CYBERSECURITY – AN ESSENTIAL VITAMIN OACUBO Annual Meeting 4/25/2019
MEET OUR TEAM
Know your presenter!
Stephen Bish, CEH, Senior Cybersecurity Analyst
• Background
  • Security Forensics Degree from PTC
  • CEH (Certified Ethical Hacker)
  • 7+ Years with Schneider Downs
• Services of Focus
  • Penetration Testing
  • Incident Response / Digital Forensics
  • Purple Teaming Engagements
  • Distributed Information Systems Auditing
  • Data Security Compliance Auditing

ABOUT SCHNEIDER DOWNS
• Top 50 Public Accounting/Business Advisory Firm in the US
• Two Offices, Columbus and Pittsburgh
• Substantial IT Risk Advisory Services Team
  • IT Audit, Compliance, Risk Management are Core Competencies
  • Third Party Risk Management Specialty
• Cybersecurity Operations and Consulting Team
  • Organization Wide Cyber Strategy and Consulting
  • Digital Forensics and Incident Response
  • Penetration Testing/Red Teaming/Purple Teaming

CLIENT INDUSTRIES SERVED
• Retail
• Automotive
• Manufacturing
• Banking / Financial
• Government
• Medical / Healthcare
• Higher Education
• Oil & Gas
• Professional Services
• Software as a Service

CYBERSECURITY TOPICS
• Administrative Permissions
• Anti-Virus
• Passwords
• Phishing
• Encryption
• Network Segmentation
• Physical Security
• Security Monitoring
• Data Governance
• Patching
Password Issues (Passwords)
Commonly Observed Password Issues
• Default passwords
• Passwords that never expire
• Passwords that are the same as usernames
• Passwords reused across multiple accounts
• Improper password storage
• Improper password transmission
• Insufficient password requirements
• Weak passwords that meet sufficient requirements
• External logins with single-factor authentication

Password Spraying (Passwords)
• ChangeMe123
• P@sswr0d
• Buckeyes#1
• Spring2019!

Password Cracking Analysis (Passwords)

Mitigation (Passwords)
General Password Issues
• NIST Password Policy Recommendations
  • 12 or More Characters / 3 out of 4 Complexity
  • Restrict Common Passwords
  • Restrict Months / Seasons / Sports Teams
  • Restrict Company Specific Terms
  • Expire Less Frequently
• Disabling Built-In Windows Accounts
• Remove Administrative Privileges
• Assess How “Crackable” Your Passwords Are
• Password Management (e.g., LastPass)
• Employee Training
Single-Factor Authentication
• Block all foreign IPs (if possible)
• Detect, then block or shun IP
  • Failed Login Attempts (Volume / Origin)
  • Windows Event Log ID: 4625
• Implement multi-factor authentication
  • Application (DUO, Google Authenticator, etc.)
  • SMS
  • Physical Token (Yubikey)
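As an added example (not from the deck), a policy check in Python that applies the NIST-style rules listed above: 12 or more characters, 3 of 4 character classes, and blocklists for common passwords, months and seasons, sports teams and company-specific terms, tried against the sprayed passwords from the earlier slide. The blocklists are constructed placeholders, and the year check for Spring2019!-style suffixes goes slightly beyond what the slide lists.

```python
import re

# Constructed blocklists standing in for the restrictions on the slide (NIST-style):
# common passwords, months/seasons, sports teams and company-specific terms.
COMMON_PASSWORDS = {"password", "changeme123", "welcome1", "letmein"}
MONTHS_SEASONS = {"spring", "summer", "autumn", "winter", "january", "february",
                  "march", "april", "june", "july", "august", "september",
                  "october", "november", "december"}  # "may"/"fall" left out: too many false hits
SPORTS_TEAMS = {"buckeyes", "steelers", "browns"}      # constructed examples
COMPANY_TERMS = {"schneider", "downs", "oacubo"}       # names from this deck, used as examples

# Undo common character substitutions so that "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 of 4 character classes")
    if username and password.lower() == username.lower():
        problems.append("same as username")
    # Check both the raw lowercase form and the de-leeted form against the blocklists.
    forms = {password.lower(), password.lower().translate(LEET)}
    if forms & COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    for label, terms in (("month/season", MONTHS_SEASONS),
                         ("sports team", SPORTS_TEAMS),
                         ("company term", COMPANY_TERMS)):
        if any(term in form for term in terms for form in forms):
            problems.append(f"contains a {label}")
    if re.search(r"(19|20)\d\d", password):  # Spring2019!-style year suffixes
        problems.append("contains a year")
    return problems


if __name__ == "__main__":
    for pw in ("ChangeMe123", "P@sswr0d", "Buckeyes#1", "Spring2019!",
               "GoBuckeyes#2019", "correct-Horse7battery"):
        print(f"{pw:24} {check_password(pw) or 'OK'}")
```

Note that GoBuckeyes#2019 satisfies length and complexity yet is still rejected, which is the "weak passwords that meet sufficient requirements" case from the issues slide.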
Takeaway Questions (Passwords)
• “Are we protecting/limiting any built-in Administrator accounts?”
• “How strong are our passwords?”
• “Are we effectively blacklisting common passwords?”
• “How do our users store / share passwords?”
• “Can we effectively detect password spraying on all external logins?”
• “Do we block/shun IP addresses that spray us?”
• “Do we check for successful login attempts from a spray attack and then change their password?”

Susceptibility to Phishing (Phishing)
Most data breaches involve some form of social engineering.

Credential Harvesting (Phishing)

Payload Execution (Phishing)

Mitigation (Phishing)
• Review and Purchase Top 10 Similar Domains
• Properly Configure Spam Filters
  • Block Similar Domains, New Domains, Known Bad Domains
  • Block Keywords
  • Block Certain Attachments (.EXE / .BAT / .VBS)
• Advanced Anti-Phishing Software (e.g., Mimecast)
  • Algorithmic Spam Filter (Impersonations, Context, Domain Reputation)
  • Rewrite Links
  • Sandbox Attachments
• Employee Training
  • Frequent Internal Simulations

Takeaway Questions (Phishing)
• “How advanced does a phishing attempt need to be to evade our spam filters?”
• “Are we performing phishing simulations that sufficiently expose users to all phishing variants?”
• “Do we have an effective communication channel for end-user reporting that initiates response workflow?”

Overly Permissive Admin Rights (Administrative Permissions)
Overly Permissive Admin Rights (Administrative Permissions)
Obtaining local admin rights is a huge advantage for a hacker.
• Many offensive techniques require local admin rights
• Bypassing endpoint protections and security controls is often possible with local admin rights
• Local admin rights often translate to remote access
• Local admin rights are often shared across multiple machines, leading to widespread compromise
Many organizations are not restricting local admin rights due to technical and/or cultural challenges.

Takeaway Questions (Administrative Permissions)
• “What users have local admin rights to what systems, and why?”
• “What users have elevated permissions, and why?”
• “Do all of those service accounts really need Domain Admin rights?”
• “Is each exception to the rule documented and given additional protections?”

Ineffective Anti-Virus (Anti-Virus)
• Not all Anti-Virus products are the same
• Blind Spots
  • Default exclusions (certain file types, certain folders, etc.) can be exploited by attackers
• Signature-based detections ONLY
  • Can be evaded by basic obfuscation techniques
• Software flaws
  • Some Anti-Virus products can be easily disabled by terminating services on the endpoint

Mitigation (Anti-Virus)
• Selection Process
  • Ensure that your anti-virus product has behavioral analysis and memory scanning capabilities
  • Only looking for bad file signatures is not effective
• Proper Configuration
  • Ensure that your Anti-Virus product is configured to utilize its full potential
• Routine Testing and Review
  • Review configuration
  • Confirm desired capabilities
• Update Definitions Automatically upon Release

Takeaway Questions (Anti-Virus)
• “Is our anti-virus product configured and utilized to its fullest potential?”
• “How easily can our anti-virus product be tricked or evaded?”
• “Do we really need all of those manually added file and folder exclusions?”
• “Can end users turn off our anti-virus?”
Lack of Encryption (Encryption)
Effective encryption measures mitigate the following:
• Lost/stolen endpoints
• Lost/stolen mobile devices
• Lost/stolen portable media storage devices
• Boot device attacks
Without encryption, any lost or stolen device is a potential data breach: it is very easy for someone to read the data from an unencrypted device without credentials. Without encryption, a physical attacker can boot an endpoint into a VM and export sensitive data, and even dump system credentials.

Mitigation (Encryption)
• Database Encryption
  • Encrypt databases, either full database encryption or specific columns
• Laptops AND Desktops
  • Utilize built-in TPM endpoint encryption capabilities
• Mobile Devices
  • Advanced mobile device management product (e.g., Airwatch)
• Portable Media Storage Devices
  • Enforce encryption of all USB devices containing sensitive data

Takeaway Questions (Encryption)
• “Do we have any unencrypted devices (including desktops) within our organization?”
• “How likely is it for a device to become lost/stolen?”
• “Do we have any unencrypted databases that contain sensitive data?”
Data Governance Issues (Data Governance)
Ex: Users storing sensitive data in unprotected locations
Why hack the SQL database when sensitive data can be found in someone’s Desktop or My Documents folder?

Mitigation (Data Governance)
• Policy
  • Data classification/usage policies and procedures
• Enforcement
  • Advanced data governance product (e.g., Digital Guardian, Spirion)
• Audit
  • Routinely identify and remediate exceptions to policies
• Employee Training

Takeaway Questions (Data Governance)
• “Who has access to what data and why?”
• “Are users storing sensitive data in unprotected locations?”
• “What exceptions exist within our network file share permissions?”

Flat Networks (Network Segmentation)
Lateral movement is much easier when an attacker has access to a wide range of communication protocols across the entire network.

Mitigation (Network Segmentation)
• Network Segmentation
  • Divide the network into logical and physical groups
  • Use and restrict virtual local area networks (VLANs)
  • Protect the most critical systems from being easily accessible from anywhere on the network
• Local Firewall Restriction
  • Block / restrict ports on each system
  • Only allow communication that is necessary (inbound and outbound)

Takeaway Questions (Network Segmentation)
• “Is it possible to scan our entire network (including servers) from a single endpoint?”
• “Why can our user endpoints ping each other?”
• “Is it possible for us to restrict all unnecessary communication within our network?”
• “Is our guest wireless truly segmented as intended?”

Poor Security Monitoring (Security Monitoring)
Are you confident that you would detect a data breach?
Poor Security Monitoring (Security Monitoring)
Commonly Undetected Hacking Activities:
• Phishing attempts
• Password spraying (Failed Login Attempts)
• AD enumeration as a standard user from a remote non-domain system
• NMAP scans of various types (Internal / External)
• Nessus scans of various types (Internal / External)
• Use of PowerShell based malware
• Code execution via SMB (CrackMapExec) on numerous systems
• Duplication and extraction of a shadow copy from a domain controller
• Widespread rapid use of a single user’s credentials on multiple systems
Without detection capabilities, an attacker can utilize more aggressive tactics that generate more logs and activity, but are also more successful.

Mitigation (Security Monitoring)
• System Logs
  • Ensure all desired logs are being collected properly
• Network Traffic
  • Network traffic should be monitored with effective rulesets to alert on specific activity thresholds
• Configuration/Design
  • Ensure specific detection capabilities for each intended attack scenario
  • Validate capabilities with routine attack simulations
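As an added example that is not part of the deck, two of the detections above expressed over Windows logon events: password spraying as described on the Passwords mitigation slide (failed logons, Event ID 4625, judged by volume and origin) and the widespread rapid use of a single user’s credentials on multiple systems (successful logons, Event ID 4624). The sample events, the simplified field names, the 15-minute window and the thresholds are constructed assumptions; the last function answers the earlier takeaway question about which accounts a spray actually got into.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def ev(minute, event_id, user, src, host):  # constructed stand-ins for TargetUserName/IpAddress/Computer
    return {"time": datetime(2019, 4, 25, 9, minute), "id": event_id, "user": user, "src": src, "host": host}

EVENTS = [  # constructed sample: 4625 = failed logon, 4624 = successful logon
    # one external address tries a single password against many accounts: a spray
    *[ev(m, 4625, u, "203.0.113.10", "OWA01") for m, u in
      enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])],
    ev(9, 4624, "heidi", "203.0.113.10", "OWA01"),    # one of the guesses worked
    ev(3, 4625, "alice", "10.0.0.5", "WS-ALICE"),       # an ordinary user mistyping her password
    # one account authenticating to many internal hosts within minutes
    *[ev(20 + i, 4624, "svc_backup", "10.0.0.50", h) for i, h in
      enumerate(["FS01", "FS02", "SQL01", "DC01", "WEB01", "HR01"])],
    ev(30, 4624, "bob", "10.0.0.7", "WS-BOB"),
]

def _max_distinct_in_window(pairs, window):
    """Largest number of distinct keys among sorted (time, key) pairs inside any one window."""
    best, start, counts = 0, 0, Counter()
    for t, key in pairs:
        counts[key] += 1
        while pairs[start][0] < t - window:   # slide the window: forget pairs that aged out
            counts[pairs[start][1]] -= 1
            start += 1
        best = max(best, len(+counts))        # +counts keeps only keys with a positive count
    return best

def detect_spray(events, window=timedelta(minutes=15), min_users=5):
    """Source addresses whose failed logons (4625) hit >= min_users distinct accounts in a window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((e["time"], e["user"]))
    return {src: n for src, pairs in by_src.items()
            if (n := _max_distinct_in_window(sorted(pairs), window)) >= min_users}

def detect_credential_spread(events, window=timedelta(minutes=15), min_hosts=4):
    """Accounts with successful logons (4624) to >= min_hosts distinct hosts in a window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624:
            by_user[e["user"]].append((e["time"], e["host"]))
    return {user: n for user, pairs in by_user.items()
            if (n := _max_distinct_in_window(sorted(pairs), window)) >= min_hosts}

def spray_successes(events, sprayers):
    """Accounts a flagged source later logged into successfully: reset these passwords first."""
    return sorted({e["user"] for e in events if e["id"] == 4624 and e["src"] in sprayers})
```

Counting distinct accounts per source, rather than raw failure volume, is what separates a low-and-slow spray from a single user mistyping a password several times.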
Takeaway Questions (Security Monitoring)
• “How many of the top hacker techniques can we effectively detect?”
• “Are we routinely validating our detection capabilities with simulated attack scenarios?”
• “Does each of our detection alerts initiate an appropriate incident response workflow?”

Unpatched Systems (Patching)

Takeaway Questions (Patching)
• “Are there any systems on our network not receiving security patches?”
• “Do we run our own internal vulnerability scans?”
• “Are we also patching applications?”
• “Do we have a process in place for emergency patching?”

Physical Access Control Gaps (Physical Security)
Commonly identified issues:
• Overly agreeable guards/receptionists
• Unlocked doors
• Unlocked and unattended systems
• Back doors that can be tailgated
• Motion sensors that can be hacked
• Security camera blind spots
• Unsecured vents
• Drop ceilings
• Unsecured network closets
Why hack a system when you can just walk up to it, sit down and access it?

Hacker Hardware (Physical Security)

Pretexting (Physical Security)
“We damaged a fiber optic cable nearby and need to look at your data center to make sure your network performance wasn’t affected.”

Takeaway Questions (Physical Security)
• “How difficult would it be for someone to access our internal office space?”
• “Does everyone question the presence of someone they don’t know?”
• “How many of our users leave their systems unlocked during breaks?”

Q & A
Get in touch with us:
Address: 65 E State St Ste 2000, Columbus, OH 43215
Phone & Email: Main Line (614) 621-4060, contactsd@schneiderdowns.com
Website: www.schneiderdowns.com