Be More Secure Than Your Competition: 5ish Steps. Presented Monday, June 3, 2019. Who is Art Ocain? What is MePush? MSP: Managed Service Provider. MSSP: Managed Security Service Provider. What we do: network, server, and workstation management; managed compliance, auditing, and remediation.
Who is Art Ocain? What is MePush?
• MSP: Managed Service Provider
• MSSP: Managed Security Service Provider
• What we do:
• Network, server, and workstation management
• Managed compliance, auditing, and remediation
• Firewall and security incident management
• Helpdesk and support
• Web design and management
• Who we are:
• 20 people strong!
• Most of our techs have 10-20 years of experience.
• All techs are Microsoft certified professionals.
• Many of our techs also have certifications from VMware, Veeam, Cisco, Google, and CompTIA.
• Current President/COO
• Business-minded tech with 20 years of experience
• Love designing & architecting solutions
• Went to UMD for Math
• Married, father of 3 (another on the way), and have a farm
• Interested in permaculture, sustainability, environment
• Weightlifter and competitor in strength sports
Agenda
• Compliance vs security: not the same
• Scared by statistics
• STEP 1: Basic training and awareness
• STEP 2: Protecting intellectual property and fraud-proof people
• STEP 3: Physical controls
• STEP 4: Plan for the inevitable
• STEP 5: Basic security controls
Compliance & Security
• Compliance and security are NOT the same.
• Being PCI, HIPAA or NIST compliant does NOT mean you are secure.
• Being secure does NOT mean you are compliant.
• Compliance: conforming to a rule, policy, standard, or law.
• Changes periodically with regulations (annually up to every decade)
• Checklists and documentation
• IT controls (standard countermeasures)
• Security: making sure you don’t get hacked or infected.
• Changes every day
• Understanding that there is no such thing as 100% secure/unhackable.
Diagram (labels only, under the heading Compliance & Security): Business Leaders, Productivity, Operations, Security, Compliance, Security Nerds, Audit, Risk Management.
Threats:
• Economic/political instability
• Market collapse
• Government regulations
• Corporate espionage: China, costing US companies >$57 billion a year [1]
• Environmental changes/hazards: hurricane, fire, flood, blizzard
• Previous and current employees
• Terrorists and vandals
• Power failure [other supplier failure]
• Ransomware and other viruses
[1] Sullivan, Laura. “As China Hacked, U.S. Businesses Turned A Blind Eye.” NPR, April 2019. https://www.npr.org/2019/04/12/711779130/as-china-hacked-u-s-businesses-turned-a-blind-eye
Cybersecurity Threats:
Attacking Your People (including You):
• Scare scams
• Fake antivirus / ‘Microsoft’ scams
• Phishing
• Social engineering
Attacking Your Computers and Networks:
• Malware, trojans, rootkits, worms
• Ransomware
• Adware and spyware
• Denial of service attacks
• Backdoors & advanced persistent threats
SCARY STATISTICS SECTION
Cybersecurity Threats: On Ransomware:
• ~50% of cybersecurity professionals do not believe their organization is prepared to repel a ransomware attack. (Source: Pwnie Express)
• Ransomware costs businesses more than $75 billion/year. (Source: Datto)
• 75% of companies infected with ransomware were running up-to-date endpoint protection [antivirus]. (Source: Sophos)
• Ransomware attacks have increased over 97 percent in the past two years. (Source: Phishme)
• The average cost of a ransomware attack on a business was $133,000. (Source: Sophos)
Cybersecurity Threats: On Phishing:
• 71.4% of targeted attacks involved the use of spear-phishing emails. [2]
• 83% of INFOSEC professionals experienced phishing attacks in 2018, up from 76% in 2017. [3]
• Email-based corporate phishing attacks quadrupled and social engineering attacks jumped 233% vs the previous quarter. [3]
• 93% of social attacks were phishing related. [4]
• 90% of incidents and breaches included a phishing element. [4]
• Finance faced 59% of phishing attacks in the Americas. [5]
• 82% of manufacturers have experienced a phishing attack in the past year. [6]
[2] Symantec. “Symantec Internet Security Threat Report 2018.” April 2018. https://www.phishingbox.com/assets/files/images/Symantec-Internet-Security-Threat-Report-2018.pdf
[3] Proofpoint. “Protecting People: A Quarterly Analysis of Highly Targeted Attacks.” Q3 2018. https://www.proofpoint.com/us/resources/threat-reports/quarterly-threat-analysis
[4] Verizon. “Verizon Data Breach Investigations Report.” 10th Edition. https://www.phishingbox.com/downloads/Verizon-Data-Breach-Investigations-Report-DBIR-2017.pdf
[5] NTT Security. “2018 Global Threat Intelligence Report.” 2018. https://www.phishingbox.com/assets/files/images/NTT-Security-Global-Threat-Intelligence-Report-2018.pdf
[6] Check Point. “Check Point Research 2018 Security Report Summary.” 2018. https://www.phishingbox.com/news/phishing-news/check-point-research-2018-security-report-summary
Basic Training & Awareness
• Includes:
• Business Impact Analysis
• Action Management
• Asset Management
• Policy Management
Basic Training & Awareness
Business Impact Analysis: identifies the operational and financial impacts resulting from disruption of business or a business process. (ready.gov)
• 1 Week: What If?
• You can’t ship goods
• You can’t see patients
• Your credit card processor refuses to work with you
• Your sales software stops working
• You can’t email or place phone calls
• Your supplier orders never go through
• You can’t access any data on your server
Basic Training & Awareness
Threat & Vulnerability Assessment: considers the business impact analysis, identifies the business processes of your particular business, and inspects those business processes for vulnerabilities and threats.
• Do you have daily backups? Weekly? Hourly? (RPO/RTO)
• Who is responsible for ordering materials? (separation of powers/fraud control)
• Who has the ability to install software? (pride vs security)
• Are all computers current and patched? (basic hygiene: don’t throw your company away to save a buck)
Basic Training & Awareness
Whoa! Backups… What are RTO and RPO?!?
• RTO: Restore Time Objective > How long should it take to get your systems running again?
• RPO: Restore Point Objective > When is the most current point in time we can restore from?
People often back up their QuickBooks company file to a thumb drive once a quarter. If their hard drive fails, that means we can restore to up to 3 months ago. Do you think the rest of the last 3 months were important to that company?
Basic Training & Awareness
Whoa! Backups… We are serious. Backups are THE way to recover from ransomware. Aside from paying a ransom, there IS NO OTHER WAY. Back up your critical data DAILY at worst case. Best is every 15 minutes.
• SCARY BACKUP STATS
• 140,000 hard drives fail in the US every week (source: Small Business Trends)
• Data loss is up 400% since 2012 (source: Iron Mountain)
• 68% of small and medium-sized businesses don’t have a disaster recovery plan (source: Nationwide Insurance)
• 60% of companies who experience data loss shut down within six months (source: Boston Computing)
• 58% of businesses have no backups (source: Small Business Trends)
Basic Training & Awareness
Risk Treatment: remediation plan and remediation action steps to put security controls in place.
Basic Training & Awareness
• Continuous Monitoring
• Monitor the effectiveness of your security controls and re-assess and adjust as necessary.
• For instance:
• Buying AVG Internet Security or Symantec Endpoint Security and then calling yourself “secure” without monitoring its effectiveness is foolish.
• Implementing a control (like a firewall) that does not address the threat (like phishing) might not be recognized without monitoring.
• Also, threats change:
• Without monitoring, you might not see that controls are no longer effective.
Basic Training & Awareness
• Security Assessment
• Based on the previous steps, how secure are you right now? What is your real risk?
• For instance:
• Threat Assessment identified:
• Machines are not being patched regularly.
• Important data is stored on workstations without being backed up.
• Risk Treatment actions taken:
• Implemented a patch management solution.
• Published a policy that mandates that users save all data on the server, not on workstations.
• Continuous Monitoring noticed:
• You check a sales laptop and see that all recent quotes, sales orders, and proposal data is on that laptop and not on the server.
• Security Assessment determined:
• Your security controls are inadequate.
Basic Training & Awareness
Action Management: corrective actions from the security assessment.
Basic Training & Awareness
Reports: if they are important to you. What is more important to ME is documentation every step of the way.
Basic Training & Awareness NIST Cyber Security Framework
Break! Following break: Phishing and more!
Basic Training and Awareness
People are your biggest vulnerability
People are easy to trick. People have common weaknesses. Send an email with a link looking like a Facebook share, saying “Saw your kid’s school had a bomb scare!” and most parents will click it. Send an email looking like an invoice, important shipping statement, or important voicemail, and most people will open it. Technology changes faster than people can keep up with, so the tricks are becoming trickier. As a leader or business owner, YOU are a target. All of your money handlers and purchasers are targets. If you are in manufacturing, your engineers are targets.
Basic Training and Awareness
• Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately.
• Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond.
• Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully.
• Attachments - If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it!
• Unusual Sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don't click on it!
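The two hyperlink tricks the slide describes, turned into a small mail-filter check. This is an added example, not material from the deck: it scans a constructed HTML message for links whose visible text names one site while the href goes to another, and for domains that spell a known brand with look-alike characters such as 'rn' for 'm'. The trusted-brand list and the confusable table are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Brands we expect to see linked in legitimate mail (assumed list for this example).
TRUSTED = {"bankofamerica.com", "microsoft.com", "facebook.com"}

# Character runs that imitate a single letter in many fonts; the slide's 'rn' for 'm' is one.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message combining the 'sense of urgency' and 'hyperlink' tricks.
SAMPLE_EMAIL = """
<p>Your account will be locked in 10 minutes. Verify now:</p>
<a href="http://www.bankofarnerica.com/verify">https://www.bankofamerica.com/login</a><br>
<a href="http://micros0ft.com/reset">Reset password</a><br>
<a href="https://www.facebook.com/share">Share</a>
"""


def registered_domain(url: str) -> str:
    """Last two labels of the URL's host, lower-cased ('www.x.com' -> 'x.com')."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def fold_confusables(domain: str) -> str:
    """Collapse look-alike runs so 'bankofarnerica.com' folds to 'bankofamerica.com'."""
    for run, letter in CONFUSABLES.items():
        domain = domain.replace(run, letter)
    return domain


def classify_link(href: str, text: str) -> list:
    """Red flags for one anchor: mismatched visible URL, or a look-alike of a trusted brand."""
    flags = []
    href_dom = registered_domain(href)
    text = re.sub(r"<[^>]+>", "", text).strip()
    # The hover check from the slide: visible URL and real destination disagree.
    if re.match(r"(https?://|www\.)", text, re.I) and registered_domain(text) != href_dom:
        flags.append(f"text shows {registered_domain(text)} but link goes to {href_dom}")
    # The misspelling check: after folding confusables, the domain becomes a trusted brand.
    folded = fold_confusables(href_dom)
    if href_dom not in TRUSTED and folded in {fold_confusables(t) for t in TRUSTED}:
        flags.append(f"{href_dom} imitates {folded}")
    return flags


def scan_email(html: str) -> dict:
    """Map each suspicious href in the message to the list of red flags it triggered."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        flags = classify_link(href, text)
        if flags:
            findings[href] = flags
    return findings


if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(flags))
```

Folding digits to letters will also catch legitimate domains that contain a 0 or 1, so in production this check belongs in a scoring pipeline alongside sender and attachment checks rather than as a hard block.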
Basic Training and Awareness
Sample scam email:
Hello, As you may have noticed, I sent this email from your email account (if you didn't see, check the from email id). In other words, I have full access to your email account. In fact, I can tell you that your password is SuperSBDC1 I infected you with a malware a few months back when you visited an adult site, and since then, I have been observing your actions. The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphone and you won't even notice about it. I also have access to all your contacts.
Basic Training and Awareness
Sample scam email (continued):
Why your antivirus did not detect malware? It's simple. My malware updates its signature every 10 minutes, and there is nothing your antivirus can do about it. I made a video showing both you (through your webcam) and the video you were watching (on the screen) while satisfying yourself. With one click, I can send this video to all your contacts (email, social network, and messengers you use). You can prevent me from doing this. To stop me, transfer $969 to my bitcoin address. If you do not know how to do this, Google - "Buy Bitcoin". My bitcoin address (BTC Wallet) is 19nRhxeBxZekzsfVRyLH5TzQgg1doLkruz
……..continues on about deleting the video upon payment
Basic Training and Awareness
• “So, malware signatures can be changed, so antivirus is useless? Why bother with AV?”
• Yes, even though you get vaccinated as a child, you still get sick as you grow older with other illnesses.
• Yes, flu vaccines are ineffective against new strains.
• But they ARE effective vaccinations against known prevalent strains and existing crippling illnesses.
• Computer viruses can be programmed to evolve, and the code can be changed. Please keep your antivirus up to date and continue to use it. It will protect against all known variations of a virus.
• AV is not foolproof, but DOES offer good protection.
Basic Training and Awareness
You have been phished AND/OR your information was found in a breach dump from a major breach:
Basic Training and Awareness
There are a TON of tools out there. Some are expensive and some are even free.
• Antivirus brands endorsed by Art™:
• Cylance
• BitDefender
• ESET
• Panda
• Vipre
• Webroot
Antivirus will NOT keep you from getting phished. Training and some email filtering like Advanced Threat Protection (Office 365) or Mimecast are your best protection against email threats.
Basic Training and Awareness
Haveibeenpwned.com
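How a password can be checked against the Have I Been Pwned breach corpus without ever sending the password itself. This is an added example, not the site's own code or anything from the deck: it implements the service's published range-query scheme (SHA-1 the password, send only the first five hex characters, compare the remaining 35 locally against the returned list), with a constructed range response so it runs offline; the count shown for "password" is made up for the example.

```python
import hashlib
import urllib.request

# Constructed range reply for prefix 5BAA6 (not a real API response): the live service returns
# one "SUFFIX:COUNT" line per leaked hash that shares the 5-character prefix you asked about.
SAMPLE_RANGE_RESPONSE = """\
0123456789ABCDEF0123456789ABCDEF012:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def sha1_split(password: str) -> tuple:
    """SHA-1 the password and split the hex digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_response: str) -> int:
    """How many times a hash with this suffix appears in the range reply (0 if absent)."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, range_response: str) -> int:
    """Offline check: the caller has already fetched the range for this password's prefix."""
    _, suffix = sha1_split(password)
    return count_in_range(suffix, range_response)


def fetch_range(prefix: str) -> str:
    """Live query (needs network): only the 5-character prefix goes over the wire."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count_live(password: str) -> int:
    """Same check against the real service; a non-zero result means the password is burned."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    print("password seen", breach_count("password", SAMPLE_RANGE_RESPONSE), "times (sample data)")
```

The same shape works for a password-change form: reject any candidate whose count is non-zero before it is ever stored.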
Basic Training and Awareness
Cofense.com/free
Basic Training and Awareness
Phishinsight.trendmicro.com: free phishing campaigns to test/train your employees.
Protect Intellectual Property & Fraud-Proof People
• Don’t believe your caller ID. Scammers are calling from local numbers now.
• Don’t trust someone to be ‘real’ when they text you.
• Don’t pay upfront for a promise.
• Don’t give information over the phone. Whether debt relief, loan offers, etc., they are often a scam.
• Don’t pay people that call you over the phone.
• Consider how you pay. Use a credit card that has significant fraud protection built in.
• Talk to someone and do research before giving someone money or personal information over the phone or by text.
• Hang up on robocalls.
• Be skeptical about anything that is a free trial.
https://www.consumer.ftc.gov/articles/0060-10-things-you-can-do-avoid-fraud
Blockchain technologies are inherently fraud-proof due to the tracking and validation in the technology… …but you aren’t using blockchain yet.
Protect Intellectual Property & Fraud-Proof People
• Never let someone that calls you get remotely connected into your computer.
• Microsoft will never call you and have you get them connected in.
• HP will never call you and have you get them connected in.
• Dell will never call you and have you get them connected in.
• 100% of the time it is a hacker/scammer trying to gain access to your system.
Protect Intellectual Property & Fraud-Proof People
Never call a number from a pop-up and get them remotely connected into your computer. 100% of the time it is a hacker/scammer trying to gain access to your system.
Protect Intellectual Property & Fraud-Proof People
• Separate powers whenever possible.
• Separate accounts payable and accounts receivable into different people with different permissions to QuickBooks (or Sage, etc.).
• Separate the purchasing person from the person who is handling the bookkeeping.
• Use a third-party accountant to verify bookkeeping and watch for discrepancies.
• Track inventory and shrinkage/loss. Keep in mind that a person stealing inventory may also do an inventory adjustment.
• Limit the number of people who can write checks and purchase materials.
Protect Intellectual Property & Fraud-Proof People
Ego Alert
• Lock down permissions whenever possible.
• Implement least-privileged permissions for everyone to prevent possible loss of IP, fraud, and spread of malware.
• For example:
• If the VP of Sales doesn’t need access to the HR folder and the Engineering folder for their role, they should be locked out of it regardless of their title.
• Likewise, someone in HR should have no access to Finance, Engineering, or Sales data.
• Someone in Finance should have no access to Engineering data.
• Nobody, including the CEO and IT manager, should be an administrator on their PC or the domain.
Physical Controls
• Everything:
• Create an asset spreadsheet of all of your computers, mobile devices, network equipment, iPads, etc. and verify that nothing goes missing.
• Server:
• Get the server out of the breakroom and into a locked network closet (with cooling, please).
• Control the key to the server room and server enclosure.
• Have a paper log, electronic access control system, or camera system monitoring access to the network closet.
• Building:
• Have a policy that does not allow USB media.
• Do not let anyone plug anything unauthorized into computers or ethernet jacks.
• Closely monitor any visitor or stranger in your space. The easiest ‘hack’ is to plug a keylogger into a computer or an access point onto a network and walk out of the building.
You’ve Been Hacked: Prepare for the Inevitable
• Everyone is a victim at some point of
• A breach
• A phishing attack
• Ransomware
• Financial theft malware
• Statistically, you will be in the next two years.
• Make sure that you are prepared for the inevitable.
You’ve Been Hacked: Prepare for the Inevitable
Make sure that your backup and recovery plans are solid. We always recommend at least 2 local backup methods and 1 cloud backup method, and do your backups often!!!
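A check that turns the deck's backup guidance (RPO targets of 15 minutes at best and daily at worst, plus two local and one cloud destination) into something a monitoring job can run. This is an added example, not MePush's tooling: the job records are constructed for the example, and the dates are assumptions.

```python
from datetime import datetime, timedelta

# Objectives from the slides: every 15 minutes at best, daily at worst.
TARGET_RPO = timedelta(minutes=15)
WORST_CASE_RPO = timedelta(days=1)

# Constructed job history for the example (not a real log): one entry per backup destination.
SAMPLE_JOBS = [
    {"name": "NAS image", "kind": "local", "last_success": "2019-06-03T08:50:00"},
    {"name": "USB drive copy", "kind": "local", "last_success": "2019-03-04T17:00:00"},
    {"name": "Cloud snapshot", "kind": "cloud", "last_success": "2019-06-03T08:30:00"},
]
NOW = datetime(2019, 6, 3, 9, 0)  # assumed clock for the example


def achieved_rpo(job: dict, now: datetime) -> timedelta:
    """The data you would lose if you had to restore this destination right now."""
    return now - datetime.fromisoformat(job["last_success"])


def assess_backups(jobs: list, now: datetime) -> dict:
    """Grade every destination against the RPO targets and the 2-local-plus-1-cloud rule."""
    report = {"meets_target": [], "stale": [], "missing": [], "best_rpo_minutes": None}
    usable = {"local": 0, "cloud": 0}
    best = None
    for job in jobs:
        age = achieved_rpo(job, now)
        best = age if best is None or age < best else best
        if age <= TARGET_RPO:
            report["meets_target"].append(job["name"])
        if age > WORST_CASE_RPO:
            # Worse than the deck's worst case: like the quarterly thumb drive, this loses months.
            report["stale"].append((job["name"], age.days))
        else:
            usable[job["kind"]] += 1
    # Only destinations within the daily worst case count toward the 2 local + 1 cloud rule.
    if usable["local"] < 2:
        report["missing"].append("second local backup method")
    if usable["cloud"] < 1:
        report["missing"].append("cloud backup method")
    if best is not None:
        report["best_rpo_minutes"] = int(best.total_seconds() // 60)
    return report


if __name__ == "__main__":
    for key, value in assess_backups(SAMPLE_JOBS, NOW).items():
        print(f"{key}: {value}")
```

Feeding it the real job history from your backup software and alerting on a non-empty "stale" or "missing" list is the continuous-monitoring step the earlier slides call for.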
You’ve Been Hacked: Prepare for the Inevitable
• Have contingency plans for your core business processes.
• Have a disaster recovery plan.
• Have an incident response plan, including a breach notification plan.
• Practice disaster recovery/incident response annually.
• If you need help coming up with a DR plan for your business, get a consultant rather than flying through an emergency by the seat of your pants.
You’ve Been Hacked: Prepare for the Inevitable
Get “Cybersecurity Insurance” or a “cyber rider” on your General Liability. Every company has significant insurable risk regarding cyber that is not covered by their General Liability insurance. It is worth investing in cyber insurance.
Basic Security Controls
• Implement least-privileged permissions and role-based access for everyone, giving them access to ONLY what they need to do their jobs.
• Maintain a list of all of your servers, computers, phones, printers, and other networked assets, as well as your software assets.
• Implement an updating/patching strategy for every device on your network (from your laptops to your camera system/DVR).
• Make sure that every PC and server has endpoint protection antivirus.
• Implement content filtering (like OpenDNS or Webroot) to protect you and your employees from infected sites.
• Implement backups and monitor them.
• Implement security logging and monitor it (not easy for a layperson, not cheap to outsource).
• Install a good firewall (Cisco, SonicWall, Palo Alto, etc.) at your router.
Basic Security Controls
• Encrypt your computers (free with BitLocker on Windows 10) and encrypt all of your phones.
• Put someone in charge of monitoring the health of your systems and network, as well as the security risks involved.
• Create a budget and a plan to lifecycle out old, insecure gear.
• Create policies for Acceptable Internet Use for your employees.
• MePush has one here for you: https://mepush.com/acceptable-use-policy-place/
• Perform quarterly phishing tests and have employees complete short trainings.
• Make sure that all employees have their own unique username and password. Do NOT allow all of your clerks to sign in with username “frontdesk” and password “frontdesk” anymore!
• Create an encryption policy that ensures that all sensitive data is emailed using encryption.
Basic Security Controls
• IMPLEMENT Multi-factor Authentication (MFA/2FA)! This is your biggest control against phishing!
• Implement any additional controls as needed per compliance or type of business:
• Screen timeouts and password locking after 10 minutes
• Disabling USB storage devices on computers
• Geo-IP filtering, blocking traffic from certain countries