How I’ll Steal Your Data – And What You Can Do To Stop...

How I’ll Steal Your Data –And What You Can Do To Stop Me

Robert W. Beggs, [email protected] Toronto, 19 March 2013

Overview

We’ll be taking a tactical perspective

•Conclusions

•Cyberattack as a Disaster•The Changing Threat Environment

•Anatomy of a “hack•Responding to the disaster

© 2012 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.

Slide 2

Conclusions

• Increased stress from external, internal hackers

• Tools and techniques are easy to use• Regulations, laws, law enforcement can’t keep

up; you are required to police your network• Your network will be compromised• Financial, reputational impact = disaster

• Survival depends on agile approach – proactive, and reactive response


Slide 3

The Cyberattack as a Disaster


Slide 4

USB Data Loss - 2009


Slide 5

And in 2013 …


Slide 6

Analysis of the Victims (Canadian Data) 1

• 30 incidents, 2011 – 2012

• 80% due to external attacker

• 10% due to business partner or vendor

• 10% due to internal employee, student

• 40% were targeted attacks


Slide 7

Analysis of the Victims (Canadian Data) 2

• Resolution costs: up to $80K

– Not including notification costs (~$200 per client record)

– Not including fines, regulatory fees– Not including brand, reputational

damage

• In 11 cases, the perpetrator was identified

• No one prosecuted


Slide 8

Law Enforcement in Canada

• 61,000 police officers in Canada

• 245 specialize in cybercrime (0.4%)• Overall, lack budget and training

• Still developing legal infrastructure tosupport criminal investigations (lawful intercept legislation)

• In short, an effective response is generally up to the victim

• Are you ready?


Slide 9

The Changing Threat Environment


Slide 10


Slide 11

Classical Threats (“Old School”)

• Data leakage and misconfigurations

• Script kiddies, vandals

• Social engineering• Physical attacks• Unpatched systems

• Accounts and passwords


Slide 12

Mafiaboy

• February 2000 – Several major commercial website come under a Denial of Service attack

• Not sophisticated; script-kiddie stuff

• Damages reported to be $1.7 – 2 billion dollars

• Start of cross-border media “frenzy”


• Investigation by RCMP, FBI, US Dept of Justice• “Mafiaboy” was bragging about the DoS attacks

on an IRC channel• Did a search, found use of that handle at a

Montreal ISP, Look Communications• Seized records, used logs to identify the

residence of Mafiaboy• By use of wiretap, determined it was a 15-year

old male• What was his punishment?


Mafiaboy 2

Mafiaboy 3

• Under Canadian laws in existence at that time, the maxpenalty was 2 years in jail

• Pleaded guilty to 55 counts of“mischief”

• 8 months in a youth detention centre• 1 year probation

• Fined $160• Fair enough ?


Emerging Threats - Attackers

• Attacker profile changed;now financially motivated

• Organized crime

• Economic downturn = increased insider threat, competitors

• State-sponsored hacking

• Online activism


Slide 16

Emerging Threats – New Attacks

• New technologies (bittorrent, mobility, cloud, BYOD)

• Complex infrastructure, network attacks

• End-users targeted (phishing, malicious PDFs)• New attacks (e.g. man-in-the-browser attacks)• QR codes, abbreviated URLs

• Virtualization and the cloud• Malware (APT) + social

engineering


Slide 17

Phishing for End Users


Slide 18

The Social Engineering Twist


Slide 19

Emerging Threats - Malware

• Automated or targeted attacks• “Malnets”• Defy traditional anti-virus• Anti-forensics• Exploit kits

– Blackhole; 95% of infected web pages– $1,000 - $5,000 annual license– Better support than Microsoft


Slide 20

Blackhole Exploit Kit


Slide 21

How Real is the Threat?

