1 of 45

Cybersecurity Update 2022: The Weakest Link

James M. Dodmead, USN Retired X 2

2 of 45

Contents

This presentation provides some high level background and recommendations for you. This briefing should not be viewed as all inclusive and as you know, cybersecurity is a rapidly changing area. Contents of this presentation are listed below:

Personal Cyber-Hygiene
General
Email
Social Media
Mobile Devices
At Home
At Work

2022 Update
2022 Scams
Center for Internet Security
Workshop
Final Exam

3 of 45

Data Breach Overview (2022 Verizon Data Breach Investigations Report)

From the latest Verizon DBIR, company analysts have examined 23,896 security incidents (5,212 of which were confirmed breaches) between November 1, 2020 and October 31, 2021, and found that:

External actors are 4 times more likely to cause breaches in an organization than internal ones (internal actors can contribute by “clicking that link” or “opening that file”)
Roughly 4 in 5 breaches can be attributed to organized crime
“Financial gain” is the number one motive for the overwhelming majority of data breaches, “espionage” is in the second spot
Over half of breaches involved the use of either remote access or web applications
62% of system intrusion incidents came through an organization’s partner (mostly due to single supply chain breaches)
82% of analyzed breaches over the past year involved a human element (human error, misuse of privilege, social engineering attacks, etc.)
The vast majority of breaches include only a handful of steps, with three actions being most common (Phishing, Downloader, and Ransomware)

4 of 45

Location, location, location

When you are on the internet you are no longer in the USA; you are in Yemen, Nigeria, Russia, Iran, China and other dubious places where hacking you is not illegal; all at the same time
You are only protected by U.S. Law when you are connecting to U.S. Companies which are physically located in the U.S.A.
If you get an email that you didn’t ask for, they are trying to hack you.

5 of 45

Personal Cyber-Hygiene

Review your credit report annually. Reviewed at no charge https://www.annualcreditreport.com/index.action
Never use the same password for multiple sites, Check https://haveibeenpwned.com/ to see if your account has been compromised
Keep your operating system, browser, anti-virus and other software up to date
Verify the authenticity of requests from companies or individuals by contacting them, using independently obtained contact information
Pay close attention to website URLs. Malicious websites can use a variation in spelling (for example, .com instead of .net) to deceive unsuspecting computer users. Look for: mypaypal.com instead of paypal.com or myusaa.com instead of usaa.com, amazon.org, etc.
Set secure passwords and don't share them with anyone.

Let’s talk about Personal cyber-hygiene. You should review your credit reports every year from all three credit reporting agencies. These are not only used for credit evaluation, but auto insurance and even for my security clearance. Also, make sure that you review your credit card and bank statements every month for unauthorized charges or transfers. As for passwords, make sure you use complex passwords with upper and lower case, numbers, and special characters. You may also want to consider using a password management application. Never reuse passwords between different sites. If you do, once the bad guys have your password, they will be able to access everything. Patch, patch, patch; keep all of your systems up to date. 85% of the vulnerabilities that are exploited have already been solved, it is just that the patch had not yet been installed. Never take any significant action based on an email, social media, telephone call, or voicemail. If you get an email from anyone asking for you to take action of any kind be it sending or transferring money, giving out personal information or passing a credit card number. ALWAYS, make an independent verification such as a telephone call before you grant access to your computer, change your password or transfer money. A cracker or malicious actor can subtly change a URL and it is difficult to catch. One company sued to stop this practice, but the courts ruled that this practice is legal.

The average person has 19 passwords - but 1 in 3 don't make them strong enough - Naked Security

The average employee manages nearly 200 passwords - Dark Reading

6 of 45

Personal Cyber-Hygiene

A brute force attack is a repetitive attempt to try every possible combination of characters for a password. There are much more sophisticated ways to hack a password, but this is typically the last resort if nothing else works. Review the table, number of characters, numbers only, lower case, upper and lower case, numbers, upper and lower case, numbers, upper and lower case, and special characters. Looking at this table, in the purple area you really don’t have a password. The red you have a very weak password. You probably want your passwords to be in the Orange, Yellow or green areas. Also, as computing power increases, the time to brute force attack a password is reduced. Looks like 12 characters with upper, lower, numbers and special characters are the sweet spot at 3,000 years to brute force. A password can be up to 128 or 256 characters, and in most systems a space is an authorized character, so you can use a pass phrased if you like. The time to brute force will reduce quickly, so get a password manager and make them complex and long!

