It security the condensed version

IT SECURITY – THE CONDENSED
VERSION
BRIAN PICHMAN | EVOLVE PROJECT
TWITTER: @BPICHMAN

http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-H1-2016-1500.jpg

http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-H1-2017-Gemalto-1500.jpg

THE COSTS OF BREACHES
• his year’s study reports the global average cost of a data breach is down 10 percent over previous years to
$3.62 million. The average cost for each lost or stolen record containing sensitive and conﬁdential information
also signiﬁcantly decreased from $158 in 2016 to $141 [per record] in this year’s study.
• However, despite the decline in the overall cost, companies in this year’s study are having larger breaches. The
average size of the data breaches in this research increased 1.8 percent to more than 24,000 records
[http://www-03.ibm.com/security/data-breach/]
• Data Breached Companies Experience…
• People loose faith in your brand
• Loss in patrons
• Financial Costs
• Government Requirements,
Penalties, Fees, etc.
• Sending of Notifications
• Payment of Identity Protection or
repercussions.
• Business Continuity
https://betanews.com/2016/02/10/the-economic-cost-of-being-hacked/

WHY DO PEOPLE ATTACK?
• Financial Gain
• Stocks
• Getting Paid
• Selling of information
• Data Theft
• For a single person
• For a bundle of people
• Just Because
• Malicious

YOU CAN ONLY MITIGATE RISK…NEVER PREVENT ALL RISK
Understanding your network and evaluating their risks; allows you to build plans around mitigating risk.
You can never remove all risk. You aren’t “un hackable”

SO WHAT DO YOU NEED TO PROTECT?
• Website(s)
• ILS
• Staff Computers
• And what they do on them
• Patron Computers
• And what they do on them
• Network
• And what people do on them
• Stored Data, Files, etc.
• Business Assets
• Personal Assets
• ….anything and everything that is plugged
in…

Outside
• Modem Router Firewall
Switches
• Servers
End User
• Phones
• Computers
• Laptops

OUTER DEFENSES (ROUTERS/FIREWALLS)
• Site to Site Protection (Router to
Router or Firewall to Firewall)
• Encrypted over a VPN Connection
• Protection With:
• IDS
• IPS
• Web filtering
• Antivirus at Web Level
• Protecting INBOUND and OUTBOUND

UNIFIED THREAT MANAGEMENT
• Single Device Security
• All traffic is routed through a
unified threat management
device.

AREAS OF ATTACK ON OUTER DEFENSE
External Facing Applications
• Anything with an “External IP”
• NAT, ONE to ONE, etc.
• Website
• EZProxy Connection
• Custom Built Web Applications or Services
Internal Applications
• File Shares
• Active Directory (usernames / passwords)
• Patron Records
• DNS Routing
• Outbound Network Traffic
• Who is going where

ATTACKS
• Man in the Middle
• Sitting between a conversation and either listening or altering the data as its sent across.
• DNS Spoofing (https://null-byte.wonderhowto.com/how-to/hack-like-pro-spoof-dns-lan-redirect-traffic-your-
fake-website-0151620/) set up a fake website and let people login to it.
• D/DoS Attack (Distributed/Denial of Service Attack)
• Directing a large amount of traffic to disrupt service to a particular box or an entire network.
• Could be done via sending bad traffic or data
• That device can be brought down to an unrecoverable state to disrupt business operations.
• Sniffing Attacks
• Monitoring of data and traffic to determine what people are doing.

Kali Linux / Backtrack
Wireshark

INNER DEFENSES (SWITCHES/SERVER CONFIGS)
• Protecting Internal Traffic, Outbound Traffic,
and Inbound Traffic
• Internal Traffic = device to device
• Servers
• Printers
• Computers
• Protected By:
• Software Configurations
• Group Policy
• Password Policy
• Hardware Configurations
• Routing Rules

It security the condensed version

COMPUTER SECURITY AND POLICY
Why IT Loves It
• Protects the computers from accidental changes
• Protects Data
• Lots of things depend on the running operation
of the network.
• Filtering helps with network efficiency
Why it is a Barrier
• You need something done to improve your job
(efficiency /performance)
• Patrons!
• Filtering limits access.

UPDATES, PATCHES, FIRMWARE
• Keeping your system updated is
important.
• Being on the latest and greatest
[software/update/firmware] isn’t always
good.
• Need to test and vet all updates before
implementation
• If you can – build a dev environment to
test and validate.

Casper Suite - https://www.jamf.com/products/jamf-pro/

SWITCH CONFIGURATIONS
• Routing Rules
• Split networks into
• Public: 10.0.10.X
• Staff: 10.0.20.X / :: Wireless Staff
• Servers: 10.0.30.X
• Wireless Public
• Route traffic so Public LAN cannot see
Staff LAN
• Access Restrictions
• Limit devices connecting to LAN
• MAC Address Filtering
• Limit Port Scanning, IP Scanning, etc
on network.
• Limit which networks have access to
which ports.

