TUESDAY MAY 23, 2017, 2:00-3:15 PM
Too Little Too Late: Top Reasons Why You Got Hacked
MODERATOR: John Gross, Director of Financial Management, City of Long Beach, CA
SPEAKERS: Chad Alvarado, Supervisory Special Agent, Denver FBI Cyber Task Force; Robert Miller, Manager - Corporate Security, Sierra-Cedar, Inc.
#GFOA2017
SSA Chad Alvarado, Denver Field Office, May 23, 2017
Agenda (UNCLASSIFIED)
- A brief overview of the FBI mission and structure, and its role in cybercrime
- Current trends, including common criminal schemes and national security threats
- When to report an incident, how to report it, and what to expect from law enforcement
- Review of best practices and overview of the benefits of partnership with the FBI Denver Cyber Task Force
Agenda
- About Me
- What's the latest in trends
- Denial of Service
- Privilege Misuse
- Crimeware / Ransomware
- Takeaways
About Me: Robert Miller, Sierra-Cedar, Inc.
- One of the largest independent North American IT services companies
- Provider of PeopleSoft hosting services with over 50 hosted clients, including the State of Kansas, Ramsey County in Minnesota, the City of Milwaukee, Harvard University, and Arizona State University
- Currently supports more than 700 PeopleSoft, Hyperion, and E-Business Suite environments
- I am currently the Corporate Security Manager and support security and compliance activities for both US and overseas operations
- Over 12 years' experience working in the information security industry
- Manage a 7-person multinational team from the US, Canada, and India
- CISSP, GIAC GCFA, Carbon Black's Response Analyst, and Guidance Software's EnCE
Latest trends - 2017 Verizon DBIR
Denial of Service
Denial of Service
- Two types: Distributed Denial of Service (DDoS) and Telephone Denial of Service (TDoS)
- 98% targeted at larger organizations
- Attacks normally last only a couple of days
Detection and Prevention
- Does your network team have alerts set up to identify a DDoS/TDoS?
- Do the firewalls block packets based on rate limits?
- How much traffic can your network handle before it is impacted?
- Do your current devices (i.e. firewalls, IDS/IPS, load balancers, etc.) provide any protection?
- Do you have an agreement in place with a vendor in the event your company is impacted?
- Weigh the cost of having a solution in place vs. acquiring one while under attack
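Added example (not from the presentation): the first three questions above come down to one check, counting connections per source and in total over a short window and alerting before the capacity figure you measured is reached. The log line format, the IP addresses, and the thresholds are assumptions for the demonstration; the limits would be set from your own capacity measurements.

```python
"""Sliding-window rate alerts over constructed connection-log lines.

Added example, not the presenters' code. Each line is assumed to be
"<ISO-8601 timestamp> <source IP> <bytes>".
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 5      # look-back window for every check
PER_SOURCE_LIMIT = 20   # connections one source may open inside the window (assumed policy)
TOTAL_LIMIT = 25        # connections the whole edge can absorb inside the window (assumed capacity)


def parse_line(line):
    """Split one log line into (timestamp, source, bytes)."""
    ts, src, nbytes = line.split()
    return datetime.fromisoformat(ts), src, int(nbytes)


def build_sample_log():
    """Constructed sample: one source opens 30 connections in 3 s; two others behave normally."""
    lines = []
    for sec in range(3):
        lines += [f"2017-05-23T14:00:0{sec} 203.0.113.5 512"] * 10
    lines.append("2017-05-23T14:00:01 198.51.100.7 900")
    lines.append("2017-05-23T14:00:04 198.51.100.7 900")
    lines.append("2017-05-23T14:00:30 192.0.2.9 700")
    return lines


def detect_floods(lines, window=WINDOW_SECONDS,
                  per_source_limit=PER_SOURCE_LIMIT, total_limit=TOTAL_LIMIT):
    """Return alerts as (kind, source, count); each source and the total fire at most once."""
    per_source = defaultdict(deque)   # source -> timestamps still inside the window
    overall = deque()                 # every timestamp still inside the window
    alerts, fired = [], set()
    for ts, src, _ in sorted(map(parse_line, lines)):
        # drop timestamps that have fallen out of the look-back window
        for q in (per_source[src], overall):
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()
        per_source[src].append(ts)
        overall.append(ts)
        if len(per_source[src]) > per_source_limit and src not in fired:
            fired.add(src)        # candidate for a per-source rate limit on the firewall
            alerts.append(("source", src, len(per_source[src])))
        if len(overall) > total_limit and "*" not in fired:
            fired.add("*")        # capacity exceeded: time to call the DDoS mitigation vendor
            alerts.append(("total", None, len(overall)))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The per-source alert is what a rate-limiting firewall rule acts on; the total alert is the one that tells you the traffic has outgrown what your own devices can absorb, which is the point at which a pre-arranged vendor agreement matters.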
Privilege Misuse
Privilege Misuse
Threat actors:
- 81.6% - Internal
- 8.3% - Collusion
- 7.2% - External
- 2.9% - Partner
Why?
- Money
- Snooping
- Insider trading
- Starting a new company / new job
Detection can take years
Detection and Prevention
- Limit account access
- Confirm logging is enabled to identify this activity
- Configure alerts to be triggered for activity out of the ordinary:
  - Surge in emails to personal accounts with attachments
  - Large transfer of files to external devices (USB)
- Enable two-factor authentication
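Added example (not from the presentation): the two alert conditions above, a surge in attachments mailed to non-corporate addresses compared with a user's own baseline and a large volume copied to removable media, worked out over constructed activity records. The record layout, the corporate domain, the user names, and the thresholds are assumptions.

```python
"""Flag the two privilege-misuse indicators over constructed activity records.

Added example, not the presenters' code. Each record is (day, user, kind, detail):
kind "mail" carries the recipient of a message that had an attachment,
kind "usb" carries the number of bytes copied to removable media.
"""
from collections import defaultdict
from statistics import mean

CORPORATE_DOMAIN = "example.gov"   # assumed; any other recipient domain counts as personal/external
BASELINE_DAYS = [f"2017-05-{d:02d}" for d in range(15, 20)]   # five ordinary working days
TARGET_DAY = "2017-05-22"


def build_sample_events():
    """Constructed sample: jdoe's external mail jumps from 1/day to 8 and a 3.2 GB USB copy follows."""
    events = []
    for day in BASELINE_DAYS:
        events.append((day, "jdoe", "mail", "spouse@mail.example.com"))
        events += [(day, "msmith", "mail", "vendor@example.org")] * 2
        events.append((day, "msmith", "mail", "boss@example.gov"))   # internal, never counted
    events += [(TARGET_DAY, "jdoe", "mail", "jdoe.private@mail.example.com")] * 8
    events += [(TARGET_DAY, "msmith", "mail", "vendor@example.org")] * 3
    events.append((TARGET_DAY, "jdoe", "usb", 3_200_000_000))
    events.append((TARGET_DAY, "msmith", "usb", 40_000_000))
    return events


def external_attachment_counts(events):
    """Count, per (user, day), attachment mails that left the corporate domain."""
    counts = defaultdict(int)
    for day, user, kind, detail in events:
        if kind == "mail" and not detail.lower().endswith("@" + CORPORATE_DOMAIN):
            counts[(user, day)] += 1
    return counts


def flag_email_surges(events, baseline_days=BASELINE_DAYS, day=TARGET_DAY,
                      multiplier=3, floor=5):
    """Return (user, count_today, baseline_per_day) for users whose external
    attachment mail is above a floor and more than `multiplier` times their baseline."""
    counts = external_attachment_counts(events)
    users = {user for user, _ in counts}
    flagged = []
    for user in sorted(users):
        # defaultdict returns 0 for quiet days, so the baseline covers every day
        baseline = mean(counts[(user, d)] for d in baseline_days)
        today = counts[(user, day)]
        if today >= floor and today > multiplier * baseline:
            flagged.append((user, today, baseline))
    return flagged


def flag_usb_transfers(events, day=TARGET_DAY, byte_limit=1_000_000_000):
    """Return (user, bytes) for users who copied more than byte_limit to USB on `day`."""
    total = defaultdict(int)
    for d, user, kind, detail in events:
        if kind == "usb" and d == day:
            total[user] += detail
    return sorted((user, b) for user, b in total.items() if b > byte_limit)


if __name__ == "__main__":
    sample = build_sample_events()
    print("email surges:", flag_email_surges(sample))
    print("usb transfers:", flag_usb_transfers(sample))
```

The floor keeps a user who goes from zero to two messages from paging anyone, while the multiplier keeps a habitual heavy sender (msmith here) out of the alert; both numbers need tuning against your own logs, and the DLP or mail-gateway logs must actually record recipient addresses and attachment presence for the check to run.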
Crimeware / Ransomware
What is it?
Ransomware is a type of malicious software, or malware, which encrypts the data on a computer to prevent it from being accessed until a ransom is paid.
- Typically paid in Bitcoins
- Most commonly spread through:
  - spam emails
  - targeted phishing attacks
  - drive-by downloads
  - malware already on your computer
- Most common on Windows workstations
- Servers are affected indirectly when a user on their workstation has mapped drives or has an automated process that copies files from their machine to a server
How does it work?
1. Cybercriminal sends spam email with malicious document
2. User receives spam email with malicious attachment and opens it
3. Attachment is downloader malware that connects to URLs hosting the crypto-ransomware
4. The crypto-ransomware is downloaded onto the computer
5. Files in the affected computer are encrypted
6. A ransom message is displayed, stating the deadline and amount
7. Victims must use Tor browser to pay using Bitcoins
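Added example (not from the presentation): the two slides above describe a workstation encrypting files on a mapped drive, which is visible on the file server as a burst of writes from one user plus writes to files nobody legitimately edits. This constructed detector counts distinct files rewritten per user per minute and watches decoy ("canary") paths; the audit line format, the share paths, the ".locked" suffix, the user names, and the thresholds are all assumptions.

```python
"""Detect a ransomware-style write burst in constructed file-server audit lines.

Added example, not the presenters' code. Each line is assumed to be
"<ISO-8601 timestamp> <user> <operation> <path>".
"""
from collections import defaultdict
from datetime import datetime

# Assumed decoy files placed on the share; a write to one is an alert on its own.
CANARY_PATHS = {"/shares/finance/_do_not_touch.xlsx"}
# Distinct files one user may rewrite per minute before we alert (assumed threshold).
BURST_LIMIT = 25


def parse_audit_line(line):
    """Split one audit line into (timestamp, user, operation, path)."""
    ts, user, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, op, path


def build_sample_audit():
    """Constructed sample: msmith edits two files; jdoe's mapped drive is encrypted."""
    lines = [
        "2017-05-23T14:02:11 msmith write /shares/finance/budget.xlsx",
        "2017-05-23T14:03:40 msmith write /shares/finance/notes.docx",
        "2017-05-23T14:04:02 msmith read /shares/finance/budget.xlsx",
    ]
    # 40 files rewritten with a new suffix inside one minute, then the canary is hit
    for i in range(40):
        lines.append(f"2017-05-23T14:05:{i:02d} jdoe write /shares/finance/report{i}.docx.locked")
    lines.append("2017-05-23T14:05:45 jdoe write /shares/finance/_do_not_touch.xlsx")
    return lines


def detect_encryption_bursts(lines, burst_limit=BURST_LIMIT, canaries=CANARY_PATHS):
    """Return alerts as ("burst", user, count) or ("canary", user, path).

    Bursts fire once per user-minute, at the first write past the limit,
    so the responder learns which user's session to disconnect from the share.
    """
    per_minute = defaultdict(set)   # (user, minute) -> distinct paths written
    alerts = []
    for ts, user, op, path in map(parse_audit_line, lines):
        if op not in ("write", "rename"):
            continue                # reads are not evidence of encryption
        if path in canaries:
            alerts.append(("canary", user, path))
        key = (user, ts.replace(second=0, microsecond=0))
        per_minute[key].add(path)
        if len(per_minute[key]) == burst_limit + 1:
            alerts.append(("burst", user, burst_limit + 1))
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(build_sample_audit()):
        print(alert)
```

The burst counter needs the file server's object-access auditing switched on (the "confirm logging is enabled" point from the privilege-misuse slide applies here too), and the response that makes it worthwhile is automatic: drop the offending user's session so the rest of the share survives.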
Ransomware on the rise
99% sent by either email or web server
Takeaways
What You Can Do
Educate users
- Is your organization performing social engineering exercises on a regular basis?
- Does your security program require employees to attend and/or watch security awareness videos?
Network defenses
- Is your network team auditing the firewall rules on a consistent basis?
- Is your network segmented?
- Are you performing penetration tests against your network?
- Are you performing vulnerability scans on a regular basis?
- Is your IDS/IPS appliance configured to automatically block attacks?
- Is your security team monitoring IDS/IPS alerts and taking action?
Continued
Administration rights
- Limit local admin rights on workstations
- Restrict write permissions on file servers where applicable
- Has your organization disabled macro-enabled Office documents?
- Enable two-factor authentication
Email
- Review current email filtering rules
- Is your organization blocking and/or inspecting executables at the mail gateway?
Software patching
- What is your patch cycle?
- How does your organization handle newly released critical vulnerabilities?
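Added example (not from the presentation): the "inspecting executables at the mail gateway" and "macro-enabled Office documents" questions above, as one gateway check. It looks past the attachment's declared name at its content: a Windows executable starts with the bytes "MZ" whatever it is called, and an Office Open XML file is a zip archive whose macros live in a vbaProject.bin part. The message, addresses, and attachments are constructed in memory; the blocked-extension list is an assumption to be matched to your own policy.

```python
"""Inspect a mail message's attachments by content, not just by file name.

Added example, not the presenters' code. The sample message and its
attachments are constructed here; the extension policy is assumed.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy: extensions the gateway never delivers, including macro-enabled Office formats.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".docm", ".xlsm", ".pptm"}


def is_pe_executable(data):
    """Windows executables (EXE/DLL/SCR) begin with the DOS 'MZ' signature."""
    return data[:2] == b"MZ"


def has_vba_project(data):
    """Office Open XML documents are zip archives; a vbaProject.bin part means macros are present."""
    if data[:2] != b"PK":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_message(msg):
    """Return (filename, reason) for every attachment the gateway should hold."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension"))
        elif is_pe_executable(data):
            findings.append((name, "executable content under benign name"))
        elif has_vba_project(data):
            findings.append((name, "macro-enabled Office document"))
    return findings


def inspect_raw(raw_bytes):
    """Parse the message as a gateway would receive it, then inspect it."""
    return inspect_message(message_from_bytes(raw_bytes, policy=policy.default))


def build_sample_message():
    """Constructed invoice-themed message with one benign and three unwanted attachments."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.net"
    msg["To"] = "ap@example.gov"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # 1. benign: PDF-looking bytes under a .pdf name
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # 2. an executable renamed to look like a PDF
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="statement.pdf")
    # 3. a macro-enabled document saved under the plain .docx name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="contract.docx")
    # 4. a script file caught by the extension policy alone
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="tracking.js")
    return msg


if __name__ == "__main__":
    for finding in inspect_raw(build_sample_message().as_bytes()):
        print(finding)
```

Content checks are what make the extension list worth having: a blocked extension is trivially renamed, while the MZ header and the vbaProject.bin part are what the payload needs in order to run at all. Archive attachments would need the same inspection applied to each member, which this example does not do.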
Continued
Application whitelisting
- Do you have a software application that will prevent unwanted applications from running?
Logging
- Do you have a SIEM that correlates all of your logs?
Further Reading and Resources
Verizon's yearly analysis of global security incidents: http://www.verizonenterprise.com/verizon-insightslab/dbir/2017/