Malware. Hackers. Ransomware. We are obsessed with making sure you not only know about the threats that are lurking in the shadows, but how to protect yourself and your firm from being the next victims. So we’ve enlisted our cybersecurity expert Tomas (TJ) Schoessow to give you the information you need in today’s Free Training Friday, hosted with the ABA.
If you would like personalized webinar session for you or your firm, please contact our Professional Services department at (800) 726-3339 or click here.
Good morning and good afternoon, everybody. My name's Thomas Schoessow, Vice President of Technology Infrastructure here at AbacusNext.
Here’s the agenda for today: First, we're going to talk about the types of threats that we're seeing in 2017. We're going to talk about recent examples that have come out. We're also going to talk about mitigation efforts for local networks, web servers, and email servers. And then we're going to talk about some tips to keep you safe.
2017 Cybersecurity: What You Need to Know
Let’s jump in: In 2017, ransomware and extortion will increase. We've all been aware of ransomware since 2013, when we saw CryptoDefense, CryptoWall, and CryptoLocker come out. The effects of these have been tremendous. There has been situations when a customer has been attacked, and not only is the local machine encrypted, but also the networking resources are encrypted as well. The delivery of the virus or the infection is usually via email. More times than not, we have seen this infection come through a link to a public Dropbox, box.com, whatever it might be. The end user executes, thinking that the infection has come from someone they know (or from someone that they do not know). They click on the link because it says to, they do so, and then the virus or the malware infection will start to attack. The only way around this is to pay the ransom.
Ransomware is one of the most widespread and damaging threats that the Internet faces today. Since the infamous CryptoLocker first appeared, as I stated, in 2013, we've seen new eras of this life-encrypting ransomware variants delivered through spam messaging, called Exploit Kits, extorting money from users and businesses alike.
IoT (Internet of Things) hacks will also increase. As technology advances, there are more devices connected to the Internet today than ever anticipated. We've exhausted IPv4 (Internet Protocol version 4) and have have now moved on to IPv6.
What does that mean? That means we have more devices connected to the internet, and those devices include the smart devices we have at home, the Nest, our watches, our phones, etc. I can go down the list. Again, there are more and more devices that are connected to the Internet today that are bleeding out data. I do not want to say that it's spewing. I want to say that it's bleeding out data. That data that those (often-overlooked) devices are putting out thousands and thousands of terabytes of data.
A good example of an attack with an IoT device is a DynDNS that we experienced last year. Botnets were installed on unsecured devices. If it is the home Nest device or if it's a camera (or whatever the device might be), these bots were installed. And when the attack happened, the bots are what attacked the DynDNS servers.
What does that mean to the Internet as a whole? DynDNS is a very large public DNS company. They host DNS servers for multiple businesses in multiple domains. When that attack happened, we saw companies go down, or their presence on the Internet go down. That's what that attack happened. That's a clear example of a DoS attack, and we'll get into the details of how those work in a couple other slides.
Again, we are seeing that IoT hacks are increasing. We are seeing that more devices have access to the Internet. They are a “computer” in some ways, and can have virus and infections. This is why I remind everyone to keep the devices up to date with manufacturer!
Another piece we need to talk about are internal threats. The increase of social media targeting bypasses many network defenses, unlike email scans and URL filters. The most dangerous aspect is how attackers manipulate victims, offer or threats that they would not want to present to an employer, like employment offers or illicit content.
I have a clear example: I had this happen to me last night. I was driving home and I went to check my voicemail. There was a message from, “the IRS”, that I was in legal trouble, and that I needed to call this phone number. I immediately went to search the phone number to understand what it was, and it was a social engineering attack. Here I am driving home, I have a voicemail that's telling me that I'm in legal trouble with the IRS, I do a search on the Internet and I find out that it's an IRS scam. It's a perfect example of a threat coming from an external source.
In past experience, when working as a consultant, I was working with a broker/dealer here in San Diego, and we had a social engineering attack. We had an email address that was created by an attacker. It had a single letter that was different from the originator's email (for example, firstname.lastname@example.org vs. email@example.com). The request came through just as the customer would have requested the money: same verbiage, same amount. Unfortunately, the money was transferred to an account that was not the customer's. The broker/dealer transferred out about $900,000.00 to the hacker’s accounts, who transferred it to another accounts until it was lost. We worked closely with the FBI and were able to uncover how this happened, but we were not able to stop the attack or get the money back, really. It's unfortunate, but these are the things that happen.
DoS Will Crash the Internet
We also need to take the denial-of-service (DoS) attacks seriously. They will crash the Internet again. There’s not a question about it.
In other words, it's a flood of the attacks through an open door. If you have a door and you're trying to stick 100 people through it, obviously, it's going to happen single file. That's what the attack looks like. Again, reference the Dyn Attack that happened last year in October, it was a denial-of-service attack using IoT devices that took down, on two different occasions, on the same day, up to four hours of outages.