PROTECTING END DEVICES
• Protecting Assets
• Business Assets
• Thefts
• Hacking
• Personal Devices
• Security Risk
• Usually pose an INBOUND threat
to your network

PASSWORDS
• Let’s talk about Passwords
• Length of Password
• Complexity of password
requirements
• DO NOT USE POST IT NOTES
• A person’s “every day account”
should never have admin rights to
machines.
• That includes your IT Folks!

TRAINING
Staff and ?Patrons? Should all be required to attend Training

MYTHS
• I’m not worth being attacked.
• Hackers won’t guess my password.
• I have anti-virus software.
• I’ll know if I been compromised.

UNDERSTANDING BREACHES AND HACKS
• A hack involves a person or group to gain authorized access to a protected computer or network
• A breach typically indicates a release of confidential data (including those done by accident)
• Both of these require different responses if breaches/hacks occur.

EXAMPLES OF HACKS/BREACHES
• An employee/family member allows a hacker to access their machine through:
• Email Attachments
• Social Engineering
• Walking away from their computer unattended
• An employee/family member sends information to someone thinking they are someone else
• “Hi, I’m the CFO assistant, he needs me to collect all the W2s”
• Or more intrusive –
• There is an attack on a database or server that then allowed a hacker in (SQL Injection)
• There is a brute force attack or someone guessed the password on a key admin account, on servers/networks,
etc.

BEST KIND OF TRAINING
• Awareness
• Reporting Issues Immediately
• Precautions
• Being smart about links, emails, and phone calls.
• Don’t know the person – probably not legit.
• Site doesn’t look familiar – probably not legit
• Checking Others
• Seeing someone doing something “suspicious?”
• Seeing someone not following the “security training?”
• Acting as “owners” to data and assets.

CALL SPOOFERS
• Phone calls from “Microsoft”
• Wanting to remote in and fix your computer.
• Phone calls from your “Bank”
• Wanting to talk to you about your credit card
• Rule:
• Just. Hang. Up. Then call the number on the back of the card or directly off their actual
website.

GOOGLE ISN’T ALWAYS YOUR FRIEND

DUAL FACTOR AUTHENTICATION
• After logging in; verify login via Email, SMS, or an app with a code.

CREDIT CARD TOOLS FOR ONLINE SHOPPING
• Check out Privacy.Com
• https://privacy.com/join/473XB
shameless plug

SITES TO HELP
• Haveibeenpwnd.com
• Sign up and check to see if your data appears
after a hack is released
• https://krebsonsecurity.com/
• Great blog to stay informed of what is
happening with IT Security
• LifeLock, Identify Guard
• Monitoring Your Data and Privacy

RECAPPING
• Protect Outer Perimeter with Hardware
• Filtering, IPS/IDS, Antivirus
• Protect Inner Perimeter with Configurations
• Group Policy, Switch Configurations, Routing
• Protect End Devices with Software
• Antivirus, Firewalls
• Protect Users with Training
• Passwords

BUILDING A PLAN
• Risk Assessments
• Training Plans
• Policies, Policies, Policies!
• Training
• Breaches
• Asset
• Computer Use
• Back Up Plans
• Data Recovery from Threats
• System Recovery from Threats

RISK ASSESSMENT
• Threats are sources of
danger to information
assets
• Vulnerabilities exist in
people, processes, and
technologies.
• Risks are possible events or conditions
that could have undesirable outcomes for
the organization. Risks occur at the
intersection of threats and vulnerabilities.

DISASTER AND SECURITY PLANS
• Are tested and audited.
• Audit account usage, audit network logs, check computers for malicious software, check if computers aren’t
receiving updates.
• Test staff’s ability to follow basic security rules and principles.
• Refined and Monitored
• As your infrastructure grows or as things change, you will need to continually refine and update your security
plan and policy.
• Plans are followed.
• There shouldn’t be exceptions to rules.

ONION ROUTING, TOR BROWSING
• Technique for anonymous communication to take place over a network. The encryption takes place at
three different times:
• Entry Node
• Relay Node
• Exit Node
• Tor is made up of volunteers running relay servers. No single router knows the entire network (only its
to and from).
• Tor can bypass internet content filtering, restricted government networks (like China) or allow people to
be anonymous whistle blowers.
• Tor allows you to gain access to “.onion” websites that are not accessible via a normal web browser.
• Communication on the Dark Web happens, via Web, Telnet, IRC, and other means of communication
being developed daily.

