How I’ll Steal Your Data – And What You Can Do To Stop...

How I’ll Steal Your Data –And What You Can Do To Stop Me

Robert W. Beggs, CISSProbert.beggs@digitaldefence.caDRIE Toronto, 19 March 2013

Overview

We’ll be taking a tactical perspective

•Conclusions

•Cyberattack as a Disaster•The Changing Threat Environment

•Anatomy of a “hack•Responding to the disaster

Conclusions

• Increased stress from external, internal hackers

• Tools and techniques are easy to use• Regulations, laws, law enforcement can’t keep

up; you are required to police your network• Your network will be compromised• Financial, reputational impact = disaster

• Survival depends on agile approach – proactive, and reactive response

The Cyberattack as a Disaster

USB Data Loss - 2009

And in 2013 …

Analysis of the Victims (Canadian Data) 1

• 30 incidents, 2011 – 2012

• 80% due to external attacker

• 10% due to business partner or vendor

• 10% due to internal employee, student

• 40% were targeted attacks

Analysis of the Victims (Canadian Data) 2

• Resolution costs: up to $80K

– Not including notification costs (~$200 per client record)

– Not including fines, regulatory fees– Not including brand, reputational

damage

• In 11 cases, the perpetrator was identified

• No one prosecuted

Law Enforcement in Canada

• 61,000 police officers in Canada

• 245 specialize in cybercrime (0.4%)• Overall, lack budget and training

• Still developing legal infrastructure tosupport criminal investigations (lawful intercept legislation)

• In short, an effective response is generally up to the victim

• Are you ready?

The Changing Threat Environment

Classical Threats (“Old School”)

• Data leakage and misconfigurations

• Script kiddies, vandals

• Social engineering• Physical attacks• Unpatched systems

• Accounts and passwords

Mafiaboy

• February 2000 – Several major commercial website come under a Denial of Service attack

• Not sophisticated; script-kiddie stuff

• Damages reported to be $1.7 – 2 billion dollars

• Start of cross-border media “frenzy”

• Investigation by RCMP, FBI, US Dept of Justice• “Mafiaboy” was bragging about the DoS attacks

on an IRC channel• Did a search, found use of that handle at a

Montreal ISP, Look Communications• Seized records, used logs to identify the

residence of Mafiaboy• By use of wiretap, determined it was a 15-year

old male• What was his punishment?

Mafiaboy 2

Mafiaboy 3

• Under Canadian laws in existence at that time, the maxpenalty was 2 years in jail

• Pleaded guilty to 55 counts of“mischief”

• 8 months in a youth detention centre• 1 year probation

• Fined $160• Fair enough ?

Emerging Threats - Attackers

• Attacker profile changed;now financially motivated

• Organized crime

• Economic downturn = increased insider threat, competitors

• State-sponsored hacking

• Online activism

Emerging Threats – New Attacks

• New technologies (bittorrent, mobility, cloud, BYOD)

• Complex infrastructure, network attacks

• End-users targeted (phishing, malicious PDFs)• New attacks (e.g. man-in-the-browser attacks)• QR codes, abbreviated URLs

• Virtualization and the cloud• Malware (APT) + social

engineering

Phishing for End Users

The Social Engineering Twist

Emerging Threats - Malware

• Automated or targeted attacks• “Malnets”• Defy traditional anti-virus• Anti-forensics• Exploit kits

– Blackhole; 95% of infected web pages– $1,000 - $5,000 annual license– Better support than Microsoft

Blackhole Exploit Kit

How Real is the Threat?

In 40% of network penetration tests, malware is found resident

in system memory – even if anti-virus is enabled

Anatomy of “The Hack”

“Classical” Hacking

BackTrack

The New Hack (Kill Chain)

Consider Work Effort in the Kill Chain

Passive Recon

• Want to know about the company

– Physical location– Mergers, acquisitions

– Corporate culture (events, communications)

• Want to know the employees– Aid social engineering attacks

– Password guessing / brute force attacks

Pen Testing Execution Standard, PTES

• OSINT – Open Source Intelligence

• Freely available online

• Cannot differentiate between attacker and legitimate requests

Data Leakage

Data Leakage (Control School from ‘Net)

Google Hacking

• Google indexes the Internet

• “Google dorks” searches Google,not the target

Shodan – Google for Hackers

Something Really Creepy …

• Creepy scans a user’s Twitter account

• Isolates geographical info; logs to Google maps

Twitter Nano

PushPin – 1 Location, Multiple Social Media

Your Data – What Is It, and Where?

