Cyber Security: Identifying the Risks & Your Responsibilities SPEAKER

Transcription

1 Cyber Security: Identifying the Risks & Your Responsibilities SPEAKER 1

2 2 Cyber Breach Headlines

3 Where is the Failure? 3 Reliance on Compliance OPM Systems (and Contractors) passed compliance assessments Light or non-existent testing Many organizations are not doing testing even simple vulnerability assessments Reliance on Software to solve ALL security There is no magic bullet software is a tool, like a hammer to a builder. Its not the total solution Naivety It will not happen to me! Underestimating the threat

4 What % of Cyber Breaches Impact Small Business? a) 3% b) 13% c) 31% d) 43% 4

5 5 31% of All Cyber Attacks Occur at Companies With Fewer Than 250 Employees 5

6 Overview Defining Cyber Security Defense Strategies Hackers and the Hacker Mindset Cyber Espionage Case Exploitation and Social Engineering 6

7 Defining Cyber Security The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. (Definition from: Whatis.com) The concept to protect the confidentiality, integrity, and availability of data hosted on various information systems platforms. 7

8 Characteristics of an Organization at Risk of a Cyber Breach 8 8

9 Characteristic Cyber Risks Do You Have a Website? 9

10 Characteristic Cyber Risks Do You Rely on Networks? 10

11 Characteristic Cyber Risks Do You Generate Online Revenue? 11

12 12 Characteristic Cyber Risks Do You Control Production, Manufacturing or Supply Chain via a Network?

13 Characteristic Cyber Risks Do You Utilize an Intranet or Extranet? 13

14 Characteristic Cyber Risks Do You house personal identifiable information (PII)? 14

15 What Are The Possible Root Causes of a Cyber Breach? a) Malware b) Trusted Insider c) Hacker d) Lost or Stolen Device 15

16 16 75% of All Cyber Breaches are the Result of Human Error

17 17 Lost or Stolen Paper & Electronic Files

18 18 Lost or Stolen Smartphone, Laptop, Tablet or USB/Data Storage

19 19 s Sent to the Wrong Party

20 Why Did IT Fail to Stop The Breach? Insufficient Security Controls Lack of Expertise 3 rd Party Vetting Failure Poor Leadership Incomplete Knowledge of where Sensitive Data Exists Lack of Data Classification Lack of Accountability 20

21 What is a Hacker? Describe a hacker 21

22 22 What is a Hacker?

23 23 They Get Worse

24 What is ahacker? Kevin Mitnick Adrian Lamo Jonathan James 24

25 Hacker Categories State Sponsored Industrial/Corporate Organized Crime Hacktivists (LulzSec, Anonymous, Etc.) Trusted Insider - Intentional Trusted Insider - Un-intentional Script Kiddies (low skilled and reckless attackers using any piece of random malware code they can find, sometimes purposely provided to them by higher skilled attackers) Ethical - aka White Hat (contracted or hired to test an organization s network to find holes before a malicious attacker can) Security Researchers (research code and report vulnerabilities to the vendors to fix before it can be exploited) 25

26 Hacker Mindset Unconventional, creative, and adaptive thinking Hack All Things Mindset look at all pieces of the puzzle, every element that the desired data touches or interfaces with (and every element that element touches, so on and so forth) The Human Element: defeat and/or use a human s trust against them 26

27 What Do You Think the Cost Per Record is on a Cyber Breach? a) $37 b) $79 c) $157 d) $217 27

28 28 Average Cost Post-Breach: $217/per Record

29 How are Costs Per Record Calculated? Loss Image/Reputation Lost Time & Productivity Technology IT Audit Costs Notification Costs Consultants & Attorneys Fees Lost Revenue Regulatory Fines & Suits 11% 18% 27% 23% 46% 38% 52% Source: Ponemon Institute 2014: A Year of Mega Breaches Study Published Jan

30 Basic Hacking Methodology Information/Intelligence Gathering Vulnerability Analysis Exploitation Post Exploitation Reporting 30

31 Information/Intelligence Gathering Open Source (WHOIS, DNS, Port Scanning) Data Center Locations (Time Zones, Products, Org Charts) Corporate Communications (Websites, Format, Marketing, Lawsuits, Job Openings, Phone Trees) Government Communications (FOIA, Tax Info, Zoning Info) Relationships (Charity, Networks, Vendors, Competitors, etc.) Individuals (Social Networks, Pipl, Spokeo) Footprinting (ID ing Assets) Archived Information (Way Back Machine) Onsite Gathering (User Activities, Local Coffee Shops, Badge Usage, Security Guards, Locking Devices, Security Lighting, Dumpster Diving, Wireless Access Points) 31

32 Vulnerability Analysis Using captured information to identify potential vulnerabilities for exploitation Often done through a combination of manual review and through the use of vulnerability tools Common Vulnerability Assessment Tools General Network Scanners: Nessus, Retina, Qualys, Nexpose Web Application Tools: WebInspect, Burp Suite, OWASP ZAP Code Analysis: Fortify, Veracode 32