7 of 45

Multi Factor Authentication

Multi Factor Authentication (Pick 2)

Something You Know (PIN/Password)

Something you have (Hardware Token)
Something you are (Fingerprint or Iris)
Time Based One Time Password (text, email, phone call)
Password Manager

Regular Password Changes
Complex Passwords (12 Characters; upper, lower, number, special character good for 3,000 years)

There are three factors for authentication. Something you know, something you have and something you are. There is some discussion of a fourth factor, something you do (speak, walk, write, etc.) Something you know might be a password or a pin. Something you have might be a token of some sort, like the USB device in the upper right hand corner. Something you are might be a fingerprint or your iris. Many financial institutions have begun implementing a text/email/phone call time based, one time password. This has drastically improved security for them. Also, a password manager is very helpful in preventing password reuse and the implementation of strong passwords. I use 1Password, whose premise is that you only have to remember one password. You should consider regular password changes and always use a complex password.

8 of 45

General Guidance

Turn on Security features and read the setup instructions
Put IoT devices on a different network than your computers use (Most modern Wireless Access Points (WAP) have a second “guest” network which is isolated)
ALWAYS change default password on devices when placing them on your network
https://datarecovery.com/rd/default-passwords/
Ask the vendor or manufacturer for a secure configuration guide
Keep IoT software/firmware up to date

The Internet of Things (IoT) such as your smart TV, Ring Doorbell, Smart Refrigerator, Smart Sprinkler system, Digital Assistant, smart automobile, and so on. These devices may provide a back door or gateway into your network. A couple of years ago a casino lost 10 GB of their high rollers’ personal information via a wireless fish tank thermostat installed in their lobby. That is how the hackers got into the network and then downloaded all that information. Most wireless routers have a second “Guest” network that you can put your IoT devices on, which helps to isolate the IoT devices from your computers. Always, and I mean always change default passwords on devices. The datarecovery URL is one of many that lists the default accounts and password for most every device. All the bad guys need to do is figure out what make and model devices you have installed, which is trivial, and then they can try to log in with default accounts. This is hacker 101 and all YOU have to do is miss one password. Welcome to my world.

9 of 45

Email

Turn off the option to automatically download attachments
Never click on a link in an email you are unsure about. Carefully verify the URL, then copy and paste it into the navigation bar of your browser client.
Save and scan any attachments before opening them. If you have to open an attachment before you can verify the source, take the following steps:

Be sure your operating system and anti-virus software is up to date
Save the file to your computer or a disk
Run an anti-virus scan on it using your computer’s software

10 of 45

Email

Never click on a link in an email you are unsure about. Carefully verify the URL, then copy and paste it into the navigation bar of your browser client.
Hover over it and view the link to verify it.
Never click on a link in an email you are unsure about.

11 of 45

Email

When you see a link in a different color and underlined, that is a link that you can go to. The address that you can see, is not necessarily where you go. You can usually hover over a link to see where that link is really going to take you. If it doesn’t look right, don’t go there. This is one of the biggest ways that companies get hacked. Make sure that your employees and family members understand the risk of clicking on links. If you have an employee that is performing sensitive work, you may want to provide a second workstation for that sensitive work, off the network if possible. I have a separate laptop computer that I use for all my financial work. That is all it is used for. No email, no browsing, nothing but banking. You can actually get malicious software from a photograph, a video, an audio file, an office document, or even just going to the wrong website can result in installation of malicious software. On a smartphone it can be a text with a link or even if you answer a phone call on “what’s app;” hackers can install malicious software on your phone, once you have answered a call.

12 of 45

Social Media

Limit the amount of personal information you post. Do not post information that would make you vulnerable, such as your address or information about your schedule, routine or location
If a friend posts information about you, make sure the information is something that you are comfortable sharing with strangers. If not, ask them to remove it.
Take advantage of privacy and security settings. Use site settings to limit the information you share with the general public online.
Be wary of strangers and be cautious of potentially misleading or false information.

