A New Era. A New Edge. Phishing within your company

Transcription

1 Phishing within your company

2 Learning Objectives What is phishing and how to minimize its impact Obtain a basic understanding of how to use virtual machines Use BackTrack, a tool used by many security and IT audit professionals Run Metasploit, a tool used by many security professionals Show users how to avoid phishing scams through demonstration

3 What is Phishing An art of getting information from someone. will come as HTML, with a link. Link could go to a fake website or point the user to an exploited issue. Set up a fake but real looking website (SET) or an exploited link using Metasploit. Spear-phishing targeted attack. - The content of the seems real. Attackers are getting smarter each day.

4 Phishing can be bad Examples of information collected: - User name and Password - SSN - Bank account number - Credit card numbers - Allow remote access of your machine - etc. Attackers can install viruses/spyware If they get one person to click, they can get some good information.

5 A sample of a phishing This came to me while I was working on this presentation. It went to my SPAM filter. I viewed the original source code and took screen shots. You will see how the link in my is different than what is in the HTML code inside of the .

6 Sample Phishing

7 The HTML Behind the Phishing E- mail

8 Sample that could take you to a Java Exploit

9 Quick Survey Anyone get any good s that were probably part of phishing scam? How many people are new to the concept of using Virtual Machines? Who is familiar with BackTrack?

10 What is a Virtual Machine (VM) A computer that runs in an existing computer. A computer trapped inside of another computer. The entire computer is contained within a file, it is software based. There are two terms used to describe virtualization: Host and Guest.

11 Virtual Machines Basics A Host is the main machine, sharing its resources A Guest runs on a Host Some of the resources a Host can share: - RAM - Processor - Hard drive - CD/DVD - USB - Network Card

12 VM scenario Suppose you have a laptop (host) with a 500GB hard drive and 8GB of RAM. If you create a Guest that is 60GB, the file starts at 0GB but can grow to 60GB as you use the Guest, your Host only has 440GB of space remaining. If you give the Guest 2GB of RAM, when it runs your Host will only have 6GB of RAM available for its operation. If you shut the machine down, the 2GB of RAM goes back to the Host, but the disk space is still allocated to the Guest.

13 Personal Virtual Software This presentation is covering laptops/desktops. Corporate versions are not typically free, but will cover them briefly. VMWare Player (Windows Free) - Fusion (Mac $$) Microsoft Virtual PC (Windows only Free) Oracle VirtualBox (Many OSs, Free)

14 Corporate Virtual Machines Many companies use VMWare ESX or Microsoft Hyper-V. VMWare ESX runs on a Linux/UNIX platform, vsphere is designed for cloud servers. Microsoft Hyper-V runs on Windows 2008 or 2012 If you auditing a server that is a Guest virtual machine. You may also need to audit the Host server.

15 How I may use Virtual Machines If you need to learn about a new Operating System You want to run security tools against various machines - Will not harm your network Configure SSH to move files from your Host to Guest by using a secure FTP application: Example, reports, logs, etc.

16 BackTrack Disclaimer: Do not use the tools demonstrated here on a live system without permission. You will get in trouble.

17 What is BackTrack? BackTrack is tool that contains a collection of security tools. These tools are used by security and penetration testing individuals. Here are some examples of the tools: - Information gathering - Password crackers - Network scanners (Bluetooth/wireless) - Vulnerability scanners - Penetration testing tools

18 List of categories

19 BackTrack Basics BackTrack is referred to as a Linux Live CD Great way to test security tools The underlying Linux used is Ubuntu Great way to learn Linux without buying a new machine Provides the tools that a script kiddie may use.

20 How to run BackTrack Download the ISO file: Options for running BackTrack - Burn the ISO image to a disk (Live) - Install on a hard drive (Permanent) - Create a virtual machine (Temporary)

21 Metasploit Designed by HD Moore, the current Chief Security Officer at Rapid7 Originally created in 2003 Used to find and expose vulnerabilities in software A paid version is available for easier management, from Rapid7

22 Metasploit terms When you are using Metasploit here are some terms you will see: Exploit - the weakness found Payload - when you exploit the machine what happens. Do you create a shell and see the victim s hard drive? Add an administrator account without knowing their password. Shellcode - the code used during the payload. You can write your own code to achieve your goal.

23 Some of the vulnerabilities Microsoft - MS (Stuxnet/Conficker) Java exploit Adobe

24 Social-Engineer Toolkit (SET) Designed by David Kennedy It is used to capture user names and passwords. If you are a penetration tester what would a few user accounts be worth? Allows you to create a clone of a website. The cloned site runs on your machine.

25 SET in Action - the Original site

26 SET in Action - The Attackers cloned site

27 An unsuspecting user

28 The Result

29 How can you protect your company Use of technology and policies can help Sample policies Sender ID (Company control) SPAM Filtering (Company control) End user training Use of personal while at work Define a group to handle concerns and incidents Antivirus/Antispyware Patching

30 Sender ID Good first line of defense before an can enter your network. Designed by Microsoft and a consortium of other companies. Has been approved for use by the Internet Engineering Task Force. Verifies an message from the Internet domain with an IP address associated with that Domain Name.

31 SPAM Filtering A good second layer is SPAM filtering. This can eliminate those s that sneak by the Sender ID Untangle (free, but more features can be purchased) Barracuda (subscription) SpamAssassin (Open source from Apache) MS Exchange add Real-time Block Lists (RBL) If you are running filtering block lists are they still current and working?

32 Online Protection (end user training) From IC3.gov 2011 Annual Report - Online Crime Prevention Be suspicious of any unsolicited requesting personal information. Avoid filling out forms in messages that ask for personal information. This could be a phishing scam. Always compare the link in the to the link that you are actually directed to visit. Log on to the entity s official website, instead of linking to it from an unsolicited . Contact the actual business that supposedly sent the to verify if the is genuine.

33 User Education If something gets by the company s technology. We need to rely on the end user. Train users not to immediately click on attachments or links, can come from their personal . Training, help users look for clues, bad grammar or hover over links before clicking on them.

34 Education by example Sometimes showing the user what can happen can be a powerful training tool. Use Social-Engineer Toolkit (SET) create your own fake site, demonstrate what can happen. Paid service to train users on Phishing. - phishme.com - wombatsecurity.com

35 Technology on the user s machine Keep browsers up to date - Use Anti-phishing features within newer browsers - New browsers highlight the domain Apply security patches from all vendors: Microsoft, Java, Adobe, etc. Keep Antispyware/Antivirus up to date, run if someone opened a link.

36 Browser domain highlight

37 Demonstration

38 Summary Phishing can result in bad things on your network Virtual machines are a software based computer. BackTrack runs on Linux and is a collection of security tools Metasploit can be found in BackTrack that exposes and can exploit software vulnerabilities.

39 Summary Create policies and use technology available Educate people, be careful on clicking on links and attachments Social-Engineer Toolkit allows you to clone a site. You can send a link to a user, if they enter their credentials, you can log in as them.

40 References IC3.GOV 2011 Annual report Microsoft Send ID Thanks to: John Hochevar, CISSP

41 Thank you Patrick Mattson, CISSP, CISA Sr. IT Consultant, Mattson Computer Consulting patrick at imattson.com Phone: Linkedin: