1

Cyber Security

January 20, 2020

August NevermanChief Information Officer &

Chief Information Security OfficerBrown County, Technology Services

August joined Brown County Technology Services as the Chief Information Officer and Chief Information Security Officer in May of 2014 and has been an active leader in the Information Technology industry since 1986. He leads the Brown County Information Security public awareness campaign. Previously, he worked for the Medical College of Wisconsin and the Hospital Sisters Health System, at St. Vincent Hospital. He earned his MIS degree from the University of Wisconsin – Superior and served in the Air Force and Air National Guard.

3

Copy of this Presentation available online

• This presentation is located at the Brown County Website https://www.browncountywi.gov

• Select Departments Technology Services• Select Cyber Security on the left• Click on the Cyber Security Presentation• Share the presentation with family and friends

4

Is this Real? Unfortunately YES

Real-time attacks https://threatmap.fortiguard.com

5

1 in 5 will be hacked

this year

6

62% of businesses saw phishing and social engineering attacks in 2018

7

Bad guys use

automated tools to

attack over 100,000 x per hour

8

Example Headlines Jan 13-17, 20201. Georgia Election Server Showed Signs of Tampering

https://www.securityweek.com/expert-georgia-election-server-showed-signs-tampering

2. Renewed Emotet phishing targets UN, government and military users

• https://www.scmagazine.com/home/security-news/phishing/renewed-emotet-phishing-activity-targets-un-government-and-military-users/

• https://www.infosecurity-magazine.com/news/emotet-locked-onto-us-military-and/

3. Critical WordPress Bug Leaves 320,000 Sites Open to Attack https://threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/

4. Texas School District Loses $2.3 Million In BEC Scam• https://blog.knowbe4.com/bec-scam-heists-2.3-million-from-texas-school-district• https://www.foxnews.com/tech/texas-school-district-falls-for-email-scam-loses-2-3m

5. Hackers Earn $275,000 for Vulnerabilities in U.S. Army Systems https://www.securityweek.com/hackers-earn-275000-vulnerabilities-us-army-systems

6. Bill for New Orleans Cyber-Attack $7m and Rising https://www.infosecurity-magazine.com/news/bill-for-new-orleans-cyberattack/

7. City of Las Vegas said it successfully avoided devastating cyber-attack https://www.zdnet.com/article/city-of-las-vegas-said-it-successfully-avoided-devastating-cyber-attack/

9

Data Breach Bad News1. In 2018 hackers stole half a billion personal records2. In 2016 hackers stole 57 million Uber riders and

drivers’ information. Uber tried to pay the hackers to delete the stolen data and keep the breach quite.

3. 3 billion Yahoo accounts were stolen in 2016 4. There were 8,854 recorded major data breaches

between January 1, 2005 and April 18, 20185. Over 3 million IP addresses are known to be involved

in Cyber Crime attacks.6. Symantec reports that 73% of Americans have been a

victim of cyber crime.

10

Compromise Timelines Source: Verizon

11

On Average It Takes 206 Days to Detect a Data Breach

Uncommon Hacking Targets Source: FireEye

12

Who is attacking?The ratios change over time but there are basically 3 types of cyber attackers:

• Cyber Criminals is roughly 70% of cyber attacks with intent to get cash or information to sell for cash.

• Espionage is roughly 25% of cyber attacks. (Countries and Businesses)

• Hacktivists & Cyber Warfare are roughly 5% of cyber attacks. This is hacking for social or political reasons. (Governments and Social Groups)

13

Cyber Attack Motivation Source: Verizon

14

Industry Impacts Source: NTTSecurity

15

Where are we vulnerable?

16

PUBLIC

HOME

WORK

Everywhere

How and Why are we Targets?95% of cybersecurity breaches are due to human error• Even if we aren’t “online” we are targets for financial

theft and identity theft.• We are dependent on our technology, so we need to

protect it & we are too trusting.• Credit Cards, Bank Accounts, Taxes and Social Security

are common financial targets• Children are at risk also, so speak with family and

friends about Cyber risk!It is estimated that hackers stole $19B from consumers and $172 billion in total in 2017

7

Why is this my problem?We have hired guns, limited law and limited to no

emergency response. We are basically living in the Digital Wild Wild West.

