
Understanding the First Line of Defense in Cyber Security

Understanding the First Line of Defense in Cyber Security. Troy Wilkinson CEO – Axiom Cyber Solutions. Just being connected to the internet makes any company interesting to cyber criminals.


Presentation Transcript


  1. Understanding the First Line of Defense in Cyber Security Troy Wilkinson CEO – Axiom Cyber Solutions

  2. Just being connected to the internet makes any company interesting to cyber criminals. Any company connected to the internet is a resource that can be exploited by criminals because of the data it holds. Phil Huggins, VP of Security Science - Stroz Friedberg

  3. Emerging Threats • Ransomware • Internet of Medical Things (IoMT) • Phishing / Business Email Compromise • Distributed Denial of Service (DDoS) Attacks

  4. Emerging Threats

  5. Emerging Threats – Ransomware In 2016 there was a 6,000% spike in ransomware attacks. (IBM Security, December 2016)

  6. WannaCry • Leveraged a Microsoft Windows SMBv1 vulnerability (EternalBlue, fixed by MS17-010). • The patch was released in March 2017, but many organizations had not applied it by the May outbreak. • 200,000 infected computers in one week. • $4 billion in damages so far.

  7. Emerging Threats – Ransomware Hollywood Presbyterian Medical Center in Southern California acknowledged paying a $17,000 ransom in February 2016 to regain control of its systems after an attack that had kept critical systems offline for two weeks. “You have just 7 days to send us the Bitcoin or we will remove your private keys and it’s impossible to recover your files.” Leaders of the L.A. Community College decided to pay the $28,000 ransom.

  8. Ransomware Delivery Mechanisms

  9. Ransomware code is getting more complex, but its targeting is consistent: • Most ransomware encrypts user files such as: • Text documents • Spreadsheets • Pictures • Other user data • It leaves system files intact, so the machine still boots and can display the ransom demand.

  10. Ransomware Prevention is a Layered Approach • Backup technology is crucial to protecting critical data. • On site, off site, and hybrid cloud solutions; at least one copy must be offline or otherwise unreachable from an infected host, or the backups get encrypted along with everything else. • Endpoint protection. • Antivirus / Antimalware • Endpoint Detection and Response (application white list / black list) • Network Monitoring and SIEM • The enterprise immune system. • Behavioral analytics and correlation. • Next Generation Firewall with layered integration. • Looking for ransomware command-and-control traffic. • Behaviors, Heuristics, Signatures, Rules, Protocols, etc.
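The "behavioral analytics" layer on the slide above is rarely shown in concrete form. The following is an added example, not code from the presentation or from Axiom Cyber Solutions, of the single most reliable ransomware behavior to key on: one process renaming many user documents to a foreign extension within a few seconds. The event-log format and the sample lines are constructed assumptions standing in for whatever EDR or file-audit source you actually have.

```python
"""Behavioral ransomware heuristic: a burst of user-document renames to a
new extension by one process. Added example; the event log format is an
assumption standing in for whatever EDR or audit source you really have."""
from collections import defaultdict, deque
import ntpath

USER_DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}
WINDOW_SECONDS = 10.0   # sliding window per process
RENAME_THRESHOLD = 5    # suspicious renames inside the window before alerting

# Constructed sample (fields: seconds pid process op path [new_path]).
# Normal Word editing, a system write, then one process renaming user
# documents to ".locked" within a second of each other. Paths contain no
# spaces here; a real source needs a proper delimiter.
SAMPLE_LOG = r"""
100.0 4120 WINWORD.EXE WRITE C:\Users\ann\Documents\budget.docx
101.5 4120 WINWORD.EXE RENAME C:\Users\ann\Documents\~tmp1.tmp C:\Users\ann\Documents\budget.docx
102.0 9001 svchost.exe WRITE C:\Windows\System32\config\SYSTEM
200.0 7777 updater.exe WRITE C:\Users\ann\Documents\budget.docx
200.1 7777 updater.exe RENAME C:\Users\ann\Documents\budget.docx C:\Users\ann\Documents\budget.docx.locked
200.2 7777 updater.exe RENAME C:\Users\ann\Documents\notes.txt C:\Users\ann\Documents\notes.txt.locked
200.4 7777 updater.exe RENAME C:\Users\ann\Pictures\kids.jpg C:\Users\ann\Pictures\kids.jpg.locked
200.5 7777 updater.exe RENAME C:\Users\ann\Documents\q3.xlsx C:\Users\ann\Documents\q3.xlsx.locked
200.7 7777 updater.exe RENAME C:\Users\ann\Documents\deck.pptx C:\Users\ann\Documents\deck.pptx.locked
200.8 7777 updater.exe RENAME C:\Users\ann\Documents\tax.pdf C:\Users\ann\Documents\tax.pdf.locked
"""


def parse_event(line):
    """Return (ts, pid, process, op, path, new_path) or None for blank/short lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    new_path = parts[5] if len(parts) > 5 else None
    return float(parts[0]), int(parts[1]), parts[2], parts[3], parts[4], new_path


def suspicious_rename(op, path, new_path):
    """True when a user document is renamed to an extension outside the user set."""
    if op != "RENAME" or new_path is None:
        return False
    old_ext = ntpath.splitext(path)[1].lower()
    new_ext = ntpath.splitext(new_path)[1].lower()
    return old_ext in USER_DOC_EXT and new_ext not in USER_DOC_EXT


def detect_ransomware(log_text, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
    """Alert once per pid when >= threshold suspicious renames land inside `window` seconds."""
    recent = defaultdict(deque)   # pid -> deque of (ts, old_ext) still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        ts, pid, process, op, path, new_path = event
        if not suspicious_rename(op, path, new_path):
            continue
        q = recent[pid]
        q.append((ts, ntpath.splitext(path)[1].lower()))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({
                "pid": pid,
                "process": process,
                "renames": len(q),
                "window_start": q[0][0],
                "extensions_hit": sorted({ext for _, ext in q}),
                "new_ext": ntpath.splitext(new_path)[1].lower(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware(SAMPLE_LOG):
        print(alert)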

  11. Emerging Threats: IoMT

  12. What is the IoT, and why should I care? • Smart, connected devices in homes, businesses and cars. • Everything from lightbulbs, access doors, printers, CCTV, RFID cards, scopes, infusion pumps, pacemakers and so on. • Present unique challenges to security and BC/DR. • Typically can’t be protected with traditional means: they run no endpoint agent (agentless). • Can be the entry point for access to your organization. • Security was an afterthought in the design phase; time to market came first.

  13. Devices Everywhere! • Frost & Sullivan estimate that the IoMT market will grow to $72 billion by 2021. • IoMT is the new battlefield for cybersecurity. Hackers are racing to find zero days while security professionals are racing to patch against them. • There is no security standard for device development.

  14. Boundaries disappear, everything is connected.

  15. IoMT Security Requires a Multi-tiered Approach • Assume the device is not secure out of the box. If there is a way to change the default username and/or password, change it (sometimes there isn’t). • Keep an accurate inventory of all devices on your network. Through software tools, constantly scan for new devices. • A constantly updated NGFW is required to prevent hackers leveraging IoT vulnerabilities to gain access to your network; put the devices on their own network segment so the firewall actually sits between them and everything else. • The enterprise immune system. Network monitoring and behavioral analysis to detect IoT compromises early.

  16. Case Study: Abbott (St. Jude) Cardiac Devices • In January 2017 the FDA confirmed a vulnerability that would allow attackers access to pacemakers and defibrillators. • Once inside, an attacker could deplete the battery, administer incorrect pacing, or even deliver shocks. • Access was gained through a compromised Merlin@home transmitter rather than the implant directly; the FDA reported no known exploitation against patients.

  17. Emerging Threats – DDoS

  18. 71% increase in DDoS attacks since Q3 2015 (Akamai State of the Internet Security Report, 2016). DDoS attacks greater than 100 Gbps increased 140% from Q4 2015 (same report). Longest DDoS attack of 2016 lasted 292 hours (12.2 days) (Kaspersky, 2016).

  19. SYN/ACK Flood: the attacker sends a stream of TCP SYNs from spoofed sources; the server answers each with a SYN/ACK and holds a half-open connection until its backlog is exhausted and legitimate clients can no longer connect.

  20. DNS Amplification Attack: EDNS0 and DNSSEC = 70:1 amplification. The attacker sends small queries (around 60 bytes) to open resolvers with the victim’s address as the spoofed source; because EDNS0 allows large UDP replies and DNSSEC-signed records pad the answer, each response delivered to the victim can be roughly 70 times the size of the query.

  21. Command & Control

  22. Botnets.

  23. DDoS Mitigation • Depends on the business case. • e-Retail and web-based (application) mitigation will require cloud-based and carrier upstream mitigation. • If you have a 10 Gbps circuit and are hit with an 11 Gbps attack, no on-premise solution can help; the pipe is full before your appliance sees a packet. • Corporate enterprises are deploying a hybrid approach, leveraging cloud-based technologies along with on-premise appliances. • Appliances must be able to withstand the attack for failover to work; redundant circuits won’t help if the primary is saturated and cannot fail over. • DDoS is often a precursor to other attacks, or a smoke screen. • Ransomware, network mapping, payload injection, etc.
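The two attack slides above (SYN/ACK flood, DNS amplification) describe the mechanics; what the monitoring layer actually looks for is the pattern each leaves in flow data. The following is an added example, not code from the presentation, that applies both checks to constructed flow records: a per-target half-open ratio for SYN floods, and unsolicited large responses from port 53 for amplification, with the 70:1 figure recovered from the assumed 60-byte EDNS0 query. The record shape, the sample flows and the thresholds are assumptions; a real deployment reads NetFlow/IPFIX or pcap.

```python
"""Flow-level detection of a SYN flood and a DNS amplification attack.
Added example, not from the presentation. Flow records are constructed
tuples (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, bytes)."""
from collections import defaultdict

EDNS0_QUERY_BYTES = 60   # assumed size of the small spoofed EDNS0 'ANY' query


def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker has to send."""
    return response_bytes / request_bytes


def build_sample_flows():
    """Constructed traffic: normal web clients, a SYN flood, and reflected DNS."""
    flows = []
    # Five legitimate clients: SYN then ACK from the same source (handshake completes).
    for i in range(1, 6):
        flows.append(("tcp", f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443, "S", 60))
        flows.append(("tcp", f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443, "A", 52))
    # SYN flood: 200 SYNs from spoofed sources that never complete the handshake.
    for i in range(200):
        flows.append(("tcp", f"10.0.{i}.7", 1024 + i, "203.0.113.10", 443, "S", 60))
    # DNS amplification: 40 open resolvers each deliver a ~4 KB answer to the
    # victim, which never queried them (the attacker did, with a spoofed source).
    for i in range(40):
        flows.append(("udp", f"192.0.2.{i + 1}", 53, "203.0.113.20", 33333, "-", 4200))
    # One genuine lookup by the victim, so the detector must tell solicited from not.
    flows.append(("udp", "203.0.113.20", 50000, "192.0.2.250", 53, "-", 60))
    flows.append(("udp", "192.0.2.250", 53, "203.0.113.20", 50000, "-", 120))
    return flows


def detect_syn_flood(flows, min_half_open=100, min_ratio=0.8):
    """Per (dst_ip, dst_port): sources that sent SYN but never ACKed back."""
    syn_peers = defaultdict(set)
    ack_peers = defaultdict(set)
    for proto, sip, sport, dip, dport, flags, _ in flows:
        if proto != "tcp":
            continue
        key = (dip, dport)
        if flags == "S":
            syn_peers[key].add((sip, sport))
        elif "A" in flags:
            ack_peers[key].add((sip, sport))
    alerts = []
    for key, peers in syn_peers.items():
        half_open = peers - ack_peers[key]
        ratio = len(half_open) / len(peers)
        if len(half_open) >= min_half_open and ratio >= min_ratio:
            alerts.append({"target": key, "half_open": len(half_open), "ratio": round(ratio, 3)})
    return alerts


def detect_dns_amplification(flows, min_resolvers=20, min_avg_bytes=1000):
    """Large responses from port 53 that no query from the victim explains."""
    queries = set()                 # (client_ip, client_port, resolver_ip) the victim sent
    responses = defaultdict(list)   # victim_ip -> [(resolver_ip, client_port, bytes)]
    for proto, sip, sport, dip, dport, _, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 53:
            queries.add((sip, sport, dip))
        elif sport == 53:
            responses[dip].append((sip, dport, nbytes))
    alerts = []
    for victim, items in responses.items():
        unsolicited = [(r, b) for r, port, b in items if (victim, port, r) not in queries]
        if not unsolicited:
            continue
        resolvers = {r for r, _ in unsolicited}
        avg = sum(b for _, b in unsolicited) / len(unsolicited)
        if len(resolvers) >= min_resolvers and avg >= min_avg_bytes:
            alerts.append({"victim": victim, "resolvers": len(resolvers),
                           "avg_response_bytes": avg,
                           "est_amplification": round(amplification_factor(EDNS0_QUERY_BYTES, avg), 1)})
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print(detect_syn_flood(sample))
    print(detect_dns_amplification(sample))
```

The half-open ratio matters as much as the count: a popular site sees many SYNs, but most complete. The DNS check deliberately keys on "response with no matching query" rather than on size alone, which is what distinguishes reflection from a busy resolver.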

  24. Case Study: Boston Children’s Hospital • Days-long attack in 2014. • Waged by a hacktivist group that opposed a patient being held at the hospital against her parents’ wishes. • Reached about 30 Gbps of attack traffic. • Interrupted the hospital’s ability to use the internet, phone system and electronic health record system.

  25. Emerging Threats: Sophisticated Phishing Schemes

  26. Today’s phishing schemes have a much higher success rate.

  27. More targeted, more sophistication, more success. • Very few, if any, spelling errors. • Highly targeted, generally at an assistant or administrator. • Sense of urgency, with repercussions if not handled quickly. • Looks and feels legitimate. • Attackers have researched the target carefully so the lure coincides with real-world events.

  28. Phishing prevention. • Educate employees, train them, test them. • Use phishing-simulation software or cloud services to run that training and testing. • Use updated anti-spam filters for the company email. • Use blacklist technology to block URLs (links).
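"Blacklist technology to block URLs" sounds like a lookup, but the links in the targeted mail described on the previous slide are built to pass a naive one. The following is an added example, not code from the presentation, that runs three checks over the links in a message body: a blocklist match that also catches subdomains, punycode decoding so a look-alike host is visible, and a mismatch between the domain the link text shows and the one the href goes to. The blocklist, the sample message and the two-label "registered domain" rule are constructed for illustration.

```python
"""Link checks for inbound mail: blocklist match, punycode look-alike host,
and display-text/href mismatch. Added example, not from the presentation.
The blocklist, the sample message and the naive registered-domain rule are
constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist; in production this is a vendor or threat-intel feed.
BLOCKLIST = {"secure-payroll-update.example", "evil.example"}

# Constructed phishing message: urgency, a link whose text shows the real HR
# host while the href goes elsewhere, and a punycode look-alike domain.
SAMPLE_EMAIL = """\
<p>Payroll system update required today. Log in at
<a href="https://login.secure-payroll-update.example/sso">https://hr.corp.example/sso</a>
before 5pm or access will be suspended.</p>
<p>Support portal: <a href="https://support.corp.example/">support.corp.example</a></p>
<p>Tracking: <a href="http://xn--pple-43d.com/track">track your order</a></p>
"""

# A bare domain or URL host appearing in the visible link text.
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def hostname(url):
    """Lowercase host with punycode decoded so look-alikes become visible."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registered_domain(host):
    """Naive last-two-labels rule; real code should use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def is_blocked(host):
    return any(host == entry or host.endswith("." + entry) for entry in BLOCKLIST)


def analyze_links(html_body):
    """Return [(href, [reasons])] for links worth blocking or flagging."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = hostname(href)
        reasons = []
        if is_blocked(host):
            reasons.append("host on blocklist")
        if not host.isascii():
            reasons.append("non-ASCII host after punycode decode (look-alike risk)")
        shown = DOMAIN_RE.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href, reasons)
```

The text/href mismatch check is the one that survives a fresh domain the blocklist has never seen; the other two only catch what is already known or already suspicious on its face.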

  29. Case Study: Augusta University Medical Center Phishing Compromise • Multiple faculty members were fooled by an authentic-looking email that delivered a malicious payload. • 6,100 patient records were affected. • Notification protocols ensued. • A costly forensic investigation was launched. • They were not able to fully determine the scope of PII access.

  30. Cyber Attack Response (the NIST SP 800-61 incident response lifecycle) • Preparation • Monitor & Detect & Analyze • Containment/Eradication & Recovery • Post Incident Analysis/Documentation

  31. Visible Impacts of Cyber Attacks • Attorney Fees • Breach Notification • Regulatory Fees • Technical Investigations

  32. 95% of the impacts of cyberattacks are “below the surface” or hidden Deloitte

  33. Hidden Impacts of Cyber Attacks • Insurance Premium Increase • Operational Disruption • Recovery Effort • Post Incident Cybersecurity Investment • Loss of Customer Relationships • Loss of reputation • Loss of Intellectual Property

  34. Impact Timeline • Immediate Impact • Customer Notification • Impact 1-2 years • Customer complaints & credit monitoring • Impact 3-5 years • Recovering lost customer relationships • Loss of investment and/or potential revenues

  35. Cybersecurity Fundamentals • Endpoint Protection – Updated, Monitored, Managed • Edge Protection – Updated, Monitored, Managed • Network Monitoring • Backup, Backup, Backup • Redundancy – Eliminating Single Points of Failure

  36. How are Cyber Security issues plaguing the healthcare industry? • Data breaches • Patient or employee information requiring disclosure and monitoring. • Intellectual property. Patents or trade secrets. • Rogue employees. Looking for revenge or monetization. • Operational impact • Shutdown of operations. • Loss of productivity and profits. • Ransomware • Holding your data hostage for money.

  37. Cybersecurity protection is like insurance. • We must understand that prevention is the cheapest way to protect against threats; once an attack is underway you are paying for response and recovery instead. • Most organizations don’t believe they are a target, when in fact nearly every internet-connected business in the world has been scanned or targeted by hackers (online scanners map the whole address space). • Some organizations do not see the value of assessments, but we must understand the true cost of not being prepared.

  38. The true cost of not being prepared • Code Spaces, Nirvanix, and MyBizHomePage are three $100M+ companies that went out of business after a major cyber attack. • Just like the Equifax breach, complacency cost these companies. • We can no longer have a head-in-the-sand approach to cyber protections.

  39. What can be done? • Most executives and stakeholders don’t know where to start. • Assessments, compliance, remediation and strategic planning are the cornerstones of a solid cybersecurity strategy. • We must start somewhere. Generally assessments are the first step. • Ensure we have the fundamentals covered: antivirus, firewall, backups and network monitoring.

  40. Why assessments first before hardware and software?

  41. Why assessments first before hardware and software? • Most hackers make their way in undetected. • Average time inside the organization before detection is 6 months (dwell time). • Without monitoring the right information, hackers can remain undetected. • There is generally no outward indication of intrusion.

  42. IT is not Security. The IT department is the biggest risk to your organization’s cybersecurity. • 9 times out of 10, our clients say “We have an IT department” as a means of conveying cyber protections. • IT staffers are generalists, often with little or no cybersecurity knowledge or experience. • They are not trained in how to hunt threats within an organization nor how to actively monitor for intruders. • IT staff are presenting organizations with a false sense of security. • IT departments are the root cause of the global pandemic of cyber attacks, through willful ignorance and in order to protect their jobs. (WannaCry)

  43. Independent, outside analysis. • Just like in financial auditing, you would not trust your on-staff accountants to audit your annual report. • IT teams work to cover up vulnerabilities, single points of failure, and incidents to protect their job. • Until now, they have worked unobserved and have been allowed to make policy and manage technology systems with no oversight. • Because executives are likely not technologically inclined, they trust the IT staff to honestly assess, implement, and review protections in place.

  44. Trusting the fox with the hen house.

  45. Assessments – Compliance • Compliance audits and assessments match the criteria set by the compliance body against the results of your assessments. • Reports reflect the degree to which the organization is compliant with each requirement. • Perpetual assessments are generally necessary to prove ongoing compliance. • Any deficiencies must be documented, and remediation steps must progress towards compliance.

  46. Assessments – Vulnerability and Penetration Testing • Generally used synonymously, but they are very different. • Vulnerability assessments start the path to understanding your infrastructure (network mapping and asset discovery). • Vulnerability assessments show deficiencies and provide a road map to fix them. • Penetration testing is a real-world hacking exercise to determine how susceptible the organization is to exploits. • Annual penetration testing, with vulnerability scanning far more often than annually (several compliance regimes require at least quarterly scans), is good cyber hygiene and keeps an organization on track with its cyber protections.

  47. Assessments – Vulnerability • Vulnerability assessments begin with an accurate inventory of technology assets. • Most organizations are unaware of the number of assets currently on their network. • A topology map is designed showing the flow of information within the organization. This can be quite complex if the organization is multi-location, multi-national, etc. • Every item of technology will be assessed for vulnerabilities.

  48. Assessments – Vulnerability • Every item of technology will be assessed for vulnerabilities. • Computers, workstations, laptops, tablets. • Servers: Linux / Windows / macOS / UNIX, etc. • WiFi controllers and access points. • Storage arrays: SAN, DAS, SAS, etc. • Switches and routers. • Firewalls and network security devices. • Cloud infrastructure and the connection to it. • IoT devices will be mapped and documented.
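Both the IoMT slide earlier ("constantly scan for new devices") and the two vulnerability-assessment slides above rest on the same step: an inventory you can diff a fresh scan against. The following is an added example, not code from the presentation, that loads a baseline inventory, parses a scan, and reports new, missing and moved devices, tagging unknown devices by MAC prefix so a biomedical device showing up on a workstation VLAN is triaged first. The baseline CSV, the "ip mac" scan format and the OUI hint table are all constructed; real prefixes come from the IEEE registry, and an ARP sweep only sees the local subnet, so routed segments need SNMP, DHCP logs or an agent-based source feeding the same diff.

```python
"""Asset inventory diff: compare a fresh network scan against the baseline
inventory and surface new, missing and moved devices. Added example; the
baseline CSV, the scan format and the OUI hint table are constructed."""
import csv
import io

BASELINE_CSV = """\
mac,ip,hostname,owner,role
00:11:22:33:44:01,10.20.1.10,ws-radiology-01,IT,workstation
00:11:22:33:44:02,10.20.1.11,ws-radiology-02,IT,workstation
00:11:22:33:44:03,10.20.1.20,prn-radiology,IT,printer
aa:bb:cc:00:00:01,10.20.2.50,pump-ward3-a,Biomed,infusion_pump
"""

# Constructed scan output, one "ip mac" pair per line (what an ARP sweep of
# the local subnet gives you; routed segments need SNMP, DHCP logs or an agent).
SCAN_OUTPUT = """\
10.20.1.10 00:11:22:33:44:01
10.20.1.12 00:11:22:33:44:02
10.20.2.50 aa:bb:cc:00:00:01
10.20.2.51 aa:bb:cc:00:00:09
10.20.1.77 de:ad:be:ef:00:01
"""

# Hypothetical OUI prefixes; a real table comes from the IEEE registry.
OUI_HINTS = {"aa:bb:cc": "medical device vendor (hypothetical OUI)"}


def load_baseline(text):
    """mac -> row dict from the inventory CSV (MACs normalised to lowercase)."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["mac"].lower(): row for row in rows}


def parse_scan(text):
    """mac -> ip from 'ip mac' lines; a later line wins if a MAC repeats."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            seen[parts[1].lower()] = parts[0]
    return seen


def vendor_hint(mac):
    """First three octets identify the vendor; unknown prefixes are still worth a look."""
    return OUI_HINTS.get(mac[:8], "unknown vendor")


def diff_inventory(baseline, scan):
    """New = seen but not inventoried; missing = inventoried but not seen; moved = IP changed."""
    new = [{"mac": m, "ip": ip, "hint": vendor_hint(m)}
           for m, ip in scan.items() if m not in baseline]
    missing = [{"mac": m, "hostname": r["hostname"]}
               for m, r in baseline.items() if m not in scan]
    moved = [{"mac": m, "hostname": baseline[m]["hostname"],
              "old_ip": baseline[m]["ip"], "new_ip": scan[m]}
             for m in baseline if m in scan and scan[m] != baseline[m]["ip"]]
    return {"new": sorted(new, key=lambda d: d["ip"]), "missing": missing, "moved": moved}


if __name__ == "__main__":
    report = diff_inventory(load_baseline(BASELINE_CSV), parse_scan(SCAN_OUTPUT))
    for section, items in report.items():
        print(section, items)
```

Run it on a schedule and treat every "new" entry as a ticket: either it gets an owner and a role in the baseline, or it gets isolated. A "missing" device that is a pump or a scope is also a finding, since it may simply have moved to a segment you are not scanning.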
