TRANSCRIPT
www.parmenion.co.uk
Online security for our customers
Agenda
• Introduction
• What is information security?
• What is the scale of the problem
• How does an attack work?
• Consequences
• What can I do?
Introduction
What is Information Security?
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).
• Protecting confidentiality
• Ensuring integrity
• Maintaining availability
What is information security?
• Physical Security – the protection of property, e.g. using fences and locks
• Personnel Security – e.g. using background checks
• Contingency Planning and Disaster Recovery – how to resume normal operations after an incident, also known as Business Continuity Planning
• Operational Security – protecting business plans and processes
• Privacy – protecting personal information
http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Diagram of the areas of information security: cyber security, privacy, physical security, contingency planning and disaster recovery, operational security, personnel security.
Increasing press profile
Scary news stories about information security breaches have been making headlines more frequently than ever, and the subject is increasingly on the minds of people in the UK:
Size of breaches
Threat landscape – how does this apply to me?
• 90% of large organisations had a security breach
• 74% of small organisations had a breach
• £75k – £311k is the average cost of a breach to a small business
• Median number of breaches for a large organisation was 14
• 81% of breaches leveraged either stolen or weak passwords
Threat landscape
Phishing emails and reused passwords were the most common methods used to get into systems. 55% of users in the UK use the same password for most, if not all, of the websites they use (Ofcom 2015).
22,000 phishing emails came to Parmenion addresses last month. Most were blocked but a few still get through.
4.7 billion usernames and passwords have been stolen from other systems. Check whether yours are among them at https://haveibeenpwned.com
Everyone is under attack all the time
Motivation
• Fame
• Challenge
• Boredom
• Revenge
• Corporate/political gain
• Money
Marketplace
“Customer service is the motto. Hackers are now extending their service hours, guaranteeing their work, and expanding their offerings to keep customers coming back.”
Dell SecureWorks
Marketplace
Item | Recent prices (2016)
Angler Exploit Kit | $100 – $135
UK ‘Fullz’ | $25
Physical counterfeit driver’s licence (U.S., U.K., Germany, Israel, International Driver’s Permit) | $173
Popular U.S. online “business” payment account credentials | $20 – $149
Bank account credentials (UK) | $700 for an account with a balance of $10,000
High-quality bank accounts with verified large balances of $70,000 – $150,000 | 6% of the balance of the account
How does an attack work?
“Don’t assume a crack isn’t too small to be noticed or too small to be exploited. If you do a pen test and you say ‘We look great on these 97 things, but these 3 things over here are kind of esoteric and probably don’t matter that much’ – that’s all we need. […] We’re going to look for that esoteric edge case to break in.”
Chief of ‘Tailored Access Operations’, NSA
How does an attack work?
• Initially gain entry
• Establish persistence to allow repeat entry
• Move laterally to other systems
• Exfiltrate data and exploit it
https://blogs.sophos.com/2014/04/11/how-do-apts-work-the-lifecycle-of-advanced-persistent-threats-infographic/
http://www.uidaho.edu
Phishing
• Fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials, or to install malware.
• For example, PayPal scammers might send out an attack email that instructs the recipient to click on a link in order to rectify a discrepancy with their account.
• The link can then lead to a number of things:
• A fake PayPal login page that collects the user’s login credentials and delivers them to the attackers.
• A site that installs malware on the user’s machine.
• Phishing can be generic and untargeted, or customised with the target’s name, position, company, work phone number and other information in an attempt to convince the recipient that they have a connection with the sender. These more targeted attacks are referred to as spear phishing.
Phishing email – Spot the difference
6 ways to spot a phish
1. Unusual sender address (hover over the From: email address to check)
2. Fraudulent / fake website addresses that are similar to but not the same as the real thing (hover over the web link in the email to check the real website address)
3. Forceful / fake urgency to get you to respond before you think
4. Requests for passwords or other confidential information
5. Poor spelling and grammar
6. Usually sounds too good or bad to be true or just unexpected
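The first four checks above can be automated. The script below is an added example, not code from the presentation: it parses a raw email, compares the sender’s domain and every link’s real destination with the brand the mail claims to be from, and scans the body for urgency and requests for secrets. The two sample emails, their addresses and the keyword lists are constructed for illustration, and the “last two labels” domain check is a deliberate simplification (a production check would use the public suffix list).

```python
"""Flag the phishing indicators listed above in a raw email (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("immediately", "within 24 hours", "suspended", "urgent", "act now")
SECRETS = ("password", "security code", "card number", "pin number")

# Constructed samples: a look-alike PayPal phish and a genuine-looking statement mail.
PHISH = """From: PayPal Support <service@paypal-security-alerts.com>
To: customer@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Your account will be suspended unless you
confirm your password within 24 hours.</p>
<p><a href="http://paypal.com.account-verify.example.net/login">www.paypal.com</a></p>
</body></html>
"""

LEGIT = """From: PayPal <service@paypal.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement for February is available at
<a href="https://www.paypal.com/myaccount/statements">www.paypal.com</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a bare 'www.example.com' is treated as http."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def registered_domain(host):
    """Crude registrable domain: the last two labels. Good enough for .com/.net;
    a real implementation would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phish_indicators(raw_email, brand_domain):
    """Return the indicators triggered by raw_email, where brand_domain is the
    domain the mail claims to come from (e.g. 'paypal.com')."""
    msg = message_from_string(raw_email)
    found = []
    _, addr = parseaddr(msg.get("From", ""))
    sender = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    # 1. sender address does not belong to the brand it claims to be
    if sender != brand_domain:
        found.append("unusual sender address: " + addr)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    brand = brand_domain.split(".")[0]
    for href, text in collector.links:
        host = host_of(href)
        # 2. link text or hostname mentions the brand but lands on another domain
        if registered_domain(host) != brand_domain and (brand in text.lower() or brand in host):
            found.append("look-alike link: %r -> %s" % (text, href))
    low = body.lower()
    # 3. pressure to act before thinking
    if any(word in low for word in URGENCY):
        found.append("false urgency")
    # 4. asks for a password or other confidential information
    if any(word in low for word in SECRETS):
        found.append("requests confidential information")
    return found


if __name__ == "__main__":
    print("phish :", phish_indicators(PHISH, "paypal.com"))
    print("legit :", phish_indicators(LEGIT, "paypal.com"))
```

Note that the look-alike test catches both tricks the slide describes: a hostname that starts with the brand (`paypal.com.account-verify.example.net` is really `example.net`) and link text that shows the brand’s address while the `href` goes elsewhere. Spelling and “too good to be true” are left to the human reader.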
Phishing
Malware – What is it?
• Short for 'Malicious Software'
• A program that does something you do not want it to do
• Types of malware include:
• Ransomware
• Spyware
• Adware
• Viruses
Malware – What does it do?
The Angler exploit kit is a popular choice. It can be bought for $100–$135 and used by someone with relatively little technical skill. Once a user’s machine is infected, the typical actions are:
• Install other malware (financial malware, designed to transfer money from bank accounts; ransomware, which encrypts files and demands money to decrypt them)
• Collect confidential data (usernames, passwords, card details, etc.) and upload it to servers the attackers control
• Tie the infected system into a botnet (a “zombie army” of computers used to deliver further attacks)
Reused email / password attack (credential stuffing)
According to Shape, compromised credentials from these massive data breaches were used to target websites in the retail, finance, travel and government industries.
Their report also noted that the success rate for credential stuffing attacks was between 0.1 percent and 2 percent.
That means that if 1 million credentials were stolen from a website like LinkedIn and then replayed against Amazon.com, the attacker would gain access to between 1,000 and 20,000 accounts.
The number grows further if those same credentials also work on other websites and applications.
http://info.shapesecurity.com/rs/935-ZAM-778/images/Shape-2017-Credential-Spill-Report.pdf
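What credential stuffing looks like from the defender’s side, as an added example (not from the presentation or the Shape report): a real user who mistypes a password fails repeatedly on one account, whereas a stuffing tool fails once each on many accounts from the same source in a short time. The script groups login events by source address and flags any source that tries more than a threshold of distinct usernames within a time window, then lists the accounts where it succeeded. The log lines, addresses and thresholds are constructed for illustration.

```python
"""Spot credential stuffing in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one real user mistyping a password (198.51.100.4)
# and one source walking a leaked username list at machine speed (203.0.113.7).
LOG = """\
2017-03-01T10:00:01Z ip=198.51.100.4 user=alice@example.com result=FAIL
2017-03-01T10:00:09Z ip=198.51.100.4 user=alice@example.com result=FAIL
2017-03-01T10:00:20Z ip=198.51.100.4 user=alice@example.com result=OK
2017-03-01T10:01:00Z ip=203.0.113.7 user=bob@example.com result=FAIL
2017-03-01T10:01:01Z ip=203.0.113.7 user=carol@example.com result=FAIL
2017-03-01T10:01:02Z ip=203.0.113.7 user=dave@example.com result=OK
2017-03-01T10:01:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2017-03-01T10:01:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2017-03-01T10:01:05Z ip=203.0.113.7 user=grace@example.com result=FAIL
2017-03-01T10:01:06Z ip=203.0.113.7 user=heidi@example.com result=OK
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Yield (timestamp, ip, user, result) for each well-formed log line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["result"]


def stuffing_sources(lines, window=timedelta(minutes=5), min_users=5):
    """Return {ip: all usernames it tried} for every source that attempted at
    least min_users distinct usernames inside any `window`-long period."""
    events = defaultdict(list)
    for ts, ip, user, _ in parse(lines):
        events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window so that evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({u for _, u in evs[start:end + 1]}) >= min_users:
                flagged[ip] = {u for _, u in evs}
                break
    return flagged


def compromised_accounts(lines, flagged):
    """Accounts where a flagged source got result=OK: the reused passwords
    that worked, which need a forced reset and a session revocation."""
    return {user for _, ip, user, result in parse(lines)
            if ip in flagged and result == "OK"}


def expected_takeovers(stolen, low=0.001, high=0.02):
    """Shape's 0.1%-2% success rate applied to a stolen credential set."""
    return round(stolen * low), round(stolen * high)


if __name__ == "__main__":
    sources = stuffing_sources(LOG)
    print("stuffing sources   :", {ip: sorted(users) for ip, users in sources.items()})
    print("accounts to reset  :", sorted(compromised_accounts(LOG, sources)))
    print("1M stolen creds    :", expected_takeovers(1_000_000), "expected takeovers")
```

The distinct-username count is the signal that survives simple evasion: an attacker can slow down or keep the failure count per account at one, but cannot try many accounts from one address without tripping this check, which forces them to spread the attempt over many sources and makes rate limiting per source and per account both worthwhile.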
Social engineering
Social engineering is the use of human-to-human interaction by cybercriminals to get a user to divulge sensitive information or take an action on their behalf.
Consequences
Regulator fines
• Zurich UK fined £2.275 million by the FSA for losing details of 46,000 customers
• HSBC Life fined £1.61 million by the FSA for repeated transmission of unencrypted data
• The Money Shop fined £180,000 for failing to take steps to address the risk of loss of client data after servers were stolen, even though there was no evidence of any harm to individuals or that the data had been accessed
• HCA International Ltd fined £200,000 when an Indian company they were using for transcription had its insecure server hacked, revealing their clients’ personal details
Financial loss
• Several banks on the SWIFT network have been hit for over $100m in total so far this year
As well as:
• Reputational damage / loss of goodwill
• Impairment of business performance
• Disruption to business activities
Where does that leave us?
Diagram: you, between a rock and a hard place. On one side: hackers, cybercriminals, hacktivists, crackers, script kiddies, disgruntled staff and untrained staff. On the other: the regulators, the FCA and the ICO.
What can I do?
Cyber focus
• This presentation is focused on immediate protections for the cyber side of information security
• This is only a starting point, it is not a comprehensive list
• The order is not an order of implementation or of importance
Risk
A complete defence against cyber attacks is not possible; the key is to understand your risks and make a conscious decision about how much risk to accept.
Skill level | Example | Quantity of attacks | Cost to defend
Very low | Script kiddies | Very high | Low
Low | Untargeted phishing | Very high | Low
Medium | Targeted phishing | High | Low
High | Disgruntled ex-employee | Medium | Medium
Very high | Motivated hacker | Low | High
Extreme | State-level attack | Very low | Extreme
Layers
Organisations need to widen their security nets to protect and defend against opportunistic attacks and infections. The term layered security describes a defensive strategy with multiple defensive layers, each designed to slow down an attacker who has got past the one before. The military calls this defence in depth.
Essentially, no single defence is a silver bullet.
https://uk.sans.org/reading-room/whitepapers/analyst/layered-security-works-34805
Layers, from outermost to innermost: policies, procedures and awareness; physical; perimeter; network; host; application; data.
Training
Staff are a first line of defence for:
• Preventing social engineering attacks
• Preventing phishing attacks
• Detecting attacks / infiltrations
Actions: talk to your employees about:
• Keeping a clean machine – what needs to be installed
• Following good password practices –complexity and reuse
• When in doubt, throw it out –suspicious emails, websites
• Backing up their work
• Staying watchful and speaking up
Firewalls
Firewalls are designed to allow only specific communications in and out of a network. Different types of Internet communication use different ports, e.g. web traffic flows on ports 80 and 443. Firewalls can close down the channels that are not needed, so they cannot be put to malicious use.
Some malware needs to communicate out/in for instructions and firewalls can prevent this.
Actions:
• Ensure you have a firewall to control access
• Use a whitelist mode (block everything except what is explicitly allowed) rather than a blacklist
Web and spam filtering
This is really an extension of firewalls. As well as blocking specific channels, some firewalls can perform deeper inspection, look at the specific traffic going through and block that. Many attacks are delivered from malicious websites or through adverts; blocking these leaves fewer vectors for attack.
Lists of categorised sites can be subscribed to and are updated continually. The categories include malicious and advertising sites as well as others such as social (e.g. Facebook), file sharing (e.g. Dropbox), news, email, etc.
Actions:
• Determine if your network can support filtering
• Determine what you would like to block (minimum malicious)
• Implement blocking, and whitelist any legitimate sites needed for the business that the filter blocks
Patching
Defects in operating systems and in clients such as web browsers, email programs, image viewers, instant messaging software and media players may allow a malicious website, message or media file to infect or compromise your computer with no action on your part beyond viewing or listening to it.
Some attacks are ‘zero day’, i.e. they exploit previously unknown vulnerabilities that no patch yet fixes; most, however, use vulnerabilities that are already known, so patching promptly closes those off and prevents follow-up attacks.
Actions:
• Turn on automatic updates where possible
• Do not forget Adobe Flash and Java
• Centralised monitoring where appropriate
Virus protection
Anti-virus software and malicious code detection tools are commonly used to protect information systems from malicious attacks.
As with patching, anti-virus does not stop everything: new malware is often designed to get past anti-virus software. Keeping it up to date still catches the known malware and the follow-up infections that make up the bulk of attacks.
Actions:
• Ensure you have anti-virus software
• Ensure it is up to date and auto updates
• Centralised reporting where appropriate
Restrict administration access
Computers generally have different levels of access, with administrative access being the most comprehensive and powerful. Administrative access is not needed for most day-to-day use and is typically reserved for installing programs and changing settings.
Some malware requires administrative access to install.
Actions:
• Users should not have administrative access by default
• Only specific designated users should be administrators
Appropriate Access
Do all employees need access to all files? There may be sensitive information, such as HR files and salaries or client data, that not everyone needs in order to do their job. The less information a user can see, the less is exposed during a breach. The information does not have to be sensitive for this to matter: a breach could be ransomware encrypting files, and if the infected user’s account cannot access a file, the ransomware running as that user cannot encrypt it.
Actions:
• Map who needs access to what within your organisation
• Revisit this frequently as it soon goes out of date
• Try to think about roles rather than people
• Use this information to grant access to files
• No access should be the default
Password re-use / password managers
55% of internet users use the same password for most, if not all, websites (2013).
Attacks on websites can reveal lists of usernames and passwords. The more websites a user has accounts on, the greater the chance that they will be part of a leaked set. If the password is not unique, there is a risk that their other services could be compromised.
If you have been included in a leaked set you can find out from https://haveibeenpwned.com, which has an index of 4.7 billion accounts.
Actions:
• Do not use the same password for multiple sites / services
• If needed update historic accounts
• Consider a password manager to keep track of accounts and passwords
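The same service exposes a Pwned Passwords range lookup that lets you check a candidate password against the leaked sets without ever sending the password, which is the check a password manager or a registration form should run. The code below is an added example, not from the presentation or from haveibeenpwned.com: it hashes the password with SHA-1, sends only the first five hex characters of the hash (the k-anonymity prefix), and matches the remaining 35 characters locally against the suffixes the service returns. The assumed live endpoint is `https://api.pwnedpasswords.com/range/<prefix>`; it is not called here, and the range body in `RANGES` is a constructed stand-in (its suffixes other than the one for “password”, and all of its counts, are made up).

```python
"""Check a password against a breach corpus without revealing it (added example)."""
import hashlib


def hash_parts(password):
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the body the (assumed) range endpoint
# GET https://api.pwnedpasswords.com/range/5BAA6 would return: one
# "SUFFIX:COUNT" line per leaked hash sharing the prefix. Only the
# suffix for "password" is real; the other suffixes and all counts are made up.
RANGES = {
    "5BAA6": """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
1F0A2C3B6E4D8F5A7C9B1E3D5F7A9C2E4B6:17
""",
}


def breach_count(password, ranges=RANGES):
    """How many times the password appears in the corpus, given the range
    responses keyed by prefix; 0 when its suffix is absent (or the prefix
    has not been fetched)."""
    prefix, suffix = hash_parts(password)
    for line in ranges.get(prefix, "").splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and count.isdigit():
            return int(count)
    return 0


def acceptable_password(password, ranges=RANGES, min_length=12):
    """Policy a signup form or password manager can apply: long enough and
    never seen in a breach."""
    return len(password) >= min_length and breach_count(password, ranges) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = hash_parts(candidate)
        print("%-30s prefix sent: %s  seen: %d  ok: %s" % (
            candidate, prefix, breach_count(candidate), acceptable_password(candidate)))
```

Because only the prefix leaves the machine, the service learns one of 16^5 buckets and nothing about which of the few hundred hashes in it you hold; the comparison of the full suffix happens locally. The same shape of check belongs in the password manager’s audit report and in the registration and password-change forms of any service you run.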
Use multi-factor authentication
There are generally considered to be three types/factors of authentication:
• Something you know – e.g. a password
• Something you have – e.g. your phone
• Something you are – e.g. your fingerprint
Multi-factor authentication uses more than one factor and gives a much higher assurance that the correct user is accessing the service. With just a password anyone from around the world could access your account, also linking it to your phone restricts it to just you.
Actions:
• Where available, enable multi-factor authentication
Encryption
A study of the total economic impact of lost laptops across 329 participating companies put it at $2.1B, or on average $6.4M per organisation. Although 46% of the lost systems contained confidential data, only 30% of the laptops lost had disk encryption.
Disk encryption is more accessible than ever. BitLocker on Windows is now included in Pro editions.
Actions
• Ensure laptops have disk encryption
• Make sure you securely store the decryption key
• Consider disk encryption for desktops / servers as well
ftp://download.intel.com/technology/product/cost_of_a_lost_laptop.pdf
Tested backups
Information security includes data availability and data integrity. These can be compromised by equipment failures, accidental deletion or ransomware encryption.
A defence against all of these is backups. These can be on premise or to the cloud but a couple of key requirements are:
• Tested – Don’t wait until you need them to test
• Versions / point in time – There is no point in only having a backup of your ransomware encrypted data
Actions:
• Ensure you have backups
• Test your backups
In summary
• Training and awareness is the first line of defence
• Use a firewall, whitelist mode is best
• Web and spam filtering can restrict access to illegitimate content
• Restrict access to systems based on roles and responsibilities
• Use strong, unique passwords for each service and use a password manager for extra security and convenience
• Use multifactor authentication where possible
• Encrypt your data
• Back up your data and test regularly
Thank You
Parmenion Capital Partners LLP, 2 College Square, Anchor Road, Bristol, BS1 5UE.
T: 0345 519 0100 E: [email protected] www.parmenion.co.uk
Parmenion Capital Partners LLP is authorised and regulated by the Financial Conduct Authority. FCA Number 462085. Registered in England and Wales OC322243. Wholly owned subsidiary of Aberdeen Asset Management PLC and Aberdeen Investments Limited.