Cyber Security for Municipalities

by Jonathon Coulter on 1 June 2017


Transcript of Cyber Security for Municipalities

Cyber Security
Anatomy of an Attack
Ransomware is in Wyoming
Wyoming Case Studies
Recently a CFO said to me, “That won’t happen in Wyoming, we are small potatoes.”
Industries at Risk
Why is Government a Major Target?
Background
Why is Cyber Security So Important?
Are you sure?
Are you sure your employees all know not to click on something that could introduce malware into your network?
Are you sure all your terminated employees can’t get into your network?
Are you sure that all of your workstations and servers have the latest patches for software on them?
Are you sure you do not have legacy software anywhere in your organization?
Are you sure your customers’ sensitive information is being encrypted?
Are you sure an employee isn’t walking around with a thumb drive with his/her password to your network on it?
Case Studies
Panicked calls or "made the news" in the last year
Ransomware
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.
https://www.trendmicro.com/vinfo/us/security/definition/Ransomware

Spear Phishing
Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business.
https://usa.kaspersky.com/internet-security-center/definitions/spear-phishing#.WNNS-W_yvbg
Exploit Kit
Exploit kits or exploit packs refer to a type of hacking toolkit that cybercriminals use to take advantage of vulnerabilities in systems/devices so they can distribute malware or do other malicious activities. They normally target popular software such as Adobe Flash®, Java™, Microsoft Silverlight®.
https://www.trendmicro.com/vinfo/us/security/definition/exploit-kit

Taking advantage of known vulnerabilities in:
MS Word (Macros)
JavaScript
Adobe Flash Player
MS Internet Explorer
MS Windows
Any Macros!
Biggest Exploit Kits You Probably Use
Make sure they have the latest patches!
Cyber security consequences impact national defense, businesses, public markets, retailers, consumers, and individuals.
Organized cyber crime has escalated in recent years and is replacing terrorism as the largest threat to America, according to the Department of Homeland Security.
Cybercriminals are:
Well organized and financed
Moving from high volume to high yield
Collaborating and sharing information
Adopting better methods for increasing profits and targeting business (Example: Ransomware, Spear Phishing)
Organizations are more at risk than ever due to:
Our increasing reliance on computing power and interconnected networks
Rapidly growing data volumes
More complex IT infrastructures
Data integration between systems
3rd Party vendor relationships
Data Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Last Year
This Year
In the Last Year
Increased adoption of electronic records

Historically underfunded cyber defense programs

Lots of outside vendors/software programs
Sensitive Data in Agencies:
Mortgage documents
Deeds
Births
Deaths
Ugly divorces
Medical records
Social Security numbers

Personally Identifiable Information (PII)
Are you a worthy steward of this information?
A jumble of departments and regulations
Three Types of Ransomware
Can we avoid this in the future?
SOLUTION:
Layers of security

Defense-in-Depth
Layers of Security
The best practice in cyber security is to use the defense-in-depth model, meaning that our data protection should be like an onion. This allows all sources of threats to be covered. (Some of the security solutions can cover more than one threat source and can work in more than one layer of the model.)
How to Protect Yourself
Email Protection Tools
The impostor email threat (also called business email compromise, or BEC) has affected a wide swath of businesses around the world and doesn’t show any signs of slowing.

The FBI estimates that this growing problem has already hit more than 22,000 victims and caused more than $3.1 billion in losses around the globe.
- Business E-Mail Compromise: The 3.1 Billion Dollar Scam, June 14, 2016
Gartner Magic Quadrant for Secure Email Gateways
As of June 2015
AFFORDABLE - Just a few dollars per workstation per month.
Use Business Class Anti-Virus
Use a comprehensive endpoint security product and keep the definition file up to date to continuously monitor and protect workstations, servers, and mobile devices.
Gartner Magic Quadrant for Endpoint Protection Platforms
As of January 2017

(Sophos, Kaspersky, & Symantec have anti-ransomware products)
Note, even if you choose a product with anti-ransomware options, it is NOT a substitute for point-in-time backups.
Affordable!
Usually just a few dollars per workstation per month.
Point in Time Backups
Be able to RECOVER: Have regular, point-in-time backups for disaster recovery and continuity
Evaluate your risk and determine if offsite backups are needed
Is there a need for full redundancy for your business?
TEST your backups routinely to make sure you can recover
Email
Backups
Anti-virus
Internet
Use Business Class Firewall and Wireless
SECURE Internet and Wireless Internet:
Business Class Firewall
Business Class Wireless Systems – Guest and Private separated
Policies for BYOD (Bring your own device)
Secure networks don’t have to be expensive.

