
Information Security Basics for Businesses and Individuals


DESCRIPTION

This presentation is given as a 30-minute intro to information security and cybersecurity for organizations that are interested in quick wins to improve their security posture.


Page 1: Information Security Basics for Businesses and Individuals

Cybersecurity Threatscape: Quick Information Security Tips for Business and Individuals

Joshua S. Moulin, MSISA – ACE, CAWFE, CCENT, CEECS, CEH, CFCE, CHFI, DFCP, GCFA, GSEC

Page 2

Background

• 2+ years in federal cybersecurity for a federal agency focusing on national security
• 18 years of public safety experience, 11 years were in law enforcement (patrol, detectives, sergeant, lieutenant)
• The last 7 years in law enforcement were spent as the commander of a Cyber Crimes Task Force; sworn in by both the FBI and the US Marshals Service
• Handled hundreds of investigations and forensic cases including murder, terrorism, cybercrime, hacking, child pornography, extortion, human trafficking, intellectual property, fraud, misconduct, etc. and performed thousands of forensic examinations
• Have been qualified as an expert witness in state and federal court
• Multiple certifications in law enforcement, cybersecurity, and forensics
• Graduated Summa Cum Laude with a Bachelor’s degree and hold a Master’s degree in Information Security and Assurance
• Adjunct Instructor for college teaching computer security

Page 3

Page 4

The Adversaries are Real

Source: Mandiant M-Trends 2012

Page 5

InfoSec for You and Your Business
• Passwords and multifactor authentication
• Encryption of data and devices
• Enforced policies and procedures (especially an AUP)
• Disaster Recovery and Continuity Plans
• Employee Training and Awareness
• Social Engineering Attacks and Recon
• Wireless Networking
• Least Privileged Access
• Endpoint Security, Patching, and Security Controls

Security costs…you can pay now, or you can pay later – but if you pay later, you always pay more.

Page 6

Passwords and Multifactor Authentication

• Want at least two-factor authentication (2FA), combining two of:
  – Something you have
  – Something you know
  – Something you are
• Website to locate compatible sites: https://twofactorauth.org/

Page 7

Passwords and Multifactor Authentication
• Strong passwords should include uppercase, lowercase, numbers, and special characters
• Password attacks are extremely common (brute force, dictionary, or hybrid)
• Simple passwords can be cracked in seconds
• Consider a password management tool (e.g., KeePass, LastPass, etc.)
• Consider passphrases
• Never reuse passwords
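As an added example (not part of the slides), a registration-time password check that puts this slide's points together: it estimates the brute-force keyspace, undoes the substitutions a hybrid attack tries so that a mangled dictionary word is still rejected, and shows why a passphrase scores higher than a short complex password. The wordlist and the guess rate are constructed assumptions, not measured values.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (assumption); real lists hold millions of entries.
COMMON_WORDS = {"password", "summer", "welcome", "dragon", "letmein", "monkey"}
# Substitutions that hybrid-attack mangling rules try; undoing them lets the policy see through "P@ssw0rd".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

def alphabet_size(pw):
    """Smallest character set an exhaustive brute-force attack would have to cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    if any(c.isspace() for c in pw):
        size += 1  # passphrases: the space is a character too
    return size

def keyspace(pw):
    """Number of candidates a brute-force attack must try in the worst case: alphabet^length."""
    return alphabet_size(pw) ** len(pw)

def seconds_to_exhaust(pw, guesses_per_second=1e10):
    """Worst-case time to cover the keyspace; the rate is an assumed offline-cracking figure, not measured."""
    return keyspace(pw) / guesses_per_second

def dictionary_core(pw):
    """Strip trailing digits/symbols and undo leet-speak, as hybrid rules do, to expose the base word."""
    return pw.rstrip(string.digits + string.punctuation).translate(LEET).lower()

def evaluate(pw, min_bits=60):
    """Registration-time policy: reject dictionary-shaped passwords and small keyspaces; return (accepted, reason)."""
    if dictionary_core(pw) in COMMON_WORDS:
        return False, "dictionary word with common substitutions"
    ks = keyspace(pw)
    bits = math.log2(ks) if ks else 0.0
    if bits < min_bits:
        return False, f"keyspace only {bits:.0f} bits"
    return True, f"keyspace {bits:.0f} bits"

if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Summer2024!", "qwertyui", "correct horse battery staple"):
        print(f"{pw!r}: {evaluate(pw)}, ~{seconds_to_exhaust(pw):.3g} s to exhaust")
```

An eight-character lowercase password has a keyspace of 26^8, about 2×10^11 candidates, which is where the "cracked in seconds" figure on the slide comes from at the assumed guess rate.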

Page 8

Encryption

• Encryption should be mandatory on all portable devices (tablets, phones, laptops, USB devices, etc.)
• Encryption should also be used to transmit sensitive data via email (especially PII and IP)
• Many free and inexpensive encryption programs are available

Page 9

Policies and Procedures
• Policies are a must, especially if you are in any type of regulated business (HIPAA, SOX, GLBA, PCI-DSS, etc.)
• Policies are only good if they are enforced
• If nothing else, have a well written Acceptable Use Policy (AUP) and have all employees sign it (preferably annually)
• The AUP should discuss several items, particularly that there is no expectation of privacy on the business network

Page 10

Disaster Recovery / Continuity
• 93% of companies that lost their data for 10 days or more filed for bankruptcy within one year
• 50% of companies that lost their data for 10 days or more filed for bankruptcy immediately
• Every week 140,000 hard drives crash in the United States
• Have a backup plan for home and work
• Consider offsite backup solutions as well; geographic location is important

Source: http://www.concertonenetworks.com/files/DriveSavers_Industry%20Facts_stats.pdf

Page 11

Employee Awareness Training
• The most common security violations include:
  – Failing to encrypt data and devices
  – Clicking on links within phishing email messages
  – Downloading unauthorized software (p2p, malware)
  – Misuse of company IT assets
  – Plugging in unauthorized devices such as USB devices or home computers to company assets

Page 12

Social Engineering Attacks & Recon
• Phishing, Vishing, Smishing, Spear Phishing, Whaling, pharming…the list goes on and on
• Be aware of what is on the Internet about you and your company (OPSEC)
• Social engineering also includes dumpster diving, tailgating, diversion, etc.

Page 13

Wireless Networking
• NEVER use public open Wi-Fi access points for anything sensitive (or maybe at all)
• If accessing work, make sure you use a Virtual Private Network (VPN) solution
• SMS messages sent over Wi-Fi are all plaintext
• At home take the following precautions on your wireless router:
  – Don’t broadcast the SSID
  – Change the default username/password for the router
  – Enable WPA2 encryption (not WEP)
  – Use MAC address filtering

Page 14

Least Privileged Access
• Usually a culture change and not popular (but absolutely essential)
• Limit who has administrative privileges
• No one should ever use an admin account for their day-to-day work
• Admin accounts should never be used to check email or surf the Internet

Page 15

Endpoint Security, Patching & Security Controls

• Endpoint Security is essential – on everything, including mobile devices
• Have up-to-date anti-malware software
• Use host firewalls
• Keep operating system and third-party software patched against security vulnerabilities
• Make sure your business network is secure and you have an incident response plan

Page 16

The Life Cycle of a Cyber-attack

Source: Mandiant M-Trends 2012

Page 17

Questions?

Email: [email protected]

@JoshMoulin

https://www.linkedin.com/in/joshmoulin