The document provides tips on how businesses can protect themselves from cyber attacks. It begins by introducing common hacker tactics like phishing, exploiting wireless networks, and scanning for website vulnerabilities. It then discusses the types of attackers and their motives, usually to steal financial information or damage a company's reputation. Several specific attack vectors are outlined, including using default passwords, vulnerable websites, insecure wireless networks, flaws in internet banking, and social engineering through phishing emails. The presentation emphasizes adopting a "protect, detect, correct" mindset and classifying sensitive data, as well as following security best practices like enabling two-factor authentication, using strong unique passwords, and keeping software updated. The key message is that businesses of any size can take
How I'd hack into your business and how you can stop me!
1. How I’d hack into your business, and how you can stop me!
Michael McKinnon, Security Advisor
mmckinnon@avg.com.au | @bigmac
2. What are we looking at today?
Ask questions!
What sort of business do you have?
We are all here to prosper together.
AVG Confidential
3. Overview
Introduction
• Who is AVG?
• What data are you protecting in your business?
Common hack tactics
• Phishing, Wireless Networks, Website vulnerabilities
• Malicious links, Mobile devices, Automated scans
Security, it’s a way of thinking
• Protect, Detect and Correct
• Staying in the “know” when it comes to security.
4. Top line statistics in Australia
During 2012
• 5.4 million Australians fell victim to cyber crime
• Estimated cost to the economy $1.65 billion
• 250 Businesses surveyed found 1 in 5 were victims
• No mandatory disclosure laws means the problem may well be much bigger
5. Business - How vulnerable are you?
Is your business MORE or LESS vulnerable than the business next door?
• 79% of victims were targets of opportunity
• 96% of attacks were not highly difficult
• 85% took two weeks or more to discover
Source: Verizon Data Breach Investigations Report 2012
9. Motive & opportunity
The ability for anyone to attack your business is always based on two factors:
• How much they want to (their motive)
• How easy it would be to do (their opportunity)
When your business is connected to the Internet:
• Motivations are magnified by currency exchange rates in poorer countries – something you don’t value is worth much more.
• Opportunity is provided through instant electronic connectivity anywhere in the world. Can be so tempting, that motivation sometimes is hard to identify!
11. Motives - Follow the money
• Cybercriminals tend to “follow the money”
• So, the types of attack are often predictable
  • Credit card data
  • Private customer information
  • Refund / returns policy
  • Bank accounts
  • Financial processes
• Think about the money leaving the business…
12. Example – Stealing POS transaction data
• Lots of examples in the news…
http://www.cio.com.au/article/436663/two_romanians_plead_guilty_point-of-sale_hacking/
13. Motives – Using your reputation
• When money isn’t available, you are the stepping stone
• You could be related to the “real” target
• So, the types of attack change slightly
  • Installing links on your website to snare visitors
  • Private Customer Information
  • Phishing attacks using your e-mail
  • Passing themselves off as your business
• The damage to your reputation could last a lifetime
15. Common types of attack
How many involve the incorrect use of passwords? 5 out of 10
* Source: Verizon Data Breach Investigations Report 2012
16. Malware / Trojans
• Common varieties that cause general havoc (Fake antivirus, ransomware)
• Retail / POS specific – “RAM Scrapers” (Designed to exfiltrate transaction data)
• Remote Control Trojan or Rootkit (Designed to remain hidden for future access)
17. Hacking
• When combined with custom written malware, this is highly-targeted and designed to avoid detection and remain in place for a long time.
• In 2011, Verizon reported that 81% of incidents utilised some form of hacking.
19. #1. Default passwords
1. The user manual says: “Step 1. Change the default password”
2. Far too common that these are not changed, or they’re changed to someone else’s “default” password (which is widely known)
20. Passwords – Back to basics!
What should we aim for in a password?
• Should be easy for you to remember
• Should be hard for someone else to guess (and “brute-force”)
22. Can someone guess your password?
• Favourite football team?
• Pet’s name?
• Family members?
23. Rank these passwords in order of strength…
1. E56#av+Yb!
2. Password123
3. aaaaaAAAAA#####43
4. 123456
5. lucasjames
MOST SECURE
24. Why? Anatomy of a good password
• The password: aaaaaAAAAA#####43
• It is 17 characters in length
• Contains upper and lowercase letters
• Contains numbers
• Contains the ‘#’ symbol
• How many combinations?
  • 72 possible characters, 17 characters long is 72^17
  • That’s 37 thousand billion billion billion combinations!
25. Password separation
• Make new passwords for different accounts you access…
• Start with your “base” password (aaaaaAAAAA#####43)
  • “Facebook” – you could take the letters “f” and “b” from Facebook and create a new password: aaaaaAAAAA#####43fb
  • “Twitter” – you could take the letters “t” and “r” from Twitter and create another password: aaaaaAAAAA#####43tr
• Mix it up! Be creative! And don’t use these examples!
26. The golden rules of passwords
• Never, never, ever give your password to someone else!
• Absolute minimum of 15 characters
• Use a combination of different characters
  • Upper and lowercase (a – z, A – Z)
  • At least one numeral ( 0 – 9 )
  • At least one symbol ( !@#$%^&*()_+= )
• Password length is always better than randomness
• Must be easy for you to remember
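An added worked example (not part of the presentation) that puts numbers on the “anatomy” and “golden rules” slides: it reproduces the 72^17 figure for the recommended password, ranks the five candidates from the “rank these passwords” slide, and reports which golden rules each one breaks. The split of the 72-character alphabet into classes and the list of common fragments are assumptions.

```python
import math

# The talk counts 72 possible characters for a password mixing lower case, upper
# case, digits and symbols; the split below is an assumption that keeps that total.
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: not c.isalnum(), 72 - 26 - 26 - 10)]
MIN_LENGTH = 15  # the golden rules' "absolute minimum"
# Constructed list of fragments a guesser tries before resorting to brute force.
COMMON_FRAGMENTS = ("password", "123456", "qwerty", "letmein")
# The five candidates from the "rank these passwords" slide.
SLIDE_23 = ["E56#av+Yb!", "Password123", "aaaaaAAAAA#####43", "123456", "lucasjames"]

def alphabet_size(password: str) -> int:
    """Smallest character set that could have produced the password."""
    return sum(n for test, n in CLASSES if any(test(c) for c in password))

def keyspace(password: str) -> int:
    """Combinations a brute-force guesser must cover: alphabet ** length."""
    return alphabet_size(password) ** len(password)

def bits(password: str) -> float:
    """Same figure as keyspace(), expressed in bits."""
    return math.log2(keyspace(password))

def weaknesses(password: str) -> list[str]:
    """Reasons the talk's golden rules would reject this password."""
    problems = [f"contains common fragment '{f}'" for f in COMMON_FRAGMENTS
                if f in password.lower()]
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(1 for test, _ in CLASSES if any(test(c) for c in password)) < 2:
        problems.append("uses only one kind of character")
    return problems

def rank(passwords: list[str]) -> list[str]:
    """Strongest first; anything built on a common fragment sinks below the rest."""
    def key(p):
        return (not any(f in p.lower() for f in COMMON_FRAGMENTS), keyspace(p))
    return sorted(passwords, key=key, reverse=True)

if __name__ == "__main__":
    for p in rank(SLIDE_23):
        print(f"{bits(p):6.1f} bits  {p:18} {'; '.join(weaknesses(p)) or 'ok'}")
```

The ranking puts the 17-character password first even though the 10-character random one uses the same alphabet, which is the slide's point that length beats randomness.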
27. #2. Your vulnerable website
• Websites are being compromised too frequently, especially:
  • Wordpress, Joomla and others
• Is your website password also used elsewhere?
• Examples of impact to your business could be:
  • Theft of credit card details if you have a shopping cart
  • Stolen credentials can be used to access other systems
  • Visitors to your website can be infected/snared into other scams
  • Your website could be implicated in spam or phishing attacks
• Get your website updated or tested.
28. #3. Insecure wireless networks
• Wireless networks are convenient
• But poorly configured they represent a huge security risk!
• Data packets can be “sniffed” by nearby attackers
29. Secure your wireless networks
• Amazing how many are insecure – including my GP!
• Never use “WEP”, always use “WPA” or “WPA2”
• Wireless password should be very long and NOT easy to remember (okay to write it down somewhere safe)
• When using public WiFi networks, it’s always better to use password protected ones rather than “open” wireless networks – easy for criminals to “sniff” the traffic
30. #4. Incorrect internet banking
• Many businesses I speak with are using “Consumer” grade Internet banking
  • Not secured with two-factor authentication
  • Sharing logins with bookkeepers etc. (no ability to separate permissions – i.e. who can transfer money?)
• General security when accessing Internet banking
  • Never from an unprotected computer – keyloggers etc.
  • Always bookmark the Bank URL with https://…
SOLUTION: Talk to your bank!
31. Internet banking – Two-factor authentication
• Insist on “Two-factor” authentication for business Internet banking; either a security token (preferred) or an SMS response code.
• Contact your bank ASAP if you find anything unusual
32. #5. Phishing, spear phishing & whaling
• Sending of specially crafted e-mails to trick users into divulging sensitive information
• “Click here to see the details of your order” –> (login page)
• Does your e-mail use anti-spam to stop these?
• What about the ones that it won’t stop?
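For the ones the spam filter does not stop, an added example (not from the presentation) of a small check that pulls the links out of an HTML e-mail and flags the kind of “Click here to see the details of your order” link the slide describes: a link that leaves the business’s own domains, is not https, and lands on a login page. The trusted host list and the sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the business genuinely links to from its own e-mail (constructed list).
TRUSTED_HOSTS = {"example-shop.com.au", "www.example-shop.com.au"}
# Constructed message in the style the slide describes: a look-alike host and
# a login page behind the "click here" link, the real store behind the other.
SAMPLE_EMAIL = """<html><body>
<p>Thank you for your order #48213.</p>
<p><a href="http://example-shop-orders.net/account/login">Click here to see the details of your order</a></p>
<p>Or visit our store: <a href="https://www.example-shop.com.au/">our website</a></p>
</body></html>"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def suspicious_links(html: str, trusted=TRUSTED_HOSTS) -> list[dict]:
    """Return links that leave our domains or are not https, with the reasons."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if host not in trusted:
            reasons.append(f"host '{host}' is not one of ours")
        if url.scheme != "https":
            reasons.append("not https")
        if reasons:  # extra context that makes the finding easier to triage
            if "click here" in text.lower():
                reasons.append("vague 'click here' link text")
            if any(w in url.path.lower() for w in ("login", "signin", "verify")):
                reasons.append("lands on a login page")
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged
```

Relative links and mailto: links have no host and are therefore flagged too, which is the safer default for mail that claims to come from the business itself.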
40. Big events – London 2012 games on YouTube
41. Mobile security – Rogue apps
• Trojan-infected version of ‘Angry Birds Space’ appeared in January 2012
• Malicious functionality can communicate with remote servers, install additional malware, botnet functions
• Only download from official app stores
43. “Microsoft” scam – How the call starts
• …a Partner of Microsoft and Microsoft R&D, given information by your ISP that you are infected…
• …viruses being tracked back to your IP number…
• …Microsoft had told them of the failure and that your system was in danger of crashing…
• …My ID Number is XXX. We have been notified that your system is infected…
• …have been commissioned by Microsoft to help people remove malware from infected systems…
45. Mobile security - What are the risks?
• Physical loss of the device, still the biggest risk
• Infection from malware and possible fraud
46. Mobile security – Physical risks
• Device locks
  • PIN numbers and/or passwords
• Can you locate your lost/stolen phone?
  • “Find My iPhone/iPad”
  • Android solutions as well
47. Mobile Security - Protecting Mobile Data
• What data do you have on your devices?
  • Do an audit to find out!
  • Classify your data and think about the consequences
  • Does it need to be mobile?
  • Device encryption available in latest mobile devices
48. Mobile security - Preventing mobile malware
• Use anti-malware on your mobile
• Don’t install apps from outside trusted marketplaces
• When installing apps always check permissions
• Never, ever hack your phone
  • i.e. iPhone/iPad “Jailbreak” or Android “root”
• Limit/consider implications of clicking on links on a mobile device, especially via social networking sites
50. Identify and classify your data
• Consider classifying all the data in your business into three areas:
  • Top secret (if obtained could shut your business down)
  • Classified (if obtained would cause embarrassment)
  • Unclassified (everything else, brochures, publicly available)
• Your strategies around protecting your information will be much easier.
51. Summary
• Change default passwords, and use strong and long passwords, and separate them.
• Use strong two-factor authentication whenever you can.
• If you didn’t ask for it, don’t click the link. But if you do, make sure you’ve got software to detect and correct.
• Always update your computers and mobile devices (use auto-update where possible).
• And communicate this advice to your colleagues and staff and even customers! You’re only as secure as your weakest link.
52. Thank you!
For more information please visit our website:
www.avg.com.au/business
facebook.com/avgaunz
twitter.com/avgaunz
resources.avg.com.au