DESCRIPTION

Information Technology (IT) Security Training and Awareness Workshop. AIM 42nd ABMTS, August 2011. Workshop presenters: Tony H. McMahon, MITS Director, Transition 2 Program Manager, Cust. Acct. Data Eng. Program Office, Washington, DC; Giselle C. Joseph, IT Security Specialist. (PowerPoint PPT presentation)

TRANSCRIPT

Page 1: Information Technology (IT) Security Training and Awareness Workshop

Official Use Only

Page 2

Tony H. McMahon, MITS Director, Transition 2 Program Manager, Cust. Acct. Data Eng. Program Office, Washington, DC

Giselle C. Joseph, IT Security Specialist, MITS CyberSecurity Operations, Houston, Texas

Page 3

80% of American Taxpayers will file electronically by the year 2012

More PII than any other government agency

Largest IT environment of any U.S. civilian agency

Process $2.5T of revenues

Complex & diverse IT infrastructure

Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in)

700+ PODs

Page 4

Top 10 Attacking Countries (denied), Hit Count. Hit Count is based on every 3 months.

    Country                          Hit Count
    United States (US)              14,911,704
    China (CN)                       1,101,127
    Canada (CA)                        668,888
    Great Britain (GB)                 145,444
    Japan                              106,340
    Germany (DE)                        98,002
    No Country Code / Europe (EU)       55,002
    Korea (KR)                          47,437
    Netherlands (NL)                    46,623
    Russia (RU)                         37,005

Page 5

DATA – All information used and transmitted by the organization.

Sensitive But Unclassified (SBU) – SBU data refers to sensitive but unclassified information originating within IRS offices. [Ex: Personal, Tax Return Information]

Personally Identifiable Information (PII) – PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS. [Ex: Home addresses, Names, Social Security Numbers]

National Security Information – Cyber Espionage

HARDWARE – Desktop computers, servers, wireless access points (APs), networking equipment, and telecommunications connections etc…

SOFTWARE – Application programs, operating systems, and security software etc…

Page 6

No one knows who I am on the Internet

The Internet is a virtual world, so nothing bad can happen to me

Security software (anti-virus, firewall, etc.) will protect me

The IRS will protect me

Law enforcement will protect me

Page 7

[Figure] Web-based attack activity, 2009–2010. Source: Symantec Corporation

Page 8

Who are they? No longer just techno-geeks.

Hackers, Attackers or Intruders

Script Kiddies

Computer Spy

Employees

Cybercriminals

Cyberterrorists

GANGS/GROUPS

► Criminal gangs – Employ individuals or groups of hackers to steal PII, credit card & banking information.

► Hacker Gangs – Create & sell botnets & hacker tools. Sometimes engage in activity to wage cyber war on each other or to boost their reputation.

► Political or religious groups – Hacking for military and commercial secrets & to inflict damage.

Well resourced – Funded by criminal enterprises, nations, political or religious entities.

Motivations: Glory Motivated, Financial Profit, Politically Motivated, Religious Groups.

“They have shifted from ‘Glory-Motivated Vandals’ to ‘Financially/Politically-Motivated Cyber-Crime’.”

Page 9

Joseph McElroy – Hacked US Dept of Energy

Jeffrey Lee Parson – Blaster-B copycat

Chen Ih Hua – CIH Virus

Jeremy Jaynes – $24M SPAM KING

Jay Echouafni – Competitive DDoS

Andrew Schwarmkoff – Russian Mob Phisher

• Photos from colleagues at F-Secure

Page 10

Highly motivated, professionally trained & equipped adversaries

Espionage and sabotage aimed at US Government, Military & Commercial sites

Strategic & Tactical Attacks

Threat to the military & economic security of the United States

Page 11

Social Engineering – Phishing, Pharming etc…

Malware (Malicious Code) – Viruses, Trojans, Spyware, Spam, Botnets etc…

Network Vulnerabilities & Attacks – Weak Passwords, Backdoors, DoS, Spoofing, etc…

