What Entrepreneurs & Small Businesses Need to Know about Cybercrime IESBGA 2014 John Bambenek - Bambenek Consulting
IESBGA 2014 Cybercrime Seminar by John Bambenek

Apr 16, 2017

Transcript
Page 1: IESBGA 2014 Cybercrime Seminar by John Bambenek

What Entrepreneurs & Small Businesses Need to Know about Cybercrime
IESBGA 2014
John Bambenek - Bambenek Consulting

Page 2: IESBGA 2014 Cybercrime Seminar by John Bambenek

About Me

●15 years of experience in cybercrime, in IT generally since I was a toddler
○My first toy I remember was a TI-99 computer; I programmed on it when I was 6. I had an unusual childhood.
●Part-time Faculty in Computer Science at the University of Illinois and own my own firm

●Lecture and teach internationally on cybersecurity, forensics and threat intelligence.

●This conference’s theme is “Big Dreams for Small Business…”

Page 3: IESBGA 2014 Cybercrime Seminar by John Bambenek

Spoilers

●Employ Risk Management and Be Skeptical

●Keep Software Up-to-Date

●Have Backups and a Plan When Things go Wrong

●Limit Access to Resources and Information

●Use Strong and Unique Passwords

Page 4: IESBGA 2014 Cybercrime Seminar by John Bambenek

About You

●Small businesses (and those who counsel small businesses) aren’t flush with cash.

●Many don’t have high-tech operations, most don’t have in-house IT staff.

●Most don’t know where to start with security and many operate a component of their business online.

Page 5: IESBGA 2014 Cybercrime Seminar by John Bambenek

Why this matters...

●Small businesses have real risks.

●You’ve heard about Target or any number of other major companies that had major breaches…

●Have you heard about Fazio Mechanical Services?

●Small business is less able to weather the liability of a major breach.

●Good news, the expectations are lower (but not non-existent) on smaller companies.

Page 6: IESBGA 2014 Cybercrime Seminar by John Bambenek

Why bother?

●For most small businesses, security will only cost money; it won’t make money.
○Not as true as you think it is: many companies now require their vendors to meet a standard of security.

●Some industries have more stringent regulatory requirements.

●You may not be a prime beef target…
○But you probably have a payroll account worth draining...

●Cryptolocker example.

Page 7: IESBGA 2014 Cybercrime Seminar by John Bambenek

Don’t think you are affected by regulation?

From Illinois Law:

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(1) Social Security number.
(2) Driver's license number or State identification
(3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Page 8: IESBGA 2014 Cybercrime Seminar by John Bambenek

Who pays when fraud happens?

●Generally, consumers are not liable for fraud committed against them, whether on credit or debit cards.

● If funds are taken directly from a bank account, within reason most banks will protect the consumer from losses.

●Electronic commerce requires consumers to “trust” it, so banks and businesses have incentive to protect them from fraud losses.

Page 9: IESBGA 2014 Cybercrime Seminar by John Bambenek

Who pays when a business is defrauded?

● If a business, large or small, has its bank account emptied or its credit cards defrauded, the business pays.
○“You have means to protect yourself”

● If consumers are defrauded because of an incident in your environment, you pay.
○Credit cards cost $40-$50 each to reissue.

● If your payroll account is emptied, your bank may help… by giving you a line of credit to make payroll.

●Can your business afford to eat that kind of loss?

Page 10: IESBGA 2014 Cybercrime Seminar by John Bambenek

It gets worse...

● If you lose consumer records, the FTC (or other) penalties can be substantial.

●HIPAA fines can easily get into millions.

●Usually need to pay for credit monitoring for all victims.

● Intangible costs of bad publicity (though this is going down)

●But there are things that can be done, which is why you’re here today

Page 11: IESBGA 2014 Cybercrime Seminar by John Bambenek

Item #1 - Risk Management & Skepticism

●Employ risk management.

●Be skeptical of what you see (e-mail / web).

●What secrets & confidential info do you have?

●What information could someone use for fraud if stolen?

●What information could a competitor use if stolen?

●You’re not paranoid if they really all are out to get you.

Page 12: IESBGA 2014 Cybercrime Seminar by John Bambenek

A Brief Note on Who Our Attackers Are

●Generally cybercriminals can be broken down into these groups:
○Nation States
○Organized Crime
○Disorganized Crime
○Hacktivists
○Disgruntled Insiders
○Your Competitors

●Which group you face determines how, why and when they attack, and at what skill level.

Page 13: IESBGA 2014 Cybercrime Seminar by John Bambenek

Hacktivism example

Page 14: IESBGA 2014 Cybercrime Seminar by John Bambenek

How Much to Spend on Security?

● If you wanted, you could spend unlimited amounts of money on security… and you’d still get breached.
○Just ask the NSA.

●Security vendors will happily charge you lots of money to protect you against unknown threats that aren’t reasonable for you to worry about.
○Example: Nation states

●However, lots of ground can be covered by basic (and generally free) steps that follow.

Page 15: IESBGA 2014 Cybercrime Seminar by John Bambenek

What is “reasonable” security?

● If laws or regulations require you to do it, it’s reasonable.
○The more laws and regulations, the harder it is for a small business to continue to exist.

● If contracts or other written agreements require you to do it, it’s reasonable.

●Beyond that, reasonable is what your peer companies do and what is reasonable based on “what bad could happen” if certain data got lost.
○Can vary wildly.

Page 16: IESBGA 2014 Cybercrime Seminar by John Bambenek

Example: Nation States

●Nation states are constantly attacking either for national security-related material or industrial trade secrets.

●Actors are highly trained, highly funded and operate with overt (or tacit) state sanction.

● If they want to get in, they will have a plan and all the resources they need at their disposal to do so.

● Is it reasonable for a small business to fend off an entire industrialized nation?

Page 18: IESBGA 2014 Cybercrime Seminar by John Bambenek

Example: Disorganized Crime

●People send spam constantly that claims all sorts of dubious and outrageous things. It usually uses the same content or infrastructure.
○Heard the one about the Nigerian general...

●Anti-spam solutions exist to prevent those messages from getting to you in the first place, some are even free.

●Commodity attacks are easily handled by commodity off-the-shelf tools.

● Is a $50 anti-virus package reasonable?

Page 19: IESBGA 2014 Cybercrime Seminar by John Bambenek

Be Skeptical

●Most computer attacks rely on end-users doing something that puts them at risk. Usually this works by abusing their trust.

●E-mail, social media, text messages, webpages, and robocalls can be easily spoofed.

●Avoid blindly trusting what your technology is telling you.

● If something seems odd, verify it out-of-band (i.e. not using the same medium you just got the message on).

Page 20: IESBGA 2014 Cybercrime Seminar by John Bambenek

Example: Fake Subpoena

Page 21: IESBGA 2014 Cybercrime Seminar by John Bambenek

Be Skeptical

●Don’t give passwords on request to those who ask.

●Avoid clicking on links for sensitive transactions (i.e. type full URL instead).

●Be careful of typos when typing URLs (Whitehouse example).

●The more something seems to require immediate action, the more you should verify its authenticity.

●No legitimate person will object to you attempting to verify they are who they say they are.

Page 22: IESBGA 2014 Cybercrime Seminar by John Bambenek

Takeaways

●Have some understanding of the threats you face.

●Make reasonable decisions about protecting yourself without going broke.

●Take advantage of free things you can do.

●Be skeptical of what your technology tells you and verify when needed.

●Limit (or eliminate) the sensitive information you give someone on request.

Page 23: IESBGA 2014 Cybercrime Seminar by John Bambenek

Item #2 - Stay Up-to-date

●Almost all modern major software has means to update itself for bugs and security vulnerabilities.

●Microsoft, for instance, releases updates on the second Tuesday of every month (and occasionally at other times).

●Adobe Reader, Flash, Java all have their own updates.

●Anti-virus and security tools also need to be updated frequently to protect against the latest threats.

Page 24: IESBGA 2014 Cybercrime Seminar by John Bambenek

Microsoft Updates

Page 25: IESBGA 2014 Cybercrime Seminar by John Bambenek

Microsoft Updates - Key Points

●Update automatically.

● Include other Microsoft products in updates (i.e. Office)

●This doesn’t include other non-Microsoft products. Some may have pop-up reminders but make sure you know what the real one looks like.

●This is the one, single best thing you can do to prevent breaches. Don’t put it off.

Page 26: IESBGA 2014 Cybercrime Seminar by John Bambenek

Old Versions

●Anyone still using Windows XP?

●After a product is out there long enough, software publishers will no longer support it with updates.

●Find a way to fit version updates into routine technology refreshes. Systems won’t tell you they are too old.

●What about applications that don’t tell you they need an update?
○Smartphones, for instance.

Page 27: IESBGA 2014 Cybercrime Seminar by John Bambenek

Security Software

●Are you using a comprehensive security software solution on every machine? (Many banks and ISPs will give you this for free)

●They do more than block malware and are generally updated automatically.
○ If this stops, you have a problem.

●Limitation: will only protect against already-known threats.

● If you have it make sure it’s updating. If you don’t have it see if someone will give it to you for free.

Page 28: IESBGA 2014 Cybercrime Seminar by John Bambenek

One final point...

●Sometimes good computer hygiene can prevent headlines like this: “Russia Takes Cyber-Swipe at Illini”, News-Gazette, 3/17/2014

●Due to vulnerable and misconfigured servers, someone was able to reflect an attack on Russian infrastructure off of University servers.

● It’s all fun and games until someone causes an international incident with your network...

Page 29: IESBGA 2014 Cybercrime Seminar by John Bambenek

Takeaways

●Have updates applied automatically where possible (and make sure it stays that way).

●When pop-ups ask for updates, make sure you apply them that day…
○But know what the real pop-up looks like.

●Be aware when old versions of software are no longer supported and replace them.

●Make sure security software is updated on a nightly basis.

Page 30: IESBGA 2014 Cybercrime Seminar by John Bambenek

Item #3 - Regular Backups

●Remember cryptolocker?

●Sometimes computer failures happen; would you be able to recover your data?
○Forensic work is my high hourly billing item.

●What happens if your computer or server fails?

●What is critical for your business to run? What things are nice to have but you could live without?

●Some viruses will destroy a system or be impossible to remove without a full reinstall.

Page 31: IESBGA 2014 Cybercrime Seminar by John Bambenek

Backups

●What is critical data?
○Your financial records?
○Your customer records?
○Your employee records?
○Your email address book?

●Any piece of data that if you lost forever would cause irreparable and significant harm.

●Just enumerating this is a useful business exercise.

Page 32: IESBGA 2014 Cybercrime Seminar by John Bambenek

Backups

●A commercial solution is best (i.e. tapes) but there are free software packages out there and you can always just back up to external hard drives.
○The most important thing is to keep multiple backups, and some of those off-site from the company.

●You could back up to cloud storage (Google Drive / OneDrive) but be sure to encrypt sensitive information.
○What if the cloud provider goes out of business?

Page 33: IESBGA 2014 Cybercrime Seminar by John Bambenek

Disaster Recovery

● It is very easy to spend lots of money on this to protect against a wide variety of situations that aren’t relevant to you.

●Obvious situation is what to do if your systems fail and that failure can be malicious.

● If you have a server hosted by a third-party provider, what do you do if they fail?
○Hosting provider example.

●Best way to deal with an infected machine is to wipe and reinstall.

Page 34: IESBGA 2014 Cybercrime Seminar by John Bambenek

Takeaways

●Failures happen, the difference between recovering and going out of business is planning and preparing.

●All critical information for a business should be identified and backed up, with at least one backup being off-site (i.e. a safe at home).

●Have a plan for system failures.

Page 35: IESBGA 2014 Cybercrime Seminar by John Bambenek

Item #4 - Limit Access

●Sometimes basic attacks succeed, people make mistakes, someone’s kid uses the employee’s laptop to play games…

●That mistake shouldn’t give immediate and full access to everything.

●Sometimes disgruntled employees retaliate.

●Sometimes people just make a mistake and didn’t intend to erase an entire disk.

●Limit the foothold an attacker can get.

Page 36: IESBGA 2014 Cybercrime Seminar by John Bambenek

Limiting File Access

●People tend to always want more access than they need. General practice should be to grant access based on need-to-know.

●Avoid giving people administrator access on their computers.

● If you have a server, does everybody need access to everything? (Answer: no)

●Cryptolocker example again.

Page 37: IESBGA 2014 Cybercrime Seminar by John Bambenek

Limiting Stored Data

●First rule: create no evidence...

●Avoid storing passwords in your web browser.

●Avoid creating files with sensitive information.

●Absolutely limit what you put online that could be useful to attackers.

●Be careful with what you e-mail (it goes across the Internet in the clear).
○A simple press release from the White House exposed the CIA’s Station Chief in Afghanistan

Page 38: IESBGA 2014 Cybercrime Seminar by John Bambenek

Now to Pick on the NSA

Page 39: IESBGA 2014 Cybercrime Seminar by John Bambenek

Still Picking on the NSA

Page 40: IESBGA 2014 Cybercrime Seminar by John Bambenek

Limiting Access to Systems

●Do your employees have laptops they bring home? Do you?
○Avoid familial use
○Practice good physical security

●Recreational use of systems can lead to infections (i.e. malvertising).

●All machines should require logging in with a password to use and should lock after 15 minutes of inactivity.

●Control who has access to the building.

Page 41: IESBGA 2014 Cybercrime Seminar by John Bambenek

Limiting Access to your Network

●Do you have a “guest” wireless network? Make it separate from internal business network.

●Wireless networks can be monitored from miles away, make sure yours is using WPA2 and passphrases at a minimum.

●Avoid having machines with direct internet access. Have them behind a firewall or router (most cable ISPs provide devices to do this already).

Page 42: IESBGA 2014 Cybercrime Seminar by John Bambenek

Sensitive Systems

●Consider having separate computers for use ONLY for sensitive business transactions like payroll or high-dollar transfers.

●Recreational use of a computer can lead to infections. If that system also processes payroll, now the bad guys have your payroll...

●Those systems need to be updated and secured too. Access should be limited to those who need access to execute those functions.

● If relevant, consider throwaway computers for guests.

Page 43: IESBGA 2014 Cybercrime Seminar by John Bambenek

Takeaways

●Limit access of employees to only what they need to know.

●Limit access to information from outside entities.

●Avoid familial use of computers.

●Have separate computers for sensitive business functions.

Page 44: IESBGA 2014 Cybercrime Seminar by John Bambenek

Item #5 - Use Strong Passwords

●Usually, your password is the key to your digital identity. If that is captured, now that person is you.

●Simple passwords are cracked easily. Even 8 character passwords of random characters can be cracked without too much effort.

●Secure passwords should be at least 12 characters and include uppercase, lowercase, numbers and special characters.

●Avoid password reuse between sites.

Page 45: IESBGA 2014 Cybercrime Seminar by John Bambenek

The 25 Worst Passwords of 2013 according to PCWorld

123456
password
12345678
qwerty
abc123
123456789
111111
1234567
iloveyou
adobe123
123123
admin
1234567890
letmein
photoshop
1234
monkey
shadow
sunshine
12345
password1
princess
azerty
trustno1
000000

Page 46: IESBGA 2014 Cybercrime Seminar by John Bambenek

Weak Passwords

●There are plenty of weak passwords beyond those on the last slide:

●Anything that is a dictionary word (or similar to one)
●Anything that is all numbers
●Anything that can be easily derived from you
●Anything that can be easily derived from the business
●Anything that’s less than 12 characters
●Anything not changed within 90 days

Page 47: IESBGA 2014 Cybercrime Seminar by John Bambenek

Password Re-Use

●One of the biggest causes of people having their accounts accessed is password re-use.

●Let’s say you comment on a blog, you register with your e-mail address and the password you use for everything.

● If a blog gets hacked, no one cares. But now they have your e-mail and a password, they try the password and are now in your e-mail.

●Your e-mail has everything you’ve signed up for, online banking, social media, perhaps work e-mail...

Page 48: IESBGA 2014 Cybercrime Seminar by John Bambenek

Password Reset Features

●Almost everything has a password reset feature to recover lost passwords automatically.

●The questions can usually be easy to guess if you know the person.
○Sarah Palin example.

●Make sure password resets send some notification, hopefully out-of-band (i.e. text message).

●Consider putting fake information in for password recovery questions.

Page 49: IESBGA 2014 Cybercrime Seminar by John Bambenek

How to Make a Strong Password

Passwords should be long (more than 12 characters) and contain upper & lower case, numbers and special characters.

Microsoft’s Advice:

Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.

Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son's birthday is 12 December, 2004 could become Mi$un's Brthd8iz 12124 (it's OK to use spaces in your password).

Relate your password to a favorite hobby or sport. For example, I love to play badminton could become ILuv2PlayB@dm1nt()n.

Page 50: IESBGA 2014 Cybercrime Seminar by John Bambenek

Use Unique Passwords

● If you don’t use the same password everywhere, one compromised account doesn’t compromise your entire digital identity.

● If the ideal of a unique password for everything is unmanageable, at least have 3:
○One for sensitive business use (i.e. payroll)
○One for general business use
○One as a throwaway (i.e. blogs, fantasy sports…)

●How to make strong, unique passwords:
○Msbi12/Dec,4### (where ### is some unique site identifier)
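The weak-password rules from the "Weak Passwords" slide and the re-use problem from the "Password Re-Use" slide, turned into a small audit you can run over a list of your own logins. This is an added example, not code from the deck; the word list, the character-substitution table and the sample accounts are constructed for illustration, and the two business logins follow the deck's "strong base + site identifier" scheme.

```python
import re
import string
from collections import defaultdict

# Constructed stand-in for a real dictionary; a deployment would load a full
# word list from a file. Entries are lowercase.
DICTIONARY = {"password", "monkey", "sunshine", "princess", "shadow", "letmein",
              "iloveyou", "admin", "qwerty", "welcome", "dragon", "photoshop"}

# Undo the substitutions people use to dress up a dictionary word (p@ssw0rd)
# so "similar to a dictionary word" is caught, not only exact matches.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def weak_password_reasons(password, personal=(), business=()):
    """Return the slide deck's weak-password rules that `password` breaks.
    `personal`/`business` hold strings an attacker could easily learn about you
    or the company (names, birthdays, company name). Empty list means it passes."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.isdigit():
        reasons.append("all numbers")
    lowered = password.lower()
    base = re.sub(r"[\d\W_]+$", "", lowered)   # drop "1", "!!", "2014" suffixes
    normalised = base.translate(LEET)
    candidates = {lowered, base, normalised, re.sub(r"[^a-z]", "", normalised)}
    if candidates & DICTIONARY:
        reasons.append("dictionary word (or a trivial variant of one)")
    haystack = lowered + " " + lowered.translate(LEET)
    for label, tokens in (("you", personal), ("the business", business)):
        hits = [t for t in tokens if len(t) >= 3 and t.lower() in haystack]
        if hits:
            reasons.append(f"easily derived from {label} ({hits[0]!r})")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        reasons.append("missing an upper/lower/number/special character class")
    return reasons


def audit_accounts(accounts, personal=(), business=()):
    """`accounts` maps a site name to its password. Returns {site: [problems]},
    flagging weak passwords and any password shared between sites."""
    by_password = defaultdict(set)
    for site, pw in accounts.items():
        by_password[pw].add(site)
    report = {}
    for site, pw in accounts.items():
        problems = weak_password_reasons(pw, personal, business)
        others = sorted(by_password[pw] - {site})
        if others:
            problems.append("same password as " + ", ".join(others))
        report[site] = problems
    return report


# Constructed sample: a small business owner's logins. The two business
# accounts use the deck's strong base "Msbi12/Dec,4" plus a site identifier.
SAMPLE_ACCOUNTS = {
    "bank-payroll": "Msbi12/Dec,4BNK",
    "supplier-portal": "Msbi12/Dec,4SUP",
    "webmail": "Acme2014!!",
    "blog-comments": "monkey",
    "fantasy-sports": "monkey",
    "old-router": "12345678",
}

if __name__ == "__main__":
    for site, problems in audit_accounts(SAMPLE_ACCOUNTS, ("Sarah",), ("Acme",)).items():
        print(f"{site}: {'OK' if not problems else '; '.join(problems)}")
```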

Page 51: IESBGA 2014 Cybercrime Seminar by John Bambenek

Never Share Your Password

●Avoid situations where you share your password with anyone, even coworkers.

●Try to have unique logins for each individual (can later be used to track if needed).

●How did Edward Snowden steal so much information?
○He asked coworkers for their passwords and used their access.

●Avoid shared accounts and escrow sensitive passwords in a safe.

Page 52: IESBGA 2014 Cybercrime Seminar by John Bambenek

Two-Factor Authentication

●Where possible, sensitive applications should use two-factor authentication.
○Something you have (i.e. cell phone) and something you know (i.e. password)

●Most banks offer this for commercial accounts.

●Many other services (like Gmail, Twitter and Facebook) will send text messages before letting you fully log in.

●This notifies you that your password is stolen while still limiting what an attacker can access.

Page 53: IESBGA 2014 Cybercrime Seminar by John Bambenek

Takeaways

●Have unique strong passwords for each application or site you use.

●Avoid password re-use and weak passwords.

●Everyone should have their own login.

●Use two-factor authentication for all sensitive business applications where possible.

Page 54: IESBGA 2014 Cybercrime Seminar by John Bambenek

Last Point

●Basic computer maintenance goes a long way towards security.

● If someone isn’t assigned in your office to maintain computers, having general tech support handy can help security.

●Having someone in office with basic computer support skills can work, better to invest in people than technology when it comes to security.

Page 55: IESBGA 2014 Cybercrime Seminar by John Bambenek

Remember these 5 things

●Employ Risk Management and Be Skeptical

●Keep Software Up-to-Date

●Have Backups and a Plan When Things go Wrong

●Limit Access to Resources and Information

●Use Strong and Unique Passwords

Page 56: IESBGA 2014 Cybercrime Seminar by John Bambenek

These slides available at: http://tinyurl.com/jcbiesbga

Questions?

John [email protected]