1 / 43

Under the Black Hat

Under the Black Hat. Daniel Nelson, C | EH, CIPP/US. August 27, 2014. How Bad is the Hacking Threat?. “Hackers” write sophisticated computer code to invade computer networks Hackers do this to target personal information which is then used for identity theft

eliana-allen
Download Presentation

Under the Black Hat

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Under the Black Hat Daniel Nelson, C|EH, CIPP/US August 27, 2014

  2. How Bad is the Hacking Threat? • “Hackers” write sophisticated computer code to invade computer networks • Hackers do this to target personal information which is then used for identity theft • “Hacking” is the digital equivalent of robbing a bank: hackers break into a system, rob it, and make their get-away • Hacking leaves digital fingerprints that can be traced back to catch the thief

  3. What’s the Real Story?

  4. Who’s The Hacker?

  5. Who’s The Hacker Berkley Blue & Oaf Tobark Adrian Lamo Mercedes Haefer Kevin Poulsen John “Captain Crunch” Draper Robert Morris

  6. They Hack for Profit Sometimes, but: • Revenge • Information • “A Cause” • Street Cred • Boredom • “Because It’s There”

  7. They Are After Our Personal Information • Says who? --Brian Krebs, KrebsonSecurity.com

  8. Hackers Are Computer “Black Belts”

  9. Everything A Hacker Needs Over 100 Hacking Tools Pre-installed

  10. Tools such as: • John the Ripper (Password Cracking) • Angry IP Scanner (Scanning) • THC Hydra (Password Cracking) • Cain & Abel (Anything you can imagine on a Windows System) • Burp-Suite (Web Apps) • Social Engineering Toolkit (“SET”) • Wire Shark (packet sniffer) One of the biggest challenges is to choose from among a plethora of tools

  11. How Bad for You/Good for Me Vulnerability Name: So I Can Find It Easily Nessus

  12. Trespassing At Will?....Priceless Kali Linux…………………… The Included Tools………… Nessus………………………. FREEFREEFREE

  13. But the Two Most Powerful Hacking Tools?

  14. Google • Pre-hack Reconnaissance on Target: • System configurations • Usernames • Passwords • Email Addresses • Reporting Relationships • The Answer to Any “How Do I” Question You Could Ever Ask

  15. YouTube FUD: Fully Undetectable Remote Administration Terminal (a Trojan)

  16. True Hackers… • Love to Share • Know-how • Exploits • Data • Updates

  17. Hacking Is Easily Detected

  18. Hacking Leaves Digital Tracks

  19. Quick Overview of Hacking • Basic (but still dangerous) hacking requires access to YouTube and a willingness to learn • Hackers have many different targets • Good Hackers may lurk in a system for months • Hacking is extremely difficult to detect

  20. What Can Be Done • Combat Social Engineering • Understand the Threat • Train • Engage With Security • Understand what “IT” really means • Take Charge • Understand Current Legal Requirements • Avoid The Compliance Trap • Be Your Own CISO

  21. Social Engineering • “Hacking the Wetware” • The most direct, efficient and effective form of attack • One simple goal: generate an emotional response • Takes Many Forms: • Phishing/Spearphising • Physical Intrusion • Remote • Odds are strongly in Hacker’s favor

  22. Phishing/Spearphishing • Phishing: Impersonal “blast” email • Spearphishing: Uses personal information about “sender” or recipient to encourage recipient to trust the email • Vacation plans • Recent promotions • Company events • Hobbies • This information is all too easy to find:

  23. Spearphishing Takes Many Forms

  24. There’s An App For That

  25. Phishing With SET

  26. Physical Intrusion First Rule of Hacking: If you can touch it, you will own it.

  27. Social Engineering Countermeasures • Build Awareness • Every Employee is Part of Your Security Plan • Train • Recognize the Common Attack Vectors • Appreciate the Dangers

  28. Engage With Security • Understanding “IT” • The field is highly specialized • Network • Desktop • Database • Programming • Website • Security is 10% IT, and 90% Everybody Else • Physical Security • Mobile Device Security • Anti-Phishing

  29. The Biggest Mistake • Ignoring Counsel’s Essential Role in Data Security • What You Give Up: • Privilege • Participation in decisions when it matters most • Independent analysis

  30. Protecting Privilege • Attorney-client privilege can be invoked between the victim company’s outside legal counsel and hired third-party forensic firms that perform a review of the system during a breach. Invoked privilege allows the forensic company to report breach results directly to the law firm. http://www.secretservice.gov/ECTF_best_practices.pdf

  31. Being There When It Matters Most • Data Security incidents often have legal consequences • Regulators • Insurance coverage issues • Lawsuits • IT won’t be representing the company! • You can be there when decisions are made, or you can be there when the die has been cast.

  32. Independent Eyes • Why do we have outside auditors? • Same principal holds true for data forensics: often outside eyes see more clearly • Independent evaluation of what went right, and what went wrong • May well be more qualified for forensic work • Better expert witnesses • Detect the “inside job”

  33. The Second Biggest Mistake • Failure to have a plan • Data Incidents take many forms, and involve complicated questions that demand real-time answers • Regulators (and underwriters) increasingly looking to whether you had a plan

  34. What’s the Next Step? • Front Desk Security calls: There are two FBI Agents in the Lobby asking to speak to the head of Information Security. • Do you meet with them? • Do you allow them access to your network? • What is your company’s policy with respect to cooperation with law enforcement?

  35. What’s the Next Step (Part II) • Your CEO receives an email containing the private financial information of ten of your customers. The sender informs you that they have all 10,000 such records, and intend to release them unless your company pays a ransom within 12 hours. • What is your company’s policy for this? • Do you involve law enforcement? • What is your media strategy? • Does your cyber policy cover this? • How do you evaluate whether the threat is real?

  36. Understand the Legal Requirements • Fast Changing Landscape • The “Law” Simply Can’t Keep Up • FTC “Common Law” on Security • HIPAA • State Data Security Laws • Long on Recommendations, but Short on Specifics

  37. Recent FTC Enforcement Actions • Cbr Systems, Inc. • Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service • After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to meet its promised security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need

  38. Enforcement Actions • TRENDnet • SecurView cameras for home monitoring • Software issue allowed anyone with camera's web address to view the live feed • FTC charged: • Failure to utilize reasonable measures to test security; • Unencrypted transmission of user credentials, and unencrypted mobile storage of login information.

  39. Massachusetts Data Security Laws • Requires “Comprehensive” data security program that includes: • Designated responsible employee(s) • Identification & assessment of risks • Employee security policies • Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures) • Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”

  40. Encryption • Growing body of regulations and enforcement actions requiring some form of encryption • Encryption may come in many forms: • Encryption in transmission (e.g. PCI Rules, TSL/SSL, PGP Email) • File level Encryption • Full disk Encryption

  41. The Compliance Trap • Compliance can be Security’s Worst Enemy • “Check the Box” is not the same as “Secure” • Compliance: Do you have a home alarm? • Security: Do you actually turn it on?

  42. Be Your Own CISO • Update & Patch • Very little “Zero Day” Malware • Significant Amount of Malware is Reverse Engineered from the Patch • Password Security • Wrc$5oo93=T • Longer is Better • PollyWants1Cracker • Secure Physical Access • Change Default Passwords • Computers/Wireless Access Points • Home Alarms

  43. Questions? Dan Nelson, C|EH, CIPP/US, Partner314.552.6650 dnelson@armstrongteasdale.com http://twitter.com/DanNelsonEsq www.linkedin.com/in/danielcnelson

More Related