Cyber Security AMSC FM Training Symposium Alex Roosma, 1st Lt, USAF Land of Lincoln (LoL) Chapter of the American Society of Military Comptrollers (ASMC) half-day Financial Management Training Symposium on Thursday, 6 March 2014, at the Scott Club, Scott AFB, IL from 0730 to 1215 Alex Roosma, 1st Lt, USAF 6 March 2014

Overview Real-world cyber attacks Hacker methodology How to protect yourself and others Resources Questions Cyber security is a vastly expansive field that touches just about everything we do from waking up to our cell phone to checking email at work to falling asleep to Netflix at night. We’ll cover just a glimpse of how cyber can and does affect our daily work lives.

Real-World Examples Recent High Profile Breaches: Adobe user passwords Target US Dept of Energy LivingSocial Snowden Leaks New York Times AHMC Hospitals Breach Cyber attacks are a reality today, it is easy to perform a Google search and see many results and these stories are becoming very common in the news headlines, almost regularly. Here are some of the recent and REPORTED high profile network attacks representing various forms of attacks. Potential attacks include our SCADA or ICS (Industrial Control System) networks which can yield some very kinetic results. Specifics: Adobe – 150 million account credentials Target – Millions of credit cards and associated PINs US Dept of Energy – AHMC Hospitals Breach – In October 2013, more than 729,000 patients were put in jeopardy when two unencrypted laptops were stolen from California-based AHMC hospitals. Private patient information, including patient names, Social Security numbers and diagnostic and procedure codes, was compromised in the theft, affecting six major health institutions overall. Living Social – Encrypted password theft New York Times – Chinese hackers were able to access any computer on the Time’s network for 4 months

Hacker Motivations Motivations for network attacks: Money – Selling financial, personal or corporate information Fame – Kevin Mitnick Ideology – Edward Snowden, Anonymous Money – selling credit cards on the black market [dollar signs and something representing personal info] Fame – Kevin Mitnick [Hollywood star and news headline] Ideology – Edward Snowden, Anonymous aka Hacktivism [Anonymous mask] Mitnick served five years in prison—four and a half years pre-trial and eight months in solitary confinement—because, according to Mitnick, law enforcement officials convinced a judge that he had the ability to "start a nuclear war by whistling into a pay phone",[9] meaning that law enforcement told the judge that he could somehow dial into the NORAD modem via a payphone from prison and communicate with the modem by whistling to launch nuclear missiles.[10] He was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone.dward Snowden or WikiLeaks

Attack Vectors Social Engineering Fraudulent Website Phishing Malicious Code Insider Threat There are many ways to get into a computer network. Nothing is safe unless it is unplugged.

Reconnaissance Scanning Exploit Keeping Access Covering Tracks Anatomy of an Attack Reconnaissance Scanning Exploit Keeping Access Covering Tracks

How to protect yourself and others Be aware of attack vectors Phishing Social Engineering Email Attachment Malware Websites (just because you can get to a site at work doesn’t guarantee its safety) Secure your password Not guessable from your social media profile Employ a password manager Secure Personal Identifiable Information (PII) Keep data at rest encrypted Encrypt email messages or use AMRDEC SAFE: https://safe.amrdec.army.mil/safe/ Be aware that you are a target at home as well as at the office as a member working for the government. Through social media, it is very easy to identify who works where and what information they might be privy to. SAFE is designed to provide AMRDEC and its customers an alternative way to send files other than email. SAFE supports file sizes up to 2GB.

Resources http://www.staysafeonline.org/ http://www.getnetwise.org/ http://www.onguardonline.gov/ http://www.ikeepsafe.org/ For those of you with children, these sites give you great ideas of how to explain security and online safety to them, in addition to providing practical implementation advice.

Questions ?