
Cyber Threats


Presentation Transcript


  1. Cyber Threats ABMTS – Cincinnati, OH Malcolm Sykes, CISSP & Terry Lewis

  2. The IRS as Target
  • Largest IT environment of any U.S. civilian agency
  • 700+ PODs (posts of duty)
  • More PII than any other government agency
  • Processes $2.5T of revenues
  • Complex & diverse IT infrastructure
  • Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in)

  3. The Threats & Vectors
  • Malware (Trojans, viruses, worms, spyware, etc.)
  • Web browsing
  • E-mail
  • Removable media
  • Data disclosure & integrity
  • Authorized users
  • Lost & stolen equipment
  • Network penetration
  • Denial of service
  • Botnets
  • Insider attacks

  4. Emerging Threats
  Intrusion + Worm + Virus = Blended Threat
  • Memory-based rootkits & other malware
  • Mobile malware (BlackBerry, iPhone, iPad)
  • Cloud computing
  • Infrastructure & contractor outsourcing
  • Cross-platform malware, including malware that targets virtualized environments
  • Blended threats (multiple vectors)

  5. Computer Hackers Who are they? No longer just techno-geeks.

  6. The Attackers
  • Criminal gangs
    • Financially or politically motivated
    • Employ individuals or groups of hackers to steal PII, credit card & banking information
  • Hacker gangs
    • Create & sell botnets & hacker tools
    • Sometimes engage in activity to wage cyber war on each other or to boost their reputation
  • Political or religious groups
    • Hacking for military and commercial secrets & to inflict damage
    • Well resourced
    • Funded by criminal enterprises, nations, political or religious entities

  7. Political or Religious Groups
  • Highly motivated, professionally trained & equipped adversaries
  • Espionage and sabotage aimed at US government, military & commercial sites
  • Strategic & tactical attacks
  • Threat to the military & economic security of the United States

  8. Botnet Attack
  • Distributed Denial of Service (DDoS) attack launched on the weekend of July 4, 2009
  • Targeted 27 American and South Korean government agencies and commercial web sites
  • US government targets included the White House, Secret Service, Federal Trade Commission, Transportation Dept. & the Treasury Dept. (but not IRS)
  • US commercial targets included the New York Stock Exchange, Nasdaq, Yahoo & The Washington Post
  • South Korean targets included the presidential Blue House, Defense Ministry, National Assembly, Shinhan Bank, the Chosun Ilbo newspaper & top Internet portal Naver.com
  • Estimated over 50,000 IP addresses were participating in this attack
  • Rated as unsophisticated
  • Full recovery in less than one week
  (As reported in the New York Times, July 8, 2009)

  9. Vulnerabilities & Mitigations
  • Vulnerability: Default machine configurations are inherently insecure
    Mitigation: IRM requirements & policy checkers; standard workstation COE (Common Operating Environment) image based on the FDCC (Federal Desktop Core Configuration)
  • Vulnerability: Patching & updating is often delayed in large organizations due to testing & implementation restrictions
    Mitigation: Assigned staffs, timeframes & tracking of updates
  • Vulnerability: Absent, disabled or outdated anti-virus programs, firewalls, etc.
    Mitigation: Compliance reviews
  • Vulnerability: Risky web-surfing & e-mail behavior
    Mitigation: Security awareness presentations & materials; AV software, firewalls, site-blocking software, network monitoring & IDSs
  • Vulnerability: Social engineering
    Mitigation: Security awareness presentations & materials

  10. Targeting End-users
  Attackers no longer need to penetrate security perimeters
  • This is a byproduct of the move towards financially motivated malicious activity
  • Malicious activity has moved away from targeting computers & towards targeting end users themselves
  • Specifically, attackers are targeting confidential end-user information that can be used in fraudulent activity for financial gain as well as in attacking systems

  11. “Electronically Transmitted Diseases”
  • More employees are using mobile media: CDs, DVDs, thumb drives, MP3 players (iPods), external hard drives
  • Mobile media is used by criminals as another vector to spread their malware. In addition to mobile media containing software, music, etc. purchased from flea markets, found in parking lots, etc., some commercially produced software has contained code that makes systems vulnerable to rootkits & other malware
  • Mobile media connected to a non-IRS system will be exposed to any malware left behind from previously installed ETDs
  • Internal Revenue Manual (IRM) 10.8.1.5.2.5 prohibits the use of personally owned equipment, including software & media, on IRS systems & vice versa

  12. Cybersecurity Misconceptions
  • No one knows who I am on the Internet
  • The Internet is a virtual world, so nothing bad can happen to me
  • Security software (anti-virus, firewall, etc.) will protect me
  • The IRS will protect me
  • Law enforcement will protect me
  • Who believes all this?

  13. Credit Card Sales

  14. “5568” (sample record from a stolen-card listing, as shown on the slide; fields redacted)
  Billing: Pxxx xxx
  xxx xxx Road
  Suite 400
  xxx, CA xxx
  US
  Phone: xxxxxx7605
  e-mail: pxxx.xxx@atf.gov
  Payment Method: Credit Card
  Name On Card: Pxxx x. xxx
  Credit Card #: 5568xxxxxxxxxxxx
  Credit Type: MasterCard
  Expires: 05/2009
  CVV2: 421

  15. Capturing Card Number & PIN
  • Organization database attacks
  • Social engineering via e-mail, web site, telephone or postal mail
  • Dumpster diving & trash collection
  • Man-in-the-middle web site attacks
  • Bank ATM modifications
    • Equipment disguised to look like a normal ATM
    • Wireless “skimmer” & video camera transmit scanned card information & PIN
    • Criminals copy cards & use PINs to withdraw cash

  16. Wireless Scanner • Equipment being installed on top of existing bank card slot.

  17. Wireless Video Camera • PIN reading camera being installed on the ATM is housed in an innocent looking leaflet enclosure.

  18. From Patch to First Attack
  Patch (release date)         First attack (date)          Interval
  MS00-078 (Oct. 17, 2000)     Nimda (Sept. 18, 2001)       336 days
  MS02-039 (Jul. 24, 2002)     Slammer (Jan. 25, 2003)      185 days
  MS03-026 (Jul. 16, 2003)     Blaster (Aug. 11, 2003)      26 days
  MS04-011 (Apr. 13, 2004)     Sasser (Apr. 30, 2004)       17 days
  MS05-037 (Jul. 12, 2005)     JView 0-day (June 2005)      exploit preceded the patch

  19. Zero-Day Exploits
  • Sometimes discovered by hackers & kept secret prior to use
  • High-risk, undocumented vulnerabilities with no approved patch
  • Some patches not released in a timely manner (RPC memory overflow: over 4 years)
  • CSIRC released 10 Critical Advisories & 1 Bulletin for zero-day exploits since Jan 1, 2009
  • Multiple zero-day exploits targeted IRS business units via e-mail

  20. Zero-Day Exploit Against IRS
  • In February 2009, an e-mail was sent to 2 IRS e-mail accounts
  • Attachments utilized a Microsoft Excel zero-day exploit
  • Malware designed to export data to a remote IP address
  • Used custom encryption (non-SSL) over TCP port 443
  • Target IRS e-mail addresses included:
    • Former employee (account/e-mail disabled)
    • Distribution list (e-mail forwarded to 10 employees)
  • Analysis confirmed outbound connection attempts were blocked & no data was exported
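The detail on slide 20 worth operationalizing is the custom encryption over TCP port 443: the malware used the HTTPS port so its traffic would blend in, but genuine HTTPS begins with a TLS handshake record whose layout is fixed by the TLS specification, so a sensor that sees the first client bytes of each port-443 flow can tell the two apart. The following is an added example, not code from the presentation or the IRS; the flow tuples and addresses are constructed, and the `SAMPLE_FLOWS` list, `looks_like_tls_client_hello` and `find_non_tls_on_443` are names chosen for this illustration.

```python
"""Flag port-443 flows whose first client bytes are not a TLS ClientHello.

Added example, not part of the presentation. The malware on slide 20 sent
custom-encrypted data over TCP 443 so it would blend in with HTTPS; genuine
HTTPS starts with a TLS handshake record (RFC 5246 layout) that is easy to
check. Sample flows are constructed; addresses are documentation ranges.
"""
import struct

TLS_HANDSHAKE = 0x16     # record content type: handshake
HS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if payload starts with a TLS record carrying a ClientHello.

    Checks the 5-byte record header (type, version, length), the 4-byte
    handshake header (type, length) and their consistency, so a custom
    protocol that merely begins with 0x16 is not accepted.
    SSLv2-compatible hellos (first byte 0x80) are deliberately not accepted.
    """
    if len(payload) < 9:
        return False
    content_type, major, minor, record_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # The record body must be able to hold the handshake header plus its body.
    return hs_type == HS_CLIENT_HELLO and hs_len + 4 <= record_len


def build_client_hello() -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x11" * 32          # random (fixed value for the example)
        + b"\x00"               # session_id length: 0
        + b"\x00\x02\x00\x2f"   # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"           # compression_methods: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


def find_non_tls_on_443(flows):
    """flows: (src, dst, dst_port, first_client_bytes). Return (src, dst) of suspects."""
    return [(src, dst) for src, dst, port, data in flows
            if port == 443 and not looks_like_tls_client_hello(data)]


# Constructed flows: a real HTTPS handshake, a custom-encrypted blob whose first
# bytes mimic a TLS record header, plaintext HTTP on 443, and an ordinary port-80 flow.
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.10", 443, build_client_hello()),
    ("10.1.2.4", "198.51.100.7", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x40\xa7\x3c\x19"),
    ("10.1.2.5", "198.51.100.8", 443, b"GET /beacon HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("10.1.2.6", "203.0.113.11", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst in find_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

The second constructed flow shows why the check reads the handshake header too: its first byte is 0x16, but the declared handshake length does not fit inside the declared record, so it is still flagged. In practice this check sits behind the egress firewall that blocked the outbound connections in the IRS case; the blocked attempts are exactly the flows whose first bytes are worth inspecting.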

  21. Zero-Day Exploit Overview

  22. Real or Fake?

  23. CNN Phishing
  • Spam e-mail was circulating in January 2009 containing factual information about the Israeli/Hamas conflict
  • It appeared to originate from CNN & contained a link to a website posing as CNN, which contained what looked like a video file
  • All links on the website actually resolved to the valid CNN website
  • Visitors who attempted to view the video were prompted to update to a new version of the Adobe Flash Player
  • The update was actually malicious code

  24. CNN Phishing

  25. IRS Response to CNN Phishing
  • IRS initiated content filtering to block the e-mail
  • Only 11 of 38 AV products could detect stage one
  • Only 2 of 38 AV vendors’ signatures could detect stage two
  • Analysis revealed 36 IRS systems visited the fraudulent CNN website (stage one)
  • Additional analysis identified 1 IRS system issuing HTTP GET requests to the Russian IP address every 20 minutes (stage two)
  • Further analysis confirmed that no data was exported

  26. “Just Surfing the Web” • In November 2009, an employee performs a search via Yahoo! for “1979-2007 vehicle wiring diagrams”.

  27. “Just Surfing the Web”
  • First (non-sponsored) URL listed by the search engine was malicious
  • Embedded HTML executed a PHP file, downloading the malware file 45096.exe
  • Malware executes & begins beaconing home to kinoarts.com over TCP port 80
  • Analysis revealed 2 additional call-back sites not being blocked by IRS
  • Further analysis confirmed outbound connection attempts were blocked & no data was exported

  28. Beacons
  • A beacon is an intentionally conspicuous device designed to attract attention to a specific location
  • In the cyber world, a beacon is a system that repeatedly attempts to make a hidden connection with one or more systems outside of its network
  • Ordinary user traffic is fairly random, so traffic generating a significant regular pattern is indicative of a beacon

  29. Beaconing Activity • Beaconing from infected IRS system attempting to “call home” to a website in China for further instructions. • Website was a known malicious website that was blocked
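Slides 25, 27, 28 and 29 all turn on the same observation: the infected host on slide 25 issued an HTTP GET to one address every 20 minutes, and slide 28 says that regularity is what separates a beacon from ordinary browsing. The following is an added example, not code from the presentation or the IRS, of turning that observation into a check over proxy logs: group requests by (client, destination host), take the gaps between consecutive requests, and flag pairs whose gaps have a low coefficient of variation (standard deviation divided by mean). The log lines, addresses, and the thresholds `min_requests` and `max_cv` are constructed for the illustration.

```python
"""Find beaconing hosts in proxy logs from the regularity of their request timing.

Added example, not part of the presentation. Slide 25 describes an IRS host
issuing an HTTP GET to one IP every 20 minutes; slide 28 notes that ordinary
user traffic is irregular while a beacon produces a regular pattern. Here
regularity is measured as the coefficient of variation (pstdev / mean) of
the gaps between consecutive requests from one client to one destination host.
Log lines are constructed; thresholds are assumptions to be tuned per site.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>".
# 10.1.2.3 polls 198.51.100.7 every ~20 minutes; 10.1.2.9 is a person browsing.
SAMPLE_LOG = """\
2009-01-20T08:00:00 10.1.2.3 GET http://198.51.100.7/
2009-01-20T08:01:10 10.1.2.9 GET http://www.example.com/index.html
2009-01-20T08:03:45 10.1.2.9 GET http://www.example.com/news
2009-01-20T08:04:02 10.1.2.9 GET http://www.example.com/style.css
2009-01-20T08:05:31 10.1.2.3 GET http://www.example.com/
2009-01-20T08:20:02 10.1.2.3 GET http://198.51.100.7/
2009-01-20T08:31:20 10.1.2.9 GET http://www.example.com/sports
2009-01-20T08:40:01 10.1.2.3 GET http://198.51.100.7/
2009-01-20T09:00:03 10.1.2.3 GET http://198.51.100.7/
2009-01-20T09:12:00 10.1.2.9 GET http://www.example.com/weather
2009-01-20T09:12:30 10.1.2.9 GET http://www.example.com/weather.js
2009-01-20T09:15:44 10.1.2.3 GET http://www.example.com/about
2009-01-20T09:20:00 10.1.2.3 GET http://198.51.100.7/
2009-01-20T09:40:02 10.1.2.3 GET http://198.51.100.7/
"""


def parse_line(line):
    """Return (timestamp, client, destination host) for one log line."""
    ts, client, _method, url = line.split()
    host = url.split("/", 3)[2]          # "http://host/path" -> host
    return datetime.fromisoformat(ts), client, host


def find_beacons(lines, min_requests=5, max_cv=0.05):
    """Return (client, host, mean gap in seconds, cv) for regular client->host traffic.

    min_requests: fewer requests than this cannot establish a pattern.
    max_cv: assumed threshold; a beacon with no jitter has cv near 0,
    while human browsing to the same site has cv well above 1.
    """
    times_by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, host = parse_line(line)
            times_by_pair[(client, host)].append(ts)

    beacons = []
    for (client, host), times in times_by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((client, host, round(avg), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for client, host, gap, cv in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: every ~{gap}s (cv={cv})")
```

Two practical points follow from the slides. Slide 27 reports two call-back sites that were not yet on the block list, which is why this check scores every (client, host) pair rather than only matching known-bad destinations. And because malware authors add jitter to defeat exactly this test, `max_cv` has to be raised and the observation window lengthened in real deployments; the cost is more false positives from legitimate pollers such as software update clients, which need an allow list.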

  30. SCADA
  • Supervisory Control & Data Acquisition
  • Provides data display, alarming, trending, reporting, & control for devices & equipment in remote locations (via LAN, modem, wireless technologies, or Internet)
  • Think US critical infrastructure

  31. Cyber Attacks on SCADA
  • Unintentional consequences caused by internal personnel or mechanisms (testing software on operational systems or unauthorized system configuration changes)
  • Unintentional consequences or collateral damage from malware
  • Intentional attacks such as gaining control or a DoS attack
  • Aurora: simulated cyber attack on a SCADA system in March 2007
  • Both unintentional and intentional attacks on SCADA systems have been documented

  32. Questions or Comments
