How NOT To Get Hacked


How NOT To Get Hacked
The right things to do so the bad guys can't do the wrong ones
Mark Burnette, Partner, LBMC - Risk Services
October 25, 2016

Today's Agenda
- Protecting Against A Hack: How should I start?
- 5 Frequent Attack Targets/Vectors: What should I consider?
- Countermeasures & Defenses
- Summing It Up: Wait, what? One more time!
- Free Bonus - Personal Online Security: Because everybody loves free bonuses!

What You Are Not Protecting

What You ARE Protecting

Planning A Cyber Security Strategy
In order to implement proper defenses, you must:
- Identify the potential targets (asset inventory)
  - Data (PII, PHI, CHD, intellectual property, etc.)
  - Systems (end-user PCs, servers, etc.)
- Assess the risk to each target
  - Consider the effectiveness of existing controls
  - Likelihood x Impact = Risk
- Evaluate the organization's risk appetite
  - Many factors can impact risk acceptance or mitigation
- Manage risk to an acceptable level
  - Deploy defenses to address the biggest risks
  - Fully eliminating risk is unreasonable in most cases
August 24, 2016

Identify The Target(s)
- Create or update an inventory of systems and data
  - Seek to know tomorrow what you don't know today
- Ensure sensitive data and critical systems are properly labeled
- Consider any compliance obligations (HIPAA, PCI, etc.)
  - This helps users and operators understand their obligations

Assess The Risks
- There are many risk assessment methodologies available to help with this
- Most important: Do something!
  - Ignorance is not an acceptable defense
  - Ambivalence can be a warning sign
- Consider your weaknesses
  - Controls can offset some risk exposure
Here's a look at some common weaknesses/exploits, and how to defend against them.

The Evolution of Attacks
- Today's threats have evolved as defenses have evolved
  - Firewalls and operating systems are more secure
  - Many organizations have basic protections in place
- Many targets of attack have moved outside the traditional network perimeter
- Opportunistic attacks vs. targeted attacks
- Many hacking tools are freely available
- Hackers have unlimited time to execute an attack
  - If the low-hanging fruit isn't easily accessible, they try new vectors

Weakness 1: Endpoint Attacks
- O/S patching is better, but still often lacking
  - Windows XP
- Inadequate asset management (remember that asset inventory?)
- Third-party software is often overlooked by IT departments, presenting an attack vector
  - Adobe Reader
  - Java (Active Content)
  - Internet browsers (Chrome, Firefox, IE, etc.)
- The attacker may deliver a malicious payload or entice a user to visit a website
  - Code runs with the user's privileges
  - The website can install a hook onto the target computer
  - Windows computers may provide a password hash

Endpoint Attack Countermeasures
While nothing can be done to completely prevent these types of attacks, there are several things that can reduce an organization's susceptibility, including:
- Spam filter, with sensitivity turned up
- Strong egress filters on the network
- Up-to-date anti-virus/anti-malware on EVERY endpoint
- Network intrusion prevention capabilities (with threat intelligence)
- Remove local administrator rights on workstations
- Require IT admins to use separate accounts for supporting servers
- Security awareness training for all personnel
Multi-factor authentication is one of the most effective defenses against remote user account attacks.

Weakness 2: Application Based Attacks
As organizations have gotten better at hardening networks and operating systems, attackers have turned to applications for new attack vectors:
- Error handling
- Cross-site scripting
- Buffer overflows
- SQL Injection

Application Security Countermeasures
- Develop application coding standards that include security considerations
  - OWASP, SafeCode Principles, security API
- Integrate secure coding requirements into the SDLC
- Include security checks/testing in the QA process
  - Peer reviews if necessary
- Train developers in secure coding techniques
- Hold third-party developers accountable for secure coding techniques
  - Contract provisions, independent validation reports
- Conduct routine application security testing and remediate
  - Dynamic
  - Static
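As an added example (not from the presentation), here is the kind of rule a secure coding standard encodes for the SQL injection and error-handling weaknesses listed above: the string-splicing lookup beside the parameterized one, using Python's built-in sqlite3. The table, usernames and inputs are constructed for this example.

```python
import sqlite3

def build_db():
    """Constructed in-memory table for this example (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """The pattern a coding standard forbids: untrusted input spliced into SQL text.

    A quote in the input changes the query: a legitimate name like o'brien makes it
    fail (an error-handling weakness), and a crafted value changes what it returns.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    """The hardened form: the driver binds the value as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def compare(username):
    """Run both lookups on one input; None means the vulnerable query failed outright."""
    conn = build_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error:
        vulnerable = None
    return vulnerable, lookup_parameterized(conn, username)

if __name__ == "__main__":
    # The third input is the textbook tautology used in every secure-coding course.
    for name in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(name), "->", compare(name))
```

The parameterized lookup returns exactly one row for a real name with a quote in it and no rows for the crafted value, which is the behaviour a dynamic or static test in the QA process should assert.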

Weakness 3: Third Party Security
- Third parties are a very common vector of attack and vulnerability
  - They do not necessarily enforce the same level of security on your data that you do
  - Many third-party agreements are codified between business people with minimal security acumen or awareness
- Data that is stored on the Internet on service providers' systems must be secured
  - Salesforce.com, Amazon AWS, Dropbox, Box.com, Sugar Sync, etc.
  - Users may be using these services today to store sensitive data
  - Once data leaves your control, it is difficult to protect it
- Many regulations require companies to enforce security measures on third-party providers

Third Party Security Countermeasures
- Create a policy governing the use of cloud-based services
  - ID & label sensitive data, and encrypt before uploading if possible
  - Train users to understand their responsibilities and acceptable use
- Develop and maintain an inventory of third-party providers
  - Seek to know tomorrow what you don't know today
- Where possible, use contract language to require that adequate security measures be enforced by the service provider, and include penalties for non-compliance
  - Require a security sign-off in the project management process & legal review
- Require third parties to provide or cooperate with a security assessment annually
- Periodically re-assess risks related to third-party providers and adjust the program accordingly

Weakness 4: Mobile Device Security
- The capabilities of today's mobile devices and the lack of robust built-in protections make them a common target
- The issue is much greater than the device just being lost or stolen
  - Mobile devices are typically outside the network's secure perimeter
  - Sensitive data on the devices is the target
  - E-mail, accessible cloud services, side-loaded data, or corporate apps may all have interesting data
  - Current mobile device attacks are difficult to detect
- Users may be using devices not approved or provisioned by the company
  - OWA may allow connections
  - Users may sync sensitive data without the organization's knowledge

Mobile Device Countermeasures
- Create a mobile device security policy
  - Address the stance on BYOD
  - Require PIN/password, encryption, device locking
  - Train users on their responsibilities
- Enforce restrictions on mobile device connections whenever possible
  - OWA lockdown
  - Create a separate wireless network for guests and devices
- Maintain a list of approved mobile devices (hello, asset inventory!)
  - Third-party software tools can also help enforce restrictions
- Restrict downloading of non-approved apps to devices that have sensitive data
  - Even App Store apps may steal data

Weakness 5: Passwords
Passwords remain the most widely-used authentication mechanism to a private computer environment:
- Provides user accountability
- Proves that the user is who she says she is
- Protects the user and the company
- Provides access to the company's sensitive information (authorization)
As long as passwords are the primary method of authentication to an IT system, companies will struggle to effectively protect data.

The Key To Security: Passwords
Multi-factor authentication is the single best way to defend against bad passwords.

Password Security Countermeasures
- Require regular password changes (at least every 90 days)
- Use at least an 8-character minimum length
- Require strong passwords (letter, number, special character)
- Train users in good password selection techniques
  - Easy to remember, difficult to guess
  - Consider a passphrase
- Enforce account lockouts after 5 bad login attempts
- Change default passwords on all systems
- Harden computer systems using industry standards
  - Microsoft Windows legacy authentication is easy to crack
- Educate users to use unique passwords for each online site
- When possible, use strong (multi-factor) authentication
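The lockout rule above is also something a log review can check after the fact. As an added example (not from the presentation), this replays a constructed authentication log against the "5 bad login attempts" threshold and reports accounts that should have been locked and any attempts recorded after that point; the log format, accounts and addresses are all made up for this example.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # the deck's rule: lock out after 5 bad login attempts

# Constructed sample authentication log for this example (not from the presentation).
SAMPLE_LOG = """\
2016-10-25T09:00:01 FAIL user=bob src=10.0.0.5
2016-10-25T09:00:03 FAIL user=bob src=10.0.0.5
2016-10-25T09:00:04 FAIL user=alice src=10.0.0.9
2016-10-25T09:00:05 OK user=alice src=10.0.0.9
2016-10-25T09:00:06 FAIL user=bob src=10.0.0.5
2016-10-25T09:00:08 FAIL user=bob src=10.0.0.5
2016-10-25T09:00:09 FAIL user=bob src=10.0.0.5
2016-10-25T09:00:11 FAIL user=bob src=10.0.0.5
2016-10-25T09:00:12 OK user=bob src=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def review_log(text, threshold=LOCKOUT_THRESHOLD):
    """Replay an auth log against the lockout rule.

    Returns (should_have_locked, attempts_after_lockout): which accounts reached
    the threshold and when, and how many later attempts (failures or successes)
    the log shows for them. A later success means the lockout was not enforced.
    """
    consecutive_failures = defaultdict(int)
    should_have_locked = {}
    attempts_after_lockout = defaultdict(int)
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines this parser does not understand
        timestamp, outcome, user, _src = match.groups()
        if user in should_have_locked:
            attempts_after_lockout[user] += 1
            continue
        if outcome == "OK":
            consecutive_failures[user] = 0  # a real login resets the counter
            continue
        consecutive_failures[user] += 1
        if consecutive_failures[user] >= threshold:
            should_have_locked[user] = timestamp
    return should_have_locked, dict(attempts_after_lockout)
```

In the sample, bob's fifth consecutive failure at 09:00:09 should have locked the account, yet two further attempts follow and the last one succeeds: the exact gap a lockout policy exists to close.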

How Can A Company Reduce Security Breaches?
- Identify, inventory, and label sensitive data and systems
  - Know what you have
- Develop and implement system hardening guidelines
  - Change default passwords, restrict running services
- Patch ALL computer systems (don't forget third-party patches)
- Develop & implement robust security policies & standards
  - Secure coding standards
- Educate employees on security risks
  - Awareness training
- Monitor the environment
  - Intrusion detection, log review, FIM, etc.
- Periodically evaluate controls and security
  - Risk assessments, penetration testing, current state assessments
  - Vulnerability Management Program
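The FIM (file integrity monitoring) item under "Monitor the environment" reduces to a hash baseline and a later comparison. As an added example (not from the presentation), this builds a small constructed directory, records a known-good baseline, makes three unauthorized changes and reports them; the file names and contents are made up for this example.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def baseline(root):
    """Map every file under root (path relative to root) to its SHA-256: the known-good state."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = hash_file(full)
    return snapshot

def compare(known_good, current):
    """Report what changed between two snapshots; every entry needs a human to explain it."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in set(known_good) & set(current)
                           if known_good[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        seed = {"etc/hosts": b"127.0.0.1 localhost\n",
                "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                "app.cfg": b"debug=false\n"}
        for rel, data in seed.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        known_good = baseline(root)
        # Three kinds of unauthorized change: edited config, new file, deleted file
        with open(os.path.join(root, "app.cfg"), "ab") as f:
            f.write(b"debug=true\n")
        with open(os.path.join(root, "etc", "unexpected.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare(known_good, baseline(root))
```

In practice the baseline is stored somewhere the monitored host cannot alter it and the comparison runs on a schedule, so the "added", "removed" and "modified" lists become alerts for the log review.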

Bonus: Tips for personal online security
- Use a different password for every online account
- Use a password vault (LastPass, OnePassword, Dashlane)
- Configure key accounts for two-step verification (Apple, Google, PayPal, Facebook, LinkedIn, Dropbox)
- Don't provide personal information to social media sites (online birthday)
- Don't store sensitive information in free cloud accounts (Dropbox)

Bonus: Tips for personal online security (continued)
- Don't send sensitive information via email (home refinances are the worst!)
- Use an up-to-date operating system on your personal computer and patch it monthly (or more often)
- Choose strong passwords (randomly generated, or a passphrase)
- See if you have been hacked: www.haveibeenpwned.com
- Expect to be phished; be vigilant

Mark Burnette
mburnette@lbmc.com
(615) 309-2447
Thanks, and Stay Secure!