cybersecurity and social engineering - apwa...
Ben Hayden
Background:
• US Marine Corps
• Law Enforcement
• Financial Institution – IT Security/Fraud
• U of I – BBA
• ISU – MS
@2016. Proprietary & Confidential. SHAZAM, Inc. information is of general applicability and current as of date of presentation.
Disclaimers
Disclaimers
• SHAZAM vs Competitors
• Hacking Tools
• Federal Laws
• Policies
• I don’t know everything
• No magic bullet
• “Not if, but when”
Question 1
Question: Why do organizations/people “get hacked”?
• Grudge
• Ideology (“Hacktivism”)
• Theft (Financial gain)
• Fun
• Espionage (State-sponsored)
• Some other reason
Question
Answer: Why do organizations/people “get hacked”?
• Theft (Financial Crime) – 80%
• Espionage (State Sponsored) – 15%
• Everything Else – 5%
Source: 2016 Verizon Data Breach Report
Why are we here?
In 2015…
More than 169 million personal records were exposed, at an average cost of $154 per stolen record (excluding medical records, which averaged $363 per record).
Source: 2015 ITRC Data Breach Report
Risks
What are some risks cities face?
• Points of compromise – think WHY?
• Customer payment systems
• Employee records
• Tax/property records
• Traffic sensors
• Water sensors
• GPS systems
• Phone/radio systems
Risks
Standards/Regulations
• Financial Industry: GLBA
• Health Care: HIPAA, HITECH
• What does the public sector have?
Case Studies
San Francisco Municipal Transit – November 2016
• The transit system’s payment network was encrypted, as was its email server.
• Payment machines wouldn’t accept payments.
• A ransom of 100 Bitcoin was demanded.
• SF opened the gates to the transit system; riders rode for free for two days until the system was restored.
Attack Cycle
Target Identification → Recon → Gaining Access → Scanning the Network → Exploits → Exfiltration
Target Identification
Target Identification
• Types of Hackers
• Organized Crime
• Nation States
• Hacktivist
• Insiders
Attack Example
Hypothetical Attack – Recon
• Footprinting
• Social Networks
• Website
• Maltego
Attack Example
Social Engineering – Gaining Access
• Phishing
• Client emails
• Spear Phishing
• Giving out passwords
Approximately 70% of attacks used a combination of phishing and hacking.
Source: 2016 Verizon Data Breach Report
Attack Example
Maltego
Attack Example
Scanning the Network
• Network is probed for vulnerabilities
• Open ports
• Out-of-date patches
• Unlocked systems
• Administrator access
• Multiple access points established
Attack Example
Tools
• Network mapping tools: Zenmap, SoftPerfect
• Packet sniffers: Wireshark
• Keyloggers
What are they looking for?
• Vulnerabilities
• Outdated/unpatched systems/applications
• Weak passwords with admin privileges
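From the defender’s side, a sweep with a mapping tool such as Zenmap shows up in firewall logs as one source touching many ports or hosts in a short window. The following is an added example, not part of the presentation: it parses a few constructed firewall lines (the log format and the thresholds are assumptions for this demo) and flags sources whose distinct-port or distinct-host count looks like a scan.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not real traffic). Assumed line format:
# "<time> <ACCEPT|DENY> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
10:00:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=21
10:00:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
10:00:01 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=80
10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=135
10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=139
10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=443
10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=445
10:00:03 DENY src=203.0.113.9 dst=192.0.2.10 dport=3389
10:00:03 DENY src=203.0.113.9 dst=192.0.2.11 dport=22
10:00:05 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
10:00:07 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (time, action, src, dst, dport) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, action, src, dst, dport = m.groups()
            yield t, action, src, dst, int(dport)

def find_scanners(log_text, port_threshold=8, host_threshold=2):
    """Flag a source once it has probed >= port_threshold distinct ports
    or >= host_threshold distinct hosts; denied and accepted hits both count,
    because a scan touches closed and open ports alike."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for _, _, src, dst, dport in parse(log_text):
        ports[src].add(dport)
        hosts[src].add(dst)
    return {
        src: {"ports": len(ports[src]), "hosts": len(hosts[src])}
        for src in ports
        if len(ports[src]) >= port_threshold or len(hosts[src]) >= host_threshold
    }

if __name__ == "__main__":
    for src, stats in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {stats}")
```

The ordinary web client (198.51.100.4) only ever hits two ports on one host and is not flagged; tune the thresholds to your own baseline before alerting on them.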
Scanning
SoftPerfect
Scanning
Nmap
Scanning
Nmap (GUI)
Scanning
Nmap (GUI)
Attack Example
Passwords
• Encryption – what does it actually mean?
• Breaking/Circumvention
• Publicly available rainbow tables
• On average: 24 online accounts, only 6 passwords
• 73% of passwords are duplicates
• 47% of passwords are 5+ years old
• 77% of passwords are 1+ year old
Source: TeleSign Consumer Account Security Report
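Why do public rainbow tables work? Because a plain, unsalted, fast hash of a common password is the same everywhere, so it can be precomputed once and looked up. The following is an added example, not from the presentation: it builds a tiny lookup table from a constructed wordlist, shows that an unsalted MD5 is recovered instantly, and shows the defender’s form (random per-user salt plus a slow KDF, here PBKDF2-HMAC-SHA256), against which the table is useless. Wordlist, password and iteration count are assumptions for this demo.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist standing in for a public rainbow/lookup table.
WORDLIST = ["password", "letmein", "Winter2016", "qwerty123", "cityhall1"]
ITERATIONS = 200_000  # PBKDF2 work factor; tune upward as hardware improves

def unsalted_md5(pw):
    """What a weak application stores: one fast hash, same for every user."""
    return hashlib.md5(pw.encode()).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> password once; this is all a lookup table is."""
    return {unsalted_md5(w): w for w in words}

def reverse_unsalted(digest, table):
    """Constant-time dict lookup recovers an unsalted hash of a common word."""
    return table.get(digest)

def store_salted(pw):
    """Defender's form: random 16-byte salt + slow KDF, stored as salt$dk."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def verify_salted(pw, stored):
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo(pw="Winter2016"):
    table = build_lookup_table(WORDLIST)
    recovered = reverse_unsalted(unsalted_md5(pw), table)      # found at once
    stored_a = store_salted(pw)
    stored_b = store_salted(pw)                                # same password,
    same_stored_value = stored_a == stored_b                   # different salts
    # The precomputed table has no entry for a salted PBKDF2 output.
    table_hit = reverse_unsalted(stored_a.split("$")[1], table)
    return recovered, same_stored_value, table_hit, verify_salted(pw, stored_a)

if __name__ == "__main__":
    print(demo())
```

The table attack still works if the salted KDF is fed a password from a short wordlist by brute force, so salting and a slow KDF complement, rather than replace, strong and unique passwords.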
Attack Example
Types of Exploits
• Two basic types: known and unknown
• What they do: elevate privileges, attack other applications
• Exploit Kits – Dark Web (Tor)
Attack Example
Exfiltrating the data
• Difficult to detect
• Mimics “normal” behavior
What do they do with the data?
• Sell it
Unless it’s ransomware:
• Encrypt specific file types on device/server
What can you do?
Best Practices
• Think “when,” not “if”
• Follow IT policies/procedures
• Don’t open unusual links/attachments
• Trust through verification
• Think before you click
• Use strong passwords