Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014


Every day we hear more and more about credit cards getting stolen, businesses getting hacked and national secrets being pilfered from our government. In this seminar, you’ll learn:
- what threats small businesses need to be aware of
- what threats are hype
- how small businesses can protect themselves in a cost-effective way
- you’ll walk away with 5 things you can do in your small business to be more secure without having to buy a single piece of software

1. Cybersecurity Seminar: How to Protect Your Small Business. John Bambenek, President, Bambenek Consulting. Champaign EDC, March 25, 2014.

2. About me: 15 years experience in cyber security, been in IT 30 years. Part-time faculty in Computer Science at UIUC. Started with Ernst & Young as a project manager, then to U of I as professional IT and security staff, then as a consultant, and now own my own firm. Lecture and teach internationally on cybersecurity, forensics and threat intelligence.

3. About you: What industry is your company in? Do you process payments electronically? Roughly how many employees? How many computers? What keeps you awake at night from a cybersecurity perspective?

4. Spoiler Alert:
   - Employ risk management and be skeptical
   - Keep your computer operating systems and security software up-to-date
   - Have regular backups and disaster recovery
   - Limit access to resources
   - Use strong and unique passwords

5. Why bother? For most (or probably all) of you, security will only cost you money; it will likely NOT help you earn money. You may have laws, regulations or contracts that require some measure of security… or maybe not (and this is less and less true). You may not be a “prime beef” target… but you’re still a target. You may not have credit cards, but you do have a payroll account. Cryptolocker example.

6. Don’t think you are affected by regulation? From Illinois law: "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (1) Social Security number. (2) Driver's license number or State identification. (3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

7. Who pays when fraud happens? Generally, if a consumer has their credit card stolen, the consumer doesn’t pay. The same is true with debit cards (though more hassle). How many people here were affected by the Schnuck’s breach? If funds are directly withdrawn from a consumer’s bank account, usually (though not always) the bank protects them from losses. Electronic commerce requires that consumers “trust” it, so everyone has the incentive to at least protect consumers from losses.

8. Who pays when a business is defrauded? If your business has its credit card defrauded, bank account emptied, or other fraud committed against your organization… you pay. The general approach is: you have the means to protect yourself because you are a business owner who can just hire someone. If your payroll account is emptied, your bank will likely help you with a nice line of credit. Can you afford to eat those losses? Can you insure against them?

9. It gets worse... If you lose consumer records, the payout can be substantial. HIPAA fines can easily get into millions depending on records sold. Usually you need to pay for credit monitoring for all victims. Banks pay $40-$50 per new card issued, and they are starting to sue for their costs. And of course, the bad publicity… But there are things you can do, which is why you are here today.

10. Item #1 - Risk management. Employ risk management and be skeptical… What secrets and confidential information do you have? What are your essential business functions? What information could someone use for fraud if they stole it? What information could be used for competitive advantage by your competitors? You are not paranoid if they really are all out to get you.

11. A brief note about who attacks SMBs. Generally cybercriminals can be broken down into these groups:
   - Nation states
   - Organized crime
   - Disorganized crime
   - Hacktivists
   - Disgruntled insiders
   - Your competitors
   Which group you are dealing with determines how, why and when they attack, and at what skill level.

12. Hacktivism example

13. How much to spend on security? If you wanted, you could spend unlimited amounts of money on securing your IT resources… and you’d still be breached eventually. Just ask the NSA. Security vendors will happily charge you lots of money to protect you against unknown threats that aren’t reasonable for you to worry about. Example: nation states. However, a lot of ground can be covered by the basic (and generally free) steps that follow.

14. How much to spend on security? Beyond “free” steps, how much should be spent? What are the reasonable threats, and what is a reasonable amount to spend to mitigate them? (Mitigate does not mean 100% stop.) There is no magic formula. If you can show after a breach has occurred that you made reasonable, intelligent decisions, you will often be in a far better place (especially if you do the free stuff that follows).