I have all but given up on social media. There are too many malicious things going on. The Chinese are watching me, maybe the Russians, 50 very attractive young women want to be my friend on Facebook, and so on. If you are traveling, always wait until you get home to post on Facebook. Someone posted a picture of us in Budapest the day we arrived and announced we were going on a 14 day River Cruise. Now the whole world knew that we were gone and our home will be empty for the next two weeks. If you are contacted by anyone on facebook or anywhere else on the internet asking for money, make sure you verify it separately. There is an interesting story about a fellow that changed girlfriends, and when he shared his Netflix account, his new girlfriend could see all the movies he had watched with his ex. This resulted in some friction, so you may want to consider the ramifications of sharing account logins. Also, if you must use social media, make sure you restrict your privacy settings so only your friends can see your posts.

13 of 45

Mobile Devices

Only access the Internet over a secure network or a VPN Connection. Public networks may expose your login information
Maintain the same vigilance you use on your computer on your mobile device
Be suspicious of unknown links or requests sent through email or text messages. Do not click on unknown links or answer strange questions sent to your mobile device, regardless of who the sender appears to be or what the application is
Download only trusted applications from reputable sources or marketplaces
Make sure you understand your exposure if you use your phone for financial transactions (CC number vis a vis direct access to bank account/ATM card or especially a business ATM Card)
Consider Disabling Push Notifications

Then there was the story about the fellow that gave his old Ipad to his child. What he forgot to do was to change the password on his cloud storage account. The child got into the icloud account and could see dad’s pictures. Then the child asked the mother “Mommy, who is that lady with daddy?” Or the fellow that let his new girlfriend have access to his cloud storage account and she got to see all the intimate pictures of him and his ex in various parts of the house that they now shared. I don’t know what happened in the first story, but in the second story, he ended up buying a hew house. As I have mentioned before, when you respond to unknown texts or emails or even voice mails, make sure you know who you are talking to. Apple is pretty good about checking apps for security, but if you have an Android, it is not so closely monitored. Be wary of Push notifications which allow you to see texts without logging in. Since this is now being used for enhanced security by financial institutions, you may want to disable that feature and require a login to see a text message just to add another layer of protection.

14 of 45

At Home

Talk to your children about Internet safety
Keep your family’s computer in an open area and talk to your children about what they are doing online, including who they’re talking to and what websites they’re visiting
Discuss appropriate internet behavior that is suitable for the child's age, knowledge, and maturity

15 of 45

My Data

According to an EU Study, the Average American’s Data is Put up for bid 747 Times a day
This Bidding Generated $117 billion last year
Your Credit Card Info goes for $8-70, Your SSN is $0.20-$5, ID, Passport, Driver’s License $1-$50 (Depending on Quality of Info)

16 of 45

At Work

Restrict access and secure personal information for employees and customers to prevent identity theft.
Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information
Verify a request’s authenticity by contacting the requesting entity or company directly via independent means (telephone call)
Immediately report any suspected data or security breaches to your supervisor, manager or law enforcement

At work you should institute a cybersecurity training program. Stress the importance of your employees knowing who they are communicating with. There was a small local company with a new employee running payroll. In response to what she thought was a request from the company president, she had sent him all the company’s W2s. She later saw him in the hallway and asked if he had received all the W-2s. He didn’t know what she was talking about and told her that he never asked for them. Unfortunately, it was her second week on the job and she was now beginning a new job search because she just cost the company $130 thousand dollars. It never hurts to pick up the phone and verify that they actually sent you that email or text, before taking action on it. Especially when dealing with sensitive information. Oh, and ensure that YOU make the call. There have been significant strides in creating voice files that sound exactly like a given individual. There was another case where an employee acted on a voice mail from the CEO, (he thought) and transferred $150,000 to an outside account. I’m not sure if he still has his job.

