FortConsult. IT Security

Transcription

1 FortConsult IT Security

2 Who am I? Jan Skovgren - jsk@fortconsult.net Principal Security Consultant, FortConsult Has worked dedicated with cyber security since 2005 Specialist in web application security, network security and Social engineering GIAC Certified Penetration Tester GIAC Web Application Penetration Tester Performed various pen tests worldwide For small, medium and large companies (banks, insurance companies, pension companies, industrial corporations etc.) Freeletics fanatic

3 FortConsult Global IT-Security company, HQ Copenhagen Delivering security assessment, review, test and incident response Working with financial, government, tech and top 100 companies worldwide Owned by NCC Group PLC, 1500 skilled security professionals in 18 location World largest team of penetration testers

4 Agenda (questions answered) What is social engineering (SE)? Why do attackers rely on SE? How do attackers perform SE? What is the impact of a SE attack? Prevention and mitigation advice

5 What s going on? Verizon Data Breach Report (DBIR) Global trends Denmark is included! The top three industries affected are the same as previous years: Public, Information, and Financial Services.

6 What - Social engineering

7 What - Social engineering Hacking human minds Attacks security at its weakest link: People. Any act that influences a person to take an action that may or may not be in their best interest. Quote

8 Why - Social engineering

9 Why - Social engineering Why hack web servers or networks when you can hack humans? Little or no awareness We are very trustworthy in Denmark (good and bad) Organizations are hard outside, but soft inside Using a combination of attacks AV not detecting malware (70-90% NOT detected)

10 Social engineering methodology

11 Social engineering methodology Information Gathering Corporate & personal websites, blogs etc. Document metadata Search engines Whois & domain registration records DNS records Social media Public records

12 Social engineering methodology Reconnaissance Google Street View Google Maps Satellite View Physical walk or drive by Telephone reconnaissance Trash bins(a.k.a dumpster diving) CCTV location, securityguards, door entry systems etc Unprotected entrances, fire exits, unmanned receptions etc. Weak entry points such as open windows(usually out of scope for breach) Times of busy or quiet periods, lunch breaks etc. Location of smoking areas, car parking etc. Surveillance will be mostly covert. Taking pictures of buildings, staff ID badges, delivery points etc.

13 Social engineering methodology Breach Gain network access Work at a staff unattended desk Install a rogue access point Remove specific equipment Make external calls from office equipment Reach sensitive areas of the building, serverroom, mail room etc. Phish credentials or perform client exploits

14 Dissecting a social engineer

15 Dissecting a social engineer

16 Dissecting a social engineer

17 Social engineering three main attacks

18 Client Side Attacks Phishing for credentials Malicious attachments Instructing users to install or run malicious software Exploiting browser related vulnerabilities Malicious USB sticks etc.

19 Phishing mail

20 Phishing mail statistics Source Verizon data breach report (

21 Phishing - statistics 23% of recipients now opening phishing messages 11% clicking on attachments 10 s yields a greater than 90% chance that at least one person will click You have to move fast! Median time-to-first-click coming in at one minute, 22 seconds 50% of users open s and click on phishing links within the first hour 66% of incidents that comprise the Cyber-Espionage pattern have featured phishing. Source Verizon data breach report (

22 Phishing - mail

23 Phishing - web site

24 Phishing - victim view - web site

25 Phishing - victim view - after login

26 Phishing - attacker view - browser hook

27 Phishing - attacker view - run executable

28 Phishing - attacker view - captured screenshot

29 Phishing - attacker view - webcam

30 Phishing - attacker view - credentials verified

31 Malicious USB sticks Rubber-duck Keyboard emulating starting writing commands Payload downloaded from internet Delivery guy (wine, flower) Leave at: parking lot, elevator, reception etc.

32 Malicious USB sticks

33 Physical Intrusions Tail gating staff (also secured doors) Unprotected entrances, fire exits, unmanned receptions etc. (just walk in or blend in) Gain entry under pretext situation, i.e. electricity meter reader, unannounced quality check from cleaning company, confused foreigner etc. Use of fake ID badges or uniforms etc. Use of obtained door entry fobs or access cards

34 Telephone Attacks (vishing) Calls into organization under relevant pretext, i.e. impersonate staff member calling IT helpdesk for password reset or setup a site visit. Eliciting useful information, i.e. internal building layout, names or job titles of staff, additional telephone numbers for further attacks etc. (receptionist name) Off-site wingman, providing off-site standby cover should the need arise. i.e. to provide confirmation of the legitimacy of a pretext

35 So what is needed for a breach? One click on a link and exploit known or zero-day vuln One run of a malicious file One inserted malicious USB (rubber duck) One DHCP network socket in a meeting room Compromised user è Compromised client è Compromised server è Compromised network

36 Prevention and Mitigation Advice Adopt a security culture from the top down Top down leadership is vital Everyone has to be encouraged to be security conscious Ensure security policies and procedures include cover for social engineering vectors Implement & enforce clear desk policies Implement & enforce visible staff ID badges (to be removed outside buildings) Report detected social engineering attempts to security officer Report mistakes or suspected mistakes to security officer Regularly audit policies and procedures Regularly assess your controls

37 Prevention and Mitigation Advice Training Staff Train staff to increase awareness Training to include phishing attack techniques, how to spot them, how to handle and report attempts Training on physical security, tailgating and social engineering etc. Assess Staff Assess staff through simulated social engineering attacks on a regular basis

38