33 Exploitation Precision Attack/Strike Direct attack on a computer running a service that is known to be vulnerable (likely due to not being patched) Customized Exploit Fuzzing, Sniffing, Brute-force, Routing Protocol Attacks Radio Frequency (RF) Attacks Attacking WiFi, Attacking Access Points, Cracking WiFi passwords, various Authentication attacks, etc. Attacking the User DNS, Bluetooth, Rouge Access Points, Web (via XSS), Ad-Hoc Networks (fake network), Man-in-the-Middle Attacks, Social Engineering Web Attacks Injection attacks (SQL injection), Cross-site Scripting (XSS), Session Attack 33

34 Post Exploitation Establish Additional Access Channels (in case your method in is detected and closed) Elevate Privileges and Create New Accounts (or hi-jack existing accounts) Nothing is better than establishing access via a legitimate channel Penetrate Further into Network & Compromise more Systems Capture Data Exfiltration of Data, Configurations, Important Files, Auto-Start Directories Clean Up Delete logs, uninstall software, restore files, revert system and configuration changes, re-enable security systems 34

35 Reporting For a security firm: Detailed reporting on what was testing, how they may have compromised the system, and how to fix it For a malicious hacker: The organization s valuable data is stored, sold, made public, or saved for later exploitation Access to the organization s data could also be disabled and then ransomed 35

36 36 Question: What asset do you think is most frequently compromised in any organization across the globe?

37 37 Answer:

38 Social Engineering Example 1:56-3:48 38

39 What Can Organizations Do To Defend Themselves? Mitigate things that are easy targets for attackers low hanging fruit Know and Maintain Your Environment Analyze the Risk You Face Mitigate Risk Control Access Use Compliance as a Process Educate Your Users 39

40 Know and Maintain Your Environment Conduct a thorough inventory of your environment PATCH UPDATE PATCH UPDATE REPEAT!!!! All OS s, Network Devices, Applications/Software, etc. Keep Anti-Virus/HIPS Current Ensure all devices are configured correctly using security best practices 40

41 Analyze the Risk One of the main hurdles currently faced is the cost of implementing cyber security What is the most valuable data in your organization? 41

42 42 Mitigate Risk

43 Mitigate Risk: Passwords 55% percent of users have the same password for most if not all websites Do NOT use easy passwords: Password, , YourName, Dictionary Words or Information about you personally Use sentences and mix in letters and numbers My big dog, who is 8, walked down 15th street for the $. Mbd,wi8,wd15sft$. Use Two Factor Authentication whenever possible 43

44 Mitigate Risk: Smaller Environment Tips Website Internet Desktop Mobile Users Change PW Frequently Keep Basic (non PHP/Java) Don t Click on Suspicious Links Use Virus/Malware Protection Be mindful of App Permissions Train, Train, Train Don t Click on Suspicious s/Links Update your CMS Avoid Java, but keep it updated Patch All Software! Check Device Approval Security is Everyone's Jobs Use Encryption When Possible Limit Personal Info Use Complex PW s Access Controls (User/Admin) Use Screen Locks Proper Use of Internet Don t login over Public networks Have it tested for OWASP Top 10 Use 2 Factor Authentication (when available) Use EMET Consider Device encryption Limit user access based on need 44

45 Mitigate Risk: Effective Tips (Enterprise) Website Internet Desktop Mobile Users Implement VPN for External Systems Update CMS and Web Server Platform Implement thorough Inbound AND Outbound filtering at Firewall Enterprise Virus/Malware Be mindful of App Permissions Train, Train, Train Configure Filters and Security Settings Use Encryption When Possible/Digital Signatures Ensure attachments are scanned with AV Ensure Host Conducts Security Testing Use valid certificates Implement Blacklisting at Firewall Use Sandboxing When Possible 3 rd Party Testing Use 2 Factor Authentication (when available) Use Imaged Builds & Patch! Access Controls (User/Admin) Be wary of BYOD. Segregate them. Enterprise Policy and Filters Security is Everyone's Jobs Proper Use of Internet Signed Agreements Use EMET Device Encryption Limit user access based on need 45

46 Control Access Privileged User and Administrators User/Non Admin Accounts Role Based Access Control Segregate/VLANs Application Access Mobile Devices External Access 46

47 Use Compliance as a Process Compliance is designed to be performed as a continual process Create living documents of actual processes to implement security Automate compliance where possible but always conduct manual checks on tools and configurations Understand the intention of the control Compliance is not just a check in the box! 47

48 48 My organization conducts annual security awareness training. (T/F)

49 Educate Your Users People are the most vulnerable Establish a training program, keep it current Attend Training Get Certified (DOD 8570 admins) Train Everyone Test your users 49

50 50 In Summary There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don't know it. Frank Wolf

51 51 Questions