IT Security and Assessments – auditor.vermont.gov
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor
©2018 CliftonLarsonAllen LLP
IT Security and Assessments
Objectives
• Identify key elements to use in user awareness and related IT policies regarding IT Security issues and social engineering.
• Communicate and assess key general control provisions and requirements for mitigating IT security risks.
• Review the risks and implications to various organizations broadly related to confidentiality and privacy of key data.
Information Security defined
• Rules – What we expect to occur
• People – Users that are aware…
• Tools – Support our objectives
Core properties: Confidentiality, Integrity, Availability
Data Breach Headlines
Other Headlines
• California Hospital Pays $17,000 To Hackers In ‘Ransomware’ Attack
  – http://sanfrancisco.cbslocal.com/2016/02/18/california-hospital-ransomware-attack-hackers/
• Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say
  – https://www.nytimes.com/2017/04/08/us/dallas-emergency-sirens-hacking.html?_r=0
• VCU Reports Breach of Medical Files
  – http://www.richmond.com/news/virginia/vcu-reports-breach-of-medical-files/article_866c7c17-1d35-50bb-bfe0-87ad3f4ba82e.html
• Data Breach Hits Mainstreet FCU
  – http://www.cutimes.com/2015/10/15/data-breach-hits-mainstreet-fcu
• Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals
  – https://www.irs.gov/uac/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others
• Howard County government website restored after it was hacked with pro-Islamic State message
  – http://www.baltimoresun.com/news/maryland/bs-md-howard-website-hack-20170625-story.html
All Organizations are at Risk!
• University of Maryland
  – http://www.umd.edu/datasecurity/
  – http://www.baltimoresun.com/news/maryland/education/bs-md-umd-data-breach-audit-20141210-story.html
  – http://www.wusa9.com/story/news/local/2014/03/26/university-of-maryland-congress-data-breach/6942023/
• State of South Carolina
  – http://www.pcworld.com/article/2015543/irs-blamed-in-massive-south-carolina-data-breach.html
Sources of Risk
• Government organizations are an extensive source of valuable personal data about taxpayers, recipients, and beneficiaries
  – Social Security numbers
  – Addresses
  – Dates of birth
  – Bank account information
• Governments are targets due to the sources of data, number of external and remote access connections/authentications, perceived susceptibility of constituents, and financial access
Three Largest Trends
• Ransomware
• IoT vulnerabilities
• Social Engineering
  – Data breaches
  – CATO
How do hackers and fraudsters break in?
• Social Engineering – The psychological manipulation of people into performing actions or divulging confidential information
  ◊ Pre-text Calls
  ◊ Email Phishing
  ◊ Manipulation of Physical Security
Pre-text Phone Calls
• Calling from Comcast Services on behalf of IT
• Calling as an internal employee getting member information
Pre-text Phone Calls
• “Hi, this is Jason from Comcast services. I am working with IT, and I need your help…”
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – People want to avoid inconvenience
  – Timing, timing, timing…
Ways to protect yourself ...
• To prevent a successful pre-text call:
  – Apply call back procedures
  – Request additional verification information (non-public)
  – Request approval from caller’s supervisor, if internal
  – Reference internal security policies to external callers, if additional procedures are unsuccessful
  – Any suspicious calls should be reported to IT
Email Phishing – “Spear” Phishing
• Technique of fraudulently obtaining sensitive information
  – “Spoof” the email to appear that it comes from someone in authority
  – Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking)
Ransomware
• Malware encrypts everything it can interact with
  – i.e. anything the infected user has access to
• Zip file is preferred delivery method
  – Helps evade virus protection
• Working (tested) backups are key
Ransomware - WannaCry Attack
• A "critical" patch was issued by Microsoft in March 2017 to remove a vulnerability for supported systems; however, many organizations had not yet applied the patch.
• 150 different countries and over 200,000 victims
• Hackers locked files for these 200k computers and asked for Bitcoin ransom payment starting at $300 to unlock each computer.
Ways to protect yourself ...
• To prevent a successful phish:
  – Never respond to email requesting sensitive information
  – Check who is the sender of the email. An internal email does not show the full email address after the name.
  – Hover over links within emails; this will tell you the true destination of where that link is going
    ◊ Never click on links within emails that appear suspicious or cannot be verified
  – Never enter credentials into a site without verifying the information first
  – Understand internal policies
  – When in doubt, ask!
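The two checks above that a user performs by eye (who the sender really is, and where a link really goes when you hover over it) can also be run automatically at a mail gateway or by a help desk triaging a reported message. The Python script below is an added example written for this page, not code from the presentation or from CliftonLarsonAllen. It assumes the organization's mail domain is example-cu.org and parses a sample message constructed for the example: the display name claims to be the CEO while the real address is external, and the link text names the internal portal while the href points at a bare IP address.

```python
"""Automated versions of the deck's sender and hover checks (added example, not the deck's code).

Assumptions: the organization's mail domain is example-cu.org, and the sample
message below is constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-cu.org"   # assumption for this example

# Constructed sample: the display name claims the CEO, the real address is external,
# and the link text shows the internal portal while the href goes to a bare IP address.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example-cu-login.com>
To: staff@example-cu.org
Subject: Urgent: verify your payroll account today
Content-Type: text/html

<p>Please confirm your details within 1 hour or payroll will be delayed.</p>
<p><a href="http://198.51.100.7/login">https://portal.example-cu.org/login</a></p>
"""

# Visible link text that looks like a host or URL, e.g. "portal.example.org/x" or "https://..."
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[\w-]+(?:[/:]\S*)?$")


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def href_host(href):
    """Hostname the link really goes to (what hovering shows), lower-cased."""
    return (urlparse(href).hostname or "").lower()


def text_host(text):
    """Hostname the visible text appears to name, or '' if the text is not URL-like."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    return href_host(text if "://" in text else "http://" + text)


def inspect_email(raw, internal_domain=INTERNAL_DOMAIN):
    """Return human-readable red flags; an empty list means none of these checks fired."""
    msg = message_from_string(raw)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    # Slide: check who the sender really is, not the name shown in front of the address.
    if sender_domain != internal_domain:
        findings.append(f"sender '{display_name}' is external: {address}")

    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for text, href in collector.links:
        shown, real = text_host(text), href_host(href)
        # Slide: hover to see the true destination; flag text/href host mismatches.
        if shown and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
        elif real.replace(".", "").isdigit():
            findings.append(f"link goes to a bare IP address: {real}")
    return findings


if __name__ == "__main__":
    for flag in inspect_email(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Running the script against the sample prints two red flags, one for the external sender and one for the link whose visible text and real destination disagree. Link text that is not itself URL-like (such as "Click here") is not compared, because there is nothing to compare it with; the sender check still applies to such messages.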
Physical (Facility) Security
• Piggy-backing/Tailgating – gaining access to a physical access facility by means of coercion or manipulation or simple entry
• Vendor Impersonation – attempting to gain access by posing as a trusted source
  – Used to gain trusted access to restricted areas
  – Typically uses a pre-text (call or email)
  – Fake identification is often provided on first contact
Physical (Facility) Security
• Once access is gained ...
  – Find empty conference rooms, offices, unlocked workstations
  – Plant devices – keystroke loggers, wireless access point, thumb drives
  – Find sensitive information (passwords, member information, personal financial information, etc.)
Ways to protect yourself ...
• To preserve physical security:
  – Do not allow unauthorized access to your work area
  – Escort all visitors if they need access to a sensitive area
  – Do not let anyone borrow your keys or security badge
  – Question anyone without a badge – visitor controls are in place for a reason
  – Lock workstations/offices before you walk away
  – Secure all sensitive information in locked file cabinets
  – Do not leave your laptop or other mobile device unattended, particularly in public spaces.
  – Protect your password! Keep it in your head, not on paper!
Telework Threats
For Mobile Workers: Be Careful With Your Connections
Wireless Networks, Virtual Private Networks, etc.
• Stop: Do not connect to a public wireless access point without VPN.
• Think: When you are prompted to connect to a public wireless node, know what you are connecting to and assume it is public.
• Click: Only proceed if you are confident in the connection and are using VPN.
Key Defensive Measures
IT Security Policies: Devices and Files
• Only devices owned or approved by your organization may be connected to CU systems
• PCs must be manually locked when unattended
• PCs must automatically lock after a period of inactivity
• PCs must require a password to re-activate
• Files must be stored and backed up on your server
  – Not on the desktop or C:\ drive
Control Activities (cont)
This represents raw brute forcing of the entire keyspace (no wordlists) for a single Windows password in NTLM hash format. It is based on our password cracking server, which has 8 GPUs and can crack 1.75 billion NTLM hashes per second.
IT Security Policies: Logons/Passwords
• Passwords must comply with security standards
  – Minimum of 10 characters
  – Password Requirement (Strong): upper case alpha, lower case alpha, numeric (0-9), non-alphabetic characters (~!#$%^&*)
• Passwords must be changed every 120 days
• 5 unsuccessful attempts will lock your account
• Users may NEVER share passwords for any reason
• Don’t allow others to use your system while you are logged in
• Consider using a passphrase for your password – “I like to eat oreos at night” = “I like 2 eat oreos @ night”
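The policy above and the cracking-server figure on the Control Activities slide (8 GPUs, 1.75 billion NTLM hashes per second) fit together: the length and character-class rules decide how large a keyspace a brute-force run has to cover, and the hash rate decides how long that takes. The Python below is an added example written for this page, not code from the presentation or from CliftonLarsonAllen. It checks a password against the slide's rules and estimates the time to exhaust its keyspace at the slide's rate. It assumes the "non-alphabetic characters" class means any printable non-alphanumeric character (the slide's own passphrase uses '@' and spaces, which are not in the parenthesised list), and it assumes the attacker already knows the length and classes used, which is the case most favourable to the attacker.

```python
"""Password-policy check plus brute-force estimate (added example, not code from the deck).

Policy numbers come from the Logons/Passwords slide; the hash rate comes from the
Control Activities slide (8-GPU server, 1.75 billion NTLM hashes per second).
Assumption: "non-alphabetic characters" means any printable non-alphanumeric
character, because the slide's own passphrase example uses '@' and spaces.
"""
import string

MIN_LENGTH = 10                 # slide: minimum of 10 characters
MAX_AGE_DAYS = 120              # slide: passwords changed every 120 days
LOCKOUT_ATTEMPTS = 5            # slide: 5 unsuccessful attempts lock the account
NTLM_RATE = 1.75e9              # slide: 1.75 billion NTLM hashes per second

CLASSES = {
    "upper": set(string.ascii_uppercase),            # 26 characters
    "lower": set(string.ascii_lowercase),            # 26 characters
    "digit": set(string.digits),                     # 10 characters
    "special": set(string.punctuation) | {" "},      # 33 characters (assumption, see docstring)
}


def classes_present(password):
    """Policy character classes that the password actually uses."""
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}


def check_policy(password):
    """Return a list of violations of the slide's rules; empty means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    missing = sorted(set(CLASSES) - classes_present(password))
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    return problems


def keyspace_size(password):
    """Candidates a pure brute-force run must try for this length and class mix.

    Assumes the attacker knows the length and which classes are used, so this is
    a lower bound on the work a real exhaustive search would need.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_present(password))
    return alphabet ** len(password)


def crack_seconds(password, rate=NTLM_RATE):
    """Seconds to exhaust the keyspace at the slide's cracking rate."""
    return keyspace_size(password) / rate


def describe(password):
    """One-line summary: policy verdict and time to exhaust the keyspace, in years."""
    years = crack_seconds(password) / (365.25 * 24 * 3600)
    problems = check_policy(password)
    verdict = "compliant" if not problems else "; ".join(problems)
    return f"{password!r}: {verdict}; full keyspace at {NTLM_RATE:.3g} H/s ~ {years:.3g} years"


if __name__ == "__main__":
    # Short single-class passwords fall in minutes; the slide's passphrase does not.
    for candidate in ("password", "Password1", "Winter2018!", "I like 2 eat oreos @ night"):
        print(describe(candidate))
```

The point the numbers make is the one the slide makes in words: an eight-character lower-case password is exhausted in about two minutes at this rate, while the passphrase "I like 2 eat oreos @ night" is both policy-compliant and far beyond any brute-force budget, because length multiplies the keyspace far faster than adding character classes does.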
IT Security Policies: Security Updates/Patches
• Operating system must be protected by applying automatic security updates and patches
• Applications must be configured for automatic security updates and patches
  – For example, Microsoft Office Word, Excel, PowerPoint
  – Adobe Reader/Acrobat
• Security software must be up to date and configured for regular scans
  – For example, McAfee, Norton, Kaspersky, Sophos will be set to check for updates and scan at startup and shutdown
• Security software should be set to scan Internet pages, email, attachments, and downloads
IT Security Policies: Physical Security
• Lock your workstation when you leave your desk or leave your laptop/mobile device unattended
  – Press the Windows Key and “L” (at the same time)
  – Press Ctrl-Alt-Del and “Lock Computer”
• Lock sensitive documents and materials in a file cabinet
• Dispose of sensitive materials appropriately
• Never share your access key, card or fob
• Always question unescorted strangers
• Always report incidents and suspicious activities
Defined user access roles and permissions
Principle of minimum access and least privilege
• Users should NOT have system administrator rights
• “Local Admin” in Windows should be removed (if practical)
• NO email or internet browsing with Admin credentials
Vulnerability Management Process
• What scans are currently performed? How are the results assessed, communicated, and coordinated?
• Are both external and internal vulnerabilities analyzed?
• Do vendors provide their PCI, Security, SOC, or other types of reports for review?
• Key steps
  – Conduct routine scans and assessments for operating system and application patch vulnerabilities
  – Testing to validate effectiveness
  – Evaluate vendor reports and metrics
  – How normalized are systems and environments?
Technical Tools
Well defined perimeter security layers:
• Network segments
• Email gateway/filter
• Firewall – “Proxy” integration for traffic in AND out
• Intrusion Detection/Prevention for network traffic, Internet facing hosts, AND workstations (end points)
Centralized audit logging, analysis, and automated alerting capabilities:
• Routing infrastructure
• Network authentication
• Servers
• Applications
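"Centralized audit logging, analysis, and automated alerting" only pays off when the analysis step is concrete. The Python below is an added example written for this page, not code from the presentation or from CliftonLarsonAllen; it shows one alerting rule built from the deck's own numbers. Logon failures from several sources (a workstation and a VPN gateway here) are normalized into one line format, and an alert fires when an account accumulates 5 failures within 10 minutes (the lockout threshold from the Logons/Passwords slide) or when a single source address fails against 3 or more accounts. The log lines, the line format and the 3-account threshold are constructed assumptions for this example; a SIEM would produce equivalent fields from the Windows Security log or a VPN concentrator.

```python
"""Failed-logon alerting over centralized logs (added example, not code from the deck).

Alert 1: an account with 5 failures in 10 minutes, the lockout threshold the deck's
         password-policy slide states.
Alert 2: one source address failing against several accounts in the same window
         (threshold of 3 is an assumption for this example).
Log format below is constructed: "timestamp source_system event user src_ip".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
ACCOUNT_THRESHOLD = 5     # deck: 5 unsuccessful attempts lock the account
SPREAD_THRESHOLD = 3      # assumption: one source failing against 3+ accounts is worth a look

# Constructed sample log: a user who mistypes twice then succeeds, a VPN account that
# is hammered five times, and one external address that then tries three other accounts.
SAMPLE_LOG = """\
2018-04-02T08:01:10 ws-114 LOGON_FAIL jsmith 10.20.1.14
2018-04-02T08:01:20 ws-114 LOGON_FAIL jsmith 10.20.1.14
2018-04-02T08:02:05 ws-114 LOGON_OK jsmith 10.20.1.14
2018-04-02T08:15:00 vpn-gw LOGON_FAIL mjones 203.0.113.9
2018-04-02T08:15:07 vpn-gw LOGON_FAIL mjones 203.0.113.9
2018-04-02T08:15:15 vpn-gw LOGON_FAIL mjones 203.0.113.9
2018-04-02T08:15:22 vpn-gw LOGON_FAIL mjones 203.0.113.9
2018-04-02T08:15:30 vpn-gw LOGON_FAIL mjones 203.0.113.9
2018-04-02T08:40:00 vpn-gw LOGON_FAIL rlee 203.0.113.9
2018-04-02T08:40:04 vpn-gw LOGON_FAIL tnguyen 203.0.113.9
2018-04-02T08:40:09 vpn-gw LOGON_FAIL akumar 203.0.113.9
"""


def parse_line(line):
    """Split one normalized log line into its fields."""
    ts, system, event, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "system": system,
            "event": event, "user": user, "src": src}


def analyze(log_text):
    """Return alert strings in the order they would fire while streaming the log."""
    alerts = []
    per_user = defaultdict(deque)   # user -> timestamps of failures inside the window
    per_src = defaultdict(dict)     # src -> {user: time of that user's last failure}
    fired = set()                   # do not re-fire the same alert for the same key
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "LOGON_FAIL":
            continue                # successful logons are kept in the log, not alerted on
        now = rec["ts"]

        # Alert 1: sliding window of failures per account.
        q = per_user[rec["user"]]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        if len(q) >= ACCOUNT_THRESHOLD and ("user", rec["user"]) not in fired:
            fired.add(("user", rec["user"]))
            alerts.append(f"{now.isoformat()} {rec['user']}: {len(q)} failed logons within "
                          f"{int(WINDOW.total_seconds() // 60)} min on {rec['system']} from {rec['src']}")

        # Alert 2: distinct accounts one source has failed against inside the window.
        targets = per_src[rec["src"]]
        targets[rec["user"]] = now
        recent = sorted(u for u, t in targets.items() if now - t <= WINDOW)
        if len(recent) >= SPREAD_THRESHOLD and ("src", rec["src"]) not in fired:
            fired.add(("src", rec["src"]))
            alerts.append(f"{now.isoformat()} {rec['src']}: failures against "
                          f"{len(recent)} accounts ({', '.join(recent)})")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the sample, jsmith's two mistakes produce nothing, mjones trips the account rule at the fifth failure, and 203.0.113.9 trips the source rule at its third distinct account. The second rule is the reason logs need to be centralized: each of those three accounts saw only one failure, which no single host's lockout counter would notice.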
Incident Response
Preparedness
• What does this entail?
• Focus on education and awareness
  – Includes employee awareness & training
  – Must also include constituents and other stakeholders
  – How about vendors? How do we communicate and coordinate on concerns with vendors? Are we proactive with communications?
  – What metrics, governance, and reporting go into the assessment of areas for education, focus, etc.?
Incident Response (Cont.)
Incident Response Plan
• Are specific metrics, monitoring procedures, alerts, and configurations in place?
• What is the organization’s strategy?
  – Forensic approach?
  – Shutdown
  – Hybrid – legal
• Key steps
  – Identify critical systems and DATA
    ◊ Do data owners exist?
  – Define incident team and communication plan
  – Document policies, considerations, scenarios, etc.
  – Identify vendors
  – What tools and technologies will be utilized/deployed?
  – Communicate and test the plan
Closing Thoughts...
• Understand your responsibilities to safeguard the information at the credit union
• Be accountable for your actions
• Understand and follow policies
• Report anything suspicious
• When in doubt, ask!
“The secret to enforcement is prevention, and the key to prevention is education.”
– R. Wallace Hale
CliftonLarsonAllen
Phillip Del Bello, CPA, CISA
(410) 308-8181