17 of 45

At Work (continued)

Be aware that both smart phones and personal assistants (e.g., Alexa, Siri, Google, etc.) are listening devices
Do not conduct sensitive conversations with Smartphones or Personal Assistants in the room
Vulnerability Summary https://www.kb.cert.org/vuls/bypublished/desc/
Print Nightmare
Pulse Secure VPN
Patch, Patch, Patch

18 of 45

18 Secrets from People that Never Get Hacked�Wired Magazine: Joe McKinley Updated: Feb. 02, 2022

They never shop on a website with an “http” URL
They only use trusted apps
They use a VPN
They don’t use debit cards for online purchases
They use two-step verification
They protect their credit card info
They lock out lost devices
They protect their passwords
They use password managers
They don’t click unknown links
They avoid connecting to public Wi-Fi
They take precautions when using connected devices
They are aware of data breaches
They are wary of random outreach
They don’t use public chargers
They update their security software regularly
They come up with creative answers to security questions
They keep things manual

So you should look in your browser navigation bar for a padlock, or a HTTPS URL. Never arbitrarily download apps without verifying security. I personally don’t use any financial apps on my phone or tablet, I work with the people that develop applications. You should always use a secure Virtual Private Network connection. I use express vpn, which provides secure connections for 5 devices for under $100 a year. Never use Debit Cards for online transactions. If you do decide to use a Debit Card, contact your financial institution to make sure that you understand what your exposure is. If your financial institution offers it, always use the MFA, text, email, or phone call; this is a Time Based one time pass code. Be sensitive to credit card information, never throw away statements, always shred them. Use a password Manager. As I said, I use 1Password and it is under $70 per year for my family. Never click unknown or suspicious links. If you connect to public wi fi such as the airport or coffee shop, immediately connect your VPN to hide your traffic. When using connected devices such as cell phones, televisions, refrigerators and so on, be careful not to enter any sensitive information. Consider any recent data or system breaches that may affect you and consider changing any passwords related to the breach. Whenever you get an unsolicited letter, email, text, phone call, always be wary of the source and don’t take any action on that correspondence before independently verifying it. Whenever using a public charger, always use a data blocker, which is widely available. See the upper right corner for a sample. Always, always, always patch all of your software, not just your security software. Number 17 is hard to keep track of and I try to make sure that the questions that I answer are near impossible to find on the internet. Finally, turn off any automatic downloads or accesses from cloud systems. Do it manually when you need that feature.

19 of 45

2022 Update Topics: Vulnerabilities

This is a table of vulnerabilities discovered over the last 21 years. You can see that there has been a significant increase in the number of vulnerabilities found. This can partially be attributed to the focus on cybersecurity since the “Year 2000 debacle.” There were 18,378 vulnerabilities found in 2021, which works out to 50.4 vulnerabilities identified every day of the year. High severity vulnerabilities were down slightly, but the totals remained roughly the same from 2020 to 2021. A total of 240,405 vulnerabilities have been found as of 3 October 2022. The last time I estimated that number that there are, it was about 2 million, so there are about 1.8 million vulnerabilities that haven’t been reported. They may have been discovered, but are now being sold on the black market.

20 of 45

2022 Update Topics: Network Sharing

Sidewalk

Amazon Sidewalk is a shared network that helps devices like Amazon Echo devices, Ring Security Cams, outdoor lights, motion sensors, and Tile trackers work better at home and beyond the front door
Amazon just decided that they would start sharing your wireless network with other Echo/Ring users in your area
It can be disabled
Recent research revealed Alexa and other voice assistants monitor and record conversations up to 19 times a day

https://www.zdnet.com/article/working-from-home-switch-off-amazons-alexa-say-lawyers/

Last year Amazon just decided that they would start sharing your wireless network with your neighbors. You didn’t have to opt in, but if you had an extra hour or so to waste, you can opt out. Also, as I mentioned before, Alexa and other personal digital assistants are always monitoring your conversations in order to ensure that they do not miss your requests; most digital assistants are always listening or randomly listening. This will ensure that when you are talking about a new sweater or jacket, they can add it to your shopping list without you having to ask. Whenever you are conducting a sensitive conversation or meeting, you may want mute or unplug the device. You will never going to commit the perfect crime if Alexa is listening. Trust me: Law enforcement is all over it. Also, you should consider your smart phone as another monitoring device. Never have a sensitive conversation with your phone in the same room. Turning it off is not good enough, nor is taking out the battery.

