This talk by John Bambenek, "What Small Businesses and Entrepreneurs Need to Know About Cybercrime" was given at IESBGA 2014 on May 30th, 2014 at Illinois State University.
IESBGA 2014 Cybercrime Seminar by John Bambenek
1. What Entrepreneurs & Small
Businesses Need to Know about
Cybercrime
IESBGA 2014
John Bambenek - Bambenek Consulting
2. About Me
●15 Years experience in cybercrime, in IT generally
since I was a toddler
○ The first toy I remember was a TI-99 computer; I programmed
on it when I was 6. I had an unusual childhood.
●Part-time Faculty in Computer Science at the
University of Illinois and own my own firm
●Lecture and teach internationally on
cybersecurity, forensics and threat intelligence.
●This conference’s theme is “Big Dreams for Small
Business…”
3. Spoilers
●Employ Risk Management and Be Skeptical
●Keep Software Up-to-Date
●Have Backups and a Plan When Things go Wrong
●Limit Access to Resources and Information
●Use Strong and Unique Passwords
4. About You
●Small businesses (and those who counsel small
businesses) aren’t flush with cash.
●Many don’t have high-tech operations, most don’t
have in-house IT staff.
●Most don’t know where to start with security and
many operate a component of their business
online.
5. Why this matters...
●Small businesses have real risks.
●You’ve heard about Target or any number of other
major companies that had major breaches…
●Have you heard about Fazio Mechanical Services?
●Small business is less able to weather the liability
of a major breach.
●Good news, the expectations are lower (but not
non-existent) on smaller companies.
6. Why bother?
●For most small businesses, security will only cost
money, it won’t make money.
○ Not as true as you think it is, many companies now require
their vendors to have a standard of security.
●Some industries have more stringent regulatory
requirements.
●You may not be a prime beef target…
○ But you probably have a payroll account worth draining...
●Cryptolocker example.
7. Don’t think you are affected by regulation?
From Illinois Law:
"Personal information" means an individual's first name or first
initial and last name in combination with any one or more of the
following data elements, when either the name or the data
elements are not encrypted or redacted:
(1) Social Security number.
(2) Driver's license number or State identification
(3) Account number or credit or debit card number, or an
account number or credit card number in combination with any
required security code, access code, or password that would
permit access to an individual's financial account.
8. Who pays when fraud happens?
●Generally, consumers aren’t liable for fraud on their
credit or debit cards.
●If funds are taken directly from a bank account,
within reason most banks will protect the
consumer from losses.
●Electronic commerce requires consumers to
“trust” it, so banks and businesses have incentive
to protect them from fraud losses.
9. Who pays when a business is defrauded?
●If a business, large or small, has its bank account
emptied or credit cards defrauded, the business pays.
○“You have means to protect yourself”
●If consumers are defrauded because of an incident
in your environment, you pay.
○Credit cards cost $40-$50 to reissue.
●If your payroll account is emptied, your bank may
help… by giving you a line of credit to make
payroll.
●Can your business afford to eat that kind of loss?
10. It gets worse...
●If you lose consumer records, the FTC (or other)
penalties can be substantial.
●HIPAA fines can easily get into millions.
●Usually need to pay for credit monitoring for all
victims.
●Intangible costs of bad publicity (though this is
going down)
●But there are things that can be done, which is
why you’re here today
11. Item #1 - Risk Management & Skepticism
●Employ risk management.
●Be skeptical of what you see (e-mail / web).
●What secrets & confidential info do you have?
●What information could someone use for fraud if
stolen?
●What information could a competitor use if stolen?
●You’re not paranoid if they really all are out to get
you.
12. A Brief Note on Who Our Attackers Are
●Generally cybercriminals can be broken down into
these groups:
○Nation States
○Organized Crime
○Disorganized Crime
○Hacktivists
○Disgruntled Insiders
○Your Competitors
●Which group it is determines how, why and when
they attack and at what skill level.
14. How Much to Spend on Security?
●If you wanted, you could spend unlimited amounts
of money on security… and you’d still get
breached.
○Just ask the NSA.
●Security vendors will happily charge you lots of
money to protect you against unknown threats that
aren’t reasonable for you to worry about.
○Example: Nation states
●However, lots of ground can be covered by basic
(and generally free) steps that follow.
15. What is “reasonable” security?
●If laws or regulations require you to do it, it’s
reasonable.
○The more laws and regulations, the harder it is
for a small business to continue to exist.
●If contracts or other written agreements require
you to do it, it’s reasonable.
●Beyond that, reasonable is what your peer
companies do and what is reasonable based on
“what bad could happen” if certain data got lost.
○Can vary wildly.
16. Example: Nation States
●Nation states are constantly attacking either for
national security-related material or industrial
trade secrets.
●Actors are highly-trained, highly-funded and
operate with overt (or tacit) state sanction.
●If they want to get in, they will have a plan and all
the resources they need at their disposal to do so.
●Is it reasonable for a small business to fend off an
entire industrialized nation?
18. Example: Disorganized Crime
●People send spam constantly that claims all sorts of
dubious and outrageous things. Usually uses the same
content or infrastructure.
○Heard the one about the Nigerian general...
●Anti-spam solutions exist to prevent those
messages from getting to you in the first place,
some are even free.
●Commodity attacks are easily handled by
commodity off-the-shelf tools.
●Is a $50 anti-virus package reasonable?
19. Be Skeptical
●Most computer attacks rely on end-users doing
something that puts them at risk. Usually this
works by abusing their trust.
●E-mail, social media, text messages, webpages,
and robocalls can be easily spoofed.
●Avoid blindly trusting what your technology is
telling you.
●If something seems odd, verify it out-of-band (i.e.
not using the same medium the message arrived
on).
21. Be Skeptical
●Don’t give passwords on request to those who ask.
●Avoid clicking on links for sensitive transactions
(i.e. type the full URL instead).
●Be careful of typos when typing URLs (Whitehouse
example).
●The more something seems to require immediate
action, the more you should verify its authenticity.
●No legitimate person will object to you attempting
to verify they are who they say they are.
22. Takeaways
●Have some understanding of the threats you face.
●Make reasonable decisions about protecting yourself
without going broke.
●Take advantage of free things you can do.
●Be skeptical of what your technology tells you and
verify when needed.
●Limit (or eliminate) the sensitive information you
give someone on request.
23. Item #2 - Stay Up-to-date
●Almost all modern major software has means to
update itself for bugs and security vulnerabilities.
●Microsoft, for instance, releases updates on second
Tuesday of every month (and occasionally at other
times)
●Adobe Reader, Flash, Java all have their own
updates.
●Anti-virus and security tools also need to be
updated frequently to protect against the latest
threats.
25. Microsoft Updates - Key Points
●Update automatically.
●Include other Microsoft products in updates (i.e.
Office)
●This doesn’t include other non-Microsoft products.
Some may have pop-up reminders but make sure
you know what the real one looks like.
●This is the one, single best thing you can do to
prevent breaches. Don’t put it off.
26. Old Versions
●Anyone still using Windows XP?
●After a product is out there long enough, software
publishers will no longer support it with updates.
●Find a way to fit version updates into routine
technology refreshes. Systems won’t tell you they
are too old.
●What about applications that don’t tell you they
need an update?
○Smartphones, for instance.
27. Security Software
●Are you using a comprehensive security software
solution on every machine? (Many banks and ISPs
will give you this for free)
●They do more than block malware and are
generally updated automatically.
○If this stops, you have a problem.
●Limitation: will only protect against already-known
threats.
●If you have it make sure it’s updating. If you don’t
have it see if someone will give it to you for free.
28. One final point...
●Sometimes good computer hygiene can prevent
headlines like this:
“Russia Takes Cyber-Swipe at Illini”
News-Gazette, 3/17/2014
●Due to vulnerable and misconfigured servers,
someone was able to reflect an attack on Russian
infrastructure off of University servers.
●It’s all fun and games until someone causes an
international incident with your network...
29. Takeaways
●Have updates applied automatically where possible
(and make sure it stays that way).
●When pop-ups ask for updates, make sure you
apply them that day…
○But know what the real pop-up looks like.
●Be aware when old versions of software are no
longer supported and replace them.
●Make sure security software is updated on a nightly
basis.
30. Item #3 - Regular Backups
●Remember cryptolocker?
●Sometimes computer failures happen, would you
be able to recover your data?
○Forensic work is my high hourly billing item.
●What happens if your computer or server fails?
●What is critical for your business to run? What
things are nice to have but you could live without?
●Some viruses will destroy a system or be
impossible to remove without a full reinstall.
31. Backups
●What is critical data?
○Your financial records?
○Your customer records?
○Your employee records?
○Your email address book?
●Any piece of data that if you lost forever would
cause irreparable and significant harm.
●Just enumerating this is a useful business exercise.
32. Backups
●A commercial solution is best (i.e. tapes) but there
are free software packages out there and you can
always just backup to external hard drives.
○Most important thing is to keep multiple backups
and some of those off-site from the company.
●You could backup to cloud storage (Google Drive /
OneDrive) but be sure to encrypt sensitive
information.
○What if the cloud provider goes out of business?
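The two rules on this slide, keep several generations and keep them somewhere other than the live machine, are easy to state and easy to get wrong. This added example (not from the talk, and not any vendor's product) is a small Python backup routine that writes timestamped archives, records a SHA-256 for each so a damaged copy is noticed before you need it, prunes to a fixed number of generations, and proves a copy restores. The `demo()` function builds a constructed sample folder in a temporary directory; the destination folder would in practice be an external drive or a synced cloud folder, and anything sensitive would be encrypted before it goes to a provider.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_backups(dest: Path) -> list:
    # Timestamped names sort oldest to newest.
    return sorted(dest.glob("*.tar.gz"))


def make_backup(source: Path, dest: Path, keep: int = 3) -> Path:
    """Archive `source` into dest/<name>-<timestamp>.tar.gz, store its SHA-256
    in a sidecar file, then keep only the `keep` newest generations."""
    if keep < 1:
        raise ValueError("keep at least one generation")
    dest.mkdir(parents=True, exist_ok=True)
    while True:  # choose a name that does not already exist
        stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
        archive = dest / f"{source.name}-{stamp}.tar.gz"
        if not archive.exists():
            break
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    Path(str(archive) + ".sha256").write_text(sha256_of(archive))
    for old in list_backups(dest)[:-keep]:  # prune older generations
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the stored hash still matches and the archive is readable."""
    side = Path(str(archive) + ".sha256")
    if not side.exists() or side.read_text().strip() != sha256_of(archive):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
        return True
    except tarfile.TarError:
        return False


def restore_to_memory(archive: Path) -> dict:
    """Read every regular file out of the archive (a restore drill without
    touching the disk); returns {member name: text}."""
    out = {}
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = tar.extractfile(m).read().decode()
    return out


def demo(keep: int = 2, rounds: int = 3) -> dict:
    """Constructed walk-through: back up a sample folder several times,
    damage the oldest surviving copy, and report what the checks say."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "books"
        src.mkdir()
        (src / "ledger.csv").write_text("date,amount\n2014-05-30,100.00\n")
        (src / "customers.txt").write_text("constructed sample data\n")
        dest = Path(tmp) / "backups"  # stands in for an external drive
        latest = None
        for _ in range(rounds):
            latest = make_backup(src, dest, keep)
        archives = list_backups(dest)
        damaged = archives[0]
        with open(damaged, "ab") as fh:  # simulate a corrupted older copy
            fh.write(b"\x00")
        return {
            "generations": len(archives),
            "latest_ok": verify_backup(latest),
            "damaged_ok": verify_backup(damaged),
            "restored": restore_to_memory(latest),
        }


if __name__ == "__main__":
    print(demo())
```

Run `verify_backup` on a schedule, not only when something has already gone wrong: a backup that has silently been failing for months is the situation the slide's "would you be able to recover your data?" is asking about.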
33. Disaster Recovery
●It is very easy to spend lots of money on this to
protect against a wide variety of situations that
aren’t relevant to you.
●Obvious situation is what to do if your systems fail
and that failure can be malicious.
●If you have a server hosted by a third-party
provider, what do you do if they fail?
○Hosting provider example.
●Best way to deal with an infected machine is to
wipe and reinstall.
34. Takeaways
●Failures happen, the difference between
recovering and going out of business is planning
and preparing.
●All critical information for a business should be
identified and backed up with at least one backup
being off-site (i.e. safe in home).
●Have a plan for system failures.
35. Item #4 - Limit Access
●Sometimes basic attacks succeed, people make
mistakes, someone’s kid uses the employee’s
laptop to play games…
●That mistake shouldn’t give immediate and full
access to everything.
●Sometimes disgruntled employees retaliate.
●Sometimes people just make a mistake and didn’t
intend to erase an entire disk.
●Limit the foothold an attacker can get.
36. Limiting File Access
●People tend to always want more access than they
need. General practice should be to grant access
based on need-to-know.
●Avoid giving people administrator access on their
computers.
●If you have a server, does everybody need access
to everything? (Answer: no)
●Cryptolocker example again.
37. Limiting Stored Data
●First rule: create no evidence...
●Avoid storing passwords in your web browser.
●Avoid creating files with sensitive information.
●Absolutely limit what you put online that could be
useful to attackers.
●Be careful with what you e-mail (it goes across the
Internet in the clear).
○A simple press release from White House
exposed the CIA’s Station Chief in Afghanistan
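"Avoid creating files with sensitive information" presumes you know which files already contain it. This added example (not from the talk) is a small Python scanner for the two data elements that appear most often in business files, Social Security numbers and payment card numbers; it uses the Luhn check digit to drop order and phone numbers that merely look like cards, and it reports only masked values so the report itself is not a new sensitive file. The `SAMPLE_EXPORT` text is constructed for the demonstration.

```python
import re

# SSN shape, excluding area/group/serial ranges that are never issued;
# card numbers are 13 to 19 digits, optionally separated by spaces or dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Card numbers carry a Luhn check digit; requiring it removes most
    false hits such as order or invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any output."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    """Return (kind, line_number, masked_value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append(("ssn", lineno, mask(re.sub(r"\D", "", m.group()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(("card", lineno, mask(digits)))
    return findings


def scan_file(path) -> list:
    """Scan one text file (spreadsheet exports, e-mail saved as text, etc.)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: one real-looking SSN, one Luhn-valid test card number
# (4111 1111 1111 1111 is the standard test number, not a live card), and an
# order reference that has the right length but fails the Luhn check.
SAMPLE_EXPORT = """Invoice 2014-0530
Customer: J. Doe, tax id 123-45-6789
Paid with card 4111 1111 1111 1111 exp 12/15
Order ref 1234 5678 9012 3456
Phone 800-555-0199
"""

if __name__ == "__main__":
    for kind, lineno, value in scan_text(SAMPLE_EXPORT):
        print(f"line {lineno}: {kind} {value}")
```

Pointing `scan_file` at shared folders and mailbox exports gives a first inventory of where the statute's data elements actually live, which is the input the earlier "what secrets and confidential info do you have?" question needs.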
40. Limiting Access to Systems
●Do your employees have laptops they bring home?
Do you?
○Avoid familial use
○Practice good physical security
●Recreational use of systems can lead to infections
(i.e. malvertising).
●All machines should require logging in with a
password to use and should lock after 15 minutes
of inactivity.
●Control who has access to the building.
41. Limiting Access to your Network
●Do you have a “guest” wireless network? Make it
separate from internal business network.
●Wireless networks can be monitored from miles
away, make sure yours is using WPA2 and
passphrases at a minimum.
●Avoid having machines with direct internet access.
Have them behind a firewall or router (most cable
ISPs provide devices to do this already).
42. Sensitive Systems
●Consider having separate computers for use ONLY for
sensitive business transactions like payroll or high-
dollar transfers.
●Recreational use of a computer can lead to
infections. If that system processes payroll too, now
the bad guys have your payroll...
●Those systems need to be updated and secured too.
Access should be limited to those who need access to
execute those functions.
●If relevant, consider throwaway computers for
guests.
43. Takeaways
●Limit access of employees to only what they need to
know.
●Limit access to information from outside entities.
●Avoid familial use of computers.
●Have separate computers for sensitive business
functions.
44. Item #5 - Use Strong Passwords
●Usually, your password is the key to your digital
identity. If that is captured, now that person is you.
●Simple passwords are cracked easily. Even 8
character passwords of random characters can be
cracked without too much effort.
●Secure passwords should be at least 12 characters
and include uppercase, lowercase, numbers and
special characters.
●Avoid password reuse between sites.
45. The 25 Worst Passwords of 2013
according to PCWorld
123456, password, 12345678, qwerty, abc123, 123456789, 111111, 1234567,
iloveyou, adobe123, 123123, admin, 1234567890, letmein, photoshop, 1234,
monkey, shadow, sunshine, 12345, password1, princess, azerty, trustno1,
000000
46. Weak Passwords
●There are plenty of other weak passwords beyond
those on the last slide.
●Anything that is a dictionary word (or similar to one)
●Anything that is all numbers
●Anything that can be easily derived from you
●Anything that can be easily derived from the business
●Anything that’s less than 12 characters
●Anything not changed within 90 days
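The rules on this slide and the previous two can be turned into a check you run before accepting a password. This added example (not from the talk) is a Python function that reports which of the slide's weaknesses a candidate has: on the 2013 worst-25 list, shorter than 12 characters, all numbers, missing a character-class mix, a dictionary word even after the usual "p@ssw0rd" substitutions, derived from a term you supply (owner or business name), or older than 90 days. The `COMMON_WORDS` set is a constructed stand-in for a real word list.

```python
import re

# The 25 passwords from the slide above (SplashData's 2013 list as reported by PCWorld).
WORST_25_OF_2013 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789", "111111",
    "1234567", "iloveyou", "adobe123", "123123", "admin", "1234567890", "letmein",
    "photoshop", "1234", "monkey", "shadow", "sunshine", "12345", "password1",
    "princess", "azerty", "trustno1", "000000",
}

# Constructed stand-in for a dictionary; a production check loads a full word list.
COMMON_WORDS = {"password", "monkey", "sunshine", "princess", "welcome", "dragon",
                "football", "baseball", "master", "summer", "payroll"}

# Undo the usual letter-for-symbol swaps so "p@ssw0rd" is still seen as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def password_weaknesses(pw: str, personal_terms=(), days_since_change=None) -> list:
    """Return the slide's weakness rules that `pw` violates; empty list means
    it passes. `personal_terms` are names, business names, etc. an attacker
    could learn; `days_since_change` is the password's age in days if known."""
    issues = []
    if pw.lower() in WORST_25_OF_2013:
        issues.append("on the 2013 worst-25 list")
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if pw.isdigit():
        issues.append("all numbers")
    classes = [re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")]
    if not all(classes):
        issues.append("missing upper/lower/digit/special mix")
    letters = re.sub(r"[^a-z]", "", normalize(pw))
    if letters in COMMON_WORDS or any(w in letters for w in COMMON_WORDS if len(w) >= 5):
        issues.append("dictionary word or close to one")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in pw.lower() or t in normalize(pw)):
            issues.append(f"derived from known term '{term}'")
            break
    if days_since_change is not None and days_since_change > 90:
        issues.append("not changed within 90 days")
    return issues


if __name__ == "__main__":
    for candidate in ("monkey", "P@ssw0rd2014", "Msbi12/Dec,4"):
        print(candidate, "->", password_weaknesses(candidate) or "passes the slide's rules")
```

"Msbi12/Dec,4", the Microsoft-style passphrase acronym quoted on a later slide, passes every rule here, while "P@ssw0rd2014" meets the length and character-class rules and still fails, which is the point of checking for dictionary words after undoing substitutions rather than counting symbol types alone.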
47. Password Re-Use
●One of the biggest causes of people having their
accounts accessed is password re-use.
●Let’s say you comment on a blog, you register with
your e-mail address and the password you use for
everything.
●If a blog gets hacked, no one cares. But now they
have your e-mail and a password, they try the
password and are now in your e-mail.
●Your e-mail has everything you’ve signed up for,
online banking, social media, perhaps work e-mail...
48. Password Reset Features
●Almost everything has a password reset feature to
recover lost passwords automatically.
●The questions can usually be easy to guess if you
know the person.
○Sarah Palin example.
●Make sure password resets send some notification,
hopefully out-of-band (i.e. text message).
●Consider putting fake information in for password
recovery questions.
49. How to Make a Strong Password
Passwords should be long (more than 12 characters) and contain
upper & lower case, numbers and special characters.
Microsoft’s Advice:
Create an acronym from an easy-to-remember piece of information.
For example, pick a phrase that is meaningful to you, such as My
son's birthday is 12 December, 2004. Using that phrase as your guide,
you might use Msbi12/Dec,4 for your password.
Substitute numbers, symbols, and misspellings for letters or words in
an easy-to-remember phrase. For example, My son's birthday is 12
December, 2004 could become Mi$un's Brthd8iz 12124 (it's OK to use
spaces in your password).
Relate your password to a favorite hobby or sport. For example, I love
to play badminton could become ILuv2PlayB@dm1nt()n.
50. Use Unique Passwords
●If you don’t use the same password everywhere, one
compromised account doesn’t compromise your
entire digital identity.
●If the ideal of a unique password for everything is
unmanageable, at least have 3:
○One for sensitive business use (i.e. payroll)
○One for general business use
○One as a throwaway (i.e. blogs, fantasy sports…)
●How to make strong, unique passwords:
○Msbi12/Dec,4### (where ### is some unique site
identifier)
51. Never Share Your Password
●Avoid situations where you share your password with
anyone, even coworkers.
●Try to have unique logins for each individual (can
later be used to track if needed).
●How did Edward Snowden steal so much information?
○He asked coworkers for their passwords and used
their access.
●Avoid shared accounts and escrow sensitive
passwords in a safe.
52. Two-Factor Authentication
●Where possible, sensitive applications should use
two-factor authentication.
○Something you have (i.e. cell phone) and
something you know (i.e. password)
●Most banks offer this for commercial accounts.
●Many other services (like Gmail, Twitter and
Facebook) will send text messages before letting you
fully log in.
●This notifies you that your password is stolen while
still limiting what an attacker can access.
53. Takeaways
●Have unique strong passwords for each application or
site you use.
●Avoid password re-use and weak passwords.
●Everyone should have their own login.
●Use two-factor authentication for all sensitive
business applications where possible.
54. Last Point
●Basic computer maintenance goes a long way towards
security.
●If someone isn’t assigned in your office to maintain
computers, having general tech support handy can
help security.
●Having someone in office with basic computer
support skills can work, better to invest in people
than technology when it comes to security.
55. Remember these 5 things
●Employ Risk Management and Be Skeptical
●Keep Software Up-to-Date
●Have Backups and a Plan When Things go Wrong
●Limit Access to Resources and Information
●Use Strong and Unique Passwords
56. These slides available at:
http://tinyurl.com/jcbiesbga
Questions?
John Bambenek
jcb@bambenekconsulting.com
217.493.0760