Again, the business that were using those services from Dyn, their presence on the Internet was down. In today's world, how do we find information? Our first thought is to search online. Our first thought is to go try to find somebody's website, whatever the case might be. Those businesses no longer had a presence during those times.
This attack just came out. The US Law Firm has been hacked by the Chinese nationals for $4 million in insider trading profits. We understand how this happened now. Two web servers for each of the firms were hacked. The attackers watched mergers and acquisitions, information going across, were able to understand where mergers and acquisitions were going to take place, and has been trading insider information. The news is saying they profited $4 million in insider trading. I can't stress enough, when we're looking at the Internet, when we're talking about things, it is a dirty world out there. It's a scary world. There are people on the Internet, there are attackers on the Internet at all times, trying to be malicious and steal information. This is a good example, especially in the case that we're speaking on here, of it happening to large firms, but small firms are just as at risk. There's just as much information in a small firm as there is in a large firm that can be compromised and used against.
Business security spending will increase. This is our hope moving forward. In 2017, security conversations will continue to intensify about securing the data in network, and physical security. Think about the building, the people, and the assets. Really, what we're talking about here is not just the security of it all, but actually investing in that security, not just the cameras or the network security, or the badge system when people enter the building, or whatever the case might be. We're talking about businesses investing in the security and not letting security be an afterthought, but truly being on the forefront of what you're thinking about in your day-to-day when running that business.
That leads right into my next slide, security will no longer be an afterthought. In 2017, it will be a critical year for security, starting with how it's built into technology. DevOps and security will change the way they work together as they need to integrate with each other in order to survive. What's the takeaway from that? I think I said it previous. We need to have security always on the forefront. We need to be thinking about ways to secure the environments that we're in. We can talk about physical security. We can talk about network security. We can talk about firewalls. We can talk about two factor. We can talk about web servers. There's lots of it out there, but really, what we need to be thinking about is, we need to invest in the securing of the IT environments.
I think it's important that if we talk about cybersecurity, we talk about threats, we talk about hacks, and we have some examples of is how do we mitigate those efforts. Here at Abacus, we have adopted for our Abacus private cloud a technology called Duo, which is a two-factor authentication. There are many two-factor authentication options out there. We chose Duo simply for the fact that it is not a text message and/or a token when it came to the issuing of the two-factor authentication. It is a push notification using a secure application provided by Duo to our devices when logging into our cloud. We use that for ourselves as well as offer it as a service for our customers.
For those that don't know what two factor authentication is, it is when you're credentialing in with a username and password, you get another factor of authentication. As I stated before, there's multiple options out there. We chose Duo as our two-factor authentication because it uses a push notification. It is not a text message, which means it cannot be intercepted. Most online system including QuickBooks, Dropbox, and most practice management systems today are offering the two-factor authentication. If you have a chance, please review Duo's site. It is on the screen, duo.com. They integrate with so much. If it's an remote desktop session, if it's logging into a website, there are so many different ways that you can incorporate Duo into your day-to-day lives.
Securing a local area network with NGFs, is what we like to call this, the next generation firewalls. We've had firewalls for years. What is the NGF? When we think about the next generation firewall, we think about a few things. One, IPS (intrusion detection system) and IDS (intrusion detection systems). Those are going to be the intrusion prevention systems and intrusion detection system baked into the firewall. Not a separate appliance, not a separate service, but something that is baked into the firewall in its initial offering. Obviously, having secure VPN (virtual private network) access, SSL (secure sockets layer) and/or user-initiated, which ever works for that business, but the ability to have secure VPN access is eminent. We are all out in this workforce, traveling, doing what we will. We need the ability to connect back to our local network, but we need to ensure that it's secured.
Site-to-site VPN, especially when multiple offices are involved, is obviously a better way to go about it than just having user-initiated VPNs. Site-to-site VPNs are hardware-to-hardware, firewall-to-firewall. Those allow for all traffic passing between the two offices and/or between the two sites if that's a data center in an office, whatever it might be, allows for all of that traffic to be encrypted so that it cannot be sniffed, it cannot be checked from the wide open Internet.
Obviously, a self-service portal for looking at quarantine items, VPN configurations, etc., is a part of those next generation firewalls. That just allows for the user to, exactly what I said, act with some self-servicing. Advanced threat protection, the ability for the firewall to identify an anomaly in traffic and/or a threat in the traffic is key. It is key. If a firewall can find the threat and mitigate that threat, that threat never makes it to the end point, meaning the desktop, the laptop, the phone, etc. Because they are out there now, we always encourage our customers, or when working with anybody, to make sure that they're investing in next generation firewalls.
We touched on two-factor authentication with Duo. The next generation firewalls also have two-factor authentication. That's really going to be for when issuing an SSL VPN into an environment using an SSL client, whatever a case might be. Those are going to be similar to what we used to see, I don't know, maybe eight or nine years ago with the RSA keys and tokens that change every 30 seconds. Those keys are changing every 30 seconds.
