Department of Homeland Security

Similar documents
National Cybersecurity Assessment and Technical Services

National Cybersecurity Assessment and Technical Services: Capability Brief. Presented by: Sean McAfee Updated: May 5, 2014

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Top 20 Critical Security Controls

Presented by Evan Sylvester, CISSP

Technical Testing. Network Testing DATA SHEET

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Targeted attacks: Tools and techniques

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

How We're Getting Creamed

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Spear Phishing Attacks Why They are Successful and How to Stop Them

Information Security Services

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

FedRAMP Penetration Test Guidance. Version 1.0.1

SecurityMetrics Vision whitepaper

SANS Top 20 Critical Controls for Effective Cyber Defense

Defending Against Data Beaches: Internal Controls for Cybersecurity

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

PENETRATION TESTING GUIDE. 1

RSA Security Anatomy of an Attack Lessons learned

Penetration Testing Report Client: Business Solutions June 15 th 2015

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Protecting Your Organisation from Targeted Cyber Intrusion

Seven Strategies to Defend ICSs

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Continuous Penetration Testing

A Case for Managed Security

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

Penetration Testing. Presented by

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Cyber Essentials. Test Specification

UNCLASSIFIED. General Enquiries. Incidents Incidents

How To Protect A Web Application From Attack From A Trusted Environment

Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

FORBIDDEN - Ethical Hacking Workshop Duration

Network Security Audit. Vulnerability Assessment (VA)

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Agenda , Palo Alto Networks. Confidential and Proprietary.

How To Manage Security On A Networked Computer System

Thanks for showing interest in Vortex IIT Delhi & What After College (WAC) Ethical Hacking Workshop.

N-Dimension Solutions Cyber Security for Utilities

Penetration Testing - a way for improving our cyber security

Presented by: Mike Morris and Jim Rumph

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

How users bypass your security!

National Cybersecurity Assessment and Technical Services (NCATS) Year-End Engagement Report 2014

The Trivial Cisco IP Phones Compromise

Don t Fall Victim to Cybercrime:

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Cyber Security Metrics Dashboards & Analytics

SonicWALL Security Quick Start Guide. Version 4.6

Cyber Security Implications of SIS Integration with Control Networks

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Where every interaction matters.

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Global Security Report 2011

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Information Technology Security Review April 16, 2012

XGENPLUS SECURITY FEATURES...

Network and Security Controls

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Fighting Advanced Threats

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

Safe Practices for Online Banking

Course Title: Penetration Testing: Network & Perimeter Testing

Attack and Penetration Testing 101

Common Cyber Threats. Common cyber threats include:

Loophole+ with Ethical Hacking and Penetration Testing

Windows Operating Systems. Basic Security

Managed Security Services

SPEAR PHISHING TESTING METHODOLOGY

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Transcription:

Department of Homeland Security National Cybersecurity Assessments & Technical Services (NCATS) Service Overview, Success and Challenges 3/18/2016 1

Agenda Discussion about NCATS Current Programs and Services Cyber Hygiene Risk and Vulnerability Assessments High Value Asset (HVA) Scenarios Past Success Stories Pilot Services Offensive Security Assessment Phishing Campaign Service Current Challenges Questions 2

NCATS Overview Offer Full-Scope Red Team/Penetration Testing Capabilities through two primary programs: Risk and Vulnerability Assessment (RVA) and Cyber Hygiene Focus is on proactive engagements with stakeholders to improve their cybersecurity posture, limit exposure, reduce rates of exploitation Offers a full suite of tailored threat, vulnerability and risk assessment services and penetration testing capabilities to stakeholders Acts as a trusted advisor and provides independent review and recommendations for cybersecurity improvement 3

Stakeholder Groups Federal Civilian Executive Branch State, Local, Tribal, Territorial Governments (SLTT) Private Sector (PS) Unclassified / Business Networks Cyber Hygiene Mandatory for Federal Optional for SLTT and PS Risk and Vulnerability Assessments Optional for Federal, SLTT and PS FY16 Current Stakeholders Service Fed SLTT PS Total RVA 24 10 12 46 Cyber Hygiene 126 60 59 245 4

RVA Services and Capabilities Service Vulnerability Scanning Penetration Testing Social Engineering Wireless Discovery & Identification Web Application Scanning and Testing Database Scanning Operating System Scanning Description Internal/ External to Customer Network Program Conduct Vulnerability Assessments Both Cyber Hygiene/ RVA Exploit weakness or test responses in systems, applications, network and security controls Crafted e-mail at targeted audience to test Security Awareness / Used as an attack vector to internal network Identify wireless signals (to include identification of rogue wireless devices) and exploit access points Both External Internal RVA RVA RVA Identify web application vulnerabilities Both Cyber Hygiene/ RVA Security Scan of database settings and controls Security Scan of Operating System to do Compliance Checks (ex. FDCC/USGCB) Internal Internal RVA RVA 5