18

WHAT CAN WE DO?

19

BE AWARE*

BE SUSPICIOUS

*TRUST BUT

VERIFY

20

When in Doubt

GET HELP!

Find Someone you Trust 21

Disconnect a compromised device to stop

data loss & further

compromise

22

22

Never Share Your Passwords. If you must share it, RESET it immediately!

23

Long Passwords Pass Phrases

Use long passwords (sentences) “I like rock & roll!” is a good one, it’s long and easy to remember.

Use different passwords for different systems. One way is to use a prefix relative to the system “XYZBank.Ilike2hunt&fish”

24

Demonstration of why long passwords Matter HowSecureIsMyPassword

25

https://howsecureismypassword.net/

Password ManagementUse password management tools like • Lastpass

• DashLane• 1Password• Keepass (free - local)

Some have “family plan”

26

Never keep an unsecured list of userid’s and passwords anywhere (MSWord/Excel are bad places to keep passwords).

Never Share Your Credit

Card, Bank or Social Security Card Numbers

27

27

Be Careful buying online?Debit CardCredit CardPayPaleCheckCash Card

28

Losses may be passed to you, and there may be no loss limits

Limited or no lossOnly buy from websites you trust and even then be careful!

29

There were 3 million identity

theft and fraud reports received in 2018!

Consider $1mil in identity INSURANCE such as:

• Lifelock• IdentityGuard• IdentityDefence• CompletedID (CostCo)

or any other well reviewed service. Some have family plans.

Note: Some homeowner/renter policies may have optional riders.

30

HAVE A PLAN!

• Who would you call?• Who can help? • What do you do if

you suspect you have been hacked?

Email is your #1 Risk!

1) Be suspicious of poor spelling and wording

2) Don’t Click on ANY Attachments or Links

3) Be suspicious of threatening content

4) Check the FROM address

5) When in doubt DON’T OPEN, JUST DELETE (or at least call the sender to confirm)

31

http://www.albany.edu/its/images/SocialEngineeringRedFlags.pdf

32Source: https://www.myalignedit.com/2019/09/tips-for-detecting-a-phishing-email/

33

34

What else can I do?1. Never share your password or UserID

with anyone via email or phone.

4. Consider a secure password management tool – a tool like LastPass, 1Password, Dashlane or KeePass - never keep an unsecured list of userid’s and passwords anywhere (MSWord/Excel are bad places to keep passwords).

5. Use two factor authentication (two-step authentication) Google, Microsoft, LastPass, Facebook, and Authy provide free two factor services. Apps are more secure but even SMS is more secure than just a password.

6. Change Default Passwords. Cameras, TVs, firewalls etc.

Over 50% cyber theft uses a STOLEN userid and password.

35

Use two factor (multi factor / two step) login wherever you can.

Free with:Google MailHotmailYahoo MailFacebookTwitterEtc…

36

Watch out for Unsecure WiFi

37

Avoid unsecure wireless & Never use unsecure WiFi for bankingLook for “lock symbol” and check for WPA2 Enterprise.

Android iPhone Windows10

Be Safe Online

1. Create a separate email for junk, a separate email for social (your main one) and a separate one for financial activity.

2. Watch for fake versions of “friends/family” on Facebook, Twitter and Instagram

3. Don’t put too much information on social media. Telling everyone you are going on vacation might feel good, but it tells potential thieves also. If you put too much out there, the bad guys will know your “challenge questions”. Where were you born? What is your mother’s maiden name?

38

Update EVERYTHING! Shodan is a SCADA database of known vulnerable systems – ANYONE can use it. https://icsmap.shodan.io/So UPDATE your devices and CHANGE DEFAULT PASSWORDS

39

Secure Your DNS (Domain Name Service)

40

OpenDNS https://www.opendns.com/ or

Quad9 https://www.quad9.net/Provide FREE DNS security gateway on your router. Its Free and it will block known bad domains.

