I recently gave a talk or case study on the relationship of poor network and computer security practices. The clients never tested what they had in place or even if the services were ever functioning after installations. They relied on their trusted IT provider to supply the best hardware for their tasks without assessing the risks to the premises. We see that with all the controls in place, they can be easily defeated by one piece of malware that enters via email or a malicious website. The clients were not interested in how the events started but just wanted to get back to work and bring them to the point of re-starting production. The groups that were doing the remediation's were told to get the basics going and not to bother with the non critical systems right away. It may be that the non critical systems may have been the root cause of all this havoc.

1. Presented by Victor Beitner, CISSP
President
Cyber Security Canada

2.  Computer and Network Security Solutions for
Small and Medium Business
 Managed Services, Forensics, Vulnerability
Assessments, Incident Response
 Empowers IT and Protects Valuable Data
 Saves Money

3. Victor Beitner
 Founder and CEO of Cyber Security Canada
 Over 20 years experience in Computer Security
 Certified Information Systems
Security Professional (CISSP)

4. Small and Medium Business
 Easier Targets for Bad Guys
 Usually don’t have a Security Policy
or Posture
 Small or No trained IT staff
 Naive users and vulnerable systems
 “We have nothing anyone
would want to steal or hide…”

5. Case Studies
The following presentation contains actual cases
that Cyber Security Canada has dealt with
 Case 1: Illegal Onsite Entry and Data Loss
 Case 2: Ransomware

6. Case 1:
Poor Security Practices:
Illegal Onsite Entry through
Offsite Hacking

7. The Clues… 1
 Executive noticed webcam light on his laptop
was activating randomly
 No video conferencing software was
running on the computer
 Hacker remote-spying through webcams
Executive’s Webcam Activated Remotely

8.  Executive logged in to security DVR,
camera screens were blank
 Hacker Stopped Security Recordings
The Clues… 2
DVR Security Recording Screens Go Blank

9.  Admin Password on Cisco Router is changed
 Files start disappearing from
the main server
 Phone system stops working
 Hacker Gained Admin Access !!
The Clues… 3
All Hell Breaks Loose ~ Time to Panic !

10. Cyber Security Canada to the
Rescue!
 Installed Next-Gen Firewall Appliance
 Stop on-going external attack
 Block outbound malware traffic
 Capture and report all network activity
Step 1: Diagnosis
X

11. Malicious Software Detected
 Computers and cameras attempting
to connect to outside parties
 Company data being sent to Asia
 Within 24 hours, we discovered 40% of machines -
including server / domain controller - had known
malware installed
 After 48 hours 100% of the machines were
compromised

12. Appropriate Remediation &
Protection
 Installed properly configured & remote-monitored
next-gen firewall
 Identified vulnerable systems to be updated,
patched or replaced
 Designed simple network segmentation plan
 Sophos endpoint installed on all machines
including server
 All systems now protected by Commercial
Grade Anti-Virus product

13. The Heist Discovered
 1 skid of 12 cash machines
disappeared at some unknown point
Physical Assets Stolen

14. Thieves Left No Trace
 No evidence of the physical intrusion
 DVR recordings & logs are blank or have gaps
 No unauthorised entry / exit in
electronic access control system
 Client claims all fobs were accounted for…
 Key Fob Cloned ?

15. Conclusions
 Strong physical defences - cameras, controlled
access systems – can’t compensate for weak
computer & network security
 Good Cyber Security is hard – small businesses do
not have the time, staff or resources to implement it
properly
 An managed solution, designed, implemented &
monitored by security professionals can provide an
appropriate level of security at a reasonable cost

16. Case Study 2: Ransomware

17. Phase 1:
 Precise source of infection unknown:
 Employee received a phishing email ?
 Employee clicked on a link & was re- directed
to a malicious site ?
 Employee visited a news site hosting a third party
advertising system that was hacked ?
Single Workstation Infected With Ransomware

18.  Ransomware scanned mounted Network
drives and shares
 Compromised other Workstations and the Server
 All working files are encrypted
 Last backups are over 2 weeks old
 Never tested
 Business grinds to a complete halt !
Phase 2:
Infection Spreads over the Network

19. CEO Paid The Ransom
 Ransomware key unlocked the data
BUT
 Workstations are still infected – re-encrypt daily
 Ransomware file cannot be located
on workstations

20. Appropriate Remediation &
Protection
 Bare-metal rebuild of all workstations with
latest patched software
 Monitored next-gen firewall to prevent ransomware
‘calling home’ during remediation
 Commercial Grade anti-virus and process-monitoring
system on all workstations and servers
 Recommended Business Continuity System with on-site
and remote cloud backups every 15 minutes

21.  Anti-virus and firewall alone cannot prevent all
ransomware infections
 Spear-phishing campaigns can overcome most defences
 Employee education is a vital part of the Security Program
 Best Defense = Monitored Firewall + AV + Education +
Business Continuity System combining both on-site and
remote cloud backups every 15 minutes with Virtual
Machine instant restore
 Assures minimum downtime, data & financial loss.
Conclusions