Securing web servers. The reason I put this up as its own piece, is because with the US Law Firm that were hacked here back, I believe, late last year, we want to talk about WAF, web application firewalls, protecting those web servers the way they need to be protected. We have clear examples happen late last year, of two web servers in 2014 and 2015 being compromised. That data was used to generate $4 million worth of profit for individuals who compromised those.
Web application firewalls, protect the web servers and the applications alike. Server Hardening with deep link protection from hardening, that's really looking at the core OS that's running for those web servers. We're going to have a core operating system and then we're going to have our web services on top of that. We need to harden the core operating system to ensure that it's patched, to ensure that any exploits that have been identified have been mitigated via the manufacturer, etc.
Anti-virus and scanning on file uploads, obviously, that is key. We would anticipate that most users would have anti-virus at the desktop or at their endpoint, whichever that is, if that's a desktop, a laptop, whatever the case might be. Also, yes. If you have a web server that is accepting data from a customer or from a client, having the ability to scan that file before it is solidified and said, "Yes, it's available," is key. That way, you're ensuring that that CryptoLocker virus is not coming into your environment via a unknown source. Sometimes the client doesn't even know they're infected so they move the file. They don't understand what's happened there. Going back to the main point, web application firewalls, they are available.
You must have email protection, I can't stress it enough. Spam filters, anti-virus filters at the edge, all of those are key elements to protecting your email. Self-service quarantines, we spoke about those in those next generation firewalls. A part of the NGF set that Abacus utilizes is a spam and quarantine already baked into the solution. Our next generation firewalls that we have subscribed to have the spam and anti-virus filtering already baked into them, and we get quarantine lists everyday to let us know who has tried to submit in or email in an infected file and/or methods containing infection. Yes, there are false positive, but I will tell you, the stricter is better. Everybody wants just the white list and move forward and say, "Hey, I know who these people are," or, "I know who this distribution list is from," etc. I would encourage you to always be mindful of where those messages are coming from, looking at the header or looking at the email addresses in detail to ensure that it is the email address that you expect, prior to executing anything within a message.
Outlook add-ins are great. If the anti-virus company that you use today has an Outlook plug-in so that you can mark something as spam or a message can be checked for a virus prior to opening, that is key. We have seen a lot of great things happen with Outlook plug-ins.
A few tips to keep you safe:
- I think the glaring one for me is, think before you act. Pause. Take a moment. Look at the attachment. Understand who it's from. Is it something that you knew was coming and you were expecting? Is the sender someone that you knew you traded emails with before, etc.? Really, taking a moment, pausing and thinking before we act. If we're going a Google search, if we get into the seventh, eighth, ninth, tenth page, should we be clicking on all those links and continuing on or should we refine our search to try and be more specific to the use gate that we're trying to use? I can't stress it enough. We talk about it internally. We talk about it with our customers. Think before you act. Take a moment. Pause. 30 seconds isn't going to kill us.
- Second tip, businesses need to start creating a plan for an attack. What happens if you are attacked? What are you going to do? What is your mitigation plan? How are you going to understand what's happened, what was compromised, what's been removed from the environment, and now secure? How are you going to go through that? Having a mitigation plan or a plan of attack is key.
- I think this goes without saying, number three, but I'm going to say it anyway. Confirm that your computers and browsers are always up to date with the latest from the operating system manufacturer. I don't think we can say anything more than that. If you're a Windows shop, Windows updates. If you're a Mac OS shop, yes we used to all hear that Macs would not be infected with viruses, that is not true. They can be infected, so keeping those devices up to date is key.
- From an email perspective, if you're using Office 365 or if you are using Gmail, I included a link in here to check if your accounts have been compromised. The beauty of Office 365 and Gmail alike is that they have these features baked into the solutions, so that you can actually login and check the last time that someone tried to access your account, where that account was tried to access from. Gmail actually does a great job of sending a notification if accessed from a different IP address than something that it has known in the past. If you're using Gmail and/or Office 365 as an email solution, I would encourage you to take a peek. See when the last time your accounts were accessed or somebody tried to use your password or attempt to test your password and/or tried to login as you.
- Finally, when it comes to passwords, using a password management tool is key. LastPass is what we utilize here internally. Key Pass is another one that's available. These are online services that are free to an end user. To an end user, these services are free. They can be accessed from anywhere, from a web browser, a mobile device for a paid account, etc. It's a secure place to store your passwords so that you don't have to remember them. More importantly, it allows for you to create encrypted passwords, so that we're no longer seeing password123 or capital P-@-s-s-w-0-r-d for passwords. Those are known. If you are using them, people know about them,
Put cyber security on the agenda before it becomes the agenda. Make it your agenda for 2017 before it becomes your agenda for 2017. Many people feel like it will not happen to them. Many people feel like, "We're too small. We have security already in mind." I would encourage everybody to have an agenda before it becomes your agenda. The impact of not recognizing and preempting cyber risk can be long term. They can be business shattering. They can be business closing. Ensuring that you have a plan, you have an agenda, on how to react if an attack occurs, and how to ensure that your mitigation plan is in place and protecting those assets within the environment.
Want more Free Training Friday? Register for upcoming webinars here!