SOME HISTORY
• Originally grew with help from the U.S. Military as a way to
communicate without detection.
• In 1995 the concept of “onion routing” was born.
• The Deep Web was coined in 2001 by BrightPlanet which
specializes in locating content within the dark web.
• In 2004 the U.S. Naval Research Lab released the Tor code to the
public, and in 2006 it was retooled as the Tor Project.

SURFACE WEB, DEEP WEB, DARK WEB
• The Deep Web is anything a
search engine can’t find.
• Search Engines use links to
“crawl” the internet.
• Within the Deep Web is the
Dark Web which requires
special software or network
configurations, and access
rights in order to access.
• The Dark Web is a small
portion of the Deep Web

THE SILK ROAD
• Former Online Black Market the first “darknet” market for selling illegal drugs.
• Launched in February 2011 where users had to purchase an account through an auction and later
would be set at fixed fees.
• October 2013 the site was shutdown by the FBI after arresting the hacker named “Dread Pirate
Roberts” (Ross William Ulbricht). One month later the site resurfaced but was shut down again.

OPERATION ONYMOUS
• International law enforcement operation
targeting over 400 darknet markets on the
Tor network that sold drugs, money
laundering, and other contraband.

CLOAK OF INVISIBILITY
Anonymous Browsing tools like the Tor Project

• Top reasons why people want to hide their IP address:
• Hide their geographical location
• Prevent Web tracking
• Avoid leaving a digital footprint
• Bypass any bans or blacklisting of their IP address
• Perform legal/illegal acts without being detected

• How do you Hide an 800lb Gorilla?
• Use Free Wifi (To Hide your location)
• Use a Secure Web Browser
• Use a Private VPN
• Go back to Dial-up
• Setup RF Data Transfer over CB Radio Waves
• Use Kali linux to hack someone else’s Wifi Encryption.
• Setup long-range Wireless Antennas

• How to hide yourself?
• Private VPN
• You want a TOTALLY anonymous service.
• Look for one that keeps no log history (Verify via reviews)
• Look at Bandwidth & Available Servers
• Recommendations:
• Private Internet Access (PIA)
• TorGuard VPN
• Pure VPN
• Opera Web Browser
• Avast AntiVirus (SecureLine)
• Worst Case: Free WIFI

• How Tor anonymizes – “You”.
• How VPN keeps ”You” protected.

HOW TO NAVIGATE AND PREVENT WRONG
TURNS
NAVIGATING THE DARK WEB - INCLUDING THE PITFALLS

HOW TO NAVIGATE AND PREVENT WRONG TURNS
• Who are the people we’re trying to void?
• Hacker Groups
• Lizard Squad. ...
• Anonymous. ...
• LulzSec. ...
• Syrian Electronic Army. ...
• Chaos Computer Club (CCC) ...
• Iran's Tarh Andishan. ...
• The Level Seven Crew. ...
• globalHell.

USING A VPN CLIENT
You can mask your geographical location.

NORMAL USERS AND HOW THEY APPEAR:

TOOLS TO BECOME A HACKER
EXPLORE TOOLS HACKERS USE TO EXPLOIT COMPANIES AND US

• Get a router that allows for VPN at the router
• Install a second VPN Client on the PC
• Use Tor Browser for Browsing
• Use other tools form this point
• Keeps everything anonymized and encrypted

• The Basics.
• Social Engineering
• Get a Voice that’s not behind a computer.
• Write a Batch File
• Odd, but Windows still has DOS hidden underneath

TOP HACKER TOOLS
• #1 Metasploit.
• #2 Nmap.
• #3 Acunetix WVS.
• #4 Wireshark.
• #5 oclHashcat. ...
• #6 Nessus Vulnerability Scanner. ...
• #7 Maltego. ...
• #8 Social-Engineer Toolkit.

MORE SOURCES
• https://www.reddit.com/r/deepweb/
• DuckDuckGo.Com doesn’t track searches
• Also lets you search of .onion sites when using TorBrowser to access.

WHAT TO DO IF YOU’VE BEEN HACKED?

YOU AS A LIBRARY - OBLIGATIONS
• You are obligated to protect the data and privacy of:
• Employees
• Patrons
• Business Partners/Vendors/Etc.
• Sometimes, we forget we house a lot of personal and identifying information about our employees and
patrons.
• Employees Social/Payroll/HR
• Patron Records/Accounts/Catalog History(?)
• What employees/patrons are accessing on the web
• A sniffing tool, key logger, or fake DNS redirects can monitor not only the sites people are accessing but what they use
for their username / password

STEPS – COMMUNICATION AND SPEED!
• Communicate
• People will ask “How long did you know XYZ happened” before communicating to them an attack
occurred.
• If you discover a breach, hack, or any other compromise that may have the impact of data
being stolen or viewed, you MUST communicate quickly and effectively.
• While every scenario is different and has different factors – groups that move faster with the
information they know (as soon as they know it) they are generally better off long term (ie don’t’
wait months as you “investigate” the issue. Give people time to protect themselves)
• Don’t over communicate and have one spokesperson
• Be clear and concise. Too many details can be harmful.

