TSX - Security 101 for Brokers


Security 101 for Brokers

May 10, 2016


Purpose

• Increase CSIO member security awareness
• Explore security audits
  o Key components
  o Benefits


Agenda

• Define some key security terms
• Scan current cyber threat landscape
• Quick tips - how to protect yourself
• Going beyond the basics: security audits
  o What are they?
  o Why do one?
  o CSIO example
• Questions


TSX Webinar Presenters

Sheldon Wasylenko
General Manager, Rayner Agencies; Board Member, CSIO

Hans Gantzkow
Senior Architect, CSIO


Interesting Security Statistics

• According to digital security company Gemalto, at least 59 data breaches involving more than 40 million records occurred in Canadian companies in 2015.
• Cybercriminals unleash 3.5 new threats targeting small and medium businesses every second. (Canadian Lawyer)
• In a 2015 Forrester survey, only 55% of Canadians indicated that they think their financial providers are committed to protecting their personal privacy and security.


Malware

• Software that is installed and executes without your knowledge or consent.
• Broad category: includes viruses, Trojans, worms, spyware, ransomware.
• Malware can damage or disable the computer and affects the performance of your system.


Spam/Phishing

• Spam: anonymously emailed, unsolicited and unwanted by its recipient, typically distributed en masse.
• Phishing is a specific type of spam that poses as a trustworthy organization to solicit personal information.
• Attackers often take advantage of current events and certain times of year.

Video: https://www.youtube.com/watch?v=9TRR6lHviQc


Social Engineering

• Biggest threat to organizations today.
• An attacker will use human interaction and/or social skills to obtain information.
• They may be unassuming, respectable, authentic, credible.

Video: https://www.youtube.com/watch?v=1byRtf2r-B8


Current Cyber Threat Landscape


Malware

Source: Symantec, 2015 Internet Security Threat Report, Key Findings




Social Media Scams

In 2014, Symantec observed that 70 percent of social media scams were manually shared, meaning cybercriminals are tricking people into scamming their friends.


Mobile

Mobile was also ripe for attack, as many people only associate cyber threats with their PCs and neglect even basic security precautions on their smartphones. In 2014, Symantec found that 17 percent of all Android apps (nearly one million total) were actually malware in disguise. Additionally, grayware apps, which aren’t malicious by design but do annoying and inadvertently harmful things like track user behavior, accounted for 36 percent of all mobile apps.


Mobile Users

1 in 4 admitted they did not know what they agreed to give access to on their phone when downloading an application. 68% of users were willing to trade their privacy for nothing more than a free app.


Zero day vulnerabilities


Heartbleed

The Heartbleed security bug, disclosed in April 2014, affected many businesses, including the Canada Revenue Agency, which revealed that at least 900 social insurance numbers were compromised. The attack exploited a standardized, commonplace security protocol that had not been implemented correctly or maintained with the most current updates and patches. By now, most websites have successfully patched the Heartbleed bug to eliminate the vulnerabilities. But the lesson from Heartbleed is that regular patching of your infrastructure (not just your website) is required – those who do not maintain regular patching remain at risk.


Internet-Enabled Automobiles

Patching of vulnerabilities is not limited to basic computer systems anymore; the Internet of Things (IoT) is changing that. Security researchers demonstrated in July 2015 that they could remotely hack a 2014 Jeep Cherokee to disable its transmission and brakes. “When you put technology on items that haven’t had it before, you run into security challenges you haven’t thought about before.”

Source: WIRED, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/


Notable Data Breaches 2015


CareFirst BlueCross BlueShield

Breach discovered as part of a security review. All in all, 1.1 million members had their names, birth dates, email addresses and subscriber information compromised, but member password encryption prevented cybercriminals from gaining access to Social Security numbers, medical claims, employment, credit card and financial data.


Army National Guard

The July data breach of the Army National Guard was the result of an improperly handled data transfer to a non-accredited data center by a contract employee. The breach possibly exposed the Social Security numbers, home addresses and other personal information of approximately 850,000 current and former National Guard members. This highlights the importance of having strong security practices for internal threats, including those posed by third-party contractors.


Ashley Madison

When the online affair site was breached, hackers released millions of names and email addresses of Ashley Madison users. 37,000,000 affected users.

Root cause: poor password use by developers and users.


NSA (technically this occurred in 2013)

Edward Snowden is a former National Security Agency subcontractor who made headlines in 2013 when he leaked top secret information about NSA surveillance activities.

Snowden "may have persuaded between 20 and 25 fellow workers" to give him their logins and passwords "by telling them they were needed for him to do his job as a computer systems administrator".

Lessons learned: Grant user entitlements appropriately and keep them updated. Managing and monitoring privileged users is necessary.


Targets and Threats

Targets
• Customer names, addresses, credit card numbers
• IP, strategies, financial data
• Employee names, salary, roles
• Strategies, project plans, IP
• Assets: computers, laptops, files
• Reputation attacks

Threats
• Hackers/cyber criminals
• Competitors
• Disgruntled customers
• Terrorists
• Rogue states/gov’t
• Organized crime
• Employees/business partners


Quick tips - how to protect yourself


Protection

Malware:
• Don’t download content from dubious or unknown websites.
• Avoid or keep a close eye on downloads made over P2P networks. Do not use P2P networks at work.
• Keep antivirus programs up-to-date.


Protection

Spam/phishing:
• Be wary of emails asking for confidential information, especially financial information. Legitimate organisations will never request sensitive information via email.
• Don't get pressured into providing sensitive information. Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information.
• Be sure to contact the merchant directly to confirm the authenticity of their request.


Protection

Spam/phishing: Watch out for generic-looking requests for information. Fraudulent emails are often not personalised, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with "Dear Sir/Madam", and some come from a bank with which you don't even have an account.
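The phishing indicators from the two slides above (generic greeting, a request for confidential or financial information by email, pressure or a threat to disable an account, and a sender you hold no account with) turned into a simple triage check over incoming mail. This is an added example, not part of the CSIO deck; the keyword lists, the sample messages and the known-institution domain are constructed for illustration.

```python
import re

# Indicator lists constructed from the slide's tips; illustrative, not an exhaustive filter.
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear valued customer", "dear user")
SENSITIVE_REQUESTS = ("password", "credit card", "account number", "social insurance number")
URGENCY_PHRASES = ("account will be disabled", "suspended", "within 24 hours", "immediately")


def sender_domain(from_header):
    """Extract the lower-cased domain from a From header such as 'Name <user@example.com>'."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def score_phishing(email, known_domains):
    """Score one email (dict with 'from', 'subject', 'body'); returns (score, reasons), one point per indicator."""
    text = (email["subject"] + "\n" + email["body"]).lower()
    reasons = []
    if any(g in text for g in GENERIC_GREETINGS):
        reasons.append("generic, non-personalised greeting")
    asks_sensitive = any(s in text for s in SENSITIVE_REQUESTS)
    if asks_sensitive:
        reasons.append("asks for confidential or financial information by email")
    if any(u in text for u in URGENCY_PHRASES):
        reasons.append("pressures you with urgency or a threat to disable the account")
    if asks_sensitive and sender_domain(email["from"]) not in known_domains:
        reasons.append("sender is not an institution you actually hold an account with")
    return len(reasons), reasons


# Constructed sample messages (not real emails) and the domain this reader actually deals with.
KNOWN_DOMAINS = {"brokerbank.example"}
SAMPLES = [
    {"from": "Security <alerts@brokerbank-verify.example>",
     "subject": "Urgent: verify your account",
     "body": "Dear Customer,\nYour account will be disabled within 24 hours unless you confirm your password and account number."},
    {"from": "Jane Doe <jane@brokerbank.example>",
     "subject": "Renewal paperwork",
     "body": "Hi Sheldon,\nAttached is the signed renewal for the policy ending 4471. No action needed."},
]


def triage(samples=SAMPLES, known_domains=KNOWN_DOMAINS, threshold=2):
    """Return (subject, flagged, reasons) per message; flagged when score >= threshold."""
    results = []
    for msg in samples:
        score, reasons = score_phishing(msg, known_domains)
        results.append((msg["subject"], score >= threshold, reasons))
    return results


if __name__ == "__main__":
    for subject, flagged, reasons in triage():
        print(f"{'REVIEW' if flagged else 'ok    '} {subject}: {'; '.join(reasons) or 'no indicators'}")
```

A score is only a prompt to verify with the institution through a channel you already trust, as the slide says; a legitimate renewal notice from a known domain scores zero here, while the constructed lure fires all four indicators.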


Protection

Social Engineering:
• Be wary of emails, instant messages and phone calls from unsolicited people such as service providers.
• Verify the source of the message before giving out any information.
• Go slow and pay keen attention to fine details in emails and messages. Never let the urgency in an attacker’s message cloud your judgment.


Protection

Additional tips:
• Reject requests for online tech support from strangers, no matter how legitimate they may appear.
• Secure your computer space with a strong firewall and up-to-date antivirus software, and set your spam filters to high.
• Patch software and operating systems for zero-day vulnerabilities. Follow up on patch releases from your software providers and patch as soon as humanly possible.


Protection

Ad blocking:
• Ads are 182 times more likely to give you a virus than visiting an adult website, according to Cisco.
• Surf faster: block online advertising that slows down your web browsing.
• Save bandwidth: ad blockers save bandwidth by not downloading intrusive ads.


Show Ghostery example


Security audits - going beyond the basics


Why do a security audit

• The only way to truly know how secure your organization is, is to test.
  o Measure the efficiency of current defenses.
  o Identify gaps in your existing defenses.
  o Input to help quantify your organization's risk exposure.
• Having a second set of eyes check out a critical computer system is a good security practice.


Key questions asked during a security audit

1. What processes do we have in place to identify and repair system vulnerabilities?
2. How are we protecting the data we have stored in the cloud?
3. Do we have an information security strategy and policy?
4. How can we improve upon our cyber governance and controls?
5. Do we have a response protocol to mitigate damage in the event of a cyber-attack?

Source: Grant Thornton LLP


Typical components of a security audit

• Scope
  o Governance/policy review (paper)
  o Penetration testing (hardware/software)
  o Social engineering (humans)
• Output
  o Audit report


Key policies to be aware of

Policy: Short description

Password Management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, etc.

Clean desk policy: Set guidelines to reduce the risk of a security breach, fraud, and information theft caused by documents being left unattended.

Credit Card Processing: Outline the acceptable handling and processing of cardholder data used at CSIO.

Vulnerability Management: Policy and procedures for managing patches.

System Acquisition, Development and Maintenance Policy: Helps drive security planning efforts when starting a new IT project.

Risk Management: The identification, assessment, and prioritization of risks. Involves attributing Likelihood and Impact. See Cisco: http://www.cisco.com/web/about/security/intelligence/mysdn-social-engineering.html

Incident Management: Policy to identify, analyze, and correct hazards to prevent a future recurrence.

5 key policies:
• Password Management
• Bring your own device
• Clean Desk
• *Credit Card Handling Security
• Risk Management


Penetration Testing

• Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.
• Testing the ability of network defenders to successfully detect and respond to the attacks.


Social Engineering Testing

• Used as a way to test an organization's so-called "human network."
• Social Engineering Testing helps answer the following questions:
  o How susceptible is our company to social engineering attacks?
  o Are our physical security controls working against an onsite attacker?
  o Are our email filters catching targeted phishing emails?
  o How effective is our security awareness training?


Audit Report

• Executive summary stating the security posture of the organization.
• Summary of gaps
  o Source of threat
  o Probability of exploitation
  o Impact of the exposure
  o Recommended actions/fixes
• Cyber liability insurance: a typical CGL policy covers liability for physical damage to tangible rather than electronic property, like buildings, vehicles and equipment. For intangible property like data, a separate cyber liability policy or an endorsement to the CGL would come into play.


Learn More: Create a CSIO Member Account

Free Member Resources:
• Broker Corner
• Advisory Hub
• White papers & videos

Twitter: @CSIO
Email: info@csio.com


Thank you for attending our Talk, Share, eXchange!

A link to the recorded webinar will be emailed to all participants shortly. Stay tuned for the next TSX! Visit CSIO.com


Appendix – Malware examples

Rootkits

These are programs designed to hide objects, such as processes, files or Windows Registry entries. This type of software is not malicious in itself, but is used by malware creators to cover their tracks in infected systems. There are types of malware that use rootkits to hide their presence on a system. Similarly, these programs go hand-in-glove with the new cyber-crime malware dynamic: for malware to be exploited for financial gain, stealth is vitally important. Rootkits enable malware to remain hidden on a computer for much longer without being detected.


Appendix – Malware examples continued

Exploits

This is a technique or program that exploits a security flaw (a vulnerability) in a certain communication protocol, operating system or IT tool.

This flaw allows operations that can cause abnormal functioning of the application and can be caused intentionally by malicious users, allowing them to execute code remotely, launch denial of service attacks, disclose information or escalate privileges.


Appendix – Malware examples continued

Adware

Adware programs display advertisements associated with the products or services offered by the creator of the program or third parties. Adware can be installed in a number of ways, on some occasions without users’ consent, and either with or without users’ knowledge of its function. The classification of this type of program is controversial, as there are those who consider it a type of spyware. While this may be true to a certain extent, adware programs, as such, are not used with criminal intent, but to advertise products and services, and the information collected does not include users’ bank details, but web pages visited or favorites, etc.


Appendix – Malware examples continued

Dialers

Generally, a dialer tries to establish a phone connection with a premium-rate number.

However, dialers only affect computers that use a modem to connect to the Internet, as the dialer modifies the phone and modem configuration, changing the number provided by the ISP (Internet Service Provider), which is normally charged at local rates, for a toll-rate number. This type of malware is gradually disappearing as the number of users with modem connections decreases.


Appendix – Malware examples continued

Cookies

Cookies are small text files stored on a computer by the Internet browser when visiting web pages. The information stored by cookies has a number of objectives: it can be used to personalize web pages, to collect demographic information about visitors to a page or to monitor statistics of banners displayed, etc.

For example, in the case of a user that frequently visits a certain web page, the cookie could remember the user name and password used to log in to the page. Though cookies do not pose a risk by themselves, malicious use by other software could threaten affected users’ privacy, as cookies can be used to create user profiles with information that the user is unaware of, and sent to third parties.


Appendix – Educational Links

Security videos – about 3-5 mins each
• Phishing: https://www.youtube.com/watch?v=9TRR6lHviQc
• Creating Passwords: https://www.youtube.com/watch?v=aEmF3Iylvr4
• Social Engineering: https://www.youtube.com/watch?v=1byRtf2r-B8


Appendix – Educational Links

Security videos – about 3-5 mins each, from Lynda.com
• http://www.lynda.com/Security-tutorials/Evaluating-risks-threats-vulnerabilities/410329/430046-4.html
• http://www.lynda.com/Security-tutorials/Adhering-principle-least-privilege/410329/430047-4.html
• http://www.lynda.com/Security-tutorials/Recognizing-social-engineering/410329/430048-4.html
• http://www.lynda.com/Security-tutorials/Minimizing-attack-surface/410329/430049-4.html
• http://www.lynda.com/Security-tutorials/Avoiding-worms-viruses/410329/430052-4.html
• http://www.lynda.com/Security-tutorials/Understanding-Trojans/410329/430053-4.html
• http://www.lynda.com/Security-tutorials/Protecting-your-system-from-spyware/410329/430054-4.html
• http://www.lynda.com/Security-tutorials/Recognizing-secure-websites/410329/430058-4.html