15. How much to spend on security? What about outsourcing risks? Some risks you need to take, but some you don’t. For instance, do you really need to be in the business of processing and storing credit card information yourself, or can that be outsourced to a payment gateway provider? Do you need to maintain your own webserver, email server, etc., or can you find a provider to do that? You still have to make sure the provider is reputable.

16. Example: nation states. Nation states are constantly attacking, either for national security related material or for industrial trade secrets to advantage their own economies. Actors are highly trained, highly funded, and operating with overt (or tacit) state sanction. If they want to get in, they will get in, and it is unreasonable to expect a small business to stand against the collective cyberpower of another nation. We don’t have to make it easy for them, but there is no point in starting with this as the point of reference.

17. Example: disorganized crime. People send spam all the time claiming all sorts of outrageous things, usually using similar content or similar infrastructure. Anti-spam solutions exist to prevent those messages from getting to your inbox (and some are even free). If you never see malicious messages, they cannot infect your machine. Commodity attacks are easily handled by off-the-shelf commodity tools (anti-virus, anti-spam, simple firewalls, etc.).

18. Be skeptical. Most computer attacks rely on the end-user to do something, usually by abusing their trust. E-mail, social media, SMS messages, webpages and robo-calls can be easily spoofed. (How many of you have gotten those fake Busey phone calls?) Avoid blindly trusting what your technology is telling you. Emergency text messaging example. If something seems odd, verify out-of-band (i.e. not using the same medium that you just got the message on).

19. Example: fake subpoena

20. Be skeptical. Don’t give passwords on request to those who call or e-mail. Avoid clicking on links for sensitive transactions (i.e. type the full URL instead). Be careful of typos when typing URLs (Whitehouse example). The more something seems to require immediate action, the more you should verify its authenticity. No legitimate person will object to you attempting to verify they are who they say they are.

21. Takeaways. Have some understanding of the kinds of threats you will face. Make reasonable decisions about protecting yourself without breaking the bank. Take advantage of free things you can do (to follow). Be skeptical of what your technology tells you and be willing to verify out-of-band if something appears off. Limit (or eliminate) the sensitive information you give someone on request.

22. Item #2 - Stay up-to-date. Almost all modern major software has means to update itself for bugs and vulnerabilities on a routine basis. Microsoft, for instance, releases updates on the second Tuesday of every month (and occasionally at other times). Adobe Reader, Flash and Java all have their own updates. Anti-virus also needs to be updated daily to retrieve the latest signatures to detect threats.

23. Microsoft Updates

24. Microsoft updates key points. Update automatically (for most people, this is the best option and it takes away the need for you to spend time on it). Make sure to include other Microsoft products in updates (for instance, Office). This does not include other non-Microsoft products you may have. Some of these have their own ability to update automatically; others will pop up and let you “click to upgrade”. Please, take these seriously. You don’t have to drop what you are doing immediately, but before you go home for the day get all those updates installed. Unpatched software is one of the single biggest causes of security breaches.

25. Old versions. Anyone still use Windows XP? After a product has been out there long enough, software publishers no longer support it (i.e. no more updates for vulnerabilities). Find a way to fit version upgrades into routine costs to make sure you don’t have orphan software out there. Often systems will not necessarily tell you they are “too old”. And what about those applications that don’t tell you they need an update? Anyone have an iPhone?

26. Security software. Do you have a comprehensive security software solution on every machine in your company? (e.g. McAfee Complete Endpoint Protection, Norton Internet Security, etc.) These do more than block viruses, and they are generally auto-updated and auto-managed… as long as you keep your subscription up to date. Limitation: they only block already-known threats. Small cost, high return, and you don’t have to think about it. You could try to manage it to do more secure and neat things with it if you wanted to.

27. One point on security. Sometimes good computer hygiene can prevent headlines like this: “Russia Takes Cyber-Swipe at Illini” - News-Gazette, 3/17/2014. Due to vulnerable and misconfigured servers, someone was able to reflect an attack off UIUC servers and point it at Russia. It’s all fun and games until someone causes an international incident with your network...

