
©2012 CliftonLarsonAllen LLP

Summary of the State of Security
Tram Jewett, CISA
CliftonLarsonAllen LLP
Virginia GFOA Annual Spring Conference, 2016

Tram Jewett, MS., CISA, 11 years IT audit and Cyber Security in the Federal and State government
• Pension
• Transportation
• Education
• Housing

What We Will Cover
• Federal Information Security Modernization Act (FISMA) of 2014
• Cybersecurity Act of 2015
• Breaches
• Ransomware
• Other tools
• How to protect yourself
• Cloud Computing
• IoT

Federal Information Security Modernization Act (FISMA) of 2014
• DHS to administer the FISMA
• DHS can issue “binding operational directives”
• OMB retains policy/procedure
• Modifies reporting to Congress to be less policy, more threat and incident-oriented
• Focus on detecting, reporting and responding to security incidents
• Requires OMB to revise Circular A-130 to eliminate “wasteful/inefficient” reporting requirements

Cybersecurity Act of 2015
• Effective until September 30, 2025
• Voluntary sharing of cyber threat information
• Permits, Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats
• Allows network operators to:
  – Monitor
  – Operate defensive measures
  – Share information with others

Why were these Laws necessary?
• JAN -- Xoom: $31 million business email compromise
• FEB -- Deep Panda: Likely cause of breach with 80 million victims
• MAR -- Premera: Data breach affecting 11 million people
• APR -- Great Cannon: DDoS attacks on GitHub, GreatFire
• MAY -- Healthcare: Data breaches cause problems for insurance providers
• JUN -- OPM breach: 21 million victims
• JUL -- Ashley Madison: 100 GB of stolen data in high-profile compromise
• AUG -- Ubiquiti: $47 million business email compromise
• SEP -- Blue Termite: Chinese cyber-espionage attack on Japanese companies
• OCT -- Experian: Breach affects 15 million customers
• NOV -- Dridex: Banking malware shows up again
• DEC -- BlackEnergy: Malware causes power outages in Ukraine

Who performs the Breaches?
Hackers:
  – They are not individuals working alone
  – They are well-funded professionals
  – Foreign governments and organizations (Chinese and ISIL)
Motivation Behind These Attacks
  – Financial
  – Political
  – Espionage

What are the Hacker’s Tools?
Ransomware is a serious security threat that has data-kidnapping capabilities.
Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

How do you catch Ransomware?
• Viewing compromised websites
• Clicking on a phishing email
• Other malware

How Ransomware Works
• Locks your screen.
• Calls home to get encryption keys.
• Encrypts every file, both on the local device and on your network.

Ransomware Note
Ransomware demands that you send money in Bitcoin.
• “Your computer has been infected with a virus. Click here to resolve the issue.”
• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
• Source: https://www.us-cert.gov/ncas/alerts/TA16-091A

CryptoLocker ransom demand

Jigsaw ransomware demand

Ransomware Payment
After the attacker receives the Bitcoins and converts them into dollars, he may send you the key to decrypt your files.

Effect of Ransomware
• Ransomware infections can lead to:
  – loss of your information,
  – disruption of your operations,
  – financial losses incurred to restore systems and files, and
  – potential harm to an organization’s reputation.
• Paying the ransom does not guarantee the encrypted files will be released.
• In addition, decrypting files does not mean the malware infection itself has been removed.

Ransomware in the news
• Hollywood Presbyterian Medical Center
• MedStar Health in the Washington, D.C. area
• Methodist Hospital in Henderson, KY
• Chino Valley Medical Center in Chino, CA
• Desert Valley Hospital in Victorville, CA

Popularity of Ransomware
• Ransomware exists because it is:
  – Profitable
  – Low-budget
  – Low stakes
  – Does not require much skill to pull off

Ransomware Preventative Measures
• Data backup and recovery plan for all critical information.
• Use application whitelisting.
• Keep your operating system and software up-to-date with the latest patches.
• Maintain up-to-date anti-virus software.
• Restrict users’ ability (permissions) to install and run their own software.
• Apply the principle of “Least Privilege” to all systems and services.
• Avoid enabling macros from email attachments.
• Train users:
  – How to safely handle email attachments, see Recognizing and Avoiding Email Scams (https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf).
  – Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks (https://www.us-cert.gov/ncas/tips/ST04-014) for more information.
  – Follow safe practices when browsing the Web. See Good Security Habits (https://www.us-cert.gov/ncas/tips/ST04-003) and Safeguarding Your Data (https://www.us-cert.gov/ncas/tips/ST06-008) for additional details.

Other Hacker’s tool
Root kit
• The Dark Web is like a candy store for hackers
• Exploits vulnerabilities for:
  – Microsoft – 2002 servers…
  – Oracle …
  – Adobe …
  – Java ….

Things you can do to prevent getting hacked
• No passwords or blank passwords
• Username is the same as the password
• The username or the username concatenated with itself
• Passwords such as “password,” “passcode,” “admin”
• Service or vendor accounts (backups)
• Build your servers securely from the start

Cloud Computing
Cloud Security Alliance (CSA) Treacherous 12
  – Data breaches
  – Compromised credentials and broken authentication
  – Hacked interfaces and APIs
  – Exploited system vulnerabilities
  – Account hijacking
  – Malicious insiders
  – APT parasite
  – Permanent data loss
  – Inadequate diligence
  – Cloud service abuses
  – DoS attacks
  – Shared technology, shared dangers

2015 IoT Vulnerabilities

Questions?
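An added example, not part of the original slides: a Python check that screens a username/password pair against the weak-credential patterns the deck lists (blank password, username as password, username doubled, and "password"/"passcode"/"admin"), reporting service or vendor accounts first. The trailing digit/symbol stripping, the `SERVICE_HINTS` fragments and the sample accounts are assumptions constructed for illustration.

```python
# Added example: screen credentials against the weak patterns listed in the deck.
# Meant for provisioning or password-change time, when the plaintext is in hand.

COMMON_PASSWORDS = {"password", "passcode", "admin"}    # the three the deck names
SERVICE_HINTS = ("backup", "svc", "service", "vendor")  # assumed naming fragments

# Constructed sample accounts (username, candidate password).
SAMPLE = [
    ("jsmith", "Password1!"),
    ("svc_backup", "svc_backupsvc_backup"),
    ("admin", "admin"),
    ("operator", ""),
    ("mlee", "T7#quiet-Harbor-92"),
]


def weak_credential_reasons(username, password):
    """Return the weak patterns this username/password pair matches."""
    user = username.strip().lower()
    pw = (password or "").strip().lower()
    if not pw:
        return ["blank password"]
    # Also test the password with trailing digits/symbols removed (an addition
    # beyond the deck's list), so "Admin123!" is treated like "admin".
    forms = {pw, pw.rstrip("0123456789!@#$%")} - {""}
    reasons = []
    if user in forms:
        reasons.append("password equals username")
    if user * 2 in forms:
        reasons.append("password is username doubled")
    if forms & COMMON_PASSWORDS:
        reasons.append("common default password")
    return reasons


def is_service_account(username):
    """Heuristic: the name contains a service/vendor fragment."""
    return any(hint in username.lower() for hint in SERVICE_HINTS)


def audit(accounts):
    """Return (username, reasons) for flagged accounts, service accounts first."""
    flagged = [(u, weak_credential_reasons(u, p)) for u, p in accounts]
    flagged = [(u, r) for u, r in flagged if r]
    return sorted(flagged, key=lambda item: (not is_service_account(item[0]), item[0]))


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE):
        print(f"{name}: {', '.join(reasons)}")
```
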