21 of 45

2022 Update Topics: Devices

Monitoring Devices

Computer with Camera
Television With Camera
Smartphones
Fitness Watches
Game Consoles with Cameras and/or microphones
Tablets with Camera
Smart Speakers
Smart Doorbells
Automobiles with Onstar or similar services
MP3 players with microphones
Smart Appliances responding to voice commands
Next Year: Who Knows?

22 of 45

2022 Update Topics: Ransomware

Ransomware: https://ransomwhe.re/

$128,102,319.80 paid in ransom as of 9/21/2022

1. MAKE SURE YOUR ANTIVIRUS SOFTWARE IS UP TO DATE

2. UNDERSTAND WHAT'S HAPPENING ACROSS THE NETWORK

3. SCAN AND FILTER EMAILS BEFORE THEY REACH YOUR USERS

4. HAVE A PLAN FOR HOW TO RESPOND TO A RANSOMWARE ATTACK, AND TEST IT

5. THINK VERY LONG AND HARD BEFORE YOU PAY A RANSOM

6. UNDERSTAND WHAT YOUR MOST IMPORTANT DATA IS AND CREATE AN EFFECTIVE BACKUP STRATEGY

7. UNDERSTAND WHAT'S CONNECTED TO YOUR NETWORK

8. MAKE IT HARDER TO ROAM ACROSS YOUR NETWORKS

9. TRAIN STAFF TO RECOGNIZE SUSPICIOUS EMAILS

10. CHANGE DEFAULT PASSWORDS ACROSS ALL ACCESS POINTS

11. APPLY SOFTWARE PATCHES TO KEEP SYSTEMS UP TO DATE

Here are some tips on the ubiquitous ransomware threat. It is easy to get and plant ransomware, with a potentially very high payoff for the perpetrators. Most ransomware is initially planted by someone clicking a link in an email. Train your staff to be wary of clicking links and opening files of any kind from an unknown source. Also, make sure that you have an effective, and regularly tested system backup. This is the easiest way to make sure that you can recover from a ransomware attack. Also, make sure that your backup is not accessible via the network. Most recent ransomware attacks start by encrypting network files first in order to ensure that your online backups are not available for recovery. Ransomware gangs are now downloading all the data, before they encrypt your copy. Once your data is encrypted, they ask for a ransom for the key to decrypt your data. Next, they want another ransom to pay them not to post your data online. Finally, they go to your business partners ask them for a ransom to not post their data. Another technique that they are testing is threatening to destroy your data and asking for a ransom; if you don’t pay up then they will get rid of your data. Very Scary. The average ransomware payout is now $229,000.

23 of 45

2022 Update Topics: Brushing

Brushing Scam: If you receive an unexpected package, you may be the victim of a Brushing Scam

Vendors may send a package in order to bolster their reviews
This practice is illegal in the U.S.
It may indicate that your personal information has been compromised
If you receive an unsolicited package you can keep it, discard it or try to return it
Monitor your financial accounts (bank and credit cards) to ensure that you were not charged for the item

24 of 45

2022 Update Topics

Identity Theft, Phishing and Pharming: Scammers gain access to your confidential information, like social security numbers, date of birth and then use it to apply for credit cards, loans and financial accounts. Typically, the victim receives an email that appears to be from a credible, real bank or credit card company, with links to a website and a request to update account information. But the website and email are fakes, made to look like the real website.

Phone scams: Scammers call anyway, of course, and they've even found a way to scam consumers by pretending to be a government official calling to sign you up or confirming your previous participation on the Do Not call list! A good example of this is the "Your Microsoft license key has expired" scam call - which you can hear and read about on this page: https://www.microsoft.com/security/blog/2014/06/26/is-that-call-from-microsoft-a-scam/ .

If you are like me, your information has been stolen many, many times. The good news is that most credit companies now notify you if there is an account requested in your name or if there is a credit record check. You may get a Phishing email luring you in to click a link, or they may just plant software on your machine to obtain your sensitive information. This is referred to as Pharming. Once again, the phone call could be from the local Sheriff wanting your credit card number since you missed jury duty. Pay up or go to jail. Or it could be the Microsoft help desk wanting money to renew your license. Ask them to send you a letter and hang up. If you are nervous about it, call the local Sheriff about any of these type calls you receive. This may give them information needed to warn other people before they get scammed.

