Securing Organizational Credentials - Internet2 · 2019-03-27
TRANSCRIPT
Securing Organizational Credentials: New and Pervasive Cyber-Threats
PRESENTER NAME: Kim Milford, Executive Director, REN-ISAC
THREATS
Ransomware
Business Email Compromise
[Figure: REN-ISAC CSIRT Notifications, 12/31/2018. Bar chart of notification counts (scale 0 to 2000) per botnet family, labelled with the year each family appeared: Dorkbot (2015), Nivdort (2016), Pushdo (2007), Fleercivet (2014), Kelihos (2010), ZeroAccess (2013), Ponmocup (2006), Gozi (2013), Bedep (2015), Conficker (2008).]
CSIRT STATISTICS, 2018 COMPARED TO 2016
STOLEN CREDENTIALS
Stolen Credentials Used for Exfiltration
IMPACT
Password Dump Cleanup
• Parse out old domain names
• Run the list through a macro to see if the password composition meets current (enforced) password policy.
• Feed surviving credentials into a script that checks against the current authoritative credential store.
• Reset passwords on at-risk/exploited credentials and notify users
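As an added illustration of the four-step cleanup above (not the presenter's or REN-ISAC's tooling), the Python below triages a constructed `email:password` dump: it drops stale domains, discards passwords that cannot satisfy a hypothetical enforced policy, and compares what survives against a constructed PBKDF2 credential store. The domain list, policy rule and store contents are all assumptions.

```python
import hashlib
import hmac

# Constructed sample data: a leaked "email:password" dump and the institution's
# current mail domains (both hypothetical).
CURRENT_DOMAINS = {"example.edu", "mail.example.edu"}
DUMP = """\
alice@example.edu:Tr0ub4dor&3xample!
bob@old-campus.edu:Summer2016
carol@example.edu:password1
dave@mail.example.edu:C0rrect-Horse-Battery
erin@example.edu:Wrong-But-Policy-0k!
"""

def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed authoritative store: username -> (salt, hash). Built so that alice
# and dave still use their leaked password while erin and carol do not.
STORE = {
    "alice": (b"salt-a", pbkdf2("Tr0ub4dor&3xample!", b"salt-a")),
    "dave": (b"salt-d", pbkdf2("C0rrect-Horse-Battery", b"salt-d")),
    "erin": (b"salt-e", pbkdf2("SomethingElse-2019!", b"salt-e")),
    "carol": (b"salt-c", pbkdf2("Different-Pass-99!", b"salt-c")),
}

def meets_policy(pw: str) -> bool:
    """Hypothetical enforced policy: 12+ characters and at least three classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= 12 and classes >= 3

def triage_dump(dump: str, domains=CURRENT_DOMAINS, store=STORE):
    """Return (at_risk, dropped): at_risk lists usernames whose leaked password
    still matches the store (step 4 input); dropped records why others fell out."""
    at_risk, dropped = [], {}
    for line in dump.splitlines():
        email, _, pw = line.partition(":")
        user, _, domain = email.partition("@")
        if domain not in domains:            # step 1: parse out old domains
            dropped[email] = "old domain"
        elif not meets_policy(pw):           # step 2: cannot be a live password
            dropped[email] = "fails current policy"
        elif user not in store:
            dropped[email] = "no such account"
        else:                                # step 3: constant-time store check
            salt, digest = store[user]
            if hmac.compare_digest(pbkdf2(pw, salt), digest):
                at_risk.append(user)
            else:
                dropped[email] = "password differs"
    return at_risk, dropped
```

The `at_risk` list is what the final step (forced reset and user notification) would consume; the `dropped` reasons give the audit trail for everything discarded earlier.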
Stolen Credentials
• Underreported
• If reported at all, generally a long delay
• Risk is uncertain, depends on circumstances
– Requires additional analysis
MITIGATION
Training and Education
Two Factor Authentication
Modlishka
MITM Mitigation
• User education
• U2F tokens
• Password managers
• Limit exposure, e.g., short timeouts for tokens
• Phishing page detection, e.g., Chrome extension
• Site authentication to the user
• Reduce the life of user accounts
Student Lifecycle
[Figure: timeline (scale 0 to 6) of the student lifecycle, with stages Application, Admission and Enrollment, and the point at which Student Accounts are Granted.]
Student Lifecycle
- Account disabled after 2 consecutive semesters of non-enrollment
- Account disabled 6 months after last enrolled semester; OnTrack account disabled 1 year after last enrolled semester
- Deactivated one term after student was last eligible to register, deleted one term after that
- Access retained for "things like unofficial transcripts and academic and employment information"; email deactivated after no attendance for a year
References
• 2018 Verizon Data Breach Investigations Report
– https://enterprise.verizon.com/resources/reports/dbir/
• 2015 DHS Intelligence Assessment on Research and Education (R&E)
– https://intellihub.com/wp-content/uploads/2015/02/DHS-UniversityCyberThreats.pdf
• March 2019: Wall Street Journal, "Chinese Hackers Target Universities in Pursuit of Maritime Military Secrets"
• FireEye Threat Report: APT40, Examining a China-Nexus Espionage Actor
– https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
• https://haveibeenpwned.com/