
Targeted Attacks


kirkan

Presentation Transcript


  1. Targeted Attacks: The Current State of Cyber Security and How to Defend Your Data

  2. About Sequestered Solutions
     • Jacob Kelley
     • Our History
     • Our Services & Solutions

  3. Social Engineering: A Primer
     • The act of manipulating people to accomplish goals that may or may not be in the “target’s” best interest
     • Example – Your child uses social engineering to get you to buy a toy they want
     • Or – A hacker gets you to plug a USB device into your PC
     • Social engineering is a tactic that is widely used by hackers/attackers to gain access to systems
     • By exploiting our inherent proclivity for kindness, attackers use our own nature against our best interests
     • Imagine you find a thumb drive lying around in the office or parking lot – What do you do?

  4. Attacks on Critical Infrastructure
     • Common hacker tools now have infrastructure exploits
     • Secure infrastructure devices exist – but are they patched?
     • Brazil blackouts spur hacking fears
     • Anchorage traffic signs hacked
     • Stuxnet/Natanz disruption

  5. Hacktivism
     • Hacktivism is politically motivated hacking
     • Recently, hacktivism has seen a drastic increase in volume and visibility
     • Hacktivists responsible for 58% of all data stolen in 2011
     • In 2011 alone, hacktivists stole 100 million records, almost twice as much data as was stolen by financially motivated cyber criminals
     • Conduct a Google search for “Anonymous HB Gary” to see how damaging hacktivism can become
     • Gary McKinnon “hacked” NASA by logging on with default (read: no) password

  6. Cyber Warfare
     • President Obama confirmed Stuxnet was developed by US and Israel
     • Iran claims USAF drone rootkit/keylogger was theirs
     • Plan X – DARPA’s cyber warfare project

  7. Some Frightening Statistics!
     • FBI ranks cyber attacks as third greatest threat to the U.S. behind nuclear war and WMDs (weapons of mass destruction)
     • Over 10 million cyber attacks daily
     • Cyber attacks up 93% in 2011
     • Due to cyber criminals using “attack kits”
     • Cyber attacks could paralyze the nation – 2012 Leon Panetta Secretary of Defense report

  8. Prevention
     A Kilobyte of Prevention Or Gigabytes of Repair!
     • “An ounce of prevention is worth a pound of cure”
     • Australian government has provided excellent free advice
     • See Australia’s 35 Strategies to Mitigate Cyber Intrusions
     • 4 Basic strategies prevent over 90% of intrusions
     • Application Whitelisting, Patching OS, Patching 3rd Party Software, Limiting Admin Privileges
     • Free Security Websites - NIST, US-CERT, SANS, etc…
     • NSA Manageable Network Plan
     • SANS – Free security resources
     • 20 Critical Security Controls
     • Free Security Templates

  9. Risk Mitigation Strategies
     • Follow basic security best practices
     • Routine penetration testing, vulnerability assessment and review
     • Social Engineering – training, policies, procedures, and prevention/protection
     • Critical Infrastructure – one-way data flow, disaster recovery, backup configurations
     • Hacktivism – SQL injection prevention/code review, DDoS prevention, network infrastructure planning, user education
     • Cyber Warfare – see social engineering above

  10. References
     * Social Engineer Toolkit: https://www.trustedsec.com/downloads/social-engineer-toolkit/
     * More Information about social engineering: http://www.social-engineer.org/
     * Iron key product available: https://www.ironkey.com/
     * CNN Report on Cyber Warfare: http://www.cbsnews.com/2100-18560_162-5555565.html
     * McAfee predicts high profile attacks: http://www.zdnet.com/blog/btl/mcafee-predicts-more-high-profile-targeted-attacks-in-2012/65883
     * Anchorage signs hacked: http://community.adn.com/adn/node/161662
     * Hacker tools to attack infrastructure: http://blog.alexanderhiggins.com/2012/04/05/critical-infrastructure-exploits-packaged-hacker-tools-113881
     * Anonymous attacks against HB Gary: http://www.thetechherald.com/articles/After-dealing-with-Anonymous-HBGary-Federals-CEO-resigns
     * Gary McKinnon hacks: http://www.guardian.co.uk/law/2012/sep/16/britain-us-extradition-menzies-cambpell
     * USAF Drone Gets Hacked: http://www.wired.com/dangerroom/2011/12/iran-drone-hack-gps/
     * Obama Confirms Stuxnet: http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all
     * Cyber Attacks FBI Ranks Third Behind Nuclear War and WMDs: http://www.tgdaily.com/security-features/40861-fbi-ranks-cyber-attacks-third-most-dangerous-behind-nuclear-war-and-wmds
     * Cyber Attacks Nearly Double in 2010: http://techzwn.com/2011/04/cyberattacks-nearly-doubled-in-2010-symantc-report
     * 10 Million Daily Cyber Attacks: http://www.forbes.com/2010/08/06/internet-government-security-technology-cio-network-cyber-attacks.html
     * 5.5 Billion Cyber Attacks in 2011: http://www.information-management.com/news/cyber-attack-Symantec-spam-malware-10022411-1.html
     * Panetta Report: http://www.businessweek.com/news/2012-10-12/cyberattacks-could-become-as-destructive-as-9-11-panetta
     * 35 Strategies to Mitigate Cyber Intrusions: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
     * NSA Manageable Network Plan: http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
     * SANS Templates: http://www.sans.org/security-resources/policies/
     * SANS Critical Security Controls: http://www.sans.org/critical-security-controls/
     * Social Engineering paper: http://essay.utwente.nl/59233/1/scriptie_B_Oosterloo.pdf
     * Checkpoint study on mobile devices: http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf

  11. References
     * Android growth outpacing Apple in 2012: http://www.insidemobileapps.com/2012/09/06/android-surges-as-ios-slows-comparing-the-growth-of-android-to-ios/
     * Iran set to take legal action in response to Stuxnet: http://www.haaretz.com/news/diplomacy-defense/iran-threatens-to-counter-cyber-warfare-with-legal-action-1.458486
     * TED talk about Stuxnet: http://www.youtube.com/watch?v=CS01Hmjv1pQ
     * Slide 3 image credit: https://www.trustedsec.com/downloads/social-engineer-toolkit/
     * Slide 4 image credit: http://www.flickr.com/photos/thewildernesssociety/216020173/
     * Slide 5 image credit: http://bringingforthworldequality.wordpress.com/2011/09/28/anonymous-what-do-they-actually-support-who-are-they-really-working-for/
     * Slide 8 image credit: http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/
     * Slide 10 image credit: http://www.eci.com/blog/237-network-security-threats--best-practices-for-hedge-funds.html
     * Brazilian blackouts: http://www.foreignpolicyjournal.com/2009/11/15/brazils-next-battlefield-cyberspace/
     * Hacktivism statistics: http://money.cnn.com/2012/03/22/technology/hacktivists-verizon-data-breach-report/
     * Smartphone sales outpace PCs: http://mashable.com/2012/02/03/smartphone-sales-overtake-pcs/

  12. PLEASE VISIT OUR BOOTH
     We want to meet you!
     Questions?