• You can’t control the network

• Control the data

• What is your business critical data?

• Where is it?

– Stored, used, transmitted, backed up– Data flow diagram

Your Date – What is It, and Where?

• Conduct a sweep for “sensitive information”

– Employee HR and personal data– Client, partner personal data

– Financial data (corporate, client)– Regulated data (credit card numbers, SIN)

• Manual search• Automated scan (Cornell Spider;

http://www2.cit.cornell.edu/security/tools/)

Your Data – What Is It, and Where?

• Asset control - If you lost device “x”, what data is on it?

• Information privacy

– You are legally obligated to ensure that partners treat data the way you do (PIPEDA)

• End-of-Use

– Control with contracts– When no longer need, destroyed

– Certificate of Data Destruction issued

Physical (In)security …

Physical Security Monitoring … Fails

Security Monitoring in RW Not Effective

Physical Security

Your Data ….

Physical Security – What Can I Do?

Physical Security Considerations

• Be consistent – especially with access controls

• Control physical data flow – paper, hard drives in printers, etc

• Physical and logical security must not be separated

• Walk the fence – how does an outsider see your data environment?

• Customers are conducting (in)formal audits of physical security

The Exploit

• Attacker has to identify only 1 key vulnerability

• Defender has to protect ALL possible vulnerabilities

• We’re not always looking for “r00t

• There is no such thing as “unsophisticated”

• Target usually involves weakest link (humans)

SQL Injection + Poor Passwords

The Controls You HAVE To Have …

• Secure network design

• Secure remote access, mobile devices• Strong passwords

• Vulnerability management– Identify missing patches, upgrades

– Perform vulnerability scans– Ensure patches, upgrades and fixes applied

(especially 3rd party applications)

Responding to the Disaster

Failure of a Response Process

Proactive Management Measures

• Develop incident management strategic plan; integrate it into corporate business strategy

• Risk assessment – IM is a business risk

• Develop policy and SOPs • Assign roles and responsibilities• Support technical staff

• Augmentation with appropriate 3rd parties• Collect metrics

Pro-Active Security Operations

• Network access controls

• Apply forensics to network management (memory analysis)

• Pro-active data forensics• Network and employee monitoring• Egress monitoring

• End-user education• Logs, logs, logs!

Contact Me

DigitalDefence

• Focus: 24 x 7 Breach Protection

• Provide training: CISSP, ethical hacking, data forensics, custom courses

How I’ll Steal Your Data – And What You Can Do To Stop...

Documents

Transcript of How I’ll Steal Your Data – And What You Can Do To Stop...

Planar Waveguide Illuminator with Variable Directionality ...psilab.ucsd.edu/publications/(presentation_2013)_Mellette_UCSD... · Planar Waveguide Illuminator with Variable Directionality

UKTI SUBSEA EXPO 2014 PRESENTATION_2013

Soprano - Rawsonmusic.rawson.me.uk/catalogue/choral/freescores/fivespirituals.pdf · Soprano Steal a- way, Steal a- way, Steal a- way to Je - sus, Alto Steal

Thesis PP Presentation_2013

STEAL THIS PRESENTATION

I’ll have soup. NOUNaaronfurgiueletesol.weebly.com/.../4/7/7/...slides.pdf · I’ll have soup. I’ll have the chicken noodle soup. I’ll also have some vanilla ice cream. I’ll

STEAL Characters

Just for Today I’ll let go off anger, I’ll let go off worry, I’ll count my blessings, I’ll do my work honestly & I’ll be kind to every living creature.

To Steal or Not to Steal: The Art of Managing Controlled … · 2018-04-03 · To Steal or Not to Steal: The Art of Managing Controlled Substances Diversion Nancy Elrod, PharmD, BCPS

Wendy Max · steal steal me you me you steal steal steal steal the the time , num num ber ber ven_ ven_ me, me, ven_ ven_ ven_ ven_ (fine) (fine) that that D.C. Now Now al fine ver

Steal What Works

BruWind presentation_2013

Subclavian steal syndrome

STEAL THAT PROPERTY

Steal My Top-Performing Autoresponder Email Scriptsthecopycloset.com/wp-content/uploads/2016/04/Steal-My-Scripts.pdf · Steal My Top-Performing Autoresponder Email Scripts ... and

Subclavian Steal

Steal the Oil

The Big Steal

Mni for web listing presentation_2013

Top scratch ignite-presentation_2013