
ATLANTIC CONNECTIONS

Cyber
prevention
basics

Presented By

Dan Michaluk

November 18, 2020


Agenda
Cyber attack prevention basics

o Recent reports
• Twitter NY DFS report
• Marriott ICO report
• Coveware Q3 report
o Key program elements
• Basic technical defences
• Access and authentication
• Addressing the human element
• Intrusion detection
• Incident response

Recent reports

Twitter NY DFS report – 15 October 2020


o July 2020: attackers gained access to Twitter’s
internal account management tools and hijacked
over 100 accounts
o They impersonated Twitter’s IT department and
phoned employees offering to help with VPN
problems
o Employees were directed to a fake login page,
which let the attackers capture credentials and
circumvent the multifactor authentication then
in use

4 Dan Michaluk
Recent reports

Twitter NY DFS report – 15 October 2020


o Stricter privilege limitations, with access being
re-certified regularly
o “The most secure form of MFA is a physical
security key, or hardware MFA, involving a USB
key that is plugged into a computer to
authenticate users.”
o Establish uniform standards of communications
and educate employees about them
o “Robust” monitoring via security information and
event management (SIEM) systems, with
monitoring in “near real-time”

Recent reports

Marriott ICO Report – 30 October 2020


o Starwood was compromised in 2014 and purchased
by Marriott in 2016
o The foothold was used to install Mimikatz, which
stole account credentials; only some of those
accounts were secured by MFA
o Encrypted data was found staged for export
o Finally detected in September 2018, when an
intrusion detection tool alerted on activity
relating to credit card data

Recent reports

Marriott ICO Report – 30 October 2020


o Not surprisingly, the findings relate to the deeper
layers of cyber defence
• Monitoring of privileged accounts (more
logging, more analysis, more alerts, with both
signature and heuristic capabilities)
• Monitoring of databases (risk-based evaluation
of what activity to log and what alerts to set)
• Server hardening (via binary software
whitelisting on certain devices)
• Encryption (based on a documented risk
analysis)

Recent reports

Coveware Q3 Ransomware Report – 4 November 2020


o Average payments increasing
o 50% of cases involve threat to release
exfiltrated data
o “Coveware has seen a fraying of promises
of cybercriminals (if that is a thing) to delete
the data.”
o Time to “doxx” could be shortening

Recent reports

Coveware Q3 Ransomware Report – 4 November 2020


o “The repetitive exploitation of improperly
secured Remote Desktop Protocol (RDP) is
the gift that keeps on giving for the cyber
extortion economy.”
o “As the size of an organization grows, the
method of ingress shifts to the next
cheapest and most plentiful attack vector.
This tends to be either email phishing or
unpatched vulnerabilities.”

Key program elements

Basic technical defences


o A technical layer that creates a strong perimeter
to stop intrusions
• Firewalls can block RDP access from the
internet (the vector Coveware highlights)
• Intrusion Prevention Systems identify attacks
from traffic patterns
o Secure backups
• 3-2-1 principle: three copies, on two different
media, one of them offsite (and ideally offline,
since ransomware targets reachable backups)
• Test them
o Vulnerability management: patching, and
testing that patches are in place
o Tune based on threat intelligence
Mandiant: Ransomware Protection and Containment Strategies
Key program elements

Access and authentication


o Network segmentation
• Restrict lateral communication
o Least privilege principle
• Periodic revocation reviews
o Multi-factor authentication
• Not all multi-factor authentication is the same:
one-time codes and approval prompts can be
phished in real time, as the Twitter attack
showed, whereas a hardware security key is
bound to the legitimate site and cannot be

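To make the point about phishable versus phishing-resistant factors concrete, here is an added example in Python; it is not from the presentation, the NY DFS report, or any vendor. It simulates the Twitter-style attack described earlier: a victim enters a one-time code on a fake page and the attacker relays it to the real site within the code’s validity window, so the server accepts it. It then runs the same relay against a WebAuthn-style hardware-key assertion, whose signed client data carries the origin the browser actually saw, so the real site rejects it. The origins `login.example.com` and `login-example.com`, the secrets, and the HMAC that stands in for the authenticator’s signature are all constructed for the example.

```python
"""Why a real-time phish beats one-time codes but not a hardware key.

Added example; a self-contained simulation with constructed names and keys.
Not Twitter's, the NY DFS's, or any vendor's code.
"""
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://login.example.com"   # constructed: the real site
PHISH_ORIGIN = "https://login-example.com"   # constructed: the look-alike site

# --- One-time codes (RFC 6238 TOTP, SHA-1, 30-second step) -------------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute a TOTP code exactly as an authenticator app would."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Typical server check: current step plus one step of clock skew either way."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step), code) for d in (-1, 0, 1))

def phished_totp_accepted(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the fake page; the attacker relays it seconds later."""
    code_typed_on_fake_page = totp(secret, unix_time)
    relay_delay_seconds = 5
    return server_accepts_totp(secret, code_typed_on_fake_page, unix_time + relay_delay_seconds)

# --- Hardware key (WebAuthn-style assertion, simplified) ---------------------
# A real authenticator signs with a private key; the HMAC below stands in for
# that signature so the example runs with the standard library only. The part
# that gives phishing resistance is unchanged: the signed message covers the
# origin the browser actually saw when it asked for the assertion.

def authenticator_assert(cred_key: bytes, challenge: str, origin_seen_by_browser: str):
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        sort_keys=True,
    ).encode()
    auth_data = b"\x00" * 37  # stand-in for rpIdHash || flags || signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature

def rp_verifies(cred_key: bytes, expected_challenge: str,
                client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != LEGIT_ORIGIN:
        return False  # a relayed assertion carries the phishing origin: rejected
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def webauthn_login(cred_key: bytes, origin_seen_by_browser: str) -> bool:
    """Round trip: RP issues a challenge, browser returns an assertion, RP checks it."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real RP uses fresh random bytes
    assertion = authenticator_assert(cred_key, challenge, origin_seen_by_browser)
    return rp_verifies(cred_key, challenge, *assertion)

if __name__ == "__main__":
    totp_secret = b"12345678901234567890"      # the RFC 6238 test-vector secret
    cred_key = b"constructed-per-credential-key"
    now = 1605690000                           # 2020-11-18 09:00:00 UTC
    print("TOTP phished and relayed, server accepts:", phished_totp_accepted(totp_secret, now))
    print("Hardware key, real origin:", webauthn_login(cred_key, LEGIT_ORIGIN))
    print("Hardware key, phishing origin:", webauthn_login(cred_key, PHISH_ORIGIN))
```

In a real browser the relay fails even earlier: a credential registered for login.example.com is scoped to that RP ID and the browser will not exercise it on login-example.com at all. The RP-side origin check shown here is the second line of defence that the WebAuthn specification requires, and it is why the NY DFS report singles out hardware keys as the most secure form of MFA.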
Key program elements

Addressing the human element


o Awareness campaigns are necessary but not
sufficient
• At least annually
• Simulated attacks
• Warning banners on messages from external
senders
o Recall the NY DFS prescription: tell employees
how we will and will not communicate with
them
o There is a link to the organization’s social media
policy

Key program elements

Intrusion detection
o IDPS and SIEM systems
o The constraint is typically the cost of security
analysis (through a security operations centre,
or “SOC”)
o Recall the ICO findings
• Signature-based detection
• Heuristic-based detection

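The difference between the two detection styles in the ICO findings is easiest to see in code. The following is an added example in Python, not from the presentation, the ICO report, or any SIEM product. It runs a signature rule (an exact match on a known tool name such as mimikatz.exe) and a heuristic rule (a burst of failed RDP logons from one source inside a sliding time window, followed by a success, the Coveware RDP vector) over a few constructed log lines in a key=value format invented for the example.

```python
"""Signature versus heuristic detection over constructed authentication logs.

Added example, not from the presentation or any vendor. The log format and
every line in SAMPLE_LOGS are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a brute force against RDP from 203.0.113.7 that ends in a
# successful logon, one ordinary user who mistyped a password once, and one
# process-execution event for a known credential-theft tool.
SAMPLE_LOGS = """\
2020-11-18T09:00:01 src=203.0.113.7 user=admin result=FAIL svc=rdp
2020-11-18T09:00:03 src=203.0.113.7 user=admin result=FAIL svc=rdp
2020-11-18T09:00:05 src=203.0.113.7 user=admin result=FAIL svc=rdp
2020-11-18T09:00:07 src=203.0.113.7 user=admin result=FAIL svc=rdp
2020-11-18T09:00:09 src=203.0.113.7 user=admin result=FAIL svc=rdp
2020-11-18T09:00:20 src=203.0.113.7 user=admin result=SUCCESS svc=rdp
2020-11-18T09:05:00 src=10.0.0.12 user=jsmith result=FAIL svc=rdp
2020-11-18T09:05:30 src=10.0.0.12 user=jsmith result=SUCCESS svc=rdp
2020-11-18T09:10:00 src=10.0.0.44 user=svc_backup proc=mimikatz.exe action=exec
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Signature rule input: exact indicators of known tooling (constructed list).
KNOWN_BAD_PROCESSES = {"mimikatz.exe"}

def parse_line(line: str) -> dict:
    """'2020-11-18T09:00:01 k=v k=v' -> {'ts': datetime, 'k': 'v', ...}."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    event.update(KV_RE.findall(rest))
    return event

def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def signature_alerts(events: list) -> list:
    """Fires only on an exact match: cheap and precise, blind to anything renamed."""
    alerts = []
    for ev in events:
        proc = ev.get("proc", "").lower()
        if proc in KNOWN_BAD_PROCESSES:
            alerts.append(("signature", ev["src"], f"{proc} executed as {ev.get('user')}"))
    return alerts

def heuristic_alerts(events: list, threshold: int = 5,
                     window: timedelta = timedelta(minutes=1)) -> list:
    """Fires on behaviour: >= threshold failures from one source inside the window,
    and separately on a success that follows such a burst (the case that matters)."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "result" not in ev:
            continue  # not an authentication event
        src = ev["src"]
        fails = recent_failures[src]
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()  # slide the window forward
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("heuristic", src,
                               f"{len(fails)} failed {ev['svc']} logons within {window}"))
        elif ev["result"] == "SUCCESS" and len(fails) >= threshold:
            alerts.append(("heuristic", src,
                           f"{ev['user']} logged on via {ev['svc']} after {len(fails)} recent failures"))
            fails.clear()
    return alerts

def detect(text: str) -> list:
    """Run both rule types over a batch of log text and return all alerts."""
    events = parse_logs(text)
    return signature_alerts(events) + heuristic_alerts(events)

if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOGS):
        print(f"[{kind}] {src}: {detail}")
```

Signature rules are cheap and precise but trivially evaded by renaming the binary; heuristic rules catch the behaviour, but their threshold and window set the false-positive rate, which is the analysis cost the slide refers to. Lower `threshold` to 1 and the single mistyped password from 10.0.0.12 becomes an alert too, which is the tuning trade-off a SOC lives with.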
Key program elements

Incident response
o It will happen, and the quality of the response
can dramatically affect outcomes. Can you hide in
the noise?
o A good response plan will
• Save you time
• Lead to better decision-making
o Prepare it, update it

Questions?
Thank You
For more information, contact:

Dan Michaluk
Partner
416.367.6097
dmichaluk@blg.com

Ira Nishisato
Partner, National Leader, Cybersecurity
416.367.6349
inishisato@blg.com

Eloise Gratton
Partner, National Co-Leader, Privacy
416.367.6225
egratton@blg.com

The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on
any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered.
You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or
completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP.

© 2020 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership.