Ransomware – An MNP Cyber Security Seminar
Presented by: Tom Beaupre, Cyber Security Lead PCI - Quebec
Date: November 17th, 2016
Page 2
• What is Cyber Security?
–Threats, Vulnerabilities and Risk
• Ransomware
–How to protect yourself and your organization
• MNP Cyber Security
Page 3
Cyber Security – Basic Concept
Cyber Security’s main purpose is to protect your information (Confidentiality), to ensure that you can trust the information (Integrity), and to preserve your ability to use information to work, play, shop, travel, etc. (Availability).
Page 4
Threats, Vulnerabilities, and Risks
Individuals and Organizations implicitly or explicitly assess RISK when thinking of Cyber Security, but often do not recognize the Threats and Vulnerabilities to their Assets (goods, information, money, etc.):
• Over-reliance on personal experience, e.g. compromise of credit cards, media reports
• Systems are still operating, it only happens to others, only complete outages are reported
• Checkbox approach – meeting regulatory or compliance requirements (SOX, PCI, PIPEDA, SOC2, BASEL, etc.)
Page 5
Threat Communities – 89% of breaches are for financial gain or espionage
• Nation States: external, human, with a high level of sophistication. They have access to significant resources and are funded by a nation state. Typically, these groups consist of an organized hacking group being hired by a nation state.
• Organized Hackers: external, human, with a high level of sophistication. They have access to significant resources. For example, organized crime, hacktivist groups, etc.
• Non-Organized Hacker: external, individual person with a moderate level of sophistication. They have access to moderate resources.
Page 6
Threat Communities – cont’d
• Destructive Malware: internal, automated, with a high degree of sophistication, focused on destruction or denial of service.
• Employee: Technical: internal, human, with a high degree of sophistication. They have access to moderate resources.
• Employee: Business: internal, human, with a low degree of sophistication. They have access to minimal resources.
• Malicious former employee: external, human, with a moderate level of sophistication. They have access to minimal resources.
Page 7
Vulnerabilities
Vulnerabilities are weaknesses in software that allow malicious software and individuals to perform unwanted actions.
• The more programs and software you have installed on your laptop or phone, the more vulnerable you are – similar to the number of doors and windows in your home/office
• There are literally thousands of vulnerabilities for each type of device, operating system and application
• The more closed a system, generally the more secure (e.g. iOS, Linux)
Page 8
Vulnerabilities – Cont’d
Vulnerabilities are continually being discovered due to new functionality; they are ranked by severity and ease of exploitation, and eventually corrected by vendors.
• Some vulnerabilities can exist for several years before being detected; these are the so-called ‘zero-day’ vulnerabilities
• Unfortunately, not all individuals and organizations apply the fixes
• Important to note that old vulnerabilities never die, although their exploitation may disappear from widespread use
• Like old classics, their popularity can resurface
Page 9
Risks vary by industry
• Risk is the probability of a loss/attack/compromise and its impact to an asset
• A considerable amount of data exists on breaches, yet many organizations underestimate the level of risk they face because of the preponderance of breaches in the retail and financial sectors – assuming they are not a target
Page 10
Breach Statistics and Risks
• Statistics by Industry have been mapped into categories and Threat Scenarios
• Higher Risk Industries normally already have Cyber programs in place or have mandatory compliance
Page 11
[Chart: Probability of a Breach over the next 24 months – Source: Ponemon Institute 2016 Report]
Page 12
Cost of a Data Breach in Canada >$200 / record
Breakdown of the cost by category:
• Tech Support: 10%
• Damaged Reputation: 29%
• Forensics: 12%
• Lost Productivity: 21%
• Lost Revenue: 19%
• Regulatory Compliance: 8%
Page 13
• What is Cyber Security?
–Threats, Vulnerabilities and Risk
• Ransomware
–How to protect yourself and your organization
• MNP Cyber Security
Page 14
Ransomware
[Graphic from Symantec]
Page 15
[Graphic from Proofpoint]
Page 16
Ransomware In Canada
• Ransomware worldwide is expected to reach $1B in 2016
• Montreal is in the top 3 cities in Canada for infections
• Multiple Payloads can be installed
– Encryption
– Key logging
– Botnet
• Canadians are more likely to pay ransom
– Less awareness of Ransomware
– Greater propensity to trust
– Limited support from Law Enforcement
Page 17
Ransomware – Threats / Vulnerabilities / Risks
• Threats
– Predominantly organized “Spammers” and freelance hackers with a financial motive
– Ransomware ‘kits’ can be purchased on the dark web for a few hundred dollars
• Vulnerabilities
– ~85% of infections via emails, predominantly from established Spammers
– ~15% from web activity on malicious or infected sites
– ~95% on Windows workstations
– ~98% of Mobile infections on the Android mobile platform
• Risks
– Banking and other account numbers and passwords (Confidentiality)
– Loss of changes since last backup (Integrity)
– Total loss of data if no backups exist (Availability)
– Payment of Ransom may not result in unlocking of documents (this one just hurts!)
Page 18
Email – How did Spammers obtain my address?
How do spammers obtain email addresses:
• Leaked account databases, e.g. Adobe, LinkedIn, eHarmony, Gawker, Last.fm, Yahoo!, Snapchat and Sony
• Guessing the email format from other examples, based on first and last name (the diagram shows the pattern tom.beaupre at mnp.ca)
• How to check if your email has been hacked: Have I Been Pwned (haveibeenpwned.com)
[Diagram: the path of a message addressed to tom.beaupre, from the sender’s mail client (Outlook, Gmail, etc.), through a lookup of the domain (“Where is mnp.ca?” – mnp.ca = 162.249.91.252; Registry and Records), to the MS Exchange server and the recipient’s Outlook]
Page 19
Email – Is my email address compromised?
Page 20
• The first step is the receipt of an email which is not blocked by either the ISP, the email provider, or the Corporate Firewall / Spam filter
• The email may be generic or personalized
• Most successful large scale campaigns are targeted and coincide with events such as elections or natural disasters
• They may also use a lure such as a special offer, discount, etc.
• For extra success, the email address of a trusted colleague or superior is used as the sender
Page 21
• The attachment has a malicious payload or Web link
• ‘Enable Content’ results in Macros being executed, which exploit vulnerabilities in Word, Excel
[Screenshot: Malicious Document [Read-Only][Compatibility Mode] – Microsoft Word]
Page 22
• The Macro downloads malicious code which contains Encryption software
• The software creates Encryption Keys which are sent back to a central Server
• The software begins to Encrypt either the Master Boot Record, or starts to Encrypt individual files with all the common extensions (*.doc, *.xls, *.ppt, *.pdf)
• Once Encryption is complete, the software presents a Ransom note with instructions for payment
Page 23
Encryption – Some Basics
• Encryption provides security by substituting and transposing information
• Substitution can be done at the character level using a similar technique to the Caesar Cipher
• Transposition will introduce randomness by re-organizing the location of the characters
• Modern techniques are applied at the bit level, utilize several iterations and also ensure that no frequency analysis can be performed
• AES-128 uses 128 bit blocks and provides a work factor of several billion years to break
Caesar Cipher Example: BIRD = ZGPB (each letter shifted back two places in the alphabet)
[Transposition Example graphic]
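The two classical building blocks named on this slide, worked through in code as an added example (this is not material from the MNP deck): a Caesar shift reproduces BIRD = ZGPB with a shift of minus two, a columnar transposition re-orders letters under a key word, and a letter-frequency count shows the weakness the slide attributes to substitution: the ciphertext keeps the plaintext’s frequency profile, which is exactly what modern bit-level ciphers are designed to destroy. The key word, sample sentence and function names are this example’s own choices.

```python
# Added example (not from the MNP deck): Caesar substitution, columnar
# transposition and a frequency count. Key word and sample text are constructed.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (negative = backwards); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def columnar_transpose(text: str, key: str) -> str:
    """Write the letters row by row under the key, then read the columns in alphabetical key order."""
    letters = [c for c in text.upper() if c in ALPHABET]  # spaces dropped for the grid
    width = len(key)
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    # Column read order: alphabetical by key character, ties broken by position.
    order = sorted(range(width), key=lambda i: (key[i], i))
    out = []
    for col in order:
        for row in rows:
            if col < len(row):
                out.append(row[col])
    return "".join(out)


def columnar_untranspose(cipher: str, key: str) -> str:
    """Inverse of columnar_transpose: rebuild the columns, then read the grid row by row."""
    width = len(key)
    full_rows, extra = divmod(len(cipher), width)
    order = sorted(range(width), key=lambda i: (key[i], i))
    # The first `extra` columns (by position) hold one character more than the rest.
    col_len = {i: full_rows + (1 if i < extra else 0) for i in range(width)}
    cols, pos = {}, 0
    for col in order:
        cols[col] = cipher[pos:pos + col_len[col]]
        pos += col_len[col]
    out = []
    for r in range(full_rows + (1 if extra else 0)):
        for c in range(width):
            if r < len(cols[c]):
                out.append(cols[c][r])
    return "".join(out)


def letter_frequencies(text: str) -> dict:
    """Relative frequency of each letter, most common first; this is what frequency analysis reads."""
    letters = [c for c in text.upper() if c in ALPHABET]
    total = len(letters) or 1
    return {k: v / total for k, v in Counter(letters).most_common()}


if __name__ == "__main__":
    print(caesar("BIRD", -2))                      # the slide's example: ZGPB
    print(columnar_transpose("ATTACK AT DAWN", "ZEBRA"))
    # Same frequency profile before and after a Caesar shift, only the labels move:
    print(letter_frequencies("ATTACK AT DAWN"))
    print(letter_frequencies(caesar("ATTACK AT DAWN", 7)))
```

Transposition keeps the letters themselves and substitution keeps the counts, so either alone leaks the plaintext’s statistics; the slide’s point that modern ciphers iterate both at the bit level is what removes that leak.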
Page 24
• Depending on the Ransomware variant, recovery may be possible:
– Some require a reboot to fully activate
– Some use common Encryption keys
• Technical Solutions can help:
– Will scan the attached documents prior to forwarding
– Will capture the keys before they are sent out
– Will prevent the execution of any unknown code based on whitelisting
– Will prevent the execution of code based on ‘heuristics’ and other behavior common to Ransomware
• Training and Awareness
– Any spelling error or unusual request in an email
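The “scan the attached documents prior to forwarding” control above, applied to the macro case from the earlier slides, as an added example that is not code from the MNP deck or from any product it mentions. Office Open XML attachments (docx, docm, xlsm, …) are zip archives in which a VBA project is stored as a vbaProject.bin part and declared in [Content_Types].xml; the check below reads the archive without opening the document in Office. The sample documents are constructed in memory and are not real Word files, and the policy in gateway_decision is an illustrative assumption.

```python
# Added example (not from the MNP deck): a gateway-style check for VBA macros in
# an OOXML attachment. Sample archives are constructed; names are this example's own.
import io
import zipfile

CONTENT_TYPES_PART = "[Content_Types].xml"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
DOCUMENT_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                      "wordprocessingml.document.main+xml")


def inspect_ooxml(data: bytes) -> dict:
    """Describe what the container reveals about macros, without executing anything."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_ooxml": False, "vba_parts": [], "declares_vba_type": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        try:
            content_types = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
        except KeyError:
            content_types = ""
    return {
        "is_ooxml": True,
        "vba_parts": vba_parts,
        "declares_vba_type": VBA_CONTENT_TYPE in content_types,
    }


def has_vba_macros(data: bytes) -> bool:
    """Either signal is enough to flag; a missing declaration alone does not clear a file."""
    info = inspect_ooxml(data)
    return bool(info["vba_parts"]) or info["declares_vba_type"]


def gateway_decision(filename: str, data: bytes) -> str:
    """Illustrative policy (assumption): quarantine Office attachments that carry macros."""
    if filename.lower().endswith((".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")):
        return "quarantine" if has_vba_macros(data) else "deliver"
    return "deliver"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal archive mimicking the OOXML layout; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        overrides = [f'<Override PartName="/word/document.xml" ContentType="{DOCUMENT_MAIN_TYPE}"/>']
        if with_macro:
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Placeholder bytes standing in for the compound-file VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
        zf.writestr(CONTENT_TYPES_PART, "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("invoice.docm", build_sample_doc(True)), ("memo.docx", build_sample_doc(False))):
        print(name, inspect_ooxml(doc), gateway_decision(name, doc))
```

The check is a structural one: it answers “does this attachment carry a VBA project at all”, which is what the ‘Enable Content’ prompt would run, and it does so on any size of file without rendering it. Whether a flagged file is then quarantined, sandboxed or delivered with the macros stripped is a policy decision for the gateway.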
Page 25
Web – How does a computer get infected?
• Web based attacks will either be initiated from an email with an embedded convenient link (URL) or by direct access to a malicious or compromised Web site
• Compromised websites may appear normal
• Certain categories of Website are much riskier (gambling, etc.)
• Web attacks exploit vulnerabilities in your Browser, such as JavaScript
Page 26
Web – Modern Webpage
• Most Websites are composed of information from multiple sources, including other Websites
• Your Browser software interprets or processes the information (elements) and displays it
• A compromise of any of these sources can result in compromise of your workstation / laptop
• The infected workstation then either exploits a vulnerability directly or downloads other variants of malware, which may or may not require user interaction
Page 27
Web – Is a Website Safe if it has the Lock?
• Valid Certificate
– The lock appears when your Browser interprets the certificate as coming from a legitimate source and with a currently valid expiry date
– A site with a lock can be assumed to be legitimate, but this does not guarantee it is safe
• Invalid Certificate
– An internal site may not have a valid Security Certificate but most likely is safe
– An external site should NOT be accessed if it has an invalid certificate
Page 28
Web – Is a Website Safe if it has the Lock?
• Training and Awareness
– Always type the Web address directly in your Browser or carefully inspect the web address
– Always use a Corporate VPN when working remotely or from home
– Banking and other secure sites will always use https and a lock will appear
• Technical Solutions can help:
– Will prevent malicious URLs from being reached
– Will analyse and block traffic and files transferred to your Web browser
Page 29
Web – Is the web page compromised?
• If you’ve ever received a link that looks legitimate but that you’ve never accessed before, you should only access it from a trusted network such as your corporate network or from a protected workstation
• If you’re not sure, you can use a free service to analyse the link or a file
– http://csi.websense.com/
Page 30
Ransomware Prevention Steps - Individuals
• Perform regular backups
– Always test that backups are working by verifying their contents
– Backup frequency should be driven by the amount of changes and the cost to restore missing information
• Regularly update your software and install CRITICAL updates as soon as possible
– This includes Windows, Android
– Office products (Word, Excel)
– Browser (Explorer, Chrome)
– Adobe Acrobat Reader
Page 31
Ransomware Prevention Steps - Enterprise
• Restrict Network Drive access
– Limit drives to only those with a business need
– Limit access to Read only when possible
– Monitor Drive utilisation and I/O activity – encryption is CPU intensive and will typically increase the size of the files
• Implement Technical Controls
– At the perimeter
– On the email server
– On the web filter/proxy
– On the endpoint
• Monitor all activity
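The “monitor drive utilisation and I/O activity” item above, turned into detection logic as an added example (not code from the MNP deck or any product it names). It parses file-server audit lines whose format is invented here, flags any user who rewrites many files inside a short window with the files growing in size (the two symptoms the slide gives), and adds a Shannon-entropy check that tells ciphertext from plain content. The sample log, the thresholds and the function names are this example’s own assumptions.

```python
# Added example (not from the MNP deck): burst-of-rewrites detection over constructed
# audit lines, plus an entropy check. Line format, thresholds and names are assumptions.
from collections import defaultdict
from datetime import datetime
import math

# Constructed audit lines: timestamp user action path old_size new_size
SAMPLE_LOG = r"""
2016-11-17T09:00:01 alice MODIFY \\fs01\finance\q3.xlsx 20480 20992
2016-11-17T09:05:00 bob MODIFY \\fs01\finance\a.docx 10240 10752
2016-11-17T09:05:02 bob MODIFY \\fs01\finance\b.docx 8192 8704
2016-11-17T09:05:03 bob MODIFY \\fs01\finance\c.xlsx 30720 31232
2016-11-17T09:05:05 bob MODIFY \\fs01\finance\d.pdf 102400 102912
2016-11-17T09:05:06 bob MODIFY \\fs01\finance\e.pptx 204800 205312
2016-11-17T09:05:09 bob MODIFY \\fs01\finance\f.docx 4096 4608
2016-11-17T10:00:00 carol MODIFY \\fs01\hr\p1.docx 50000 49000
2016-11-17T10:00:10 carol MODIFY \\fs01\hr\p2.docx 50000 49500
2016-11-17T10:00:20 carol MODIFY \\fs01\hr\p3.docx 50000 48000
2016-11-17T10:00:30 carol MODIFY \\fs01\hr\p4.docx 50000 49900
2016-11-17T10:00:40 carol MODIFY \\fs01\hr\p5.docx 50000 47000
2016-11-17T10:00:50 carol MODIFY \\fs01\hr\p6.docx 50000 49990
"""


def parse_line(line: str) -> dict:
    ts, user, action, path, old_size, new_size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "path": path, "old": int(old_size), "new": int(new_size)}


def detect_mass_rewrite(log_text: str, window_s: int = 60, min_files: int = 5,
                        growth_ratio: float = 0.8) -> dict:
    """Return {user: largest burst} for users with >= min_files MODIFY events inside
    any window_s-second window where at least growth_ratio of the files grew."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["action"] == "MODIFY":
            by_user[event["user"]].append(event)
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            window = [e for e in events[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            if len(window) < min_files:
                continue
            grown = sum(1 for e in window if e["new"] > e["old"])
            if grown / len(window) >= growth_ratio:
                alerts[user] = max(alerts.get(user, 0), len(window))
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Plain text and uncompressed data score well below the threshold. Caveat: already
    compressed formats (zip-based docx/xlsx, many PDFs) also score high, so use this
    together with the burst signal rather than on its own."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    print(detect_mass_rewrite(SAMPLE_LOG))        # bob rewrites six growing files in 9 s
    print(shannon_entropy(b"The quick brown fox jumps over the lazy dog. " * 50))
    print(shannon_entropy(bytes(range(256)) * 16))  # constructed stand-in for ciphertext
```

In the constructed log, carol edits six documents in a minute but they shrink, so she is not flagged; bob’s burst matches both symptoms from the slide. On a real file server the same logic would run over the audit feed, and the entropy check would be applied to a sample of the rewritten files before a read-only lock or account disablement is triggered.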
Page 32
Ransomware Prevention Steps – Enterprise Data Backup
• Small and Medium Businesses are the most vulnerable
• Downtime is extremely costly – much higher than the actual Ransom cost
• A small percentage cannot ever recover the missing information
• Insufficient testing of the ability to recover from an incident
Page 33
Ransomware Prevention Steps – Enterprise Data Backup
• The 3-2-1 rule is a best practice for backup and recovery.
• The chances of having two failures of the same storage type are much higher than for two completely different types of storage. Therefore, if you have data stored on an internal hard drive, make sure you have a secondary storage type, such as external or removable storage, or the cloud. A local disaster could wipe out both of them. Keep a third copy in an offsite location, like the cloud.
• The 3-2-1 backup rule is a best practice because it ensures that you’ll have a copy of your data no matter what happens. Multiple copies prevent you from losing the only copy of your data. Multiple locations ensure that there is no single point of failure and that your data is safe from disasters such as fires and floods.
• RAID already includes a mechanism to recover from single/multiple drive failures and is usually blended with multiple physical locations to provide the 3-2-1 concept
• Cloud storage can be very expensive and require significantly more Internet bandwidth
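The 3-2-1 rule above, together with the earlier slide’s advice to test backups by verifying their contents, as an added example check over a backup inventory (this is not code from the MNP deck). A copy is only counted if its hash matches the primary, so a corrupt or partially uploaded offsite copy drops the set below the rule rather than silently satisfying it. The inventory, its field names and the sample content are constructed for this example.

```python
# Added example (not from the MNP deck): evaluate a backup inventory against 3-2-1
# (3 copies, 2 storage types, 1 offsite), counting only copies whose contents verify.
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(copies: list) -> dict:
    """copies: dicts with label, role ('primary' or 'backup'), media, offsite (bool), data (bytes)."""
    primaries = [c for c in copies if c["role"] == "primary"]
    if len(primaries) != 1:
        raise ValueError("inventory must contain exactly one primary copy")
    reference = digest(primaries[0]["data"])
    # "Verify their contents": a copy that does not hash like the primary is unusable.
    corrupt = [c["label"] for c in copies if digest(c["data"]) != reference]
    usable = [c for c in copies if c["label"] not in corrupt]
    media_types = sorted({c["media"] for c in usable})
    offsite = [c["label"] for c in usable if c["offsite"]]
    result = {
        "usable_copies": len(usable),
        "media_types": media_types,
        "offsite_copies": offsite,
        "corrupt_copies": corrupt,
    }
    result["meets_3_2_1"] = (len(usable) >= 3
                             and len(media_types) >= 2
                             and len(offsite) >= 1)
    return result


def build_inventory(corrupt_cloud: bool = False) -> list:
    """Constructed inventory: internal-disk primary, a USB copy onsite, a cloud copy offsite."""
    payload = b"Q3 financials - constructed sample content\n" * 10
    # Simulated bit rot / truncated upload on the cloud copy when corrupt_cloud is set.
    cloud_data = payload[:-1] + b"?" if corrupt_cloud else payload
    return [
        {"label": "laptop-ssd", "role": "primary", "media": "internal-disk", "offsite": False, "data": payload},
        {"label": "usb-onsite", "role": "backup", "media": "removable-usb", "offsite": False, "data": payload},
        {"label": "cloud-offsite", "role": "backup", "media": "cloud", "offsite": True, "data": cloud_data},
    ]


if __name__ == "__main__":
    print(check_321(build_inventory()))                    # meets the rule
    print(check_321(build_inventory(corrupt_cloud=True)))  # offsite copy fails verification
```

With the cloud copy corrupted the set still has three files on disk, but only two usable copies and no usable offsite copy, which is the situation the slide warns about when it says insufficient testing of the ability to recover is common. In practice the hash would be computed at backup time and re-checked on a schedule, not only at restore time.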
Page 34
How to Recover
• Isolate your Computer
– Disconnect and/or disable Ethernet and Internet cables and disable Wi-Fi
– Disconnect any USB drives or USB memory cards
– Prevents the spread to additional drives
• Restore from backup
– Ideally start with a clean system (Windows OS)
– Reinstall only known software (Microsoft Office, anti-virus)
– Run a complete virus scan
– Restore documents and other files from a known good backup
– Change all passwords
Page 35
Should you pay the Ransom?
• Ransom payment is to be avoided
– Further promotes criminal behavior and funding
– To be used as a last resort
• Be Prepared to move quickly
– Interac or Cash required to obtain Bitcoins
– Some brokers and exchanges will limit how many Bitcoins can be purchased at any one time, making the accumulation of Bitcoins for larger ransoms (>$10K) difficult
Page 36
After an attack
• Training and Awareness
– Yearly awareness on proper usage of workstations when travelling or working at home
– Email phishing campaign with employees
– Hotline for reporting suspicious emails and activity on workstations
– Provide information on what to do if a suspected infection occurs (i.e. disconnect from the network)
• Cybersecurity risk assessment (Grey Team)
– Data Backup and Recovery
• Defensive Controls (Blue Team)
– Web Access
• Penetration Testing (Red Team)
Page 37
Ransomware will continue to evolve
• Over the coming year it is expected that more malware variants will continue to be developed for other operating systems
– MacOS
– iOS
• Phishing will continue to be the preferred method of infection
• Integrity of data is expected to be a target in the future, making it much more difficult
[Graphic from Acronis]
Page 38
• What is Cyber Security?
–Threats, Vulnerabilities and Risk
• Ransomware
–How to protect yourself and your organization
• MNP Cyber Security
Page 39
MNP Cyber Security Team
• Professionals across the Country offering services in English/French.
• Our team of Cybersecurity specialists hold extensive industry specific certifications including: CISSP, CISA, OSCP (Penetration testing), GPEN, CEH, Payment Card Industry (PCI QSA and PCI ASV), CCSK (Cloud Security), OpenFAIR (risk analysis), Critical Security Controls (CSC).
• Strong niche/vertical orientation – Public Companies, Municipalities, Public Safety, Health Services, Financial Services, Resource Sector, Education, Communications/Media, Retail, Public Sector, Real-estate, etc.
• We’re comfortable in every environment – IT Data Center, Administration, Executive Suite, Boardrooms.
Page 40
Cyber Security Services
Offensive Security (Red Team): Our team uses Social Engineering techniques to look for vulnerabilities. They are seasoned professionals who typically discover vulnerabilities other organizations have overlooked.
Risk Assessment (Grey Team): MNP provides a structured approach to the 20 Critical Security Controls framework to help you understand your business’ ‘Cyber Security Maturity’. The Executive Road Map will help guide allocation of resources and budget for CyberSecurity.
Defensive Security (Blue Team): Our dedicated team will build appropriate risk controls through technology solutions and/or managed services.
PCI (Black and White Team): MNP has one of the largest QSA (Qualified Security Assessor) benches in Canada. PCI (Payment Card Industry) requires any organization that uses credit card information to be compliant.
Page 41
Page 42
Defensive Security Solutions (Blue Team)
Network / System / Connectivity
• Next Generation Firewalls
• Content Filtering
• SSL VPN
• Data Loss Prevention
• Web Application Firewalls
• Network Access Control
• EndPoint Protection
• Encryption
• Two-Factor Authentication
• Log Management
• Wireless Networking
• Acceleration
• Load Balancing
Page 43
Defensive Security - Managed Services (Blue Team)
Managed Security Services are an extension to your team: with dedicated CyberSecurity Admins & vCISOs, we know your network inside & out.
• Complete Suite of Services
• Preventative Cybersecurity
• Detect and Respond to Cybersecurity Threats
• Leverage a 100% Canadian Security call centre in Ontario and Alberta
Page 44
Risk Assessment (Grey Team)
Page 45
PCI and Compliance (Black and White Team)
Page 46
Cyber Security Clients
Communications; Government & Municipalities; Education; Public Safety; Health & Wellness; Financial Services; Legal; Media & Retail; Mining & Resources
Page 47
Accounting / Consulting / Tax (Green Team)
Page 48
Cyber Security Program Example
[Graphic – Source: UK Centre for the Protection of National Infrastructure]
Page 49
Personal Cyber Security Check List - Bonus
• Strong password – use a minimum of 8 characters (uppercase, numbers, special characters, or better yet a long passphrase and multi-factor authentication)
• Keep your systems updated with latest software (patched)
• Run Anti-Virus, Anti-Malware, Firewall, Website blocking/filtering
• Back Up your systems (local storage drive, cloud, etc.)
• Have your computer or mobile set to auto time-out and lock
• Never click on something you don’t know (phishing attacks)
• Instead of clicking on links in emails, start from the web page (e.g. LinkedIn, Facebook, Bank page)
• Don’t add people to your profiles that you don’t know
• Sensitive browsing should only be done from a trusted device and Wi-Fi network
• Keep 2 credit cards – one for recurring payments only with trusted merchants, one for e-commerce
Page 50
Page 51
Contact Us:
Tel: 905.607.9777
Toll Free: 866.370.8575
Email: [email protected]
Website: www.nci.ca / www.mnp.ca

Danny Timmins, National Leader, CyberSecurity
DIRECT 905.607.9777 ext. 230 / CELL 647.202.6243
95 Topflight Drive, Mississauga, ON L5S 1Y1

Tom Beaupre, Lead - Quebec, CyberSecurity
DIRECT 514.228.7844 / CELL 514.451.0578
1155, boul. René-Lévesque O., 23e étage, Montréal, QC H3B 2K2