How I’ll Steal Your Data –And What You Can Do To Stop Me
Robert W. Beggs, [email protected] Toronto, 19 March 2013
Overview
We’ll be taking a tactical perspective
• Conclusions
• Cyberattack as a Disaster
• The Changing Threat Environment
• Anatomy of a “hack”
• Responding to the disaster
© 2012 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
Conclusions
• Increased stress from external, internal hackers
• Tools and techniques are easy to use
• Regulations, laws, law enforcement can’t keep up; you are required to police your network
• Your network will be compromised
• Financial, reputational impact = disaster
• Survival depends on agile approach – proactive, and reactive response
The Cyberattack as a Disaster
USB Data Loss - 2009
And in 2013 …
Analysis of the Victims (Canadian Data) 1
• 30 incidents, 2011 – 2012
• 80% due to external attacker
• 10% due to business partner or vendor
• 10% due to internal employee, student
• 40% were targeted attacks
Analysis of the Victims (Canadian Data) 2
• Resolution costs: up to $80K
– Not including notification costs (~$200 per client record)
– Not including fines, regulatory fees
– Not including brand, reputational damage
• In 11 cases, the perpetrator was identified
• No one prosecuted
Law Enforcement in Canada
• 61,000 police officers in Canada
• 245 specialize in cybercrime (0.4%)
• Overall, lack budget and training
• Still developing legal infrastructure to support criminal investigations (lawful intercept legislation)
• In short, an effective response is generally up to the victim
• Are you ready?
The Changing Threat Environment
Classical Threats (“Old School”)
• Data leakage and misconfigurations
• Script kiddies, vandals
• Social engineering
• Physical attacks
• Unpatched systems
• Accounts and passwords
Mafiaboy
• February 2000 – Several major commercial websites came under a Denial of Service attack
• Not sophisticated; script-kiddie stuff
• Damages reported to be $1.7 to $2 billion
• Start of cross-border media “frenzy”
Mafiaboy 2
• Investigation by RCMP, FBI, US Dept of Justice
• “Mafiaboy” was bragging about the DoS attacks on an IRC channel
• Did a search, found use of that handle at a Montreal ISP, Look Communications
• Seized records, used logs to identify the residence of Mafiaboy
• By use of wiretap, determined it was a 15-year-old male
• What was his punishment?
Mafiaboy 3
• Under Canadian laws in existence at that time, the max penalty was 2 years in jail
• Pleaded guilty to 55 counts of “mischief”
• 8 months in a youth detention centre
• 1 year probation
• Fined $160
• Fair enough?
Emerging Threats - Attackers
• Attacker profile changed; now financially motivated
• Organized crime
• Economic downturn = increased insider threat, competitors
• State-sponsored hacking
• Online activism
Emerging Threats – New Attacks
• New technologies (bittorrent, mobility, cloud, BYOD)
• Complex infrastructure, network attacks
• End-users targeted (phishing, malicious PDFs)
• New attacks (e.g. man-in-the-browser attacks)
• QR codes, abbreviated URLs
• Virtualization and the cloud
• Malware (APT) + social engineering
Phishing for End Users
The Social Engineering Twist
Emerging Threats - Malware
• Automated or targeted attacks
• “Malnets”
• Defy traditional anti-virus
• Anti-forensics
• Exploit kits
– Blackhole; 95% of infected web pages
– $1,000 - $5,000 annual license
– Better support than Microsoft
Blackhole Exploit Kit
How Real is the Threat?
In 40% of network penetration tests, malware is found resident in system memory – even if anti-virus is enabled
Anatomy of “The Hack”
“Classical” Hacking
BackTrack
The New Hack (Kill Chain)
Consider Work Effort in the Kill Chain
Passive Recon
• Want to know about the company
– Physical location
– Mergers, acquisitions
– Corporate culture (events, communications)
• Want to know the employees
– Aid social engineering attacks
– Password guessing / brute force attacks
Pen Testing Execution Standard, PTES
• OSINT – Open Source Intelligence
• Freely available online
• Cannot differentiate between attacker and legitimate requests
Data Leakage
Data Leakage (Control School from ‘Net)
Google Hacking
• Google indexes the Internet
• “Google dorks” searches Google, not the target
Shodan – Google for Hackers
Something Really Creepy …
• Creepy scans a user’s Twitter account
• Isolates geographical info; logs to Google maps
Twitter Nano
PushPin – 1 Location, Multiple Social Media
Your Data – What Is It, and Where?
• You can’t control the network
• Control the data
• What is your business critical data?
• Where is it?
– Stored, used, transmitted, backed up
– Data flow diagram
Your Data – What Is It, and Where?
• Conduct a sweep for “sensitive information”
– Employee HR and personal data
– Client, partner personal data
– Financial data (corporate, client)
– Regulated data (credit card numbers, SIN)
• Manual search
• Automated scan (Cornell Spider; http://www2.cit.cornell.edu/security/tools/)
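A minimal automated sweep of the kind this slide describes, added here as an example (it is not Cornell Spider and not Digital Defence code): it searches text or a directory tree for payment card numbers and Canadian SINs, confirms each candidate with the Luhn checksum that both formats use, and reports only masked values so the findings log does not become a second copy of the data. The regular expressions, the file extensions scanned and the sample string are assumptions constructed for the example.

```python
"""Hypothetical data-discovery sweep (not Cornell Spider or Digital Defence
code): find payment card numbers and Canadian SINs in text or files, confirm
each candidate with the Luhn checksum, and report only a masked form."""
import os
import re

# Candidates: 13-16 digit card numbers and 9-digit SINs, optional space/hyphen separators.
PATTERNS = {
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "sin": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, shared by payment cards and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the scan report is not itself a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str):
    """Return (kind, masked_value) for every Luhn-valid candidate in text."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):  # drops most random digit runs (invoice numbers etc.)
                hits.append((kind, mask(digits)))
    return hits

def scan_tree(root: str, exts=(".txt", ".csv", ".log")):
    """Walk a directory tree and map each file with findings to its hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    findings[path] = hits
    return findings

if __name__ == "__main__":
    sample = "sin 046-454-286 card 4111 1111 1111 1111 bad 123 456 789 id 4111111111111112"  # constructed
    print(scan_text(sample))
```

Point `scan_tree` at a file share or backup directory to get the per-file inventory the slide asks for; the constructed sample shows that two of the four digit runs are Luhn failures and are not reported.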
Your Data – What Is It, and Where?
• Asset control - If you lost device “x”, what data is on it?
• Information privacy
– You are legally obligated to ensure that partners treat data the way you do (PIPEDA)
• End-of-Use
– Control with contracts
– When no longer needed, destroyed
– Certificate of Data Destruction issued
Physical (In)security …
Physical Security Monitoring … Fails
Security Monitoring in RW Not Effective
Physical Security
Your Data ….
Physical Security – What Can I Do?
Physical Security Considerations
• Be consistent – especially with access controls
• Control physical data flow – paper, hard drives in printers, etc
• Physical and logical security must not be separated
• Walk the fence – how does an outsider see your data environment?
• Customers are conducting (in)formal audits of physical security
The Exploit
• Attacker has to identify only 1 key vulnerability
• Defender has to protect ALL possible vulnerabilities
• We’re not always looking for “r00t”
• There is no such thing as “unsophisticated”
• Target usually involves weakest link (humans)
SQL Injection + Poor Passwords
The Controls You HAVE To Have …
• Secure network design
• Secure remote access, mobile devices
• Strong passwords
• Vulnerability management
– Identify missing patches, upgrades
– Perform vulnerability scans
– Ensure patches, upgrades and fixes applied (especially 3rd party applications)
Responding to the Disaster
Failure of a Response Process
Proactive Management Measures
• Develop incident management strategic plan; integrate it into corporate business strategy
• Risk assessment – IM is a business risk
• Develop policy and SOPs
• Assign roles and responsibilities
• Support technical staff
• Augmentation with appropriate 3rd parties
• Collect metrics
Pro-Active Security Operations
• Network access controls
• Apply forensics to network management (memory analysis)
• Pro-active data forensics
• Network and employee monitoring
• Egress monitoring
• End-user education
• Logs, logs, logs!
Contact Me
DigitalDefence
• Focus: 24 x 7 Breach Protection
• Provide training: CISSP, ethical hacking, data forensics, custom courses