RandyRomesCyberRisks.pptx
1. WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor
©2021 CliftonLarsonAllen LLP
May 2022
Cybersecurity Threats for 2022:
Ransomware, Spear Phishing and
Service Provider Risks
2. The information herein has been provided by
CliftonLarsonAllen LLP for general information purposes
only. The presentation and related materials, if any, do
not implicate any client, advisory, fiduciary, or
professional relationship between you and
CliftonLarsonAllen LLP and neither CliftonLarsonAllen LLP
nor any other person or entity is, in connection with the
presentation and/or materials, engaged in rendering
auditing, accounting, tax, legal, medical, investment,
advisory, consulting, or any other professional service or
advice. Neither the presentation nor the materials, if
any, should be considered a substitute for your
independent investigation and your sound technical
business judgment. You or your entity, if applicable,
should consult with a professional advisor familiar with
your particular factual situation for advice or service
concerning any specific matters.
CliftonLarsonAllen LLP is not licensed to practice law, nor
does it practice law. The presentation and materials, if
any, are for general guidance purposes and not a
substitute for compliance obligations. The presentation
and/or materials may not be applicable to, or suitable
for, your specific circumstances or needs, and may
require consultation with counsel, consultants, or
advisors if any action is to be contemplated. You should
contact your CliftonLarsonAllen LLP or other professional
prior to taking any action based upon the information in
the presentation or materials provided.
CliftonLarsonAllen LLP assumes no obligation to inform
you of any changes in laws or other factors that could
affect the information contained herein.
©2022 CliftonLarsonAllen LLP
3. Cyber Security Services
Information security offered as a specialized service for over 25 years
• Penetration Testing and Vulnerability Assessment
• Black Box, Red Team, and Collaborative Assessments
• IT/Cyber security risk assessments
• IT audit and compliance (HIPAA, CIS, NIST, CMMC, DOL, GLBA/FFIEC, etc.)
• PCI-DSS Readiness and Compliance Assessments
• Incident response and forensics
• Independent security consulting
• Internal audit support
4. C:\> whoami
> m0th_man
• "Professional Student"
• Science Teacher / Self-Taught Computer Guy
• IT Consultant - Project Manager → IT Staff/Help Desk → Hacker
• Assistant Scoutmaster (Boy Scouts)
• Boy Scouts Motto: Be Prepared – Are you prepared?
5. Raise Your Hand if You Work for a Tech Company
• Security Cameras
• Motion Sensors
• Logistics Tracking
• Print Vendors
• Smart TV Displays
• Temperature and Humidity
• Digital Assistants
• Cloud Applications & Analytics
• Bio-Medical Care & Monitoring
→ "Presence"
Security cameras
Garage door
Home thermostat
Cable TV remote
Smart TV
Sleep Number bed
Roomba
"Hey Siri, what's my balance?"
Apple Watch or FitBit
→ "Presence"
6. Sun Tzu:
"Know your enemy, know yourself and you can fight a hundred battles without disaster"
7. Cybercrime and Black-Market Economies
• Black market economy to support cyber fraud
o Business models and specialization
o Underground Marketplace (The Dark Web)
• Most common cyber fraud scenarios we see affecting our clients
o Theft of information
▪ Credit card information
▪ PII, PFI, ePHI, account profiles, etc.
▪ Log-in credentials
o Ransomware and interference w/ operations
→ To the Hackers, we all look the same…
They will hit you with any or all of the following:
1. Email Spear Phishing Attacks
2. Password Guessing and Business Email Account Takeovers
3. Payment and Funds Disbursement Transfer Fraud
4. Ransomware
5. Extortion to avoid breach disclosure
8. Average Days to Identify and Contain a Data Breach
Source: IBM Security Cost of a Data Breach Report 2020
• Global average is 280 days
o 207 days to identify a breach
o 73 days to contain the attack
9. Behind the statistics
• Hackers can do a lot in AND to your network in 236 days
o Learn everything about your group
o Find your crown jewels and take them
o Disable backups and security systems
o Create numerous back doors
• Public portrayal of ransomware creates a false sense of security
o Ransomware is usually coupled with other acts – ransomware is simply the most visible part of the attack; it is usually "the last act"
o Current ransomware attacks are coupled with data exfiltration
o Resuming operations is just the first step
o Legal and business ramifications of a data breach can persist
→ Over 80% of breaches have a root cause in some form of Spear Phishing or other Social Engineering
Average cost of a data breach (U.S.): $8.64M
10. Here They Come: We All Look the Same To the Hackers
12. Business Email Compromise
• Fraudsters impersonate employees, service providers, or vendors via email in an attempt to…
o Steal or transfer $$$
o Authorize a distribution
o Impersonate an Executive asking staff to "buy gift cards"
o Update direct deposit account
13. Does Your Organization Already Use a Phishing Service?
• "We already use _______"
o "IT tests our people every ___"
o "Click-through rate is ___"
o "Failures are required to take training…"
o "We report results to the board quarterly…"
• These services are best categorized as training and training-effectiveness measurement tools.
• They are NOT penetration testing…
→ There is a "so what factor" that you may be missing…
14. Passwords Are the Keys to the Kingdom…
16. Passwords
• Old Rules (NIST)
o Length (8+ characters)
o Complexity (Aa4@)
o Forced expiration (every _____)
• New Guidance (NIST)
o Length over complexity (pass phrases / natural language)
o Password tools
▪ MFA
▪ Password managers

Password Audit                                              Total
Number of passwords audited                                   855
Passwords cracked                                             794
Passwords that were all letters                                63
Passwords that were all numbers                                 5
Passwords that were an English word                            20
Passwords that were a word with numbers appended to it        200
Passwords that were the same as the username                    6
Passwords that do not meet Windows complexity                 584
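The audit table above counts cracked passwords by pattern (all letters, all numbers, dictionary word, word with digits appended, same as the username, fails Windows complexity). The script below is an added example, not part of the deck or of CLA's audit tooling, that reproduces that classification so a team can run it over its own cracked-password output. The word list, user names and "cracked" credentials are constructed sample data; a real run would feed a full dictionary and the cracker's output. The Windows complexity check is the documented policy (six or more characters, three of four character classes, must not contain the account name), simplified to a substring test for the account name.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed mini dictionary standing in for a real word list (assumption).
WORDS = {"summer", "password", "welcome", "packers", "wallet", "lamp"}


def meets_windows_complexity(password: str, username: str) -> bool:
    """Windows 'Password must meet complexity requirements' policy:
    at least 6 characters, does not contain the account name (simplified
    to a case-insensitive substring test), and characters from at least
    3 of the 4 classes: upper, lower, digit, non-alphanumeric."""
    if len(password) < 6:
        return False
    if username and username.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def classify(password: str, username: str) -> set[str]:
    """Return every audit row a cracked password belongs in (a password can
    land in several rows, which is why the table's rows do not sum to 794)."""
    cats: set[str] = set()
    if password.isalpha():
        cats.add("all letters")
    if password.isdigit():
        cats.add("all numbers")
    if password.lower() in WORDS:
        cats.add("english word")
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", password)
    if m and m.group(1).lower() in WORDS:
        cats.add("word + digits")
    if password.lower() == username.lower():
        cats.add("same as username")
    if not meets_windows_complexity(password, username):
        cats.add("fails windows complexity")
    return cats


def audit(cracked: list[tuple[str, str]]) -> Counter:
    """Tally audit rows over (username, password) pairs from the cracker."""
    totals: Counter = Counter()
    for user, pw in cracked:
        totals.update(classify(pw, user))
    return totals


# Constructed sample of "cracked" credentials (assumption, not audit data).
SAMPLE = [
    ("jsmith", "Summer21"),
    ("mjones", "password"),
    ("rbrown", "12345678"),
    ("tdavis", "welcome"),
    ("tdavis2", "tdavis2"),
    ("klee", "N*78fm/1"),
    ("awhite", "Packers2021"),
]

if __name__ == "__main__":
    for cat, n in sorted(audit(SAMPLE).items()):
        print(f"{cat:<26}{n:>4}")
```

Note that "Summer21" and "Packers2021" pass the Windows complexity policy yet fall straight into the "word + digits" row, which is the slide's point: complexity rules do not stop the patterns crackers try first.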
17. Password Strategies:
• Multi-factor authentication on ALL external systems
• Password management tools
• Pass Phrases – Loooooong natural language
Password21 <------------- Unforgivable!
Summer21 <------------- Terrible
N*78fm/1 <------------- Painful
Wallet Painting lamp <-- GOOD
The Packers always beat the Bears! <-- BEST
• Password tools: MFA and Password Managers are needed
18. How Much is Operational Uptime Worth to Your Organization?
It's a question you might have to answer if cybercriminals take your network hostage.
20. Late Last Year…
Who will they set their sights on next?
https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/
Last Month…
Everyone has business operations at risk of denial of service and extortion.
21. Ransomware Attacks Continue to Evolve
• Earliest versions attacked consumer availability
• 2nd generation attacked business availability & confidentiality
• Newest versions
o Successful against all operating systems
o Include Internet banking trojans (Zeus Sphinx Trojan)
o Search for and encrypt backups first
→ FINISH with threat of data disclosure (DR is not enough…)
→ If you have not tested your susceptibility to Ransomware…???
→ If you have not tested your recovery capabilities, from bare metal up…???
22. SolarWinds Orion: Attacking the Supply Chain
24. Picture in Your Mind's Eye – SolarWinds Orion Compromise
[Diagram: Threat Actor → Software Update Server → ABC Organization → Command and Control Server (1st C2, Second C2, Third C2) → Cloud hosted services and connected 3rd party business partners; steps numbered 1–5, step 5 marked "?"]
All images are from Bing search with free for commercial use filter set.
25. Summary of SolarWinds Orion
1. SolarWinds (SW) development/update process is compromised
– Malware added to plug-in component
2. Customers download and install SW update with back door malware
– Legitimate-appearing malware installed
3. Sophisticated malware "scans" location
– Gathers information ("where am I")
– Attacks/disables security tools
4. Malware "phones home"
– Connects to Command and Control Server (C2)
– Provides recon information and accepts instructions
5. Some organizations are subject to additional attack activity
– Lateral movement/pivoting
– Privilege escalation
– Creation of additional/secondary persistence mechanisms
6. Objectives?
– Espionage?
– Gather and steal information?
– Launch point for attack into other trusted systems?
▪ Office 365?
▪ Other trusted applications/systems?
▪ Other trusted organizations?
26. Take-Aways and To-Dos (i.e. IR)
1. Do we use SolarWinds Orion?
– If NO → Go to 6
– If YES → What version?
2. Is our version the affected version (see SW advisory)?
– If NO → Go to 6
– If YES → Continue
3. Have we created a timeline of potential exposure?
4. What logs do we have and how far back in time do they go?
5. What Indicators of Compromise (IOCs) have we searched for?
– What resources/references have we used to identify known and potential IOCs?
– Use 3 and 4 to search for IOCs
6. Do we have any third-party service providers with trusted access?
– Who has remote access into our environment?
– Who do we push our data out to?
– Are there any persistent open connections to or from third parties?
7. Repeat 1-5 for those identified in 6
27. Take-Aways and To-Dos (i.e. IR)
8. "Know What Normal Looks Like"
– Easy to say… challenging to execute
– Server communication to the outside and
– DNS logs
9. In-house threat hunting for IOCs
– In-house changes
– Privileged accounts and service accounts
– Critical files and system settings
10. Threat hunting in cloud infrastructure
– Mandiant Azure AD Investigator
– CISA Sparrow
– MS Azure Security Compass
New information was being released regularly…
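Item 8 ("know what normal looks like": outbound server communication and DNS logs) and the speaker notes for this slide (capture newly-seen domains, classify assets so a server resolving or logging on somewhere unusual stands out) describe a hunt that is simple to put in code once a baseline exists. The script below is an added example, not from the deck or from any of the tools named above. It baselines DNS queries over an earlier window, then flags a server-class host resolving a domain never seen in the baseline, and a server initiating a logon to a workstation (the reverse of normal client-to-server traffic). The asset inventory, host names, domains, log formats and the baseline cutoff are all constructed assumptions; a real deployment would read resolver and domain-controller logs.

```python
from collections import defaultdict

# Constructed asset classification (assumption): host -> role.
# In practice this comes from the CMDB or AD computer OUs.
ASSETS = {
    "orion01": "server",
    "dc01": "server",
    "ws-alice": "client",
    "ws-bob": "client",
}

# Constructed DNS resolver log: "<epoch> <querying_host> <qname>" (assumption).
DNS_LOG = """\
1000 orion01 updates.vendor.example
1001 ws-alice www.example.com
1002 orion01 updates.vendor.example
2000 ws-alice news.example.org
2001 orion01 telemetry-cdn.example
2002 dc01 updates.vendor.example
"""

# Constructed logon events: "<epoch> <source_host> <target_host> <account>" (assumption).
LOGON_LOG = """\
1005 ws-alice dc01 alice
1010 ws-bob orion01 svc_orion
2005 orion01 ws-bob svc_orion
"""

# Everything at or before this timestamp is the learning window (assumption).
BASELINE_END = 1999


def parse(log: str, fields: list[str]) -> list[dict]:
    """Split whitespace-delimited log lines into dicts; skip malformed lines."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != len(fields) or not parts[0].isdigit():
            continue
        rec = dict(zip(fields, parts))
        rec["ts"] = int(rec["ts"])
        rows.append(rec)
    return rows


def parent_domain(qname: str, levels: int = 2) -> str:
    """Collapse a query name to its last two labels so that a.cdn.example and
    b.cdn.example are treated as the same destination (simplification: real
    code should use the public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-levels:])


def new_server_domains(dns_rows: list[dict], baseline_end: int = BASELINE_END) -> list[tuple]:
    """Flag server-class hosts resolving a domain not seen during the baseline."""
    seen = {parent_domain(r["qname"]) for r in dns_rows if r["ts"] <= baseline_end}
    alerts = []
    for r in sorted(dns_rows, key=lambda r: r["ts"]):
        d = parent_domain(r["qname"])
        if r["ts"] > baseline_end and d not in seen and ASSETS.get(r["host"]) == "server":
            alerts.append((r["ts"], r["host"], d))
            seen.add(d)  # report each new domain once
    return alerts


def server_to_client_logons(logon_rows: list[dict]) -> list[tuple]:
    """Flag logons whose source is a server and whose target is a workstation."""
    return [
        (r["ts"], r["src"], r["dst"], r["user"])
        for r in logon_rows
        if ASSETS.get(r["src"]) == "server" and ASSETS.get(r["dst"]) == "client"
    ]


def domains_per_host(dns_rows: list[dict]) -> dict[str, set[str]]:
    """Per-host view of 'normal': which parent domains each host talks to."""
    out: dict[str, set[str]] = defaultdict(set)
    for r in dns_rows:
        out[r["host"]].add(parent_domain(r["qname"]))
    return dict(out)


if __name__ == "__main__":
    dns = parse(DNS_LOG, ["ts", "host", "qname"])
    logons = parse(LOGON_LOG, ["ts", "src", "dst", "user"])
    for a in new_server_domains(dns):
        print("new domain from server:", a)
    for a in server_to_client_logons(logons):
        print("server-to-client logon:", a)
```

The two alerts this produces (a server resolving a never-before-seen domain, and a service account on that server logging on to a workstation) are exactly the lateral-movement signals the notes for this slide call out; the value is in the baseline and the asset roles, not in the few lines of comparison logic.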
28. Software Vendor/Supply Chain Risk Management
• All software products have bugs/vulnerabilities
• Key questions:
o What does this software application have access to?
o What user account/privileges are given to it?
o What is the software vendor doing to give us a level of comfort that they have done their due diligence?
o What do we need to do for our due diligence?
30. Is Cybersecurity Built Into Your Operational DNA?
31. Policies and Standards
• Security is not a product
• People, Rules and Tools
o What do we expect to occur?
o How do we conduct business?
o Who is responsible for what?
• Standards-based operations from a governance or compliance framework:
o GLBA, FFIEC, HIPAA, DOL
o PCI-DSS, CMMC
o CIS Critical Controls, NIST
• Disciplined Exception Management
34. Secure Office 365
NOT fully secure by default
• Needs to be secured:
→ Enable/Turn On security features
→ Harden (email) security
→ Fine-tune logging, monitoring and alerting
→ Enforce retention periods
→ Security configurations need to be periodically assessed.
35. Privileged Account Discipline and Hygiene
• Staff should not have local administrator rights to their workstations
• Administrators use two sets of credentials (general use and elevated privileges).
• No email, browsing, or general computer use as administrator.
• Implement a policy to reinforce practice
36. How Much Would You Pay to Restore Access to Your Data?
It's a question you might have to answer if cybercriminals take your network hostage.
The Boy Scouts Motto: "Be Prepared"
37. Incident Response Preparedness
• Unfortunately, a data breach can still occur despite implementing all the best security precautions
Think WHEN… NOT IF
• Have a Plan – Implement the Plan – Practice the Plan
• Develop an incident response program and plan
o Include the appropriate procedures
o Ensure points of contact are included
o Keep the plan up to date
• Establish relationships with key incident responders
o Breach Counsel
o Forensic provider
o Public relations
Are you prepared to respond to any (or all) of the following:
1. Email Spear Phishing Attacks
2. Password Guessing and Business Email Account Takeovers
3. Payment and Funds Transfer Fraud
4. Ransomware
5. Extortion to avoid breach disclosure
Practice and Test the Plan
38. Practice the Plan
• Tabletop exercises – simulations where participants walk through the incident and response procedures
• Two types of tabletop exercises
o Technical
o Management
→ Both types should be conducted annually
• Spear phishing tests and other social engineering tests
• Red Team penetration testing
40.
• Are you confident you've done enough to secure your systems and data?
• Are exceptions well defined, understood, and managed?
• Do you have appropriate governance and visibility into your service providers (are they doing enough of the right thing?)
• Are you prepared for…???
"Chance Favors the Prepared Mind"
41. Boy Scouts Motto: Be Prepared… Prepare – Operate – Test
• Standards-Based Operations and Exception Management – Daily Operational DNA
• PCI Compliance is good cybersecurity hygiene
• Monitor and fine-tune (continuous improvement)
• Practice and Test
▪ Audit your operations controls (against a framework)
▪ Review Office 365 (O365) security (periodically)
▪ Schedule IR Tabletop and Disaster Recovery exercises
▪ Perform application testing
▪ Test new systems and after significant change
▪ Engage independent penetration testing and vulnerability assessment (prove it)
42. Thank You!
Randy Romes, CISSP, CRISC, CISA, MPC, PCI-QSA
Principal – Cybersecurity Services
612-397-3114
Randy.Romes@claconnect.com
Speaker notes
Heading is a polling question. Two answers/responses should be: NO, YES (in that order please).
This is analogous to EBPs with multiple/overlapping TPAs and (IT) service providers.
Randy to ASK in passing: "I wonder how many of you could operate without your technology for two weeks?"
- This is foreshadowing – NOT a polling question.
Hackers can do a lot in and to your network in 231 days (public average):
- Learn everything about your CU
- Find your crown jewels and take them
- Disable backups and security systems
- Create numerous back doors
- Plant ransomware (AFTER they are done with everything else…)
Labeling ransomware as the top threat creates a false narrative. Ransomware is usually coupled with other acts and is just the most visible part of the attack. These days, ransomware is coupled with data exfiltration. Resuming operations is just the first step; legal and business ramifications of a data breach can persist.
Make this a polling question?
Exceptions… 5% failure rate… so what factor
Exceptions… 10% / 33% failure rate… so what factor
Length more important than complexity. Pass phrase/natural language.
Password managers: LastPass, KeePass. MFA: Google Authenticator; most applications have this.
Training and auditing.
Describe Imperial County:
- Ransomware demand of $1.2M
- Estimate to recover on their own and fix was over $3M (WOULD NEED TO DO THIS ANYWAY…)
- Did NOT pay
- More than 8 months later… still not done fixing and cost has soared past $3M
POLLING QUESTION at the end. Answers/responses: YES, NO.
NOW… STAND UP if your company would be in a lot of trouble if you could not use your technology for TWO WEEKS.
What do you do? Test your susceptibility to ransomware:
- Unpatched vulnerabilities
- Susceptibility to spear phishing
- Poor control of administrative privileges
- File shares…
RANDY ~20 minutes
Sophistication, opsec, timeline, obfuscation, customization.
~18,000 downloaded; somewhere between 50 and 100 were subject to additional/secondary attacks (privilege escalation, additional persistence mechanisms).
Talk about SAML???
SUPPLY chain
Overall, an emphasis on visibility, own-network understanding, and being able to correlate events together to identify suspicious patterns of activity can succeed in identifying even the most complex supply chain attacks post-breach. Although attackers may still gain initial footholds within networks, being able to dramatically reduce adversary dwell time is a significant improvement over what many organizations impacted by this SolarWinds event will experience in the coming weeks.
- Capture information about a newly-seen, unfamiliar domain in network traffic.
- Leverage internal data sources and continuous DNS monitoring.
- Monitoring for new, unique, or abnormal network connections can identify C2 communication schema.
- Proper asset classification which identifies specific hosts or host-type (e.g., "server" instead of "end-user client") can further differentiate communication to identify items of concern.
- Similar classification can also work to identify unusual authentication activity, where servers (such as a SolarWinds Orion device) initiate logons to other clients instead of the reverse.
Example from UNM and SW dev team: building application/data warehouse; already have functions/features and controls mapped for CMMC.
New version has more focus and emphasis on internet-based/cloud-based systems and processes…
Like all emergency procedures, they need to be practiced.
$8.64M – Average cost of a data breach in the United States
$2.64M – Average global total cost of a breach for organizations under 500 employees; $5.52M at enterprises over 25K employees
Polling question: Are you confident you've done enough to secure your employee benefit plan? NO, YES (in this order).