Hackers ♥ You! Why our behavior makes us easy targets for hackers
Lanny Morrow, EnCE, CTFI | Senior Data Scientist | BKD, LLP
INTRODUCTIONS
Lanny Morrow, EnCE, CTFI
Senior Data Scientist
BKD, LLP
Forensic Investigations Division
Big Data & Analytics Division
About me
22 years with BKD
Forensic Investigations, Cybersecurity, Analytics
Lead Digital Forensics Examiner
Senior Data Scientist in Big Data & Analytics practice
Founded fraud data analytics practice
The Geeky Stuff
Artificial Intelligence research and development
Developed proprietary A.I. in 2009 to assist with investigations
A.I. “reads” emotion in communications, combs through social media and documents for suspicious patterns, identifies patterns in numeric/text data
Current focus: risk management in “systems”
Personal Stuff
Married for 23 years this year
5 children (3 girls, 2 boys), and 5 grandchildren
Hobbies: video gaming, reading, gardening, 1950’s scifi & horror books and movies
Who are “hackers” anyway?
COMMON PERCEPTIONS OF “HACKERS”
THE REAL “HACKERS”
EVOLUTION OF HACKERS AND THEIR MOTIVATIONS
Traditional:
Thrill seekers
Pioneers
Teenagers
Current:
Terrorists
Hacktivists
Organized crime
State-sponsored
Hacking as a business model
EVOLUTION OF HACKERS AND THEIR MOTIVATIONS
Old Tactics:
• Highly sophisticated technical attacks
• Required advanced training, intelligence
Current Tactics:
• Social Engineering
• Understanding of human nature and psychology
• Social media, phone, email are primary tools
• They let us do most of the work for them
CHARACTERISTICS
Some may surprise you
Skilled
Persistent
Sophisticated
Tactical
Well funded
Difficult to detect
Works very well in teams
Not as sophisticated as you think – they don’t need to be
Very patient
Typically not egotistical or arrogant
JUST HOW GOOD ARE THEY?
• Hackers shown 13 voting machines used in state and federal elections
• No user guide, passwords, etc. – they were only connected to wifi
• First machine was hacked in 30 minutes
• All 13 machines were hacked within 90 minutes
• Most of the hackers worked in ad-hoc teams – they had never met each other
HOW EASY IS IT TO HACK SOMETHING?
Resources abound
Current cyber threat landscape
THE TOP CYBERCRIMES
• Email compromise – 2,370% increase, $5 billion
• Ransomware – 400% increase
• Account takeover
• Identity theft
• Theft of sensitive data
• Theft of intellectual property
• Denial of service
INTERESTING STATISTICS
In 98% of breaches, it took attackers minutes or less to compromise systems
In 79% of cases, it took weeks or more to discover an incident occurred
Attackers take easiest route (81% leveraged weak, default or stolen passwords)
88% of breaches were made possible by poor IT support processes, employee error & insider/privilege misuse of access
Lost / stolen devices a major source of breaches
In 86% of the cases where the breach was through a software vulnerability, the patch for that weakness had been publicly available – for over a year
In 90% of those cases, IT had checked “yes” on the risk assessment questionnaire about whether software patches were up-to-date…
THE WEAKEST LINK IS….
YOU! (AND ME)
Human Attributes Exploited by Hackers
Distracted
Overworked
Compartmentalized
Disengaged
Trusting
Naïve
Hurried
Situational factors vary the degree of these weaknesses, and hackers know how to capitalize on them:
Attacks come on Friday afternoons
Attacks come at month/quarter/fiscal ends
Attacks come just before holidays or days off
Takes advantage of social media and timing of events
Why do they want your data?
“Follow the Money…”
• Credit/debit card information
• Potential Protected Health Information (PHI)
• Employee, customer, student data (PII)
• SSN, DOB, Address data
• User names & passwords
• Citizen data
• Email contents
• Computer contents (internet history, etc.)
TYPES OF DATA AT RISK
What is this “Dark Web”?
• Less than 10% of the internet is accessible through typical search engines
• The Deep Web is a part of the web that contains the most sensitive information
• The Dark Web is the part of the deep web that is intentionally hidden
Requiring an anonymizer to access (ex. Tor)
Uses .onion link; links often shift
Tor – The Onion Router
The Black Market of the Internet!
Source: CISO Platform http://www.cisoplatform.com/profiles/blogs/surface-web-deep-web-and-dark-web-are-they-different
Carding Forum
Joker’s Stash is the most popular “carding” forum on the Dark Web. Credit cards, just $1 each!
Health Insurance Card for Sale
Email Compromise
One of the two threats you’re most likely to experience
Current Trends
• 2370% increase in past year
• 2016 marked beginning of a heavy period of W-2 scams
• Real estate transaction schemes increased 480% in 2017
• Wire transfer frauds growing fastest
• Increase in home PC compromise as conduit to organization
• Less security at home
• Hackers infect machine with spyware
• Gain webmail and other credentials
• Two-factor authentication best defense
EXAMPLE: BUSINESS EMAIL COMPROMISE
• Controller receives email from “CFO” requesting all employee W-2s pursuant to an IRS inquiry
• Numerous employees contacted by real IRS about issues with their returns, or why they submitted two returns
• Needs it today (received in the afternoon)
• Controller puts it all together into one PDF, alphabetized
• Hacker responds, telling her “this is more than I had hoped for”
• Compromised W-2 information sold on the underground market
“Footprinting”
• Hackers monitor employees via corporate website, media & their personal social media
• Fake emails sent for purposes of reading “out-of-office” replies
• Learn their lingo, travel patterns, associations, when they take vacations
• Follow, steal mobile devices, set up fake hotspots near them
• Will strike when employees are out of pocket (vacations)
MANAGING EMAIL COMPROMISE RISK
Managing Email Compromise Risk
• Increase training & awareness
• Require manual verification
• For example, call the customer/vendor to verify change in account info or wire transfer instructions
• Double check email addresses
• In previous examples, email instructions involved or came from a different email provider or domain than legitimate emails
• Do not open email messages or attachments from unknown individuals
• Especially zip files
• Or links embedded in suspicious looking emails
Managing Email Compromise Risk
• Know the habits of your vendors, including the details of, reasons behind & amount of payments
• Maintain a file, preferably in nonelectronic form, of vendor contact information for those who are authorized to approve changes in payment instructions
• Limit the number of employees within a business who have the authority to approve &/or conduct wire transfers
• Slow it down – does it really have to go out now?
Managing Email Compromise Risk
• Avoid free email accounts for business; get an established domain
• Be careful what you post to social media & company websites, especially job duties & descriptions, hierarchal information & out-of-office details
• Be suspicious of requests for secrecy or pressure to take action quickly
• Two-factor authentication
• Watch for poor grammar, use of terms like “Kindly”
Suspicious lingo
• General poor English grammar, syntax or conflicting tenses
• "Kindly", such as "kindly update payment information" "kindly use this new account information"
• Requestor statements such as, "the usual bank account cannot receive payments at this time" or "our banking information recently changed" or “our regular bank account is under audit”
• Emails expressing urgency or immediate action such as "payment is supposed to /must be made today" "confirm you can get this done today" "process this as soon as possible". Often in tandem with a promise to send formal documentation or authorization later
• Emails that begin with "Are you in the office?" or "Are you available to process a payment?"
• "I can't take calls now", "can you do it without me?" in response to a verbal authorization attempt, or insisting on email communication only.
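The domain check under “Double check email addresses” and the suspicious-lingo list above can both be turned into a simple screening step that accounts-payable or a mail gateway runs before a payment request is acted on. The following is an added example, not code from the presentation or from BKD; the indicator phrases are the ones the slides name, and the two messages, the vendor name and the domains are constructed for illustration.

```python
"""Screen a payment-related email for business email compromise (BEC) indicators.

Added example, not part of the original presentation. The phrase lists are the
suspicious-lingo items from the slides; sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Suspicious lingo from the talk, grouped by what each phrase signals.
INDICATORS = {
    "kindly": [r"\bkindly\b"],
    "bank_change": [
        r"cannot receive payments",
        r"banking information (recently )?changed",
        r"bank account is under audit",
    ],
    "urgency": [
        r"(must|supposed to) be made today",
        r"get this done today",
        r"as soon as possible",
    ],
    "availability_probe": [
        r"^are you in the office\??",
        r"^are you available to process a payment\??",
    ],
    "avoid_verification": [
        r"can'?t take calls",
        r"can you do it without me",
        r"email (communication )?only",
    ],
}

# Constructed directory of vendors and the domain they legitimately mail from.
KNOWN_VENDORS = {"Acme Supplies": "acmesupplies.example"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def sender_domain(address):
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def screen(msg, known_vendors=KNOWN_VENDORS):
    """msg: dict with 'from', 'display_name', 'subject', 'body'.

    Returns a Verdict whose score rises with each indicator found.
    """
    v = Verdict()
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    dom = sender_domain(msg["from"])
    # Domain check: the message claims a known vendor but was not sent
    # from that vendor's domain (the slides' "different provider or domain").
    for name, domain in known_vendors.items():
        if name.lower() in msg.get("display_name", "").lower() and dom != domain:
            v.score += 3
            v.reasons.append(f"claims {name} but sent from {dom}, expected {domain}")
    # Lingo check: one point per indicator category, however many phrases match.
    for label, patterns in INDICATORS.items():
        if any(re.search(p, text, re.MULTILINE) for p in patterns):
            v.score += 1
            v.reasons.append(label)
    return v


def triage(verdict, threshold=3):
    """Action the slides recommend: anything suspicious goes to manual verification."""
    return "hold: verify by phone with known contact" if verdict.score >= threshold else "normal handling"


# Constructed samples: one BEC-style request, one ordinary invoice.
SUSPICIOUS = {
    "from": "accounts@acme-supplies-billing.example",
    "display_name": "Acme Supplies",
    "subject": "Are you in the office?",
    "body": ("Kindly update payment information; our regular bank account is under audit. "
             "Payment must be made today. I can't take calls now."),
}
BENIGN = {
    "from": "ap@acmesupplies.example",
    "display_name": "Acme Supplies",
    "subject": "Invoice 1042 for March",
    "body": "Attached is the invoice for March. Thanks.",
}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        v = screen(m)
        print(m["subject"], "->", v.score, v.reasons, "|", triage(v))
```

The score is deliberately coarse: one point per indicator category and a heavier weight for the domain mismatch, so a single “kindly” does not hold an invoice, but a vendor name paired with an unexpected domain always does. The output is a prompt to make the phone call the slides recommend, not a decision to pay or refuse.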
Ransomware
One of the two threats your district or organization is most likely to experience
Current Trends
Actors seek propagation to the entire network
Most institutions are hit again within a year after the first attack
Ransomware event is increasingly becoming a smokescreen for the larger purpose of data exfiltration (data theft)
Leveraging of social media to gain intel on the organization before attacking. Sometimes months in the planning, but minutes in the execution
Increasing trend for ransom to be requested before the actual system attack
Current Bitcoin Pricing
MANAGING RANSOMWARE RISK
Managing the Ransomware Threat
Education is key to preventing the “fatal click”
IT Risk Assessment or Audit will draw out potential weaknesses
In lieu of payment, can restore from backups
Backup policy should include special class of “essential operating items.” These should be backed up daily
Restoring from a smaller set of essential files saves lots of time & money, reduces down time
Notify local law enforcement. Paying the ransom will only encourage future attempts
But… many organizations stockpiling some BitCoin, just in case. Banks also holding as a service to their customers
Preparing for the Inevitable
Life in a “not if but when” world
THE STORY …
Executive Footprinting
Executive of large industrial conglomerate was “footprinted” by hackers through social media, corporate postings & email replies
Followed when on vacation; tablet was stolen when left unattended
Missteps
Tablet was not protected with a passcode
Linked to corporate email account
Executive didn’t disclose to IT until a barrage of phishing incidents began
Two weeks elapsed from theft to disclosure
Elements of Equifax & Target incidents
THE FALLOUT …
Contents of Email Account
Personally identifiable information (PII) of dozens of high-ranking employees
Personal tax return & SSN of executive & family
Strategic plans, including acquisition/takeover plans deemed “highly confidential”
Trade secret information related to formulas, production processes, etc.
Personal website username/password information
Password-protected documents – with password for those documents provided in the “next email”
Lingo used to request/authorize wire transfers
Worse yet: communication lingo & patterns, identification of employees responsible for wire transfers & holding sensitive information, etc.
THE EPILOGUE …
Immediate Actions
Incident response plan brought into action
All email account credentials changed
Wire transfer protocols suspended – went to manual auth.
Corporate account access credentials changed
Law enforcement, external counsel, insurance notified
Forensic preservation/investigation of affected assets
Notification to affected parties; provided monitoring
Others
Ironically, the executive did not fire himself for not taking cybersecurity more seriously …
Full IT risk audit was performed, including penetration testing (“stress testing”)
Training provided to executives & employees in key areas on cybersecurity awareness & habits
New policies created/enforced related to personal device usage
Personal cybersecurity
Most Common Passwords
1. “password”
2. “12345”
3. Birthdate, anniversary date, or variation
4. Sports teams, hobbies, interests, children’s activities
5. Bonus question – most common garage door code? Mortgage Payoff Date (“0524”)
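The patterns in that list (dictionary words, digit runs, dates, and words a profiler like C.U.P.P. would pull from someone’s public profile) can be checked offline before a password or door code is adopted. The following is an added example, not code from the presentation or from BKD; the short common-password list, the profile words and the sample passwords are constructed, and a real check would use a much larger breached-password list.

```python
"""Flag passwords or codes that follow the predictable habits the talk lists.

Added example, not part of the original presentation. COMMON is a constructed
stand-in for a real breached-password list; profile words are constructed.
"""
import re

# Constructed, deliberately tiny; a real list would be far larger.
COMMON = {"password", "12345", "123456", "qwerty", "letmein"}
YEAR = r"(19|20)\d{2}"


def looks_like_date(s):
    """All-digit MMDD, MMDDYY, MMDDYYYY or a bare year (birthday, anniversary,
    the mortgage-payoff garage code)."""
    if not s.isdigit():
        return False
    if re.fullmatch(YEAR, s):
        return True
    if len(s) in (4, 6, 8):
        mm, dd = int(s[:2]), int(s[2:4])
        return 1 <= mm <= 12 and 1 <= dd <= 31
    return False


def is_sequence(s):
    """Digit runs such as 12345, 54321 or 1111."""
    if len(s) < 4 or not s.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}, {0})


def assess(password, profile=(), min_len=12):
    """Return the list of predictability problems found (empty list = none).

    profile: words an attacker could learn from social media, e.g. team names,
    children's names, hobbies (the C.U.P.P. idea).
    """
    reasons = []
    low = password.lower()
    if low in COMMON:
        reasons.append("common password")
    if looks_like_date(password):
        reasons.append("looks like a date")
    elif re.search(YEAR, password):
        reasons.append("contains a year")
    if is_sequence(password):
        reasons.append("keyboard/number sequence")
    for word in profile:
        if len(word) >= 3 and word.lower() in low:
            reasons.append(f"contains personal word '{word}'")
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    return reasons


# Constructed profile: what a public social-media page might reveal.
PROFILE = ("Chiefs", "Emma", "gardening")

if __name__ == "__main__":
    for candidate in ("password", "0524", "12345", "GoChiefs2019!", "xK9#v2Lq!7pR-m4"):
        print(repr(candidate), "->", assess(candidate, PROFILE) or "no predictable pattern found")
```

The profile argument is the point of the example: a password that passes every generic test can still be the family dog’s name plus a graduation year, which is exactly what footprinting through social media yields. Run the check locally; a password should never be sent to a remote service to be graded.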
Personal Cybersecurity = Organizational Cybersecurity
• Don’t use Hotel or Public Wi-Fi!
• Personal VPNs (Nord, IPVanish, HMA - $2.99 - $9.99/month)
• Don’t commingle personal assets with work; your security probably isn’t as robust as your employer’s
• Set passcodes on mobile devices
• Don’t browse the web while logged in to accounts
• Links in emails – hover over them, don’t click
• Employers should provide VPN and/or mobile broadband cards to traveling employees
Public Wi-Fi and “Honeypots”
Personal Cybersecurity = Organizational Cybersecurity
• Use Two-Factor Authentication
• Secure wallets
• Use a “burn card”, carry cash as a backup
• Shred your personal trash
• Don’t be so open on social media
• Don’t throw away hard drives or USBs
• Cards with EMV chips
• If it feels weird, don’t do it
• Passwords – don’t be predictable
• Join a monitoring and protection service
• Search for yourself (haveibeenpwned.com)
Perils of Social Media
Observations
Scoreboard
Team name
Google photo search for same picture on other social media
Facial recognition
EXIF metadata (may show geotag)
C.U.P.P.
The role of cyber insurance
Cyber Insurance
• Traditional fraud / loss policies may not cover cyber events
• Contact your insurance provider to see what is offered
• When planning coverage, ask about various scenarios
• Many insurers require incident response plans, proper protections before they will pay
• Many insurers require a forensic or law enforcement report of the incident, performed by a 3rd party
• Remember, insurance companies are not in the business of insuring negligence
Final Thoughts
• Get Cyber Insurance
• Invest in education, training, awareness
• Test, test, test your incident response plan
• Risk cannot be eliminated or mitigated in the long run – think in terms of “managing”
• Develop your response team – and have frequent meetings, and resources to do their job.
• Partner with 3rd parties such as forensics, legal, and PR firms
• Watch your “personal cyber hygiene”
• The price of cybersecurity is eternal vigilance
Lanny Morrow
Senior Data Scientist
BKD, LLP
1201 Walnut Street, Suite 1700
Kansas City, Missouri 64106
816.701.0225
[email protected]
@LannyMorrow
LinkedIn: http://www.linkedin.com/in/lannymorrow
bkdrisk.com bkdforensics.com