Figure out what you need, first, and then research products.
Don’t have a server and only a few workstations? You probably just need business class wireless.
Have a couple of servers and some networking gear? When you upgrade consider getting a next generation firewall.
What is Next Generation?
(Wikipedia definition)
A Next-Generation Firewall (NGFW) is an integrated network platform that is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS). Other techniques might also be employed, such as TLS/SSL encrypted traffic inspection, website filtering, bandwidth management, antivirus inspection and third-party identity management integration (i.e. LDAP, RADIUS, Active Directory).
Business Class Doesn't Have to be Expensive
Sophos $300 XG85
5506X ASA - $700
Meraki MR 33 $400
Sophos AP 55 $300
When purchasing be sure to ask about ongoing licensing costs.
Gartner Magic Quadrant for Enterprise Network Firewalls
As of May 2016
No one is going to be fired for purchasing a firewall within their network family of products, i.e., Cisco or Barracuda. Just be sure that when you upgrade, it is NextGen.
Use SECURE CONFIGURATIONS:
Compare network device (firewalls, routers, switches, wireless APs) configurations against standards; document and approve any deviations.
Limit ports, protocols and services.
Physical security of your network is important; put network jacks behind closed doors
Guard your business’s private wireless network by changing the password often
Add filters to your guest wireless network
Be AWARE: Have analytics and monitoring to recognize and respond to threats
If you install monitoring or scanning software, carve out the time to work the reports each month.
Online credit card processing companies are requiring scans of networks before they will allow you to do business with them.
Monitoring
Know what you HAVE: Maintain inventory of authorized users, devices, software
Often accounting inventory lists and IT inventory lists do not sync because of the fast moving environment. Make time to reconcile on a quarterly basis.
Inventory
Use Encryption
If you have encryption layered on your data, sensitive emails, and mobile devices, criminals may get a user name or password, perhaps a social security number, but the full record is encrypted. ($1 of data vs. $50)
Password protect Excel worksheets and Word documents with sensitive data
Buy encrypted thumb drives for your employees and use an inventory system to check them out
Encrypt your laptops
Secure email with encryption (email protection tools)
Encryption
Only collect what you need, and keep it only as long as it is required and/or has a legitimate business need
Perform scans on your network looking for sensitive number formats, such as SSN, residing in shared departmental drives
Review user access routinely
KNOW your data: Know what data you have, where it is, who has access
Maintain Hardware and Software
Use BUSINESS CLASS hardware/software:
Home OS and non-business class/home edition hardware are prone to incompatibilities and risk
Maintain PATCHES:
Apply proactive upgrades/patching of hardware and software
Upgrade before END-OF-LIFE
MS Server 2003 reached ‘end of life’ July 2015
Windows XP reached ‘end of life’ April 8, 2014.
McAfee email protection tools will be ‘end of life’ December 31, 2016
Microsoft Windows Vista reached ‘end of life’ on April 11, 2017.
Maintain
Training
Train Staff
Employees can be one of the biggest threats to security (accidentally and intentionally), map training to skills required for each job, implement, and test
Free Employee Training Toolkit from Sophos
https://www.sophos.com/en-us/security-news-trends/it-security-dos-and-donts/training-tools.aspx
Train employees to be suspicious!
Top Training Packages
At the recent Gro-Biz Conference in Casper, Tory Smith, FBI Cyber Crimes Agent, said, “I’ve been fooled too.”
KnowBe4
Cyber Aces
PhishMe
PhishThreat
Free Online Test
https://insights.parkbankonline.com/fraud/are-you-a-cyber-savvy-super-hero/?utm_source=content&utm_medium=BizTimes&utm_campaign=BizInsights
Policies
Have POLICIES and Procedures in Place
Password policies – complexity, renewals, and physical protection (no passwords under keyboards)
User access policies – how fast can an employee be locked out of your network in case of turnover?
Personal laptops are an unknown. Do not allow them on your network.
Computer time out policy
Encryption policies
Plan & Review
Plan for a Breach
Have a PLAN: Know how to respond to incidents, have trained team in place
Business continuity ~ Disaster recovery ~ Ransomware Attacks
Continuously Review
Security is an on-going process. Proactively identify and repair vulnerabilities to mitigate to an acceptable risk level.
Periodically validate through neutral 3rd party via penetration testing and red team exercises
Work the scanning and monitoring reports on a monthly basis
Create a process for reviewing employee access on a routine basis
Walk through the office looking for passwords under keyboards and sensitive data left on desks
Make sure software updates ran (did not fail)
Are you sure the hackers actually care about your address?

