Salient Proprietary | www.salientcommercial.com
Hack-a-thon Results and Cyber Risk: The Evolving Landscape
Brian Denny, Security Audit Lead
December 3, 2015


Page 1: Hack-a-thon Results and Cyber Risk

The Evolving Landscape
Brian Denny, Security Audit Lead
December 3, 2015

Page 2: Agenda

• Burning question
• Our “Hack-a-thon” experience
• What we learned
• Technical tips for resolution
• Business tips for resolution

Page 3: Our Burning Question…

Why isn’t our industry – especially small to midsized carriers – more proactive when it comes to cyber security?

Page 4: Our Burning Question…

May 2014: 233 million credentials and PII

Page 5: Our Burning Question…

June 2014: 2.6 million debit/credit cards

Page 6: Our Burning Question…

June 2014: 4.5 million SSN and personal data

Page 7: Our Burning Question…

August 2014: 76 million consumers, 7 million small businesses

Page 8: Our Burning Question…

September 2014: 56 million debit/credit cards

Page 9: Our Burning Question…

October 2014: 1.2 million credit cards

Page 10: Our Burning Question…

November 2014: Emails and personnel data

Page 11: Our Burning Question…

February 2015: 80 million customers’ PII

Page 12: Our Burning Question…

March 2015: 11 million financial and medical records

Page 13: Our Burning Question…

4.2 million OPM security files
• Employees
• Applicants
• Family/Friends
• References
• PII
• Mental health info
• Drug/alcohol use
• 1.1M fingerprints

22.1XXXX

Page 14: Our Burning Question…

Over 70% of companies do not disclose breaches

It’s no longer a question of IF but WHEN you will have a cyber incident

Page 15: Most Common Responses

• Higher priorities (both business and IT)
• Budget and resource constraints
• How do I begin? Where do I start?
• Hackers wouldn’t be interested in our company
• We took care of that last year

Ongoing • Evolving • Persistent

Page 16: Most Common Responses

• IT handles that

Cyber security is NOT an IT issue!

Protecting the company and its data is a business risk management responsibility

• Fiduciary
• Liability
• Public Relations/Reputation
• Consumer confidence

Page 17: What can we do?

• How can we demonstrate the need for urgency?
• What if we convinced 10 insurance companies to let us try to hack into their systems?

Page 18: Who participated?

• Wide range of companies
• Personal, Commercial, Workers’ Comp, Niche, Life
• $10M - $500M
• Stock, Mutual, Privately Held, Non-Profit
• Spread across US

Page 19: What did we do?

• A brief, focused assessment to quickly:
• Illustrate immediate risks
• Provide a high-level view of security posture

Meant to illustrate what an attacker’s first steps would be when pursuing access to a target network

Aimed to identify vulnerabilities in the network perimeter, and to provide feedback outlining potential attack vectors

Page 20: What did we do?

• Step 1 – Open source research of a target and its Internet presence
• Step 2 – Two discrete tasks to test for vulnerabilities:
• Active Scanning – simulating a real attacker by scanning the target to identify remotely accessible services and associated vulnerabilities
• Spear Phishing – sending targeted “phishing” emails to users to illustrate possibility of perimeter bypass

Page 21: Active Scanning

• What?
• Performed remote scans from external infrastructure
• Leveraged publicly available tools
• Probed Internet facing presence
• Assessed common ports and protocols
• Focused on vulnerability discovery rather than exploitation of target network

Callouts: whois, dig, DNS brute force

Page 22: Active Scanning

• Why?
• Public-facing servers and the services they provide are the front doors to an organization's network
• Default configurations, along with poor security settings, leak information that can be extremely useful to an attacker
• With knowledge about types of systems and software, research can be done to find or develop exploits tailored to gain access to sensitive and proprietary information and systems

Page 23: Active Scanning

• Why?
• Once an initial foothold is gained, an attacker has a platform from which he/she can explore more areas that are supposed to be quarantined from the public Internet

Page 24: What were the results?

100% of companies had vulnerabilities

9 out of 10 had MINOR vulnerabilities
10 out of 10 had MODERATE vulnerabilities
8 out of 10 had CRITICAL vulnerabilities

Page 25: What were the results?

[Pie chart: 256 Total Vulnerabilities; labels Minor, Moderate, Critical; values shown 24%, 59%, 17%]

Page 26: What were the results?

[Bar chart: Common Scanning Vulnerabilities by Category (x-axis 0% to 90%); categories: Denial of Service, VPN Vulnerabilities, Overflow, Cross Site Scripting, Man-in-the-middle, SSL Vulnerabilities, Information Disclosure]

Page 27: Prominent Overarching Theme

• The root cause was the lack of security updates that allowed stolen user credentials
• 70% of the most common scanning errors could have been avoided by applying available updates and patches
• An unpatched vulnerability in Windows was taken advantage of by 3rd party

Page 28: Spear Phishing

• What?
• Performed targeted “phishing” of client users
• Regular phishing scams / emails cast a large net, attempting to lure many users into performing certain actions
• Spear phishing is much more focused, targeting specific users with relevant content (far more effective and believable)

Page 29: Spear Phishing

• What?
• Mimicked client website and internal email user

[email protected] vs. [email protected]
https://vpn.smithcompany.com vs. https://vpn.srnithcompany.com

• Used valid SSL certificates, which prevented browsers from warning users about an “untrusted connection”
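The slide's look-alike domain (srnithcompany.com standing in for smithcompany.com) is exactly the kind of thing a defender can catch mechanically in mail or proxy logs, because the trick relies on a handful of visually confusable character sequences. The following is an added example, not code from the Salient deck or from Salient; it canonicalises confusable sequences ("rn" for "m" being the slide's case) so a spoofed registrable domain collapses onto the trusted one, and falls back to an edit-distance check for single-character typosquats. The confusables table, the two-label registrable-domain rule and the proxy log lines are all constructed assumptions for illustration.

```python
"""Look-alike domain triage for outbound-connection or mail logs (added example)."""
import re
from urllib.parse import urlparse

# Visual substitutions an attacker can use in a registered domain.
# Assumption: an illustrative table, not a complete confusables list.
CONFUSABLES = [
    ("rn", "m"),  # smithcompany.com vs. srnithcompany.com (the slide's example)
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]

# Constructed proxy log lines: timestamp, client IP, requested URL, User-Agent.
SAMPLE_LOG = [
    "2015-12-03T10:01:12Z 10.1.4.22 https://vpn.smithcompany.com/ Mozilla/5.0",
    "2015-12-03T10:02:40Z 10.1.4.37 https://vpn.srnithcompany.com/login Mozilla/5.0",
    "2015-12-03T10:03:05Z 10.1.4.58 https://smithcompamy.com/verify Mozilla/5.0",
    "2015-12-03T10:04:19Z 10.1.4.22 https://example.org/news Mozilla/5.0",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def canonical(name: str) -> str:
    """Collapse confusable sequences so look-alike names compare equal."""
    s = name.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def registrable_domain(host: str) -> str:
    """Keep the last two labels (assumption: no multi-label public suffixes)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def extract_domain(value: str) -> str:
    """Accept a URL, an e-mail address or a bare host and return its domain."""
    if "://" in value:
        return registrable_domain(urlparse(value).hostname or "")
    if "@" in value:
        return registrable_domain(value.rsplit("@", 1)[1])
    return registrable_domain(value)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike', 'typosquat' or 'unrelated' for one value."""
    dom = extract_domain(value)
    if dom in trusted:
        return "trusted"
    if any(canonical(dom) == canonical(t) for t in trusted):
        return "lookalike"
    if any(levenshtein(dom, t) <= 1 for t in trusted):
        return "typosquat"
    return "unrelated"


def triage(log_lines, trusted):
    """Return (client_ip, domain, verdict) for every request worth a second look."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, ip, url, _ua = m.groups()
        verdict = classify(url, trusted)
        if verdict in ("lookalike", "typosquat"):
            hits.append((ip, extract_domain(url), verdict))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, {"smithcompany.com"}):
        print(*hit)
```

Run against the constructed log, the script flags 10.1.4.37 (look-alike) and 10.1.4.58 (typosquat) and ignores both the genuine VPN host and the unrelated site. Canonicalisation is deliberately aggressive (for instance "cl" collapses to "d"), so it can flag an unrelated domain that happens to share a canonical form with a trusted one; that is acceptable for a triage list, and a production version would use the Public Suffix List for domain extraction and a fuller confusables table.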

Page 30: Spear Phishing

• What?
• Requested users visit our spoofed site and enter their credentials to verify access
• If user clicked our link, our server recorded the IP address and browser user agent string for every connection received
• If user submitted the login form:
• Server securely logged his or her credentials
• Redirected connection to the authentic site, if it existed (if not, user was presented with a “login failed” message)
• From there, the user could log in normally

Page 31: Spear Phishing Sample

Page 32: Spear Phishing

• Why?
• Illustrates a common security bypass/perimeter breach technique
• Even if a client’s perimeter is secure (i.e., not remotely exploitable), “client side exploits” pose a real threat

Hackers got into eBay after obtaining login credentials from employees, allowing them to access the corporate network.

Page 33: Spear Phishing

• Why?
• If an internal user can be lured to initiate an outbound connection, a remote attacker can potentially have a vector to deliver malicious code to the target user on the inside of the network
• This vector wouldn’t exist if the client user didn’t initiate a connection to the attacker’s server
• This enables the possibility for the attacker to exploit a client application (e.g., the web browser making the connection)
• That is, a “client side attack or exploit”

Page 34: Spear Phishing

• Why?
• If a remote VPN is present, captured credentials can give an attacker immediate, authenticated access to a network
• If not present, credentials can still be used to access internal legitimate corporate email
• Theft of IP and PII
• May enable further attacks

Page 35: What were the results?

8 of the 10 companies fell prey to our spear phishing email

Average of 52% of users clicked on fake link

Average of 42% gave us their credentials

Page 36: What were the results?

• Clicking on an email link using an old browser allows exploitation of the browser into the internal network (CRITICAL)
• Clicking on an email link using a current or unknown browser allows information leakage (MINOR)
• Entering credentials where a remote SSL VPN exists gives immediate access to internal systems (CRITICAL)
• Entering credentials where no remote SSL VPN exists gives access to the email server (MODERATE)
• Recommendation: User education

Page 37: What did we learn?

• We must be proactive as well as reactive
• Risk management
• Mitigation strategy
• Incident response
• Cyber security is never once and done
• Everyone is a target – either directed or opportunistic

Page 38: Top Technical Tips

Comply with the SANS Top 20 Critical Security Controls, including these quick hits:

• Close all unneeded ports ("default deny" mindset)
• Regularly patch all systems (including devices, servers, and workstations)
• Create and enforce complex password requirements

Page 39: Top Technical Tips

• Move to 2-factor authentication for remote access to your networks
• Use S/MIME for digital signatures (to protect against e-mail spoofing)
• Invest in monitoring and prevention capabilities within your enterprise
• Subscribe to data sharing service (threat intelligence)
• Be aware of increased attack surface (protect your periphery)
• BYOD
• Unsecured public wi-fi
• Partners/providers

Page 40: Top Business Tips

• Adopt a corporate process to properly manage your cyber risk as part of overall risk management portfolio
• Include in enterprise risk management (reporting to leadership team and board of directors)
• Technical prevention alone is never enough
• Policies/tools to reduce impact of breaches
• Incident response (table top exercises, crisis management team)

Page 41: Top Business Tips

• Human behavior resists efforts to control
• Social Engineering – spear phishing, watering holes
• The best security prevention is crowdsourcing – i.e. responsibility of all employees
• Develop a culture of security awareness (including user training)

Page 42: Top Business Tips

• Inventory and classify all information assets (to inform your risk calculus)
• Seek compliance against relevant government and industry standards for your market
• Partner with legal, compliance and internal audit
• NAIC Principles
• Conduct annual independent 3rd party testing to benchmark your program and determine gaps

Page 43: Contact Information and Q&A

Thank you for your attention during today’s presentation. For more information, please contact:

Brian Denny
Security Audit Lead
[email protected]

And now, to our Q&A portion of today’s event.