In 40% of network penetration tests, malware is found resident

in system memory – even if anti-virus is enabled


Slide 22

Anatomy of “The Hack”


Slide 23

“Classical” Hacking


Slide 24

BackTrack


Slide 25

The New Hack (Kill Chain)


Slide 26

Consider Work Effort in the Kill Chain


Slide 27

Passive Recon

• Want to know about the company

– Physical location– Mergers, acquisitions

– Corporate culture (events, communications)

• Want to know the employees– Aid social engineering attacks

– Password guessing / brute force attacks


Slide 28

Pen Testing Execution Standard, PTES

• OSINT – Open Source Intelligence

• Freely available online

• Cannot differentiate between attacker and legitimate requests


Slide 29

Data Leakage


Slide 30

Data Leakage (Control School from ‘Net)


Slide 31

Google Hacking

• Google indexes the Internet

• “Google dorks” searches Google,not the target


Slide 32

Shodan – Google for Hackers


Slide 33

Something Really Creepy …

• Creepy scans a user’s Twitter account

• Isolates geographical info; logs to Google maps


Slide 34

Twitter Nano


Slide 35

PushPin – 1 Location, Multiple Social Media


Slide 36

Your Data – What Is It, and Where?

• You can’t control the network

• Control the data

• What is your business critical data?

• Where is it?

– Stored, used, transmitted, backed up– Data flow diagram


Slide 37

Your Date – What is It, and Where?

• Conduct a sweep for “sensitive information”

– Employee HR and personal data– Client, partner personal data

– Financial data (corporate, client)– Regulated data (credit card numbers, SIN)

• Manual search• Automated scan (Cornell Spider;

http://www2.cit.cornell.edu/security/tools/)


Slide 38

Your Data – What Is It, and Where?

• Asset control - If you lost device “x”, what data is on it?

• Information privacy

– You are legally obligated to ensure that partners treat data the way you do (PIPEDA)

• End-of-Use

– Control with contracts– When no longer need, destroyed

– Certificate of Data Destruction issued


Slide 39

Physical (In)security …


Slide 40

Physical Security Monitoring … Fails


Slide 41

Security Monitoring in RW Not Effective


Slide 42

Physical Security


Slide 43

Your Data ….


Slide 44

Physical Security – What Can I Do?


Slide 45

Physical Security Considerations

• Be consistent – especially with access controls

• Control physical data flow – paper, hard drives in printers, etc

• Physical and logical security must not be separated

• Walk the fence – how does an outsider see your data environment?

• Customers are conducting (in)formal audits of physical security


Slide 46

The Exploit

• Attacker has to identify only 1 key vulnerability

• Defender has to protect ALL possible vulnerabilities

• We’re not always looking for “r00t

• There is no such thing as “unsophisticated”

• Target usually involves weakest link (humans)


Slide 47

SQL Injection + Poor Passwords


Slide 48

The Controls You HAVE To Have …

• Secure network design

• Secure remote access, mobile devices• Strong passwords

• Vulnerability management– Identify missing patches, upgrades

– Perform vulnerability scans– Ensure patches, upgrades and fixes applied

(especially 3rd party applications)


Slide 49

Responding to the Disaster


Slide 50

Failure of a Response Process


Slide 51

Proactive Management Measures

• Develop incident management strategic plan; integrate it into corporate business strategy

• Risk assessment – IM is a business risk

• Develop policy and SOPs • Assign roles and responsibilities• Support technical staff

• Augmentation with appropriate 3rd parties• Collect metrics

Pro-Active Security Operations

• Network access controls

• Apply forensics to network management (memory analysis)

• Pro-active data forensics• Network and employee monitoring• Egress monitoring

• End-user education• Logs, logs, logs!

Contact Me


Slide 54

DigitalDefence

• Focus: 24 x 7 Breach Protection

• Provide training: CISSP, ethical hacking, data forensics, custom courses


Slide 55

How I’ll Steal Your Data – And What You Can Do To Stop...

Documents

Transcript of How I’ll Steal Your Data – And What You Can Do To Stop...