PHISHING - SHARKS & MINNOWS - Cybersecurity - Health Care Compliance Association
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
2/1/2021
PHISHING – SHARKS
& MINNOWS
Protecting yourself and your devices
1
Cybersecurity
PHISHING PASSWORDS - MOBILE DEVICES
PASSPHRASES
2
1
2/1/2021
Objectives
◦ Identify phishing emails and know what to do with them
◦ Apply good account password hygiene
◦ Proactively keep your phone and computers protected
with simple easy steps
3
Introduction
Brian Hole
Deputy CISO and Cybersecurity manager at Legacy Health
◦ bhole@lhs.org, LinkedIn: linkedin.com/in/brian-hole-9b314213
◦ Brian Hole is a Deputy Chief Information Security Officer for Legacy Health with extensive experience in
security and compliance. He loves the outdoors and is active in the community. He earned a Certified
Information Systems Security Professional, CISSP, certification from ISC2. Brian is passionate about security.
He is a very focused person and loves a challenge. Brian enjoys unraveling mysteries and problems to
find solutions that help everyone involved. He encourages collaboration and teamwork. He has worked
in retail and served on boards of directors. His outdoor passions include skiing and backpacking.
4
2
2/1/2021
Slide conventions – lower right corner
This icon is for things that you can do personally.
This icon is for things that you can look for at your company. Maybe to implement, maybe to audit.
5
Which is easier for hackers?
A.Hacking into your online accounts and then your
computer?
B. Fishing and catching steelhead in the Willamette river?
Phishing and
C.Phishing and tricking youinto
tricking you into giving
giving them
them your
your username
username and password?
and password?
D.Stealing or hacking into your phone?
6
3
2/1/2021
What is phishing?
◦ Phishing is an approach used to try to trick you into doing something you don’t
want to do. By taking this action it will ultimately compromise the security of your
computer, phone, accounts, or financial information.
◦ From a business perspective this can also include the personal and health information
which is entrusted to us by our patients.
7
YES!
Name of Covered Entity Covered Entity Type Individuals
Affected
State of North Dakota Healthcare Provider 35,416
Connecticut Department of Social Services Health Plan 37,000
Georgia Department of Human Services Healthcare Clearing House 45,732
Centerstone of Tennessee, Inc. Healthcare Provider 50,965
Mercy Iowa City Healthcare Provider 60,473
Ascend Clinical, LLC Healthcare Provider 77,443
Presbyterian Healthcare Services Healthcare Provider 193,223
Missouri-based BJC Healthcare Healthcare Provider 287,876
8
4
2/1/2021
It only takes one click in a
phishing email to start a
compromise.
9
How to tell if an email is phishing?
◦ Determining if an email is safe can sometimes be more art than science. However, most phishing emails
share one or more of the following characteristics:
◦ Writing is not professional
◦ The “From” address doesn’t look right
The more of these items an
◦ The email has no branding or bad branding email has the higher the
◦ The message contains promises or threats
◦ It contains attachments
chances it is phishing!
◦ You are not expecting something
◦ The sender is familiar, but the message is unusual (tone)
10
5
2/1/2021
Examples
Security.ucop.edu
11
And perhaps most importantly…
TRUST YOURSELF
Cybercriminals are continually honing their skills, using
current events and finding new ways to trick you.
12
6
2/1/2021
Current events - Covid-19
◦ In the near future officials say to expect and be prepared for more scams involving vaccines.
◦ Taxes are just around the corner.
13
Actions
◦ Ask yourself, what will happen if I ignore and delete the message?
◦ “When in doubt, throw it out!”
◦ Does the email appear to be from someone you know?
◦ Send them a new email to ask if the message you received is legitimate. (Never reply to the actual suspicious email.)
◦ Get a second opinion.
◦ Consider double-checking with your manager or supervisor, co-worker or friend.
◦ Mark it as spam.
◦ Add it to your Junk list. All future messages from that sender will be filtered out.
◦ If you interacted with the message in any way – downloading images, opening attachments, etc.
◦ Personal devices, reboot. Run a virus scan. Change your password.