BACK UP YOUR DATA!

41 41

Back up your Data!

A USB Drive is a good manual choice because it is physically isolated.

Consider cloud backup services like:Acronis, iDrive, Backblaze, Carboniteor any other well reviewed service. Some have family plans.

Note: Some homeowner/renter policies may have optional riders.

Back up your smartphone and computers. Ransomware, a virus or a fire can take away your access, but a

restore can avoid paying rasom.

Don’t give away your data. Destroy the device or at least WIPE it.

42

NO YES

Secure Your Smartphone

1. Add a Pin or password

2. Get Anti-Virus 3. Choose mobile

apps carefully!4. Remember

CallerID can be FAKED

5. Turn off Geotagging

• iPhone disable location services under privacy

• Android under camera settings disable Geo Tags

43

Smartphones have personal information, passwords, email and banking information on them. Protect them!!

Watch out for Malicious SMS/MMS 44

Reduce Unwanted Calls

45

You can use Google Voice to filter spam calls. 1.Get a new number through Google Voice. 2.Have Google Voice forward calls to your NEW cellphone number. Or any other phone.3.Only share the Google Voice phone number with businesses and other people.

Google will block (quarantine) all at least some telemarketers and phone-spammers.

If you don’t want to use Google Voice (or Google Phone) – Here are some spam phone filtering apps for your smartphone

HiyaTruecallerMr. NumberShould I Answer?

Social Scams (social hacking)

• Spring Break Scam: uses publicly accessible information to get loved ones to give out credit card info.

• Fake “Microsoft” Call Center: sounds like a call center because it is. Claims your computer is infected and asks for access and eventually credit card info.

• Fake Purchase orders and Fake Invoices

• Fake IRS, FBI, Red Cross, and Sheriff calls

• Cyber Stalkers – Cyber assisted physical crime46

Spring Break Scam1. Track down public info on a college student going on spring

break. Using social media (Facebook, Instagram, 2. Track down cellphone # and confirm it.3. Call cell to confirm name.4. Track down Grand Parents of person (home phone) confirm

relationship5. Watch to confirm student is in Mexico or Cancun or other

location.6. Call grandma at 2am using spoofed students cellphone number.7. Identify as a friend (not the person) and claim the person is

injured and unconscious. 8. Claim you will be bringing the person to hospital and all is ok.9. Then have someone slam car doors for effect and have a

person who can fake an accent ask for credit card.10. Then ask grandma for her credit card number to get the

student to the hospital with 80% success rate.ACTION: Tell them you will call the cellphone back in just a minute.

47

12 Step Cyber Cheat Sheet

48

1. Think before you act, think before you click, be suspicious of emails, links, attachments, phone calls & websites

2. Back up your data preferably in multiple locations (USB and/or cloud)3. Use LONG passwords and Never Share your Passwords – use unique passwords for

individual systems, Turn on Two-Step (2 factor) authentication – consider password vault such as LastPass or others

4. Secure your smartphone – add a pin/password and anti-virus, turn off geotagging, only use secure wifi

5. Install Anti-Virus/Anti-Malware on Android devices and PCs6. Protect your Identity – consider $1mil Identity Insurance7. Secure your IRS and Social Security Accounts8. Update & Patch EVERYTHING (TV, cameras, PCs, alexa, phones, refrig etc)9. Don’t trust public WiFi look for WPA210. Avoid sharing personal information- bad guys will use it against you11. Create dedicated email accounts JUST for password resets.12. Destroy or wipe old computers, USB drives, disks & smartphones

Have a plan but don’t wait, start today!

Educate – yourself, your community, your family, friends and business partners.

