Cybersecurity Seminar: How to Protect Your Small Business
John Bambenek, President, Bambenek Consulting
Champaign EDC, March 25, 2014

Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014

Sep 08, 2014


John Bambenek

Every day we hear more and more about credit cards getting stolen, businesses getting hacked and national secrets being pilfered from our government. In this seminar, you’ll learn:
- what threats small businesses need to be aware of
- what threats are hype
- how small businesses can protect themselves in a cost-effective way
- you’ll walk away with 5 things you can do in your small business to be more secure without having to buy a single piece of software
Transcript
Page 1: Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014

Cybersecurity Seminar: How to Protect Your Small Business
John Bambenek, President, Bambenek Consulting
Champaign EDC, March 25, 2014

Page 2

About me

15 years experience in cyber security, been in IT 30 years.

Part-time faculty in Computer Science at UIUC.

Started with Ernst & Young as a project manager, then to U of I as professional IT and security staff, then as a consultant and now own my own firm.

Lecture and teach internationally on cybersecurity, forensics and threat intelligence.

Page 3

About you

What industry is your company in?

Do you process payments electronically?

Roughly how many employees? How many computers?

What keeps you awake at night from a cybersecurity perspective?

Page 4

Spoiler Alert

Employ risk management and be skeptical

Keep your computer operating systems and security software up-to-date

Have regular backups and disaster recovery

Limit access to resources

Use strong and unique passwords

Page 5

Why bother?

For most (or probably all) of you, security will only cost you money; it will likely NOT help you earn money.

You may have laws, regulations or contracts that require some measure of security… or maybe not (and this is less and less true).

You may not be a “prime beef” target… but you’re still a target.

You may not have credit cards but you do have a payroll account.

Cryptolocker example.

Page 6

Don’t think you are affected by regulation?

From Illinois Law:

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(1) Social Security number.

(2) Driver's license number or State identification

(3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Page 7

Who pays when fraud happens?

Generally, if a consumer has their credit card stolen, the consumer doesn’t pay.

Same is true with debit cards (though more hassle).

How many people here were affected by Schnuck’s breach?

If funds are directly withdrawn from a consumer’s bank account, usually (though not always) bank protects them from losses.

Electronic commerce requires consumers “trust” it, so everyone has the incentive to at least protect consumers from losses.

Page 8

Who pays when a business is defrauded?

If your business has its credit card defrauded, bank account emptied, or other fraud against your organization…

You pay.

The general approach is that you have the means to protect yourself, because you are a business owner who can just hire someone.

If your payroll account is emptied, your bank will likely help you with a nice line of credit.

Can you afford to eat those losses? Can you insure against them?

Page 9

It gets worse...

If you lose consumer records, the payout can be substantial.

HIPAA fines can easily get into millions depending on records sold.

Usually need to pay for credit monitoring for all victims.

Banks pay $40-$50 per new card issued, and they are starting to sue for their costs.

And of course, the bad publicity…

But there are things you can do, which is why you are here today.

Page 10

Item #1 - Risk management

Employ risk management and be skeptical…

What secrets and confidential information do you have?

What are your essential business functions?

What information could someone use for fraud if they stole it?

What information could be used for competitive advantage by your competitors?

You are not paranoid if they are really all out to get you.

Page 11

A brief note about who attacks SMBs

Generally cybercriminals can be broken down into these groups:

- Nation states
- Organized crime
- Disorganized crime
- Hacktivists
- Disgruntled insiders
- Your competitors

Which group it is determines how, why and when they attack, and at what skill level.

Page 12

Hacktivism example

Page 13

How much to spend on security?

If you wanted, you could spend unlimited amounts of money on securing your IT resources… and you’d still be breached eventually.

Just ask the NSA.

Security vendors will happily charge you lots of money to protect you against unknown threats that aren’t reasonable for you to worry about.

Example: Nation states

However, a lot of ground can be covered by basic (and generally free) steps that follow.

Page 14

How much to spend on security?

Beyond “free” steps, how much should be spent?

What are the reasonable threats and what is a reasonable amount to spend to mitigate them? (Mitigate does not mean 100% stop)

There is no magic formula.

If you can show after a breach has occurred you made reasonable, intelligent decisions, you will often be in a far better place.

(Especially if you do the free stuff that follows).

Page 15

How much to spend on security?

What about outsourcing risks?

Some risks you need to take, but some you don’t. For instance, do you really need to be in the business of processing and storing credit card information yourself or can that be outsourced to a payment gateway provider?

Do you need to maintain your own webserver, email server, etc., or can you find a provider to do that?

You still have to make sure the provider is reputable.

Page 16

Example: nation states

Nation states are constantly attacking either for national security related material or for industrial trade secrets to advantage their own economies.

Actors are highly trained, highly funded, and operating with overt (or tacit) state sanction.

If they want to get in, they will get in and it is unreasonable to expect a small business to stand against the collective cyberpower of another nation.

We don’t have to make it easy for them but there is no point in starting with this as the point of reference.

Page 17

Example: disorganized crime

People send spam all the time claiming all sorts of outrageous things, usually using similar content or similar infrastructure.

Anti-spam solutions exist to prevent those messages from getting to your inbox (and some are even free). If you never see malicious messages, they cannot infect your machine.

Commodity attacks are easily handled by off-the-shelf commodity tools (anti-virus, anti-spam, simple firewalls, etc).

Page 18

Be skeptical

Most computer attacks rely on the end-user to do something, usually by abusing their trust.

E-mail, social media, SMS messages, webpages and robo-calls can be easily spoofed. (How many of you have gotten those fake Busey phone calls?)

Avoid blindly trusting what your technology is telling you.

Emergency text messaging example.

If something seems odd, verify out-of-band (i.e. not using the same medium that you just got the message on).

Page 19

Example: fake subpoena

Page 20

Be skeptical

Don’t give passwords on request to those who call or e-mail.

Avoid clicking on links for sensitive transactions (i.e. type the full URL instead).

Be careful of typos when typing URLs. (Whitehouse example)

The more something seems to require immediate action, the more you should verify its authenticity.

No legitimate person will object to you attempting to verify they are who they say they are.

Page 21

Takeaways

Have some understanding of the kinds of threats you will face.

Make reasonable decisions about protecting yourself without breaking the bank.

Take advantage of free things you can do (to follow).

Be skeptical of what your technology tells you and be willing to verify out-of-band if something appears off.

Limit (or eliminate) the sensitive information you give someone on request.

Page 22

Item #2 - Stay up-to-date

Almost all modern major software has a means to update itself for bugs and vulnerabilities on a routine basis.

Microsoft, for instance, releases updates on the second Tuesday of every month (and occasionally at other times).

Adobe Reader, Flash, Java, all have their own updates.

Anti-virus also needs to be updated daily to retrieve the latest signatures to detect threats.

Page 23

Microsoft Updates

Page 24

Microsoft updates key points

Update automatically (for most people, this is the best option and it takes away the need for you to spend time on it).

Make sure to include other Microsoft products in updates (for instance, Office).

This does not include other non-Microsoft products you may have. Some of these have their own ability to update automatically, others will pop-up and let you “click to upgrade”.

Please take these seriously. You don’t have to drop what you are doing immediately, but before you go home for the day, get all those updates installed.

Failing to apply updates is one of the single biggest causes of security breaches.

Page 25

Old versions

Anyone still use Windows XP?

After a product has been out there long enough, software publishers no longer support it (i.e. no more updates for vulnerabilities).

Find a way to fit version upgrades into routine costs to make sure you don’t have orphan software out there.

Often systems will not necessarily tell you they are “too old”.

And what about those applications that don’t tell you they need an update?

Anyone have an iPhone?

Page 26

Security software

Do you have a comprehensive security software solution on every machine in your company? (e.g. McAfee Complete Endpoint Protection, Norton Internet Security, etc.)

These do more than block viruses and they are generally auto-updated and auto-managed… as long as you keep your subscription up to date.

Limitation: they only block against already-known threats.

Small cost, high return, and you don’t have to think about it.

You could try to manage it to do more secure and neat things with it if you wanted to.

Page 27

One point on security

Sometimes good computer hygiene can prevent headlines like this:

“Russia Takes Cyber-Swipe at Illini” - News-Gazette, 3/17/2014

Due to vulnerable and misconfigured servers, someone was able to reflect an attack off UIUC servers and point it at Russia.

It’s all fun and games until someone causes an international incident with your network...

Page 28

Takeaways

Have updates applied automatically where possible.

When pop-ups ask for updates, make sure to apply them within that day.

Be aware of when old software is no longer supported and/or make sure to update major versions on a routine basis.

Install security software and make sure it is updated on a nightly basis.

Page 29

Item #3 - Regular backups

Remember cryptolocker?

Sometimes computer failures happen; are you able to recover your data?

What happens if your computer or your server fails? What would it take to get back online?

What is critical for your business to run? What are things that are nice to have but you could live without?

Some viruses will destroy systems or malicious attacks will require a full reinstall of a system.

Page 30

Backups

What is critical data?

- Your financial records?
- Your customer records?
- Your employee records?
- Your e-mail address book?

Any piece of data that if you lost forever would cause irreparable harm.

A commercial solution is best (i.e. tape), but you can do simple forms of backups to external drives… it’s important to keep more than one and to keep some off site.

You could back up to the cloud, but make sure it’s encrypted.

Page 31

Disaster Recovery

It is very easy to spend a lot of money on this to protect against a wide variety of situations. But many of those situations might be overkill for you.

The obvious situation is what to do if your systems fail. Failures can be spawned by malicious activity (and it is not unusual for that to be insider activity).

If you have your webserver, e-mail server, etc., hosted by a third-party provider, what do you do if they fail?

Hosting provider example.

Usually the best way to deal with an infected computer is to wipe it and reinstall.

Page 32

Takeaways

Failures happen; the difference between recovering and going out of business is planning.

All critical information for your business should be identified and backed up with some being stored off site (e.g. safe at home).

Have a plan for system failures and have a plan if your third-party providers fail.

Page 33

Item #4 - Limit access

Sometimes basic attacks will be successful, people will make mistakes, someone’s kid uses the employee’s laptop to play games…

That mistake should not immediately give an attacker full access to everything.

Sometimes disgruntled employees (or ex-employees) will retaliate.

Sometimes people just make mistakes and didn’t mean to erase an entire disk.

It is important to limit what foothold an attacker can get, what damage a disgruntled employee can do and what damage an accident can cause.

Page 34

Limiting file access

People tend to always want more access than they need. General practice is to grant access based on need-to-know.

Avoid giving people administrator privileges on their computers. Upside: makes attacks harder to execute. Downside: usually means someone has to maintain their computer.

If you have a server, does everybody need access to everything? Answer: no.

Back to cryptolocker.

Page 35

Limiting stored data

The first rule: create no evidence.

Avoid storing passwords in your web browser.

Avoid creating files with sensitive information.

Limit what you put online that could be useful to an attacker.

Be careful what you email out (a secretary at UIUC sent out a spreadsheet that included the SSNs of every engineering student).

Page 36

Now to pick on the NSA

Page 37

Still picking on the NSA

Page 38

Limiting access to systems

Do your employees have laptops they bring home? Do you?

Avoid familial use of those systems (kids’ games often have malware). Practice good physical security (avoid leaving them unattended).

Recreational use can lead to infections (e.g. malvertising).

Have all machines protected by a password required to login. Have all machines lock after 15 minutes of inactivity.

Control who has keys to the building.

Do you have a “guest” wireless network? Make sure it is separate from your internal business network.

Page 39

Sensitive systems

Consider having a separate computer used ONLY for sensitive transactions like payroll or large dollar transfers.

Recreational use of a computer can lead to infections through no fault of your own. If you use the same system to process payroll, now malicious individuals can process ghost payroll too.

Those systems need to be updated and secured too. Access should be limited to only those who need to execute those functions.

Conversely, if you have employees who bring kids in and you’re OK with it, get a throwaway computer for recreational use, and that’s all it’s for.

Page 40

Takeaways

Limit access of employees to only what they need to know.

Avoid familial use of computers by yourself and employees.

If relevant, have a separate computer for sensitive business functions that is only used for sensitive business functions.

Page 41

Item #5 - Use Strong Passwords

Usually, your password is the key to your digital identity. If someone has that, they now ARE you.

Simple passwords can be cracked easily; even 8-character passwords can be cracked without too much effort.

Secure passwords should be at least 12 characters and include upper-case, lower-case, numbers and special characters.

And you should never reuse passwords between sites.

Or at least not between “meaningless” sites and critical accounts.

Page 42

The 25 worst passwords in the world according to PCWorld

- 123456
- password
- 12345678
- qwerty
- abc123
- 123456789
- 111111
- 1234567
- iloveyou
- adobe123
- 123123
- admin
- 1234567890
- letmein
- photoshop
- 1234
- monkey
- shadow
- sunshine
- 12345
- password1
- princess
- azerty
- trustno1
- 000000

Page 43

Weak passwords

There are plenty more weak passwords than this, but those show up the most frequently.

- Anything that is a dictionary word.
- Anything that is all numbers (say your birthday).
- Anything that can be easily derived from you.
- Anything that can be easily derived from your business.
- Anything that’s less than 8 characters.
- Anything not changed within 90 days.

Page 44

Password reuse

One of the biggest causes of people having their accounts accessed is password re-use.

Scenario: You have one central e-mail account, you have Facebook, you have credit card logins, bank logins, logins for your commercial bank account and you are a commenter on the News-Gazette website. All have the same password.

Compromising the News-Gazette would be the easiest and weakest link. Most people wouldn’t think twice about it. But if I have your e-mail address and your password, I can get everything else.

Page 45

Password reset features

Almost everything has a password reset feature to recover a lost password.

The questions, however, are not hard to guess if you know something about the person, and some of it may be public record.

Make sure password resets either e-mail your primary e-mail address, send you a text message or do some other out-of-band notification or verification.

If that isn’t an option, consider putting in fake information for those questions… but fake enough so you can remember.

Sarah Palin example.

Page 46

How to make a strong password

Passwords should be long (more than 12 characters) and contain upper & lower case, numbers and special characters.

Microsoft’s Advice:

Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.

Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son's birthday is 12 December, 2004 could become Mi$un's Brthd8iz 12124 (it's OK to use spaces in your password).

Relate your password to a favorite hobby or sport. For example, I love to play badminton could become ILuv2PlayB@dm1nt()n.

Page 47

Use unique passwords

If you use the same password for everything, then one compromised password will infect the rest of your digital identity.

If the ideal is too much, try to have at least three passwords you change regularly:

- One for your sensitive business logins
- One for e-mail / computer logins and general business use
- One throwaway for blogs, fantasy sports, games… stuff that doesn’t matter

How to make strong, unique passwords:

Msbi12/Dec,4### (where ### is some unique identifier for the login, e.g. EDC for here)
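The password rules from the strong-password, weak-password and unique-password slides, and the reuse scenario from the password-reuse slide, turned into a small checker. This is an added example, not material from the seminar; the word list is a constructed stand-in and the business terms are hypothetical.

```python
import string

# The 25 passwords the PCWorld slide lists, normalised to lower case.
WORST_25 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary (or a breached-password list) instead of this handful.
DICTIONARY = {"password", "sunshine", "princess", "monkey", "shadow",
              "welcome", "dragon", "football", "champaign", "badminton"}

MIN_LENGTH = 12      # "Secure passwords should be at least 12 characters"
MAX_AGE_DAYS = 90    # "Anything not changed within 90 days" is weak


def weaknesses(password, business_terms=(), age_days=0):
    """Return the seminar's rules that `password` violates (empty list = strong).

    business_terms are words an attacker could derive from your company
    (its name, products, address); age_days is days since the last change.
    """
    problems = []
    low = password.lower()
    if low in WORST_25:
        problems.append("one of the 25 worst passwords")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("all numbers")
    if low in DICTIONARY:
        problems.append("dictionary word")
    for term in business_terms:
        if term.lower() in low:
            problems.append(f"derived from business term '{term}'")
    if age_days > MAX_AGE_DAYS:
        problems.append(f"not changed within {MAX_AGE_DAYS} days")
    # Upper-case, lower-case, numbers and special characters are all required.
    classes = {
        "upper-case": any(c.isupper() for c in password),
        "lower-case": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation or c == " " for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def is_strong(password, business_terms=(), age_days=0):
    return not weaknesses(password, business_terms, age_days)


def reused_passwords(logins):
    """Reuse scenario: given {site: password}, return each password shared by
    more than one site, mapped to the sites that share it."""
    by_password = {}
    for site, password in logins.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample: e-mail and bank got their own ### tag, but two
    # throwaway sites were left on the bare base password.
    logins = {"e-mail": "Msbi12/Dec,4GML", "bank": "Msbi12/Dec,4BNK",
              "news-gazette": "Msbi12/Dec,4", "facebook": "Msbi12/Dec,4"}
    for site, pw in logins.items():
        print(site, weaknesses(pw, business_terms=("Bambenek",)) or "strong")
    print("reused:", reused_passwords(logins))
```

The dictionary check is exact-match only; a real checker would also catch simple substitutions (p@ssw0rd) by normalising before lookup.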

Page 48

Never share your password

Avoid situations where you share your password with anyone, even coworkers.

Try to always have unique logins for individuals if they really need access.

How did Edward Snowden steal so much information from the NSA that he was able to later publish?

He asked his coworkers for their passwords and used their accounts to access information he was otherwise not entitled to.

Avoid shared accounts and if you must use them, escrow passwords in a safe.

Page 49

Two-factor Authentication

Where possible for sensitive applications, use two-factor authentication.

This requires something you physically have, not an additional piece of info.

Most banks for commercial accounts will require or at least permit you to select two-factor authentication to access the account (or send money). Usually in the form of sending you a text message.

Many other services (like GMail) will also send you a text message before letting you fully log in.

Some applications can be configured to use your phone to give you a unique code to log in. Example.

Page 50

Takeaways

Your password, and often your primary e-mail, is the key to your entire digital identity. If someone gets that, they can get everything.

Use long and strong passwords and try to use unique passwords for each site. At the least, have 3 passwords, including a throwaway password for inconsequential stuff.

For the really important stuff, try to use two-factor authentication that requires you to physically possess something (like your cell phone) to fully log in to do things.

Seems basic, but even defense contractors have fallen to password reuse problems.

Page 51

Last point

Basic computer maintenance goes a long way towards security.

If someone isn’t assigned in your office to maintain computers (or you aren’t doing it yourself), having general tech support handy can help security.

Or having someone in the office with some basic computer support skills can work too (and giving them freedom to get some training/knowledge to do the job).

May or may not make sense for your given situation.

Page 52

Remember these 5 things

Employ risk management and be skeptical (they really all are out to get you)

Keep your computer operating systems and security software up-to-date

Have regular backups and disaster recovery

Limit access to resources

Use strong and unique passwords

Page 53

Questions?

John Bambenek
Bambenek Consulting, [email protected]