25 of 45

2022 Update Topics: Zelle

Zelle is a free phone app that allows transfering funds between bank accounts at no charge
Zelle Users have Lost Thousands of Dollars in Money-transfer Scams
In 2021 users sent $490 Billion through Zelle ($230 Billiion in Venmo)
Generally the Scams begin with Social Engineering and an urgent need for a funds transfer such as having your power cut off
Protect Yourself:

Don’t Respond to Unsolicited Texts or Emails

Watch for Urgent Requests from new Respondents
Never Give Anyone Your Two Factor Authentication Code
Use Zelle for Transfers only to People or Businesses that you know and trust

26 of 45

2022 Update Topics: QR Codes

Quick Response (QR) Codes can be used to take you to a restaurant menu, a business website, a phone number, email address and so on
Within the past few years, the popularity of QR codes has exploded. Not only do you see them in many stores at the local mall, but now they are scattered across magazines (and even junk mail)
QR codes are a specially formulated bar code that a smart phone’s camera/operating system converts into an Internet hyperlink to display something onscreen
Criminals can also use QR codes to steer victims towards malicious websites – and some QR code apps have been found to contain malware

https://gcn.com/cybersecurity/2022/04/how-qr-codes-work-and-what-makes-them-dangerous-computer-scientist-explains/364152/

27 of 45

2022 Update Topics

Internet merchandise scams: You purchase something online, but it is either never delivered or it is not what they claimed it was, or is defective. Online shopping, and other shop from home, such as catalog, mail and phone shopping scams are on the rise. Remove your Personal Information From Google Search:

Type something into the world’s most popular search engine and you will likely find it – to include some of your PII. Google has long-provided a mechanism to remove data from its search engine database – but now has expanded that capability to permit individuals to request their PII to be removed (good news for INFOSEC-minded individuals) https://support.google.com/websearch/answer/4628134?hl=en#zippy=%2Cremove-image-with-sensitive-financial-medical-or-national-id-info

28 of 45

2022 Update Topics

Credit Bureaus and related credit scams: �Credit/debit card fees, pay day loans, credit repair companies and unauthorized use of credit/debit cards. Some of these complaints involved hidden fees and billing disputes as well. Phishing/Spoofing Emails: �Emails that pretend to be from a company, organization or government agency but ask you to enter or confirm�your personal information

Online Credit Card Processing: �Since 2019 Tens of Millions of $s have been charged via fake websites using stolen credit card numbers. BE SURE TO REGULARLY REVIEW YOUR CREDIT CARD STATEMENTS!!!

29 of 45

2022 Scams: More Information

U.S. CERT bulletins on Scams: https://search.us-cert.gov/search?utf8=%E2%9C%93&affiliate=us-cert&query=scams

The hot spot imposter (He’s close, real close) https://search.us-cert.gov/search?utf8=%E2%9C%93&affiliate=us-cert&sort_by=&query=wireless+scams

30 of 45

2022 Scams: Don’t Say “Yes”

Voice Recording: Can you hear me? If you hear that, just hang up. The person on the other end will be recording the call, and would then use the track of you saying “yes” to access your sensitive information. How? The three-letter word is used frequently by companies to confirm account changes, security settings, and purchases, giving the scammer extensive access to your stuff.

https://www.rd.com/article/four-word-phone-scam/?_cmp=readuprdus&_ebid=readuprdus422021&_mid=408088&ehid=e3eaae2d9e21610b7f3b5290e7d22d6a573ca180

31 of 45

Workshop

What shall I do with this email?

32 of 45

What did we learn?

Final Exam

Question 1

What are the two main takeaways from this presentation?

33 of 45

What did we learn?

Independently verify any transaction (text, email, voice mail, etc.) before acting on it.

34 of 45

What did we learn?

Do Not Click on that Link!

(Unless you are sure about it)

35 of 45

What did we learn?

Final Exam

Question 2

What is the cybersecurity weakest link?

36 of 45

What did we learn?

You

(the user)

37 of 45

Got Questions?

Questions?

