Top 12 Cyber Threats for
Macintosh and PC Users
Who is enCompass?
• We are a team of business technologists dedicated to the unique needs of credit unions and regulated SMBs operating in a highly secure environment.
• Our clients partner with enCompass to get more value from their technology investments and to leverage our team’s compliance, technology, and support expertise.
• We work with 25+ financial institutions providing services ranging from strategy, compliance management, project implementation, cloud services, to operational support.
• Recognized as one of Cleveland’s 95 Top Performing Companies in 2012 by Inside Business Magazine.
Who is Tom Suhadolnik?
• Principal consultant at enCompass.
Top 12 Cyber Threats Facing PC and Mac Users
• Password Security
• Backup & Disaster Recovery
• File System Security
• Battery Backup and Surge Protection
• Email
• Noisy Viruses
• Privilege Creep
• Software Vulnerabilities
• Quiet Viruses
• Social Engineering
• Firewalls
• Wireless
Password Security
Passwords should be complex
• Best practice 5 years ago was a minimum length of 8 characters
• Best practice today is a minimum length of 15 characters
• Use punctuation, number, upper and/or lower case
Passwords should not be used at multiple sites
Financial passwords should only be used once
Do not write down passwords
Do not store passwords with user names
Passwords should be changed regularly
Simple passwords should be salted
Store your passwords in a password manager
• You don’t need to remember your passwords
• LastPass, 1Password, Roboform
Use tough security questions
Worst passwords of 2012
password, 123456, 12345678, abc123, qwerty, monkey, letmein, dragon, 111111,
baseball, iloveyou, trustno1, 1234567, sunshine, master, 123123, welcome,
shadow, ashley, football, jesus, michael, ninja, mustang, password1, computer
Making weak passwords strong
password
Password
Passw0rd
Passw0rdRED!
thomas
Thomas
Thom@s
Thom@sRED!
tiger
REDtiger
REDtiger7194
An easy to remember 37 character password
Open the pod bay door please Hal
OpenThePodBayDoorPleaseHal
Open!The@Pod#Bay$Door%Please^Hal
0pen!The@P0d#Bay$D00R%Please^Hal
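A check of the rules on the password slides above, added here as an example (it is not part of the original deck): it applies the 15-character minimum, the character-class advice and the 2012 worst-password list to the deck's own sample passwords. The function name `audit` and the look-alike substitution table are assumptions of this example.

```python
import string

# The "Worst passwords of 2012" list from the slide above.
WORST_2012 = (
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1", "computer",
)

MIN_LENGTH = 15  # "best practice today" on the slide

# Assumed look-alike substitutions, undone before the wordlist check.
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def audit(password):
    """Return the rules a password fails; an empty list means it passes all."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in password):
        findings.append("no punctuation")
    if not any(c.isdigit() for c in password):
        findings.append("no number")
    if not any(c.isalpha() for c in password):
        findings.append("no letter")
    # Look for a worst-list entry in the lowercased password, both as typed
    # and with look-alike characters mapped back to letters.
    lowered = password.lower()
    forms = (lowered, lowered.translate(DELEET))
    hit = next((w for w in WORST_2012 if any(w in f for f in forms)), None)
    if hit:
        findings.append(f"built on worst-list password '{hit}'")
    return findings


if __name__ == "__main__":
    # Passwords taken from the two example slides above.
    for pw in ("password", "Passw0rdRED!", "Thom@sRED!", "REDtiger7194",
               "0pen!The@P0d#Bay$D00R%Please^Hal"):
        print(f"{pw!r}: {audit(pw) or 'passes'}")
```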
Backup and Disaster Recovery
Image Based versus File Based
Onsite versus Offsite
Free Backups
• Time Machine
• Windows Backup
• Windows System Restore
Cloud Based Backup for SOHO
• Carbonite
• CrashPlan
• Mozy
Cloud Based Backups for SMB
• ShadowProtect
• Windows Backup
• Time Machine
Cloud based options do not replace local backups
File System Security
Encryption “scrambles” or “shreds” the contents of a disk or file
Encryption algorithms use a key to encrypt and decrypt the data
• Key needs to be strong to prevent dictionary attacks
Encryption is reversible
Free Encryption Tools
• GNU Privacy
• TrueCrypt
• Disk Utility (Mac only)
• 7-Zip (PC only)
• AxCrypt (PC only)
Advanced Encryption Standard (AES 128 Bit and AES 256 Bit)
• Virtually unbreakable
Loss of key makes data unusable
Encryption is like compression - it will slow the computer
Battery Backup and Surge Protection
Types of resets
• Soft
• Hard
Battery backup run time depends on load
• Don’t put printers on battery backup
• Don’t put old CRT monitors on battery backup
• Measured in Amp-Hours (Ah or Ahr)
APC.com for details
Laptops should be connected to surge protectors
Unplug all cables from your devices in severe weather
Email Security
Do not host your own mail
• Relatively expensive when considering TCO
• Very insecure
• Not worth the effort
Bigger is better with respect to email
Real Time Blacklist (RBL)
You get what you pay for
• Don’t build a business on a free email account
• If you do use a “free” service buy a domain
If you do host your own email use a smarthost
• Socketlabs, GFI, Jangomail
• Inbound stops viruses, malware, phishing and spam
• Outbound will keep you off an RBL
Noisy Viruses
PCs are still more susceptible to virus outbreaks than Macs
Macs are not inherently more secure
• PCs have a larger attack surface
Recommended PC AV software as of 2/2013
• Vipre is my recommended choice
• AVG, AVAST, ESET NOD32 good too
• Symantec, Trend, McAfee are not recommended
Suggested Mac AV software as of 2/2013
• ClamXav is first choice – uses ClamAV engine
• Avast, Avira, Sophos
Free is OK in a multi-layered environment
Not recommending Mac AV for our non-regulated clients
Two or more AV programs can make your computer very slow
Good email hosts have anti-virus protection built in
Quiet Viruses
Criminal in nature
Mostly affect PCs
Common PC types
• Ransomware/Scareware
• Browser Hijackers
• Banking Viruses
• Gauss (Stuxnet)
• Flame
Common PC anti-malware software
• Malwarebytes is recommended
• CCleaner is recommended
• Most others are snake oil
No Mac anti-malware
Social Engineering
Becoming number one threat to individual users
Targeted, non-technical attack
Primary targets
• Cellphone accounts
• Email accounts
Secondary targets
• Bank accounts
• Trading accounts
• Utility accounts
Two factor authentication as a defense
• Something you know?
  • Personal Questions
• Something you have?
  • Cellphone
  • RSA Token
Privilege & Feature Creep
Limit use of accounts with administrative privileges
• “Root” accounts
• “Admin” accounts
Regularly delete or disable old accounts
Disable features
• If you do not use WordPress Editor disable it
Uninstall unused tools
Software Vulnerabilities
Open Source Software has a large attack surface
Keep your OS, software and servers patched
• Java, Adobe and Firefox ASAP
• PCs should install patches as soon as available
Be careful what and how you download
• Don’t trust driver download sites
• Don’t click next-next-done without reading
• Only download from trusted sites
  • OEM
  • CNET
• Do not host your own servers
• FTP and SQL servers are notoriously vulnerable
WordPress Users
Firewalls
Use hardware firewalls for the perimeter of your network
• Most cable and DSL modems come with adequate firewall
• Leave them alone and they will work fine
Use software firewalls when connected to an untrusted network
• All networks should be considered untrusted
Wireless
Wireless standards
• 802.11g and 802.11n
• WiMAX
• Bluetooth PAN
Encryption Standards Matter
• WEP is bad