
Anatomy of a Hack


Presentation Transcript


  1. Anatomy of a Hack

  2. Agenda • Introduction • Story time, aka what is “cyber crime”? • Security statistics • Attack case studies • Activities to mitigate or provide comfort

  3. With you today Joe Strain • Manager, RSM US LLP, Philadelphia • Speaker at information security conferences: IIA/ISACA, InfraGard, etc.

  4. Time traveling… • Mainframes • Data Centers • Cloud Computing

  5. What is cyber crime? • The use of computer networks to gain illicit access to confidential information, typically that is held by a government, individuals or another organisation • Can involve nation-states, corporations, individuals, groups of all shapes/sizes • Objectives include: • Financial • Military • Trade Secrets • Reputational • … just because they want to Source: Focus Training

  6. What is a computer worth?

  7. Example hacking incidents • AOL (2005) • A former engineer stole a million screen names and email addresses. • These were sold to spammers who then sent 7 billion unsolicited emails. • Target (2014) • Hackers infiltrated POS systems, installing skimmers. • They stole 70 million credit card numbers. • Ashley Madison (2015) • Hacktivists leaked the personal details of 37 million users of the website. • Sony (2015) • Alleged North Korean hackers infiltrated Sony due to the release of the film The Interview. • 100 terabytes were stolen: unreleased movie scripts, employee salary details, emails and other sensitive data.

  8. Security Statistics

  9. Breach statistics

  10. Breach statistics

  11. Breach statistics

  12. Security statistics: Cost of a breach The 2017 study summarizes RSM/NetDiligence's findings from a sampling of 591 cyber claims, 343 of which involved the loss, exposure or misuse of sensitive personal data from a variety of industry sectors. • The average cost for crisis services (forensics, notification, credit monitoring, legal guidance) was $349,000. • Hackers were the most frequent cause of loss (27%), followed by malware and viruses (16%). • Third parties accounted for 13% of the claims submitted. • Payment Card Industry (PCI) data was the most frequently exposed data, followed by protected health information (PHI) and personally identifiable information (PII). • Nano-revenue companies (less than $50 million) experienced the majority of records exposed (43%). • Health care and professional services were the most frequently breached (18%), followed by financial services (13%). • Insider involvement occurred in 25% of the claims submitted. • 88% of the claims submitted in this study are for organizations with less than $2B in revenue.

  13. Current Threat Landscape

  14. Threat overview: Top attack types as seen by RSM DFIR

  15. Threat overview • Rise of the “low-tech” hack • Very polished method of social engineering that does not require actual “hacking” • Fancy name for traditional “con games” • Attacking an environment via manipulating people • Hacking by the KISS principle • Keep it simple, stupid • Why go through all of the effort to bypass firewalls, anti-virus, monitoring solutions, etc.? • Why not just have the target do all the work for you? • Human nature dictates that these attacks WILL be successful.

  16. Threat overview • Vendor fraud aka invoice fraud aka supply chain fraud: • Attacker identifies a vendor of the organization • Attacker attempts to convince the organization to make a normal or additional payment to a new account • Organization unaware of fraud until notified by the vendor • Typical example: To: [Someone in finance] From: Executive@vend0r.com Sent: Mon, Oct 5, 2016 at 2:01am Mr./Mrs. Someone, please be aware that we have recently changed banking providers. Our new account and routing numbers are in the attached pdf. Respectfully, Mr. Vendor Executive

  17. Threat overview • Fake executives: • Often create entire fake email chains including supposed communications with other executives • May tie to fake vendor claims, but also tax payments, legal fines, issuing corporate credit cards, fake checks, etc. • Utilize organizational and positional pressure to succeed • Typical example: To: [Someone in finance] From: Executive@ourc0mpany.com Sent: Mon, Jan 15, 2017 at 4:07pm Hey, [nickname]. I was just contacted by one of our key vendors and it looks like we missed a payment last month. We are currently negotiating next year's contract so this is VERY sensitive. Immediately wire $xxx,xxx to the attached account information or there will be hell to pay for all of us. Respectfully, CEO Executive
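A defender's check for the two fraud patterns in slides 16 and 17, as an added Python example that is not from the slides: it flags sender domains that are digit-for-letter look-alikes of trusted domains (vend0r.com, ourc0mpany.com) and combines that with payment-change wording in the body. The trusted-domain list and the phrase list are constructed assumptions; the phrases are paraphrased from the slide examples.

```python
import re

# Assumed allow-list of domains finance legitimately pays or reports to (constructed
# for this example; a real deployment loads it from the vendor master file).
TRUSTED_DOMAINS = {"vendor.com", "ourcompany.com"}

# Digits commonly substituted for look-alike letters in fraudulent domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Payment-redirection wording, paraphrased from the two slide examples.
PAYMENT_CHANGE_PATTERNS = [r"changed banking provider", r"new account and routing",
                           r"immediately wire", r"missed a payment"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', impersonated domain or None)."""
    d = domain.strip().lower()
    if d in trusted:
        return "trusted", None
    for t in sorted(trusted):
        # Catch digit-for-letter swaps (vend0r.com) and one-character typosquats.
        if d.translate(CONFUSABLES) == t or levenshtein(d, t) <= 1:
            return "lookalike", t
    return "unknown", None


def score_message(sender: str, body: str) -> dict:
    """Combine the sender-domain verdict with payment-change wording in the body."""
    domain = sender.rsplit("@", 1)[-1].lower()
    verdict, impersonated = classify_domain(domain)
    hits = [p for p in PAYMENT_CHANGE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    # Lookalike senders are held outright; unknown senders only when they ask to
    # move money somewhere new. Trusted senders go through the normal AP process.
    hold = verdict == "lookalike" or (verdict == "unknown" and bool(hits))
    return {"domain": domain, "verdict": verdict, "impersonates": impersonated,
            "payment_keywords": hits, "hold_for_callback": hold}
```

Run against the slide's vend0r.com message, `score_message` returns verdict `lookalike` impersonating `vendor.com` with `hold_for_callback` set; the hold is meant to trigger an out-of-band callback to the vendor on a previously known number, not an automatic payment or block.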

  18. Skill vs. motivation • Food for thought • Legacy universe of attackers • Underground markets bringing the two sides together • Motivated attackers place bounties for the skilled attackers to chase. • Skilled attackers breach environments and sell access to the motivated. • Newer automated tools require less technical skill to use. Attackers of Concern

  19. Where are we? • What is the corporate approach on cybersecurity? • Is anyone in charge of cybersecurity?

  20. Security controls overview • Attacks are generally carried out in four stages. • These four stages are often referred to as “The Breach Quadrilateral.” • Controls must be deployed within the environment that impede your adversary at each stage of the breach cycle. • Typical defensive focus is on the infiltration stage, but attackers are often most skilled in this area. • Successful defense is often tied to controls in the later three stages.

  21. Security controls overview • Make sure you have at least basic controls in three layers. • Prevent → Detect → Correct • Have you made yourself a hard target? • Are you capable of knowing if you have been breached? • Can you respond effectively?

  22. A public service announcement • (Compliance + Governance) ≠ Security • Provide meaningful metrics—boards love them. • IT security is a continual process; that one “certification” or the yearly “risk assessment” won't keep you safe.

  23. Gaining Comfort—Some Options

  24. Some fieldwork types (not all-inclusive) • Internal Penetration Testing/Vulnerability Scanning • External Penetration Testing/Vulnerability Scanning • Web Application Penetration Testing • Cloud Security Reviews • Social Engineering • Mobile Application Security • Security Architecture

  25. Internal • Internal Penetration Testing • “Rent a hacker” • Can be scenario/objective based • Focused on internal infrastructure • Focus is on • Getting data • Showing impact • Internal Vulnerability Scanning • “Enumerating all of the bad,” some would say. • Consulting firms leverage proprietary and openly available tools. • Organizations of all shapes and sizes • Should “hook in” to your patching model (e.g., your organization says it patches XYZ every month; are there any forgotten computers?)

  26. External penetration testing • The “we performed an external penetration test so we must be safe” mentality is outdated and dangerous. • Your NextGen XTRA Secure™ firewall won't protect you against someone clicking on a malicious link because they were promised a free breakfast coupon for IHOP.

  27. Web application penetration testing • Focus on • Web application/web site • Vulnerabilities that can be executed by end users • Mechanisms where an attacker can perform horizontal or vertical privilege escalation • Data exfiltration • Don't confuse this with external testing. • Generally this testing is for dynamic websites with user interaction. If you own a restaurant with a static website that only has a menu and hours, you probably don't need this.

  28. NIST CSF gap assessment • Reviews weaknesses and areas of improvement within the NIST CSF framework • Great way to hit a lot of topics in a quick manner, such as: • Risk management strategy • Identity and access management • Security awareness • Security continuous monitoring • Recovery planning

  29. Conclusion • Misconception • Scenario: We're too small to hack; no one would target us. • Reality: Small- to medium-sized businesses are the bread and butter of many hackers. They don't have the resources of a Fortune 500 company that can employ multiple individuals with the sole job of securing the enterprise. Hackers don't care who you are; you have a corporate bank account.

  30. Summary • Understand that security controls fall into three categories: • Prevent → Detect → Correct • Modern attacks bypass preventive controls rather easily; more focus and effort is needed within detective and corrective controls. • These controls need to be systematically deployed so that attacker behavior is detected at each stage of the attack cycle; stop focusing on the network boundary. • Enhancing preventive controls forces attackers to make noise, detective controls identify the activity, and corrective controls allow for response and remediation. • Corrective controls are more than “just run an AV scan” or “full-blown incident.” • Do not become a “hacker snack.” • Hard and crunchy on the outside, soft and gooey in the middle

  31. Contact Information Joe Strain joe.strain@rsmus.com

  32. RSM US LLP 30 South 17th Street, Suite 710, Philadelphia, PA 19103 +1 800 274 3978 rsmus.com
