
Cybersecurity, Phishing, and MFA for VPN

Cybersecurity, Phishing, and MFA for VPN. Irwin Gaines Report to UEC Dec 7 2018.



  1. Cybersecurity, Phishing, and MFA for VPN
  Irwin Gaines, Report to UEC, Dec 7 2018

  2. “Rebranding” of former computer security team
  • We are now the Cybersecurity team
  • All communication to cybersecurity@fnal.gov (including incident reports, phishing reports or questions, other cybersecurity questions, etc.)
  • New web page at http://securityawareness.fnal.gov
  • Emphasis on partnership between cybersecurity team, management, and employees
  Phishing Report - Irwin Gaines

  3. (no transcript text for this slide)

  4. Outline
  • Cybersecurity is everyone’s responsibility
  • Phishing: Forged email trying to induce the recipient to click on a link which will either download malicious software to their computer (or mobile device) or take the user to a seemingly legitimate website to “phish” for user credentials or other personal information.
  • Why phishing exercises
  • What were the exercises
  • Results of the exercises
  • Consequences: moving forward (Proofpoint)
  • MFA and VTC
    • MFA already in use at Fermi but primarily for privileged access to enterprise systems and any access to business and HR systems; scientists and user community not impacted
    • New threats require additional use, in particular VPN which will impact scientists and users

  5. Why phishing exercises
  • Statistically, phishing remains one of the primary means to compromise an individual or company
  • According to a study done by Google, phishing poses the biggest threat to your online security [1]
  • 91% of cyber attacks (from 2015 to 2016) start with a phishing email [2]
  • Notable compromises have been accomplished via phishing – a handful of examples include: PNNL/ORNL [3], Sony [4], and DNC [5].
  • Phishing combined with password reuse leads to further possible compromises via credential stuffing
  • Fermilab has implemented anti-phishing training and incorporated phishing assessment as part of its security awareness training
  • There previously was no means to actually test the effectiveness of this training

  6. Why phishing exercises (2)
  • We have not done phishing exercises in the past, partly because of my (now proved to be mistaken) belief that our employees and users would not click on malicious links in email
  • But with the increasing prevalence of phishing and with the frequent breaches of government systems because of responses to phishing, the government and DOE are requiring such exercises
  • Seeing the handwriting on the wall, we began regular exercises last summer (shortly before we were told to do them)

  7. Initial Flood of Phishing Reports
  • On Tuesday, June 26, 2018 (starting at 8:50am), a flood of reports (over 40) came into Fermi’s Incident Response (FIR) Team
  • Link was blocked within five minutes by FIR
  • Looking into the email, it appeared that the sender’s account was compromised
  Art Lee | User Compromise Involving Lab Director Phishing Emails

  8. Phishing exercise details
  • A number of different campaigns have been run – these were all based on real-world scenarios and had different goals to assess awareness with Fermi users (those with mailboxes). All had a variety of clues indicating they were not legitimate
  • July 2017
    • The first campaign was a package delivery phish which simulated a UPS delivery notification – its intent was to look slightly “genuine”
    • The second campaign was a password reset phish which was based on a real password reset email – its intent was to see the response rate for garden variety phishing
  • Aug 2017
    • The first campaign was a password reset phish modeled after a real email reported to CST last month
      • This included a link to a website (hosted by the testing provider) that simulated a web-based password reset form
    • The second campaign was a scam phish requesting a user to send money as an investment to receive more money
      • This was based on real (and frequent) scam emails; however, it was modified for context

  9. Phishing exercise details (2)
  • Sep 2017
    • The first campaign was a Facebook deactivation confirmation phish
      • This was based on real phishing emails not generally received by Fermi users; however, these are very common
    • The second campaign was a scam phish impersonating a Charles Schwab email requesting a user to receive money
      • This was based on a real phishing email received by Fermi users
  • Oct 2017
    • The first campaign was a FedEx delivery notification phish
      • This was based on a real FedEx delivery email. This is a follow-up to the UPS delivery notification phish from July of this year.
    • The second campaign was a scam phish noting that a foreign email address was added to a user’s Paypal account
      • This was based on a real phishing scheme; however, this has not been reported to us from Fermi users.

  10. Phishing exercise details (3)
  • Nov 2017
    • The first campaign was a Netflix billing campaign
      • This was based on a real Netflix phishing scam. It was designed to trick users into thinking that their Netflix payment was not validated, resulting in a suspension of the account.
    • The second campaign was a USPS phish noting the delivery status of the shipment.
      • This was targeted specifically to repeat offenders that clicked on both the past UPS and FedEx package delivery phish campaigns.
  • Feb 2018
    • The first campaign was a Microsoft security alert
      • This is an email from “Microsoft” stating that someone else may have accessed his/her account. If the user clicks the link to verify the account, a fake login page will be shown. The user may enter his/her credentials into this form.
    • The second campaign was a DropBox sharing notification
      • This is an email from “DropBox” stating that a person has shared a PDF regarding neutrinos with the user

  11. UPS Quantum View campaign

  12. ICT Service Desk campaign

  13. Please reset your password campaign (1 of 2)

  14. Please reset your password campaign (2 of 2)

  15. LETTER FROM HOSPITAL campaign

  16. Sorry to see you leave Facebook! campaign

  17. Your Schwab Brokerage Deposit campaign

  18. FedEx Tracking Email campaign

  19. Paypal email address campaign

  20. Netflix Billing Campaign

  21. USPS Delivery Status

  22. Microsoft Security Alert

  23. Microsoft Security Alert

  24. DropBox Sharing

  25. Phish landing page

  26. Phish landing page

  27. Results of Phishing Exercises

  28. Overall lessons learned
  • Click rates are still higher than we would like, but overall performance is improving
  • Repeat offenders remain a problem, considering 137 users fell for both the UPS and the FedEx shipping phishes, and 50 still fell for the USPS phish
  • Users reporting phishes has gone way up
  • Many users read the phish email from mobile devices and/or from outside of Fermilab (and so will not be protected by web blocks at the lab)
  • Note that the first report of a new phish will have the landing site for that phish blocked in our web proxies, providing protection for anyone who is on site when they click

  29. Going forward
  • Regular phishing campaigns will continue to be implemented – some will use varied attack vectors
  • There will be consequences to users when they repeatedly “fail” a phishing exercise
    • Currently 43 three-time offenders have had Remedial Phishing Training added to their ITPs
  • URL “defanging” service being implemented from ProofPoint
    • This will prepend links to ProofPoint’s servers to verify if a link is legitimate or not
    • Unlike controls like the proxy servers, this can mitigate risks outside of the lab
    • This can also mitigate risks regardless of platform (Windows, MacOS, iOS, Android, etc.)
    • Whitelisting and blacklisting will be possible for versatility
  • Still need to raise ongoing awareness with users
    • securityawareness.fnal.gov

  30. (no transcript text for this slide)

  31. Proofpoint decoding
  • ProofPoint URL Decoder: self-service tool for decoding a ProofPoint URL
  • ProofPoint URL: https://urldefense.proofpoint.com/v2/url?u=https-3A__powerpedia.energy.gov_wiki_IM-2D24-5FData5FCalls&d=DwMFAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ct1EoviYG4gx4IPJGo2How&m=GGGQWNlRADGtfJDUdQMMNdYP2tEjYN-0bovWUq4yFN4&s=kJSAJqFIZym8fe7uhNnXiJ2kJCTEVOkYm-wE4IBfiTA&e=
  • Decoded URL: hxxps://powerpedia.energy.gov/wiki/IM-24_Data_Calls
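The slide shows one rewritten link and its decoded form. The following decoder is an added example (not code from the presentation, and not Proofpoint's own tool) that lets an incident responder recover the real destination of every "v2" urldefense link in a reported message before deciding whether to block it. It assumes the v2 rewriting rules: the target travels in the `u=` query parameter, every `_` stands for `/`, and `-XX` stands for the byte with hex value XX (so `-3A` is `:`, `-2D` is `-`, and a literal `_` arrives as `-5F`). The sample message, the `example.org` links and the tracking parameter values in it are constructed for this example; the newer v3 format (`urldefense.com/v3/...`) is encoded differently and is deliberately reported as not decodable.

```python
"""Decode Proofpoint URL Defense (v2) links for phishing triage.

Added example, not from the Fermilab presentation or from Proofpoint.
Assumed v2 rules: target in `u=`, `_` -> `/`, `-XX` -> byte 0xXX.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

URLDEFENSE_HOST = "urldefense.proofpoint.com"

# Matches a rewritten v2 link inside free text (stops at whitespace, quotes or brackets).
_LINK_RE = re.compile(r"""https?://urldefense\.proofpoint\.com/v2/url\?[^\s<>"')]+""")


def _decode_v2_target(encoded: str) -> str:
    """Undo the v2 escaping of the `u=` value."""
    # Order matters: "_" becomes "/" first, which is why a literal "_" is sent as "-5F".
    text = encoded.replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def decode_urldefense(link: str) -> Optional[str]:
    """Return the original destination of a v2 urldefense link, or None when
    `link` is not one (plain links, v3 links, or a rewritten link without `u=`)."""
    parts = urlsplit(link)
    if parts.netloc.lower() != URLDEFENSE_HOST or not parts.path.startswith("/v2/url"):
        return None
    target = parse_qs(parts.query).get("u")
    if not target:
        return None
    return _decode_v2_target(target[0])


def find_destinations(message_text: str) -> list:
    """Pair every rewritten link in a message with its true destination and
    destination host, so the analyst sees where a click would really go."""
    results = []
    for rewritten in _LINK_RE.findall(message_text):
        decoded = decode_urldefense(rewritten)
        if decoded is None:
            continue
        results.append({
            "rewritten": rewritten,
            "decoded": decoded,
            "host": urlsplit(decoded).hostname,
        })
    return results


# Constructed sample message; the d/c/r/m/s/e tracking values are placeholders.
SAMPLE_MESSAGE = """\
Your mailbox quota is full. Review your account here:
https://urldefense.proofpoint.com/v2/url?u=https-3A__example.org_login-3Fuser-3Dalice-26next-3D_home&d=DwMFAg&c=c0nst&r=r0&m=m0&s=s0&e=
Also see the wiki page:
https://urldefense.proofpoint.com/v2/url?u=https-3A__example.org_wiki_IM-2D24-5FData-5FCalls&d=DwMFAg&c=c0nst&r=r0&m=m0&s=s0&e=
"""

if __name__ == "__main__":
    for item in find_destinations(SAMPLE_MESSAGE):
        print(f"{item['host']:<20} {item['decoded']}")
```

Because Proofpoint encodes every `-` as `-2D`, any `-XX` pattern left in the `u=` value is an escape and can be substituted blindly; the `_` to `/` replacement has to run first for the same reason. The `host` field is the value to compare against the brand the message claims to be from when deciding on a proxy block.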

  32. (no transcript text for this slide)

  33. References
  • [1] https://www.engadget.com/2017/11/11/google-study-hijack/
  • [2] http://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704
  • [3] https://www.computerworld.com/article/2510012/malware-vulnerabilities/second-doe-lab-is-likely-victim-of-spear-phishing-attack.html
  • [4] https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/
  • [5] https://www.engadget.com/2017/11/03/ap-investigation-russia-hack-dnc-clinton-emails/

  34. MFA and VPN
  • Multi Factor Authentication (MFA) is the use of at least two of three possible modalities for identification: something you know (a password); something you have (smartcard or phone); something you are (fingerprints)
  • Fermilab is presently (under DOE mandate) using PIV-I smart cards for access to enterprise privileged systems and RSA tokens (both hardware and software tokens) for access to business and HR systems. Note that the RSA tokens do not satisfy the strictest level of authentication assurance and so need to be migrated to a “better” token
  • Recent cyber attacks have highlighted a possible vulnerability in VPN access to the lab, which presently only requires use of the services password that is also used for email access
  • Current MFA upgrade project will
    • Switch to a single token (Yubikey) for most access (so no need for two types of tokens)
    • Satisfy DOE requirements for authentication assurance
    • Extend to additional systems (in particular VPN)

  35. MFA usage for VPN
  • Project in initial stages; in particular we need to understand use cases for remote science access to data acquisition and analysis systems
  • We intend to support both token-based and software-based authentication methods
  • Will take several months to roll out credentials to all VPN users
  • Currently asking users to make sure they have the root certificate from the Fermilab CA installed on the machines they will be using for token-based VPN access in the future.
  • Will be reaching out to user community to identify who needs to use VPN and what devices they will be using for this access. For example, we need to know:
    • Will users be present at Fermilab to be issued hardware tokens or are they only remote users
    • Are they using access devices with USB ports
    • Will they have access to smartphones or other devices to do software authentication

  36. Future path
  • Watch FermiNews and VPN users mailing list for updated information over next several months
  • VPN already accepts Yubikey and RSA authentication.
  • Pilot users will be issued Yubikey tokens in January; RSA tokens already available at Service Desk. Volunteers for pilot program eagerly accepted.
