using technology and people to improve your threat resistance and cyber security

Using Technology and Techno-People to Improve Threat Resistance. Stephen Cobb, CISSP, Senior Security Researcher, ESET NA (as presented at MISAC 2014)

Upload: stephen-cobb

Post on 25-May-2015


DESCRIPTION

A presentation delivered at the 2014 meeting of the Municipal Information Systems Association of California. Includes suggestions for security awareness programs.

TRANSCRIPT

Page 1: Using Technology and People to Improve your Threat Resistance and Cyber Security

Using Technology and Techno-People to Improve Threat Resistance

Stephen Cobb, CISSP, Senior Security Researcher, ESET NA (as presented at MISAC 2014)

Page 2

How many city workers have seen this man?

Page 3

I will be talking about how to:

• Combine people and technology to maximize your cybersecurity

• Use existing security research to maximize your security budget

• Improve security education and awareness

• Leverage McDumpals and friends

Page 4

Why am I here?

• In 1991 I wrote a book about personal computer and network security because…

• This technology has great potential to make the world a better place, but…

• That potential will not be fully realized if we don’t get security right

Page 5

Getting security right means

• Getting the right combination of technology and people

• ESET makes security technology, but understands that alone is not enough

• So it pays my team to learn about threats and threat trends

• Then share knowledge of threats/trends and their practical implications

Page 6

We have the technology

• Anti-malware

• Firewalls

• Authentication

• Encryption

• Network monitoring

• Threat intelligence

Page 7

But we also need techno-people

• Not everyone needs to be technically trained, but:
– We are all computer users
– IT security is everyone’s responsibility
– We all need to understand the threats
– And the defensive strategies

Page 8

The threats can seem huge and overwhelming

• But if we analyze security incidents
– Verizon Data Breach Investigation Report

• We see 92% of incidents can be categorized into 9 patterns
– True for 95% of breaches in the last 3 years

• And for most sectors, just 3 or 4 patterns account for most of the threats

Page 9

The Big 9 Basic Patterns

Page 10

The Big 9 Basic Patterns

1. Point-of-sale intrusions
2. Web app attacks
3. Insider/privilege misuse
4. Physical theft and loss
5. Miscellaneous errors
6. Crimeware
7. Payment card skimmers
8. Denial of service
9. Cyber-espionage

Page 11

Industry sectors not affected equally

[Chart] Miscellaneous 34%; Insider Misuse 24%; Crimeware 21%; Theft/Loss 19%; Everything Else 2%

Just 4 main patterns where victim industry = Public

2014 Verizon Data Breach Investigation Report

Page 12

Let’s count down the top 4

• Miscellaneous

• Insider and privilege misuse

• Crimeware

• Physical theft/loss

Page 13

Pattern #4: Physical theft and loss

• Cause of 19% of public sector security incidents

• It’s people!

• Screen, educate, supervise

• Reduce impact by using encryption

[Chart] Database 11; Tapes 36; Other 39; Flash drive 102; Desktop 108; Documents 140; Laptop 308; Other 892

2014 Verizon Data Breach Investigation Report

Page 14

Pattern #3: Crimeware

• Accounts for 21%

• It’s people abusing technology

• Can be solved with the right anti-malware, anti-phishing strategy
– Endpoint AND server scanning

• AND end user education*

[Chart] Removable media 1%; Unknown 1%; Remote injection 1%; Other 2%; Download by malware 2%; Email link 4%; Email attachment 5%; Network propagation 6%; Web download 38%; Web drive-by 43%

2014 Verizon Data Breach Investigation Report

Page 15

Pattern #2: Insider and privilege misuse

• 24% of incidents

• Again it’s people!

• Can be fixed!
– Education
– Awareness
– Screening

[Chart] Auditor 1%; System admin 6%; Developer 6%; Other 7%; Executive 7%; Call center 9%; Manager 13%; Finance 13%; End-user 17%; Cashier 23%

2014 Verizon Data Breach Investigation Report

Page 16

Pattern #1: Miscellaneous Errors

• 34% of incidents

• Human error!

• Can be fixed!
– Education
– Awareness
– Oversight

[Chart] Maintenance error 1%; Other 1%; Omission 1%; Gaffe 1%; Programming error 3%; Malfunction 3%; Misconfiguration 6%; Disposal error 20%; Publishing error 22%; Misdelivery 44%

2014 Verizon Data Breach Investigation Report

Page 17

Strategies for doing better

• Technologies and people must be working together

• If they don’t you get: Target
– Malware was detected
– Exfiltration detected
– But nobody reacted
– Education and awareness?
– Probably not enough

Page 18

Security education and awareness

• You need both, but what’s the difference?

• Education
– Ensure people at different levels of IT engagement have the knowledge they need to maintain and promote security

• Awareness
– Ensure all people at all levels know the threats and the defensive measures they must use, and why

Page 19

Security education is for?

• Everyone, but not in the same way:
– All-hands education
– IT staff education
– Security staff education

Page 20

How to deliver security education

• In person

• In groups

• Online

• On paper

• In house

• Outside contractor

• Mix and match

• Be creative

Page 21

Incentives?

• They work!
– Drive engagement
– Encourage compliance

• But need reinforcement
– Security in job descriptions
– Evaluations
– Rewards

Page 22

Use your internal organs

• Of communication!

• Newsletter

• Internal social media

• Physical posters

• Add to meeting agendas

• Email blasts

Page 23

Making security awareness work

• Make it fun

• Make it relevant

• Leverage the news

• Remember:
– Everyone now has a vested interest in staying current on threats to their/your data

• Meet McDumpals

Page 24

Government PII breach example

• July 2013, hackers get PII belonging to 104,000+ people from a DOE system

• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers

• DOE Inspector General: cost = $3.7 million
– Just for assisting affected individuals and the lost productivity
– Not including the costs of fixing vulnerable systems

Page 25

What went wrong?

• SSNs stored in 354 database tables

• None were encrypted

• All were accessible without 2FA or VPN

• “The Department had not taken appropriate action to remediate known vulnerabilities in its systems either through patches, system enhancements, or upgrades.”

Page 26

What happens to the stolen data?

• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money

• Lucrative scams like tax identity fraud
– Billions of taxpayer dollars stolen per year
– Hundreds of thousands of victims
– Time to rectify?
– Nine months

Page 27

Elements of cybercrime operations

• Host an exploit kit on a server

• Put malware on different server

• Send malicious email linked to exploit kit

• Find holes in visiting systems

• Use holes to infect visitors with malware

• Use console on command and control box

• To steal, DDoS, spread more malware

• Use markets to sell/rent infected systems

• Use markets to sell any data you can find

• E.g. Community Health Systems 4.5m IDs

Page 28

From a chart by DeepEnd Research

• Exploit Kits

• Buy or rent

• A few hundred dollars to thousands

• Add new exploits over time

• Note all of the Java exploits

Cybercrime tools are readily available

Page 29

Proliferation and variety of exploit kits over time

Markets for Cybercrime Tools and Stolen Data (RAND, 2014)

Page 30

Market for stolen data has matured

Thanks to krebsonsecurity.com for screenshots

Page 35

An evolved, market-based industry

• Specialization

• Modularity

• Division of labor

• Standards

• Markets

Page 36

Do your employees know this?

• Are they aware of the value of PII stored in municipal data systems?

• Do they know that cyber criminals are well-organized, well-motivated, pitiless, and relentless?

Page 37

Techniques: phish traps

• Train on phishing

• Send out a phishing message

• Track responses

• Report card and re-education
– No naming & shaming

Page 38

Techniques: flash phish

• Train on media scanning

• Sprinkle USB/flash drives
– Sample file/autorun

• Track results
– Inserted? Scanned? Reported?

• Rewards or re-education
– Again, avoid name+shame
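
Added example (not part of the original presentation): one way to turn tracked results from both exercises into a report card that never names individuals. The record fields, outcome labels, sample rows and the minimum group size of 5 are all assumptions made for this illustration.

```python
from collections import defaultdict

MIN_GROUP = 5                      # assumption: smallest group reported on its own
UNSAFE = {"clicked", "inserted"}   # assumption: outcomes that trigger re-education
SMALL = "Other (small groups)"

def _rows(dept, exercise, outcomes):
    # Builds constructed sample records; field names are hypothetical.
    return [{"user": f"{dept}-{exercise}-{i}", "dept": dept,
             "exercise": exercise, "outcome": o} for i, o in enumerate(outcomes)]

# Constructed sample data, not real results.
SAMPLE = (
    _rows("Finance", "phish", ["clicked"] * 2 + ["reported"] * 5 + ["ignored"] * 3)
    + _rows("Public Works", "phish", ["clicked"] * 3 + ["reported", "ignored"])
    + _rows("Clerk", "phish", ["clicked", "reported"])   # too small to show alone
    + _rows("Finance", "usb", ["inserted"] + ["scanned"] * 2 + ["reported"] * 2)
)

def report_card(results, min_group=MIN_GROUP):
    """Aggregate per (exercise, group); user identifiers never reach the output.

    Groups below min_group are merged; if the merged bucket is still too
    small, its rates are suppressed (None) so nobody can be singled out.
    """
    by_dept = defaultdict(list)
    for r in results:
        by_dept[(r["exercise"], r["dept"])].append(r["outcome"])
    merged = defaultdict(list)
    for (exercise, dept), outcomes in by_dept.items():
        group = dept if len(outcomes) >= min_group else SMALL
        merged[(exercise, group)].extend(outcomes)
    card = {}
    for key, outcomes in merged.items():
        n = len(outcomes)
        if n < min_group:
            card[key] = {"n": n, "unsafe_rate": None, "report_rate": None}
            continue
        unsafe = sum(o in UNSAFE for o in outcomes)
        reported = outcomes.count("reported")
        card[key] = {"n": n, "unsafe_rate": round(unsafe / n, 2),
                     "report_rate": round(reported / n, 2)}
    return card

if __name__ == "__main__":
    for (exercise, group), stats in sorted(report_card(SAMPLE).items()):
        print(exercise, group, stats)
```

Tracking the report rate alongside the unsafe rate shows whether people are learning to escalate, not only to avoid the trap.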

Page 39

What more can we do?

[Diagram labels: Cybercrime; Law; Knowledge; Diplomacy; Technology]

Page 40

We need better cybercrime deterrence, which means stepping up law enforcement and diplomacy

[Diagram labels: Cybercrime; Law; Knowledge; Diplomacy; Technology]

Page 41

Resources to tap

• MS-ISAC > msisac.cisecurity.org

• California Cyber Security Task Force

• State Threat Assessment System (Fusion)

• NIST Framework (I agree with Ken)

• Local ISSA and (ISC)2

• Your security vendors

• MISAC NASCIO CCISDA

• NCSAM > StaySafeOnline.org

• Websites
– CSOonline.com
– KrebsOnSecurity.com
– SecuringOureCity.com
– WeLiveSecurity.com

Page 43

Thank you!

• Stephen Cobb
• [email protected]
• @zcobb @ESET

• We Live Security
• www.welivesecurity.com

• Webinars
• www.brighttalk.com/channel/1718