NMT Presentation Edited

Transcript of NMT Presentation Edited

Health and Human Services Secure One RFP
RFP Number: HHSP2332009OCISO

Cybersecurity: Addressing Threats and Securing Data

Presented by Eric Beasley
Information Security Consultant
MBL Technologies

Why does this matter to you?

Commercial entities are targeted with increasing frequency (Sony, Home Depot, Target, Anthem).
Besides causing direct damage by exposing sensitive information, there is indirect damage.
Every company has some sort of sensitive information, regardless of the quantity of digital records.

Agenda

Computer Based Attacks and Mitigation
Human Based Attacks and Mitigation
Continuity of Operations Planning
Attack Prevention
Data Breach Response

Computer Based Attacks

Denial of Service (DoS)
Structured Query Language (SQL) Injection
Cross Site Scripting (XSS)

Denial of Service

Simple attack that shuts down a website server
No threat to company data
Loss of business during downtime
Loss of consumer confidence

Distributed Denial of Service

A large network of computers (100,000+) tries to access a single site
No threat to company data
Loss of business during downtime
Loss of consumer confidence
Often used by low-skill activists

SQL Injection

Attacker can log into a website without the correct username or password
Common attack vector; consistently in the top three
Attacker types something like "blah" or "x=x" into the password field
Company data can be stolen from the website if administrative access is gained

Image created by XKCD
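The login bypass described on the slide above, shown as an added Python example (not code from the presentation or from MBL Technologies). It builds a throwaway SQLite table with one constructed user, then compares a login query assembled by string concatenation with the same query written with placeholders; the quote-and-tautology string is the "x=x" style input the slide refers to. The table, user and password are constructed for the demo, and the password is stored in plaintext only to keep the example short; a real system stores salted password hashes.

```python
import sqlite3

# Constructed in-memory user table for the demo; not data from the presentation.
# Plaintext password kept only for brevity; real systems store salted hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The statement is built by string concatenation, so whatever the user
    # types becomes part of the SQL itself. A quote in the password field can
    # close the string literal and append its own condition to the WHERE clause.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the statement and the values travel separately, so the
    # values are compared as data and can never change the statement's structure.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both login functions against normal input and the tautology input."""
    conn = make_db()
    tautology = "' OR 'x'='x"   # the "x=x" style password the slide mentions
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vulnerable_wrong": login_vulnerable(conn, "alice", "blah"),
        # Concatenation: WHERE username = 'alice' AND password = '' OR 'x'='x'  -> always true
        "vulnerable_tautology": login_vulnerable(conn, "alice", tautology),
        # No valid username is needed either; the OR clause still makes the row match.
        "vulnerable_no_such_user": login_vulnerable(conn, "nobody", tautology),
        # Parameterized: the same string is compared literally against the stored password.
        "parameterized_tautology": login_parameterized(conn, "alice", tautology),
        "parameterized_correct": login_parameterized(conn, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

The parameterized version is the standard fix: it needs no list of forbidden characters, because the database never parses user input as SQL.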

Cross Site Scripting (XSS)

Attacker adds unauthorized code to a server, which is distributed to any other person who visits the site
Common attack vector; consistently in the top three
Successful attack allows user credentials to be intercepted, browser history and cookies to be read, and malware to be installed

Image from: http://www.chmag.in/article/aug2010/advance-xss-attacks-dom-based

Mitigation

(Distributed) Denial of Service
Load balanced web servers
Update web servers weekly
Anti-(D)DoS software utilities

SQL Injection/XSS
Sanitize your input! Prevent users from typing special characters into forms like username and password (? = [] {} * $ %)
Ensure web designer knows best coding practices
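The output-encoding side of "sanitize your input", as an added Python example that is not from the presentation. It renders a user comment two ways, raw and through html.escape, and also implements a filter that rejects exactly the characters listed on the slide, to show what such a denylist does and does not catch: it stops the "x=x" input from the SQL Injection slide because that input contains "=", but the classic script-tag payload contains none of the listed characters and passes through. Output encoding (and, for SQL, parameterized queries) does not depend on guessing every dangerous character. The comment text, author and payload are constructed.

```python
import html

# The character denylist exactly as listed on the mitigation slide.
SLIDE_DENYLIST = set("?=[]{}*$%")


def passes_slide_filter(value):
    """True if the input contains none of the characters the slide lists."""
    return not (set(value) & SLIDE_DENYLIST)


def render_comment_vulnerable(author, text):
    # Untrusted text dropped straight into the page: the browser treats any
    # tag inside it as markup, which is how a stored XSS payload executes for
    # every later visitor.
    return "<p><b>" + author + "</b>: " + text + "</p>"


def render_comment_safe(author, text):
    # Output encoding: <, >, &, " and ' become entities, so the browser
    # displays the characters instead of interpreting them.
    return ("<p><b>" + html.escape(author, quote=True) + "</b>: "
            + html.escape(text, quote=True) + "</p>")


def demo():
    """Compare the slide's denylist with output encoding on two constructed inputs."""
    sql_tautology = "' OR 'x'='x"                  # from the SQL Injection slide
    xss_payload = "<script>alert('xss')</script>"  # constructed, deliberately harmless
    return {
        "filter_blocks_tautology": not passes_slide_filter(sql_tautology),
        "filter_blocks_script_tag": not passes_slide_filter(xss_payload),
        "raw_contains_script": "<script>" in render_comment_vulnerable("bob", xss_payload),
        "escaped_contains_script": "<script>" in render_comment_safe("bob", xss_payload),
        "escaped_html": render_comment_safe("bob", xss_payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A denylist is a guess at which characters matter; escaping at the point of output and parameterizing at the point of query work regardless of what the input contains, and they do not break legitimate users whose names or passwords happen to include a listed character.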

Conduct security scans to check for vulnerabilities
Port scans
Nessus
WASA

Questions?

Social Engineering

Clip from the film Hackers, property of United Artists/MGM

The Human Element

Formerly known as con-artists, grifters, swindlers, hustlers, scammers, or charlatans.

Modern hackers have incorporated the lessons learned from all of the above to increase the effectiveness of computer-based attacks.

Templeton Face Peck
Kevin Mitnick

Examples:
Windows Support Center
IRS Tax Return Scams
Nigerian Prince 419 Phishing
"Your account has been deactivated"
Fake Mobile Applications

Vishing

Attacker calls pretending to be someone they are not, feigning a position of authority.
Common scams involve government agencies, Microsoft, financial institutions.
May include realistic threats.
Victims are targeted based on demographic data.
Businesses and private individuals can be targeted.

Anatomy of a Tech Support Scam:
Attacker convinces victim there is a virus on their computer.
Victim allows attacker to remotely access computer.
Attacker then installs malware and asks for $ to fix computer.

Phishing

Source: http://www.it.cornell.edu/security/phish.cfm?doc=578

Fake e-mail that directs user to a method of stealing credentials.
Can be generic or targeted (spearphishing).
First step of a large-scale data breach; opens the door to the corporate network.
Software utilities to mitigate do exist, but the only reliable prevention is employee training.

Physical Security

Just as important as antivirus protections.
Physical access to any computer system will always lead to a data breach.
A Windows account password does not protect the hard drive.
Security requires a layered approach. Physical security is the outer ring.
Locked doors and fences merely delay an attacker, they do not prevent the attack.

A thorough security plan utilizes a ring structure for defense. Like a medieval castle, you create multiple layers for an attacker to penetrate.

Questions?

We've been Hacked!

What to do?

Refer to your company's Continuity of Operations Plan (COOP), which should cover data breaches, system inaccessibility, and the processes your company has developed to mitigate any damage.

Or did your company's Continuity of Operations Plan forget to include computer-based disasters?

Continuity of Operations Plan

Mitigating the damage from a computer based attacker starts when designing the company IT infrastructure.

Did you follow best practices for system design?
Did you use encryption to store sensitive information?
Did you create a password standard to prevent birthday/dictionary attacks?
Did you back up all data to an off-site location?
Did you document the backup restore procedures?
Did you analyze your business needs and decide between a hot, warm, or cold backup site?
Does your IT support (in-house or outsourced) have 24/7 support to enact your COOP and restart your business?

Attack Prevention

Antivirus: Including Mac.
Firewall: On each individual computer and at your network boundary.
Updates: Install at least once a week. Or for standard desktops, have updates installed automatically.
Best Coding Practices: Don't hire the boss's 2nd year Computer Science major to create an online storefront.
Least Required Privileges: Make sure employees only have access to the computer data and resources they need to do their job.

It's called a critical update for a reason!
Image created by XKCD

Attack Prevention (cont'd)

Multi-Factor Authentication: Something you know, something you are, something you have.
Password Standards: Minimum 8 characters, upper case, lower case, number, and symbol.
Encryption: Can be used on entire hard drive or individual files. Only as secure as the password.
Shredders: Shred and destroy all paper containing company information.
Wipe Old Hard Drives: Shredder for data. Have IT destroy the drives. Can be software overwrite, degausser, or physical destruction.

Image created by XKCD
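A checker for the password standard on the slide above, as an added Python example (not the presenter's code). The composition rules are the ones the slide lists; the common-password list, which addresses the dictionary attacks mentioned in the COOP checklist, is a small constructed stand-in for a real breached-password list. The function returns the rules a candidate fails, so an empty list means the password is accepted.

```python
import re

# Constructed stand-in for a breached/common-password list; a real deployment
# would check against a large published list rather than this handful.
COMMON_PASSWORDS = {"password", "password1", "welcome1!", "qwerty123", "summer2015!"}

# Each rule is (description, predicate). The first five are the slide's standard;
# the last one is the dictionary-attack check from the COOP checklist.
POLICY = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("an upper-case letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a lower-case letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("a digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("a symbol", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
    ("not a common password", lambda p: p.lower() not in COMMON_PASSWORDS),
]


def check_password(candidate):
    """Return the descriptions of every policy rule the candidate fails."""
    return [name for name, rule in POLICY if not rule(candidate)]


def is_acceptable(candidate):
    """True when the candidate passes every rule in POLICY."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample candidates: one weak, one that satisfies every
    # composition rule but is on the common list, and one that passes.
    for sample in ("password", "Summer2015!", "Tr0ub4dor&3"):
        failures = check_password(sample)
        print(f"{sample!r}: {'accepted' if not failures else 'needs ' + ', '.join(failures)}")
```

The second sample is the reason for the dictionary check: "Summer2015!" satisfies every composition rule on the slide yet is exactly the kind of password a dictionary attack tries first, so a standard should screen candidates against known-common passwords and not rely on character classes alone.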

You will be hacked

No matter how much you invest in security, you will experience a data breach (Snowden).
The only people that can give away sensitive information are the people who have access to it.
Public relations and marketing can change the narrative by saying the glass is half-full.
Offering credit monitoring to people whose data was stolen is good for public image.
Most companies do not publicly acknowledge data breaches until long after the breach, if ever. Unless the hacker takes public credit, years can pass before official acknowledgement.

It only takes one pesky vulnerability for a system to crash

Questions?

No knowledge is a detriment.
A little knowledge is dangerous.
One-hour presentations do not make you a cybersecurity expert.
Security audits are like financial audits: they check for solid business footing.
The more reliant on computers your business is, the more necessary effective security measures are.
How much is your company data worth?

Bottom line: Consult the experts!

Further Information:
MBL [email protected]
http://www.mbltechnologies.com/

Eric Beasley
Information Security [email protected]