Secure@CYBERDEF.BIZ

Cybersecurity Assessment, Staff training, IT Consulting,

System Hardening, Data Recovery, Intellectual Property/Data Loss

38 of 45

CSAM 2022

39 of 45

Got Questions?

Backup Slides

40 of 45

History

The Wild, Wild West

1903 A magician “trolls” John Fleming's demonstration of wireless telegraphy by sending insulting Morse code messages
1939 Polish cryptologists developed the “Bombe” to break the Enigma machine reliably
1943 René Carmille, comptroller general of the French Army, hacked the punched card system used by the Nazis to locate Jews
1957 Joe "Joybubbles" Engressia, a blind 7 year-old boy with perfect pitch discovered that whistling 2600 Hz opened AT&T's telephone systems, creating “phreaking”
1967 The first network penetration took place when a computer club at a Chicago high school was given access to IBM's network

In 1903 John Fleming preparing for his demonstration of sending Morse code, wirelessly, over long distances for the first time: then it happened. The apparatus began to tap out a message: “Rats. Rats. Rats.” Then a poem came in: “There was a young fellow from Italy (Marconi), who diddled the public quite prettily…” They were being trolled. Therefore the first trolling incident occurred 117 years ago. One of the greatest heroes of World War II was Rene Carmille, French Army Comptroller. He is often credited as “the first hacker” for his work in defying the Nazi’s by using the IBM system that was used to track down French Jews. Not only did Rene withhold information about Jews from the Nazi’s, but he used “data mining” to find thousands of ex-French soldiers who might be good recruits for the French Resistance. Seven year old Joybubbles started the phreaking “phenom” of getting a dial tone to access the telephone system for free, simply by whistling a tone of 2600 hertz.

41 of 45

History

The Creeper virus detected on the Advanced Research Project Agency Network (ARPANET) in the early 1970s.
In 1985 a coworker and I unknowingly hacked into a highly classified system in the Philippines
The Iloveyou virus that was all over the news in the year 2000. This worm originated in the Philippines and as daybreak moved west to Hong Kong, to Europe, and finally to the U.S. The outbreak cost $5.5-8.7 billion in damages and another $15 billion to remove the worm.
Russia's 2007 cyber attack on Estonia is considered be the first volley in cyber warfare, U.S. officials concluded that cyber attacks had become a staple of modern warfare.

Here are some more milestones associated with Cybersecurity. We see the first virus, the Creeper, as early as 1971. Creeper was an experimental self-replicating program written by Bob Thomas at Bolt, Baranek, and Neuman Technologies in 1971. In 1985 a couple of us sailors (me and another guy) wanted to test a computer we had installed and guessed the password. Imagine our surprise when it came up and told us it was at a higher classification than either of us were authorized for. I turned us in, but leadership took care of it. In 2000, you probably remember the Iloveyou virus that spread like wildfire and caused billions of dollars of damage. The dawn of Cyberwarfare was in 2007 when Russia attacked Estonia and again in 2008 when Russia attacked Georgia. In honor of the Dawn of Cyberwarfare, NATO Cyber headquarters is located in Tallinn, Estonia. Today we see evidence of cyberwarfare and hacking every day on the news.

42 of 45

Evolution

Organized Crime

1989 The detection of AIDS (Trojan horse) is the first ransomware detection.
1994 Russian crackers siphon $10 million from Citibank and transfers the money to accounts in Finland and Israel. He is sentenced to three years in prison and authorities recover all but $400,000 of the stolen money
2003 The hacktivist group Anonymous was formed
2004 North Korea claims to have trained 500 hackers who successfully crack South Korean, Japanese, and their allies' computer systems
2004 A spear phishing incident at the Office of the Secretary of Defense steals sensitive defense information, leading to significant changes in identity and message-source (HSPD 12)

AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a trojan horse that would count the number of times the computer has booted. Once the boot count reached 90, AIDS hid directories and encrypted the names of all files on the C: drive. $189 was the charge to get your data back. As for the $10M stolen in 1984, from Citibank, the perps were all busted and did hard time. Anonymous is a decentralized international hacktivist group that is widely known for its various cyber attacks against governments, corporations, and even the Church of Scientology. This organization has resulted in the term “hacktivist.” Bureau 121 is a North Korean cyberwarfare agency. Cyber operations are a cost-effective way for North Korea to maintain an asymmetric military option, as well as a means to gather intelligence. The last incident at OSD resulted in Homeland Security Presidential Directive (HSPD) 12 requiring significant effort in identification and Access Management for which we have spent billions to implement.

