Cyber Security: Identifying the Risks & Your Responsibilities
Cyber Breach Headlines
Where is the Failure?
Reliance on Compliance
OPM Systems (and Contractors) passed compliance assessments
Light or non-existent testing
Many organizations are not doing testing, not even simple vulnerability assessments
Reliance on Software to solve “ALL” security
There is no magic bullet – software is a tool, like a hammer to a builder. It’s not the total solution.
What % of Cyber Breaches Impact Small
a) 3%
b) 13%
c) 31%
d) 43%
Overview
Defining Cyber Security
Hackers and the Hacker Mindset
Exploitation and Social Engineering
Cyber Espionage Case
Defense Strategies
Defining Cyber Security
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. (Definition from: Whatis.com)
The concept to protect the confidentiality, integrity, and availability of data hosted on various information systems platforms.
Characteristics of an Organization at Risk of a Cyber Breach
Do You Have a Website?
Do You Rely on Networks?
Do You Generate Online Revenue?
Do You Control Production, Manufacturing or Supply Chain via a Network?
Do You Utilize an Intranet or Extranet?
Do You House Personally Identifiable Information (PII)?
What Are The Possible Root Causes of a
a) Malware
b) Trusted Insider
c) Hacker
d) Lost or Stolen Device
75% of All Cyber Breaches are
Lost or Stolen Smartphone, Laptop,
Insufficient Security Controls
Lack of Expertise
3rd Party Vetting Failure
Poor Leadership
Incomplete Knowledge of where Sensitive Data Exists
Lack of Data Classification
Lack of Accountability
What is a Hacker?
Describe a hacker…
Kevin Mitnick
Adrian Lamo
Jonathan James
Hacker Categories
State Sponsored
Industrial/Corporate
Organized Crime
Hacktivists (LulzSec, Anonymous, Etc.)
Trusted Insider - Intentional
Trusted Insider - Un-intentional
Script Kiddies (low skilled and reckless attackers using any piece of random malware code they can find, sometimes purposely provided to them by higher skilled attackers)
Ethical - aka White Hat (contracted or hired to test an organization’s network to find holes before a malicious attacker can)
Hacker Mindset
Unconventional, creative, and adaptive thinking
“Hack All Things Mindset” – look at all pieces of the puzzle, every element that the desired data touches or interfaces with (and every element that element touches, so on and so forth)
The Human Element: defeat and/or use a human’s trust against them
What Do You Think the Cost Per Record is on a Cyber Breach?
a) $37
b) $79
Average Cost Post-Breach:
How are Costs Per Record Calculated?
52% – Loss Image/Reputation
46% – Lost Time & Productivity
38% – Technology IT Audit Costs
27% – Notification Costs
23% – Consultants & Attorneys Fees
18% – Lost Revenue
Basic Hacking Methodology
Information/Intelligence Gathering
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
Information/Intelligence Gathering
Open Source (WHOIS, DNS, Port Scanning)
Data Center Locations (Time Zones, Products, Org Charts)
Corporate Communications (Websites, Email Format, Marketing, Lawsuits, Job Openings, Phone Trees)
Government Communications (FOIA, Tax Info, Zoning Info)
Relationships (Charity, Networks, Vendors, Competitors, etc.)
Individuals (Social Networks, Pipl, Spokeo)
Footprinting (ID’ing Assets)
Vulnerability Analysis
Using captured information to identify potential vulnerabilities for exploitation
Often done through a combination of manual review and through the use of vulnerability tools
Common Vulnerability Assessment Tools
General Network Scanners: Nessus, Retina, Qualys, Nexpose
Web Application Tools: WebInspect, Burp Suite, OWASP ZAP
Code Analysis: Fortify, Veracode
Exploitation
Precision Attack/Strike
Direct attack on a computer running a service that is known to be vulnerable (likely due to not being patched)
Customized Exploit
Fuzzing, Sniffing, Brute-force, Routing Protocol Attacks
Radio Frequency (RF) Attacks
Attacking WiFi, Attacking Access Points, Cracking WiFi passwords, various Authentication attacks, etc.
Attacking the User
DNS, Bluetooth, Rogue Access Points, Web (via XSS), Ad-Hoc Networks (fake network), Man-in-the-Middle Attacks, Social Engineering
Post‐Exploitation
Establish Additional Access Channels (in case your method in is detected and closed)
Elevate Privileges and Create New Accounts (or hijack existing accounts)
Nothing is better than establishing access via a legitimate channel
Penetrate Further into Network & Compromise more Systems
Capture Data
Exfiltration of Data, Configurations, Important Files, Auto-Start Directories
Clean Up
Delete logs, uninstall software, restore files, revert system and configuration changes, re-enable security systems
Reporting
For a security firm:
Detailed reporting on what was tested, how they may have compromised the system, and how to fix it
For a malicious hacker:
The organization’s valuable data is stored, sold, made public, or saved for later exploitation
Access to the organization’s data could also be disabled and then ransomed
Question: What asset do you think is most frequently compromised in any organization across the globe?
Social Engineering Example
https://youtu.be/bjYhmX_OUQQ?t=1m56s (1:56-3:48)
What Can Organizations Do To Defend Themselves?
Mitigate things that are easy targets for attackers (“low hanging fruit”)
Know and Maintain Your Environment
Analyze the Risk You Face
Mitigate Risk
Control Access
Use
Know and Maintain Your Environment
Conduct a thorough inventory of your environment
PATCH – UPDATE – PATCH – UPDATE – REPEAT!!!!
All OS’s, Network Devices, Applications/Software, etc.
Keep Anti-Virus/HIPS Current
Ensure all devices are configured correctly using security best practices
Analyze the Risk
One of the main hurdles currently faced is the cost of implementing cyber security
What is the most valuable data in your organization?
Mitigate Risk
Mitigate Risk: Passwords
55% of users have the same password for most if not all websites
Do NOT use easy passwords: Password, 123456, YourName, Dictionary Words or Information about you personally
Use sentences and mix in letters and numbers
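As an added illustration (not part of the original slides), a small Python checker that applies the slide's password rules to a candidate password and reports which rule it breaks. The word lists, the 16-character minimum for a "sentence" password, and the sample user profile are assumptions constructed for this example.

```python
import re

# Constructed sample lists for the example; a real deployment would load full wordlists.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"dragon", "sunshine", "football", "monkey", "summer", "winter"}
MIN_PASSPHRASE_LEN = 16  # assumption: a "sentence" password is at least this long


def password_problems(password, personal_info=()):
    """Return the ways a password breaks the slide's rules (empty list means it passes).

    personal_info: strings an attacker could learn about the user (name, birth year,
    pet, employer); the slide says none of these may appear in the password.
    """
    problems = []
    lower = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lower)

    # Rule 1: no well-known easy passwords such as "Password" or "123456".
    if lower in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")

    # Rule 2: nothing about the user personally ("YourName", birth year, ...).
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lower:
            problems.append(f"contains personal information: {item}")

    # Rule 3: a single dictionary word, even with digits or symbols bolted on.
    if letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word with decoration")

    # Rule 4: use a sentence-length passphrase that mixes letters and numbers.
    if len(password) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters; use a sentence")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and numbers")

    return problems


def is_acceptable(password, personal_info=()):
    """True when the password passes every rule above."""
    return not password_problems(password, personal_info)


if __name__ == "__main__":
    # Constructed user profile and candidate passwords for demonstration.
    profile = ("Jane", "Doe", "1985", "Rex")
    for candidate in ["Password", "JaneDoe1985", "Dragon!1", "Coffee before 9am or no code ships"]:
        print(candidate, "->", password_problems(candidate, profile) or "OK")
```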
Mitigate Risk: Smaller Environment Tips
Email: Change PW Frequently; Don’t Click on Suspicious Emails/Links; Use Encryption When Possible; Don’t login over Public networks
Website: Keep Basic (non PHP/Java); Update your CMS; Limit Personal Info; Have it tested for OWASP Top 10
Internet: Don’t Click on Suspicious Links; Avoid Java, but keep it updated; Use Complex PW’s; Use 2‐Factor Authentication (when available)
Desktop: Use Virus/Malware Protection; Patch All Software!; Access Controls (User/Admin); Use EMET
Mobile: Be mindful of App Permissions; Check Device Approval; Use Screen Locks; Consider Device encryption
Users: Train, Train, Train; Security is Everyone's Job; Proper Use of Internet; Limit user access based on need
Mitigate Risk: Effective Tips (Enterprise)
Email: Implement VPN for External Systems; Configure Filters and Security Settings; Use Encryption When Possible/Digital Signatures
Website: Update CMS and Web Server Platform; Ensure Host Conducts Security Testing; Use valid certificates
Internet: Implement thorough Inbound AND Outbound filtering at Firewall; Implement Blacklisting at Firewall; Use Sandboxing When Possible
Desktop: Enterprise Virus/Malware; Use Imaged Builds & Patch!; Access Controls (User/Admin)
Mobile: Be mindful of App Permissions; Be wary of BYOD. Segregate them.; Enterprise Policy and Filters
Users: Train, Train, Train; Security is Everyone's Job; Proper Use of Internet – Signed Agreements
Control Access
Privileged User and Administrators
User/Non‐Admin Accounts
Role Based Access Control
Segregate/VLANs
Application Access – Mobile Devices
External Access
Use Compliance as a Process
Compliance is designed to be performed as a continual process
Create “living” documents of actual processes to implement security
Automate compliance where possible but always conduct manual checks on tools and configurations
My organization conducts annual security awareness training. (T/F)
Educate Your Users
People are the most vulnerable
Establish a training program, keep it current
Attend Training
Get Certified
In Summary
“There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don't know it”. ‐ Frank Wolf