Danger and Dollars: Grow your IT business with the top security threats of 2016
April 6, 2015

Today’s speakers
• Jerry Koutavas, President, The ASCII Group
• Ben Yarbrough, CEO, Calyptix Security
#webclinic

Today’s agenda
1. Growing threats in 2016
2. What this means for your IT business
3. How Calyptix and AccessEnforcer can help
Growing threats in 2016

#1. Mobile malware
• 3x more malicious mobile apps discovered in 2015 vs 2014 (Kaspersky)
• 5x increase in users attacked by mobile ransomware in 2015 vs 2014 (Kaspersky)
Mobile malware (three chart slides; figures not reproduced in this text)
Source: Nokia Threat Intelligence Report – H2 2015
Tips to avoid mobile malware
• Separate high-value assets from untrusted devices via network segmentation
• Set and enforce BYOD policies
• Block connections to malicious hosts via outbound traffic filtering
• Educate users:
‒ Keep the OS and apps patched
‒ If you’re not looking for it, don’t install it
‒ Remove unneeded apps
‒ Do not use third-party app sources (only use Google Play and the App Store)
‒ Do not root or jailbreak
‒ Consider a security app
#2. Ransomware
• Explosion in ransomware variants
• Ransomware-as-a-service packages now available in hacker forums
• More than 1.2 million new samples in Q2 2015
Tips to avoid ransomware
• Patch – automatically update when possible
• Filter spam and malicious email
• Filter outbound traffic
• Set group policies for Windows to deny access to common directories used by ransomware
• Limit access to network shares
• Back up files
• Do not let users browse the web with administrator accounts
• Educate users:
‒ Suspicious emails
‒ Suspicious sites
‒ Software and network hygiene
‒ Segregate personal and business web use
‒ Explain the rationale for restricting business networks
Ransomware
• Download the Ransomware Prevention Kit from ThirdTier
• Make a donation of any size to support Women in IT
• http://www.thirdtier.net/ransomware-prevention-kit/
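The prevention tips above are the priority, but an MSP also needs to know when a control has failed. The following is an added example (not from the deck and not Calyptix code) of the detection side: a small Python detector that reads constructed file-event log lines and alerts when one process renames many documents to an unfamiliar double extension across several folders within a minute, which is the typical footprint of ransomware encrypting a user profile. The log format, the process name upd4te.exe and the thresholds are all assumptions for the example.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed file-event log, "<ISO time> <process> <action> <path>" (not real telemetry).
# upd4te.exe is a made-up process name standing in for the ransomware binary.
SAMPLE_EVENTS = r"""
2016-03-14T09:00:01 winword.exe write C:\Users\amy\Documents\budget.docx
2016-03-14T09:00:05 explorer.exe rename C:\Users\amy\Documents\notes.txt
2016-03-14T09:02:10 upd4te.exe rename C:\Users\amy\Documents\budget.docx.locked
2016-03-14T09:02:11 upd4te.exe rename C:\Users\amy\Documents\plan.xlsx.locked
2016-03-14T09:02:12 upd4te.exe rename C:\Users\amy\Desktop\photo.jpg.locked
2016-03-14T09:02:13 upd4te.exe rename C:\Users\amy\Desktop\resume.pdf.locked
2016-03-14T09:02:15 upd4te.exe rename C:\Users\amy\Documents\q1.pptx.locked
2016-03-14T09:02:16 upd4te.exe rename C:\Users\amy\Desktop\todo.txt.locked
2016-03-14T09:05:00 explorer.exe rename C:\Users\amy\Desktop\archive.zip
""".strip().splitlines()

DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png", "txt"}
WINDOW = timedelta(seconds=60)   # how far back we look per process
MIN_FILES = 5                    # renamed documents in the window before alerting
MIN_DIRS = 2                     # spread over several folders, unlike a manual tidy-up


def parse(line: str) -> Tuple[datetime, str, str, str]:
    ts, proc, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, action, path


def looks_encrypted(path: str) -> bool:
    """True for a document that now carries an extra, unfamiliar extension (report.docx.locked)."""
    name = os.path.basename(path.replace("\\", "/"))
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] not in DOC_EXTS


def detect(lines: List[str]) -> List[Tuple[str, datetime, int, int]]:
    """Return one alert (process, time, files, dirs) per process that mass-renames documents."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts, alerted = [], set()
    for line in sorted(lines):              # ISO timestamps sort chronologically
        ts, proc, action, path = parse(line)
        if action != "rename" or not looks_encrypted(path):
            continue
        hits = recent[proc]
        hits.append((ts, os.path.dirname(path.replace("\\", "/"))))
        while hits and ts - hits[0][0] > WINDOW:
            hits.popleft()                  # slide the window forward
        dirs = {d for _, d in hits}
        if len(hits) >= MIN_FILES and len(dirs) >= MIN_DIRS and proc not in alerted:
            alerted.add(proc)
            alerts.append((proc, ts, len(hits), len(dirs)))
    return alerts


if __name__ == "__main__":
    for proc, ts, files, dirs in detect(SAMPLE_EVENTS):
        print(f"{ts} ALERT {proc}: {files} documents renamed across {dirs} folders in {WINDOW.seconds}s")
```

The two-directory requirement is what separates a user renaming a batch of files in one folder from a process sweeping the whole profile; in a real deployment the event source would be the file server audit log or an endpoint agent, and the alert would trigger isolating the host and restoring from the backups the slide asks you to keep.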
#3. Malvertising
• Online ads with hidden malware
• Present on legitimate sites and ad networks
• Can force-install malware without any user interaction
• 260% increase in bad ads in 1H 2015 vs the same period in 2014 (via RiskIQ)
Malvertising: attack sources (chart; figure not reproduced)
Source: Bromium Labs: Endpoint Exploitation Trends 1H 2015

Malvertising: number of exploits (chart; figure not reproduced)
Source: Bromium Labs: Endpoint Exploitation Trends 1H 2015
Tips to avoid malvertising
• Do not browse the web as admin
• Disable Flash
• Disable Java
• Block ads with plugins
• Filter websites
• Segment the network
• Patch, anti-virus, etc.

#4. Growing SMB network
• More devices than ever joining (BYOD, IoT)
• Increase in cloud service adoption
• Admins have less control
Tips to manage growing networks
• Establish a process and controls
‒ Know what joins the network
‒ Set a formal approval process
• Network segmentation
• Outbound traffic filtering
• Document all cloud services the client uses
• Document accounts and users
• Document an appropriate strategy to keep the systems secure
• Verify what data is being transferred
• Understand the client’s requirements for a third-party system
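Network segmentation and outbound traffic filtering come up twice in this deck (under mobile malware and again under growing networks). As an added example, not taken from the deck and not Calyptix or AccessEnforcer code, the Python below expresses both controls as one small policy and runs it over constructed connection attempts: a BYOD phone is kept away from the server segment, an IoT camera is stopped from opening an outbound Telnet session, and a connection to a blocklisted host is dropped even on a port the segment is otherwise allowed to use. The segment names, subnets, port lists and blocklist addresses are all assumptions for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical segment map for a small office; subnets are constructed examples.
SEGMENTS = {
    "byod":    ipaddress.ip_network("10.10.0.0/24"),   # staff phones and laptops (untrusted)
    "iot":     ipaddress.ip_network("10.20.0.0/24"),   # cameras, printers, thermostats
    "servers": ipaddress.ip_network("10.100.0.0/24"),  # file server, line-of-business apps
}

# Which segment may open connections into which. Anything not listed is denied,
# so a compromised phone on "byod" cannot reach the servers at all.
ALLOWED_INTERNAL = {("servers", "servers")}

# Outbound ports each segment may reach on the Internet; all other outbound traffic is dropped.
OUTBOUND_PORTS = {"byod": {80, 443}, "iot": {443}, "servers": {53, 80, 123, 443}}

# Constructed blocklist of known-malicious hosts (documentation addresses, not a real feed).
MALICIOUS_HOSTS = {"203.0.113.45", "198.51.100.7"}


def segment_of(ip: str) -> Optional[str]:
    """Name of the internal segment an address belongs to, or None for an Internet address."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Verdict and reason for a new connection src -> dst:dport."""
    s_seg, d_seg = segment_of(src), segment_of(dst)
    if s_seg is None:
        return "deny", "unknown source segment"
    if d_seg is not None:                               # internal-to-internal
        if (s_seg, d_seg) in ALLOWED_INTERNAL:
            return "allow", f"{s_seg} -> {d_seg} permitted"
        return "deny", f"segmentation: {s_seg} may not reach {d_seg}"
    if dst in MALICIOUS_HOSTS:                          # outbound to the Internet
        return "deny", "destination on malicious-host blocklist"
    if dport not in OUTBOUND_PORTS[s_seg]:
        return "deny", f"outbound port {dport} not allowed for {s_seg}"
    return "allow", "outbound permitted"


# Constructed connection attempts, "<src> <dst> <dport>".
SAMPLE_CONNECTIONS = [
    "10.10.0.15 10.100.0.5 445",     # BYOD laptop probing the file server
    "10.10.0.15 203.0.113.45 443",   # phone beaconing to a blocklisted host
    "10.20.0.9 198.51.100.20 23",    # camera trying to telnet out
    "10.100.0.5 192.0.2.10 443",     # server fetching updates over HTTPS
]


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Apply the policy to each logged attempt and return (line, verdict, reason)."""
    out = []
    for line in lines:
        src, dst, port = line.split()
        verdict, reason = decide(src, dst, int(port))
        out.append((line, verdict, reason))
    return out


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_CONNECTIONS):
        print(f"{verdict:5} {line:32} {reason}")
```

The order of the checks matters: segment-to-segment rules are evaluated before anything else, so a device that is not supposed to talk to the servers never gets to the blocklist or port logic, and the default for every unlisted pair is deny. On a real firewall the same policy becomes a per-VLAN rule set plus a blocklist feed; the point of the script is that "what may join the network" and "what may it talk to" are written down and testable.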
#5. Regulation rising
• Regs in constant motion
• Expect more requirements in more industries
• New vulnerabilities may force shifts in established guidelines
Enforcement rising
• FTC filing charges:
‒ Oracle, for deceiving consumers on Java updates – settled Dec 2015
‒ Wyndham Resorts, for not protecting consumers on its networks – settled Dec 2015
‒ ASUS, for poor security in its routers – settled Feb 2016
• DHS Office of Civil Rights (OCR) announces second phase of HIPAA audits – March 2016
• Securities and Exchange Commission (SEC) brings first-ever cybersecurity enforcement action against an investment adviser – Sept 2015
• Consumer Financial Protection Bureau (CFPB) brings first-ever data security enforcement action against an online payments provider – March 2016
Tips for compliance
• Top-notch standard to follow: NIST 800-171
‒ Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
‒ Department of Defense contractors have until Dec. 31, 2017 to comply
• CIS Critical Security Controls
‒ Formerly “SANS 20”

#6. Vulnerabilities will continue
• DROWN – TLS attack – March 2016
• SSL v3.0 – deprecated June 2015
• Logjam – TLS downgrade attack – May 2015
• Old vulnerabilities continue to pay dividends for thieves
Top 10 vendors in 2016, in 2015 and all time, ordered by ‘distinct’ CVE count (three table slides; data not reproduced in this text)
Source: CVEDetails.com
Old vulnerabilities
• 99.9% of vulnerabilities exploited in 2014 were disclosed more than a year prior
• 10 vulnerabilities were responsible for 97% of exploits
Source: Verizon 2015 Data Breach Investigations Report
#7. Phishing emails
• Old trick that works
‒ 23% of users open phishing emails and 11% click on attachments (Verizon 2015 DBIR)
• 52% of spear phishing attacks in Dec 2015 were on SMEs (Symantec)

Successful phishing
• Seagate – W-2 database stolen – March 2016
• Moneytree – payroll database stolen – March 2016
• Anthem – 78 million records compromised – Feb 2015
• White House – President’s schedule stolen – April 2015
Tips to avoid phishing emails
• Filter emails for spam and malicious code
• Educate users
• Use an email quarantine
Email quarantine (screenshot slides: the quarantine list, a quarantined message, its raw header, and the “show reason” view; images not reproduced in this text)
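The quarantine screenshots end with a “show reason” view, and the value of a quarantine is exactly that it tells the technician why a message was held. As an added example, not from the deck and not AccessEnforcer’s filter, the Python below takes a constructed raw message modelled on the W-2 lures above and derives the reasons a quarantine would list: envelope and Reply-To domains that differ from the visible From, a failed SPF result and missing DKIM in Authentication-Results, a risky attachment type, and an urgency lure in the subject. All addresses, domains and the attachment stub are made up; the risky-extension list and lure words are assumptions.

```python
import email
import os
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

# Attachment types that should never arrive unquarantined from outside (assumed list).
RISKY_EXTS = {".exe", ".scr", ".js", ".vbs", ".jar", ".zip", ".docm", ".xlsm"}
LURE_WORDS = ("urgent", "w-2", "password", "invoice", "wire")

# Constructed message in the spirit of the W-2 phishing cases above; every
# address and domain is a made-up example, and the "attachment" is a stub.
SAMPLE_RAW = b"""\
From: "Payroll Dept" <payroll@example-corp.com>
Return-Path: <bounce@mail.example-attacker.net>
Reply-To: <payroll-update@example-attacker.net>
To: amy@example-corp.com
Subject: Urgent: updated W-2 form attached
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail.example-attacker.net; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form today.
--b1
Content-Type: application/octet-stream; name="W2_form.zip"
Content-Disposition: attachment; filename="W2_form.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def domain(header) -> str:
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def quarantine_reasons(raw: bytes) -> List[str]:
    """Every reason the quarantine would give for holding this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    from_dom = domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):          # who really gets the replies/bounces?
        dom = domain(msg[hdr])
        if dom and dom != from_dom:
            reasons.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("SPF check failed for the envelope sender")
    if "dkim=pass" not in auth:
        reasons.append("no valid DKIM signature")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTS:
            reasons.append(f"risky attachment type: {name}")
    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in LURE_WORDS):
        reasons.append("urgency or financial lure in subject")
    return reasons


def should_quarantine(raw: bytes, min_reasons: int = 2) -> Tuple[bool, List[str]]:
    """Hold the message when at least min_reasons independent signals fire."""
    reasons = quarantine_reasons(raw)
    return len(reasons) >= min_reasons, reasons


if __name__ == "__main__":
    held, why = should_quarantine(SAMPLE_RAW)
    print("QUARANTINE" if held else "DELIVER")
    for r in why:
        print("  -", r)
```

Requiring two independent signals keeps a single oddity (a marketing platform with its own Return-Path, say) from holding legitimate mail, while the list of reasons is what the technician or the end user sees in the “show reason” view when deciding whether to release the message.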
#8. DDoS Attacks Grow (Again)
• Size and frequency of large attacks continue to grow
• More than 200 reported attacks reached 100 Gbps in 2015
• Some reached 500 Gbps
Source: Arbor Networks: Worldwide Infrastructure Security Report Vol. 11
DDoS attacks (three chart slides; figures not reproduced in this text)
Tips to avoid DDoS attacks
• Filter traffic by region
• Filter traffic by protocol
• Detect flow anomalies
• Deploy dedicated DDoS mitigation
• Update the disaster recovery plan
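The first three tips fit together: region and protocol filters cut the flood down before it reaches the host, and flow-anomaly detection tells you a flood is happening. As an added example (not from the deck, not Calyptix code), the Python below runs those three steps over constructed per-second flow summaries: it learns a packet-rate baseline from the first few seconds, flags seconds that blow past it, then shows how much of the flood a region filter and a protocol filter would have removed. The blocked prefix, the allowed protocols and the baseline window are assumptions; the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, str, int]   # (second, proto, src, dst, packets)

# Constructed per-second flow summaries, "<second> <proto> <src> <dst> <packets>".
# Seconds 0-4 are normal web traffic; seconds 5-6 are a flood. All addresses are
# documentation ranges standing in for real ones.
SAMPLE_FLOWS = """
0 tcp 192.0.2.10 203.0.113.5 950
0 tcp 192.0.2.11 203.0.113.5 100
1 tcp 192.0.2.10 203.0.113.5 1020
2 tcp 192.0.2.12 203.0.113.5 980
3 tcp 192.0.2.10 203.0.113.5 1100
4 tcp 192.0.2.13 203.0.113.5 960
5 udp 198.51.100.7 203.0.113.5 60000
5 udp 192.0.2.200 203.0.113.5 25000
5 icmp 198.51.100.9 203.0.113.5 5000
6 udp 198.51.100.7 203.0.113.5 60000
6 udp 192.0.2.200 203.0.113.5 25000
7 tcp 192.0.2.10 203.0.113.5 1000
""".strip().splitlines()

# Region filter: prefixes from regions the business does not serve (constructed;
# a real deployment would take these from a geo-IP feed).
BLOCKED_REGION_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Protocol filter: the public web server only needs TCP and UDP (DNS) from outside.
ALLOWED_PROTOS = {"tcp", "udp"}


def parse(lines: List[str]) -> List[Flow]:
    flows = []
    for line in lines:
        sec, proto, src, dst, pkts = line.split()
        flows.append((int(sec), proto, src, dst, int(pkts)))
    return flows


def in_blocked_region(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_REGION_NETS)


def prefilter(flows: List[Flow]) -> Tuple[List[Flow], int]:
    """Drop what the region and protocol filters reject; return (kept, dropped_count)."""
    kept = [f for f in flows if f[1] in ALLOWED_PROTOS and not in_blocked_region(f[2])]
    return kept, len(flows) - len(kept)


def pps_by_second(flows: List[Flow]) -> Dict[int, int]:
    totals: Dict[int, int] = defaultdict(int)
    for sec, _, _, _, pkts in flows:
        totals[sec] += pkts
    return dict(totals)


def anomalies(flows: List[Flow], baseline_seconds: int = 5, k: float = 3.0) -> List[Tuple[int, int]]:
    """Seconds after the baseline whose packet rate exceeds mean + k*stdev (and twice the mean).

    The 2x floor stops a very flat baseline from turning small wobbles into alerts."""
    series = pps_by_second(flows)
    base = [series.get(s, 0) for s in range(baseline_seconds)]
    threshold = max(mean(base) + k * pstdev(base), 2 * mean(base))
    return [(s, v) for s, v in sorted(series.items()) if s >= baseline_seconds and v > threshold]


if __name__ == "__main__":
    flows = parse(SAMPLE_FLOWS)
    print("unfiltered anomalies:", anomalies(flows))
    kept, dropped = prefilter(flows)
    print(f"region/protocol filters dropped {dropped} flows; remaining anomalies:", anomalies(kept))
```

On the sample the filters remove the out-of-region UDP and the ICMP flows, but the residual 25,000 pps from an allowed region is still far above baseline, which is the case for the fourth tip: filtering on the edge device buys time, and anything larger than the link needs upstream or dedicated mitigation.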
What this all means
• Customers are more willing to invest in security
• Their resistance to sales pitches is softening
What to tell prospects
• Offer an on-going service, not a product.
• Use an educational and consultative sales process.
• There is no silver bullet. There is no cure-all.
• The solution rises out of:
‒ Focusing on what the customer cares about
‒ Balancing convenience and budgets: work within their budget and gauge their tolerance for inconvenience
Network security for small business made easy

AccessEnforcer Unified Threat Management Firewall
New AccessEnforcer models

Model                   AE2400                 AE3400               AE4400
Recommended max. users  100                    250                  350
Operating system        OpenBSD 64-bit         OpenBSD 64-bit       OpenBSD 64-bit
CPU                     Intel Celeron G1850    Intel i3-4330        Intel i7-4770S
                        (2.9 GHz)              (3.5 GHz)            (3.9 GHz)
RAM                     4 GB                   8 GB                 16 GB
Storage                 320 GB HDD             320 GB HDD           320 GB HDD
Throughput              300 Mbps               500 Mbps             700 Mbps
NIC                     8 x GbE                8 x GbE              8 x GbE
Form factor             1U                     1U                   1U
New feature: Network troubleshooter
• Quickly diagnose and fix problems on the network
• One click runs over 70 tests
• Can show detailed test results on each service:
‒ Web filter
‒ IDS/IPS
‒ DNS resolution
‒ DHCP
‒ NICs
‒ External hostname
‒ QoS
‒ Email filter
‒ VPN
‒ Much more

AccessEnforcer updates
• Security updates
‒ URL database
‒ Spam patterns
‒ Anti-virus signatures
‒ IDS/IPS signatures
‒ Bad IPs
• Firmware updates
‒ New features
‒ Enhancements
‒ Bug fixes
‒ Patches (code maintenance)
Update rollout process
• Goal: 3 to 5 releases per year
• Reboots usually not required
‒ If required, notice at top of GUI on log in
• Update FAQs
• Email notifications
• SPS “Next Update”
• Scheduling practices
Automatic updates
• Heartbleed vulnerability – 2014
‒ Migrated from OpenSSL to LibreSSL – 2014
• POODLE vulnerability – 2014
‒ Removed support for SSL v3.0 in the Online Partner Portal and AccessEnforcer GUI
• PCI DSS new version 3.1 – released April 2015
‒ Removed support for TLS 1.0 connections on the AccessEnforcer web interface
• Logjam vulnerability – May 2015
‒ Upgraded to unique 4096-bit Diffie-Hellman groups for key exchange on the AccessEnforcer web interface and CalyptixVPN
• SHA-1 deprecated – Oct 2015
‒ SHA-1 replaced by SHA-256 for generated SSL certificates and CSRs
How many hours?
• AccessEnforcer updates hands-free
• How much time does it take to update network hardware?
• How many firewalls do you have?
• How many hours can you save with Calyptix?
Want to learn more about Calyptix partnership?
Contact: Adam Sutton, Marketing Director – [email protected] – 704-971-8989