WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor ©2018 CliftonLarsonAllen LLP IT Security and Assessments


Page 1: IT Security and Assessments

©2018 CliftonLarsonAllen LLP

Page 2: Objectives

• Identify key elements to use in user awareness and related IT policies regarding IT security issues and social engineering.
• Communicate and assess key general control provisions and requirements for mitigating IT security risks.
• Review the risks and implications to various organizations broadly related to confidentiality and privacy of key data.

Page 3: Information Security defined

• Rules – What we expect to occur
• People – Users that are aware…
• Tools – Support our objectives

Confidentiality, Integrity, Availability

Page 4: Data Breach Headlines

Page 5: Other Headlines

• California Hospital Pays $17,000 To Hackers In ‘Ransomware’ Attack
– http://sanfrancisco.cbslocal.com/2016/02/18/california-hospital-ransomware-attack-hackers/
• Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say
– https://www.nytimes.com/2017/04/08/us/dallas-emergency-sirens-hacking.html?_r=0
• VCU Reports Breach of Medical Files
– http://www.richmond.com/news/virginia/vcu-reports-breach-of-medical-files/article_866c7c17-1d35-50bb-bfe0-87ad3f4ba82e.html
• Data Breach Hits Mainstreet FCU
– http://www.cutimes.com/2015/10/15/data-breach-hits-mainstreet-fcu
• Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals
– https://www.irs.gov/uac/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others
• Howard County government website restored after it was hacked with pro-Islamic State message
– http://www.baltimoresun.com/news/maryland/bs-md-howard-website-hack-20170625-story.html

Page 6: All Organizations are at Risk!

• University of Maryland
– http://www.umd.edu/datasecurity/
– http://www.baltimoresun.com/news/maryland/education/bs-md-umd-data-breach-audit-20141210-story.html
– http://www.wusa9.com/story/news/local/2014/03/26/university-of-maryland-congress-data-breach/6942023/
• State of South Carolina
– http://www.pcworld.com/article/2015543/irs-blamed-in-massive-south-carolina-data-breach.html

Page 7: Sources of Risk

• Government organizations are an extensive source of valuable personal data about taxpayers, recipients, and beneficiaries:
– Social Security numbers
– Addresses
– Dates of birth
– Bank account information
• Governments are targets due to the sources of data, the number of external and remote access connections/authentications, the perceived susceptibility of constituents, and financial access

Page 8: Three Largest Trends

• Ransomware
• IoT vulnerabilities
• Social Engineering
– Data breaches
– CATO (Corporate Account Takeover)

Page 9: How do hackers and fraudsters break in?

• Social Engineering – The psychological manipulation of people into performing actions or divulging confidential information
◊ Pre-text calls
◊ Email phishing
◊ Manipulation of physical security

Page 10: Pre-text Phone calls

• Calling from Comcast Services on behalf of IT
• Calling as an internal employee getting member information

Page 11: Pre-text Phone Calls

• “Hi, this is Jason from Comcast services. I am working with IT, and I need your help…”
– Name dropping
– Establish a rapport
– Ask for help
– Inject some techno-babble
– People want to avoid inconvenience
– Timing, timing, timing…

Page 12: Ways to protect yourself ...

• To prevent a successful pre-text call:
– Apply call-back procedures: end the call and phone the person or vendor back on a number you already have on file, not one the caller gives you
– Request additional (non-public) verification information
– Request approval from the caller’s supervisor, if internal
– Reference internal security policies to external callers, if additional procedures are unsuccessful
– Report any suspicious calls to IT

Page 13: Email Phishing – “Spear” Phishing

• A technique for fraudulently obtaining sensitive information
– “Spoof” the sender so the email appears to come from someone in authority
– Create customized text that, combined with the spoofing, creates pressure to act quickly (without thinking)

Page 14: Ransomware

• Malware encrypts everything it can interact with
– i.e. anything the infected user has access to, which includes network shares the user can write to, not just the local disk
• Zip file is the preferred delivery method
– Helps evade virus protection, since the script or executable inside the archive is often not inspected
• Working (tested) backups are key
– They must be kept where an infected user account cannot reach them, or the malware will encrypt the backups as well
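The slide notes that ransomware arrives inside ZIP attachments because the archive hides the payload from scanners. The following Python is an added example, not code from the CliftonLarsonAllen deck: a gateway-side check that opens a mailed ZIP (recursing into nested ZIPs), and flags members by dangerous extension, by PE magic bytes (catching a renamed executable), and by password protection (which makes the contents unscannable). The extension list, the nesting limit and the constructed sample attachment are my assumptions.

```python
import io
import zipfile
from typing import List

# Extensions that should never arrive inside a mailed archive.
# Assumption: tune this list to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".dll", ".js", ".jse", ".vbs",
                   ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk"}
MAX_DEPTH = 3  # assumption: archives nested deeper than this are quarantined


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return a list of findings for a ZIP given as bytes (empty list = clean).

    Recurses into nested ZIPs, a common evasion (zip-in-zip), and flags
    members by extension, by the 'MZ' header of a Windows executable, and
    by the encryption flag, since an encrypted member cannot be scanned.
    """
    findings: List[str] = []
    if depth > MAX_DEPTH:
        return [f"{prefix}: nested deeper than {MAX_DEPTH} levels, quarantine"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or 'attachment'}: not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            name = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted member
                findings.append(f"{name}: password-protected, contents cannot be scanned")
                continue
            lower = info.filename.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""  # last extension
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable extension {ext}")
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":  # DOS/PE header, regardless of the file name
                findings.append(f"{name}: PE executable by magic bytes")
            if ext == ".zip" or head == b"PK":  # nested archive: look inside
                findings.extend(inspect_archive(zf.read(info), depth + 1, name))
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: any finding blocks the attachment."""
    return bool(inspect_archive(data))


def build_sample_attachment() -> bytes:
    """Constructed sample: an 'invoice' ZIP holding a benign PDF, a
    double-extension executable, and a nested ZIP hiding a JScript dropper."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("statement.js", "var sh = new ActiveXObject('WScript.Shell');")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
        z.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed sample: a ZIP containing only a PDF, which must pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_attachment()):
        print("BLOCK:", finding)
```

The magic-byte check matters more than the extension check: attackers rename `.exe` to `.pdf` or pad the name with spaces, and antivirus that trusts the extension misses it. The encrypted-member rule is the one that usually gets pushback from users, but a gateway that cannot see inside an archive has no basis for delivering it.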

Page 15: Ransomware – WannaCry Attack

• Microsoft issued a “critical” patch (MS17-010) in March 2017 that fixed the vulnerability on supported systems; however, many organizations had not yet applied it when the attack began in May 2017.
• 150 different countries and over 200,000 victims
• The attackers encrypted the files on these 200,000 computers and demanded a Bitcoin ransom payment, starting at $300 per computer, to unlock them.

Page 16: Ways to protect yourself ...

• To prevent a successful phish:
– Never respond to an email requesting sensitive information
– Check who the sender of the email is. In the mail client, an internal sender resolves to a directory display name with no full email address after it; a full address shown after the name means the message came from outside
– Hover over links within emails; this shows the true destination the link goes to
◊ Never click on links within emails that appear suspicious or cannot be verified
– Never enter credentials into a site without first verifying the site
– Understand internal policies
– When in doubt, ask!
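The three checks on this slide (who the sender really is, where a link really goes, and the pressure to act quickly from Page 13) can be automated on the mail gateway or in a triage script. The following Python is an added example, not code from the deck: it parses a raw message with the standard library, compares the display name and Reply-To against the sender domain, compares each link’s visible text with its href, and scans the subject for pressure wording. The internal domain `example-cu.org`, the word list and the constructed sample message are my assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-cu.org"  # assumption: the organization's own mail domain
# assumption: wording that creates pressure to act without thinking
PRESSURE_WORDS = ("urgent", "immediately", "expires", "suspended", "verify now")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL, or of anchor text that merely looks like a URL."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_internal(host: str) -> bool:
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def analyse(raw: bytes) -> List[str]:
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # 1. Sender: a friendly display name over an address outside our domain.
    display, addr = parseaddr(str(msg["From"] or ""))
    if not _is_internal(_domain(addr)):
        findings.append(f"external sender {addr} shown as {display!r}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {reply_to} differs from From domain")

    # 2. Pressure: the customized text that pushes the reader to act quickly.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in subject]
    if hits:
        findings.append(f"pressure language in subject: {', '.join(hits)}")

    # 3. Links: what the link says versus where it goes (the 'hover' check).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = _host(href)
            if "." in text and _host(text) != target:
                findings.append(f"link text {text!r} actually goes to {target}")
            elif target and not _is_internal(target):
                findings.append(f"link to external host {target}")
    return findings


# Constructed sample: a 'password expiry' lure, not a real captured message.
SAMPLE_EML = b"""From: "Jason - IT Department" <it-support@example-cu-helpdesk.com>
Reply-To: jason.helpdesk@mail-reset.example.net
To: teller@example-cu.org
Subject: URGENT: your password expires in 1 hour
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Verify it now or lose access:</p>
<p><a href="http://portal.example-cu.org.login-verify.net/reset">https://portal.example-cu.org/reset</a></p>
<p>See our <a href="https://intranet.example-cu.org/policies">security policy</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print("SUSPICIOUS:", finding)
```

The link check is the one a user cannot do reliably by eye: `portal.example-cu.org.login-verify.net` starts with the real hostname, so a hover tooltip looks right unless the reader knows to read the domain from the right-hand end. Comparing the parsed hostnames does that mechanically.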

Page 17: Physical (Facility) Security

• Piggy-backing/Tailgating – gaining access to a secured facility by following an authorized person through a controlled door, whether by coercion, by manipulation, or simply by walking in behind them
• Vendor Impersonation – attempting to gain access by posing as a trusted source
– Used to gain trusted access to restricted areas
– Typically uses a pre-text (call or email)
– Fake identification is often presented on first contact

Page 18: Physical (Facility) Security

• Once access is gained ...
– Find empty conference rooms, offices, unlocked workstations
– Plant devices – keystroke loggers, wireless access points, thumb drives
– Find sensitive information (passwords, member information, personal financial information, etc.)

Page 19: Ways to protect yourself ...

• To preserve physical security:
– Do not allow unauthorized access to your work area
– Escort all visitors if they need access to a sensitive area
– Do not let anyone borrow your keys or security badge
– Question anyone without a badge – visitor controls are in place for a reason
– Lock workstations/offices before you walk away
– Secure all sensitive information in locked file cabinets
– Do not leave your laptop or other mobile device unattended, particularly in public spaces
– Protect your password! Keep it in your head, not on paper!

Page 20: Telework Threats

For Mobile Workers: Be Careful With Your Connections
Wireless networks, virtual private networks, etc.
• Stop: Do not connect to a public wireless access point without VPN.
• Think: When you are prompted to connect to a public wireless node, know what you are connecting to and assume it is public.
• Click: Only proceed if you are confident in the connection and are using VPN.

Page 21: Key Defensive Measures

Page 22: IT Security Policies: Devices and Files

• Only devices owned or approved by your organization may be connected to CU (credit union) systems
• PCs must be manually locked when unattended
• PCs must automatically lock after a period of inactivity
• PCs must require a password to re-activate
• Files must be stored and backed up on your server
– Not on the desktop or C:\ drive

Page 23: Control Activities (cont)

[Table of brute-force password cracking times by length and character set; not reproduced in the transcript.]

The table represents raw brute forcing of the entire keyspace (no wordlists) of a single Windows password in NTLM hash format. It is based on our password cracking server, which has 8 GPUs and can test 1.75 billion NTLM hashes per second.

Page 24: IT Security Policies: Logons/Passwords

• Passwords must comply with security standards
– Minimum of 10 characters
– Password requirement (strong): upper case alpha, lower case alpha, numeric (0-9), and non-alphabetic characters (~!#$%^&*)
• Passwords must be changed every 120 days
• 5 unsuccessful attempts will lock your account
• Users may NEVER share passwords for any reason
• Don’t allow others to use your system while you are logged in
• Consider using a passphrase for your password – “I like to eat oreos at night” = “I like 2 eat oreos @ night”
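The cracking-time table on Page 23 did not survive the transcript, but it can be recomputed from the one figure the slide gives, 1.75 billion NTLM guesses per second. The following Python is an added example, not code from the deck: it derives worst-case brute-force times for a range of lengths and character sets at that rate, measures a candidate password the same way, and checks it against the Page 24 policy (10+ characters, upper, lower, digit and a non-alphabetic character). The character-class sizes (95 printable ASCII characters) and the 6–12 length range are my assumptions.

```python
CRACK_RATE = 1.75e9  # NTLM hashes per second quoted on the slide for the 8-GPU server

# Character-class sizes; 26 + 26 + 10 + 33 = 95 printable ASCII characters (assumption).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

SECONDS_PER = (("years", 365.25 * 86400), ("days", 86400.0),
               ("hours", 3600.0), ("minutes", 60.0))


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASSES["lower"]
    if any(c.isupper() for c in password):
        size += CLASSES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASSES["digit"]
    if any(not c.isalnum() for c in password):  # space and punctuation count as symbols
        size += CLASSES["symbol"]
    return size


def keyspace(charset: int, length: int) -> int:
    """Number of candidates a raw brute force must try in the worst case."""
    return charset ** length


def seconds_to_exhaust(charset: int, length: int, rate: float = CRACK_RATE) -> float:
    """Worst-case time to try the entire keyspace at the given guess rate."""
    return keyspace(charset, length) / rate


def describe(seconds: float) -> str:
    """Human-readable duration, largest fitting unit, one decimal."""
    for unit, secs in SECONDS_PER:
        if seconds >= secs:
            return f"{seconds / secs:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def meets_policy(password: str, min_length: int = 10) -> bool:
    """Page 24 policy: at least 10 characters with upper, lower, digit and a symbol."""
    return (len(password) >= min_length
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def estimate(password: str) -> str:
    """Worst-case brute-force time for this password's length and character classes."""
    return describe(seconds_to_exhaust(charset_size(password), len(password)))


def crack_table(lengths=range(6, 13), charsets=(26, 36, 62, 95)):
    """Rows of (length, [time per charset]) reconstructing the slide's table."""
    return [(n, [describe(seconds_to_exhaust(cs, n)) for cs in charsets]) for n in lengths]


if __name__ == "__main__":
    print("length  lower-only   lower+digits  mixed+digits  all printable")
    for length, cells in crack_table():
        print(f"{length:>6}  " + "  ".join(f"{c:>12}" for c in cells))
    for pw in ("Password1", "Oreos@Nite1", "I like 2 eat oreos @ night"):
        print(f"{pw!r}: policy={'pass' if meets_policy(pw) else 'FAIL'}, brute force {estimate(pw)}")
```

Two caveats the numbers do not show. NTLM is unsalted and fast, which is why a single server reaches 1.75 billion guesses per second; the same hardware is far slower against a salted, iterated hash. And the model scores the slide’s passphrase at 95^26 candidates, which is only the brute-force worst case: a passphrase assembled from dictionary words with predictable substitutions (“2” for “to”, “@” for “at”) falls to a wordlist-plus-rules attack long before that, so the 10-character minimum is a floor, not a target.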

Page 25: IT Security Policies: Security Updates/Patches

• Operating system must be protected by applying automatic security updates and patches
• Applications must be configured for automatic security updates and patches
– For example, Microsoft Office Word, Excel, PowerPoint
– Adobe Reader/Acrobat
• Security software must be up to date and configured for regular scans
– For example, McAfee, Norton, Kaspersky, Sophos will be set to check for updates and scan at startup and shutdown
• Security software should be set to scan Internet pages, email, attachments, and downloads

Page 26: IT Security Policies: Physical Security

• Lock your workstation when you leave your desk or leave your laptop/mobile device unattended
– Press the Windows key and “L” (at the same time)
– Press Ctrl-Alt-Del and choose “Lock Computer”
• Lock sensitive documents and materials in a file cabinet
• Dispose of sensitive materials appropriately
• Never share your access key, card or fob
• Always question unescorted strangers
• Always report incidents and suspicious activities

Page 27: Defined user access roles and permissions

Principle of minimum access and least privilege
• Users should NOT have system administrator rights
• “Local Admin” in Windows should be removed (if practical)
• NO email or internet browsing with admin credentials

Page 28: Vulnerability Management Process

Vulnerability Management
• What scans are currently performed? How are the results assessed, communicated, and coordinated?
• Are both external and internal vulnerabilities analyzed?
• Do vendors provide their PCI, Security, SOC, or other types of reports for review?
• Key steps
– Conduct routine scans and assessments for operating system patch and application patch vulnerabilities
– Testing to validate effectiveness
– Evaluate vendor reports and metrics
– How normalized (standardized) are systems and environments?

Page 29: Technical Tools

Well defined perimeter security layers:
• Network segments
• Email gateway/filter
• Firewall – “Proxy” integration for traffic in AND out
• Intrusion Detection/Prevention for network traffic, Internet-facing hosts, AND workstations (end points)

Centralized audit logging, analysis, and automated alerting capabilities for:
• Routing infrastructure
• Network authentication
• Servers
• Applications
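“Centralized audit logging, analysis, and automated alerting” for network authentication is concrete enough to show. The following Python is an added example, not code from the deck: it reads authentication log lines and raises an alert when one account accumulates five failures inside a window (the lockout threshold from Page 24), and a second alert when one source address fails against several different accounts, the password-spray pattern that a per-account lockout alone never trips. The log line format, the 10-minute window, the three-account spray threshold and the sample log are my assumptions; the spray rule goes beyond what the slides state.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format (constructed for this example, not a real product's format):
#   <ISO-8601 UTC timestamp> auth <OK|FAIL> user=<account> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)
LOCKOUT_THRESHOLD = 5          # Page 24: 5 unsuccessful attempts lock the account
WINDOW = timedelta(minutes=10)  # assumption: correlation window
SPRAY_ACCOUNTS = 3              # assumption: distinct accounts from one source


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or None if it is not an auth record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines) -> List[str]:
    """Run both detections over the lines in order; each alert fires once."""
    alerts: List[str] = []
    per_user: Dict[str, deque] = defaultdict(deque)  # account -> failure timestamps
    per_src: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # src -> {account: last failure}
    fired = set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        ts, user, src = ev["ts"], ev["user"], ev["src"]

        # Rule 1: brute force against one account (sliding window of failures)
        q = per_user[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= LOCKOUT_THRESHOLD and ("brute", user) not in fired:
            fired.add(("brute", user))
            alerts.append(f"{ts.isoformat()} brute force: {len(q)} failures for {user} "
                          f"from {src} within {WINDOW}")

        # Rule 2: password spray, one source trying many accounts a few times each
        per_src[src][user] = ts
        recent = [u for u, t in per_src[src].items() if ts - t <= WINDOW]
        if len(recent) >= SPRAY_ACCOUNTS and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append(f"{ts.isoformat()} password spray: {len(recent)} accounts "
                          f"({', '.join(sorted(recent))}) from {src} within {WINDOW}")
    return alerts


# Constructed sample log: one brute-force burst, one typo, one spray, some normal logons.
SAMPLE_LOG = """
2018-03-05T08:00:10Z auth OK user=abrown src=10.0.5.21
2018-03-05T08:01:02Z auth FAIL user=jsmith src=203.0.113.9
2018-03-05T08:01:15Z auth FAIL user=jsmith src=203.0.113.9
2018-03-05T08:01:29Z auth FAIL user=jsmith src=203.0.113.9
2018-03-05T08:01:44Z auth FAIL user=jsmith src=203.0.113.9
2018-03-05T08:02:01Z auth FAIL user=jsmith src=203.0.113.9
2018-03-05T08:02:20Z auth FAIL user=jsmith src=203.0.113.9
2018-03-05T08:05:00Z auth FAIL user=cdiaz src=10.0.5.30
2018-03-05T08:10:00Z auth FAIL user=abrown src=198.51.100.7
2018-03-05T08:10:30Z auth FAIL user=ekim src=198.51.100.7
2018-03-05T08:11:00Z auth FAIL user=lnguyen src=198.51.100.7
2018-03-05T08:11:30Z auth OK user=cdiaz src=10.0.5.30
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print("ALERT:", alert)
```

The single failure from `cdiaz` at an internal address produces nothing, which is the point of correlating by time and source rather than alerting on every failed logon: the analyst sees two actionable events, not twelve lines.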

Page 30: Incident Response

Preparedness
• What does this entail?
• Focus on education and awareness
– Includes employee awareness and training
– Must also include constituents and other stakeholders
– How about vendors? How do we communicate and coordinate on concerns with vendors?
– Are we proactive with communications?
– What metrics, governance, and reporting go into the assessment of areas for education, focus, etc.?

Page 31: Incident Response (Cont.)

Incident Response Plan
• Are specific metrics, monitoring procedures, alerts, and configurations in place?
• What is the organization’s strategy?
– Forensic approach?
– Shutdown
– Hybrid – legal
• Key steps
– Identify critical systems and DATA
– Do data owners exist?
– Define incident team and communication plan
– Document policies, considerations, scenarios, etc.
– Identify vendors
– What tools and technologies will be utilized/deployed?
– Communicate and test the plan

Page 32: Closing Thoughts...

• Understand your responsibilities to safeguard the information at the credit union
• Be accountable for your actions
• Understand and follow policies
• Report anything suspicious
• When in doubt, ask!

Page 33:

“The secret to enforcement is prevention, and the key to prevention is education.”

-R. Wallace Hale

CliftonLarsonAllen
Phillip Del Bello, CPA, CISA

[email protected]***

(410) 308-8181