I recently gave a talk or case study on the relationship between poor network and computer security practices.
The clients never tested what they had in place or even whether the services were ever functioning after installation.
They relied on their trusted IT provider to supply the best hardware for their tasks without assessing the risks to the premises.
We see that with all the controls in place, they can be easily defeated by one piece of malware that enters via email or a malicious website.
The clients were not interested in how the events started but just wanted to get back to work and bring them to the point of restarting production.
The groups that were doing the remediations were told to get the basics going and not to bother with the non-critical systems right away.
It may be that the non-critical systems were the root cause of all this havoc.
2. Computer and Network Security Solutions for Small and Medium Business
Managed Services, Forensics, Vulnerability Assessments, Incident Response
Empowers IT and Protects Valuable Data
Saves Money
3. Victor Beitner
Founder and CEO of Cyber Security Canada
Over 20 years experience in Computer Security
Certified Information Systems Security Professional (CISSP)
4. Small and Medium Business
Easier Targets for Bad Guys
Usually don’t have a Security Policy or Posture
Small or No trained IT staff
Naive users and vulnerable systems
“We have nothing anyone would want to steal or hide…”
5. Case Studies
The following presentation contains actual cases that Cyber Security Canada has dealt with
Case 1: Illegal Onsite Entry and Data Loss
Case 2: Ransomware
7. The Clues… 1
Executive’s Webcam Activated Remotely
Executive noticed webcam light on his laptop was activating randomly
No video conferencing software was running on the computer
Hacker remote-spying through webcams
8. The Clues… 2
DVR Security Recording Screens Go Blank
Executive logged in to security DVR, camera screens were blank
Hacker Stopped Security Recordings
9. The Clues… 3
All Hell Breaks Loose ~ Time to Panic!
Admin Password on Cisco Router is changed
Files start disappearing from the main server
Phone system stops working
Hacker Gained Admin Access!!
10. Cyber Security Canada to the Rescue!
Step 1: Diagnosis
Installed Next-Gen Firewall Appliance
Stop on-going external attack
Block outbound malware traffic
Capture and report all network activity
11. Malicious Software Detected
Computers and cameras attempting to connect to outside parties
Company data being sent to Asia
Within 24 hours, we discovered 40% of machines - including server / domain controller - had known malware installed
After 48 hours 100% of the machines were compromised
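As an added illustration of the diagnosis step above (this is not code from the presentation or from Cyber Security Canada), a small Python pass over firewall egress logs that flags internal hosts contacting outside parties against a per-role policy, so that cameras, the DVR, the phone system and the domain controller are reported on any Internet connection while workstations are reported only for non-allowlisted destinations or large uploads. The office network, asset inventory, allowlist and log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
LAN = ipaddress.ip_network("192.168.10.0/24")   # constructed office network
# Constructed asset inventory (hypothetical addresses and roles).
INVENTORY = {
    "192.168.10.5": "domain-controller", "192.168.10.21": "workstation",
    "192.168.10.22": "workstation", "192.168.10.23": "workstation",
    "192.168.10.24": "workstation", "192.168.10.25": "workstation",
    "192.168.10.40": "camera", "192.168.10.41": "camera",
    "192.168.10.42": "dvr", "192.168.10.50": "phone-system",
}
# Roles with no business reason to open Internet connections at all.
NO_EGRESS_ROLES = {"camera", "dvr", "phone-system", "domain-controller"}
ALLOWED_DST = {"203.0.113.10"}      # constructed allowlist, e.g. update server
BYTES_THRESHOLD = 5_000_000         # a large upload is suspicious on its own

# Constructed firewall egress log, one "time src dst dport bytes_out" per line.
LOG = """\
2016-03-01T09:00:01 192.168.10.21 203.0.113.10 443 120000
2016-03-01T09:00:05 192.168.10.40 198.51.100.77 8080 4096
2016-03-01T09:01:10 192.168.10.42 198.51.100.77 8080 2048
2016-03-01T09:02:00 192.168.10.5 198.51.100.99 443 9000000
2016-03-01T09:03:30 192.168.10.22 198.51.100.99 443 65000
2016-03-01T09:04:00 192.168.10.23 203.0.113.10 443 3000
2016-03-01T09:05:00 192.168.10.23 192.168.10.5 445 1000
"""
def find_suspect_hosts(log: str) -> dict[str, list[str]]:
    """Map each internal source IP to the egress policy violations seen for it."""
    findings = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        if ipaddress.ip_address(dst) in LAN:
            continue                    # east-west traffic is out of scope here
        role = INVENTORY.get(src, "unknown")
        if role in NO_EGRESS_ROLES:
            findings[src].append(f"{ts} {role} contacted {dst}:{dport}")
        elif dst not in ALLOWED_DST:
            findings[src].append(f"{ts} {role} reached non-allowlisted {dst}:{dport}")
        if int(nbytes) >= BYTES_THRESHOLD:
            findings[src].append(f"{ts} {nbytes} bytes uploaded to {dst}")
    return dict(findings)

def compromised_fraction(findings: dict[str, list[str]]) -> float:
    return len(findings) / len(INVENTORY)   # share of inventoried hosts flagged

if __name__ == "__main__":
    hits = find_suspect_hosts(LOG)
    print(hits)
    print(f"{compromised_fraction(hits):.0%} of inventoried hosts flagged")
```

On the constructed log this flags four of the ten inventoried hosts (both cameras' peer the DVR, one camera, the domain controller and one workstation), i.e. 40%, which is the kind of figure the diagnosis above reports.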
12. Appropriate Remediation & Protection
Installed properly configured & remote-monitored next-gen firewall
Identified vulnerable systems to be updated, patched or replaced
Designed simple network segmentation plan
Sophos endpoint installed on all machines including server
All systems now protected by Commercial Grade Anti-Virus product
13. The Heist Discovered
Physical Assets Stolen
1 skid of 12 cash machines disappeared at some unknown point
14. Thieves Left No Trace
No evidence of the physical intrusion
DVR recordings & logs are blank or have gaps
No unauthorised entry / exit in electronic access control system
Client claims all fobs were accounted for…
Key Fob Cloned?
15. Conclusions
Strong physical defences - cameras, controlled access systems – can’t compensate for weak computer & network security
Good Cyber Security is hard – small businesses do not have the time, staff or resources to implement it properly
A managed solution, designed, implemented & monitored by security professionals can provide an appropriate level of security at a reasonable cost
17. Phase 1: Single Workstation Infected With Ransomware
Precise source of infection unknown:
Employee received a phishing email?
Employee clicked on a link & was re-directed to a malicious site?
Employee visited a news site hosting a third party advertising system that was hacked?
18. Phase 2: Infection Spreads over the Network
Ransomware scanned mounted Network drives and shares
Compromised other Workstations and the Server
All working files are encrypted
Last backups are over 2 weeks old
Never tested
Business grinds to a complete halt!
19. CEO Paid The Ransom
Ransomware key unlocked the data
BUT
Workstations are still infected – re-encrypt daily
Ransomware file cannot be located on workstations
20. Appropriate Remediation & Protection
Bare-metal rebuild of all workstations with latest patched software
Monitored next-gen firewall to prevent ransomware ‘calling home’ during remediation
Commercial Grade anti-virus and process-monitoring system on all workstations and servers
Recommended Business Continuity System with on-site and remote cloud backups every 15 minutes
21. Conclusions
Anti-virus and firewall alone cannot prevent all ransomware infections
Spear-phishing campaigns can overcome most defences
Employee education is a vital part of the Security Program
Best Defense = Monitored Firewall + AV + Education + Business Continuity System combining both on-site and remote cloud backups every 15 minutes with Virtual Machine instant restore
Assures minimum downtime, data & financial loss.