TARGET: YOU! “They’re hacking us, the employees.” - PowerPoint PPT Presentation



SLIDE 1

YOU: THE TARGET

Kurt Willey, Beth Tinsman

SLIDE 2

TARGET: YOU!

“They’re hacking us, the employees.”
“LinkedIn: A reconnaissance map to . . . company hierarchies.”
“Email: a way to inject a virus inside the organization network, bypassing the company firewall. Personal email at work: better yet.”
“Your personal gadget: A new route into corporate systems.”

SLIDE 3

A FEW TERMS

OMG I’M IN THE WRONG PRESENTATION!

  • Virus
  • APT (advanced persistent threat)
  • Malware
  • Social Engineering
  • Trojan
  • Botnet
  • 0 day

SLIDE 4

A FEW MORE TERMS

OMG I’M IN THE WRONG PRESENTATION!

  • Hack, Hacker, Hacked
  • Black Hat, White Hat
  • Penetration Testing (ethical hacking)
  • PCI Scan (payment card industry): ecommerce

SLIDE 5

TARGET: YOU

Not if but when.

  • Advanced persistent threat. How many here have had credit cards replaced?
  • Attacks are fast and plenty. Avoiding them all is nearly impossible.
  • Financially beneficial. Hackers keep trying until successful.

SLIDE 6

TARGET: YOU

Hacking is easy.

  • 80–90% of successful breaches of corporate networks required only the most basic techniques.
  • Styx Pack (Crimeware)

SLIDE 7

TARGET: YOU

It’s not personal. It’s business.

  • Rustock botnet: 30 billion messages per day, 1 million infected computers
  • Russia/Estonia - $9.4 million stolen from more than 2,100 ATMs across at least 280 cities around the world in less than 12 hours

SLIDE 8

TARGET: YOU

It’s not personal. It’s business.

  • Banner ads looking to recruit malware engineers give a rate of between $2,000 and $5,000 a month.

COUNTRY    MIN. ANNUAL WAGES, 2012
Estonia    $4,923
Brazil     $4,172
Russia     $1,794
Moldova    $595

SLIDE 9

WHAT DAMAGE ARE THEY DOING?

  • Stealing resources, not just data
  • Lily-pad and Spear Phishing
    – Davenport Schools
  • Espionage
    – Closed bids hacked by competitor
  • Identity Theft
  • Financial Crime

SLIDE 10

WHAT DAMAGE ARE THEY DOING?

  • National examples
    – Schnuck’s
    – Marshall’s
    – Sony
    – EMC
  • Local examples
    – UMB (insider threats)
    – Stolen bank credentials via a trojan/keylogger
    – Proxy server
    – Spam botnet
  • Virus
  • Valid credentials
    – Payroll information

SLIDE 11

SLIDE 12

MORE ABOUT WHO

Profit without blame: write it and sell it

    – Windows XP exploit typically sells for $50-$150k
    – Exploit kits: once underground, now public links

SLIDE 13

MORE ABOUT WHO

Gov’t. vs. Gov’t.

    – US Chamber of Commerce (China)
    – Stuxnet (Iran)

SLIDE 14

MORE ABOUT WHO

Criminal Activity

    – Poland, Russia, the “stans”
    – Organized crime connections
    – IT interest and limited job opportunities

SLIDE 15

WHY AREN’T OUR SYSTEMS SECURE?

Time and People

    – Takes time to implement, and technology changes quickly
    – Mistakes happen
    – Inconvenient to users
    – Repetitive tasks get boring
    – Resistant to change

SLIDE 16

WHY AREN’T OUR SYSTEMS SECURE?

  • Political not technical
    – Organizational effort is required
  • Expensive
    – ROI - spend more than the competitor
    – Testing and implementing
    – Difficult to measure non-occurrence
  • Distributed and Diffused

SLIDE 17

WHO’S IN CHARGE?

The role of Information Technologist

    – Responsible for coordination, evaluation, governance and integration
    – Backups
    – Support (talking the language)
    – Part of the team to identify data, not solely responsible

SLIDE 18

WHO’S IN CHARGE?

  • Data is owned by the producing department!
  • IT does not have complete authority
    – They have a supporting role in how data moves through the organization.

SLIDE 19

OBJECTIVES

  • Security Life Cycle
    – Security Analysis
    – Impact Analysis
    – Asset Exposure
    – Risk Analysis
    – Risk Mitigation
    – Security Review

SLIDE 20

STRATEGY

Security Analysis

    – What do you have that is desirable?
    – Where is it located and who has authority?
    – What is at risk if that information falls outside the organization?

QUALITATIVE Risk Analysis and Safeguarding. Also, classification and quantitative methods.

SLIDE 21

TOP ACTIONS

1 Application Whitelisting

    – Built into Windows 7 (Ultimate and Enterprise)
    – Application-aware firewall
    – Third-party applications
  • Bundle with your Anti-Virus

SLIDE 22

TOP ACTIONS

2/3 Patch and Stay Up to Date (counts as two!)

    – 75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching
    – Systems
    – Software

SLIDE 23

TOP ACTIONS

4 Restrict administrative privileges

SLIDE 24

TOP ACTIONS: CHALLENGES

Application Whitelisting

    – Webinars
    – Once/year or single use apps
    – New technology
    – Slows systems
    – False positives
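The allowlisting option on slide 21 and the false-positive and single-use-app challenges on slide 24 both come down to what a rule matches on. The Python below is an added example, not code from the presentation or from any product it names; the executables, the publisher name, the file bytes (and so the hashes) and the PROTECTED_ROOTS list are constructed for illustration. It evaluates a deny-by-default policy with hash, publisher and path rules and shows why a hash rule breaks the moment an application is patched while a publisher rule survives the patch, and why a path rule is only trustworthy inside directories that ordinary users cannot write to.

```python
"""Deny-by-default application allowlist evaluator (added example; data is constructed)."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    path: str
    publisher: Optional[str]  # subject of the code-signing certificate; None if unsigned
    content: bytes            # file bytes; constructed sample data in this example

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Hypothetical roots that standard users cannot write to. A path rule is only trusted
# inside these: a rule pointing at a user-writable folder lets anyone drop a binary
# there and have it allowed, which defeats the purpose of the allowlist.
PROTECTED_ROOTS = ("C:\\Program Files\\", "C:\\Windows\\")

Rule = Tuple[str, str]  # (kind, value) with kind in {"hash", "publisher", "path"}


def rule_matches(rule: Rule, exe: Executable) -> bool:
    kind, value = rule
    if kind == "hash":
        return exe.sha256() == value
    if kind == "publisher":
        return exe.publisher is not None and exe.publisher == value
    if kind == "path":
        # the rule's own prefix must sit under a protected root, not just the file path
        return value.startswith(PROTECTED_ROOTS) and exe.path.startswith(value)
    raise ValueError(f"unknown rule kind {kind!r}")


def evaluate(exe: Executable, rules: List[Rule]) -> Tuple[bool, str]:
    """Return (allowed, reason). An executable matching no rule is blocked."""
    for rule in rules:
        if rule_matches(rule, exe):
            return True, f"allowed by {rule[0]} rule"
    return False, "blocked: no matching rule (deny by default)"


def demo() -> dict:
    """Constructed scenario: the same app before and after a patch, plus an unsigned
    copy dropped in a user profile. Returns the allow/deny decision for each case."""
    signer = "Acme Software Inc."  # hypothetical publisher
    v1 = Executable("C:\\Program Files\\Acme\\acme.exe", signer, b"acme release 1.0")
    v2 = Executable("C:\\Program Files\\Acme\\acme.exe", signer, b"acme release 1.1")  # patched
    dropped = Executable("C:\\Users\\bob\\Downloads\\acme.exe", None, b"unsigned copy")

    hash_policy = [("hash", v1.sha256())]       # pinned to the 1.0 bytes
    publisher_policy = [("publisher", signer)]  # follows the vendor's signature
    writable_path_policy = [("path", "C:\\Users\\bob\\Downloads\\")]
    protected_path_policy = [("path", "C:\\Program Files\\Acme\\")]

    return {
        "hash_allows_v1": evaluate(v1, hash_policy)[0],
        "hash_allows_v2": evaluate(v2, hash_policy)[0],  # the patch changed the hash
        "publisher_allows_v2": evaluate(v2, publisher_policy)[0],
        "publisher_allows_unsigned": evaluate(dropped, publisher_policy)[0],
        "writable_path_rule_allows": evaluate(dropped, writable_path_policy)[0],
        "protected_path_rule_allows": evaluate(v2, protected_path_policy)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'BLOCK'}")
```

The hash-pinned policy is the one that produces the "false positives" and "fails to run post-patch" tickets from slides 24 and 25: every vendor update silently changes the digest. Publisher rules absorb routine patching, at the cost of trusting everything that vendor signs, so the once-a-year and single-use applications on slide 24 are usually the ones that end up with a hash rule and a maintenance note.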

SLIDE 25

TOP ACTIONS: CHALLENGES

Keeping Up To Date

    – Systems
    – Software
  • Maintenance windows
  • Applications may fail to run post-patch
  • Time
  • Expensive

SLIDE 26

TOP 4 ACTIONS: CHALLENGES

Restrict administrative privileges

    – Restricts customization
    – No new applications
    – Support

SLIDE 27

GOVERNANCE

  • If you can’t measure it you can’t manage it!
    – Statistics
    – Training
    – Outliers, Logs, Reports, Baselines, Audits
  • low and high
  • one-offs
  • Policy
  • 85% of breaches took months to be discovered
    – the average time is five months

SLIDE 28

ACTIONS IN-DEPTH

  • Know your data, systems, and software
    – Inventory, risks, responsible parties
  • Control admin access
  • Log
    – Web
    – File access
    – System event logs
    – System process logs
  • Filter
    – Web (in and out)
    – Email
    – Application control
  • Training

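Slide 27 asks for baselines and outliers (low and high, one-offs) as the measurable side of governance, and slide 28 lists system event logs as a source to feed them. The Python below is an added example, not part of the presentation; the logon records, account names, host names, dates and the thresholds are all constructed. It builds a per-account baseline of failed logons over a five-day history window and flags three kinds of deviation on a review day: a high outlier (a failure count far above that account's own baseline), a low outlier (an account active every baseline day that goes silent) and a one-off (an account appearing from a source host never seen during the baseline).

```python
"""Baseline-and-outlier review of logon events (added example; all data constructed)."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format for this example: one logon event per line.
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} LOGON user=(\S+) src=(\S+) result=(success|failure)$"
)

HISTORY_DAYS = [f"2013-04-0{d}" for d in range(1, 6)]  # five baseline days
REVIEW_DAY = "2013-04-06"                               # the day under review


def _line(day, user, src, result, time="08:00:00"):
    return f"{day} {time} LOGON user={user} src={src} result={result}"


# Constructed sample: four accounts with a quiet, regular baseline.
SAMPLE_LOG = []
for _day in HISTORY_DAYS:
    for _user, _src in (("alice", "WS-01"), ("bob", "WS-02"),
                        ("svc_backup", "SRV-01"), ("carol", "WS-03")):
        SAMPLE_LOG.append(_line(_day, _user, _src, "success"))
    SAMPLE_LOG.append(_line(_day, "alice", "WS-01", "failure"))  # alice mistypes once a day
SAMPLE_LOG.append(_line("2013-04-02", "carol", "WS-03", "failure"))
# Review day: alice is normal, bob appears from a new host, svc_backup is silent,
# and carol's account takes 25 failed logons in the early morning.
SAMPLE_LOG += [
    _line(REVIEW_DAY, "alice", "WS-01", "failure"),
    _line(REVIEW_DAY, "alice", "WS-01", "success"),
    _line(REVIEW_DAY, "bob", "WS-77", "success"),
]
SAMPLE_LOG += [_line(REVIEW_DAY, "carol", "WS-03", "failure", f"03:{i:02d}:00") for i in range(25)]


def parse(lines):
    """Yield (day, user, src, result) for lines that match; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groups()


def analyze(lines, history_days, review_day, min_high=5, sigmas=3.0):
    failures = defaultdict(Counter)  # user -> Counter(day -> failed logons)
    active = defaultdict(set)        # user -> days with any logon event
    hist_sources = defaultdict(set)  # user -> source hosts seen in the baseline
    review_sources = defaultdict(set)
    for day, user, src, result in parse(lines):
        if day not in history_days and day != review_day:
            continue
        active[user].add(day)
        (hist_sources if day in history_days else review_sources)[user].add(src)
        if result == "failure":
            failures[user][day] += 1

    findings = {"high": [], "low": [], "one_off": []}
    for user in sorted(active):
        baseline = [failures[user][d] for d in history_days]  # zeros for quiet days
        mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
        today = failures[user][review_day]
        # high outlier: well above the account's own baseline, with a floor so that
        # one failure against a baseline of zero does not page anyone
        if today >= min_high and today > mean + sigmas * sd:
            findings["high"].append((user, today, round(mean, 2)))
        # low outlier: active every baseline day, nothing on the review day
        if all(d in active[user] for d in history_days) and review_day not in active[user]:
            findings["low"].append(user)
        # one-off: a source host this account never used during the baseline
        for src in sorted(review_sources[user] - hist_sources[user]):
            findings["one_off"].append((user, src))
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG, HISTORY_DAYS, REVIEW_DAY).items():
        print(kind, items)
```

The point of the per-account baseline is that a fixed threshold would miss both ends: alice's one failure a day is normal for her, while a silent backup account is abnormal precisely because it never missed a day before. Each finding is a lead for the reports and audits on slide 27, not a verdict, and the five-month average discovery time on the same slide is what a daily review like this is meant to shorten.
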
SLIDE 29

ACTIONS IN-DEPTH

  • Antivirus
  • Two factor authentication
  • Automation and Reports
  • Intrusion Prevention
  • DLP
  • Security Assessment (at the end) to validate
    – aka “audit” (self, CPA, IT companies)
    – Password audits
    – Wireless audits
    – Social Engineering

SLIDE 30

ACTIONS RESOURCES

  • SANS 20 Critical Security Controls
  • Australian Government Department of Defense Top 35 Mitigation Strategies
  • NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations

SLIDE 31

ACTIONS RESOURCES

  • What to do if you’ve been hacked?
    – Call in the pros (your IT staff, us, etc.)
    – Keep a chain of custody
    – Find out if the breach is still open
    – Stop the bleeding
    – Find out what they stole
    – Figure out who you must tell

SLIDE 32

Questions?