Because they only care that they can get in.
What We Have Seen in Wyoming
Password1 for every workstation
Sharing of passwords & user IDs
Everyone in the company has administrative access
Mobile Devices without Passwords
Passwords under the keyboard
Prevalent Password and User Access Security Problems in Wyoming Organizations
Lack of Encryption or Data Protection
Password Needed
Not Secure
$24.99 on Amazon
Sensitive info on shared drives
Physical Security Problems
Network jacks in public waiting rooms that are active.
Screens pointed in a direction that the public can see them.
Sign in lists where you can see who signed in before you.
Good security practices are a selling point to your customers.
I choose companies I know have good security practices and if I suspect they don’t, then I will not give out my personal information.
Reactive security practices are a huge liability.
Questions?
Laura Baker
Director of Sales Operations & Outreach Programs
www.medbowtech.com
1-866-455-1978
You do a lot.
You serve a large variety of people.
You are subject to multiple regulations.
You have natural silos.
And you share a technology infrastructure often designed for the lowest common denominator of security rather than the highest.
Silos Like...
County judges and their staff members refusing to sign and abide by acceptable use policies.
County sheriffs refusing to cooperate with an IT security audit, claiming their security policies and processes are “secret.”
Social services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.
When multiple parties are responsible for security, no one is responsible.
Silos create gaps in security!
http://www.cio.com/article/3184618/government-use-of-it/county-and-municipal-cybersecurity-part-1.html
Small, low budget agencies can build excellent security programs
Perseverance
Top down guidance with consistency of purpose
Training
Expecting a breach and preparing for it
Culture and Attitude
How many of your agencies have an interdisciplinary team that manages information with executive support to break down the natural silos?
Manage Information: know what you are protecting and why

1. Establish a long term, inter-disciplinary information governance committee.
2. Discover and map your information universe.
3. Establish your information security framework and security policy.
4. Develop and implement a cyber security plan based on #1-3.
5. Continuously monitor and improve your plan - information changes, change with it.
- Jeffrey Morgan, CIO Magazine
Culture
Campbell County Health
An example of planning for a breach, being prepared, immediate action, and executing the plan effectively.

- Andy Fitzgerald, CEO
- Karen Clarke, Community Relations Director
Encryption
Lock Screen
Master Boot Record
Hackers and the Dark Web
Is this your typical hacker?
the Dark Web
Ransomware as a Service
The reality of it all...
WannaCry in its various forms
What was WannaCry...
An encryption-based ransomware that used an unusual but very effective method of infecting systems and then propagating itself.
Let's look at some of the information we know
Utilized a big vulnerability in Microsoft operating systems, which was uncovered by the NSA and leaked with 3000 other secrets
Was a buggy ransomware that employed 2 types of encryption
Asked for a relatively low ransom (100, then 300, then 600 based on a time delay)
Over 300,000 infections in the first 72 hours
Patch
What is a patch or an update?
Backup
Prior to an attack, 4 out of 5 organizations are confident backup can provide them with complete recovery

Less than half of ransomware victims fully recover their data, even with backup

Only 5 percent ever consider paying the ransom an option
https://blog.barkly.com/ransomware-statistics-2016#0
Secure