This talk by John Bambenek, "What Small Businesses and Entrepreneurs Need to Know About Cybercrime" was given at IESBGA 2014 on May 30th, 2014 at Illinois State University.
IESBGA 2014 Cybercrime Seminar by John Bambenek
1. What Entrepreneurs & Small Businesses Need to Know about Cybercrime
IESBGA 2014
John Bambenek - Bambenek Consulting
2. About Me
• 15 years experience in cybercrime, in IT generally since I was a toddler
    • My first toy I remember was a TI-99 computer; I programmed on it when I was 6. I had an unusual childhood.
• Part-time Faculty in Computer Science at the University of Illinois and own my own firm
• Lecture and teach internationally on cybersecurity, forensics and threat intelligence.
• This conference's theme is "Big Dreams for Small Business…"
3. Spoilers
• Employ Risk Management and Be Skeptical
• Keep Software Up-to-Date
• Have Backups and a Plan When Things go Wrong
• Limit Access to Resources and Information
• Use Strong and Unique Passwords
4. About You
• Small businesses (and those who counsel small businesses) aren't flush with cash.
• Many don't have high-tech operations; most don't have in-house IT staff.
• Most don't know where to start with security, and many operate a component of their business online.
5. Why this matters...
• Small businesses have real risks.
• You've heard about Target or any number of other major companies that had major breaches…
• Have you heard about Fazio Mechanical Services?
• Small business is less able to weather the liability of a major breach.
• Good news: the expectations are lower (but not non-existent) on smaller companies.
6. Why bother?
• For most small businesses, security will only cost money; it won't make money.
    • Not as true as you think it is: many companies now require their vendors to meet a standard of security.
• Some industries have more stringent regulatory requirements.
• You may not be a prime beef target…
    • But you probably have a payroll account worth draining...
• Cryptolocker example.
7. Don't think you are affected by regulation?
From Illinois Law:
"Personal information" means an individual's first name or first
initial and last name in combination with any one or more of the
following data elements, when either the name or the data
elements are not encrypted or redacted:
(1) Social Security number.
(2) Driver's license number or State identification
(3) Account number or credit or debit card number, or an
account number or credit card number in combination with any
required security code, access code, or password that would
permit access to an individual's financial account.
8. Who pays when fraud happens?
• Generally, the consumer is not liable for fraud committed against them, whether on credit or debit cards.
• If funds are taken directly from a bank account, within reason most banks will protect the consumer from losses.
• Electronic commerce requires consumers to "trust" it, so banks and businesses have an incentive to protect them from fraud losses.
9. Who pays when a business is defrauded?
• If a business, large or small, has its bank account emptied or its credit cards defrauded, the business pays.
    • "You have means to protect yourself"
• If consumers are defrauded because of an incident in your environment, you pay.
    • Credit cards cost $40-$50 to reissue.
• If your payroll account is emptied, your bank may help… by giving you a line of credit to make payroll.
• Can your business afford to eat that kind of loss?
10. It gets worse...
• If you lose consumer records, the FTC (or other) penalties can be substantial.
    • HIPAA fines can easily get into the millions.
• Usually need to pay for credit monitoring for all victims.
• Intangible costs of bad publicity (though this is going down)
• But there are things that can be done, which is why you're here today
11. Item #1 - Risk Management & Skepticism
• Employ risk management.
• Be skeptical of what you see (e-mail / web).
• What secrets & confidential info do you have?
• What information could someone use for fraud if stolen?
• What information could a competitor use if stolen?
• You're not paranoid if they really all are out to get you.
12. A Brief Note on Who Our Attackers Are
• Generally cybercriminals can be broken down into these groups:
    • Nation States
    • Organized Crime
    • Disorganized Crime
    • Hacktivists
    • Disgruntled Insiders
    • Your Competitors
• Which group you are dealing with determines how, why and when they attack, and at what skill level.
14. How Much to Spend on Security?
• If you wanted, you could spend unlimited amounts of money on security… and you'd still get breached.
    • Just ask the NSA.
• Security vendors will happily charge you lots of money to protect you against unknown threats that aren't reasonable for you to worry about.
    • Example: Nation states
• However, lots of ground can be covered by the basic (and generally free) steps that follow.
15. What is "reasonable" security?
• If laws or regulations require you to do it, it's reasonable.
    • The more laws and regulations, the harder it is for a small business to continue to exist.
• If contracts or other written agreements require you to do it, it's reasonable.
• Beyond that, reasonable is what your peer companies do and what is reasonable based on "what bad could happen" if certain data got lost.
    • Can vary wildly.
16. Example: Nation States
• Nation states are constantly attacking, either for national security-related material or for industrial trade secrets.
• Actors are highly-trained, highly-funded and operate with overt (or tacit) state sanction.
• If they want to get in, they will have a plan and all the resources they need at their disposal to do so.
• Is it reasonable for a small business to fend off an entire industrialized nation?
18. Example: Disorganized Crime
• People send spam constantly that claims all sorts of dubious and outrageous things. It usually uses the same content or infrastructure.
    • Heard the one about the Nigerian general...
• Anti-spam solutions exist to prevent those messages from getting to you in the first place; some are even free.
• Commodity attacks are easily handled by commodity off-the-shelf tools.
• Is a $50 anti-virus package reasonable?
19. Be Skeptical
• Most computer attacks rely on end-users doing something that puts them at risk. Usually this works by abusing their trust.
• E-mail, social media, text messages, webpages, and robocalls can be easily spoofed.
• Avoid blindly trusting what your technology is telling you.
• If something seems odd, verify it out-of-band (i.e. not using the same medium you just got the message on).
21. Be Skeptical
• Don't give passwords on request to those who ask.
• Avoid clicking on links for sensitive transactions (i.e. type the full URL instead).
• Be careful of typos when typing URLs (Whitehouse example).
• The more something seems to require immediate action, the more you should verify its authenticity.
• No legitimate person will object to you attempting to verify they are who they say they are.
22. Takeaways
• Have some understanding of the threats you face.
• Make reasonable decisions about protecting yourself without going broke.
• Take advantage of free things you can do.
• Be skeptical of what your technology tells you and verify when needed.
• Limit (or eliminate) the sensitive information you give someone on request.
23. Item #2 - Stay Up-to-date
• Almost all modern major software has a means to update itself for bugs and security vulnerabilities.
• Microsoft, for instance, releases updates on the second Tuesday of every month (and occasionally at other times)
• Adobe Reader, Flash and Java all have their own updates.
• Anti-virus and security tools also need to be updated frequently to protect against the latest threats.
25. Microsoft Updates - Key Points
• Update automatically.
• Include other Microsoft products in updates (i.e. Office)
• This doesn't include other non-Microsoft products. Some may have pop-up reminders, but make sure you know what the real one looks like.
• This is the one, single best thing you can do to prevent breaches. Don't put it off.
26. Old Versions
• Anyone still using Windows XP?
• After a product is out there long enough, software publishers will no longer support it with updates.
• Find a way to fit version updates into routine technology refreshes. Systems won't tell you they are too old.
• What about applications that don't tell you they need an update?
    • Smartphones, for instance.
27. Security Software
• Are you using a comprehensive security software solution on every machine? (Many banks and ISPs will give you this for free)
• They do more than block malware and are generally updated automatically.
    • If this stops, you have a problem.
• Limitation: will only protect against already-known threats.
• If you have it, make sure it's updating. If you don't have it, see if someone will give it to you for free.
28. One final point...
• Sometimes good computer hygiene can prevent headlines like this:
    "Russia Takes Cyber-Swipe at Illini"
    News-Gazette, 3/17/2014
• Due to vulnerable and misconfigured servers, someone was able to reflect an attack on Russian infrastructure off of University servers.
• It's all fun and games until someone causes an international incident with your network...
29. Takeaways
• Have updates applied automatically where possible (and make sure it stays that way).
• When pop-ups ask for updates, make sure you apply them that day…
    • But know what the real pop-up looks like.
• Be aware when old versions of software are no longer supported and replace them.
• Make sure security software is updated on a nightly basis.
30. Item #3 - Regular Backups
• Remember Cryptolocker?
• Sometimes computer failures happen; would you be able to recover your data?
    • Forensic work is my high hourly-billing item.
• What happens if your computer or server fails?
• What is critical for your business to run? What things are nice to have but you could live without?
• Some viruses will destroy a system or be impossible to remove without a full reinstall.
31. Backups
• What is critical data?
    • Your financial records?
    • Your customer records?
    • Your employee records?
    • Your email address book?
• Any piece of data that, if you lost it forever, would cause irreparable and significant harm.
• Just enumerating this is a useful business exercise.
32. Backups
• A commercial solution is best (i.e. tapes), but there are free software packages out there and you can always just back up to external hard drives.
• The most important thing is to keep multiple backups, and some of those off-site from the company.
• You could back up to cloud storage (Google Drive / OneDrive), but be sure to encrypt sensitive information.
    • What if the cloud provider goes out of business?
33. Disaster Recovery
• It is very easy to spend lots of money on this to protect against a wide variety of situations that aren't relevant to you.
• The obvious situation is what to do if your systems fail, and that failure can be malicious.
• If you have a server hosted by a third-party provider, what do you do if they fail?
    • Hosting provider example.
• The best way to deal with an infected machine is to wipe and reinstall.
34. Takeaways
• Failures happen; the difference between recovering and going out of business is planning and preparing.
• All critical information for a business should be identified and backed up, with at least one backup being off-site (i.e. a safe at home).
• Have a plan for system failures.
35. Item #4 - Limit Access
• Sometimes basic attacks succeed, people make mistakes, someone's kid uses the employee's laptop to play games…
• That mistake shouldn't give immediate and full access to everything.
• Sometimes disgruntled employees retaliate.
• Sometimes people just make a mistake and didn't intend to erase an entire disk.
• Limit the foothold an attacker can get.
36. Limiting File Access
• People tend to always want more access than they need. General practice should be to grant access based on need-to-know.
• Avoid giving people administrator access on their computers.
• If you have a server, does everybody need access to everything? (Answer: no)
• Cryptolocker example again.
37. Limiting Stored Data
• First rule: create no evidence...
• Avoid storing passwords in your web browser.
• Avoid creating files with sensitive information.
• Absolutely limit what you put online that could be useful to attackers.
• Be careful with what you e-mail (it goes across the Internet in the clear).
    • A simple press release from the White House exposed the CIA's Station Chief in Afghanistan
40. Limiting Access to Systems
• Do your employees have laptops they bring home? Do you?
    • Avoid familial use
    • Practice good physical security
• Recreational use of systems can lead to infections (i.e. malvertising).
• All machines should require logging in with a password to use and should lock after 15 minutes of inactivity.
• Control who has access to the building.
41. Limiting Access to your Network
• Do you have a "guest" wireless network? Make it separate from the internal business network.
• Wireless networks can be monitored from miles away; make sure yours is using WPA2 and passphrases at a minimum.
• Avoid having machines with direct internet access. Have them behind a firewall or router (most cable ISPs provide devices to do this already).
42. Sensitive Systems
• Consider having separate computers used ONLY for sensitive business transactions like payroll or high-dollar transfers.
• Recreational use of a computer can lead to infections. If that system processes payroll too, now the bad guys have your payroll...
• Those systems need to be updated and secured too. Access should be limited to those who need it to execute those functions.
• If relevant, consider throwaway computers for guests.
43. Takeaways
• Limit access of employees to only what they need to know.
• Limit access to information from outside entities.
• Avoid familial use of computers.
• Have separate computers for sensitive business functions.
44. Item #5 - Use Strong Passwords
• Usually, your password is the key to your digital identity. If that is captured, now that person is you.
• Simple passwords are cracked easily. Even 8-character passwords of random characters can be cracked without too much effort.
• Secure passwords should be at least 12 characters and include uppercase, lowercase, numbers and special characters.
• Avoid password reuse between sites.
45. The 25 Worst Passwords of 2013 (according to PCWorld), in rank order:
123456, password, 12345678, qwerty, abc123, 123456789, 111111, 1234567, iloveyou, adobe123, 123123, admin, 1234567890, letmein, photoshop, 1234, monkey, shadow, sunshine, 12345, password1, princess, azerty, trustno1, 000000
46. Weak Passwords
• There are plenty of other weak passwords than what was on the last slide.
• Anything that is a dictionary word (or similar to one)
• Anything that is all numbers
• Anything that can be easily derived from you
• Anything that can be easily derived from the business
• Anything that's less than 12 characters
• Anything not changed within 90 days
47. Password Re-Use
• One of the biggest causes of people having their accounts accessed is password re-use.
• Let's say you comment on a blog; you register with your e-mail address and the password you use for everything.
• If a blog gets hacked, no one cares. But now they have your e-mail and a password; they try the password and are now in your e-mail.
• Your e-mail has everything you've signed up for: online banking, social media, perhaps work e-mail...
48. Password Reset Features
• Almost everything has a password reset feature to recover lost passwords automatically.
• The questions can usually be easy to guess if you know the person.
    • Sarah Palin example.
• Make sure password resets send some notification, hopefully out-of-band (i.e. text message).
• Consider putting fake information in for password recovery questions.
49. How to Make a Strong Password
Passwords should be long (more than 12 characters) and contain upper & lower case, numbers and special characters.
Microsoft's Advice:
Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as "My son's birthday is 12 December, 2004." Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, "My son's birthday is 12 December, 2004" could become Mi$un's Brthd8iz 12124 (it's OK to use spaces in your password).
Relate your password to a favorite hobby or sport. For example, "I love to play badminton" could become ILuv2PlayB@dm1nt()n.
50. Use Unique Passwords
• If you don't use the same password everywhere, one compromised account doesn't compromise your entire digital identity.
• If the ideal of a unique password for everything is unmanageable, at least have 3:
    • One for sensitive business use (i.e. payroll)
    • One for general business use
    • One as a throwaway (i.e. blogs, fantasy sports…)
• How to make strong, unique passwords:
    • Msbi12/Dec,4### (where ### is some unique site identifier)
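The weak-password rules from slides 44 and 46 (length, character classes, the 25-worst list, all-digit strings, dictionary-like words, anything derived from you or the business, and the 90-day age limit) can be checked mechanically. This is an added Python example, not code from the talk; the small word list, the leet-substitution table and the business name "Acme Widgets" are constructed for illustration, and the sample passwords come from slides 45 and 49.

```python
import re
import string

# The 25 passwords listed on slide 45, lowercase.
WORST_25 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

# Tiny constructed word list standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "dragon", "baseball", "football", "master", "letmein"}

# Common symbol-for-letter substitutions, undone before the dictionary check so
# that "p@ssw0rd" still counts as "similar to" a dictionary word.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                        "4": "a", "5": "s", "7": "t"})


def _normalize(text: str) -> str:
    """Lowercase and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _resembles_word(pw: str) -> bool:
    """True if the letters of pw (after undoing leet) are, or contain, a dictionary word."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(UNLEET))
    return letters in DICTIONARY or any(w in letters for w in DICTIONARY if len(w) >= 5)


def password_problems(pw: str, personal_terms=(), age_days: int = 0) -> list:
    """Return the slide's weak-password rules that pw violates (empty list = passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.lower() in WORST_25:
        problems.append("on the 25-worst list")
    if pw.isdigit():
        problems.append("all numbers")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("missing one of upper/lower/digit/special")
    if _resembles_word(pw):
        problems.append("dictionary word or close to one")
    for term in personal_terms:  # e.g. your name, the business name, a birthday
        if len(_normalize(term)) >= 4 and _normalize(term) in _normalize(pw):
            problems.append(f"derived from '{term}'")
    if age_days > 90:
        problems.append("not changed within 90 days")
    return problems
```

Run it against a proposed password plus the names and dates an attacker could learn about you; an empty result means none of the slide's rules were tripped, not that the password is unguessable.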
51. Never Share Your Password
• Avoid situations where you share your password with anyone, even coworkers.
• Try to have unique logins for each individual (can later be used to track if needed).
• How did Edward Snowden steal so much information?
    • He asked coworkers for their passwords and used their access.
• Avoid shared accounts and escrow sensitive passwords in a safe.
52. Two-Factor Authentication
• Where possible, sensitive applications should use two-factor authentication.
    • Something you have (i.e. cell phone) and something you know (i.e. password)
• Most banks offer this for commercial accounts.
• Many other services (like Gmail, Twitter and Facebook) will send text messages before letting you fully log in.
• This notifies you that your password is stolen while still limiting what an attacker can access.
53. Takeaways
• Have unique, strong passwords for each application or site you use.
• Avoid password re-use and weak passwords.
• Everyone should have their own login.
• Use two-factor authentication for all sensitive business applications where possible.
54. Last Point
• Basic computer maintenance goes a long way towards security.
• If no one in your office is assigned to maintain computers, having general tech support handy can help security.
• Having someone in the office with basic computer support skills can work; it is better to invest in people than in technology when it comes to security.
55. Remember these 5 things
• Employ Risk Management and Be Skeptical
• Keep Software Up-to-Date
• Have Backups and a Plan When Things go Wrong
• Limit Access to Resources and Information
• Use Strong and Unique Passwords
56. These slides available at:
http://tinyurl.com/jcbiesbga
Questions?
John Bambenek
jcb@bambenekconsulting.com
217.493.0760