HVA Testing Scenarios FY15 Derived from trending analysis data gathered through: Previous Risk and Vulnerability Assessments Emulation of Known Adversary Tactics, Techniques, and Procedures Scenario #1: External Assessment (EA) - Determine what vulnerabilities exist in the agency s web presence and publically available hosts that an unauthorized, Internet-based attacker could discover and exploit. Scenario #2: Phishing Campaign (PC) Determine how effective a phishing campaign would be against agency employees by using enticing emails to convince users to click on malicious links. Scenario #3: Web Application Assessment (WAA) Determine the accessibility of sensitive information through an agency web application by evaluating how the application processes, protects, and stores data submitted by application users. Scenario #4: Internal Assessment (IA) - Determine what vulnerabilities exist within the agency internal network that an attacker with physical access to the network could discover and exploit. Scenario #5: Internal Threat Emulation (ITE) Simulate an attacker with assumed internal access, through phishing and other means, navigating the agency network to gain access to core servers, applications, and other sensitive information. Scenario #6: Data Exfiltration (DE) Simulate a malicious insider gathering sensitive information and transferring the data outside the internal network. 6

Reduction % Vulnerable Hosts Success Story: HeartBleed 250 200 150 100 50 0 100% 80% 60% 40% 20% 0% Vulnerable Hosts Found Over Time Potential vs. Actual Vulnerability Reduction Over Time Actual Potential Notable Observations: DHS had the capability to initiate scanning immediately but was delayed due to a lack of authorization Observed 98% vulnerability reduction between first and last scan Had scanning started April 7th and achieved similar results the length of exposure could have been reduced by 29% 7

Offensive Security Assessment Currently Piloting the Service Limited to Federal Stakeholders 90 Day Engagements External Testing Only All Testing Performed from NCCIC Lab Allows for simultaneous engagements Goal is to train agencies to identify breaches Monitor, train and track progress True Red Team Capability Measure response and sharing of Indicators of Compromise (IOCs) 8

Why OSA? Black Box Assessment Mirrors APT Provide security personnel real world examples of being attacked Trains Security Operations Center (SOC) personnel to recognize and respond to threat indicators Help identify security holes within an organization Track response times of security events across government agencies Master Scenario Event List (MSEL) used to measure response 9

Team (Module) Concept Assembly line like concept Breaks up methodology into manageable pieces Clear lines of responsibility Modular Easy to substitute testers/team members Focused operations 10

Modules Module 1 Module 2 Module 3 Online Information Gathering Gain foothold Phishing External Exploits Set up Persistent Callback Maintain Callback Hand off to Module 2 Escalate Privilege Spread throughout the network Map Key Areas Take control of Active Directory Hand off to Module 3 Locate Key Information and resources Kick off Measurable Events Record response times Work closely with Trusted Agent 11

12

Rapid Response Test of external system(s) within two (2) business days of request Limited scope to include no more than: 5 IP addresses 1 Web Application Communications Daily Briefing Draft Report delivered Next Business Day Successful Pilot with CFO Act Agency 1st Qtr, FY16 13

Phishing Campaign Service Purpose Most common attack vector used to breach a stakeholder s environment Scope 13-week (90 Day) engagement period Stakeholder provides a reasonable list of target users Phishing emails capture click-rate only, NO payloads Objectives Increase security awareness Decrease potential threat of successful attacks Provide meaningful and actionable metrics 14

PCS Methodology Complexity Levels: Method for calculating the difficulty to identify indicators of a crafted phishing email Levels 0-10+ (Easy to Difficult) Calculation based on four categories of indicators: 1. Appearance 2. Sender 3. Relevancy 4. Behavior/Emotion Time Windows: Varied periods during the day to send crafted phishing emails Monday morning (just before business hours) Tuesday afternoon (lunch hour) Wednesday evening (after business hours) Thursday late (middle of the night) Friday afternoon (just before business hours end) 15

PCS Complexity Calculator Phishing E-mail Template Complexity Rating Calculator Category Indicator Ranking Scale Ranking Appearance Sender Relevancy Behavior (Optional) Grammar Link Domain Logo/Graphics External Internal Authoritative Organization Public News Fear Pride or Shame Greed 0=Poor, 1=Decent, 2=Good 0=Fake, 1=Impersonated 0=Fake, 1=Impersonated 0=Fake, 1=Impersonated 0=Fake, 1=Impersonated 0=Fake, 1=Corporate, 2=Federal 0=No, 1=Yes 0=No, 1=Yes 0=No, 1=Yes 0=No, 1=Yes 0=No, 1=Yes Total 16

