PHISHING - SHARKS & MINNOWS - Cybersecurity - Health Care Compliance Association

2/1/2021

PHISHING – SHARKS & MINNOWS
Protecting yourself and your devices

Cybersecurity: Phishing | Passwords & Passphrases | Mobile Devices


Objectives
◦ Identify phishing emails and know what to do with them
◦ Apply good account password hygiene
◦ Proactively keep your phone and computers protected with simple, easy steps


    Introduction
    Brian Hole
    Deputy CISO and Cybersecurity manager at Legacy Health
    ◦ bhole@lhs.org, LinkedIn: linkedin.com/in/brian-hole-9b314213
    ◦ Brian Hole is a Deputy Chief Information Security Officer for Legacy Health with extensive experience in
      security and compliance. He loves the outdoors and is active in the community. He earned a Certified
      Information Systems Security Professional, CISSP, certification from ISC2. Brian is passionate about security.
      He is a very focused person and loves a challenge. Brian enjoys unraveling mysteries and problems to
      find solutions that help everyone involved. He encourages collaboration and teamwork. He has worked
      in retail and served on boards of directors. His outdoor passions include skiing and backpacking.


      Slide conventions – lower right corner
      This icon is for things that you can do personally.

      This icon is for things that you can look for at your company. Maybe to implement, maybe to audit.


Which is easier for hackers?
A. Hacking into your online accounts and then your computer?
B. Fishing and catching steelhead in the Willamette river?
C. Phishing and tricking you into giving them your username and password?
D. Stealing or hacking into your phone?


What is phishing?
◦ Phishing is an attempt to trick you into doing something you would not otherwise do. Taking that action ultimately compromises the security of your computer, phone, accounts or financial information.
  ◦ From a business perspective this also includes the personal and health information entrusted to us by our patients.


YES!

Name of Covered Entity                    | Covered Entity Type        | Individuals Affected
State of North Dakota                     | Healthcare Provider        |  35,416
Connecticut Department of Social Services | Health Plan                |  37,000
Georgia Department of Human Services      | Healthcare Clearing House  |  45,732
Centerstone of Tennessee, Inc.            | Healthcare Provider        |  50,965
Mercy Iowa City                           | Healthcare Provider        |  60,473
Ascend Clinical, LLC                      | Healthcare Provider        |  77,443
Presbyterian Healthcare Services          | Healthcare Provider        | 193,223
Missouri-based BJC Healthcare             | Healthcare Provider        | 287,876


It only takes one click in a phishing email to start a compromise.


How to tell if an email is phishing?
◦ Determining if an email is safe can sometimes be more art than science. However, most phishing emails share one or more of the following characteristics:
  ◦ Writing is not professional
  ◦ The “From” address doesn’t look right
  ◦ The email has no branding or bad branding
  ◦ The message contains promises or threats
  ◦ It contains attachments
  ◦ You are not expecting something
  ◦ The sender is familiar, but the message is unusual (tone)
◦ The more of these items an email has, the higher the chance it is phishing!


Examples (source: security.ucop.edu)


     And perhaps most importantly…

                          TRUST YOURSELF

     Cybercriminals are continually honing their skills, using
     current events and finding new ways to trick you.


     Current events - Covid-19
     ◦ In the near future officials say to expect and be prepared for more scams involving vaccines.
     ◦ Taxes are just around the corner.


     Actions
     ◦ Ask yourself, what will happen if I ignore and delete the message?
        ◦ “When in doubt, throw it out!”

     ◦ Does the email appear to be from someone you know?
        ◦ Send them a new email to ask if the message you received is legitimate. (Never reply to the actual suspicious email.)

     ◦ Get a second opinion.
        ◦ Consider double-checking with your manager or supervisor, co-worker or friend.

     ◦ Mark it as spam.
        ◦ Add it to your Junk list. All future messages from that sender will be filtered out.

◦ If you interacted with the message in any way (downloading images, opening attachments, etc.):
   ◦ On personal devices: reboot, run a virus scan and change your password.
   ◦ Contact your support desk right away. If your computer is acting strangely or sending emails without your permission, it is always a good idea to shut it down.


Actions/audit to reduce risks
◦ Multifactor authentication (MFA) for email and all internet-facing services
◦ Email system protection using SPF, DKIM and DMARC (publish the records for your own domains and enforce them on inbound mail)
◦ Email protection from spam and malicious email (email gateways)
◦ Don’t allow incoming attachments with macros
◦ [EXTERNAL] added to the subject line of mail that originates outside the organization
◦ Web links / URL rewriting (allows a link to be disabled once it is found to be malicious)
◦ Firewall protections for DNS and web filtering
◦ Phishing education
◦ Endpoint tools that limit execution of software (allow/deny lists, machine learning)
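The SPF/DKIM/DMARC and [EXTERNAL]-tagging items above are decisions an inbound gateway makes per message. The following is an added example written for this page, not code from Legacy Health or from any mail product, showing the DMARC alignment check on three constructed messages: one that was authenticated for a lookalike domain while its visible From: claims the hospital's own domain, one genuinely internal message, and one from an outside vendor. The domains (example-health.org, example-hea1th.org, vendor.example.com), the Authentication-Results header contents and the quarantine/tag/deliver policy are all assumptions for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed samples (not real captures). In the first one the mail was
# authenticated for a lookalike domain, but the visible From: claims the
# hospital's own domain, which is exactly what DMARC alignment catches.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example-health.org;
 spf=pass smtp.mailfrom=billing@example-hea1th.org;
 dkim=pass header.d=example-hea1th.org
From: "IS Help Desk" <helpdesk@example-health.org>
Subject: Your password expires today
"""

LEGIT_MESSAGE = """\
Authentication-Results: mx.example-health.org;
 spf=pass smtp.mailfrom=bounce@example-health.org;
 dkim=pass header.d=example-health.org
From: "IS Help Desk" <helpdesk@example-health.org>
Subject: Scheduled maintenance on Saturday
"""

EXTERNAL_MESSAGE = """\
Authentication-Results: mx.example-health.org;
 spf=pass smtp.mailfrom=no-reply@vendor.example.com;
 dkim=pass header.d=vendor.example.com
From: "Vendor Support" <support@vendor.example.com>
Subject: Invoice 4471
"""


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. A real gateway
    uses the Public Suffix List so that e.g. nhs.uk is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(raw: str) -> dict:
    """Pull the SPF/DKIM verdicts and authenticated domains out of the gateway's
    Authentication-Results header, plus the domain of the visible From: address."""
    msg = email.message_from_string(raw)
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", ar)
    _, from_addr = parseaddr(msg.get("From", ""))
    return {
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "spf_result": spf.group(1) if spf else "none",
        "spf_domain": spf.group(2).lower() if spf else "",
        "dkim_result": dkim.group(1) if dkim else "none",
        "dkim_domain": dkim.group(2).lower() if dkim else "",
    }


def dmarc_pass(auth: dict, relaxed: bool = True) -> bool:
    """DMARC passes when SPF or DKIM passed AND that identifier aligns with the
    From: domain. Relaxed alignment compares organizational domains; strict
    alignment demands an exact match."""
    def aligned(domain: str) -> bool:
        if not domain:
            return False
        if relaxed:
            return org_domain(domain) == org_domain(auth["from_domain"])
        return domain == auth["from_domain"]

    spf_ok = auth["spf_result"] == "pass" and aligned(auth["spf_domain"])
    dkim_ok = auth["dkim_result"] == "pass" and aligned(auth["dkim_domain"])
    return spf_ok or dkim_ok


def classify(raw: str, internal_domain: str) -> str:
    """Assumed gateway policy: quarantine mail that claims to be internal but
    fails DMARC, tag everything from outside as external, deliver the rest."""
    auth = parse_auth_results(raw)
    if auth["from_domain"] == internal_domain:
        return "deliver" if dmarc_pass(auth) else "quarantine"
    return "tag-external"


def display_subject(raw: str, internal_domain: str) -> str:
    """Subject line as the user will see it after the gateway has processed it."""
    subject = email.message_from_string(raw).get("Subject", "")
    if classify(raw, internal_domain) == "tag-external":
        return f"[EXTERNAL] {subject}"
    return subject
```

Note what the spoofed sample shows: SPF and DKIM both "pass", yet the message is still rejected, because they passed for example-hea1th.org and not for the domain in the From: header. That alignment step is what DMARC adds over SPF and DKIM alone, and it is why the slide lists all three. The [EXTERNAL] tag is applied only after the message has been authenticated; tagging a spoofed internal message as external would merely teach users to ignore the tag.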


     Minnows
     ◦ min·now
     ◦ /ˈminō/ - noun
     ◦ 1. a small freshwater Eurasian cyprinoid fish that typically forms large shoals.


Cybersecurity: Phishing | Passwords & Passphrases | Mobile Devices


     Poll number 1

     ◦How many characters are in the
      password for your email account?


Strong passwords
◦ What makes up a strong password or passphrase?
  ◦ Length
  ◦ Upper case letters
  ◦ Lower case letters
  ◦ Numbers
  ◦ Symbols
  ◦ Not among the most common or already-known passwords
  ◦ Not dictionary words


     Strong passwords
     ◦ Strong, complex passwords can help stop cyberthieves from accessing your
       information or company information. Simple passwords can make access
       easy. If a cybercriminal figures out your password, it could give them access to
       the company’s network or your personal data. Creating unique, complex
       passwords is essential.
     ◦ There are essentially 3 ways for someone to get your password
       1. You give it out (phishing)
       2. Hacker guesses it
       3. Hacker uses a computer program to figure it out (password cracking)


How secure is your password?
◦ POLL RESULTS SHOWN HERE


How secure is your password?
◦ Estimated time to figure out (crack) your password, by number of characters. The figures are from security.org’s checker and depend on the guess rate and character mix it assumes; the point is the growth with each added character:
  ◦ 7 characters  – 22 seconds
  ◦ 8 characters  – 19 minutes
  ◦ 9 characters  – 16 hours
  ◦ 10 characters – 1 month
  ◦ 11 characters – 4 years
  ◦ 12 characters – 200 years
  ◦ 13 characters – 12,000 years

◦ How Secure Is My Password? | Password Strength Checker (security.org)
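The slide's table comes from a formula: the number of candidate passwords is alphabet size raised to the length, and an attacker needs on average half of them. The following added example (written for this page, not the security.org tool or anything from the deck) makes that arithmetic explicit. The guess rate of 1e10 per second is an assumption standing in for an offline GPU attack on a fast, unsalted hash; security.org's own rate and alphabet are not published on the slide, so the times will not match its column exactly. It also goes one step beyond the slide by putting passphrases on the same scale, which is what the "Length" spoke of the earlier diagram is really about.

```python
import math

# Assumption for illustration: an offline attacker trying 1e10 guesses per
# second (a GPU rig against a fast, unsalted hash). Online guessing against a
# login page is many orders of magnitude slower.
GUESSES_PER_SECOND = 1e10

LOWER, MIXED, MIXED_DIGITS, PRINTABLE = 26, 52, 62, 95
DICEWARE_WORDS = 7776  # size of the standard diceware word list


def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Same formula with whole words as the symbols; the words may be ordinary
    dictionary words because the attacker must guess the combination."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(length: int, alphabet_size: int,
                           rate: float = GUESSES_PER_SECOND) -> float:
    """Average brute-force time: half the keyspace at the given guess rate."""
    return keyspace(length, alphabet_size) / 2 / rate


def human(seconds: float) -> str:
    """Render seconds the way the slide does (years, days, hours, minutes)."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(alphabet_size: int, lengths=range(7, 14)) -> list:
    """Rows of (length, entropy bits, expected time) like the slide's table."""
    return [(n, round(entropy_bits(n, alphabet_size), 1),
             human(expected_crack_seconds(n, alphabet_size))) for n in lengths]


if __name__ == "__main__":
    for n, bits, t in crack_table(MIXED_DIGITS):
        print(f"{n:2d} characters  {bits:5.1f} bits  {t}")
    # Length beats complexity: 12 random lowercase letters out-score 8 random
    # characters drawn from every printable symbol, and a 4-word passphrase is close.
    print(entropy_bits(12, LOWER), entropy_bits(8, PRINTABLE), passphrase_bits(4))
```

Two things to read off the output. Every extra character multiplies the work by the alphabet size, which is why each row of the slide's table is roughly an order of magnitude worse for the attacker than the previous one. And the formula only holds for passwords chosen uniformly at random; a film title with a year, as in the presenter's own examples, is far easier to guess than its character count suggests because cracking tools try titles and dates before random strings.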


     Strong passwords
     ◦ Don’t use anything that can be easily figured out
        ◦ Anything you post on social media
        ◦ Don't use Social Security numbers, phone numbers, addresses, or other personally identifiable information as
          passwords

     ◦ Examples that I have used
        ◦ Love Actually-2003
        ◦ Sgt.Peppers Lonely Hearts Club Band 1967
        ◦ Where the Crawdads Sing-2020


     Password manager
     ◦ Password managers generate unique complex passwords for each site and service. Don’t use the same
       password for multiple sites, and always use a unique mix of upper and lower case letters, numbers and
       other characters. “Sure, there is usually a minimum recommendation of eight characters – but if you
       follow that rule, you are making it easier for hackers to crack that password. As a rule, always use double
       the minimum amount of characters or even more.”
     ◦ Start using a password manager to help you generate strong passwords and store them in one safe
       place.
     ◦ Don't save passwords in your browser
     ◦ Immediately change your passwords following a data breach
     ◦ Don't store passwords with your laptop or mobile device


     More than passwords
     ◦ Companies may also require multi-factor authentication when you try to access sensitive network areas. This
       adds an additional layer of protection by asking you to take at least one extra step — such as providing a
       temporary code that is sent to your smartphone — to log in.
◦ Things you know (knowledge), such as a password or PIN.
◦ Things you have (possession), such as a badge, YubiKey token or smartphone.
◦ Things you are (inherence), such as a biometric like fingerprints or voice and facial recognition.

     ◦ Enable multi-factor authentication on all accounts with sensitive information
        ◦ Personal email
        ◦ Banking
        ◦ Healthcare portals


     Actions
◦ Install a password manager
   ◦ Use the password manager to change all your passwords to secure ones
   ◦ If you don’t want to change them all, at least change any that appear in Have I Been Pwned (haveibeenpwned.com)

◦ Want to do more to protect your privacy? Here are some extra steps:
   ◦ https://www.zdnet.com/article/online-security-101-how-to-protect-your-privacy-from-hackers-spies-and-the-government/
   ◦ https://digitalguardian.com/blog/101-data-protection-tips-how-keep-your-passwords-financial-personal-information-safe


     Actions
     ◦ Does your company require passwords that are appropriately complex to protect the information you
       have? If not, work with the teams to increase the length.
     ◦ Is multi-factor authentication in place for sensitive data? Internet facing services?
     ◦ Does your company recommend a password manager for employees to use?
     ◦ Do you have a reduced sign on initiative? If not, start one!


     Motoro Stingray
     ◦ sting·ray
     ◦ /ˈstiNGˌrā/ - noun
     ◦ 1. any of the rays, especially of the family Dasyatidae, having a long, flexible tail armed near the base
       with a strong, serrated bony spine with which they can inflict painful wounds.


Cybersecurity: Phishing | Passwords & Passphrases | Mobile Devices


     Mobile Devices
     ◦ They are pervasive today. They need to be analyzed
       for risk and managed appropriately whether that is in
       an organization or yours personally.


     How important is your data to you?

                                              Unlock your cell phone
                                              or tablet.

                   Did your heart skip a beat? Did you exclaim “No”?


     Mobile Devices
     ◦ All it takes is a single mishap where your device slips out of your pocket at the grocery store or
       restaurant, and your data could wind up in the hands of someone who will use it maliciously.
     ◦ You leave it in your car, and someone breaks in and steals it.

     ◦ When was the last time you thought your device was lost?

     ◦ It’s crucial to protect these devices and the good news is it is easier than it has ever been.


     Mobile Devices
     ◦ We already covered the importance of passwords so these next topics shouldn’t
       surprise you
     ◦ Lock your smartphone and tablet devices
       ◦ If it is locked, then someone will have to crack your password to get into the device
       ◦ Set yours to automatically lock
     ◦ Enable Touch ID if you use an Apple device or fingerprint unlock on Android
     ◦ Encrypt the device
       ◦ Have this setup when you are buying the device or there are step by step guides.
       ◦ Search the web for your device name and encryption.


     Mobile Devices – free Wi-Fi
     ◦ We all love free Wi-Fi. It’s just too easy for people to view what you are doing
       when connected
       ◦ Turn off wireless connectivity and Bluetooth when you aren’t using them
       ◦ This avoids connecting to insecure networks and saves your battery life
◦ Use a Virtual Private Network (VPN) tool
  ◦ Some devices have this software built in, and there are plenty of downloadable tools
  ◦ This shields your activities from anyone else on the same free connection. The VPN provider can see that traffic instead, so pick one you trust rather than whatever is free in the app store.


     Mobile Devices – Applications
     ◦ Buy and download apps and software only from official stores
     ◦ Keep applications up to date
        ◦ Enable automatic updates for any applications that allow it.
        ◦ Update your firmware as soon as possible.
        ◦ Update your applications on a frequent basis.
◦ Install anti-virus software
   ◦ Mobile malware is less common than on desktops, but an infection can be devastating.
   ◦ Bonus! Anti-virus software often includes protections for your web browser, which is a top attack vector.


     Mobile Devices – Device management
     ◦ Mobile Device Management(MDM) and Mobile Application Management(MAM)
        ◦ This is software that businesses use to manage mobile devices.

     ◦ The simplest way to look at the difference between these two:
     ◦ MDM is managing the device as a whole. It determines if there will be a passcode or not, what
       Wi-Fi to connect to or not, what applications are installed and whether a user can install more.
     ◦ MAM is managing a single or multiple application as a set but NOT the overall device settings.
       Management includes versions of the application, features available in the application,
       whether the application is encrypted and whether you can cut and paste to or from the
       application.
     ◦ MDM is generally used for managing corporate owned devices. MAM is generally the better
       choice for corporate management of personal devices.


     Actions
     ◦ Going to the next level
     ◦ Your home has devices too. Check this out to help secure your smart home.
     ◦ https://us.norton.com/internetsecurity-iot-smart-home-security-core.html


     Actions
◦ For corporate device management, start conversations with the teams responsible for devices:
     ◦ What is our risk tolerance?
     ◦ What is our management strategy?
     ◦ What controls are in place for our management of devices?


     Swordfish
     ◦ sword · fish
     ◦ /’sôrdfiSH/ - noun
     ◦ a large edible marine fish with a streamlined body and a long flattened swordlike snout, related to the
       billfishes and popular as a game fish.


     Do you want to be a shark?

                             Keep going!


     Phishing: news and videos
      ◦ Stop That Phish | SANS Security Awareness

      ◦ Phishing 101 video - 4 minutes
      ◦ CRI Cyber Security Awareness - Phishing Video – 3 minutes
      ◦ Phishing 201 Phishing and Spear Phishing – 3 minutes


Phishing: The “From” address doesn’t look right
The display name associated with an email address can be set to just about anything the sender wants. The address itself, when you look at it closely, may not look quite right.

Messages from people within Legacy almost always show as names, not email addresses, and they share a common format (see the examples on the slide).

For non-Legacy “From” addresses, ask yourself: does everything after the @ look right? If it claims to be from Facebook, does the address end in @facebook.com?

Does the “From” address look legitimate?


     Phishing: The email has wrong or bad branding
         Scam emails often reference company,
         department, or team names that
         are similar to (but not quite the
         same as) those we really use.

         For example, it may refer to “IT”
         instead of “IS.”

         Other emails pretend to be from
         reputable companies.

         And some scam emails don’t
         have branding at all.

         How is the message branded?


     Phishing: Message contains promises or threats
                 “Phishers” know that they need to motivate you to act:
                 ◦ False promises… a package is waiting for you, you’ve won something or by simply
                   “clicking here”, you’ll get something free.
                 ◦ Scare tactics. Scam messages often contain threats that something bad will happen
                   imminently if you don’t take a specific action.

                  Is the message trying to motivate you to act?


     Phishing: It contains attachments
           Has your IS department ever sent you an attachment claiming it will fix a problem if
           you click on it?

           ALWAYS think carefully before
           opening an attachment.

Most financial institutions, retailers and other reputable companies do not send unsolicited attachments by email.

             Why does the message contain an attachment?


     Phishing: You aren’t expecting something
           Your package has arrived –
           but have you ordered anything?

           Your invoice is enclosed – but
           are you expecting an invoice?

           Instructions for collecting your
           prize are enclosed – but did you
           enter a contest?

           Perhaps the most important thing
           you can do to protect yourself from phishers is to consider the context. Is this
           something you’re expecting?

           Do you know what it is? Or why it is?


     Phishing: The sender is familiar, but the message is
       unusual
                    Even emails from familiar people – those that appear to be coming from valid,
                    internal addresses can still be unsafe.

                    They may have clicked something that, in turn, generated messages to their favorite
                    contacts.

                    Or someone may have “spoofed” (faked) the email address when they sent the
                    message.

                    Is this message characteristic of the sender?


Worst passwords
◦ SplashData produces an annual list of the worst passwords based on popularity. Here are the top 25 from 2019:
1. 123456
2. 123456789
3. qwerty
4. password
5. 1234567
6. 12345678
7. 12345
8. iloveyou
9. 111111
10. 123123
11. abc123
12. qwerty123
13. 1q2w3e4r
14. admin
15. qwertyuiop
16. 654321
17. 555555
18. lovely
19. 7777777
20. 888888
21. princess
22. dragon
23. password1
24. 123qwe
25. 666666


Risks associated with password reuse
◦ Reusing passwords is convenient, but it greatly increases your risk of compromise, and the work required to change them if one is exposed in a breach. Whenever a system that stores passwords is compromised, those passwords are added to the lists that attackers try the next time they go after a system (credential stuffing). Think of it as a key to your house: once attackers know the password, it is only a matter of time until your lock is opened. Consider the risk of a common password like "password1", which likely works on many accounts.

     ◦ https://www.beckershospitalreview.com/cybersecurity/25-most-...
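The earlier action item "change any that appear in Have I Been Pwned" and the credential-stuffing risk described above are served by the same check, and it can be done without sending the password anywhere: the Pwned Passwords service takes the first five hex characters of the password's SHA-1 and returns every hash suffix in that bucket with its breach count, so the match happens on the client. The following added example (written for this page; not code from Have I Been Pwned, and it makes no network call) implements that client-side split and match against a constructed bucket whose counts are made up. The real endpoint is https://api.pwnedpasswords.com/range/ followed by the prefix; calling it is left to the reader.

```python
import hashlib
import secrets

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here


def hibp_split(password: str) -> tuple:
    """SHA-1 of the password as upper-case hex, split into the 5-character
    prefix that is sent to the service and the 35-character suffix that
    never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 when the password is not in that bucket."""
    _, suffix = hibp_split(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_response(leaked: dict, filler: int = 3) -> str:
    """Test double for the service: a fake bucket holding the suffixes of the
    given passwords with made-up counts, plus random filler suffixes. A real
    bucket holds several hundred entries and the counts are breach tallies."""
    lines = [f"{hibp_split(pw)[1]}:{n}" for pw, n in leaked.items()]
    lines += [f"{secrets.token_hex(18).upper()[:35]}:{secrets.randbelow(50) + 1}"
              for _ in range(filler)]
    return "\r\n".join(sorted(lines))


def needs_rotation(password: str, range_response: str) -> bool:
    """Policy hook: any appearance in a breach means change it everywhere it
    was reused, because it is now on the lists attackers replay."""
    return pwned_count(password, range_response) > 0


if __name__ == "__main__":
    # Constructed data: the counts are illustrative, not HIBP's real numbers.
    bucket = constructed_range_response({"password1": 1_000_000, "iloveyou": 500_000})
    for pw in ("password1", "trombone-lantern-7-kayak"):
        prefix, _ = hibp_split(pw)
        verdict = "CHANGE IT" if needs_rotation(pw, bucket) else "not seen"
        print(f"{pw!r}: would query {RANGE_ENDPOINT}{prefix} -> {verdict}")
```

The five-character prefix identifies a bucket of several hundred hashes, so the service learns only that the password is one of those and not which; that is the k-anonymity property that makes it safe to run this check against real accounts. The same technique is how password managers and identity providers implement the "this password has appeared in a data breach" warning mentioned on the slide.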


Mobile devices
◦ How to Secure Your Mobile Device in Six Steps
◦ Enable lost and stolen device protection, which iOS, Android and Microsoft Windows have built in.
◦ Mobile device security awareness video


     Sharks
     ◦ shark
     ◦ /SHärk/ - noun
     ◦ a long-bodied chiefly marine fish with a cartilaginous skeleton, a prominent dorsal fin, and toothlike
       scales. Most sharks are predatory, although the largest kinds feed on plankton, and some can grow to a
       large size.
