
Training Your Staff in Cyber Threats



  1. Training Your Staff in Cyber Threats Isaac Wagner Chief Operations Officer National Defense Group

  2. Brief Bio • Bachelor of Science from Brigham Young University in Electrical Engineering • Master of Science from University of Maryland Baltimore County in Systems Engineering • Very hands-on career: • Hardware testing • Hardware design • Software testing • Software engineering • Reverse engineering • Very concerned with practical security measures and policy implementation

  3. What Type of Training? • Current threat landscape • Study breaches, even those not related to your business sector • Vulnerability announcements • Best practices for IT personnel • For example, CIS Controls • Best practices for software developers • For example, CERT Coding Standards • Conferences, podcasts, webinars, blogs, etc. • Doing “something” every week to learn more

  4. Agenda • Case Studies of things that went wrong • What the organization can do • What the individuals can do • Security Mindset • Ongoing training

  5. Case Study Facebook (2018)

  6. The Discovery • Facebook engineers observed traffic spike on September 16, 2018 • Started investigating • Located root cause on September 25, 2018 • Three interrelated bugs with the “view as” feature • Stole estimated 50M authentication tokens • Determined that data was mined from around 30M accounts

  7. Facebook Reaction • Deactivated feature while patch was being written • Deactivated stolen tokens (50M) • Deactivated tokens from anyone who had used that feature (40M) • Patched software the day after discovery • Reported breach to FBI

  8. Fallout • What motivation might the hackers have? • Major lawsuits • Loss of reputation • Potential for identity theft and blackmail

  9. What did they do wrong? • Code had been active for more than a year • They reacted quickly • No such thing as enough testing – it’s a tradeoff • Probably just a lapse of judgement or failing to consider all consequences

  10. Case Study British Airways (2018)

  11. British Airways • RiskIQ – great writeup about technical details • Attacked by Magecart threat group • Data stolen from 380,000 customers • Digital version of credit card skimmers • Binds to JavaScript events that submit payment • Sends data to baways.com – on quick glance looks legit • Destination URL had signed SSL certificate

  12. British Airways (cont’d) • How did they do it? • Gained access to British Airways infrastructure by some unknown means • Added 22 lines of JavaScript to Modernizr library • In other attacks Magecart taints the supply chain • For example, they infected 3rd party software called “Shopper Approved,” used by e-commerce sites

  13. Case Study Anthem (2014)

  14. Gearing Up for the Attack • Anthem is a United States based health care company • Very personal and private records on millions of people • Listened to interview with Stephen Moore, former Staff Vice President of Cyber Security Analytics • Months before breach Moore and team found malware • Attribution to China • Surprised and unprepared for an attack by a nation state

  15. What Happened? • Actively working threats from one Chinese actor • A separate Chinese actor breached their systems • Anthem in middle of acquisition • Attackers used phishing email and got inside the smaller company’s network • Lateral movement through systems, right into main Anthem network • At least 90 systems compromised • Private data on 78.8M people stolen • DB Admin noticed a job running that he didn’t start

  16. Case Study Target (2013)

  17. The Setup • Hackers “cased the joint” • Open source reconnaissance • Google searches • Case study written by Microsoft describing Target’s use of their products and the network infrastructure • Found vendor list • Learned about their target network

  18. The Attack • Phishing email campaign toward Target vendors • Compromised HVAC vendor • Found and took credentials to access Target vendor site • Used common tools to find vulnerable and misconfigured devices on the network • Lateral pivot through network • Got into auto-update systems, and pushed malware to POS systems • Reaped credit card info

  19. What went wrong? • There was not a single point of failure • Multiple issues combined • Vendor network should have been isolated from main network • Misconfigured servers • Default passwords on some devices • Security vendor software (FireEye) alerted Target, but no action was taken

  20. And Many Others…

  21. The Breaches Keep on Coming… • Equifax (2017) • Network scanning to find vulnerable servers • Known Apache Struts vulnerability left unpatched • Yahoo (2014) • Spear phishing email • Single click brought down Yahoo and exposed 3B accounts • Uber (2016) • Passwords to Amazon AWS data servers were in code on GitHub • Uber tried to cover it up

  22. Password Databases Or, how to make it super easy for criminals

  23. A Tale of Two Websites • Had a web site hosted for a couple years (circa 2006) • Trouble logging in one day • Clicked “forgot password” link • Received email containing clear text password (VERY BAD!) • Was told by tech support it was “easier for customers” to send their passwords, rather than forcing a reset • Last month, clicked “forgot password” on web site touting cybersecurity training • You guessed it, clear text password emailed

  24. Accumulated Results

  25. This is bad folks • Stop making it easy for hackers • Database is accumulation of CLEAR TEXT credentials recovered from various data breaches • Password reuse between sites • Simple variations on password themes • ********93@Hotmail.com:!luvb33pb33p • ********93@Hotmail.com:1luvb33pb33p • ********93@Hotmail.com:iluvbeepbeep • Non-sophisticated hacker wannabes can now access accounts

  26. Solution Round 1 – Hash Passwords • Hash the passwords before inserting into database • Clear text never touches the database • During login the hash of the password the user entered is compared to the hash in the database • sha256(“password”) => 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 • sha256(“p@ssword”) => 0fd205965ce169b5c023282bb5fa2e239b6716726db5defaa8ceff225be805dc

  27. Hashed Password Problems • Only SLIGHTLY harder for attackers to get passwords • Passwords are still easy to hack • “password” always maps to the exact same hash value • Easy ways to attack hashed passwords • Large database of pre-computed hashes and their clear text passwords • Rainbow tables • Other attack methods • Brute force • Dictionary

  28. Solution Round 2 – Hash + Salt Passwords • “Salt” is a known string added to the password • A salt does not need to be secret • Similar to Initialization Vector (IV) in cryptography in that respect • sha256(“password”) => 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 • sha256(“SALTpassword”) => f11aa9c84e9747bd128105ce648845cbc0689b5253443a9f1c8fc84e2fe4c650

  29. Salted + Hashed Password Discussion • Hackers cannot pre-compute a hash database unless they know the salt • Precomputed databases or rainbow tables take a relatively long time to build • Statistical attack still works against a sufficiently large sample • Can still brute force or dictionary attack if they know the salt

  30. Sidebar – Statistical Attack • Most-used passwords tend to vary little • Makes it possible to order passwords by their frequency • Top passwords from database

  31. Statistical Attack (cont’d) • All passwords use the same salt • Order hashes by most used • Most-used hashes neatly line up with most-used passwords • Profit!

  32. Unique Salt + Hash • Unique salt per user + hash • sha256(“password”) => 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 • sha256(“SALT1password”) => fbc0a6cc26b851659a9f1004c3cec1a60f2159d6fc9b7ef835bb0f9997f4cbef • sha256(“SALT2password”) => 4c858b049a353c14ce294a1e682574e1f6edeaadf8058a7c4ff898e2e6323a7c

  33. Solution 3 For The Win! • Hashes all differ for same password • Salt does not need to be secret • Can be stored in database • Statistical attack impossible • Hackers must break passwords one at a time • No way to do bulk cracking

  34. DANGER WILL ROBINSON!!!! • Never ever, ever, ever implement your own hash, encryption, or other technical security solution • Always use a well-trusted library built just for that purpose • People spend years of their lives on cryptography and security solutions and still get it wrong • DON’T DO IT!
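The progression on slides 26 through 34 (plain hash, one site-wide salt, per-user salt, and finally "use a trusted library") can be seen end to end in a few lines. The following is an added worked example written for this transcript; it is not code from the talk. It builds a constructed six-user password store three ways, runs the frequency-ranking attack from slides 30 and 31 against each, and then shows the hardened form using the standard library's PBKDF2 rather than bare SHA-256. The sample passwords, the salt string "SALT", and the function names are all assumptions made for the example; the one fixed value it checks is the sha256("password") digest quoted on slide 26.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample user base with the password reuse the breach dumps show.
SAMPLE_PASSWORDS = ["password", "123456", "password", "iluvbeepbeep", "password", "123456"]


def unsalted_hash(password: str) -> str:
    """Slide 26: SHA-256 of the password alone. Identical passwords collide."""
    return hashlib.sha256(password.encode()).hexdigest()


def global_salt_hash(password: str, salt: str = "SALT") -> str:
    """Slide 28: one site-wide salt prepended. Still identical across users."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def per_user_hash(password: str, salt: bytes) -> str:
    """Slide 32: a random salt per user, so equal passwords no longer collide."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_user_salt() -> bytes:
    return os.urandom(16)


def build_store(mode: str) -> list:
    """Hash every sample password the way the named slide describes."""
    if mode == "unsalted":
        return [unsalted_hash(p) for p in SAMPLE_PASSWORDS]
    if mode == "global_salt":
        return [global_salt_hash(p) for p in SAMPLE_PASSWORDS]
    if mode == "per_user_salt":
        return [per_user_hash(p, new_user_salt()) for p in SAMPLE_PASSWORDS]
    raise ValueError(f"unknown mode {mode!r}")


def frequency_guess(stored_hashes: list, top_passwords: list) -> dict:
    """Slides 30-31: rank stored hashes by how often they repeat and line the
    ranking up with the known most-used passwords. No salt knowledge needed.
    Returns {} when no hash repeats, i.e. the ranking carries no signal."""
    ranked = [h for h, n in Counter(stored_hashes).most_common() if n > 1]
    return dict(zip(ranked, top_passwords))


# Slide 34: do not hand-roll the scheme. PBKDF2-HMAC from hashlib with a
# per-user salt and a deliberately high iteration count is the library route.
def pbkdf2_record(password: str, salt: bytes = None, iterations: int = 600_000) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def pbkdf2_verify(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk, record["hash"])


if __name__ == "__main__":
    known_top = ["password", "123456"]  # what an attacker already knows from prior dumps
    for mode in ("unsalted", "global_salt", "per_user_salt"):
        store = build_store(mode)
        print(f"{mode:14s} distinct hashes: {len(set(store))}/{len(store)} "
              f"recovered by ranking: {list(frequency_guess(store, known_top).values())}")
    rec = pbkdf2_record("iluvbeepbeep")
    print("pbkdf2 verify correct password:", pbkdf2_verify("iluvbeepbeep", rec))
    print("pbkdf2 verify variant password:", pbkdf2_verify("1luvb33pb33p", rec))
```

Running it prints three distinct hashes for six users under both the unsalted and global-salt stores, and the ranking recovers "password" and "123456" in both cases without the attacker ever learning the salt; only the per-user-salt store yields six distinct hashes and an empty recovery. The PBKDF2 record keeps the per-user salt and iteration count next to the hash, which is what lets the verifier recompute it later.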

  35. What can be done? at least make them work a little for your data

  36. Small and Simple Things • More often than not it’s the little things • Clicking a link • Bringing a device to work • Internal server with same password • Default passwords • Not keeping up with patches

  37. Center for Internet Security (CIS) • Sixty page PDF document containing 20 controls • Ranked in order of implementation priority • Contains description of control, why it’s important, and ways to implement • From CIS Controls v7: The CIS Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. They also change the discussion from “what should my enterprise do” to “what should we ALL be doing” to improve security across a broad scale.

  38. CIS Controls – Basic • Inventory and control of hardware assets • Inventory and control of software assets • Continuous vulnerability management • Controlled use of administrative privileges • Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers. • Maintenance, monitoring, and analysis of audit logs

  39. CIS Controls – Foundational • Email and web browser protections • Malware defenses • Limitations and control of network ports, protocols, and services • Data recovery capabilities • Secure configuration for network devices, such as firewalls, routers, and switches • Boundary defense • Data protection • Controlled access based on the need to know • Wireless access control • Account monitoring and control

  40. CIS Controls – Organizational • Implement a security awareness and training program • Application software security • Incident response and management • Penetration tests and red team exercises

  41. Defense in Depth • Traditional thinking is hard firewall – secure perimeter • Intranet resources easy to access for employees • “It’s OK” mentality • No or shared credentials for internal services • Common password for build farm or servers • Out-of-date software and patches • CIS controls are prioritized • “Boundary Defense” is number 12

  42. Defense in Depth (cont’d) • Both Anthem and Target compromised initially through phishing • Both came in from the side • Hackers moved through internal networks with relative ease • Soft and squishy center with hard shell don’t work

  43. What can employees do? • Use unique passwords for each system/account • Don’t install unauthorized browser plugins • Verify minimized/tiny URLs • Don’t click links in email • Don’t open email attachments • Promptly report violations of policy, including accidental ones • Save work to a properly backed up server

  44. Corporate Security Practices • Hash + Salt passwords stored in a database • Delete user accounts immediately when person leaves company • Two-factor authentication • Least privilege • DAC/MAC • Limit lateral movement • Enforce password complexity requirements

  45. Corporate Security Practices (continued) • Block Social Media • Supply Chain Interdiction • Beware of common attacks • Phishing • Cross-site scripting • SQL Injection • DoS Attacks • DNS Redirection

  46. Synergy Not just a buzzword

  47. The Dreaded Buzzword • “Synergy” has been abused as a buzzword • Fits perfectly the idea I want to convey • Work together with each other and the community • “Community” could be other teams in the company, depending on environment • Following example shows two differing views

  48. Voting Equipment Hacking • DefCon Voting Village for past two years • Identified many security vulnerabilities and wrote formal report • Election Systems and Software (ES&S): “[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage. “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”

  49. In other words… • Security through obscurity • Sticking head in sand doesn’t work • Community was very helpful and wrote a really nice report • Free penetration testing!

  50. Security Professional Response
