IT Security Best Practices (Jeff Rovelli, Director IT Security, Knights of Columbus) and Investigating Cyber Crime (SSA Martin J. McBride, FBI). SCCE Regional Compliance & Ethics Conference, 13 Nov 2015. Slide transcript.


Jeff Rovelli, Director IT Security
Knights of Columbus
Jeff.Rovelli@kofc.org
(203) 752-4033


IT Security Best Practices
• Unprecedented number of data breaches in 2014 and 2015
  – Target, Sony, Home Depot, Anthem, OPM, Scottrade
• Estimated Anthem cost: millions of dollars
  – The intrusion went 9 months undetected
• New catch phrase: "It is not if, but when"
• This has greatly increased corporate executive awareness
• Increased visibility is good for enhancing IT security programs
• How do we engage executives?


IT Security Best Practices
• Develop an IT Security Business Plan detailing proposed and future IT Security enhancements
  – Internal and external IT Security review
  – Shows executives you have a plan and which areas need improvement
• Develop a Cyber Incident Response Plan
  – Conduct tabletop exercises to test and vet the plan
• IT Security reports to the Chief Compliance Officer rather than the CTO or CIO
  – Still works closely with ITS, but eliminates the conflict of interest of security reporting to the people whose systems it reviews


IT Security Best Practices
• Unfortunately there is no silver bullet that eliminates any chance of a successful attack
• Weakest link: end users
• Basic IT Security
  – Patch and update systems
  – Browser/Internet security (McAfee, Websense)
    • Track access to malicious websites
    • Track inappropriate user activity
  – Email security (McAfee, Websense, Proofpoint)
    • Protect PII and other sensitive data
    • Block phishing attempts


IT Security Best Practices
• Basic IT Security (continued)
  – Antivirus: McAfee, System Center Endpoint Protection (SCEP)
  – Intrusion Detection System: Trustwave, Dell SecureWorks
  – External/Internal Penetration Testing: BeyondTrust, Rapid7
  – Web Application Testing: Veracode
  – Security Information and Event Management (SIEM) tool
    • Collects log information and other security events into a central repository for trend analysis and alerting


IT Security Best Practices

• Encrypt laptops and other mobile devices

• Privileged user and application review

• Information Security Training

• Written Information Security Policies

• Acceptable use

• Written Information Security Plan (WISP)

• Incident Response Plan

• Cyber Insurance Policy


IT Security Best Practices: 2015 IT Security Project
• Protect against end-user actions and zero-day vulnerabilities
• Desktop/laptop vulnerability to web attacks continues to be a very high risk. This includes user-targeted threats such as spear-phishing, watering-hole attacks, drive-by downloads, and ransomware.
• A Desktop Protection Tool creates a secure virtual container, local to the desktop, to wall off and seamlessly run the most highly targeted applications (web browsers, PDF files and Microsoft Office files) in an isolated environment.
  – Caveat: the container confines what an exploited browser or document reader can reach on the host; it does not stop a user from typing credentials into a convincing phishing page, so it complements e-mail filtering and training rather than replacing them.


Jeff Rovelli, Director IT Security
Knights of Columbus
Jeff.Rovelli@kofc.org
(203) 752-4033

SCCE Regional Compliance & Ethics Conference
Investigating Cyber Crime, 13 Nov 2015
Martin J. McBride, Supervisory Special Agent
FBI - Computer Intrusion Program


FBI Priorities
• The FBI focuses on threats that:
  – Challenge the foundations of American society, or
  – Involve dangers too large or complex for any local or state authority to handle alone
• In executing the priorities shown on the next slide, the FBI, as both a national security and a law enforcement organization, will produce and use intelligence to:
  – Protect the nation from threats
  – Bring to justice those who violate the law


FBI Priorities
1. Protect the United States from terrorist attack
2. Protect the United States against foreign intelligence operations and espionage
3. Protect the United States against cyber-based attacks and high-technology crimes
4. Combat public corruption at all levels
5. Protect civil rights
6. Combat transnational/national criminal organizations and enterprises
7. Combat major white-collar crime
8. Combat significant violent crime
9. Support federal, state, local and international partners
10. Upgrade technology to successfully perform the FBI's mission


FBI Cyber Priorities
• The Cyber Program investigates:
  – Computer intrusions targeting the national information infrastructure
    • National Security (nation-state backed intruders)
    • Criminal
  – Internet-facilitated criminal activity, for example significant Internet fraud
    • Highly organized
    • Large dollar amounts (hundreds of thousands)
    • Large victim population
  – Supports FBI priorities across Program lines: Counterterrorism, Counterintelligence, Criminal investigations


Investigating Cyber Crime
• Objectives
  – Ransomware
  – Recognizing the good from the bad
  – What's happening in CT today
  – Investigating internationally
  – Hop Points
  – Why everyone should care about cyber security
  – Reaching out to Law Enforcement: who, what, where, why, when, and how


Ransomware
• Malware installed on a computer that gives the installer the ability to lock the computer remotely
• The malware often generates a pop-up window, web page or e-mail warning
  – Looks like it comes from an official authority


Ransomware
• Holds your computer/data hostage until you pay a fee to get it unlocked
• How is it installed? The user:
  – Opens a malicious email attachment
  – Clicks a malicious link in an e-mail message, instant message or web page
  – Visits a malicious website
    • Social networking sites are big targets now


Ransomware
• Defense against ransomware
  – Maintain software patches and AV protection
  – Back up your important data and programs
    • A backup the infected machine can write to (mapped drive, synced folder) can be encrypted along with everything else; keep an offline or versioned copy and test that it restores
• Recovery
  – Pay the ransom and pray for the decrypt code
  – Restore a pre-infection backup


Internet - Recognizing Bad Things
• Indicators of a Scam
  – Too good to be true? MOST LIKELY IT IS A SCAM!
  – Scams come in a variety of flavors: unsolicited email messages, online relationships, online advertisements, online job offers, online purchases, auctions, etc., unsolicited phone calls
  – Use of difficult-to-trace money transfer services: Western Union, GreenDot, BitCoin, other uninsured online currencies
  – Use of foreign countries in the movement of money: Nigeria, Romania, UK, Canada, Ukraine


Internet - Recognizing Bad Things
• Older Examples
  [Screenshots of scam messages; images not reproduced in the transcript]
• Phishing
  [Screenshots of phishing e-mails; images not reproduced in the transcript]

Internet - Recognizing Bad Things
• Reading e-mail headers
  – Viewing full headers vs. normal headers: the normal view shows only From, To and Subject, all of which the sender fills in; the full headers add the Received: line that each mail server prepended as the message passed through it
  – Bottom up is the key: the bottom-most Received: line is the hop closest to the real sender, the lines above it were added by servers nearer to you, and the From: address can say anything


Internet - Recognizing Bad Things
• Lookup Tools
  – Whois: look up DNS information, owner of domain names, owner of IP addresses
  – Ping
  – Traceroute
  – Reverse IP lookup
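Added example, not from the slides: a small Python script that does the bottom-up walk described two slides above on a constructed message. The message, host names and addresses are made up for the illustration (documentation IP ranges stand in for public ones). It unfolds the raw headers, parses each Received: line, lists the hops from origin to your own server, flags hops where the receiving server could not confirm the name the sender announced, and picks out the first address that is not on an internal range, which is the one to hand to the whois, reverse-IP and traceroute tools listed above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample message (not a real capture). Each mail server prepends
# its own Received: line, so the top one is our own MX and the bottom one is
# the hop nearest the real sender. The From: header is whatever the sender typed.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Fri, 13 Nov 2015 09:12:01 -0500
Received: from relay.badhost.example (relay.badhost.example [198.51.100.23])
\tby mx.example.org with ESMTP; Fri, 13 Nov 2015 09:11:58 -0500
Received: from [10.0.0.5] (unknown [203.0.113.77])
\tby relay.badhost.example with ESMTPA id 77; Fri, 13 Nov 2015 09:11:40 -0500
From: "Peoples Bank Security" <security@peoplesbank.example>
To: member@example.org
Subject: Please verify your account

Click the link to verify your account.
"""

# Ranges that never identify an Internet sender (RFC 1918, loopback, link-local).
# The documentation ranges used in the sample count as external here.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                    # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9.]+)\]\))?"  # what the receiver actually saw
    r".*?\bby\s+(?P<by>\S+)")                                  # server that wrote this line


def unfold_headers(raw):
    """Return [(name, value), ...] with RFC 5322 folded continuation lines joined."""
    head = raw.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)
    out = []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def trace_hops(raw):
    """Received: lines parsed and ordered bottom-up, i.e. origin first."""
    received = [v for n, v in unfold_headers(raw) if n == "received"]
    hops = []
    for line in reversed(received):
        m = RECEIVED_RE.search(line)
        if not m:
            continue  # local-delivery lines without from/by are not hops
        hop = m.groupdict()
        # rDNS of "unknown", or a bare IP announced in HELO, means the receiving
        # server could not confirm the name the sender claimed for itself.
        hop["claimed_name_verified"] = bool(hop["rdns"]) and hop["rdns"] == hop["helo"]
        hops.append(hop)
    return hops


def origin_ip(raw):
    """First externally routable address in the bottom-up chain, or None."""
    for hop in trace_hops(raw):
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop["ip"]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(RAW_MESSAGE), 1):
        flag = "" if hop["claimed_name_verified"] else "  <- unverified sender name"
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}{flag}")
    print("origin:", origin_ip(RAW_MESSAGE))
```

On the sample the first hop is the one to investigate: the sender announced itself as a bare private address, the relay's reverse lookup came back "unknown", and the address it connected from is the first public one in the chain. Only Received: lines written by servers you trust are reliable; a sender can prepend fake ones below its own, so start from the line your own server wrote and work down only as far as the hops you can corroborate with whois and reverse lookups.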


Business Email Compromise, Scenario 1
• Spoofing the e-mail header to establish bona fides
  – Introduce a new player who will conduct the transactions
  – The new player now acts on behalf of your boss
• Transfer money for accounts payable
  – The account given is owned by the scammers
  – Money is transferred to the scam account, likely somewhere offshore

  [Screenshots of the scenario 1 e-mails; images not reproduced in the transcript]

Business Email Compromise, Scenario 2
• Similar to Scenario 1
  – Began with a telephone call, followed up by an e-mail spoofing the CEO's e-mail address
  – A third person was introduced to conduct the transactions
  – The employee was instructed to talk to no one about this
• The project was a "special assignment directly from the CEO"
• Multiple money transfers under $10k were used to "avoid security checks"
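Added example, not from the presentation: a Python check for the pattern in the last bullet, run over a constructed payment log. A per-transfer review limit looks at one payment at a time, so a series of payments each just under it never trips the check; grouping sub-limit payments to the same new beneficiary inside a short window surfaces the split. The threshold, window, account numbers, requester names and amounts are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000.00        # per-transfer limit above which a second approver reviews (assumed)
WINDOW = timedelta(days=7)   # how close together the split payments have to be
MIN_COUNT = 3                # how many sub-limit transfers to one payee is worth a look
KNOWN_BENEFICIARIES = {"ACCT-1201"}  # payees already on the vendor master (assumed)

# Constructed payment log, not real data: (time, beneficiary, amount, requester)
TRANSFERS = [
    ("2015-10-05 09:14", "ACCT-8841", 9_800.00, "jdoe"),
    ("2015-10-05 15:02", "ACCT-8841", 9_500.00, "jdoe"),
    ("2015-10-06 10:40", "ACCT-8841", 9_900.00, "jdoe"),
    ("2015-10-07 11:05", "ACCT-8841", 9_750.00, "jdoe"),
    ("2015-10-06 13:20", "ACCT-1201", 24_000.00, "asmith"),  # over limit, reviewed normally
    ("2015-10-20 08:00", "ACCT-3310", 4_000.00, "jdoe"),      # one small payment, nothing to group
]


def parse_log(rows):
    """Parse the timestamp strings and sort the log by time."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), acct, amt, who)
                  for t, acct, amt, who in rows)


def find_structuring(rows, threshold=THRESHOLD, window=WINDOW,
                     min_count=MIN_COUNT, known=KNOWN_BENEFICIARIES):
    """Return (beneficiary, count, total, first_time, last_time) for each new
    beneficiary that received at least min_count sub-threshold transfers inside
    one window whose sum exceeds the threshold they individually stayed under."""
    by_acct = defaultdict(list)
    for ts, acct, amt, who in parse_log(rows):
        if amt < threshold and acct not in known:
            by_acct[acct].append((ts, amt, who))

    alerts = []
    for acct, items in by_acct.items():
        best = None
        start = 0
        for end in range(len(items)):          # sliding window over the sorted transfers
            while items[end][0] - items[start][0] > window:
                start += 1
            group = items[start:end + 1]
            total = sum(amt for _, amt, _ in group)
            if len(group) >= min_count and total >= threshold:
                if best is None or len(group) > best[1]:
                    best = (acct, len(group), total, group[0][0], group[-1][0])
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for acct, n, total, first, last in find_structuring(TRANSFERS):
        print(f"{acct}: {n} transfers totalling {total:,.2f} between {first} and {last}")
```

The control this models is an aggregation rule alongside the per-transfer limit: new beneficiary plus several sub-limit payments in a week gets the same second approval a single large payment would, which is the check the "special assignment" was designed to avoid.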


Business Email Compromise, Scenario 3
• Intercept legitimate e-mail traffic
• Register a look-alike domain
• Insert yourself into an existing e-mail conversation
  – Include the previous message thread
  – It'll look like a continuous communication
• Change payment information
  – Divert payment to an account controlled by the scammer(s)
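Added example, not part of the presentation, covering scenarios 1 and 3 above: Python header checks that flag a Reply-To domain different from the From domain (the new player who answers on the boss's behalf) and a sender domain within a small edit distance of a known counterparty domain (the look-alike registration), raising the severity when the subject asks for a payment change. The trusted domains, sample headers and keyword list are constructed for the illustration.

```python
# Domains this business legitimately exchanges invoices with. Assumed example
# values; a real deployment would load them from the vendor master list.
TRUSTED_DOMAINS = {"example-supplier.com", "kofc.example"}

# Wording that turns a suspicious message into a payment-diversion attempt.
PAYMENT_WORDS = ("bank details", "wire", "account number", "remit")

# Constructed header sets, not real messages.
SAMPLES = [
    {"from": "ceo@kofc.example",             # scenario 1: the boss's address spoofed,
     "reply_to": "ceo.kofc@webmail.example",  # replies routed to the scammer
     "subject": "Urgent wire - special assignment"},
    {"from": "ap@exampIe-supplier.com",      # scenario 3: capital I for lower-case l,
     "reply_to": "",                          # inserted into a real invoice thread
     "subject": "RE: Invoice 4471 - updated bank details"},
    {"from": "ap@example-supplier.com",      # legitimate
     "reply_to": "",
     "subject": "RE: Invoice 4471"},
]


def levenshtein(a, b):
    """Edit distance; a small value between two domains signals a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part. DNS names are case-insensitive, which is what
    lets a capital I pass for a lower-case l on screen."""
    return addr.rsplit("@", 1)[-1].strip().lower() if addr else ""


def assess(msg, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of findings for one message's headers."""
    findings = []
    sender = domain_of(msg["from"])
    if sender not in trusted:
        for good in sorted(trusted):
            dist = levenshtein(sender, good)
            if 0 < dist <= max_distance:
                findings.append(("lookalike", sender, good, dist))
    reply = domain_of(msg.get("reply_to"))
    if reply and reply != sender:
        findings.append(("reply_to_mismatch", sender, reply))
    subject = msg.get("subject", "").lower()
    if any(w in subject for w in PAYMENT_WORDS):
        findings.append(("payment_wording",))
    return findings


def risk(msg):
    """high = identity problem plus a payment request; medium = identity problem only."""
    kinds = {f[0] for f in assess(msg)}
    if kinds & {"lookalike", "reply_to_mismatch"}:
        return "high" if "payment_wording" in kinds else "medium"
    return "low"


if __name__ == "__main__":
    for msg in SAMPLES:
        print(risk(msg), msg["from"], assess(msg))
```

A distance cutoff of 2 works for domains of normal length; for very short domains it matches unrelated names, so compare only the registrable domain and tune the cutoff against your own vendor list. Neither check replaces the out-of-band control: any change of payment details should be confirmed by calling the vendor on a number already on file, not one from the message.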

  [Screenshots of the scenario 3 e-mails; images not reproduced in the transcript]

Reverse Social Engineering
• Power Company Intrusion
  – Vulnerable billing system
• Gathered data on the target's customers
  – Customer name, address, telephone #, e-mail addresses, account #
  – Billing information: due dates, amounts due, recent payment history, etc.


Reverse Social Engineering (continued)
• Used caller ID spoofing
  – Spoofed customer telephone numbers for easier account access
  – Spoofed power company numbers when calling customers
• Told customers their most recent bill hadn't been paid and power would have to be shut off if payment wasn't received within 30 minutes
  – To authenticate the call, they used both the data acquired from the power company intrusion and the spoofed caller ID
  – Provided two options for making payment within 30 minutes:
    • Go to the nearest customer service center (always more than 30 minutes away)
    • Go to CVS, purchase a GreenDot card and provide the card info to make payment


Hop Points
• One objective of an APT: to acquire and use hop points while remaining undetected
• A means to avoid raising suspicions based on IP addresses
  – Hop points can be geographically near the target
  – Used for network entry and data exfiltration
• Otherwise nondescript computers can be used to facilitate the undetected theft of trade secrets and other national security information


Cyber National Security
• Show of hands: who here believes their computer network could be used to steal secrets from:
  – U.S. Government?
  – Government contractors?
  – Proprietary information from Fortune 500 companies?


[Diagram; only its labels survive in the transcript: US Defense Contractors, Small US Consulting Business, Foreign University, Small US Construction Business, Foreign Web Hosting Service, State-sponsored Cyber Actors]

The Big Cases, 2014 - present
• Target, Home Depot, Sony, Anthem, OPM
  – Intrusions that compromise enormous amounts of Personally Identifiable Information
    • Adversaries use the data to identify government and military personnel
    • Criminals use the data to capitalize on it
      – Sell data to other criminals
      – Create fake credit cards for ATM and POS transactions
      – Use for online purchasing
      – Steal identities
    • Revenge/coercion (Sony, for example)


The Big Cases, 2014 - present
• Realized harm
  – Damage to company reputation
  – Damage to the U.S. economy
  – Consumer distrust of e-commerce
    • Usually an uninformed distrust: Point-of-Sale (POS) data was compromised rather than Internet sale data
• If you make yourself a target, you WILL BE COMPROMISED!!!


Investigating Internationally
• What to do when the criminals operate exclusively beyond U.S. borders?
  – Establish a global law enforcement presence
    • FBI Legal Attaches (LEGAT): global coverage from more than 60 embassies
    • Interpol
    • Mutual Legal Assistance Treaties (MLAT)


Romanian Phishing Case Study
• Case began in June 2005 when an InfraGard member received a phishing e-mail purporting to come from Peoples Bank
  – The member did not have an account with Peoples Bank and immediately recognized it as phishing
• A spoofed e-mail address and graphical images were created to make the message look like it truly came from Peoples Bank
• The phishing e-mail contained a link to a phishing web site unwittingly hosted in Minnesota


Romanian Phishing Case Study
• The unwitting owner of the phishing web site provided copies of the files used to produce the site
  – From the scripts, it was determined that phished data was sent to an e-mail collector account, [email protected]
  – Search warrants and subpoenas to Yahoo! and various ISPs revealed a connection to Romania


Romanian Phishing Case Study
• Investigative assistance provided by Peoples Bank revealed numerous ATM withdrawals made in Romanian cities using the phished data
• The LEGAT in Bucharest was brought into the investigation
  – The LEGAT worked closely with the Romanian National Police (RNP) in a joint investigation


Romanian Phishing Case Study
• Joint international investigation
  – Allowed informal sharing of information outside of the burdensome and time-consuming MLAT process
  – The MLAT process was still necessary for the collection of evidence that would be used against defendants
  – Based on search warrants to Yahoo!, Google, and other U.S. ISPs, and corroboration of IP addresses and official identification documents by the RNP, more than 20 Romanians were identified as being involved in phishing


Romanian Phishing Case Study
• Timeline
  – June 13, 2005: case begins from e-mail receipt
  – August 2005: first of many search warrants issued
  – January 18, 2007: seven Romanians indicted in CT
  – February 2007: Interpol Red Notices issued
  – June 6, 2007: first arrest (OINR) made in Bulgaria; OINR was transiting Bulgaria for a vacation in Turkey
  – November 8, 2007: extradition of OINR from Bulgaria
  – April 17, 2008: FBI investigative technique in the phishing case helps the RNP locate their subject in an eBay fraud case
  – May 19, 2008: FBI Los Angeles indicts 33 in a similar case, and the CT case gets unsealed due to some overlap


Romanian Phishing Case Study
• Timeline (continued)
  – July 22, 2008: OINR is convicted of phishing charges
  – January 20, 2009: PBB arrested in Canada; had moved from Romania to Canada during the investigation
  – March 30, 2009: OINR sentenced to 50 months in U.S. prison
  – May 8, 2009: Secretary of State Clinton signs Protocols of Exchange of Instruments of Ratification for the U.S.-Romania Mutual Legal Assistance Protocol and the U.S.-Romania Extradition Treaty
  – July 18, 2009: CIT arrested in Croatia; was working on a cruise ship that had docked there


Romanian Phishing Case Study
• Timeline (continued)
  – September 4, 2009: CIT arrives in CT without contesting extradition
  – September 25, 2009: PBB extradited from Canada
  – January 14, 2010: CIT pleads guilty to CAN-SPAM
  – February 18, 2010: CIT sentenced to 7 months
  – August 5, 2010: PBB pleads guilty to phishing charges
  – November 10, 2010: fourteen new indictments
  – Between December 2011 and November 2013, nine Romanians were arrested and extradited directly from Romania


Romanian Phishing Case Study
• Timeline (continued)
  – December 3, 2012: NDD pleads guilty at jury selection
  – December 2012: BB is the only defendant to go to trial; convicted on both counts charged
  – May 15, 2013: IS arrested in Sweden
  – June 10, 2013: BB sentenced to 80 months
  – June 13, 2013: NDD sentenced to 78 months
  – September 12, 2013: IS extradited to CT
  – April 23, 2014: IS pleads guilty
  – June 17, 2014: PBB sentenced to 22 months
  – July 8, 2014: IS sentenced to 45 months


Romanian Phishing Case Study
• Results
  – 13 arrests: 1 Bulgaria, 1 Canada, 1 Croatia, 9 Romania, 1 Sweden
    • None had ever been to the United States
  – 13 extraditions from 5 different countries
  – 13 convictions: 12 guilty pleas and 1 at trial
  – 13 sentences ranging from 7 to 80 months, averaging around 50 months
  – First extradition for computer crimes committed by someone who had never been to the U.S.
  – First extraditions directly from Romania of Romanian citizens


Reaching out to Law Enforcement
• Who, what, where, why, when, and how
• Who
  – KNOW IN ADVANCE WHO YOU WILL CALL!!!
  – Large businesses: FBI, USSS, Postal Inspectors, State Police
  – Small businesses: IC3, State Police, FBI, USSS, Postal Inspectors
  – Individuals: IC3 (www.ic3.gov), Local Police, State Police
  – Call a known person
    • Calling publicly listed numbers is BAD PLANNING!
    • Verify your contact information at least annually


Reaching out to Law Enforcement
• What
  – Computer intrusions and Internet-facilitated criminal activities, loss or no loss
    • National Security investigation
    • Criminal investigation, if the loss is significant
    • Referral to other resources (e.g. IC3), if the loss is less significant
    • Intelligence collection: valuable in all cases of mischievous cyber activity


Reaching out to Law Enforcement
• Where: the agency responsible for
  – The location of the intrusion: where are the computers?
  – The location of the subject: often not known until deep into the investigation
  – Company headquarters: if HQ is better equipped to assist with the investigation


Reaching out to Law Enforcement
• Why
  – Because the security of the Internet is a global community concern
    • All of us need to work together on this
    • A secure Internet will boost every legitimate business
    • A non-secure Internet may knock out some competition, but the bottom line of the survivors will not reap the benefits that a secure Internet can provide


Reaching out to Law Enforcement
• When
  – After the dust settles
    • Law enforcement is not equipped to be a first responder for cyber incidents; too many proprietary variables
  – Executing the business continuity plan is critical
  – Collect as much information as you can before calling law enforcement
    • Once law enforcement becomes involved, restrictions on gathering evidence may attach
    • More information will help to determine whether an investigation will be opened and what, if any, public exposure the victim may face


Reaching out to Law Enforcement
• How
  – However you had it planned:
    • Work day, work hours
    • Work day, after hours
    • Weekend
    • Holiday
    • POC on vacation


Questions???

SSA Martin J. McBride
203-503-5106
[email protected]