Jose L. Quinones, BS MCP, MCSA, MCT, CEH, CEI, GCIH, GPEN, RHSA
Page 1: CyberCrime attacks on Small Businesses

Jose L. Quinones, BS

MCP, MCSA, MCT, CEH, CEI, GCIH, GPEN, RHSA

Page 2: CyberCrime attacks on Small Businesses

UPR, School of Medicine – IT Director

Obsidis Consortia, Inc. – President & Founder

Security B Sides Puerto Rico – Organizer

Init6 Security User Group – Founder & Mentor

Self Employed - Technical Instructor “The Cleaner”

PRgov - Information Security Council Member “Jedi Master”

Page 3: CyberCrime attacks on Small Businesses
Page 4: CyberCrime attacks on Small Businesses
Page 5: CyberCrime attacks on Small Businesses

60% of small businesses that experience a data breach are out of business within 6 months.

IBM says there were 1.5 million attacks in 2013 alone, and 81% of them happened to small businesses.

Visa reports that 90% of the payment data breaches reported come from small businesses.

Page 6: CyberCrime attacks on Small Businesses
Page 7: CyberCrime attacks on Small Businesses

Trojans

Botnets (Zombie + C&C)

Some notorious ones are:

Citadel – Taken down by Microsoft in 2011

SpyEye – Developers were arrested in 2012

Zeus – In 2014, Spamhaus detected 7,182 distinct IP addresses that hosted a botnet controller

Page 8: CyberCrime attacks on Small Businesses

Ransomware is a type of malware which restricts access to the computer system or files that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

Transactions are made with money cards, wire transfers and, most recently, bitcoin.

If you get bit by this bug most likely you will have to pay to recover your files.

Page 9: CyberCrime attacks on Small Businesses
Page 10: CyberCrime attacks on Small Businesses

How to recognize Phishing

Legitimate organizations don’t ask for sensitive data over an email.

Is the grammar and lexicon appropriately used? (broken language)

Did you expect a message from that person?

Is the website name spelled correctly? (Ex. Amazone.com)

How to respond to Phishing

DELETE immediately

Don’t click stuff, enter the link in the browser by hand

Hover over the link to verify the link (still dangerous)

Don't open e-mail attachments …NEVER!

If you fell for it …

Change your passwords

Contact any institutions you think have been compromised

Report it to: http://www.ic3.gov
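
The following added example (not part of the original slides) automates two of the checks above for an HTML mail body: comparing the domain a link displays with the domain it actually points to, which is what hovering reveals, and flagging near-miss spellings such as Amazone.com. The `TRUSTED` list, the sample mail body and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"amazon.com", "paypal.com"}  # assumption: domains the business really uses
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

def edit_distance(a, b):  # Levenshtein distance with one rolling row
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def base_domain(u):  # last two host labels; ignores public suffixes such as co.uk
    host = urlparse(u if "//" in u else "//" + u).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None  # _open = [href, text] while inside <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [(dict(attrs).get("href") or "").strip(), ""]
    def handle_data(self, data):
        if self._open:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None

def check_links(html):  # returns (href, reason) findings for one HTML mail body
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        target = base_domain(href)
        if DOMAIN_LIKE.match(text) and base_domain(text) != target:  # what "hover" reveals
            findings.append((href, f"text shows {base_domain(text)}, link goes to {target}"))
        twin = next((t for t in sorted(TRUSTED) if edit_distance(target, t) == 1), None)
        if twin and target not in TRUSTED:  # misspelled name, e.g. amazone.com
            findings.append((href, f"lookalike of {twin}"))
    return findings

SAMPLE = """<a href="http://www.amazone.com/signin">https://www.amazon.com/your-account</a>
<a href="https://www.amazon.com/help">Help pages</a>
<a href="http://billing.example.net/pay">www.paypal.com</a>"""  # constructed mail body
```

Calling `check_links(SAMPLE)` returns three findings: two for the misspelled Amazon link and one for the link whose text shows a PayPal address but points elsewhere.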

Page 11: CyberCrime attacks on Small Businesses

Common Techniques: Impersonation, Pretext, Framing, Elicitation

Common attacks: Customer Service, Tech support, Delivery person, Phone, Email/Phishing

http://www.social-engineer.org/framework/general-discussion/

Page 12: CyberCrime attacks on Small Businesses

Owners don’t want to mess with their money machines.

The misconception of “that’s just a cash register”

There is a new breed of malware specifically for PoS (e.g. Backoff PoS).

The reality is that most PoS and Kiosks are fully working computers that run some kind of software over a common Operating System (e.g. Microsoft Windows) connected to the network.

Page 13: CyberCrime attacks on Small Businesses
Page 14: CyberCrime attacks on Small Businesses
Page 15: CyberCrime attacks on Small Businesses

• (3) copies of your data (local, external drive, cloud)

• (2) different media (external drive, cloud, DVD)

• (1) copy stored offsite (cloud, home, office, storage facility)

Page 16: CyberCrime attacks on Small Businesses

Do not use personal information for passwords

Do not use dictionary words as passwords

Use at least 3 of the following: a-z, A-Z, 0-9, !@#$%^&*

At least 16 characters long

Use passphrases (Ex. I like cold pizza, 1 Lik3 c0ld Pizz4!)

Change regularly (every 90 days)

Use a password manager (LastPass)

Page 17: CyberCrime attacks on Small Businesses
Page 18: CyberCrime attacks on Small Businesses

Use only when absolutely necessary

Isolate guest network

Authenticate & control access

Limit the number of services available (http, https, dns)

Use WPA2 with a strong password

Control output power *

Turn off beacon broadcasting *

Use MAC filtering *

* Not effective against a skilled attacker

Page 19: CyberCrime attacks on Small Businesses

1. Use password-protected access control

2. Control application access and permission

3. Keep the OS and firmware current (update)

4. Backup your data

5. Use remote or automatic wipe if stolen or lost

6. Don’t store personal financial data on your device

7. Beware of free apps

8. Try mobile antivirus (Android)

9. Control Wireless connectivity (Wi-Fi, Bluetooth, NFC, RFID)

10. If possible use a Mobile Device Management (MDM) solution

Page 20: CyberCrime attacks on Small Businesses

Read carefully the Terms and conditions of service, and the Privacy Policy

Your only assurance is a good contract & SLA (get a lawyer)

Encrypt everything before uploading it to the cloud

Not all clouds are the same; understand your needs.

Get the service from a reputable provider.

Page 21: CyberCrime attacks on Small Businesses
Page 22: CyberCrime attacks on Small Businesses
Page 23: CyberCrime attacks on Small Businesses

Cyber criminals use various methods to hide their tracks

Tor Onion Router - Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Private VPN - individuals can use VPNs to get access to network resources when they're not physically on the same LAN (local area network), or as a method for securing and encrypting their communications when they're using an untrusted public network.

Proxy Servers - In a personal computing context, proxy servers are used to enable user privacy and anonymous surfing.

Spoofing - a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.

Page 24: CyberCrime attacks on Small Businesses

Data Breaches http://breachlevelindex.com/#sthash.Whzg9ESf.dpbs

Zeus Tracker https://zeustracker.abuse.ch/monitor.php

Live Attack Maps http://map.ipviking.com/

https://www.fireeye.com/cyber-map/threat-map.html

http://www.sicherheitstacho.eu/

https://cybermap.kaspersky.com/

http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16434&view=map

https://labs.opendns.com/global-network/

Page 25: CyberCrime attacks on Small Businesses

Verizon Data Breach Investigations Report http://www.verizonenterprise.com/DBIR/

Mandiant Reports https://www.mandiant.com/resources/mandiant-reports/

IBM Cost of Breach http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/

Symantec Threat Report http://www.symantec.com/security_response/publications/threatreport.jsp

Kaspersky Security Analysis https://securelist.com/analysis/kaspersky-security-bulletin/67864/kaspersky-security-bulletin-2014-predictions-2015/

McAfee Threat Report http://www.mcafee.com/us/apps/view-all/publications.aspx?tf=aaae16480

Page 26: CyberCrime attacks on Small Businesses

Blog: http://codefidelio.org

Email: [email protected]

Twitter: @josequinones

G+: https://plus.google.com/u/2/+JoseLQuinonesBorrero