Sample Phishing Email To: <Stakeholder List> From: Apples Customer Relations <freeapplesforyou@gmail.com> Subject: Free ipad Just Complete a Survey! Want the new ipad or ipad Mini? I got mine free from this site: <newtechnologyforfree.apples.biz>!!!!! We would like to invite you to be part of a brand new pilot program to get our new product in the hands of users before official release. This assures that any issues or errors are mitigated before the release. If you are accept to participate in this program all we ask is that you submit a survey at the end of the Pilot. You be able to keep ipad at the end for free! Apples Customer Relationships Office Apples Campus, Cupertino, California 95114 1 17

PCS Metrics User Based %Clicked Are employees falling for the phishing email? %Reported Are employees alerting security regarding suspicious emails? System Based %Browser What browser software and version are employees using by default? %Mobile Are employees opening email on their mobile devices? Time Based Time until first click Time until first user reporting and/or security response Training and Awareness Effectiveness %Clicked delta between Round 1 and Round 2 %Complete - Are employees acknowledging and completing security awareness training? 18

Current Challenges 19

Questions? For more information: NCATS_info@hq.dhs.gov 20

Backup Slides 21

RVA Service Examples Service Example Impact Mitigation Network Scanning Stakeholder believed they had 800 hosts, scan revealed over 7,000 Flat network, person in region 1 can access all machines in region 8 Segment network with router or firewall rules Penetration Test Discovered over 200 security cameras accessible with default credentials Physical security, theft, watching key strokes of users Change default credentials and add network level filters Application Test SQL Injection- successfully crafted and input a data string that enumerated web application usernames and passwords. Used credentials to log into web application and other devices Unauthorized user access was achieved from the internet Sanitize all input provided by an untrusted source. Implement server-side controls of whitelisted character sets. Encrypt data stored on the database Penetration Test Discovered an application that had login credentials for user admin cached. This allowed for administrative access on the active directory. Loss of confidentiality. Anyone on the network could potentially become the Domain Admin Restrict Access to the application and if possible turn off caching on the application Wireless Test Discovered WAP buried underneath paper/trash/debris and plugged into the Local Area Network Security controls implemented to connected to the LAN are bypassed. Anyone at Starbucks next door could have access Monitor network for rogue devices, conduct periodic walkthroughs to identify rogue devices Phishing Campaign Phishing email sent to a limited number of employees. One employee, forward to the entire agency All machines were potentially compromised or had to be cleaned. IT resources allocated to mitigation and clean up Train users to identify malicious email, implement technical controls. Application Testing Password reset function allowed the reset password to be mailed to any email address Anyone could reset an account and log into the application. This logic flaw impacted Confidentiality, Availability and Integrity Ensure passwords can only be reset by the actual account owner and sent to the email address on record for the account owner 22

Cyber Hygiene Activities Scanning Identify Active hosts, Operating System and Services Vulnerabilities and weaknesses Common configuration errors Improperly signed Domains Expired SSL Certificates Understand how external systems and infrastructure appear to potential attackers Past and Present Use Federal Response to Heartbleed OMB: M-15-01 Identification of publicly available vulnerabilities DHS Binding Operational Directive Individual Stakeholder persistent scans and exposure status 2800+ Reports delivered this Fiscal Year 185 Stakeholders and growing 23

Initial PCS Infrastructure 24

Week Action Dependency Initial coordinate of scope, plan, pre-assessment Stakeholder agrees to service activities -2 information gathering, template creation, and rules of engagement -1 Test templates created and tweak for use in campaign Feedback from stakeholder POCs 1 Launch Level 0-1 phishing Complete pre-assessment 2 Launch Level 2-3 phishing Complete previous phishing 3 Launch Level 4-5 phishing Complete previous phishing 4 Launch Level 6-7 phishing Complete previous phishing 5 Launch Level 8-9 phishing Complete previous phishing 6 Launch Level 10+ phishing Complete previous phishing 7 Stakeholder Phishing Awareness Action Briefing of initial Round 1 findings and assistance with awareness action Development of stakeholder specific materials or implementation of default materials 8 Launch Level 0-1 phishing Complete awareness action 9 Launch Level 2-3 phishing Complete previous phishing 10 Launch Level 4-5 phishing Complete previous phishing 11 Launch Level 6-7 phishing Complete previous phishing 12 Launch Level 8-9 phishing Complete previous phishing 13 Launch Level 10+ phishing Complete previous phishing +1 Closing brief of initial Round 2 findings compared to Completion of all phishing and Round 1 pre-awareness action collection of all metrics +2 PCS Timeline Completed report of findings, and recommendations for awareness and security best practices Stakeholder satisfaction with campaign and metrics discussed in closing brief 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information