CYBER SECURITY AWARENESS MONTH CPT Wilson Bautista, NCNG Cyber Network Defense Team

Transcription

1 1 CYBER SECURITY AWARENESS MONTH 2015 CPT Wilson Bautista, NCNG Cyber Network Defense Team

2 2 Disclaimer The views and opinions expressed in this presentation are the personal views of the speaker and do not necessarily reflect the views, policies, or procedures of the State government of North Carolina, North Carolina National Guard, or the speaker s present or past employers.

3 3 Prelude Malicious Internet Activity in 2015 US Department of Office Personnel Management (OPM) Anthem Insurance Ashley Madison

4 4 What is a hacker? Merriam Webster defines as a person who secretly gets access to a computer system in order to get information, cause damage, etc. : a person who hacks into a computer system a person who plays a sport badly Different Types of Hackers White Hats = Good Guys Gray Hats = Opportunists Black Hats = Bad Guys (Cyber Criminals)

5 5 What are cyber criminals trying to achieve? Steal Usernames and Passwords Steal Credit Card Information Steal Social Security Numbers Steal Bank Account Information Popularize Personal/Religious/Political agendas Aim to defame or embarrass people, governments, and ideologies

6 So why are we here? 6

7 7 Tenets of Good Information Security Awareness Password Usage and Management Protection from viruses, worms, Trojans, and malicious code Report suspicious activity Unknown s and unknown attachments Desktop security

8 8 Information Security Awareness Topics- Review Passwords Change often Make it complex Do not share with anyone Protection from malware Update your antivirus Scan often Report Suspicious activity Physical security Logical security Unknown s and attachments Open at your own risk or delete Don t click on links in the Don t download or open any attachments from unknown sources Desktop Security Lock your screen when you leave your area Take your CAC card!

9 9 What are we trying to achieve? Security for the State Awareness of malicious activity Don t share your password Change your password Make your password more complex Etc.

10 10 My question to you is. Do you apply what you ve learned about cybersecurity awareness at home?

11 Topic for today is. 11

12 12 What is Social Engineering? Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker. -Kevin Mitnick

13 13 Common Misconceptions Cyber criminals are basement dwelling beings who still live in mom A hack or a breach is a singular time event Your work life and your private life are separate entities and will never cross

14 The reality is Not everyone who is information security is a typical IT guy Social engineering activities can be performed by anyone Hacking is much more than using computers..

15 15 The Reality- A hack or a breach is a singular time event The use of unauthorized methods to gain access, control, and to exfiltrate data from a computing system Oceans 11 Hired personnel with expertise in different skill sets Studied their target Reconnaissance Social Engineering Open Source Intelligence Identified vulnerabilities Exploited vulnerabilities Exfiltrated and covered their tracks

16 Ocean s 11 Danny Ocean (George Clooney) and Rusty Ryan (Brad Pitt) Reuben Tishkoff (Elliott Gould)- Insider/ Financier Linus Caldwell (Matt Damon)- Pick pocket Saul Bloom: Playing Lyman Zerga, an arms dealer with a special delivery he needs to be located in the casino-vault. Basher Tarr: Basher is the munitions expert of the team. Frank Catton: Inside man at the Bellagio, game host in Bank s casino. The Malloy Brothers: Talent to adapt to any character. The Amazing Yen: The grease man by Danny and Rusty, brought in for his flexibility and short posture Livingston Dell: Livingston is the tech-guy

17 Ocean s 11- Relation to Social Engineering Planning and Preparation There was an idea to steal money from 3 casinos = Crown Jewels Info Gathering and Analysis The team needed to understand the environment Info Gathering + Insider Information Vulnerability Assessment (Reconnaissance) The team had to find gaps in the casino defense Social engineering + Masquerading (Casino employees) Rehearsed the plan prior to execution Penetration Attempt Issued Orders and Supervised Everyone executed their role in disabling the layers of defense through: Social Engineering, Masquerading, Infiltration, Distracting Cleaning Up Any evidence is removed Clean exfiltration

18 18 The Reality- Everyone here is a social network Cyber criminals are constantly finding ways to get information from you (Government or Personal) Facebook LinkedIn Myspace How about information from your family? Facebook Instagram Twitter Chat Rooms FaceBook Messenger

19 19 Social Engineering via Social Media Scenario #1- I m your friend! Let s talk! Facebook messenger is a convenient platform to connect with your contacts Typically you trust the people you connect with. Cyber criminals are trying to take over as many computers to do malicious things with and it s as easy as a click of a link Take advantage of people not updating their browser s security Will download Trojans and other things you don t want Make you a part of their network of computers they ve taken control of Steal your account credentials and start talking to your friends.

20 20 Social Media as an Attack Vector -Name -Contact Info -Friends/Family -Pictures

21 21 A Social Engineering True Story Method: 1. Contacted via Facebook Messenger 2. Small Talk Establish Rapport and Trust Motorcycles Next Deaf Event 3. Build Interest In Something 4. Sent a Link 5. Asked if I clicked it Information: 1. Family 2. Friends List 3. Photos (Tagged) 4. Locations 5. Likes 6. Dislikes 7. Shares 8. Posts

22 22 A Social Engineering True Story Method: 1. Contacted via Facebook Messenger 2. Small Talk Establish Rapport and Trust 3. Build Interest In Something 4. Sent a Link 5. Asked if I clicked it What is scary: 1. Knows our Families 2. His Friends List 3. Photos (Tagged) Info on current or related events 4. Locations Info on places we ve been 5. Likes/Dislikes/Shares/Posts Info on similar interests

23 Scenario 2: Free Wifi 24

24 Which would you choose? 25

25 Scenario 2: Free Wifi 26

26 27 Scenario 2: Free Wifi Man in the Middle Attack

27 28 So let s talk about how. Your work life and your private life are separate entities and will never cross

28 29 Bringing it all together. How does all of this really tie into my work?

29 30 Scenario 3 We don t like X about North Carolina s government and we are bent on trying to ensure that they are embarrassed. Not Credit Card Information or Social Security Numbers! Target: Gather as much personal contact information of residents of NC and send malicious texts.

30 How an attacker would do it. 31

31 32 Sequence of Events- Information Gathering and Vulnerability Assessment Find employees of the NC government that would work in IT as an administrator on LinkedIn Google Find family or friends for an social media attack vector Engage them Social Engineering Create fake accounts on social media Infect their systems AV isn t up to date Take control of their home networks Keylog credentials and passwords Find the Username/Password of the administrator(s) and employees Find that you can hop between departments

32 33 SOE- Exploitation During information gathering Administrators in different departments do not have passwords that expire Administrators have the same username and passwords on all their servers Employees have multiple usernames and passwords for their accounts in a single document Exploitation Collect all contact information of every state employees via Department of Education

33 34 The Attack Once a large amount of information is collected: Send texts masquerading as the Department of Emergency Management Message says: The State of North Carolina is currently in a state of emergency due to the lack of X.etc. etc. etc. Would a breach in the network and the use of information against the government be an embarrassment?

34 35 The next steps Take the training that you ve learned about information security and apply it to your personal life Take a moment to train your family on the importance of information security Talk about internet safety Google yourself Decrease your internet footprint Don t download illegal material! Change your passwords often Be cautious but not paranoid

35 Questions? 36