Security for Everyone Security Awareness Training in 2018
TELASA | SECURITY
About Me
Brian Greidanus [email protected]
• 18+ years of security and compliance experience delivering consulting and managed services to enterprises, governments and universities.
• Currently:
• Strategic and technical consulting
• Program measurement and metrics development
• Awareness training
Introduction
Goals of Security Awareness Training
• Provide users with the knowledge to identify and respond appropriately to attacks they may encounter
• Test users’ ability to identify and respond appropriately to those attacks
• Ensure that training is relevant and engaging
Presentation Overview
• Overview of current threat environment
• Key modern awareness concepts
• Technical review of key topics
• Guidance for personal assets
• One size does not fit all
• Testing and staying current
Overview of Current Threat Environment
Legacy Attacker Profile
Historically, attackers were:
• Curious researchers – looking to prove they could do it, looking for attention.
• Individual criminals, or small groups, looking to steal passwords, credit cards, for fraud and financial gain.
Modern Attacker Profile
Modern attackers are now:
• Nation-states – with military and intelligence groups dedicated to obtaining intellectual property, economic, intelligence advantages.
• Large criminal organizations, with major investments in highly capable personnel, infrastructure, exploit development, application development. Primary motivation is financial.
These two groups are collectively known as Advanced Persistent Threat (APT).
Most organizations have limited resources to protect themselves. APT have unlimited time, resources, and funding to find weaknesses.
Defender’s Challenge
The attacker only has to be right once; the defender has to be right every time.
Source: many, including the IRA and https://www.forbes.com/sites/davelewis/2014/11/30/in-defense-of-the-enterprise-against-criminal-hackers/#598483cc4a38
Threats that Require User Awareness
• Social Engineering – attacking the user
• Malware – malicious programs delivered via phishing, web, malvertising
• Public Breaches – third-party breach that impacts user credentials
• Malicious Networks – connection to unsafe or compromised environments
The next section, “Key Modern Awareness Concepts”, will discuss these topics, with a major focus on social engineering.
A Common Element to Breaches
90% of data breaches seen by Verizon's data breach investigation team have a phishing or social engineering component to them.
Source: https://www.bankinfosecurity.com/interviews/most-breaches-trace-to-phishing-social-engineering-attacks-i-3516
Source: https://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704
Phishing-site trend data from Google
Source: https://transparencyreport.google.com/safe-browsing/overview
Key Modern Awareness Concepts
• Phishing and Spear Phishing
• SMS Phishing Attacks
• Phishing using technical errors
• Microsoft Office Malware
• Social media-based attacks
• Alternate character set attacks
• E-mail thread piggybacking attacks
• Public Breaches
• Untrusted networks
Phishing and Spear Phishing
Spear Phishing
Source: https://baymcp.com/dyre-malware-has-stolen-over-1-billion-is-your-companys-sensitive-data-at-risk/
Spear Phishing – The DNC Example
Callouts on the screenshot of the message:
• Appears to be from a trusted sender
• Warning about a security problem
• Sense of urgency
• Hyperlink to fix
• Corporate mumbo jumbo
• URL shortener
• Spoofed e-mail address
Berkeley Faculty Spear Phishing Example
Date: Sat, 2 Jan 2016 09:58:07 GMT
Message-Id: <[email protected]>
To: <recipient's name removed>@ce.berkeley.edu
Subject: Re:
X-PHP-Originating-Script: 1336:NPS.php
From: "[email protected]" <[email protected]>
X-Mailer: PHP/5.5.29
Dear Dr. <recipient's name removed>;
I recently read your last article and it was very useful in my field of research. I wonder, if possible, to send me these articles to use in my current research:
1- http://auth.berkeley.eduh.in/<link removed>
2- http://www.sciencedirect.com/science/article/pii/S1644966515000825
Thanks for you Cooperation in Advance.
John Doe
Department of Civil and Environmental Engineering University of Alberta
Phone: (XXX) XXX-XXXX
--21878cacb2d3a784678d12d61f1136d7--
Callouts: bad source address; bad URL to auth server.
Source: https://security.berkeley.edu/resources/phishing/phishing-examples-archive
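As an added example that is not part of the Berkeley archive or these slides, the Python below parses a constructed message with the same header shape as the faculty phish (placeholder addresses; the X-PHP-Originating-Script value is the one shown above) and reports the “bad source address” pattern: a display name written to look like an e-mail address that differs from the real sender.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the faculty phish above. The addresses
# are placeholders (the archive redacts the real ones); the headers that
# matter for triage have the same shape.
RAW_MESSAGE = """\
Date: Sat, 2 Jan 2016 09:58:07 GMT
From: "researcher@univ-alberta.example" <nps-mailer@cheap-webhost.example>
To: victim@ce.berkeley.example
Subject: Re:
X-PHP-Originating-Script: 1336:NPS.php
X-Mailer: PHP/5.5.29

Dear Dr. Victim; I recently read your last article ...
"""


def sender_findings(msg):
    """Return warning strings derived from the sender-related headers."""
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    # "Bad source address": the display name is made to look like an
    # e-mail address, but the real sender (the addr-spec) is elsewhere.
    if "@" in display_name and display_name.lower() != address.lower():
        findings.append(
            f"display name {display_name!r} does not match sender {address!r}")
    # Personal correspondence is rarely produced by a PHP script on a
    # web host; this header says the message was.
    script = msg.get("X-PHP-Originating-Script")
    if script:
        findings.append(f"generated by PHP script {script!r}")
    return findings


def triage(raw_message):
    """Parse a raw RFC 822 message and return its sender findings."""
    return sender_findings(email.message_from_string(raw_message))


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("WARNING:", finding)
```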
Berkeley Student Spear Phishing Example
From: <NAME REMOVED> Date: Sat, Apr 1, 2017 at 2:09 PM
Subject: Library Account
To: [email protected]
Dear Student, Your access to your library account is expiring soon due to inactivity. To continue to have access to the library services, you must reactivate your account. For this purpose, click the web address below or copy and paste it into your web browser.
A successful login will activate your account and you will be redirected to your library profile.
https://auth.berkeley.edu/cas/login?service=https%3a%2f%
If you are not able to login, please contact <Name Removed> at [email protected] for immediate assistance.
Sincerely, <Name Removed>
University Library University of California Berkeley
Callout: bad hyperlink.
Source: https://security.berkeley.edu/resources/phishing/phishing-examples-archive
Cross-platform Spear Phishing
Phishing scam using SMS and Gmail:
• Attacker knows the user’s e-mail and phone number.
• Sends a text to the phone asking if the user has requested a password reset.
• At the same time, requests a password reset of the e-mail account; the reset code is sent to the phone.
• Tells the user that in order to stop the illegitimate password reset they must text back the reset code.
• If the user texts the reset code, the attacker can access the account.
Phishing – Reminder that attacks often emulate services you use
Source: https://www.malware-traffic-analysis.net/2018/04/23/index.html
SMS Phishing
Phishing via SMS
SMS Phishing – many, many, many varieties!
SMS phish redirects to a fake vendor site to steal credentials
Source: https://blog.eset.ie/2016/04/25/sms-phishing-attackers-continue-to-pursue-apple-users/
Attempt to Extract Additional Information
Source: https://blog.eset.ie/2016/04/25/sms-phishing-attackers-continue-to-pursue-apple-users/
Phishing using Technical Errors
SMTP Error Phishing Message
Source: @swiftonsecurity
Microsoft Office Malware
Preface
• Never open attachments you aren’t completely certain are safe
• If you simply can’t resist, open the attachment on your iPhone, or save it to Google cloud and open it there
• Malicious attachments can come in any form – PDF, ZIP, HTML, DOC, XLS, PPT
• This section focuses on tricks associated with Microsoft Office macros
Microsoft Office Macros
• Office macros are small programs embedded inside Microsoft Office programs (primarily Word and Excel) to automate repetitive tasks
• Early macros would automatically execute, which caused major problems – the functionality must now be explicitly enabled
• There has been a resurgence in macros in the last few years, primarily as downloaders for malware
• The key now for attackers is to trick users into enabling the macros
Microsoft Office Macro Examples
We will look at several Office macro examples. All malicious Office macros have the same initial goal – to get users to click the ‘Enable Content’ button to execute the macro.
• Malicious Office Macro – Wrong Version of Word: “wrong version of Word – need to click”
• Malicious Office Macro – Something Went Wrong: “something went wrong – need to click”
• Malicious Office Macro – This Document is Protected!: “document is protected – need to click”
• Malicious Office Macro – Document Secured by McAfee: “document is secured by McAfee – need to click”
• Malicious Office Macro – Document Protected by Norton DLP: “document protected by Norton DLP”
Social Media Based Attacks
Malvertising on Twitter
Cool – anyone can get the verified check on Twitter.
This certainly looks official.
Wait – they need my credit card?
Phishing Malware on Twitter
And why isn’t this a Twitter domain?
Source: https://www.knowbe4.com/phishing
Phishing messages in LinkedIn
Standard phish, but via LinkedIn private message
Alternate Character Set Attacks
Homograph attacks use characters from other character sets that look like the standard Latin character set in order to redirect unsuspecting users to attacker-controlled sites.
Unicode
There are over 136,000 Unicode characters to represent letters and symbols in 139 scripts.
“a” in Latin is Unicode value “0061”, and in Cyrillic is “0430”.
Source: https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/
Attackers can create URLs that appear identical or virtually identical to the human eye, but have very different meanings to computers.
Can you spot the difference? How about now?
Before Chrome 58: native (Unicode) representation. After Chrome 58: punycode representation.
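Added example, not from the slides: the Python below takes a constructed look-alike hostname whose first letter is the Cyrillic “a” (U+0430, as on the Unicode slide), shows the punycode form that Chrome 58 and later display, and flags labels that mix scripts, using only the standard library.

```python
import unicodedata

# Constructed look-alike: the first letter is CYRILLIC SMALL LETTER A
# (U+0430), not LATIN SMALL LETTER A (U+0061); the two render identically.
LOOKALIKE = "\u0430pple.com"
GENUINE = "apple.com"


def to_punycode(hostname):
    """Return the ASCII (punycode) form a browser such as Chrome 58+ shows."""
    return hostname.lower().encode("idna").decode("ascii")


def scripts_in_label(label):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of one label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def homograph_findings(hostname):
    """Warnings a mail gateway or link checker could attach to a hostname."""
    findings = []
    for label in hostname.lower().split("."):
        scripts = scripts_in_label(label)
        # A single label drawn from two alphabets is the classic homograph.
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        # Any non-ASCII label is an IDN; show what the browser will show.
        if not label.isascii():
            findings.append(f"label {label!r} is an IDN; punycode {to_punycode(label)!r}")
    return findings


if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(host, "->", to_punycode(host), homograph_findings(host))
```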
E-mail Thread Piggybacking Attacks
• Malware infects one device.
• The malware then replies to e-mail threads in the infected device’s inbox with phishing e-mails.
• Coming from a trusted sender in an existing thread, there is a higher likelihood that targets will click.
Reporting Phishing
Report phishing sites to the Google Safe Browsing team: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
Public Breaches
Public Breach Risks
• When a public breach occurs, the risk isn’t necessarily the site that was breached.
• Attackers will immediately take the credentials and try them on other, potentially more valuable sites.
• Users need to be hyperaware of breaches, and of this “domino effect” of exposed credentials.
Awareness of exposed credentials is critically important.
Untrusted Networks
Untrusted Networks
How many common wireless networks are saved on our phones that we autoconnect to?
Wireless Attack Kits Easily Accessible Online
Photograph is public domain. License info: All photos published on Unsplash are licensed under Creative Commons Zero which means you can copy, modify, distribute and use the photos for free, including commercial purposes, without asking permission from or providing attribution to the photographer or Unsplash. CREATIVE COMMONS ZERO: http://creativecommons.org/publicdomain/zero/1.0/
Technical Review of Key Topics
Technical Topics for Social Engineering Detection
• Understanding domains and subdomains, spotting fakes
• Understanding what SSL/TLS certificates mean and what they DON’T mean
• Understanding URL shorteners and redirects
Domains and Subdomains
Which of these is a legitimate Facebook URL?
Which of these is a legitimate PayPal URL?
To understand if a domain is legitimate, work from right to left. The primary domain is just left of the .com/.net domain extension; subdomains are left of the domain:
https://beta.facebook.com
facebook is the domain
beta is the subdomain
This is a legitimate Facebook site; it is part of the facebook.com domain.
https://paypal.com-custom-opencase.net
com-custom-opencase is the domain
paypal is the subdomain
This is NOT a legitimate PayPal site; it is part of the com-custom-opencase.net domain.
SSL/TLS certificates
What does the SSL lock mean?
• It means that traffic is encrypted, and that the site has a valid SSL certificate
What does the SSL lock NOT mean?
• It does not mean the site is legitimate
• It does not mean the site is safe
URL Shorteners
• Some URLs are extremely long, which can make them hard to view on a page or to type.
• URL shorteners translate long URLs to shortened versions that are easy to copy/paste.
• Shortened URLs are ideal for attackers, as they obscure the destination page that they are sending users to.
• A URL shortener was used in the DNC/Podesta attack discussed earlier.
• Use of URL shorteners in e-mail should be a warning flag for users.
Example from: http://cofense.com/wp-content/uploads/2014/07/Phishing-email1.png
Common URL shorteners include the following:
• Bit.ly
• Goo.gl
• T.co
• TinyUrl
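Added example, not from the slides: this Python helper applies the right-to-left rule from the Domains and Subdomains slides to a URL, separating the registrable domain from its subdomains and checking whether the expected brand actually owns the domain, and also flags the shortener domains listed above. The auth.berkeley.eduh.in path and the bit.ly link are constructed inputs, and the single-label-suffix rule is a simplification noted in the code.

```python
from urllib.parse import urlsplit

# Shorteners listed on the slide above; a shortened link hides its destination.
KNOWN_SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def registrable_domain(host):
    """Work right to left: the suffix (.com/.net/...) plus the label just left of it.

    Simplification: assumes a one-label suffix. Production tools consult the
    Public Suffix List so that hosts like example.co.uk are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url, expected_brand):
    """Split a URL's host into domain and subdomain and decide whether the
    brand the user expects actually owns the domain."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    subdomain = host[: len(host) - len(domain)].rstrip(".")
    return {
        "host": host,
        "domain": domain,
        "subdomain": subdomain,
        # The brand must be the registrable domain's own name, not a
        # subdomain or a look-alike label placed somewhere to the left.
        "brand_owns_domain": domain.split(".")[0] == expected_brand.lower(),
        "shortener": domain in KNOWN_SHORTENERS,
    }


if __name__ == "__main__":
    for url, brand in (("https://beta.facebook.com", "facebook"),
                       ("https://paypal.com-custom-opencase.net", "paypal"),
                       ("http://auth.berkeley.eduh.in/login", "berkeley"),
                       ("https://bit.ly/2abc", "example")):
        print(analyze_url(url, brand))
```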
Protecting Yourself
Suspicious E-mail Subject Lines
• “You have received a secure document”
• “We have identified unusual activity in your account”
• “Alert from ________________”
Most Clicked Phishing E-mail Subject Lines
• Official Data Breach Notification
• UPS Label Delivery 1ZBE312TNY00015011
• IT Reminder: Your Password Expires in Less Than 24 Hours
• Change of Password Required Immediately
• Please Read Important from Human Resources
• All Employees: Update your Healthcare Info
• Revised Vacation & Sick Time Policy
• Quick company survey
• A Delivery Attempt was made
• Email Account Updates
Source: https://www.itgovernance.co.uk/blog/the-ten-most-clicked-phishing-email-subject-lines/
Other Suspicious Signs
• Always be wary of attachments you weren’t expecting
• Always be wary of messages that warn you of a security problem and stress urgency
• Always be wary of messages that ask you to Enable Content on a Macro
• Use of URL shorteners
Guidance for Personal Assets
Why Encourage Employees to Secure Personal Assets?
• Ever e-mailed anything related to work to Gmail? To print, read on phone, to read at home?
• Ever have a password that is similar or shared across home and work accounts?
• Is there any work-related content on your personal home computer?
• Have a personal device that connects to institution WebMail, SSL VPN, IPsec VPN?
Guidance for Employees
• Emphasize the need to separate business and personal
• Ask that employees perform regular cleanup of business content on personal assets:
• Ensure passwords for personal and work accounts are not similar (per the public breach discussion)
• Encourage employees to check personal accounts (Gmail, Google Drive, OneNote) for work materials, and ensure they are deleted.
• Encourage employees to delete work-related materials from personal devices.
Protections for Personal Assets
Provide guidance to employees to better protect personal devices
• Laptops
• Use Google Chrome
• Enable Microsoft Defender
• Install an ad blocker (uBlock Origin)
• Phones
• Install an ad blocker (uBlock Origin)
• Enable multifactor authentication wherever possible for personal accounts
Authentication Security Ladder
• Username and password – No longer satisfactory for sensitive accounts. If you use username and password only, use a password manager like 1Password.
• Two-factor SMS authentication – Better than passwords, easy to use, but can be forged.
• Authenticator – Security codes delivered to mobile device. Harder to forge, but relies on phone staying secure.
• U2F key – Hardware device (~$20) that is used to authenticate. Most secure, but hardware is needed when authenticating to new devices.
Securing Gmail
Following the authentication security ladder – at a bare minimum SMS should be used. For better security, use the Authenticator app. For best security, use a Security Key.
Securing Facebook
Facebook supports SMS, authenticator, U2F.
Securing Twitter
Can use an authenticator app with Twitter, but Twitter does not offer a U2F hardware option.
Securing Amazon
SMS and Authenticator available at Amazon.
Securing Amazon Web Services
Multifactor authentication should be enabled on the AWS root account and AWS IAM accounts. AWS supports SMS, Authenticator, and hardware tokens.
Multifactor Authentication Guidance
www.turnon2fa.com is a site that provides guidance for enabling multifactor authentication for many popular sites.
One Size Does Not Fit All
Security Awareness – One Size Does Not Fit All
Employees that may be individually targeted:
• Executives
• Defense, technology, intellectual property
• Controlling funding, finance
• Direct access to any of the above (admins, assistants, etc.)
Whaling
Targeting executives, primarily focused on:
• Financial transactions
• Disclosure of sensitive corporate information
Security Guidelines – For Higher Risk Employees
Security guidelines for congressional campaigns: https://techsolidarity.org/resources/congressional_howto.html
Security Awareness – For Higher Risk Employees
Guidance from Tech Solidarity:
• Use Signal messenger
• Android phones prohibited
• No opening of attachments on PC; open only on mobile or remotely (Google Drive)
• Chrome is the only permitted browser
• uBlock Origin and HTTPS Everywhere
Testing and Staying Current
Testing and Staying Current
• Encourage employee communication
• Cannot be punitive when employees fail a test, or get phished in real life
• Don’t want to disincentivize employees from reporting
• Gamification of training
• Phishing services
• Staying current
Anyone Can Get Phished
Getting phished should not be a source of embarrassment – an FS-ISAC employee was recently phished.
Source: https://krebsonsecurity.com/2018/03/financial-cyber-threat-sharing-group-phished/
Gamification
New trend in security awareness training; research indicates that gamification increases engagement.
Example from: http://informationsecurityawareness.in
A number of startups exist in this field to create more engaging, more sophisticated user awareness training.
Example from: elevatesecurity.com
Phishing Services
• Numerous vendors offer phishing campaign services, including:
• Development of targeted content for organizations and users
• Running campaigns
• Redirecting users to security awareness training when they click on links
• Detailed metrics and reporting
• Numerous free services exist as well. We will walk through one free service, Duo Insight (insight.duo.com), now.
Free Phishing Service – Duo Insight
Simple walkthrough – pick a type of document that the phishing e-mail will link to.
Choose document title and description.
Pick a sender’s name, e-mail address, and phishing domain.
Phishing campaign e-mail received.
If I clicked on the link
Simplicity of Spear Phishing E-mail Creation
JMU Audit and Management Services team:
• Mark Stallard is an auditor
• Has a CISA certification
• Reports to Rebecca Holmes, also an auditor
Phishing E-mail from “Rebecca Holmes” to Mark Stallard
E-mail Body
Staying Current
Name – Description
• @Krebsonsecurity – Brian Krebs, security journalist. Links to current news stories, breach focus, attacker technique focus.
• @swiftonsecurity – Unknown, Windows and security expert. News, commentary; runs decentsecurity.com, which provides practical advice.
• @jepayneMSFT – Jennifer Payne, Microsoft security. Current attack trends and detection capabilities for Microsoft.
• @lennyzeltser – Lenny Zeltser. Overall security industry news.
• @JohnLaTwC – John Lambert, Microsoft Security. Malware trends, news.
Discussion, Questions