28. Takeaways. Have updates applied automatically where possible. When pop-ups ask for updates, make sure to apply them within that day. Be aware of when old software is no longer supported and/or make sure to update major versions on a routine basis. Install security software and make sure it is updated on a nightly basis.

29. Item #3 - Regular backups. Remember Cryptolocker? Sometimes computer failures happen; are you able to recover your data? What happens if your computer or your server fails? What would it take to get back online? What is critical for your business to run? What are things that are nice to have but you could live without? Some viruses will destroy systems, or malicious attacks will require a full reinstall of a system.

30. Backups. What is critical data? Your financial records? Your customer records? Your employee records? Your e-mail address book? Any piece of data that, if you lost it forever, would cause irreparable harm. A commercial solution is best (i.e. tape), but you can do simple forms of backups to external drives… but it’s important to keep more than one and keep some off site. You could back up to the cloud, but make sure it’s encrypted.

31. Disaster Recovery. It is very easy to spend a lot of money on this to protect against a wide variety of situations. But many of those situations might be overkill for you. The obvious situation is what to do if your systems fail. Failures can be spawned by malicious activity (and it is not unusual for that to be insider activity). If you have your webserver, e-mail server, etc. hosted by a third-party provider, what do you do if they fail? Hosting provider example. Usually the best way to deal with an infected computer is to wipe it and reinstall.

32. Takeaways. Failures happen; the difference between recovering and going out of business is planning. All critical information for your business should be identified and backed up, with some being stored off site (e.g. a safe at home). Have a plan for system failures and have a plan if your third-party providers fail.

33. Item #4 - Limit access. Sometimes basic attacks will be successful, people will make mistakes, someone’s kid uses the employee’s laptop to play games… That mistake should not immediately give an attacker full access to everything. Sometimes disgruntled employees (or ex-employees) will retaliate. Sometimes people just make mistakes and didn’t mean to erase an entire disk. It is important to limit what foothold an attacker can get, what damage a disgruntled employee can do and what damage an accident can cause.

34. Limiting file access. People tend to always want more access than they need. General practice is to grant access based on need-to-know. Avoid giving people administrator privileges on their computers. Upside: makes attacks harder to execute. Downside: usually means someone has to maintain their computer. If you have a server, does everybody need access to everything? Answer: no. Back to Cryptolocker.

35. Limiting stored data. The first rule: create no evidence. Avoid storing passwords in your web browser. Avoid creating files with sensitive information. Limit what you put online that could be useful to an attacker. Be careful what you email out (a secretary at UIUC sent out a spreadsheet that included the SSNs of every engineering student).

36. Now to pick on the NSA

37. Still picking on the NSA

38. Limiting access to systems. Do your employees have laptops they bring home? Do you? Avoid familial use of those systems (kids’ games often have malware). Practice good physical security (avoid leaving them unattended). Recreational use can lead to infections (e.g. malvertising). Have all machines protected by a password required to log in. Have all machines lock after 15 minutes of inactivity. Control who has keys to the building. Do you have a “guest” wireless network? Make sure it is separate from your internal business network.

39. Sensitive systems. Consider having a separate computer for use ONLY for sensitive transactions like payroll or large dollar transfers. Recreational use of a computer can lead to infections through no fault of your own. If you use the same system to process payroll, now malicious individuals can process ghost payroll too. Those systems need to be updated and secured too. Access should be limited to only those who need to execute those functions. Conversely, if you have employees who bring kids in and you’re OK with it, get a throwaway computer for recreational use and that’s all it’s for.

40. Takeaways. Limit access of employees to only what they need to know. Avoid familial use of computers by yourself and employees. If relevant, have a separate computer for sensitive business functions that is only used for sensitive business functions.

41. Item #5 - Use Strong Passwords. Usually, your password is the key to your digital identity. If someone has that, they now ARE you. Simple passwords can be cracked easily; even 8 character passwords can be cracked without too much effort. Secure passwords should be at least 12 characters and include upper-case, lower-case, numbers and special characters. And you should never reuse passwords between sites. Or at least not between “meaningless” sites and critical accounts.

