Cybersecurity Threatscape
Quick Information Security Tips for Business and Individuals
Joshua S. Moulin, MSISA – ACE, CAWFE, CCENT, CEECS, CEH, CFCE, CHFI, DFCP, GCFA, GSEC
Background
• 2+ years in federal cybersecurity for a federal agency focusing on national security
• 18 years of public safety experience, 11 of them in law enforcement (patrol, detectives, sergeant, lieutenant)
• The last 7 years in law enforcement were spent as the commander of a Cyber Crimes Task Force; sworn in by both the FBI and the US Marshals Service
• Handled hundreds of investigations and forensic cases including murder, terrorism, cybercrime, hacking, child pornography, extortion, human trafficking, intellectual property, fraud, misconduct, etc., and performed thousands of forensic examinations
• Have been qualified as an expert witness in state and federal court
• Multiple certifications in law enforcement, cybersecurity, and forensics
• Graduated Summa Cum Laude with a Bachelor's degree and hold a Master's degree in Information Security and Assurance
• Adjunct Instructor for a college, teaching computer security
The Adversaries are Real
Source: Mandiant M-Trends 2012
InfoSec for you and your Business
• Passwords and multifactor authentication
• Encryption of data and devices
• Enforced policies and procedures (especially an AUP)
• Disaster Recovery and Continuity Plans
• Employee Training and Awareness
• Social Engineering Attacks and Recon
• Wireless Networking
• Least Privileged Access
• Endpoint Security, Patching, and Security Controls
Security costs…you can pay now, or you can pay later – but if you pay later, you always pay more.
Passwords and Multifactor Authentication
• Want at least two-factor authentication (2FA):
  – Something you have
  – Something you know
  – Something you are
• Website to locate compatible sites: https://twofactorauth.org/
Passwords and Multifactor Authentication
• Strong passwords should include uppercase, lowercase, numbers, and special characters
• Password attacks are extremely common (brute force, dictionary, or hybrid)
• Simple passwords can be cracked in seconds
• Consider a password management tool (e.g., KeePass, LastPass, etc.)
• Consider passphrases
• Never reuse passwords
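To put "cracked in seconds" and the case for passphrases into numbers, here is an added Python estimator (not from the slides): it sizes the brute-force keyspace from the character classes actually used, models a hybrid attack as a dictionary word with common substitutions plus a short suffix, and converts the result into time at an assumed guess rate. The 10 billion guesses per second figure and the five-word list are constructed assumptions standing in for a GPU rig and a real cracking dictionary.

```python
import string

# Constructed assumptions: an offline attacker against a fast, unsalted hash,
# and a tiny stand-in for the multi-million-word cracking lists actually used.
GUESSES_PER_SECOND = 1e10
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein"}
# Undo the substitutions hybrid rules try: 0->o, 1->i, 3->e, 4->a, $->s, @->a
UNLEET = str.maketrans("0134$@", "oieasa")

def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must cover, from the classes present."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(n for chars, n in classes if any(c in chars for c in pw))

def hybrid_dictionary_hit(pw: str) -> bool:
    """Hybrid attack: dictionary word, leet-substituted, with up to 4 trailing
    digits/symbols (Passw0rd!, Summer2013). Such passwords fall almost at once."""
    for strip in range(0, min(5, len(pw))):
        stem = pw[: len(pw) - strip] if strip else pw
        if stem.translate(UNLEET).lower() in WORDLIST:
            return True
    return False

def seconds_to_exhaust(pw: str) -> float:
    """Worst-case time to try the whole keyspace; 0.0 when a wordlist gets it."""
    if hybrid_dictionary_hit(pw):
        return 0.0
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def describe(seconds: float) -> str:
    if seconds == 0.0:
        return "instant (dictionary/hybrid rules)"
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / (365 * 86400):.3g} years"

if __name__ == "__main__":
    for pw in ("abcdefg", "Passw0rd!", "Tr0ub4dor&3", "my coffee tastes like burnt toast"):
        print(f"{pw!r:40} {describe(seconds_to_exhaust(pw))}")
```

Note that "Passw0rd!" satisfies every character-class rule on the slide and still falls instantly, while the all-lowercase passphrase outlasts the attacker by its length alone.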
Encryption
• Encryption should be mandatory on all portable devices (tablets, phones, laptops, USB devices, etc.)
• Encryption should also be used to transmit sensitive data via email (especially PII and IP)
• Many free and inexpensive encryption programs are available
Policies and Procedures
• Policies are a must, especially if you are in any type of regulated business (HIPAA, SOX, GLBA, PCI-DSS, etc.)
• Policies are only good if they are enforced
• If nothing else, have a well-written Acceptable Use Policy (AUP) and have all employees sign it (preferably annually)
• The AUP should discuss several items, particularly that there is no expectation of privacy on the business network
Disaster Recovery / Continuity
• 93% of companies that lost their data for 10 days or more filed for bankruptcy within one year
• 50% of companies that lost their data for 10 days or more filed for bankruptcy immediately
• Every week 140,000 hard drives crash in the United States
• Have a backup plan for home and work
• Consider offsite backup solutions as well; geographic location is important
Source: http://www.concertonenetworks.com/files/DriveSavers_Industry%20Facts_stats.pdf
Employee Awareness Training
• The most common security violations include:
  – Failing to encrypt data and devices
  – Clicking on links within phishing email messages
  – Downloading unauthorized software (p2p, malware)
  – Misuse of company IT assets
  – Plugging in unauthorized devices such as USB devices or home computers to company assets
Social Engineering Attacks & Recon
• Phishing, vishing, smishing, spear phishing, whaling, pharming…the list goes on and on
• Be aware of what is on the Internet about you and your company (OPSEC)
• Social engineering also includes dumpster diving, tailgating, diversion, etc.
Wireless Networking
• NEVER use public open Wi-Fi access points for anything sensitive (or maybe at all)
• If accessing work, make sure you use a Virtual Private Network (VPN) solution
• SMS messages sent over Wi-Fi are all plaintext
• At home take the following precautions on your wireless router:
  – Don't broadcast the SSID
  – Change the default username/password for the router
  – Enable WPA2 encryption (not WEP)
  – Use MAC address filtering
Least Privileged Access
• Usually a culture change and not popular (but absolutely essential)
• Limit who has administrative privileges
• No one should ever use an admin account for their day-to-day work
• Admin accounts should never be used to check email or surf the Internet
Endpoint Security, Patching & Security Controls
• Endpoint security is essential – on everything, including mobile devices
• Have up-to-date anti-malware software
• Use host firewalls
• Keep operating system and third-party software patched against security vulnerabilities
• Make sure your business network is secure and you have an incident response plan
The Life Cycle of a Cyber-attack
Source: Mandiant M-Trends 2012