Cyber Hygiene Practices 11/30/17
Bloustein Local Government Research Center

2017 Annual Governmental Accounting & Auditing Update Conference
Rutgers Business School
By Marc Pfeiffer, Assistant Director, Bloustein Local Government Research Center
Rutgers University

Recognizing, Detecting and Preventing Cyber Security Threats
BOTTOM LINE
▪ Criminals try to manipulate people into divulging personal or business information, or trick them into schemes to defraud
▪ Criminals can be individuals or part of industrialized cybercrime businesses
No single fix, since the threats keep changing; it's a perpetual battle
WHY SHOULD I CARE?
• 60% of employees will click a phishing link
• 30% of them will actually give up organization credentials
• 20% stated they would sell their organizational password
REALITY: the bulk of successful attacks come because an employee clicked on something they shouldn't have

Types of Attacks and Threats
• Targeted Attacks
– Government agencies are generally targets
– It also happens if something goes wrong
• Mass Attacks
– This stems from successful email phishing, social engineering, plus "brute force" attacks on networks
• Man-in-the-Middle Attack:
– A link to a log-in site that looks legit, but is fraudulent and will steal your credentials
• Unsecure humans
– Clicking on the wrong link / opening the wrong file
– An employee who steals data for resale or illegal use
Some Common Terms
Malware
Destructive form of computer software transmitted by email and website links
Viruses. Trojans. Rootkits. Worms. Spyware. Crimeware. Adware.
Phishing: a form of social engineering that appears as an email or a text message that attackers use to gain login credentials or account information
And its evil cousin, the targeted Spear-Phish, or Vish, using voice to fool you

PHISHING EMAIL EXAMPLES
Phishing email poses as an important email from a trusted organization
– A notification from the post office, UPS, or FedEx shipping informing the recipient of a delivery
– A message from a utility provider or retailer about an overdue bill
– An alert about the recipient's tax return
– Invoices or notices for goods and services (Amazon, Costco)
– Fake credit card reward schemes
– Direction from your employer, i.e., a need to log in because you lost some permission
Each variation relies on our instinct to act on messages that appear to be urgent
• Clicking on an attachment or a link embedded in a suspicious email launches a program that encrypts (or rewrites) your files.
THIS IS RANSOMWARE! SO WHAT HAPPENS?
• The files are held for ransom; the hacker who sent the email will require a payment from you before they will (hopefully) send you the key (a line of computer code) that decrypts the files and restores them.
• Hope you have backups to restore your system; otherwise you pay!
• You are now known to hackers as a victim and will be subject to future attacks
WHEN EMAIL TURNS EVIL!!!
EMAIL AS SOURCE OF MALWARE?
- Embedded but fake links entice you to open harmful websites
- Spoofed "from" addresses
- Attachments can have embedded viruses or malware; MS Office documents can have malicious macros in them, or requests to link to other files from a file you downloaded. Other attachment types include html and zip.
- Coupons and advertisements with "hidden agendas"
- Always with the suggestion that you need something, or could get something for a bargain.
PROTECT YOURSELF FROM EVIL EMAIL
• Learn to hover and read links!
• Be suspicious of unexpected emails
• Do not download or open attachments you are not expecting:
  • Confirm first with the sender if it looks important
  • Or just delete it
• Always be suspicious (do not let your guard down)
• If it doesn't look right, it's not right
• Do not log in to an account from an email link unless you verify it's a legit email and site
• Never unsubscribe from a group that you are unfamiliar with or did not subscribe to
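The checks a careful reader makes by hand (hover and read where the link really goes, compare it with the address shown, refuse to type a password into a plain-http page, notice a "from" address whose display name does not match where the mail actually came from) can also be run by a mail filter. The Python below is an added example written for this page; it is not code from the slides or from any product the presenter describes. The sample message body, the sender header and every domain name in them are constructed, and the two-label domain comparison is a simplification of what a production filter would do with the Public Suffix List.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, visible text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anything in visible text that looks like a host name, with or without a scheme.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_part(host):
    """Last two labels of a host ('webmail.citygov.example' -> 'citygov.example').
    Good enough for this demo; a production filter would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def review_links(html_body):
    """One finding per link that hovering and reading the real target would reveal."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlsplit(href)
        host = target.hostname or ""
        if target.scheme.lower() == "http":
            findings.append(f"plain-http link to {host}: never enter a password here")
        shown = _HOST_IN_TEXT.search(text)
        if shown and registrable_part(shown.group(1)) != registrable_part(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


def review_sender(from_header):
    """Flag a From: header whose display name names a domain the real address does not use."""
    name, addr = parseaddr(from_header)
    actual = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    claimed = _HOST_IN_TEXT.search(name)
    if claimed and registrable_part(claimed.group(1)) != registrable_part(actual):
        return f"display name claims {claimed.group(1)} but mail came from {actual}"
    return None


# Constructed sample message: the visible link text says webmail.citygov.example, the
# real target is a look-alike host, and the sender's display name is itself an address.
SAMPLE_FROM = '"it-support@citygov.example" <alerts@mail-relay.example>'
SAMPLE_BODY = """<p>Your mailbox is almost full. Sign in to keep receiving mail.</p>
<a href="http://citygov.example.login-portal.example/reset">https://webmail.citygov.example/reset</a>
<p>Questions? Visit the <a href="https://webmail.citygov.example/help">Help desk</a>.</p>"""

if __name__ == "__main__":
    for finding in [review_sender(SAMPLE_FROM), *review_links(SAMPLE_BODY)]:
        if finding:
            print("WARN:", finding)
```

Run as a script it prints three warnings for the constructed message: the display name claims citygov.example but the mail came from mail-relay.example, the reset link is plain http, and the reset link's text shows one host while its target is another. The "Help desk" link, whose text is not an address and whose target is https, produces nothing.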
Making and Managing Strong Passwords
• Use strong passwords or, better yet, pass-phrases; do not use names, dates of birth, or anything known about you. And vary them.
– Particularly for financial sites, sites with your credit card information, and email.
– Change them periodically (annually for key ones)
• Do not share passwords!
– Anything that happens on that account gets treated as if you did it.
– If you do share a password, change it to something generic before and back to something complex after; or change it after its use
• Use a personal password manager
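The slide's advice rests on two points: a pass-phrase built from randomly chosen words gets its strength from the size of the word list and the number of words, and nothing in it should be something known about you. The Python below is an added example written for this page, not material from the slides or from any password manager; the 32-word list is constructed and deliberately tiny so the entropy arithmetic is easy to follow, and the "known about you" details passed to the last function are constructed too.

```python
import math
import secrets

# Constructed 32-word list, kept tiny so the entropy numbers are easy to follow.
# Real generators use lists of several thousand words (the EFF diceware list has
# 7776); the list size and random choice, not secrecy of the list, give the strength.
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yarrow",
    "zephyr", "bridge", "cactus", "desert", "engine", "forest", "glacier", "helmet",
]


def make_passphrase(n_words=5, wordlist=WORDLIST, sep="-"):
    """Pick n_words uniformly at random with the OS CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Guessing resistance of a uniformly chosen phrase: log2(list size) bits per word."""
    return n_words * math.log2(wordlist_size)


def personal_terms_found(passphrase, personal_terms):
    """Return the personal details (names, birth years, pet names, ...) that appear in
    a phrase. This is the check behind 'do not use names, dates of birth, or anything
    known about you'; an empty list means none of the supplied terms were found."""
    flat = passphrase.lower()
    return [t for t in personal_terms if t.lower() in flat]


if __name__ == "__main__":
    print(make_passphrase())
    print(f"{passphrase_entropy_bits(5, len(WORDLIST)):.1f} bits from this 32-word demo list")
    print(f"{passphrase_entropy_bits(5, 7776):.1f} bits from a 7776-word diceware list")
    # Constructed 'known about you' details and a constructed weak phrase
    print(personal_terms_found("Trenton-1984-Rover-tulip", ["Trenton", "1984", "Rover", "Maria"]))
```

Five words from the demo list give only 25 bits, which is why the list is for illustration; the same five words from a 7776-word list give about 64.6 bits, and each added word adds another 12.9. A phrase that scores well on entropy can still fail the personal-details check, which is the point of the slide's second sentence.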
SAFE WEB BROWSING
HTTP
HTTPS
http://masterupdate.net/.....
If you are unsure about this type of pop-up, search for "flash update" and go to an adobe.com site to check. Don't download from a pop-up that's not from the adobe.com website.
Safe Browsing: @Work and @Home
• DO NOT CLICK ON suspicious pop-ups or unexpected messages when browsing!
– If at work, call IT; if at home, close the window or disconnect from the network
– Work is work, not home!
– Remember your web browsing activities are tracked (even if you clear the browser history)!
– DON'T CLICK on that pop-up!
– DON'T CALL the number on the screen
• Things that are too good to be true aren't true. Don't click on them; delete them
• Caught in a loop? Shut down and reboot
• Stay Safe: Browse trusted sites:
  • Know the address: HTTP vs. HTTPS, and no passwords on non-https sites
  • Use two-factor authentication when offered
  • Don't download "toolbars" or cleaners unless known or checked out. You probably don't need them

KEEP YOUR COMPUTER UP TO DATE
Keep Windows, antivirus, and browser updated with the latest versions
Forms of Social Engineering
• In-person
• Phone
• Digital
BEWARE OF …… phone callers asking for confidential employer or personal information, even if they claim to be from IT or a vendor. Refer them to IT support or hang up.

'Can you hear me?' phone scam
A dangerous new phone scam is spreading across the country, with faux telemarketers asking unwilling victims to respond with a single word to "Can you hear me?"
UNFORGETTABLES
• Do not log on and off a computer when asked by another employee or outside person – unless identity is verified
• Caller ID can be "spoofed"
• Use two-factor authentication for transactions whenever it's available
• Fiscal and HR people: POSITIVELY confirm all emailed directions for anything (especially for personnel information and payment direction)
• Use a passcode on mobile devices
• No system is 100% perfect, since threats are always changing
• Stay aware: stop, think, then connect
• Call your IT support person when in doubt
• At home: www.malwarebytes.com if you get infected
UH, NOPE

PUTTING IT ALL TOGETHER
• Don't be curious – just don't click
• Online, free is never free
• Be suspicious – hover first and check it out
• If you didn't ask for it, you don't need it
• Never open attachments from unknown people
• Don't instinctively open files from people you know but were not expecting; check with them first
• Lock your PC when away from your desk – "Ctrl+Alt+Del > Enter" or "Windows+L"
• Test yourself: search for "Pew Cybersecurity Quiz"
• www.pewinternet.org/quiz/cybersecurity-knowledge/
You know what they say…
For more information for work or home or school: www.stopthinkconnect.org
For further discussion and comments
Marc Pfeiffer, Assistant Director
Bloustein Local Government Research Center
Bloustein School of Planning and Public Policy
Rutgers University
Marc.Pfeiffer@rutgers.edu
• See the Technology Risk Management Papers by searching for "Bloustein Technology Risk"