Cybersecurity and Social Engineering
Ben Hayden, IT & Risk Consultant
Ben Hayden – Background
• US Marine Corps
• Law Enforcement
• Financial Institution – IT Security/Fraud
• U of I – BBA
• ISU – MS
@2016. Proprietary & Confidential. SHAZAM, Inc. information is of general applicability and current as of date of presentation.
Disclaimers
• SHAZAM vs Competitors
• Hacking Tools
• Federal Laws
• Policies
• I don’t know everything
• No magic bullet
• “Not if, but when”
Question 1: Why do organizations/people “get hacked”?
• Grudge
• Fun
• Ideology (“Hacktivism”)
• Espionage (State-sponsored)
• Theft (Financial gain)
• Some other reason
Answer: Why do organizations/people “get hacked”?
• Theft (Financial Crime) – 80%
• Espionage (State Sponsored) – 15%
• Everything Else – 5%
Source: 2016 Verizon Data Breach Report
Why are we here?
In 2015, more than 169 million personal records were exposed, at an average cost of $154 per stolen record (medical records: $363 per record).
Source: 2015 ITRC Data Breach Report
Risks: What are some risks cities face?
• Points of compromise – think WHY?
• Customer payment systems
• Employee records
• Tax/property records
• Traffic sensors
• Water sensors
• GPS systems
• Phone/radio systems
Risks: Standards/Regulations
• Financial Industry
  • GLBA
• Health Care
  • HIPAA
  • HITECH
• What does the public sector have?
Case Study: San Francisco Municipal Transit
• November 2016
• Transit system’s payment network was encrypted, as was their email server.
• Payment machines wouldn’t accept payments.
• 100 Bitcoin was demanded.
• SF opened the gates to the transit system; riders were allowed to ride for free for two days until the system was restored.
Attack Cycle (diagram): Target Identification → Recon → Gaining Access → Scanning the Network → Exploits → Exfiltration
Target Identification: Types of Hackers
• Organized Crime
• Nation States
• Hacktivist
• Insiders
Attack Example (Recon): Hypothetical Attack
• Footprinting
  • Social Networks
  • Website
  • Maltego
  • Google
Attack Example (Gaining Access): Social Engineering
• Phishing
• Client emails
• Spear Phishing
• Giving out passwords
Approximately 70% of attacks used a combination of phishing and hacking.
Source: 2016 Verizon Data Breach Report
Attack Example: Maltego (screenshot)
Attack Example (Scanning the Network)
Network is probed for vulnerabilities:
• Open ports
• Out-of-date patches
• Unlocked systems
• Administrator access
Multiple access points established.
Attack Example (Scanning the Network): Tools
• Network mapping tools
  • Zenmap, SoftPerfect
• Packet Sniffers
  • WireShark
• Keyloggers
What are they looking for?
• Vulnerabilities
• Outdated/unpatched systems/applications
• Weak passwords with admin privileges
Scanning: SoftPerfect (screenshot)
Scanning: Nmap (screenshot)
Scanning: Nmap (GUI) (screenshots, two slides)
Attack Example: Passwords
• Encryption – what does it actually mean?
• Breaking/Circumvention
  • Publicly available rainbow tables
• On average – 24 online accounts, only 6 passwords
• 73% of passwords are duplicates
• 47% of passwords are 5+ years old
• 77% of passwords are 1+ year old
Source: TeleSign Consumer Account Security Report
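The slide's point about rainbow tables is easier to see in code. The following is an added example, not material from the presentation or from SHAZAM: it shows why a plain (unsalted) password hash can be recovered by a simple precomputed lookup, and why storing passwords with a random per-user salt and a slow key-derivation function (PBKDF2 here, from the Python standard library) makes such tables useless. The password list and the iteration count are constructed for the example.

```python
# Added example (not from the presentation): unsalted hashes vs. salted PBKDF2.
# Uses only the Python standard library.
import hashlib
import hmac
import os

# Constructed sample of common passwords an attacker might have precomputed.
# A real rainbow table is far larger, but the mechanism is the same:
# hash once, look up forever.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2016"]

# Iteration count is an assumption for the example; pick per current guidance.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password):
    """Plain SHA-256 of the password: same input, same output, every time."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password. Stand-in for a rainbow table."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_hash, table):
    """Recovering an unsalted hash is a dictionary lookup, not a computation."""
    return table.get(stored_hash)


def hash_password(password, salt=None):
    """Hardened storage: return (salt, derived_key).

    A fresh random 16-byte salt is generated when none is supplied, so two
    users with the same password get different stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def salt_defeats_table(password, table):
    """True when the salted hash of `password` is NOT in the precomputed table."""
    _, key = hash_password(password)
    return key.hex() not in table


def same_password_different_hashes(password):
    """True when hashing the same password twice yields different stored keys."""
    _, key1 = hash_password(password)
    _, key2 = hash_password(password)
    return key1 != key2


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = unsalted_hash("Summer2016")        # what a breached unsalted DB leaks
    print("unsalted lookup recovers:", crack_unsalted(stolen, table))
    salt, key = hash_password("Summer2016")
    print("salted verify (correct password):", verify_password("Summer2016", salt, key))
    print("salted hash found in table:", not salt_defeats_table("Summer2016", table))
    print("same password, different hashes:", same_password_different_hashes("password"))
```

The lookup succeeds only against the unsalted hash; once a per-user salt is mixed in, the attacker would have to rebuild the table for every user, and the iteration count makes each guess expensive. This is the storage-side half of "use strong passwords": even a strong password is exposed if the system holding it stores a plain hash.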
Attack Example (Exploits): Types of Exploits
• Two basic types:
  • Known
  • Unknown
• What they do
  • Elevate privileges
  • Attack other applications
• Exploit Kits
• Dark Web (Tor)
Attack Example (Exfiltration): Exfiltrating the data
• Difficult to detect
• Mimics “normal” behavior
What do they do with the data?
• Sell it
• Unless it’s Ransomware – encrypt specific file types on device/server
What can you do? Best Practices
• Think When, not If
• Follow IT policies/procedures
• Don’t open unusual links/attachments
• Trust through verification
• Think before you click
• Use strong passwords
Thank you! QUESTIONS?