• Share this document. Help others.• Good Cyber Security Information: https://www.us-

cert.gov/ncas/tips (Email & Communication, Mobile Devices, Privacy, Safe Browsing and Software & Applications)

• Phishing Cheat Sheet: https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf

49

References 1: More Reading• https://www.dhs.gov/publication/stopthinkconnect-older-american-

resources

• https://staysafeonline.org/

• https://www.fbi.gov/news/stories/simple-steps-for-internet-safety?utm_campaign=email-Immediate&utm_medium=email&utm_source=fbi-top-stories&utm_content=591509

• https://www.stopthinkconnect.org/

• FTC Fraud:• http://www.consumer.ftc.gov/articles/0275-place-fraud-alert• http://www.consumer.ftc.gov/articles/0279-extended-fraud-alerts-

and-credit-freezes• Set up your IRS Transcript email before hackers do:

http://www.irs.gov/Individuals/Get-Transcript50

References 2: Tools• Password Management

• Lastpass https://lastpass.com/• 1Password https://1password.com/

• Two Step (Two Factor Authentication) • Google https://www.google.com/landing/2step/• Hotmail http://lifehacker.com/add-two-factor-authentication-to-your-microsoft-account-

474939951• Yahoo https://help.yahoo.com/kb/SLN15241.html

• WiFi Security• SecurityKISS, CyberGhost, Disconnect.me & Secure Wireless (apps)• https://securitygladiators.com/2015/03/25/secure-wireless-network/

• Other Tools• Microsoft Security Essentials http://windows.microsoft.com/en-us/windows/security-essentials-

download• OpenDNS https://www.opendns.com/home-internet-security/opendns-ip-addresses/• Virtual encryption http://saferweb.com

• Dashlane https://www.dashlane.com/• Keepass (free) http://keepass.info/

51

References 3: Protect Your Identity• IRS Identity Protection PIN (IP PIN)

• Create an IP PIN so the bad guys can file taxes as you• https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-

protection-pin

• https://www.identitytheft.gov/• Social Security Administration Resources

• https://blog.ssa.gov/protecting-your-social-security/

• Identity Insurance Select any well rated vendor that provides $1million in identity Insurance such as (prices are estimates):

• Vendors• IdenityGuard https://www.identityguard.com/ $5 to 10/mo• Lifelock https://www.lifelock.com/ $30 to $50/mo• IdentityForce https://secure.identityforce.com/ $20/mo

• Make sure you are getting $1mil in Identity Insurance not just Identity Protection • Some of the vendors have plans that will cover an entire family.• Check your homeowners insurance – it may have an option for Identity Insurance

52

How Bad Guys Make Money Part 1

53

Full Identity (Fullz Data). Includes a person's: full name, date of birth, address, phone number, mother's maiden name, Social Security number, and driver's license number. Prices: $30-40 U.S. data, $35-$50 U.K. data, $15-$20 Asia

Malware PPI (Pay per Install). The raw compromised computers are used for: botnets, spam hosts, host malvertising, DDOS, relay use, brute force attacks or other attacks. Price: $60 per 1,000 systems worldwide, $400 per 1,000 U.S.-only

Ransomware as a Service (RaaS) offers up wares to criminals using the same model. Price: As low as $120/month (every 14 seconds)

ATM & PoS Skimmers are hardware and software to steal ATM and Credit Card Info. Price: $700-$1,500 each

Account Checkers. Rented services and software that checks to see if stolen credentials will work on other websites. Price: $60/month for checking 1,000 valid accounts

How Bad Guys Make Money Part 2

54

Stolen Credit Card or Bank Account. The hacker resells the accounts. Price: 10% of the total credit available in stolen account.

Money Mules. A "trusted" criminal who accept funds stolen from hacked accounts into their bank account. The money can then be accessed by the crooked "customer," with the mule taking a percentage cut for providing an account to make the handover. Price: 10% to 20% of the take

EIN and Articles of Incorporation. Money mules use shell corporations as a front to open business bank accounts that can be used to shift around fraudulently acquired funds. Price: $800-$1,600 per “entity”

Laundering Service. Full-service money laundering operation that steals from the compromised accounts and then transfers the “take” to PayPal, a bank account or Western Union. Price: 10% to 12% of “take”.

DDoS Attack Services. Botnets rented out to attack anyone. These rentals can be done by the hour, the day, the week, and even the month for longer-term campaigns. Price: $60/hour, $280/day, $479-$679/week, $2,000/month (varies)

QUESTIONS?

55