Hacking, malware, phishing, ransomware, and viruses are used by attackers looking to make a living off of your data. Thomas Schoessow, VP of Technology Infrastructure at AbacusNext, has been battling these attacks for 15 years. In this webinar, our in-house cybersecurity expert explains tools to use, and how to keep your data safe.
About Free Training Friday: For nearly two months, we have been holding these free, 30-minute trainings hosted by our industry-leading experts and innovators, who will teach you about AbacusLaw, Amicus Attorney, the Abacus Private Cloud, and everything in between. If you would like to request a topic, please email firstname.lastname@example.org
Welcome, everybody, and good afternoon. My name is Thomas Schoessow, T.J. I am the VP of technology here at Abacus Data Systems, and one of my tasks is to ensure that we are securing our cloud and all endpoints, then and throughout. So, jumping right into our subject, cybersecurity in 2017: it's a scary world out there.
Here's a basic agenda of what we're gonna go over today. Types of threats to be aware of in 2017. Recent examples of attacks. Some mitigation efforts for networks, web servers, and emails. Some basic tips to keep you safe. And a Q and A session.
Attacks are on the rise. More and more we're seeing ransomware and extortion attacks; we're hearing about them on the news. Ransomware, which is often called CryptoLocker, CryptoDefense, or CryptoWall, is a family of malware that takes files on a PC or network storage, encrypts them, and then extorts money to unlock those files. We've seen more and more of this in the news, happening to businesses and to individuals, and what we're seeing today is that the antivirus companies are now coming up with mitigation efforts to stop those at the beginning. There is no way, once the files have been encrypted, to decrypt them without paying the ransom.
Industrial IoT. More and more, we're seeing the Internet of Things. What we mean by that is that we have more and more devices connected to the internet. We're talking Nest, if you have a Nest thermostat control, or a smart home controller; we're seeing more and more of that. If those things are not kept up to date, they become a part of the attack surface.
DDoS attacks, distributed denial of service attacks, are typically accomplished by flooding the target machine or resources with superfluous requests in an attempt to overload a system. A DDoS attack is an attack where a group of infected machines and/or devices will focus on an attack surface, or a machine, or an IP address, and flood the machine so that all services that machine was trying to serve are denied. A good example of that: if you have a web server sitting out on the internet somewhere, and you are not doing any web application firewalling in between, and that web server happens to have a DDoS attack launched against it, then what we would see is that web server quits performing and quits providing those web services to the internet as a whole.
Internal threats will increase. I think this is one that we all don't take very seriously, and it's something that we want to highlight here. Internal threats, social engineering, whatever it might be, are on the rise. If you're running a call center, or a small home office, and someone's calling in and saying they're there to support you, they're there to help you, but they need this information to do that. Some of that might be a social security number; some of that could be the password into the system that you're working on. What we're seeing is that more and more of these types of threats are increasing, especially in the SMB business space, because no one's talking about it. No one's educating our employees to understand what a social engineering attack could look like and/or feel like. Those are not just phone calls; those can also be email requests coming in from spoofed email addresses that do appear to be your CEO sending you the request, but in turn are actually a social engineering attack.
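The "request from the CEO" lure above can be triaged mechanically before a human ever reads the body. The following is an added example, not code from the webinar or from any vendor: it parses a raw message with the Python standard library and flags a display name that matches a protected executive but carries an outside address, a Reply-To that diverts answers to a different domain, and a message claiming our own domain without a DMARC pass recorded by our own gateway. The domain, the executive list, the gateway name and both sample messages are constructed for the example.

```python
"""Triage a raw email for the display-name / look-alike-domain spoof
described above. Added example, standard library only; all names,
domains and headers below are constructed for illustration."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_DOMAIN = "example-law.com"            # assumption: the firm's real mail domain
PROTECTED_NAMES = {"jane doe"}            # assumption: executives worth impersonating
TRUSTED_AUTHSERV = "mx.example-law.com"   # assumption: authserv-id our own gateway writes


def auth_results(msg, trusted_authserv=TRUSTED_AUTHSERV) -> dict:
    """Collect method=result pairs (RFC 8601) from Authentication-Results headers
    written by our own gateway. Headers naming any other authserv-id are ignored,
    because a sender can inject those before the message reaches us."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess(raw: bytes) -> dict:
    """Return the From address, the gateway's auth verdicts and a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    ar = auth_results(msg)
    findings = []
    # 1. Executive's display name, but the address is not ours (look-alike domain).
    if name.strip().lower() in PROTECTED_NAMES and domain != OUR_DOMAIN:
        findings.append(f"display name '{name}' with external address {addr}")
    # 2. Claims to be our domain, yet our gateway did not record dmarc=pass.
    if domain == OUR_DOMAIN and ar.get("dmarc") != "pass":
        findings.append("claims our domain but DMARC did not pass")
    # 3. Replies silently routed somewhere else.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} goes to a different domain")
    return {"from": addr, "auth": ar, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: a lure using a look-alike domain and a free-mail Reply-To.
LURE = b"""From: Jane Doe <jane.doe@example-law-mail.com>
Reply-To: Jane Doe <ceo.urgent@freemail.example>
To: accounts@example-law.com
Subject: Urgent wire
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=example-law-mail.com; dkim=none; dmarc=none
Content-Type: text/plain

Please download the file here and process today.
"""

# Constructed sample: genuine internal mail that our gateway authenticated.
LEGIT = b"""From: Jane Doe <jane.doe@example-law.com>
To: accounts@example-law.com
Subject: Quarterly review
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=example-law.com; dkim=pass header.d=example-law.com; dmarc=pass header.from=example-law.com
Content-Type: text/plain

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, assess(raw))
```

Note that the lure passes SPF: the attacker controls example-law-mail.com and can publish whatever SPF record they like, which is why the check keys on the display name and on DMARC for our own domain rather than on SPF alone.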
So a perfect example of an attack that happened ... this made the national news: four million dollars in insider trading profits were gained when two servers at two large law firms that were focused on M&A activity were hacked and then monitored. I think the big thing to notice is that they were monitored for an extended period of time. This was not a hack where someone jumped in, extracted some data, and then moved on. These hacks were open. They were exploited for a period of time, and with that information, there's about four million dollars of insider trading that profited from this specific attack.
Our hope is that in 2017 security is no longer an afterthought. Our hope is that security is a conversation that we're having in businesses, that we're having at any time, and that it's at the forefront. That we have a plan, that businesses are thinking about what happens, because it's not gonna be what if, it's gonna be when. And that's really something we want to highlight here, looking at 2017: we want businesses to start thinking about how to create a cybersecurity plan for when the attack happens.
Looking at our slide here: DevOps and security will change the way they work together as they realize they need to integrate with each other in order to survive. With IoT on the rise, security will continue to be the primary obstacle preventing consumers from fully welcoming connected devices into their homes and lifestyles. Consumers and businesses are getting smarter, and security vendors will be held more accountable for keeping them safe.
The example that I like to highlight here is Nest. Nest is a thermostat that can be connected to your home and that you can work with over wifi, etc. The goal is that those devices are secured. One of the examples that we spoke about earlier, the DDoS attack ... I don't know, late last year, there was an attack that happened, made the national news, and it was from IoT devices that were not secured, did not have the latest firmware on them, and were able to participate in the attack and became a bot, therefore flooding the destination.
We here at Abacus believe in trying to mitigate those efforts upfront. One of the technologies that we choose to use is two-factor authentication. Our two-factor authentication is not a token, is not a text notification. It's a push notification using a mobile application: the second factor is pushed to the mobile device upon entering or logging into the requested system.
It is extremely important that we understand the difference between a push notification and a text notification. We have seen other two-factor authentication systems where the text can be hacked and/or compromised, which is why we choose to use Duo's two-factor authentication, because it is a push notification to a specified device that must have the application installed and previously authenticated. If anybody would like information, we can give the link straight to Duo, but this is something that we live and breathe, day in and day out.
We push this technology. We try to encourage our customers to adopt the technology so that we can mitigate any type of brute force attack where someone's trying to guess passwords or things of that nature, and that's not just for logging into the AbacusNext private cloud or Abacus Data Systems private cloud, but also when logging into URLs or your email system if it's Office 365, or Gmail, or whatever the case might be.
Securing your local area networks with next generation firewalls, NGF is what we like to call them. The next generation firewalls provide a comprehensive suite of services that are baked into the firewall itself. So first I'd like to highlight the IPS, the intrusion prevention system. That's a system that's watching the perimeter of the firewall and ensuring that traffic that's coming across it is intended and deliberate. Beyond that, having a device or a firewall that has the ability to handle VPN connections, whether it's over IPsec, SSL, HTML5, etc. Also, when having two or more offices, connecting those offices over a site-to-site VPN, ensuring that traffic is encrypted and protected at all times as data moves between the offices.
Having a self-service user portal is always a nice-to-have; not all the NGF firewalls have it. We like the self-service portal because it does allow our users to have more self service and not rely as much on IT for spam filtering, etc. They can go in and manage those themselves.
The two-factor again comes in here. We have two-factor on all of our NGF devices, and what we do with that is that when logging in, those two-factor codes change every 30 to 60 seconds, so it's a new generation of code each time.
Protecting a web server. As I highlighted in my example, the two servers that were compromised at these M&A law firms were web servers. So protecting a web server with a web application firewall is a newer technology that's been out probably over the last five years ... five to seven, I would say.
And really taking that to heart, right? Truly understanding that if a web server is sitting out there on the internet, we need to protect it; we need to have some type of mechanism in front of it protecting the traffic that's coming to it. Server hardening ... what we think about when we talk about server hardening is ensuring that the server, whether it's Linux, Apache, Microsoft server technology, whatever it might be, has had all updates and security patches applied so the server has the latest and greatest protection built in from the operating system.
Antivirus and scanning of uploads, I think that's pretty self explanatory. When you're transacting data over a web server, having the ability to scan that data before it lands on the server is gonna be imperative, right? So that we can ensure that any files that are sitting on the web server are clean and don't contain any type of virus and/or ransomware, etc.
Email protection. Going back years, we've heard about spam; we've heard about how to protect ourselves from getting all these messages that we never subscribed to. But really, when we talk about email protection, it's not about spam filtering. This is truly about protecting the email server as well as the contents being delivered across it. So antispam is absolutely a part of that, but antivirus to stop the spam and phishing attacks I think is a little bit bigger. I think it's a broader point to make: yes, we want to protect against the spam and the things that we haven't subscribed to, but more importantly, ensure that there are not viruses coming across our email server and being delivered to the end user. And if there are, having a self-service quarantine where somebody can go in and inspect the file to ensure that those files are not infected and then proceed with downloading or not.
Standards-based TLS encryption, OpenPGP ... I'm sorry, PGP, are standards out there, and those are really for sending. So, I'll give Office 365 as an example. When you send a message through Office 365, the first thing it will try is to send that message over a TLS-encrypted link. If the receiving server or the recipient server does not have TLS enabled, it will fall back and send the message using the typical SMTP protocol. With that said, the first try is always using TLS, which is protecting the data in itself. Obviously, Outlook add-ins to force encryption, things of that nature ... when sending sensitive information across, we always encourage customers or anybody that we're working with to send that data through an encryption system. Office 365 has one; there are some other vendors that we work with that have those as well.
And then the last piece there, right, live antivirus protection. Having a live scanner on the email server, as well as potentially in front of it using a next generation firewall, will always ensure the health of those email servers ... will assist in ensuring the health; I don't want to give a default answer there.
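The "try TLS first, fall back to plain SMTP" behaviour described for Office 365 is opportunistic STARTTLS, and its weak spot is that the decision is driven by an unauthenticated EHLO reply: anyone on the path who strips the STARTTLS keyword downgrades the session to cleartext without either side noticing. The block below is an added example, not code from the webinar or from Microsoft. It parses the EHLO capability list the way a sending MTA does, shows the opportunistic and the enforced decision side by side on two constructed replies, and includes a real `smtplib` send path that refuses to deliver without verified TLS; the hostnames in the replies are constructed and no network connection is made by the examples themselves.

```python
"""Opportunistic vs. enforced STARTTLS for outbound mail.
Added example, standard library only; EHLO replies below are constructed."""
import re
import smtplib
import ssl


def parse_ehlo(response: str) -> set:
    """Return the EHLO keywords advertised in a multi-line 250 reply (RFC 5321).
    The first line carries the server's greeting; continuation lines are
    '250-KEYWORD' and the final line is '250 KEYWORD'."""
    caps = set()
    lines = response.splitlines()
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def tls_decision(ehlo_response: str, enforce: bool) -> str:
    """Decide how to deliver given what the receiving server advertised.
    Returns 'tls', 'plaintext' or 'refuse'.

    enforce=False is opportunistic TLS (the Office 365 behaviour in the talk):
    an on-path attacker who removes the STARTTLS line silently downgrades us.
    enforce=True refuses to send rather than leak the message in the clear."""
    if "STARTTLS" in parse_ehlo(ehlo_response):
        return "tls"
    return "refuse" if enforce else "plaintext"


def send_enforced(host: str, port: int, mail_from: str, rcpt: str,
                  message: str, timeout: float = 10.0) -> None:
    """Real delivery with mandatory STARTTLS and certificate + hostname
    verification. Not exercised by the samples below (needs a live server)."""
    ctx = ssl.create_default_context()       # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing to downgrade")
        s.starttls(context=ctx)
        s.ehlo()                              # re-read capabilities after the upgrade
        s.sendmail(mail_from, [rcpt], message)


# Constructed EHLO replies: the receiving server as it really answers, and the
# same server as seen through a middlebox that strips the STARTTLS keyword.
EHLO_WITH_TLS = ("250-mx.example.net Hello\r\n"
                 "250-SIZE 36700160\r\n"
                 "250-STARTTLS\r\n"
                 "250 8BITMIME\r\n")
EHLO_STRIPPED = ("250-mx.example.net Hello\r\n"
                 "250-SIZE 36700160\r\n"
                 "250 8BITMIME\r\n")

if __name__ == "__main__":
    for label, reply in (("honest", EHLO_WITH_TLS), ("stripped", EHLO_STRIPPED)):
        print(label, "opportunistic:", tls_decision(reply, enforce=False),
              "enforced:", tls_decision(reply, enforce=True))
```

The opportunistic column is what the speaker describes as "the first try is always TLS"; the enforced column is what an add-in or gateway policy has to do for mail that genuinely must not travel in the clear, and the price of enforcement is that delivery to a server without TLS fails rather than degrades.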
So a few tips to keep you safe. I think the top one is the most important, right? Think before you act. Prior to opening an attachment in an email, providing someone over the phone a password, or browsing to that site, take a moment and think. Do I know who I'm talking to? Do I know who this came from? Have I transacted with this individual before? Take a moment.
We see it all the time, especially in email, where a recipient will receive a message that appears to be from somebody within their organization, and it gives them a link that says, "go download this file here." The recipient doesn't even think about it, clicks the link, goes and gets the file, and at that point what they fail to realize is that they've now executed a ransomware attack. So every file, starting at the local operating system and working its way through, will start to be encrypted. This is when we talk about the ransomwares and CryptoLockers and things of that nature. If we don't catch that immediately and disconnect and get that stopped, the fear is, and what can happen is, the entire operating system and then down into the network shares can be encrypted, and we lose access to that data. So the goal is to take a moment and think, right? Take a moment and question. Who am I working with? Is this something that I've received before? And where is this gonna take me?
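"Catch that immediately and disconnect" needs something that notices encryption in progress on a share. The block below is an added example, not code from the webinar or from any antivirus vendor, of the cheapest indicators a scheduled job can check without signatures: a planted canary file whose hash has changed, files with a plain-text extension whose contents have become near-random (Shannon entropy close to 8 bits per byte), files carrying a renamed-by-ransomware extension, and ransom-note filenames. The extension list, note markers, canary name and the demo directory it builds are all illustrative assumptions; a real deployment would wire the `alert` flag to isolating the host.

```python
"""Indicator scan for ransomware activity on a directory tree.
Added example, standard library only; extensions, note names and the demo
files are illustrative, not a vendor's list."""
import hashlib
import math
import os
import tempfile
from collections import Counter

TEXT_EXTS = {".txt", ".csv", ".log", ".json", ".xml", ".html"}   # should be low-entropy
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt", ".ecc"}     # illustrative only
NOTE_MARKERS = ("decrypt", "how_to_restore", "readme_for_decrypt") # illustrative only
CANARY_NAME = "~$canary.txt"   # sorts early on a share, so it is hit first


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; English text is ~4.5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canary(root: str, name: str = CANARY_NAME) -> str:
    """Write a decoy no user should touch; return its hash for later comparison."""
    path = os.path.join(root, name)
    with open(path, "wb") as f:
        f.write(b"canary " * 64)
    return sha256_file(path)


def scan(root: str, canary_hash: str = None, canary_name: str = CANARY_NAME,
         entropy_threshold: float = 7.5) -> dict:
    """Walk `root` and collect indicators; 'alert' is True if any fired."""
    findings = {"canary_modified": False, "high_entropy": [],
                "suspicious_ext": [], "notes": []}
    if canary_hash is not None:
        canary = os.path.join(root, canary_name)
        if not os.path.exists(canary) or sha256_file(canary) != canary_hash:
            findings["canary_modified"] = True
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in SUSPICIOUS_EXTS:
                findings["suspicious_ext"].append(rel)
            if any(marker in lower for marker in NOTE_MARKERS):
                findings["notes"].append(rel)
            if ext in TEXT_EXTS:
                with open(path, "rb") as f:
                    head = f.read(4096)
                # Need enough bytes for the estimate to be meaningful.
                if len(head) >= 1024 and shannon_entropy(head) > entropy_threshold:
                    findings["high_entropy"].append(rel)
    findings["alert"] = findings["canary_modified"] or any(
        findings[k] for k in ("high_entropy", "suspicious_ext", "notes"))
    return findings


def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    out = b"".join(hashlib.sha256(b"k%d" % i).digest() for i in range(n // 32 + 1))
    return out[:n]


def make_demo_dir() -> tuple:
    """Constructed clean share: one text document plus the canary."""
    root = tempfile.mkdtemp(prefix="share-")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("quarterly numbers look fine\n" * 100)
    return root, plant_canary(root)


def simulate_encryption(root: str) -> None:
    """Constructed attack: overwrite documents, rename one, drop a note, hit the canary."""
    blob = pseudo_ciphertext(4096)
    for name in ("notes.txt", "invoice.docx.locked", CANARY_NAME):
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    with open(os.path.join(root, "HOW_TO_RESTORE_FILES.txt"), "w") as f:
        f.write("pay us\n")


if __name__ == "__main__":
    root, canary_hash = make_demo_dir()
    print("before:", scan(root, canary_hash)["alert"])
    simulate_encryption(root)
    print("after: ", scan(root, canary_hash))
```

The entropy test is deliberately restricted to extensions that should hold text: Office documents and PDFs are compressed and look random even when healthy, so scoring them would only generate noise.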
Number two, businesses need to create a plan for attacks. I spoke about this in the very beginning. What we need to do, what we need to be thinking about is when, not if. When the attack is gonna happen. What are we gonna do? Do we have an SOP, a standard operating procedure for something like this happening? Yes, everyone thinks that no, it's not gonna happen to me. I would never lead with that premise. What I would lead with is, yes, it's gonna happen, and what am I gonna do when it happens? In what ways am I being proactive to protect the data that's either living on my local workstation and/or living on the servers that pertain to my business?
Number three, confirm that your computer and browsers are up to date with the latest updates and virus protection. I think that's pretty self explanatory, right? Running Windows updates, keeping our antivirus clients up to date, ensuring that we're using antivirus clients that are receiving constant updates. That risk profile changes every day. There are new viruses, new versions of viruses, that are exposed and have been delivered to the internet as a whole today, so ensuring that our antivirus clients are always up to date and that our operating systems are following a patch management cycle.
Number four: a good place to go check, if you're a Google subscriber or an Office 365 subscriber, to see if there have been any attempts to hack your email. I've provided a couple of links in here just to make sure ... if you wanted to check, I think it's a great place to start, to understand if there have been any attempts against your email accounts.
And then number five, use a password manager. LastPass ... excuse me, KeePassX, to help remember, update, and secure passwords. There are a lot of them out there, and what we really encourage our users, our customers, our employees, whatever might have you, we encourage them to maintain those because those passwords can be contained in a web browser. They can be accessed on a mobile device, whatever it might be. It's definitely a technology that we push, and it takes us out of the game of trying to remember those as well as create those passwords. Some of these password managers have the ability to create the password for you and use a long one ... capitals, a couple of numbers, etc.
Again, I can't speak about this enough: let's put cybersecurity on the agenda before it becomes the agenda. I think I spoke about this in my previous slide, and I'm gonna speak about it one more time. It's not when ... it's not if, it's when. Major cyberattacks may feel like the stuff of popular culture. They're not. Although many never hit the headlines, such attacks are increasing in prevalence and scale all the time.
What does that mean to somebody like myself? It means that we always need to be thinking about ways to protect the environments that we're working in, protect the environments we're working with, always ensuring that we have a plan, as I mentioned before, an SOP, a standard operating procedure, so that if an attack is recognized, how are we gonna respond to that? What are we gonna do about it? How are we gonna ensure that we stop the attack? How are we gonna ensure that we protect against a future attack? And how do we inform our customers that there has been an attack, and what needs to happen afterwards?
Perfect. Well, I thank you all for spending a few minutes with me today to kind of review cybersecurity in 2017. I hope this has been an opportunity to learn, and we'll open it up for questions and answers at this time.
Q & A
I have APC. How can I go about getting Duo?
Duo, you can sign up on their site. If you're looking to secure just your local workstation, they have a client that you can install on that workstation, and you can install the client and then it will add that push notification. But really, I would refer you to the Duo link and/or someone here at Abacus Next that can help you out with that.
Where would my data physically be located with Abacus?
That's a great question. So your data is your data. Where is it physically located? We have five facilities throughout the U.S. ... I'm sorry, four facilities throughout the U.S. and one facility in London. Depending on where the instance lives or the dedicated private cloud lives, that determines the facility that you would be in. So again, we have facilities in California, we have facilities in Las Vegas, we have facilities in Phoenix. We also have facilities in Texas, and then pushing out into London. So it depends on where the deployment is, and we base that on being geographically dispersed. So if you are in Nevada and your business is in Nevada, typically we would provision that dedicated environment in our Las Vegas facility. But again, it's really based on wherever the business is geographically, and then we try to land those as close as possible.
Okay, and the last question is from Erin. She says, "What antivirus software do you use? Would I be able to use my own antivirus software in addition?"
Great question. So on the dedicated private clouds, we use Sophos antivirus, and we deploy that ... not even as a courtesy; we deploy that as a standard. We do not allow other antiviruses to be installed, for one simple reason: they don't play well together. One antivirus might see the other one as an attack and therefore will block it, and vice versa. So we use Sophos. They have a leading product. We also use another product from them called Intercept X, which has the ability to catch a ransomware or CryptoLocker virus prior to execution, so as soon as it senses that, it will lock that file down. So again, we use Sophos, and we've been extremely happy and very successful with that product.