shadow IT
  . BYOD
  . IoT

. Internal (Segmented) Subnets
  . DMZs
  . Industrial Control Systems/SCADA
  . Cardholder Data Environment (CDE)
  . WiFi Networks
  . Remote Branches/Offices/Employees

30 Cloud & Cross-Boundary Attacks Continued

Typical Information Systems Have Various Levels of Connectivity with Numerous “Integrated Entities”

. Vendors
  . Product/Application Vendors
  . Support Vendors
  . Hosting/Cloud Vendors

. Government/Industry Agencies
  . Reporting
  . Data Sharing Consortiums
  . Councils of Government
  . Emergency Response Groups

31 Cross-Boundary Attack Example: Target Breach 2013

. HVAC Vendor Identified & Breached
  . Via Phish
. Target Provided Remote Access For Vendors
  . Billing, Contract Submission, and Project Management
. Alleged Attack Steps (After Compromising HVAC Vendor)
  . Exploit vulnerable (unpatched) PHP instance in vendor web app “document upload” feature and establish local host admin
  . Pull NTLM password hashes from LSASS
  . Exploit “pass-the-hash” for DA account privileges
  . Use DA privileges to ransack PoS systems & steal 40 million credit cards
  . Deliver them across the Internet to criminal hosts via DNS exfiltration
. Target Network Lacked Sufficient Controls
  . No multi-factor authentication
  . Inadequate patch management
  . Inadequate vendor server segmentation
  . No Cardholder Data Environment (CDE) segmentation
  . No SMB (digital) signing controls
  . Inadequate information flow controls, specifically network egress controls

32 Cross-Boundary Target Breach, continued

Source: Breaking the Target: An Analysis of Target Data Breach and Lessons Learned, https://arxiv.org/pdf/1701.04940.pdf

33 The Drone Wars

Drones are used by both law enforcement and attackers:

. Wifi
  . War flying
. Hi-Res video
  . Capture phone pin
  . Upper story office windows
. Sensitive audio
  . Phone purchase credit card #
. Movement Habits/Favorites
  . Spend your $ at the same places you do, so no fraud alerts triggered
. Disabling GPS & overcoming geofencing to trespass
. Government and research concern

34 AI Aided Deep Fakes - Both Audio & Video

35 Other Attacks on Truth & Confidence in Institutions

. Nation-state attacks

. Voting System Attacks
  . If machines are unavailable or results are unreliable, our democracy fails

36 Other Attacks on Truth & Confidence in Institutions

. Cesspool of unvetted disinformation in media and social media
  . Political echo chambers
  . Loss of mediating effects of local news results in extremism
. Anti-Intellectualism
  . “I don’t believe in science.” Mike Hughes

. Disinformation for Sale

37 Obsolescence of Modern Encryption

. The promise of quantum computing:
  . In traditional computing, a bit has a single value (zero or one)
  . Quantum bits (qubits) can take on a superposition of both values
  . Quantum networks could be un-crackable
  . Quantum computers would be wonderful for solving problems like medical research
    . Building models of viruses
  . Quantum computers would also render modern encryption algorithms obsolete
    . Performing trillions of cracking operations per millisecond
. Challenges still facing quantum computing
  . Decoherence
    . Vibrations, temperature fluctuations, magnetic fields, and even observations destroy the qubit properties of quantum computers
  . Error handling performed with non-binary qubits
    . In binary math, there are only two possible answers to each operation
    . A parity bit, which is the 0 or 1 representing the sum (modulo 2) of the previous bits in the string, can help reconstruct lost bits
      . If bit one = 0 and bit two = 0, their sum (or the parity bit) = 0
      . If bit one = 1 and bit two = 1, their sum (or the parity bit) = 0
      . If bit one = 1 and bit two = 0, their sum (or the parity bit) = 1
    . If any single bit gets lost in transmission, the value of the parity bit tells us how to back-calculate the missing bit
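The parity-bit reasoning above, carried through in code. This is an added Python example, not part of the deck: it computes the parity of a bit string exactly as the three cases on the slide do, rebuilds a single erased bit from the received parity, and shows why one parity bit cannot resolve two erasures (the function names are my own).

```python
from typing import List, Optional, Sequence

def parity_bit(bits: Sequence[int]) -> int:
    """Parity = sum of the bits modulo 2, i.e. XOR of all bits.
    Matches the slide: 0+0 -> 0, 1+1 -> 0, 1+0 -> 1."""
    p = 0
    for b in bits:
        p ^= b
    return p

def recover_erased_bit(received: Sequence[Optional[int]],
                       transmitted_parity: int) -> Optional[List[int]]:
    """Reconstruct one lost bit (marked None) from the transmitted parity.

    Returns the repaired bit list, or None when recovery is impossible:
    a single parity bit carries one bit of information, so it can fill in
    at most one erasure; with no erasures it can only detect a mismatch.
    """
    lost = [i for i, b in enumerate(received) if b is None]
    if len(lost) > 1:
        return None                      # two or more erasures: ambiguous
    known = [b for b in received if b is not None]
    if not lost:
        # Nothing lost: accept only if the parity still checks out.
        return list(known) if parity_bit(known) == transmitted_parity else None
    repaired = list(received)
    # The missing bit must restore the overall parity to the transmitted value.
    repaired[lost[0]] = parity_bit(known) ^ transmitted_parity
    return repaired

if __name__ == "__main__":
    original = [1, 0, 1, 1, 0]
    p = parity_bit(original)
    print("sent", original, "parity", p)
    print("one bit lost ->", recover_erased_bit([1, None, 1, 1, 0], p))
    print("two bits lost ->", recover_erased_bit([1, None, None, 1, 0], p))
```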

38 Safe Computing

Safe Computing Tools & Techniques

Password Management
. Use strong passwords
  . Length is the most important criterion for a strong password
  . But there must also be substitutions (use a repeatable substitution pattern)
. Store them in password vault applications
  . KeePass, RoboForm
  . Or at least password protect that Excel file you’re using…
. Put up with the hassle of multi-factor authentication
  . Google Authenticator

Email
. Don’t use email for sensitive information!
  . Many message platforms use end-to-end encryption, e.g. Slack, WhatsApp
. Password protect attachments
. Sanitize the contents of your inbox, sent, trash, etc.
. Use inbound mail filter tools to pre-examine attachments and links
. For personal email, see apps like Hushmail
. If you must use email for sensitive data, use encryption tools
  . PGP
  . Zixmail

40 Safe Computing Tools & Techniques

Browsing
. Before logging in, confirm the word immediately preceding the .com, .org, .net, etc. and the .com itself
  . https://www.chase.com vs. https://www.chase.bank.com
  . https://www.chase.com vs. https://www.chase.net
. Logout when you’re done
. Secure your browser settings, e.g.
  . Firefox with
    . NoScript (prohibits a startling number of scripts running in the background)
    . Privacy Badger (restricts ads, cookies, tracking)
    . FoxyProxy (hides your point of origin)
. Limit sharing & post anonymously, whenever possible
  . Yelp & Google Review Scams
. Be suspicious of all pop-ups & dialog boxes
  . A common online banking attack toolkit asks the user to install a malicious root certificate

41 Mobile Device Security Considerations

. Be an aware mobile device user
  . Disable or use privacy screens on web cams when not in use
  . Make sure your phone/speaker/TV is not activated when discussing sensitive information
    . “Texas” & “Lexus” sound a lot like “Alexa”
    . “Leery” & “Serious” sound a lot like “Siri”
. Practice safe application storefront protocols
. Be cognizant of QR code dangers
  . Inspect all links before clicking
. Apply the concept of “Least Functionality” to all mobile devices
  . Turn off location services, Bluetooth, & Wifi when not in use
  . Do not use public Wifi if not fully trusted (stick to the LTE network)
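The "confirm the word immediately preceding the .com" check from the Browsing slide and the "inspect all links before clicking" advice above, done programmatically. This is an added Python example, not from the deck: it pulls the registrable domain out of a URL with the standard library and compares it to the site you meant to reach, so the deck's own chase.com / chase.bank.com / chase.net cases come out right. The tiny multi-label suffix set is a constructed stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short stand-in for the Public Suffix List
# (https://publicsuffix.org/); a real tool should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(url: str) -> str:
    """Return the label immediately before the public suffix plus the suffix
    itself, i.e. what the slide tells you to read off the address bar
    ('chase.com' for https://www.chase.com/login)."""
    # urlsplit().hostname already lowercases and drops userinfo and port.
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:              # bare name such as 'localhost'
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])  # e.g. chase.co.uk
    return ".".join(labels[-2:])

def looks_like_expected_site(url: str, expected: str) -> bool:
    """True only when the registrable domain is exactly `expected`.
    A hostname that merely contains the brand ('chase.bank.com',
    'chase.com.evil.example', 'user@chase.com@bank.com') does not pass."""
    return registrable_domain(url) == expected.lower()

if __name__ == "__main__":
    for candidate in ("https://www.chase.com/login",
                      "https://www.chase.bank.com",
                      "https://www.chase.net",
                      "http://user@chase.com@bank.com/"):
        verdict = "OK" if looks_like_expected_site(candidate, "chase.com") else "MISMATCH"
        print(f"{candidate:36} -> {registrable_domain(candidate):14} {verdict}")
```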

42 A Few More Telework Security Considerations

. Understand your company’s telework policies & procedures

. Set up a secure workspace at home

. Consider banning phones from sensitive conversation areas or using a specialized camera/mic cover
  . See Law Enforcement and DoD restrictions on phones in meetings

. Consider having different computers/tablets/phones for different uses
  . One “unsecure” for normal browsing, e.g. news, Facebook, LinkedIn, etc.
  . One “secure” for sensitive activities only, e.g. work, online banking, 401k/IRA, etc.

. Make sure your home Wifi is configured securely
  . No WEP or WPA1 (WPA 2 or 3 is better)

. Use a VPN for communications with office systems
  . Either company provided, or your own

43 Conclusions

. Cybersecurity concerns will evolve in the 2020s
  . Attacks will become more targeted
  . Attacks will become more technically sophisticated
  . New attack methods will continue to appear

. Practice Safe Computing Habits
  . Create long passwords and store them securely
  . Avoid email for confidential communications
  . Use MFA whenever possible
  . Encrypt communications and storage
  . Browse the web cautiously

. Let’s All Be Extra Nice to Each Other!
  . Thank a farmer, truck driver, clerk, healthcare worker, first responder, et al.
  . Help someone having trouble coping
  . Be patient with family

44 Recommended Reading

. BPM COVID-19 Page
  . bpmcpa.com/COVID-19

. NIST Special Publication 800-46: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
  . https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf

. Bloomberg Cybersecurity
  . https://www.bloomberg.com/topics/cybersecurity

. Krebs on Security
  . https://krebsonsecurity.com/

. The Art Of Deception by Kevin Mitnick

. Microsoft TechNet
  . password entropy = log(C)/log(2) * L, i.e., L * log2(C), where
  . C = the size of the character set (94) and
  . L = password length
  . https://blogs.technet.microsoft.com/msftcam/2015/05/19/password-complexity-versus-password-entropy/
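The entropy formula in the TechNet item above, applied to the "length is the most important criterion" advice from the Password Management slide. This is an added Python example, not from the deck or the linked article: it infers the character set size C from what a password actually contains (the 94-character set is 26 lower + 26 upper + 10 digits + 32 symbols) and computes L * log2(C), so you can see a long all-lowercase phrase outscore a short one with substitutions. Function names are my own.

```python
import math
import string

# Character classes whose sizes add up to the 94 printable ASCII
# characters (space excluded) cited in the formula's C = 94.
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), 32),
)

def charset_size(password: str) -> int:
    """C: size of the smallest standard character set covering the password."""
    return sum(size for _, chars, size in CLASSES
               if any(ch in chars for ch in password))

def entropy_bits(password: str) -> float:
    """Entropy in bits = L * log2(C), the slide's log(C)/log(2) * L."""
    c = charset_size(password)
    return len(password) * math.log2(c) if c else 0.0

def policy_entropy(length: int, charset: int) -> float:
    """Entropy of a random password of a given length drawn from a
    character set of a given size (e.g. policy says 8 chars from 94)."""
    return length * math.log2(charset)

if __name__ == "__main__":
    # Constructed sample passwords; none of these should be used for real.
    for pw in ("password", "P@ssw0rd", "P@ssw0rd!1", "correcthorsebatterystaple"):
        print(f"{pw:28} C={charset_size(pw):2}  L={len(pw):2}  "
              f"{entropy_bits(pw):6.1f} bits")
    print(f"policy 8 chars from 94 : {policy_entropy(8, 94):6.1f} bits")
    print(f"policy 16 lowercase    : {policy_entropy(16, 26):6.1f} bits")
```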

45 Thank You!

Questions or Comments?

bpmcpa.com