Cybersecurity and Social Engineering

Ben Hayden, IT & Risk Consultant

Posted 16-Jul-2018

Background:

• US Marine Corps

• Law Enforcement

• Financial Institution – IT Security/Fraud

• U of I – BBA

• ISU – MS

©2016. Proprietary & Confidential. SHAZAM, Inc. Information is of general applicability and current as of date of presentation.

Disclaimers

• SHAZAM vs Competitors

• Hacking Tools

• Federal Laws

• Policies

• I don’t know everything

• No magic bullet

• “Not if, but when”

Question 1

Why do organizations/people “get hacked”?

• Grudge

• Ideology (“Hacktivism”)

• Theft (Financial gain)

• Fun

• Espionage(State-sponsored)

• Some other reason

Answer

Why do organizations/people “get hacked”?

• Theft (Financial Crime) – 80%

• Espionage (State Sponsored) – 15%

• Everything Else – 5%

Source: 2016 Verizon Data Breach Report

Why are we here?

In 2015…

More than 169 million personal records were exposed, at an average cost of $154 per stolen record (excluding medical records, which averaged $363 per record).

Source: 2015 ITRC Data Breach Report

Risks

What are some risks cities face?

• Points of compromise – think WHY?

• Customer payment systems

• Employee records

• Tax/property records

• Traffic sensors

• Water sensors

• GPS systems

• Phone/radio systems

Risks

Standards/Regulations

• Financial Industry

  • GLBA

• Health Care

  • HIPAA

  • HITECH

• What does the public sector have?

Case Studies

San Francisco Municipal Transit – November 2016

• Transit system’s payment network was encrypted, as was their email server.

• Payment machines wouldn’t accept payments.

• 100 Bitcoin was demanded.

• SF opened the gates to the transit system; riders rode for free for two days until the system was restored.

Attack Cycle

• Target Identification

• Recon

• Gaining Access

• Scanning the Network

• Exploits

• Exfiltration

Target Identification

Types of Hackers

• Organized Crime

• Nation States

• Hacktivist

• Insiders

Attack Example – Recon

Hypothetical Attack

• Footprinting

• Social Networks

• Website

• Maltego

• Google


Attack Example – Gaining Access

Social Engineering

• Phishing

• Client emails

• Spear Phishing

• Giving out passwords

Approximately 70% of attacks used a combination of phishing and hacking.

Source: 2016 Verizon Data Breach Report


Attack Example


Maltego

Attack Example – Scanning the Network

Network is probed for vulnerabilities:

• Open ports

• Out-of-date patches

• Unlocked systems

• Administrator access

Multiple access points established

Attack Example – Scanning the Network

Tools

• Network mapping tools

  • Zenmap, SoftPerfect

• Packet Sniffers

  • Wireshark

• Keyloggers

What are they looking for?

• Vulnerabilities

• Outdated/unpatched systems/applications

• Weak passwords with admin privileges

Scanning

• SoftPerfect

• Nmap

• Nmap (GUI)

• Nmap (GUI)

Attack Example – Passwords

Encryption

• What does it actually mean?

Breaking/Circumvention

• Publicly available rainbow tables

On average – 24 online accounts, only 6 passwords

• 73% of passwords are duplicates

• 47% of passwords are 5+ years old

• 77% of passwords are 1+ year old

Source: TeleSign Consumer Account Security Report
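An added example (not part of the presentation) of the rainbow-table point above: a precomputed lookup table recovers an unsalted hash instantly, while a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here, standard library only) makes that table useless. The wordlist and passwords are constructed.

```python
# Added example, not from the presentation: why precomputed ("rainbow") tables
# crack unsalted password hashes but not salted, iterated ones.
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a leaked/common-password list.
WORDLIST = ["password", "letmein", "Spring2016!", "qwerty", "welcome1"]


def unsalted_sha256(password: str) -> str:
    """Weak scheme: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> plaintext once; the table is reusable against any
    stolen database that used the same unsalted scheme (the rainbow-table idea)."""
    return {unsalted_sha256(w): w for w in words}


def crack_with_table(table: dict, stored_digest: str):
    """Return the plaintext if the digest was precomputed, else None."""
    return table.get(stored_digest)


def hash_salted(password: str, salt: bytes = None, rounds: int = 200_000) -> tuple:
    """Mitigating scheme: per-user random salt + iterated PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are stored, neither needs to be secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, rounds: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", crack_with_table(table, unsalted_sha256("letmein")))
    salt, digest = hash_salted("letmein")
    print("salted lookup:", crack_with_table(table, digest.hex()))
    print("salted verify:", verify_salted("letmein", salt, digest))
```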

Attack Example – Exploits

Types of Exploits

• Two basic types:

  • Known

  • Unknown

• What they do:

  • Elevate privileges

  • Attack other applications

• Exploit Kits

  • Dark Web (Tor)

Attack Example – Exfiltration

Exfiltrating the data

• Difficult to detect

• Mimics “normal” behavior

What do they do with the data?

• Sell it

Unless it’s Ransomware

• Encrypt specific file types on device/server

What can you do?

Best Practices

• Think When not If

• Follow IT policies/procedures

• Don’t open unusual links/attachments

• Trust through verification

• Think before you click

• Use strong passwords

Thank you!

QUESTIONS?