OTHER POINTS ON COMMUNICATION
• Once you know a breach has occurred, by law you are required to inform
customers if their data has been compromised.
• Some states have deadlines of when the announcement has to be made
• Every impacted person must be told that a data breach has occurred, when it
occurred, and what kind of information was compromised.
• Answer: what are you doing to provide a remedy and should they do
• (next slide)

WHAT ARE YOU DOING TO PROVIDE A REMEDY AND SHOULD THEY DO
You as the Library
• Build a website with information about the
breach
• Offer a Toll Free number people to call in for
questions
• If the possibility of social information provide
contact information for Equifax, Experian and
Transunion, and the quick links for fraud
protection.
Them as Impacted Parties
• Fraud Protection (if necessary)
• Request them to change their passwords if their
password was compromised
• Highlight if they use this password on OTHER
sites to change those passwords too

STEP 2 - INVESTIGATE
• You will most likely need to hire an outside cyber
security firm – they have the tools and resources to
track what might have been stolen and who stole it.
• Solve which computers and accounts were
compromised, which data was accessed (viewed) or
stolen (copied) and whether any other parties – such as
clients, customers, business partners, users, employees.
Was the stolen data encrypted or unencrypted?
• Also involve folks from the people you pay for services
(depending on where the breach occurred) such as
ISPs, Web Hosting Providers, Security Software,
Firewall Vendors, etc.
• Contact your local, county or state police computer
crimes unit and the FBI, which can do forensic
analyses and provide valuable guidance

STEP 3 SOLVE IT
• Through the investigation and hiring of consultants and engagement of local/state/federal
groups – find out what happened and how to prevent it from happening again
• Removing infected computers or servers (if it was from a virus/malware)
• Consider reformatting hacked computers and restoring data with clean backups or replacements
• Removing access from the outside world to your network (or specific applications)
• If the breach occurred because of non patch system or software – patch it, then put a policy in place
to check patches.
• If the breach was done through a stolen or weak passwords, secure those accounts and set new,
complex passwords that will be hard to crack.
• Communicate the resolution and promise to the users impacted

REPERCUSSIONS
• Depending on the severity of the hack and type of hack you may:
• Need to pay a fine/penalty from a governing body if it was because of lack of security or no reasonable efforts
to defend users data
• Pay for identity protection for those impacted users (usually at least a year)
• Pay a settlement

MOVING FORWARD / PREVENTION
• Make sure your security defenses are running properly and that data is being backed up securely.
• You should run activity logs and tracking on all network devices and public facing servers. These logs should be
checked and monitored for unwanted access or sudden activity.
• Follow up with vendors to see what they are doing to protect your/their data – and share with
customers best practices for their own security (like strong passwords).
• Create a disaster recovery plan and train employees so everyone can respond quickly and calmly if they
know of an attack or see something that could be indicative of being attacked.

CYBER-INSURANCE
• Policies can be purchased from most major insurance carriers for between $5,000 and $10,000 per $1
million in protection.
• Policies will generally cover:
• Legal Fees
• Forensic Fees
• Costs for providing customer credit monitoring for those impacted
• Any court costs related to civil litigation and class actions.
• Some policies include access to portals/support so if and when an attack occurs, you can get guidance and
support on what to do.

YOU – AS A PERSON (IF INFECTED MACHINE)
• If you think you infected your machine (through an email, virus, etc)
• Disconnect it from the internet.
• Immediately shut down the computer
• If you notice an odd message take a photo first so an IT person (or you) could do more research
• You can remove your drive from your computer and using another computer (that’s not network
connected) run scans on the drive.
• Depending on the severity – you may need to wipe your computer.
• If this is a work computer – always inform IT Security or IT. They rather have a false alarm than an actual
issue leak to the entire organization.

IF YOUR EMAIL GOT HIJACKED
• If its your personal email
• Send an email to all your contacts letting them know (if a fake message was sent out) that it wasn’t
you who sent the message and to delete it.
• Change your email password.
• Google will tell you what sites you have connected your Google Account too:
• https://myaccount.google.com/intro/secureaccount
• If it’s your work email
• Inform IT / Security – and ask them the best course of action.

QUESTIONS?
• Brian Pichman
• Twitter: @bpichman
• Email: bpichman@evolveproject.org

It security the condensed version

More Related Content

What's hot (20)

Similar to It security the condensed version (20)

More from Brian Pichman (20)

Recently uploaded (20)

It security the condensed version

Editor's Notes