43 of 45

Evolution

Dawning of the Age of Cyber-Warfare (Nation States)

2008 Around 20 Chinese hackers claim to access to the world's most sensitive sites, including The Pentagon. They operated from an apartment on a Chinese Island.
2010 The Stuxnet worm is found. Stuxnet was unusual in that while it spread via Windows computers, its payload targeted just one specific model and type of SCADA system. It slowly became clear that it was a cyber attack on Iran's nuclear facilities
2012 Computer hacker sl1nk announced that he has hacked a total of 9 countries' SCADA systems. The proof includes 6 countries: France, Norway, Russia, Spain, Sweden and the United States (almost all major utilities, ships, cities, airlines, etc. use SCADA)
2016 July 22: WikiLeaks published the documents from the 2016 Democratic National Committee email leak

In 2008 Chinese hackers attacked the U.S. Government, DoD, Senator McCain, President Obama, the NY Times, on orbit satellites, the Washington Post and probably a bunch of other places we are not aware of. You’ve probably heard of STUXNET where the Iranian nuclear enrichment capability was attacked. Supervisory Control and Data Acquisition (SCADA) generally controls nuclear power plants, water treatment/distribution, power plants, power distribution, sewage treatment, ships, and even airplanes. Don’t believe me? do a search on “Planesploit”, but after you see what it can do don’t plan on ever getting on a commercial airliner. SCADA is a control system created with almost no security, which many companies unwittingly connect to the internet. Security for this technology is being improved, but it takes a lot of work to secure 60 year old technology that is being used all over the planet.

44 of 45

Risks and Mitigations (Overview)

Ransomware: Criminals Encrypt your data

Resulting in Loss of access to data.

Can be mitigated through Frequent File Backups

Loss of Intellectual Property: Someone steals your work.
To mitigate Encrypt and/or Isolate from network and users
Critical National Infrastructure: Damage to Power, telecommunications, highways,

water, hospitals, fire departments,

police departments

Isolate from Global Network Access

And “Bake In” security

This is a partial list of risks and what could be done to control those risks. Everyone knows what needs to be done for these attacks, but it all costs money. To mitigate the results of a ransomware attack, you should take frequent backup copies of your data. In order to protect your intellectual property, you want to encrypt your data or keep it off the network. Critical National Infrastructure is a lot more fragile than you think. Many of these large scale systems like factories, water or fuel distribution plants, national power grids, natural gas distribution pipelines, and so on are controlled by SCADA systems, which was developed in the 60s. This was before anyone thought that their system would be accessible via a global network. A good example of intellectual property theft is in the lower right hand corner. The left photo is the U.S. Space Shuttle, the center picture is the Russian space shuttle, and the right picture is a mock up of the Chinese space shuttle. When I see these pictures, the term “stolen intellectual property” comes to mind.

45 of 45

Risks and Mitigations (Overview)

Cyber Warfare: Critical to National Defense; DHS, DoD and Each service now have a Cybersecurity Organization to monitor and defend government/commercial/military cyber resources
Financial Institutions: Inability to conduct commerce could

Wreak Havoc on our Country

Need to significantly improve security on banking and other financial networks. (Smart Cards/Multi Factor Authentication via email or text)
National Intelligence: Every time there is a loss of intelligence

documents we lose invaluable national resources

Stop the leaks

There is DHS, U.S. CERT, and DoD Cyber command provide oversight to all national cyber services in order to protect networks and systems. Financial systems are critical to the world. Imagine if credit cards or ATM cards could not be used. It is impressive that the financial industry has started using smart cards and multi factor authentication, by sending an email or a text with a time based, one time password. I suspect that has dramatically improved the security of the financial system. The loss of National Intelligence can be catastrophic. We have people all over the globe that are in clandestine roles in our national interest. The loss of intel could potentially expose clandestine operatives to fatal risk. Also, the exposure of our sources & methods may render them useless for future intelligence efforts.