◦ Contact your support desk right away…. And if your computer is acting funny or sending emails without your
permission, it’s always a good idea to shut it down.
14
7
2/1/2021
Actions/audit to reduce risks
◦ Multifactor authentication(MFA) for email and all internet facing services
◦ Email system protection using SPF, DMARC and DKIM
◦ Email protection from spam and malicious email – Email gateways
◦ Don’t allow incoming attachments with macros
◦ [EXTERNAL] added to the subject line
◦ WebLinks / URL rewrites. (allows for disabling a link once it is found malicious)
◦ Firewall protections for DNS and web filtering
◦ Phishing education
◦ Endpoint tools that limit execution of software (allow/deny lists)(Machine Learning)
15
Minnows
◦ min·now
◦ /ˈminō/ - noun
◦ 1. a small freshwater Eurasian cyprinoid fish that typically forms large shoals.
16
8
2/1/2021
Cybersecurity
PHISHING PASSWORDS - MOBILE DEVICES
PASSPHRASES
17
Poll number 1
◦How many characters are in the
password for your email account?
18
9
2/1/2021
Strong passwords Upper
Case
letters
◦What makes up
Lower
Not most
case
common
letters
a strong
Length
password or
Known
passphrase?
Not
dictionary Numbers
words
Symbols
19
Strong passwords
◦ Strong, complex passwords can help stop cyberthieves from accessing your
information or company information. Simple passwords can make access
easy. If a cybercriminal figures out your password, it could give them access to
the company’s network or your personal data. Creating unique, complex
passwords is essential.
◦ There are essentially 3 ways for someone to get your password
1. You give it out (phishing)
2. Hacker guesses it
3. Hacker uses a computer program to figure it out (password cracking)
20
102/1/2021
How secure is your password?
◦POLL RESULTS SHOWN
HERE
21
How secure is your password?
◦ # of characters – how long to figure out your password (crack it)
◦ 7 characters – 22 seconds
◦ 8 characters – 19 minutes
◦ 9 characters – 16 hours
◦ 10 characters – 1 month
◦ 11 characters – 4 years
◦ 12 characters – 200 years
◦ 13 characters – 12,000 years
◦ How Secure Is My Password? | Password Strength Checker (security.org)
22
112/1/2021
Strong passwords
◦ Don’t use anything that can be easily figured out
◦ Anything you post on social media
◦ Don't use Social Security numbers, phone numbers, addresses, or other personally identifiable information as
passwords
◦ Examples that I have used
◦ Love Actually-2003
◦ Sgt.Peppers Lonely Hearts Club Band 1967
◦ Where the Crawdads Sing-2020
23
Password manager
◦ Password managers generate unique complex passwords for each site and service. Don’t use the same
password for multiple sites, and always use a unique mix of upper and lower case letters, numbers and
other characters. “Sure, there is usually a minimum recommendation of eight characters – but if you
follow that rule, you are making it easier for hackers to crack that password. As a rule, always use double
the minimum amount of characters or even more.”
◦ Start using a password manager to help you generate strong passwords and store them in one safe
place.
◦ Don't save passwords in your browser
◦ Immediately change your passwords following a data breach
◦ Don't store passwords with your laptop or mobile device
24
122/1/2021
More than passwords
◦ Companies may also require multi-factor authentication when you try to access sensitive network areas. This
adds an additional layer of protection by asking you to take at least one extra step — such as providing a
temporary code that is sent to your smartphone — to log in.
◦ Things you know ( knowledge ), such as a password or PIN.
◦ Things you have ( possession ), such as a badge, YubiKey token or smartphone.
◦ Things you are ( inherence ), such as a biometric like fingerprints or voice and facial recognition.
◦ Enable multi-factor authentication on all accounts with sensitive information
◦ Personal email
◦ Banking
◦ Healthcare portals
25
Actions
◦ Install a password manager
◦ Use the password manager to change all your passwords to secure ones
◦ If you don’t want to change them all, at least change any listed here Haveibeenpwnd
◦ Want to do more to protect your privacy? Here are some extra steps
◦ https://www.zdnet.com/article/online-security-101-how-to-protect-your-privacy-from-hackers-spies-and-
the-government/
◦ https://digitalguardian.com/blog/101-data-protection-tips-how-keep-your-passwords-financial-personal-
information-safe
26
132/1/2021
Actions
◦ Does your company require passwords that are appropriately complex to protect the information you
have? If not, work with the teams to increase the length.
