TARGET: YOU! "They're hacking us, the employees." - PowerPoint PPT Presentation


1. YOU: THE TARGET
Kurt Willey, Beth Tinsman

2. TARGET: YOU!
"They're hacking us, the employees."
"LinkedIn: A reconnaissance map to . . . company hierarchies."
"Email: a way to inject a virus inside the organization network, bypassing the company firewall. Personal email at work: better yet."
"Your personal gadget: A new route into corporate systems."

3. A FEW TERMS (OMG, I'm in the wrong presentation!)
• Virus
• APT (advanced persistent threat)
• Malware
• Social Engineering
• Trojan
• Botnet
• 0-day

4. A FEW MORE TERMS (OMG, I'm in the wrong presentation!)
• Hack, Hacker, Hacked
• Black Hat, White Hat
• Penetration Testing (ethical hacking)
• PCI Scan (payment card industry): e-commerce

5. TARGET: YOU. Not if but when.
• Advanced persistent threat. How many here have had credit cards replaced?
• Attacks are fast and plentiful. Avoiding them all is nearly impossible.
• Financially beneficial. Hackers keep trying until successful.

6. TARGET: YOU. Hacking is easy.
• 80-90% of successful breaches of corporate networks required only the most basic techniques.
• Styx Pack (crimeware)

7. TARGET: YOU. It's not personal. It's business.
• Rustock botnet: 30 billion messages per day, 1 million infected computers
• Russia/Estonia: $9.4 million stolen from more than 2,100 ATMs across at least 280 cities around the world in less than 12 hours

8. TARGET: YOU. It's not personal. It's business.
• Banner ads looking to recruit malware engineers give a rate of between $2,000 and $5,000 a month.

  Minimum annual wages by country, 2012
  Country    Min. annual wage
  Estonia    $4,923
  Brazil     $4,172
  Russia     $1,794
  Moldova    $595

9. WHAT DAMAGE ARE THEY DOING?
• Stealing resources, not just data
• Lily-pad and spear phishing (Davenport Schools)
• Espionage: closed bids hacked by a competitor
• Identity theft
• Financial crime

10. WHAT DAMAGE ARE THEY DOING?
• National examples
  – UMB (insider threats)
  – Schnuck's
  – Marshall's
  – Sony
  – EMC
• Local examples
  – Stolen bank credentials via a trojan/keylogger
  – Proxy server
  – Spam botnet
  • Virus
  • Valid credentials
    – Payroll information

11. MORE ABOUT WHO. Profit without blame: write it and sell it
– Windows XP exploit typically sells for $50-150k
– Exploit kits: once underground, now public links

12. MORE ABOUT WHO. Gov't vs. Gov't
– US Chamber of Commerce (China)
– Stuxnet (Iran)

13. MORE ABOUT WHO. Criminal activity
– Poland, Russia, the "stans"
– Organized crime connections
– IT interest and limited job opportunities

14. WHY AREN'T OUR SYSTEMS SECURE? Time and People
– Takes time to implement, and technology changes quickly
– Mistakes happen
– Inconvenient to users
– Repetitive tasks get boring
– Resistant to change

15. WHY AREN'T OUR SYSTEMS SECURE?
• Political, not technical
  – Organizational effort is required
• Expensive
  – ROI: spend more than the competitor
  – Testing and implementing
  – Difficult to measure non-occurrence
• Distributed and diffused

16. WHO'S IN CHARGE? The role of the Information Technologist
– Responsible for coordination, evaluation, governance and integration
– Backups
– Support (talking the language)
– Part of the team that identifies data, not solely responsible

17. WHO'S IN CHARGE?
• Data is owned by the producing department!
• IT does not have complete authority
  – It has a supporting role in how data moves through the organization.

18. OBJECTIVES
• Security Life Cycle
  – Security Analysis
  – Impact Analysis
  – Asset Exposure
  – Risk Analysis
  – Risk Mitigation
  – Security Review

19. STRATEGY. Security Analysis
– What do you have that is desirable?
– Where is it located, and who has authority over it?
– What is at risk if that information falls outside the organization?
QUALITATIVE risk analysis and safeguarding. Classification and quantitative methods also apply.

20. TOP ACTIONS 1: Application Whitelisting
– Built into Windows 7 (Ultimate and Enterprise) as AppLocker
– Application-aware firewall
– Third-party applications
  • Bundled with your anti-virus
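An added example, not from the slides, of driving the built-in Windows 7 whitelisting (AppLocker) from an elevated PowerShell session. The scan directories, the Downloads path and the rule-name prefix are assumptions chosen for illustration; the policy is deliberately left in audit mode so that the false positives and once-a-year applications from the challenges slide show up in the event log before anything is blocked:

```powershell
# Added example (not from the slides): build, dry-run and audit an AppLocker whitelist.
# Assumes Windows 7 Ultimate/Enterprise or later with the AppLocker module, run elevated.
Import-Module AppLocker

# 1. Enumerate executables in the trusted install locations; this is the reference set
#    the allow rules are generated from. Directory list is an assumption, adjust to taste.
$trusted = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate rules: publisher rules where the binary is signed, hash rules otherwise.
#    Publisher rules survive patching; hash rules must be regenerated whenever an
#    unsigned binary changes, which is one source of post-patch "false positives".
$policy = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize

# 3. Start in audit mode: nothing is blocked yet, but would-be blocks are logged.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 4. Dry-run the policy against a file outside the trusted set (path is a placeholder).
Test-AppLockerPolicy -PolicyObject $policy -Path "$env:USERPROFILE\Downloads\installer.exe" -User Everyone

# 5. Apply locally (for a domain, use Set-AppLockerPolicy -Ldap against a GPO) and make
#    sure the Application Identity service that evaluates the rules is running.
Set-AppLockerPolicy -PolicyObject $policy
sc.exe config AppIDSvc start= auto
Start-Service AppIDSvc

# 6. Review audit events. Event 8003 = "allowed, but would have been blocked if enforced".
#    Only after this list is clean should EnforcementMode be switched to 'Enabled'.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Running in audit mode first is what turns the "webinars, once-a-year apps, false positives" challenges into a measurable list of exceptions to review, rather than a flood of help-desk calls on the day enforcement is switched on.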

21. TOP ACTIONS 2/3: Patch and Stay Up to Date (counts as two!)
– 75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching
– Systems
– Software

22. TOP ACTIONS 4: Restrict administrative privileges
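An added example, not from the slides, of checking that the "restrict administrative privileges" action is actually holding: it enumerates the local Administrators group on a list of workstations over ADSI (which works on Windows 7 as well as later releases) and reports every member that is not on an approved list. The computer names, the CONTOSO domain and the approved principals are assumptions for illustration:

```powershell
# Added example (not from the slides): find unapproved local administrators.
# Approved principals and target hosts below are placeholders, not real data.
$approvedAdmins = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins')
$computers      = @('WS-001', 'WS-002')

function Get-LocalAdmins {
    # Returns the members of the local Administrators group as DOMAIN\name or HOST\name.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/jdoe or WinNT://WS-001/Administrator
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$report = foreach ($c in $computers) {
    foreach ($m in Get-LocalAdmins -ComputerName $c) {
        # Local accounts come back as 'WS-001\Administrator'; strip the host so the
        # built-in Administrator matches the approved list regardless of machine.
        $name = if ($m -like "$c\*") { $m.Split('\')[1] } else { $m }
        [pscustomobject]@{
            Computer = $c
            Member   = $m
            Approved = $approvedAdmins -contains $name
        }
    }
}

# Outliers only: these are the accounts to remove or justify.
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

On Windows 10 / Server 2016 and later the same membership can be read with Get-LocalGroupMember -Group Administrators; ADSI is used here because the slides target Windows 7. Run this on a schedule and diff the output against the previous run, and the "outliers, baselines, audits" item on the governance slide becomes a concrete report rather than a slogan.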

23. TOP ACTIONS: CHALLENGES. Application Whitelisting
– Webinars
– Once-a-year or single-use apps
– New technology
– Slows systems
– False positives

24. TOP ACTIONS: CHALLENGES. Keeping Up To Date
– Systems
– Software
  • Maintenance windows
  • Applications may fail to run post-patch
  • Time
  • Expensive

25. TOP ACTIONS 4: CHALLENGES. Restrict administrative privileges
– Restricts customization
– No new applications
– Support

26. GOVERNANCE
• If you can't measure it, you can't manage it!
  – Statistics
  – Training
  – Outliers, logs, reports, baselines, audits
    • low and high
    • one-offs
• Policy
• 85% of breaches took months to be discovered; the average time is five months

27. ACTIONS IN-DEPTH
• Know your data, systems, and software
  – Inventory, risks, responsible parties
• Control admin access
• Training
• Log
  – Web
  – File access
  – System event logs
  – System process logs
• Filter
  – Web (in and out)
  – Email
  – Application control

28. ACTIONS IN-DEPTH
• Antivirus
• Two-factor authentication
• Automation and reports
• Intrusion prevention
• DLP
• Security assessment (at the end) to validate
  – aka "audit" (self, CPA, IT companies)
  – Password audits
  – Wireless audits
  – Social engineering

29. ACTIONS: RESOURCES
• SANS 20 Critical Security Controls
• Australian Government Department of Defence, Top 35 Mitigation Strategies
• NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations

30. ACTIONS: RESOURCES
• What to do if you've been hacked?
  – Call in the pros (your IT staff, us, etc.)
  – Keep a chain of custody
  – Find out if the breach is still open
  – Stop the bleeding
  – Find out what they stole
  – Figure out who you must tell

31. Questions?