42. The 25 worst passwords in the world according to PCWorld: 123456, iloveyou, monkey, password, adobe123, shadow, 12345678, 123123, sunshine, qwerty, admin, 12345, abc123, 1234567890, password1, 123456789, letmein, princess, 111111, photoshop, azerty, 1234567, 1234, trustno1, 000000.

43. Weak passwords. There are plenty more weak passwords than this, but those show up the most frequently. Anything that is a dictionary word. Anything that is all numbers (say, your birthday). Anything that can be easily derived from you. Anything that can be easily derived from your business. Anything that’s less than 8 characters. Anything not changed within 90 days.

44. Password reuse. One of the biggest causes of people having their accounts accessed is password re-use. Scenario: You have one central e-mail account, you have Facebook, you have credit card logins, bank logins, logins for your commercial bank account, and you are a commenter on the News-Gazette website. All have the same password. Compromising the News-Gazette would be the easiest and weakest link. Most people wouldn’t think twice about it. But if I have your e-mail address and your password, I can get everything else.

45. Password reset features. Almost everything has a password reset feature to recover a lost password. The questions, however, are not hard to guess if you know something about the person, and some of it may be public record. Make sure password resets either e-mail your primary e-mail address, send you a text message or do some other out-of-band notification or verification. If that isn’t an option, consider putting in fake information for those questions… but fake enough so you can remember. Sarah Palin example.

46. How to make a strong password. Passwords should be long (more than 12 characters) and contain upper & lower case, numbers and special characters. Microsoft’s advice: Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as “My son's birthday is 12 December, 2004”. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password. Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, “My son's birthday is 12 December, 2004” could become Mi$un's Brthd8iz 12124 (it's OK to use spaces in your password). Relate your password to a favorite hobby or sport. For example, “I love to play badminton” could become ILuv2PlayB@dm1nt()n.

47. Use unique passwords. If you use the same password for everything, then one compromised password would infect the rest of your digital identity. If the ideal is too much, try to have at least three passwords you change regularly:
   - One for your sensitive business logins
   - One for e-mail / computer logins and general business use
   - One throwaway for blogs, fantasy sports, games… stuff that doesn’t matter
   How to make strong, unique passwords: Msbi12/Dec,4### (where ### is some unique identifier for the login, e.g. EDC for here).
48. Never share your password. Avoid situations where you share your password with anyone, even coworkers. Try to always have unique logins for individuals if they really need access. How did Edward Snowden steal so much information from the NSA that he was able to later publish? He asked his coworkers for their passwords and used their accounts to access information he was otherwise not entitled to. Avoid shared accounts, and if you must use them, escrow the passwords in a safe.

49. Two-factor Authentication. Where possible for sensitive applications, use two-factor authentication. This requires something you physically have, not an additional piece of info. Most banks for commercial accounts will require or at least permit you to select two-factor authentication to access the account (or send money), usually in the form of sending you a text message. Many other services (like Gmail) will also send you a text message before letting you fully log in. Some applications can be configured to use your phone to give you a unique code to log in. Example.
50. Takeaways. Your password, and often your primary e-mail, is the key to your entire digital identity. If someone gets that, they can get everything. Use long and strong passwords and try to use unique passwords for each site. At the least have 3 passwords, which includes a throwaway password for inconsequential stuff. For the really important stuff, try to use two-factor authentication that requires you to physically possess something (like your cell phone) to fully log in to do things. Seems basic, but even defense contractors have fallen to password reuse problems.

51. Last point. Basic computer maintenance goes a long way towards security. If someone isn’t assigned in your office to maintain computers (or you aren’t doing it yourself), having general tech support handy can help security. Or having someone in the office with some basic computer support skills can work too (and giving them freedom to get some training/knowledge to do the job). May or may not make sense for your given situation.

52. Remember these 5 things:
   - Employ risk management and be skeptical (they really all are out to get you)
   - Keep your computer operating systems and security software up-to-date
   - Have regular backups and disaster recovery
   - Limit access to resources
   - Use strong and unique passwords

53. Questions? John Bambenek, Bambenek Consulting, Ltd. 217.493.0760