◦ Is multi-factor authentication in place for sensitive data? Internet facing services?
◦ Does your company recommend a password manager for employees to use?
◦ Do you have a reduced sign on initiative? If not, start one!
27
Motoro Stingray
◦ sting·ray
◦ /ˈstiNGˌrā/ - noun
◦ 1. any of the rays, especially of the family Dasyatidae, having a long, flexible tail armed near the base
with a strong, serrated bony spine with which they can inflict painful wounds.
28
142/1/2021
Cybersecurity
PHISHING PASSWORDS - MOBILE DEVICES
PASSPHRASES
29
Mobile Devices
◦ They are pervasive today. They need to be analyzed
for risk and managed appropriately whether that is in
an organization or yours personally.
30
152/1/2021
How important is your data to you?
Unlock your cell phone
or tablet.
Did your heart skip a beat? Did you exclaim “No”?
31
Mobile Devices
◦ All it takes is a single mishap where your device slips out of your pocket at the grocery store or
restaurant, and your data could wind up in the hands of someone who will use it maliciously.
◦ You leave it in your car, and someone breaks in and steals it.
◦ When was the last time you thought your device was lost?
◦ It’s crucial to protect these devices and the good news is it is easier than it has ever been.
32
162/1/2021
Mobile Devices
◦ We already covered the importance of passwords so these next topics shouldn’t
surprise you
◦ Lock your smartphone and tablet devices
◦ If it is locked, then someone will have to crack your password to get into the device
◦ Set yours to automatically lock
◦ Enable Touch ID if you use an Apple device or fingerprint unlock on Android
◦ Encrypt the device
◦ Have this setup when you are buying the device or there are step by step guides.
◦ Search the web for your device name and encryption.
33
Mobile Devices – free Wi-Fi
◦ We all love free Wi-Fi. It’s just too easy for people to view what you are doing
when connected
◦ Turn off wireless connectivity and Bluetooth when you aren’t using them
◦ This avoids connecting to insecure networks and saves your battery life
◦ Use a Virtual Private Network(VPN) tool
◦ Some devices have this software built and there are plenty of
downloadable tools
◦ This shields your activities from anyone else on the same free connection
34
172/1/2021
Mobile Devices – Applications
◦ Buy and download apps and software only from official stores
◦ Keep applications up to date
◦ Enable automatic updates for any applications that allow it.
◦ Update your firmware as soon as possible.
◦ Update your applications on a frequent basis.
◦ Install anti-virus software
◦ There aren’t a significant number of viruses for mobile but they can be devastating.
◦ Bonus! Anti-virus software often includes protections for your web browser which is a
top vector.
35
Mobile Devices – Device management
◦ Mobile Device Management(MDM) and Mobile Application Management(MAM)
◦ This is software that businesses use to manage mobile devices.
◦ The simplest way to look at the difference between these two:
◦ MDM is managing the device as a whole. It determines if there will be a passcode or not, what
Wi-Fi to connect to or not, what applications are installed and whether a user can install more.
◦ MAM is managing a single or multiple application as a set but NOT the overall device settings.
Management includes versions of the application, features available in the application,
whether the application is encrypted and whether you can cut and paste to or from the
application.
◦ MDM is generally used for managing corporate owned devices. MAM is generally the better
choice for corporate management of personal devices.
36
182/1/2021
Actions
◦ Going to the next level
◦ Your home has devices too. Check this out to help secure your smart home.
◦ https://us.norton.com/internetsecurity-iot-smart-home-security-core.html
37
Actions
◦ For corporate device management start conversations with the teams responsible for devics
◦ What is our risk tolerance?
◦ What is our management strategy?
◦ What controls are in place for our management of devices?
38
192/1/2021
Swordfish
◦ sword · fish
◦ /’sôrdfiSH/ - noun
◦ a large edible marine fish with a streamlined body and a long flattened swordlike snout, related to the
billfishes and popular as a game fish.
