PHISHING - SHARKS & MINNOWS - Cybersecurity - Health Care Compliance Association
2/1/2021

PHISHING – SHARKS & MINNOWS
Protecting yourself and your devices

Cybersecurity
PHISHING | PASSWORDS - PASSPHRASES | MOBILE DEVICES
Objectives
◦ Identify phishing emails and know what to do with them
◦ Apply good account password hygiene
◦ Proactively keep your phone and computers protected with simple, easy steps

Introduction
Brian Hole, Deputy CISO and Cybersecurity manager at Legacy Health
◦ bhole@lhs.org, LinkedIn: linkedin.com/in/brian-hole-9b314213
◦ Brian Hole is a Deputy Chief Information Security Officer for Legacy Health with extensive experience in security and compliance. He loves the outdoors and is active in the community. He earned the Certified Information Systems Security Professional (CISSP) certification from ISC2. Brian is passionate about security. He is a very focused person and loves a challenge. Brian enjoys unraveling mysteries and problems to find solutions that help everyone involved. He encourages collaboration and teamwork. He has worked in retail and served on boards of directors. His outdoor passions include skiing and backpacking.
Slide conventions – lower right corner
This icon is for things that you can do personally.
This icon is for things that you can look for at your company. Maybe to implement, maybe to audit.

Which is easier for hackers?
A. Hacking into your online accounts and then your computer?
B. Fishing and catching steelhead in the Willamette River?
C. Phishing and tricking you into giving them your username and password?
D. Stealing or hacking into your phone?
What is phishing?
◦ Phishing is an approach used to try to trick you into doing something you don’t want to do. Taking that action ultimately compromises the security of your computer, phone, accounts, or financial information.
◦ From a business perspective this can also include the personal and health information which is entrusted to us by our patients.

YES!
Name of Covered Entity                    | Covered Entity Type       | Individuals Affected
State of North Dakota                     | Healthcare Provider       | 35,416
Connecticut Department of Social Services | Health Plan               | 37,000
Georgia Department of Human Services      | Healthcare Clearing House | 45,732
Centerstone of Tennessee, Inc.            | Healthcare Provider       | 50,965
Mercy Iowa City                           | Healthcare Provider       | 60,473
Ascend Clinical, LLC                      | Healthcare Provider       | 77,443
Presbyterian Healthcare Services          | Healthcare Provider       | 193,223
Missouri-based BJC Healthcare             | Healthcare Provider       | 287,876
It only takes one click in a phishing email to start a compromise.

How to tell if an email is phishing?
◦ Determining if an email is safe can sometimes be more art than science. However, most phishing emails share one or more of the following characteristics:
  ◦ Writing is not professional
  ◦ The “From” address doesn’t look right
  ◦ The email has no branding or bad branding
  ◦ The message contains promises or threats
  ◦ It contains attachments
  ◦ You are not expecting something
  ◦ The sender is familiar, but the message is unusual (tone)
The more of these items an email has, the higher the chances it is phishing!
Examples
Security.ucop.edu

And perhaps most importantly… TRUST YOURSELF
Cybercriminals are continually honing their skills, using current events and finding new ways to trick you.
Current events - Covid-19
◦ In the near future officials say to expect and be prepared for more scams involving vaccines.
◦ Taxes are just around the corner.

Actions
◦ Ask yourself, what will happen if I ignore and delete the message?
  ◦ “When in doubt, throw it out!”
◦ Does the email appear to be from someone you know?
  ◦ Send them a new email to ask if the message you received is legitimate. (Never reply to the actual suspicious email.)
◦ Get a second opinion.
  ◦ Consider double-checking with your manager or supervisor, co-worker or friend.
◦ Mark it as spam.
  ◦ Add it to your Junk list. All future messages from that sender will be filtered out.
◦ If you interacted with the message in any way – downloading images, opening attachments, etc.
  ◦ Personal devices: reboot. Run a virus scan. Change your password.
  ◦ Contact your support desk right away… And if your computer is acting funny or sending emails without your permission, it’s always a good idea to shut it down.
Actions/audit to reduce risks
◦ Multifactor authentication (MFA) for email and all internet-facing services
◦ Email system protection using SPF, DMARC and DKIM
◦ Email protection from spam and malicious email – email gateways
◦ Don’t allow incoming attachments with macros
◦ [EXTERNAL] added to the subject line
◦ Web links / URL rewrites (allows for disabling a link once it is found malicious)
◦ Firewall protections for DNS and web filtering
◦ Phishing education
◦ Endpoint tools that limit execution of software (allow/deny lists) (machine learning)

Minnows
◦ min·now
◦ /ˈminō/ - noun
◦ 1. a small freshwater Eurasian cyprinoid fish that typically forms large shoals.
Cybersecurity
PHISHING | PASSWORDS - PASSPHRASES | MOBILE DEVICES

Poll number 1
◦ How many characters are in the password for your email account?
Strong passwords
◦ What makes up a strong password or passphrase?
  ◦ Upper case letters
  ◦ Lower case letters
  ◦ Numbers
  ◦ Symbols
  ◦ Length
  ◦ Not most common
  ◦ Not known
  ◦ Not dictionary words

Strong passwords
◦ Strong, complex passwords can help stop cyberthieves from accessing your information or company information. Simple passwords can make access easy. If a cybercriminal figures out your password, it could give them access to the company’s network or your personal data. Creating unique, complex passwords is essential.
◦ There are essentially 3 ways for someone to get your password
  1. You give it out (phishing)
  2. Hacker guesses it
  3. Hacker uses a computer program to figure it out (password cracking)
How secure is your password?
◦ POLL RESULTS SHOWN HERE

How secure is your password?
◦ # of characters – how long to figure out your password (crack it)
  ◦ 7 characters – 22 seconds
  ◦ 8 characters – 19 minutes
  ◦ 9 characters – 16 hours
  ◦ 10 characters – 1 month
  ◦ 11 characters – 4 years
  ◦ 12 characters – 200 years
  ◦ 13 characters – 12,000 years
◦ How Secure Is My Password? | Password Strength Checker (security.org)
Strong passwords
◦ Don’t use anything that can be easily figured out
  ◦ Anything you post on social media
  ◦ Don't use Social Security numbers, phone numbers, addresses, or other personally identifiable information as passwords
◦ Examples that I have used
  ◦ Love Actually-2003
  ◦ Sgt.Peppers Lonely Hearts Club Band 1967
  ◦ Where the Crawdads Sing-2020

Password manager
◦ Password managers generate unique complex passwords for each site and service. Don’t use the same password for multiple sites, and always use a unique mix of upper and lower case letters, numbers and other characters. “Sure, there is usually a minimum recommendation of eight characters – but if you follow that rule, you are making it easier for hackers to crack that password. As a rule, always use double the minimum amount of characters or even more.”
◦ Start using a password manager to help you generate strong passwords and store them in one safe place.
◦ Don't save passwords in your browser
◦ Immediately change your passwords following a data breach
◦ Don't store passwords with your laptop or mobile device
More than passwords
◦ Companies may also require multi-factor authentication when you try to access sensitive network areas. This adds an additional layer of protection by asking you to take at least one extra step — such as providing a temporary code that is sent to your smartphone — to log in.
  ◦ Things you know (knowledge), such as a password or PIN.
  ◦ Things you have (possession), such as a badge, YubiKey token or smartphone.
  ◦ Things you are (inherence), such as a biometric like fingerprints or voice and facial recognition.
◦ Enable multi-factor authentication on all accounts with sensitive information
  ◦ Personal email
  ◦ Banking
  ◦ Healthcare portals

Actions
◦ Install a password manager
◦ Use the password manager to change all your passwords to secure ones
  ◦ If you don’t want to change them all, at least change any listed here: Haveibeenpwned
◦ Want to do more to protect your privacy? Here are some extra steps
  ◦ https://www.zdnet.com/article/online-security-101-how-to-protect-your-privacy-from-hackers-spies-and-the-government/
  ◦ https://digitalguardian.com/blog/101-data-protection-tips-how-keep-your-passwords-financial-personal-information-safe
Actions
◦ Does your company require passwords that are appropriately complex to protect the information you have? If not, work with the teams to increase the length.
◦ Is multi-factor authentication in place for sensitive data? Internet-facing services?
◦ Does your company recommend a password manager for employees to use?
◦ Do you have a reduced sign-on initiative? If not, start one!

Motoro Stingray
◦ sting·ray
◦ /ˈstiNGˌrā/ - noun
◦ 1. any of the rays, especially of the family Dasyatidae, having a long, flexible tail armed near the base with a strong, serrated bony spine with which they can inflict painful wounds.
Cybersecurity
PHISHING | PASSWORDS - PASSPHRASES | MOBILE DEVICES

Mobile Devices
◦ They are pervasive today. They need to be analyzed for risk and managed appropriately, whether that is in an organization or yours personally.
How important is your data to you?
Unlock your cell phone or tablet. Did your heart skip a beat? Did you exclaim “No”?

Mobile Devices
◦ All it takes is a single mishap where your device slips out of your pocket at the grocery store or restaurant, and your data could wind up in the hands of someone who will use it maliciously.
◦ You leave it in your car, and someone breaks in and steals it.
◦ When was the last time you thought your device was lost?
◦ It’s crucial to protect these devices, and the good news is it is easier than it has ever been.
Mobile Devices
◦ We already covered the importance of passwords, so these next topics shouldn’t surprise you
◦ Lock your smartphone and tablet devices
  ◦ If it is locked, then someone will have to crack your password to get into the device
  ◦ Set yours to automatically lock
  ◦ Enable Touch ID if you use an Apple device or fingerprint unlock on Android
◦ Encrypt the device
  ◦ Have this set up when you are buying the device, or there are step-by-step guides.
  ◦ Search the web for your device name and encryption.

Mobile Devices – free Wi-Fi
◦ We all love free Wi-Fi. It’s just too easy for people to view what you are doing when connected
◦ Turn off wireless connectivity and Bluetooth when you aren’t using them
  ◦ This avoids connecting to insecure networks and saves your battery life
◦ Use a Virtual Private Network (VPN) tool
  ◦ Some devices have this software built in, and there are plenty of downloadable tools
  ◦ This shields your activities from anyone else on the same free connection
Mobile Devices – Applications
◦ Buy and download apps and software only from official stores
◦ Keep applications up to date
  ◦ Enable automatic updates for any applications that allow it.
  ◦ Update your firmware as soon as possible.
  ◦ Update your applications on a frequent basis.
◦ Install anti-virus software
  ◦ There aren’t a significant number of viruses for mobile, but they can be devastating.
  ◦ Bonus! Anti-virus software often includes protections for your web browser, which is a top vector.

Mobile Devices – Device management
◦ Mobile Device Management (MDM) and Mobile Application Management (MAM)
  ◦ This is software that businesses use to manage mobile devices.
◦ The simplest way to look at the difference between these two:
  ◦ MDM is managing the device as a whole. It determines if there will be a passcode or not, what Wi-Fi to connect to or not, what applications are installed and whether a user can install more.
  ◦ MAM is managing a single application, or multiple applications as a set, but NOT the overall device settings. Management includes versions of the application, features available in the application, whether the application is encrypted and whether you can cut and paste to or from the application.
◦ MDM is generally used for managing corporate-owned devices. MAM is generally the better choice for corporate management of personal devices.
Actions
◦ Going to the next level
  ◦ Your home has devices too. Check this out to help secure your smart home.
  ◦ https://us.norton.com/internetsecurity-iot-smart-home-security-core.html

Actions
◦ For corporate device management, start conversations with the teams responsible for devices
  ◦ What is our risk tolerance?
  ◦ What is our management strategy?
  ◦ What controls are in place for our management of devices?
Swordfish
◦ sword·fish
◦ /ˈsôrdfiSH/ - noun
◦ a large edible marine fish with a streamlined body and a long flattened swordlike snout, related to the billfishes and popular as a game fish.

Do you want to be a shark? Keep going!
Phishing: news and videos
◦ Stop That Phish | SANS Security Awareness
◦ Phishing 101 video - 4 minutes
◦ CRI Cyber Security Awareness - Phishing Video – 3 minutes
◦ Phishing 201 Phishing and Spear Phishing – 3 minutes

Phishing: The “From” address doesn’t look right
The name associated with an email address can be set to just about anything someone wants it to be. However, when you look at it closely, it may not look quite right. Messages from people within Legacy almost always show as names, not email addresses. They share a common format, as shown in the following examples:
For non-Legacy “from” addresses, ask yourself, does everything after the @ look right? If it claims to be from Facebook, does the address show @facebook.com?
Does the “From” address look legitimate?
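Each question on the slide above (is everything after the @ right, does the display name match the address, do internal senders show as names) can be automated in a mail filter or an analyst's triage script. The following is an added example, not code from the presentation or from Legacy Health, that applies those checks to a raw From header. The brand table, the internal domain example-health.org and the sample headers are all constructed for the illustration; a real deployment would load the brand and internal-domain lists from the organization's own mail configuration.

```python
"""Added example, not from the presentation: automate the "From" address checks
the slide describes, the way a mail filter or analyst script would. The brand
table, internal domain and sample headers are constructed, not Legacy Health's."""
import re
from email.utils import parseaddr

# Constructed: brands we expect mail from, and the domains that legitimately send for them.
KNOWN_BRANDS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "paypal": {"paypal.com"},
}
# Constructed stand-in for the organization's own domain.
INTERNAL_DOMAINS = {"example-health.org"}

# Digit-for-letter substitutions common in lookalike domains; "rn" for "m" is handled below.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w.-]+)")


def domain_of(addr: str) -> str:
    """Lower-cased part after the @ (no public-suffix handling in this example)."""
    return addr.rsplit("@", 1)[-1].lower()


def fold_lookalikes(domain: str) -> str:
    """Normalize the usual substitutions so facebo0k.com compares equal to facebook.com."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def from_header_findings(from_header: str) -> list:
    """Return the reasons a From header looks wrong; an empty list means no finding."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    domain = domain_of(addr)
    folded = fold_lookalikes(domain)
    findings = []
    # 1. The display name itself contains an address at a different domain.
    m = ADDR_IN_NAME.search(name)
    if m and m.group(1).lower() != domain:
        findings.append(f"display name shows @{m.group(1).lower()} but mail is from @{domain}")
    for brand, domains in KNOWN_BRANDS.items():
        # 2. The display name drops a brand name, but the domain is not that brand's.
        if brand in name.lower() and domain not in domains:
            findings.append(f"display name mentions {brand} but address is @{domain}")
        # 3. After folding substitutions the domain matches a brand domain it is not.
        if domain not in domains and folded in domains:
            findings.append(f"@{domain} is a lookalike of a {brand} domain")
    for internal in INTERNAL_DOMAINS:
        if domain != internal and folded == internal:
            findings.append(f"@{domain} is a lookalike of internal domain {internal}")
    # 4. Internal mail normally arrives with a display name; a bare address is unusual.
    if domain in INTERNAL_DOMAINS and (not name.strip() or name.strip().lower() == addr.lower()):
        findings.append("internal sender shown as a bare address, not a name")
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ('"Facebook" <security@facebookmail.com>',
                '"security@facebook.com" <alerts@facebo0k-login.com>',
                'PayPal <service@paypa1.com>',
                'Brian Hole <bhole@example-health.org>',
                'bhole@exarnple-health.org',
                '<it-help@example-health.org>'):
        print(f"{hdr!r}: {from_header_findings(hdr) or ['looks normal']}")
```

The checks are deliberately conservative: a domain is only reported as a lookalike when folding its substitutions turns it into a domain the organization already trusts, so ordinary third-party senders do not trip it. This is a triage aid that complements, not replaces, the SPF/DKIM/DMARC verification done by the gateway.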
Phishing: The email has wrong or bad branding
Scam emails often reference company, department, or team names that are similar to (but not quite the same as) those we really use. For example, it may refer to “IT” instead of “IS.” Other emails pretend to be from reputable companies. And some scam emails don’t have branding at all.
How is the message branded?

Phishing: Message contains promises or threats
“Phishers” know that they need to motivate you to act:
◦ False promises… a package is waiting for you, you’ve won something or by simply “clicking here”, you’ll get something free.
◦ Scare tactics. Scam messages often contain threats that something bad will happen imminently if you don’t take a specific action.
Is the message trying to motivate you to act?
Phishing: It contains attachments
Has your IS department ever sent you an attachment claiming it will fix a problem if you click on it? ALWAYS think carefully before opening an attachment. Most companies, financial institutions, retailers, and other reputable companies do not send attachments via email.
Why does the message contain an attachment?

Phishing: You aren’t expecting something
Your package has arrived – but have you ordered anything? Your invoice is enclosed – but are you expecting an invoice? Instructions for collecting your prize are enclosed – but did you enter a contest?
Perhaps the most important thing you can do to protect yourself from phishers is to consider the context. Is this something you’re expecting? Do you know what it is? Or why it is?
Phishing: The sender is familiar, but the message is unusual
Even emails from familiar people – those that appear to be coming from valid, internal addresses – can still be unsafe. They may have clicked something that, in turn, generated messages to their favorite contacts. Or someone may have “spoofed” (faked) the email address when they sent the message.
Is this message characteristic of the sender?

Worst passwords
◦ SplashData produces an annual list of the worst passwords based on popularity. Here are the top 25 from 2019:
  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123
  11. abc123
  12. qwerty123
  13. 1q2w3e4r
  14. admin
  15. qwertyuiop
  16. 654321
  17. 555555
  18. lovely
  19. 7777777
  20. 888888
  21. princess
  22. dragon
  23. password1
  24. 123qwe
  25. 666666
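The password advice in this deck comes in three pieces: the characters-versus-time table (each extra character multiplies the attacker's work), the rule not to use Social Security numbers, phone numbers or other guessable data, and the worst-passwords list above. The following is an added example, not part of the presentation, that turns those three pieces into one check a company could run on a proposed password, and shows the keyspace arithmetic behind the table. The 12-character floor follows the "double the minimum of eight" quote earlier in the deck; the SSN and phone-number patterns, the keyboard rows and the 33-symbol count are the example's own assumptions, and the guessing rate is left to the caller rather than assumed.

```python
"""Added example, not from the presentation: a password check that applies the
deck's advice (length over complexity, nothing from the worst-passwords list,
no PII-shaped strings, no keyboard runs) and shows the keyspace growth behind
the characters-vs-time table. The 12-character floor follows the "double the
minimum of eight" quote; the crack rate is left to the caller."""
import re
import string

# The 25 passwords on the SplashData 2019 slide.
WORST_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "1234567", "12345678", "12345",
    "iloveyou", "111111", "123123", "abc123", "qwerty123", "1q2w3e4r", "admin",
    "qwertyuiop", "654321", "555555", "lovely", "7777777", "888888", "princess",
    "dragon", "password1", "123qwe", "666666",
}
# Assumed keyboard rows and sequences; four characters in a row from any of these is flagged.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase)
SSN_SHAPE = re.compile(r"\d{3}-?\d{2}-?\d{4}")
PHONE_SHAPE = re.compile(r"\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")


def character_classes(pw: str) -> list:
    """Sizes of the character classes the password draws from."""
    classes = []
    if any(c.islower() for c in pw):
        classes.append(26)
    if any(c.isupper() for c in pw):
        classes.append(26)
    if any(c.isdigit() for c in pw):
        classes.append(10)
    if any(c in string.punctuation or c == " " for c in pw):
        classes.append(33)  # 32 ASCII punctuation marks plus space
    return classes


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates a brute-force attacker must try to exhaust every password of
    this length over this alphabet. Each extra character multiplies the count
    by the alphabet size, which is why the slide's table climbs from seconds
    to millennia between 7 and 13 characters."""
    return alphabet_size ** length


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time at a guessing rate the caller supplies (none is assumed here)."""
    return keyspace(len(pw), sum(character_classes(pw))) / guesses_per_second


def policy_findings(pw: str, min_length: int = 12) -> list:
    """Reasons a proposed password fails the deck's advice; empty means it passes."""
    findings = []
    if pw.lower() in WORST_PASSWORDS:
        findings.append("on the SplashData worst-passwords list")
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if len(character_classes(pw)) < 2:
        findings.append("uses a single character class")
    if SSN_SHAPE.fullmatch(pw):
        findings.append("looks like a Social Security number")
    if PHONE_SHAPE.fullmatch(pw):
        findings.append("looks like a phone number")
    if re.search(r"(.)\1{3,}", pw):
        findings.append("contains four or more repeated characters")
    low = pw.lower()
    if any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        findings.append("contains a keyboard or alphabet sequence")
    return findings


if __name__ == "__main__":
    # The slide's 7 to 13 characters, over mixed-case letters and digits (62 symbols).
    for length in range(7, 14):
        print(f"{length} chars: {keyspace(length, 62):.3e} candidates")
    for pw in ("password1", "123-45-6789", "Where the Crawdads Sing-2020"):
        print(f"{pw!r}: {policy_findings(pw) or ['passes']}")
```

The passphrase from the deck's own examples passes every check while "password1" fails two, which is the point of the slide: length and unpredictability, not a symbol quota, are what separate the two. A real enrollment check would also compare against a breached-password corpus such as the one referenced under Haveibeenpwned, which this offline example does not include.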
Risks associated with password reuse
◦ Reusing passwords, while convenient, greatly increases your risk of compromise and the work required to change them if one becomes compromised through a breach. Whenever a system that holds passwords is compromised, those passwords get added to the list of passwords that hackers will try the next time they try to access a system. You can view this as a key to your house: if hackers find out the password, then it's only a matter of time until your lock can be opened. Think of the risk that exists if you use a common password like "password1", as that password likely works on many accounts.
◦ https://www.beckershospitalreview.com/cybersecurity/25-most-...

Mobile devices
◦ How to Secure Your Mobile Device in Six Steps
◦ Enable lost and stolen device protection, which iOS, Android and Microsoft Windows have built in.
◦ Mobile device security awareness video
Sharks
◦ shark
◦ /SHärk/ - noun
◦ a long-bodied chiefly marine fish with a cartilaginous skeleton, a prominent dorsal fin, and toothlike scales. Most sharks are predatory, although the largest kinds feed on plankton, and some can grow to a large size.