Anatomy of a Hack
Agenda
• Introduction
• Story time, aka what is “cyber crime”?
• Security statistics
• Attack case studies
• Activities to mitigate or provide comfort
With you today
Joe Strain
• Manager, RSM US LLP, Philadelphia
• Speaker at information security conferences: IIA/ISACA, InfraGard, etc.
Time traveling… Mainframes → Data Centers → Cloud Computing
What is cyber crime?
• The use of computer networks to gain illicit access to confidential information, typically that is held by a government, individuals or another organisation
• Can involve nation-states, corporations, individuals, groups of all shapes/sizes
• Objectives include:
  • Financial
  • Military
  • Trade secrets
  • Reputational
  • … just because they want to
Source: Focus Training
Example hacking incidents
• AOL (2005)
  • A former engineer stole a million screen names and email addresses.
  • These were sold to spammers who then sent 7 billion unsolicited emails.
• Target (2014)
  • Hackers infiltrated POS systems, installing skimmers.
  • They stole 70 million credit card numbers.
• Ashley Madison (2015)
  • Hacktivists leaked the personal details of 37 million users of the website.
• Sony (2015)
  • Alleged North Korean hackers infiltrated Sony due to the release of the film The Interview.
  • 100 terabytes were stolen: unreleased movie scripts, employee salary details, emails and other sensitive data.
Security statistics: cost of a breach
• The 2017 study summarizes RSM/NetDiligence's findings from a sampling of 591 cyber claims, 343 of which involved the loss, exposure or misuse of sensitive personal data from a variety of industry sectors.
• The average cost for crisis services (forensics, notification, credit monitoring, legal guidance) was $349,000.
• Hackers were the most frequent cause of loss (27%), followed by malware and viruses (16%). Third parties accounted for 13% of the claims submitted.
• Payment Card Industry (PCI) data was the most frequently exposed data, followed by protected health information (PHI) and personally identifiable information (PII).
• Nano-revenue companies (less than $50 million) experienced the majority of records exposed (43%).
• Health care and professional services were the most frequently breached (18%), followed by financial services (13%).
• Insider involvement occurred in 25% of the claims submitted.
• 88% of the claims submitted in this study are for organizations under $2B.
Threat overview
• Rise of the “low-tech” hack
  • Very polished method of social engineering that does not require actual “hacking”
  • Fancy name for traditional “con games”
  • Attacking an environment by manipulating people
• Hacking by the KISS principle
  • Keep it simple, stupid
  • Why go through all of the effort to bypass firewalls, anti-virus, monitoring solutions, etc.?
  • Why not just have the target do all the work for you?
• Human nature dictates that these attacks WILL be successful.
Threat overview
• Vendor fraud, aka invoice fraud, aka supply chain fraud:
  • Attacker identifies a vendor of the organization
  • Attacker attempts to convince the organization to make a normal or additional payment to a new account
  • Organization is unaware of the fraud until notified by the vendor
• Typical example:
    To: [Someone in finance]
    From: Executive@vend0r.com
    Sent: Mon, Oct 5, 2016 at 2:01am
    Mr./Mrs. Someone, please be aware that we have recently changed banking providers. Our new account and routing numbers are in the attached pdf.
    Respectfully, Mr. Vendor Executive
Threat overview
• Fake executives:
  • Often create entire fake email chains including supposed communications with other executives
  • May tie to fake vendor claims, but also tax payments, legal fines, issuing corporate credit cards, fake checks, etc.
  • Utilize organizational and positional pressure to succeed
• Typical example:
    To: [Someone in finance]
    From: Executive@ourc0mpany.com
    Sent: Mon, Jan 15, 2017 at 4:07pm
    Hey, [nickname]. I was just contacted by one of our key vendors and it looks like we missed a payment last month. We are currently negotiating next year's contract so this is VERY sensitive. Immediately wire $xxx,xxx to the attached account information or there will be hell to pay for all of us.
    Respectfully, CEO Executive
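Both "typical examples" above share the same tells: a sender domain that imitates a real one (a zero in place of the letter o), a request to change where money goes, pressure language, and the real details pushed into an attachment. The screen below is an added example written for this page, not code from the slides or from RSM; the allowlist of known domains, the keyword lists, the homoglyph table and the sample messages are all constructed for illustration.

```python
"""Added example, not from the slides: a simple screen for the vendor banking-change
and fake-executive wire requests described above. The allowlist of known domains,
the keyword lists and the sample messages are all constructed for illustration."""
import re
from email.utils import parseaddr
from typing import Optional

# Constructed allowlist: domains the organisation legitimately corresponds with.
KNOWN_DOMAINS = {"vendor.com", "ourcompany.com"}

# Digits and symbols attackers swap for look-alike letters (the slides' samples
# use a zero for the letter o in vend0r.com and ourc0mpany.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

PAYMENT_CHANGE_TERMS = ("changed banking", "new account", "routing number", "wire ")
URGENCY_TERMS = ("immediately", "very sensitive", "hell to pay", "urgent", "asap")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known domain that `domain` imitates, or None.

    A domain is a look-alike when it is not on the allowlist but, after homoglyph
    normalisation, equals or is within one edit of an allowlisted domain."""
    if domain in KNOWN_DOMAINS:
        return None
    normalised = domain.translate(HOMOGLYPHS)
    for known in KNOWN_DOMAINS:
        if normalised == known or edit_distance(normalised, known) <= 1:
            return known
    return None


def score_message(sender: str, body: str) -> dict:
    """Collect the social-engineering indicators present in one message.

    Two or more indicators means the message is held for out-of-band
    verification (a call to a number already on file, never one taken
    from the email itself)."""
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    text = body.lower()
    indicators = []
    imitated = lookalike_of(domain)
    if imitated:
        indicators.append(f"sender domain {domain} imitates {imitated}")
    if any(term in text for term in PAYMENT_CHANGE_TERMS):
        indicators.append("payment details or destination being changed")
    if any(term in text for term in URGENCY_TERMS):
        indicators.append("pressure or urgency language")
    if re.search(r"\battached\b", text):
        indicators.append("key details deferred to an attachment")
    return {"domain": domain, "indicators": indicators, "hold": len(indicators) >= 2}


# Constructed samples modelled on the two "typical example" messages above.
VENDOR_SAMPLE = ("Executive@vend0r.com",
                 "Mr./Mrs. Someone, please be aware that we have recently changed banking "
                 "providers. Our new account and routing numbers are in the attached pdf.")
EXEC_SAMPLE = ("Executive@ourc0mpany.com",
               "Hey. We missed a payment last month and this is VERY sensitive. Immediately "
               "wire $xxx,xxx to the attached account information or there will be hell to pay.")
BENIGN_SAMPLE = ("Accounting@vendor.com",
                 "Attached is this month's invoice, payable under our usual terms.")

if __name__ == "__main__":
    for sender, body in (VENDOR_SAMPLE, EXEC_SAMPLE, BENIGN_SAMPLE):
        result = score_message(sender, body)
        print(f"{sender:28} hold={result['hold']} {result['indicators']}")
```

The point of the "hold" threshold is that no single indicator is conclusive (a genuine vendor does sometimes attach an invoice), but the combination of a look-alike domain with a change in payment destination is exactly the pattern the slides describe, and the control that actually stops it is a callback to a number already on file.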
Skill vs. motivation
• Food for thought
  • Legacy universe of attackers
  • Underground markets bringing the two sides together
    • Motivated attackers place bounties for the skilled attackers to chase.
    • Skilled attackers breach environments and sell access to the motivated.
  • Newer automated tools require less technical skill to use.
(Figure: Attackers of Concern)
Where are we?
• What is the corporate approach on cybersecurity?
• Is anyone in charge of cybersecurity?
Security controls overview
• Attacks are generally carried out in four stages.
• These four stages are often referred to as “The Breach Quadrilateral.”
• Controls must be deployed within the environment that impede your adversary at each stage of the breach cycle.
• Typical defensive focus is on the infiltration stage, but attackers are often most skilled in this area.
• Successful defense is often tied to controls in the later three stages.
Security controls overview
• Make sure you have at least basic controls in three layers: Prevent, Detect, Correct.
  • Have you made yourself a hard target?
  • Are you capable of knowing if you have been breached?
  • Can you respond effectively?
A public service announcement
• (Compliance + Governance) ≠ Security
• Provide meaningful metrics—boards love them.
• IT security is a continual process; that one “certification” or the yearly “risk assessment” won't keep you safe.
Some fieldwork types (not all-inclusive)
• Internal Penetration Testing/Vulnerability Scanning
• External Penetration Testing/Vulnerability Scanning
• Web Application Penetration Testing
• Cloud Security Reviews
• Social Engineering
• Mobile Application Security
• Security Architecture
Internal
• Internal Penetration Testing
  • “Rent a hacker”
  • Can be scenario/objective based
  • Focused on internal infrastructure
  • Focus is on
    • Getting data
    • Showing impact
• Internal Vulnerability Scanning
  • “Enumerating all of the bad,” some would say.
  • Consulting firms leverage proprietary and openly available tools.
  • Organizations of all shapes and sizes
  • Should “hook in” to your patching model (e.g., your organization says that it patches XYZ every month; are there any forgotten computers?)
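The "forgotten computers" question is answerable mechanically: anything the vulnerability scanner can reach but the patching platform has never heard of, or has not patched within the stated cycle, is a gap between what the organization says it does and what it does. The reconciliation below is an added example for this page, not code from the slides or any RSM tool; both inventories, the hostnames, the dates and the 30-day cycle are constructed.

```python
"""Added example, not from the slides: reconcile the hosts a vulnerability scan
found against the patch-management inventory to surface forgotten computers.
Both inventories, the hostnames and the dates are constructed."""
from datetime import date, timedelta

PATCH_CYCLE_DAYS = 30  # the organisation says it patches everything monthly

# Constructed: hosts the scanner saw on the network, with critical findings.
SCANNER_HOSTS = {
    "fin-ws-01": {"ip": "10.1.2.10", "criticals": 0},
    "fin-ws-02": {"ip": "10.1.2.11", "criticals": 3},
    "lab-old-pc": {"ip": "10.1.9.77", "criticals": 12},
    "hr-print-srv": {"ip": "10.1.3.5", "criticals": 5},
}

# Constructed: hosts the patching platform knows, with last successful patch date.
PATCH_INVENTORY = {
    "fin-ws-01": date(2017, 10, 2),
    "fin-ws-02": date(2017, 7, 14),
    "hr-print-srv": date(2017, 10, 1),
    "decom-srv-9": date(2017, 3, 1),  # retired, but the record was never removed
}


def reconcile(scanner, inventory, today, cycle_days=PATCH_CYCLE_DAYS):
    """Sort every host into one of three findings.

    unmanaged: on the network but unknown to patching (the forgotten computer)
    stale:     enrolled but has missed at least one patch cycle
    ghost:     in the patch system but not seen on the network (stale record,
               or an asset the scanner cannot reach and should be able to)"""
    stale_cutoff = today - timedelta(days=cycle_days)
    findings = {"unmanaged": [], "stale": [], "ghost": []}
    for host, info in scanner.items():
        if host not in inventory:
            findings["unmanaged"].append(host)
        elif inventory[host] < stale_cutoff:
            days_since = (today - inventory[host]).days
            # Carry the scanner's critical count so the finding can be prioritised.
            findings["stale"].append((host, days_since, info["criticals"]))
    for host in inventory:
        if host not in scanner:
            findings["ghost"].append(host)
    return findings


if __name__ == "__main__":
    report = reconcile(SCANNER_HOSTS, PATCH_INVENTORY, date(2017, 10, 10))
    for category, hosts in report.items():
        print(f"{category:10} {hosts}")
```

Run monthly, just after the patch window closes, the "unmanaged" list is the direct answer to the slide's question, and the "ghost" list is worth a look too: a machine the patching agent still reports on but the scanner cannot see is either decommissioned paperwork or a network segment the scan is not covering.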
External penetration testing
• The “we performed an external penetration test so we must be safe” mentality is outdated and dangerous.
• Your NextGen XTRA Secure™ firewall won't protect you against someone clicking on a malicious link because they were promised a free breakfast coupon for IHOP.
Web application penetration testing
• Focus on
  • Web application/web site
  • Vulnerabilities that can be executed by end users
  • Mechanisms where an attacker can perform horizontal or vertical privilege escalation
  • Data exfiltration
• Don't confuse this with external testing.
• Generally this testing is for dynamic websites with user interaction. If you own a restaurant that has a static website that only has a menu and hours, you probably don't need this.
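Horizontal escalation is one user reading another user's record; vertical escalation is a low-privilege user reaching something reserved for a higher role. Both usually come down to the same defect: the application checks that someone is logged in but not that this person may see this object. The snippet below is an added example for this page, not code from the slides or from RSM; the users, roles and records are constructed, and it shows the vulnerable lookup beside a hardened one that performs the object-level check.

```python
"""Added example, not from the slides: the two escalation paths a web application
test looks for, shown as a vulnerable record lookup next to a hardened one.
The users, roles and records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # one of "customer", "staff", "admin"


# Constructed data store: each record has an owner and the minimum role needed
# to read it without being the owner.
RECORDS = {
    101: {"owner": "alice", "needs_role": "customer", "data": "alice's order"},
    102: {"owner": "bob", "needs_role": "customer", "data": "bob's order"},
    900: {"owner": None, "needs_role": "admin", "data": "payroll export"},
}
ROLE_RANK = {"customer": 0, "staff": 1, "admin": 2}


class Forbidden(Exception):
    """Raised when an authenticated user is not authorised for a record."""


def get_record_vulnerable(user: User, record_id: int) -> str:
    """Checks only that someone is logged in and serves whatever id was asked for.
    Changing the id in the request is enough to read another customer's record
    (horizontal) or an admin-only record (vertical)."""
    return RECORDS[record_id]["data"]


def get_record_hardened(user: User, record_id: int) -> str:
    """Object-level authorisation on every lookup: the caller must own the
    record, or hold a non-customer role at least as high as the record requires."""
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    is_owner = record["owner"] == user.name
    has_role = user.role != "customer" and ROLE_RANK[user.role] >= ROLE_RANK[record["needs_role"]]
    if not (is_owner or has_role):
        raise Forbidden(f"{user.name} ({user.role}) may not read record {record_id}")
    return record["data"]


def denied(user: User, record_id: int) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        get_record_hardened(user, record_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = User("alice", "customer")
    print("vulnerable, alice reads 102:", get_record_vulnerable(alice, 102))
    print("hardened,   alice reads 102:", "denied" if denied(alice, 102) else "served")
    print("hardened,   alice reads 900:", "denied" if denied(alice, 900) else "served")
```

A tester exercising the vulnerable path simply increments the record id; the hardened path turns that into a logged Forbidden, which is also the event a detective control should be alerting on when one session produces many of them.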
NIST CSF gap assessment
• Reviews weaknesses and areas of improvement within the NIST CSF framework
• Great way to hit a lot of topics in a quick manner, such as:
  • Risk management strategy
  • Identity and access management
  • Security awareness
  • Security continuous monitoring
  • Recovery planning
Conclusion
• Misconception
  • Scenario: We're too small to hack; no one would target us.
  • Reality: Small to medium sized businesses are the bread and butter of many hackers. They don't have the resources of a Fortune 500 company that can employ multiple individuals with the sole job of securing the enterprise. Hackers don't care who you are; you have a corporate bank account.
Summary
• Understand that security controls fall into three categories: Prevent, Detect, Correct.
• Modern attacks bypass preventive controls rather easily; more focus and effort is needed within detective and corrective controls.
• These controls need to be systemically deployed in a way that detects attacker behavior at each stage of the attack cycle; stop focusing on the network boundary.
• Enhancing preventive controls forces attackers to make noise, detective controls identify the activity, and corrective controls allow for response and remediation.
• Corrective controls are more than “just run an AV scan” or “full blown incident.”
• Do not become a “hacker snack.”
  • Hard and crunchy on the outside, soft and gooey in the middle
Contact Information
Joe Strain
joe.strain@rsmus.com
RSM US LLP 30 South 17th Street, Suite 710, Philadelphia, PA 19103 +1 800 274 3978 rsmus.com