39
Do you want to be a shark?
Keep going!
40
202/1/2021
Phishing: news and videos
◦ Stop That Phish | SANS Security Awareness
◦ Phishing 101 video - 4 minutes
◦ CRI Cyber Security Awareness - Phishing Video – 3 minutes
◦ Phishing 201 Phishing and Spear Phishing – 3 minutes
41
Phishing: The “From” address doesn’t look right
The name associated with an email address
can be set to just about anything someone
wants it to be. However, when you look at it
closely, it may not look quite right.
Messages from people within Legacy almost always show as names, not email
addresses. They share a common format, as shown in the following examples:
For non-Legacy “from” addresses, ask yourself, does everything after the @ look
right?
If claims to be from Facebook, does the address show @facebook.com?
Does the “From” address look legitimate?
42
212/1/2021
Phishing: The email has wrong or bad branding
Scam emails often reference company,
department, or team names that
are similar to (but not quite the
same as) those we really use.
For example, it may refer to “IT”
instead of “IS.”
Other emails pretend to be from
reputable companies.
And some scam emails don’t
have branding at all.
How is the message branded?
43
Phishing: Message contains promises or threats
“Phishers” know that they need to motivate you to act:
◦ False promises… a package is waiting for you, you’ve won something or by simply
“clicking here”, you’ll get something free.
◦ Scare tactics. Scam messages often contain threats that something bad will happen
imminently if you don’t take a specific action.
Is the message trying to motivate you to act?
44
222/1/2021
Phishing: It contains attachments
Has your IS department ever sent you an attachment claiming it will fix a problem if
you click on it?
ALWAYS think carefully before
opening an attachment.
Most companies, financial
institutions, retailers, and other
reputable companies do not
send attachments via email.
Why does the message contain an attachment?
45
Phishing: You aren’t expecting something
Your package has arrived –
but have you ordered anything?
Your invoice is enclosed – but
are you expecting an invoice?
Instructions for collecting your
prize are enclosed – but did you
enter a contest?
Perhaps the most important thing
you can do to protect yourself from phishers is to consider the context. Is this
something you’re expecting?
Do you know what it is? Or why it is?
46
232/1/2021
Phishing: The sender is familiar, but the message is
unusual
Even emails from familiar people – those that appear to be coming from valid,
internal addresses can still be unsafe.
They may have clicked something that, in turn, generated messages to their favorite
contacts.
Or someone may have “spoofed” (faked) the email address when they sent the
message.
Is this message characteristic of the sender?
47
Worst passwords
◦ SplashData produces an annual list of the worst passwords based on popularity. Here are the top 25 from
2019:
1. 123456 9. 111111 18. lovely
2. 123456789 10. 123123
19. 7777777
3. qwerty 11. abc123
20. 888888
4. password 12. qwerty123
21. princess
5. 1234567 13. 1q2w3e4r
22. dragon
6. 12345678 14. admin
23. password1
7. 12345 15. qwertyuiop
24. 123qwe
8. iloveyou 16. 654321
25. 666666
17. 555555
48
242/1/2021
Risks associated with password reuse
◦ Reusing passwords, while convenient, greatly increases your risk of compromise and the work required to
change if it becomes compromised through a breach. Whenever a system is compromised that has
passwords those passwords get added to the list of passwords that hackers will try the next time they try
to access a system. You can view this as a key to your house, if hackers find out the password then it's
only a matter of time until your lock can be opened. Think of the risk that exists if you use a common
password like "password1" as that password likely works on many accounts.
◦ https://www.beckershospitalreview.com/cybersecurity/25-most-...
49
Mobile devices
◦ How to Secure Your Mobile Device in Six Steps
◦ Enable lost and stolen device protection which IOS, Android and Microsoft Windows have built in.
◦ Mobile device security awareness video
50
252/1/2021
Sharks
◦ shark
◦ /SHärk/ - noun
◦ a long-bodied chiefly marine fish with a cartilaginous skeleton, a prominent dorsal fin, and toothlike
scales. Most sharks are predatory, although the largest kinds feed on plankton, and some can grow to a
large size.
51
26You can also read
