In the first half of 2017, we have already seen “viral, state-sponsored ransomware, leaks of spy tools from US intelligence agencies, and full-on campaign hacking.” As cyber criminals continue to probe for the weakest links in corporate cyber security chains, it is safe to say that 2017 will continue to get much worse in the ever-changing tech landscape. In this webinar, discover how to handle cyber threats, see how these threats affect your practice and clients, and learn how the Private Cloud can help overcome these challenges.
Good afternoon everybody. This is Thomas Schoessow, the VP of Technology with Abacus Data Systems. Welcome to the webinar: Cyber Security 2017: It's a Scary World Out There.
Abacus Data Systems is the largest technology-as-a-service provider for the professional services industry. AbacusNext focuses on helping the legal and accounting professions achieve the ultimate success and peace of mind through the delivery of a complete suite of compliance-ready technology solutions designed to support and secure cloud-enabled practices at a cost they can afford. Our portfolio of turnkey solutions includes hardware, software and infrastructure on a pay-as-you-go model: practice management, client resource management, payment processing, email, DaaS (desktop as a service) and managed IT. We're headquartered in San Diego, California and backed by private investment from Providence Equity. AbacusNext delivers products and services to over 500,000 businesses throughout the world.
Again, a little bit about me. My name is Thomas Schoessow. I'm the VP of Technology here at Abacus Data Systems. I've been in the technology vertical for a little over 17 years, and for the last 10 years I've focused specifically on cloud management, cloud delivery and cloud security.
On the agenda for our webinar today, we're going to talk about types of threats to be aware of, some recent examples in both the accounting profession and the law vertical, and some ways to mitigate exposures, specifically around networks, web servers, endpoints and email. A few tips at the very end, and then we'll try to leave some time for Q and A. If we do not have time for Q and A, please post your questions into the chat box in the bottom right-hand corner and we will capture those and ensure that we get back to you with the answers.
Diving right into the types of exposures that are out there, the types of infections. The one that I always like to start with is ransomware, specifically because it's the one that we're hearing more and more about. Ransomware, which is often called 'Cryptolocker', 'Cryptodefense', 'Cryptowall' and, most recently, 'WannaCry', is a family of malware that takes over the machine and then starts to encrypt the files. Those files can be local to the PC, or they can be on a NAS (network attached storage) or a file server. Once those files are encrypted, when access is attempted you are presented with a ransom note and a payment option, typically in bitcoin, to receive the key. Ransomware is one of the most widespread and damaging threats out there on the internet today. Since the infamous Cryptolocker first appeared, we've seen a new era of file-encrypting ransomware variants delivered through spam messages, exploit kits, et cetera, et cetera.
Industrial IoT hacks will increase. The reason that we bring this one up, specifically for myself, is that more and more we're seeing IoT devices in our homes, in our workplaces, in our cars. Really, what is an IoT device? IoT is the interworking of physical devices and vehicles, also referred to as 'connected devices' or 'smart devices'. A perfect example is the Nest thermostat or the new home automation kits that are coming out. When I walk into a room, I say, 'Turn lights on'. We would consider those types of devices part of the 'Internet of Things'.
The attacks have opened up an important conversation around internet security and volatility. Not only have they highlighted the vulnerabilities in the security of IoT devices; with that highlight, we need to address them. The ways that we address those we'll get into a little bit later.
Here's an example from October 21st, 2016. At approximately 11 o'clock, Dyn, a large DNS host that hosts DNS services for companies that we all know, e.g. Netflix, came under attack by two large distributed denial of service attacks, which took down their managed DNS infrastructure and essentially rendered the services that were using their DNS inoperable, meaning you could no longer stream Netflix, you were unable to purchase on Amazon, et cetera, et cetera.
We're going to talk a little bit about DDoS attacks and the specifics of what they are. A denial of service attack is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload the system and prevent some or all legitimate requests from being fulfilled. What does that mean? They flood the server that's providing the services, rendering those servers and/or applications, whatever it might be, inoperable, meaning they can't communicate out.
The Dyn DNS attack on 10/21/2016, the one we referenced on the previous slide, was highly sophisticated. It was distributed across tens of millions of IP addresses. This is from Dyn: they're conducting a root cause and forensic analysis and will report on what happened.
Here we are in 2017, and obviously this attack happened in 2016. What we understand today about the attack is that it was IoT devices that had not been updated from a firmware or software perspective, that had malicious code on them and participated in the attack. In layman's terms, what does all that mean? The Nest thermostats became the attacker.
Internal threats will continue to increase. We talk about internal threats here at AbacusNext on a regular basis. What we mean by that are phishing attempts, social engineering attempts, people trying to call in and obtain usernames and passwords from the corporate infrastructure or the corporate enterprise. It's something that we need to be aware of and we need to be speaking about. They're not going to go away. They're only going to continue to happen. The increased targeting of social media and personal email bypasses many networks' defenses. When we're talking about a phone call, somebody calling in to obtain those credentials, typically there's no scanning in front of that, no anti-phone-scanning tools or anything of that nature. We're talking about live bodies trying to do phishing attacks physically on a phone.
Another good example of that, and I like to speak about this: years ago I worked alongside a broker-dealer. Somebody sent in an email from an address that was very similar to the address of a customer the broker-dealer had consistently worked with. That email address was a single letter off from the customer's original email. They copied the signature. This attacker was able to have $200,000 transferred out from an account here in the US to an account overseas. We ended up working with the FBI very closely to uncover this, but at the root of it all was a single letter difference. The business did not have the SOPs or processes to verify signatures, things of that nature, whatever it might be, but what it was was an email that looked similar, and the attacker was able to have the money transferred.
Here are a couple of examples of some real-life security breaches. I spoke of one very small one, local to the market that I was working in at the time, but we've all heard of the US law firms that were hacked. Those law firms were hacked and about $4,000,000 in insider trading took place. How were they hacked? There were web servers that were exposed to the internet as a whole. Those web servers were not secured. Those web servers contained vital information belonging to the firms, and the attackers were able to exploit the servers, keep them maintained in position, and extract the data from them.
The second example is 8,000 clients affected by a data breach of two Massachusetts accounting firms. If you read the report around that one, it was not an external exposure. It was an application that was placed within the network that continued to spew the data out. The firms did not have the technology that would have caught the application. It was literally a single file in the network that was able to obtain social security numbers, addresses and names and provide that information to the attackers.
This is the hope, that security will no longer be an afterthought. I think when we all think about security and cyber attacks, the first thing that everybody thinks is: "It's not going to happen to me." We want to change that conversation. 2017 is going to be a critical year for security. It's really starting with how it's built into the technology that we're using today. DevOps and security will change the way we work together as they realize they need to integrate with each other in order to survive. With IoT on the rise, security will continue to be the primary obstacle preventing customers from fully welcoming connected devices into their homes and lifestyle. Consumers and businesses are getting smarter. Security vendors will be held more accountable in keeping them safe. That is definitely our hope. That is the trend that we're seeing here in 2017, but really what we want to say on this slide is: let's put that at the forefront. Let's start talking about security in our businesses. Let's start talking about security at home. How do we ensure that our homes are protected? How do we ensure that the infrastructure in our businesses is protected? We need to start talking about security. It's a very important subject going into 2017 and beyond.
What we're seeing in trends in 2017 is that businesses are starting to take security seriously. In 2017, security conversations will continue to intensify, not only around securing the data and networks, but also physical security as well. Here at our corporate offices, headquartered in San Diego, California, we take physical security very seriously. We have a camera system, we have a badging system in and out. We can clock and know what's going on within our office, so that we don't have any visitors that we don't want and that are not welcome. More importantly, it's something we talk about, and not only talk about, but put into action here at Abacus. Again, from our corporate perspective, we take security very seriously. We approach every situation, every cloud instance or every on-premise delivery, whatever it might be, the same way: the first thing that we're talking about is security, and everything else kind of falls under that.
Another way to mitigate cyber security attacks is two-factor. Over the last three or four years, two-factor has really become a play in the enterprise. We're really starting to see it, specifically in the cloud. We recommend two-factor for everything in the cloud, and we're starting to see more and more individuals use two-factor. We're a big supporter of Duo for two-factor authentication. Some two-factor authentication uses a token or a text message. Unfortunately, those can be sniffed and those can be pulled.
We like to use Duo, because it uses a push notification to an application registered on a device. What does all that mean in layman's terms? That means that before you can enact two-factor authentication, you need to register your device, your mobile device, whether it be a Windows Phone, an Android, or an iPhone or other iOS device. Once that is registered, you are then sent to a site to download an application. Now, the communication doesn't happen over SMS. It doesn't happen over cell. It is a push notification from the Duo system to the phone, asking, 'Are you meaning to log into this? Yes or no.' It does put a layer of security between yourself and the endpoint, the device or the application that you're trying to log into. We use two-factor across everything, Duo being the product that we choose. Me personally, I use it for bank logins, I use it to access my GoDaddy site. Anywhere and everywhere that I can use two-factor, where it is enabled or offered as a service, I choose to use it. It just keeps me protected.
Mitigation efforts. I'm going to have a lot of acronyms here. I will explain the acronyms, but really, let's talk about some mitigation efforts. Local area protection and next generation firewalls. Firewalls have come a long way over the last 10 years. What we used to see is that we had a firewall in front of the internet and then behind that we had lots of security services, baked outside of it, so they could watch the traffic coming from the firewall. What we've seen over the last 10 years is truly next generation firewalls. We call them 'NGFs'.
What does that mean? The firewalls today are taking those security principles that we had behind them 10 years ago and putting it all in one device. Your firewall is also your DPI scan, your deep packet inspection. Your firewall is also providing you intrusion prevention systems, IPS. Your firewall is offering secure VPN access. Where 10 plus years ago we had VPN devices, now that's baked into the firewall. Obviously, self-service user portals, so when a user needs to invoke a user-initiated SSL VPN, they have a self-service portal, reducing the support load put on IT teams; two-factor authentication; and then the final piece for us: we choose to use Sophos as a vendor. We are very happy with their line. The UTM line, the unified threat management line that we choose for corporate deployments, on-premise deployments for customers that we're supporting, as well as our clouds, are all backed by the Sophos next generation firewall.
We bring up web servers specifically because of the attack on the law offices that we spoke about earlier. Protecting web servers: having a web server out on the internet is something everybody does. We have to do it. How else do we serve our websites? How do we search Google and get the responses?
Those are all web servers, but there are a few ways of handling those web servers to ensure that they're secure. Most important is going to be the WAF, the web application firewall. It is a product that is baked into a next generation firewall that protects the web server and monitors and secures all communication between the outside and the server itself. Obviously, server hardening is a technique that has been around for years and includes patching, maintaining a patch schedule and things of that nature. Antivirus on the files when they're being uploaded is important, because if I'm sending a file from my computer and it's infected, and you are accepting files from your customers or your clients, or you are sending a file, the ability to scan that file on intake is going to be very important. That ensures that there is no infection that's going to be distributed through the network that it's being delivered to.
Finally, when providing web services, if it's not a publicly facing site, we always recommend using what we call 'ACLs', access control lists. That means locking down the application, or the entry point to the application, to specific networks throughout the world.
Email and endpoint protection, one of my favorite topics: email. Anti-spam solutions are now baked into next generation firewalls. There are lots of hosted solutions out there. We always recommend that customers look at spam solutions. Office 365 has it as part of their product line. We're a big proponent of Office 365. We use lots and lots and lots of those services and they have the spam services baked in, but we believe and we know that this is a must-have. This isn't 'if I need to or not'. You must have a spam solution. For one, the content that's coming through without a spam solution is dirty at best. I think that's a nice word for it. We're talking virus infections, we're talking types of images that we should not be seeing, et cetera, et cetera.
Antivirus for your endpoints is another piece of that. If we're talking about mail coming in, awesome, it's getting spam filtered. Not all spam filters are up to date. Not all spam filters are able to get into the attachment and see what's in that attachment. When a message gets past the spam filter and we go to open an attachment, we need something at the endpoint to ensure that that infection does not get distributed. That's where we start to talk about endpoint protection or antivirus. Antivirus to clean viruses and malware infections. Self-service quarantines, so users, if there is a false positive with the spam filter, can go to a self-service quarantine, select the message and say, 'Please deliver that.' Also, standards for sending mail: TLS encryption, OpenPGP, PGP encryption as well. Lots of ideas around this, but really what we want to take away from this is ensuring that all mail has some spam filtering in front of it and all endpoints are protected with some type of application. Yes, we can use the free ones. They do work. Just remember, sometimes you get what you pay for when it comes to a solution. We always encourage customers to engage with a vendor and actually pay for that.
Five tips to keep you safe. I think the number one tip is the most important tip: think before you act. I almost changed this slide this morning to say, 'Think before you click', because how many times have we done a Google search, we're now on page nine or page ten and we're still clicking. We don't know where we're clicking and we end up somewhere we shouldn't have been. Prior to opening an email attachment, prior to providing someone on the phone the information that they're asking for, think before you act. Does this feel right? Is this normal? Is this something that happens in my business on a regular basis, or at my house?
When I was first putting this slide deck together, I got a call from an odd number. That odd number left me a voicemail and was "the IRS". They wanted me to call this number in Texas because I owed lots of money to them, and shortly thereafter I got a text message from that same number. When I went to call that number back, it was a voice-recorded system. It was not the IRS; it was just a scamming attack. It was an attack against me personally. I actually chuckled, because going through these slide decks and putting these things together, it's not very often that as you're going through that process it actually happens to you. It was in the weeks that I'd been putting this together that it happened, and I thought it was quite amusing at the time.
Businesses need to create a plan for an attack. You don't want to be on the side of responding to an attack. You want to be on the side of having a plan for how to respond to the attack. It's not 'if', it is 'when'. There will be an attack. The hope is that we catch it at that next generation firewall and there are no adverse effects throughout the corporate culture and/or the business as a whole, but really understanding why an attack occurred and what was compromised is crucial to recovery and to successfully protecting the business in the future. That's great.
My point in all of this is to have a plan up front. Don't react without having a plan. We always encourage businesses to be thinking about security: what's going to happen if we do have an attack, what's going to happen if something does get deleted maliciously, et cetera.
Obviously, confirm that your computer and browsers are up to date. Microsoft delivers those patches every month. We call it 'Patch Tuesday' around here. Please ensure that those machines are up to date, and then check to see if your email has been compromised. I think that's a good one there. For Google Apps and Office 365, we have a couple of links here. There were some other links on the slide. We're providing the slide deck as a whole when we're done here, but check to see when the last time the account was logged into. I had logged into my Gmail account from a new device. It was really nice. I got a text message and I got an email notification within seconds that a new device had accessed my Gmail account. I think we should all go through that exercise.
Finally, use a password manager. Please quit using your kid's name, 1, 2, 3 and an exclamation point. Please stop using 'P@SSW0RD'. We know all those. If we know them all, so do the attackers. More importantly, use a password manager. We're a big supporter of LastPass. I can't tell you how many hundreds of thousands of records we have in there, but use a password management tool. It will allow you to have unique passwords and not have the same password across all your bank accounts and all of your credit cards, where if an attacker gets one password, they have them all.
Finally, put cyber security on the agenda before it becomes the agenda. I was speaking about that earlier. Get a plan in place. Start talking in your business. Start talking about what's going to happen when, because I'm telling you it's not 'if', it is 'when'. We see it on a regular basis. I've been in this industry, like I said, for a little over 17 years. We're seeing more and more and more of these attacks. The nice thing is they're now being reported on. 10, 15 years ago you didn't hear them being reported on, but at the same time, 10, 15 years ago, we weren't as connected as we are today. Put cyber security on the agenda before it becomes the agenda.
I'm just going to cite this slide because I think it does make sense. A major cyber attack may feel like the stuff of popular culture. It's not. Although many never hit the headlines, such attacks are increasing in prevalence and scale all the time. We can only encourage you to make that a part of your agenda.
Thank you very much. We are also offering a free cyber security check if anybody would like one. This is the URL to visit to schedule: abacusnext.com/cyber. AbacusNext will do that for you. We will also be providing the slide deck to all attendees at the conclusion of this. At this time I will open it up to see if there are any questions.
It doesn't look like we have any questions. That's great. I appreciate everybody's time this afternoon. Thank you and have a wonderful day.
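The broker-dealer story in the webinar (a sender address one letter off from a known customer's, with a copied signature) is a detection problem a mail gateway or a simple pre-delivery script can address. The following Python check is an added example and is not code from the webinar or from AbacusNext. It parses an inbound `From:` header, compares the address against a constructed list of trusted contacts, and flags addresses within a small edit distance of a trusted one, as well as messages whose display name copies a trusted contact while the address does not match. The contact list, the sample headers and the edit-distance threshold are all assumptions.

```python
"""Flag inbound senders that are near-misses of trusted contacts.

Added illustration, not code from the webinar or from AbacusNext.
The trusted-contact list and the sample headers below are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed: addresses the firm regularly corresponds with, mapped to the
# display name those contacts normally use.
TRUSTED_CONTACTS = {
    "jane.doe@acme-customer.example": "Jane Doe",
    "cfo@acme-customer.example": "Pat Lee",
    "ops@partner-bank.example": "Partner Bank Ops",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    status: str                 # trusted | lookalike | display-name-spoof | unknown
    nearest: Optional[str]      # trusted address the sender resembles, if any
    distance: Optional[int]     # edits between sender and nearest


def classify_from_header(from_header: str, trusted=TRUSTED_CONTACTS,
                         max_edits: int = 2) -> Verdict:
    """Classify one From: header against the trusted-contact list.

    max_edits is an assumed threshold: one or two edits catches the
    single-letter swaps described in the webinar without matching
    unrelated addresses.
    """
    name, addr = parseaddr(from_header)
    addr, name = addr.strip().lower(), name.strip().lower()
    if addr in trusted:
        return Verdict(addr, "trusted", addr, 0)
    nearest = min(trusted, key=lambda t: edit_distance(addr, t))
    dist = edit_distance(addr, nearest)
    if dist <= max_edits:
        return Verdict(addr, "lookalike", nearest, dist)
    # Address is not close to anything, but the display name may be copied
    # from a trusted contact: a common companion to the lookalike trick.
    for t_addr, t_name in trusted.items():
        if name and name == t_name.lower():
            return Verdict(addr, "display-name-spoof", t_addr, dist)
    return Verdict(addr, "unknown", None, None)


def review_needed(verdicts) -> list:
    """Return only the verdicts a human (or a hold queue) should look at."""
    return [v for v in verdicts if v.status in ("lookalike", "display-name-spoof")]


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one single-letter lookalike,
    # one display-name spoof, one unrelated newsletter.
    samples = [
        "Jane Doe <jane.doe@acme-customer.example>",
        "Jane Doe <jane.doe@acme-custoner.example>",
        "Jane Doe <jane.doe@freemail.example>",
        "Vendor News <newsletter@vendor.example>",
    ]
    for v in map(classify_from_header, samples):
        print(f"{v.status:20} {v.sender:40} nearest={v.nearest} edits={v.distance}")
```

Run stand-alone, the script prints one verdict per sample header; in a gateway you would route the `lookalike` and `display-name-spoof` results from `review_needed` to a hold queue or a banner in the user's mail client rather than delivering them silently. The check is deliberately independent of the message body, so it still fires when the signature block has been copied perfectly, which is exactly the case the webinar describes.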