Hardware-Based Attacks – USB drives, Cell phones etc…

Web Browser Attacks – Cookies, ActiveX etc…

Communication-Based Attacks – Instant Messaging (IM), peer-to-peer (P2P) etc…

Wireless Attacks & Protocol-Based Attacks – War Driving, Bluesnarfing etc…

Difficulties in Defending Against Attackers – Speed, Sophistication & Simplicity of Attacks etc…; Lack of Education and Training (Security Awareness)

Smart People doing ‘Not So Smart Things’ – Donating a computer with an uncleaned disk, without sanitization.

Page 12

Combat Social Engineering:

► Never reveal or share your password.

► Never provide information about IRS systems & networks.

► Never change your password to something that another person has requested.

► Never disclose Sensitive & Official Use Only (OUO) information.

► Never reply to e-mail messages that request your personal information.

► Never click links in suspicious e-mail.

► Never unsubscribe from e-mail unless it’s from a reputable business.

► Never download from the Internet on IRS computers.

► Always be careful whom and where you download from on home computers.

► Always verify the identity of callers.

► Always discard sensitive information appropriately (shred, locked burn bins etc…).

► When dealing with companies, make sure you do your homework to ensure that they are legitimate (Better Business Bureau (BBB)).

Social Engineering Tactics

Social Engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.

► E-Mail – Phishing, Pharming, Computer hoaxes etc…

► Telephone

► In Person – Shoulder Surfing, Stealing, Browsing, Dumpster Diving

► Internet – Unsafe Web Sites

► In Writing

Page 13

MALWARE

Malware is software that enters a computer system without the owner’s knowledge or consent. Malware is also referred to as Malicious Code or Malicious Content. Malware's most common pathway from criminals to users is through the Internet, primarily by e-mail and the World Wide Web. Malware is a variety of damaging and/or annoying software.

Three main objectives of Malware:

Infecting Malware: Viruses, Worms

Concealing Malware: Trojan Horses, Rootkits, Logic Bombs, Backdoors, and Privilege Escalation

Malware for Profit: Spam, Spyware, and Botnets

Page 14

Trojan Horses

A Trojan Horse, or Trojan, is a type of malware that disguises itself as legitimate: a destructive program that masquerades as an application. When an end-user attempts to install or run the seemingly benign executable file, their system becomes infected with malicious code, which gives an attacker access to the user’s privileges and sensitive information. [Malware]

Trojans are approximately 90% of the malicious code events detected by IRS every quarter. 80% or more of these Trojans come from malicious websites. According to Symantec, Trojans are the most important source of potential infections. In 2010, 56 percent of the volume of the top 50 malicious code samples reported were classified as Trojans—the same percentage as in 2009.

Spyware (Malware)

Spyware is a general term used to describe software that violates a user’s personal security. Spyware creators are motivated by profit: they generate income through advertisements or by acquiring personal information, and may change configurations. Although attackers use several different spyware tools, the two most common are adware and key loggers.

Adware (Spyware tool) typically displays advertising banners or pop-up ads, or opens a Web browser while the user is on the Internet.

Keylogger (Spyware tool) is a small hardware device or a program that monitors each keystroke a user types on the computer’s keyboard.

Spyware usually performs one of the following functions on a user’s computer: Advertising (Pop-ups), Collecting personal information, or Changing computer configurations.

NOTE: Your personal information can be obtained through zabasearch.com and Spokeo.

Page 15

PHISHING

Phishing is an attack that sends an e-mail or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information. [Social Engineering]

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

► Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

► Phishers like to use variations of a legitimate address, ex: www.ebay_secure.com

► In many cases, clicking open pop-ups will attach malware to your computer.

SPAM

SPAM is unsolicited junk e-mail. It continues to escalate through the Internet. On average it costs U.S. organizations $1000 (or more) per person annually in lost productivity. [Social Engineering / Malware]

Most SPAM comes in the form of chain letters, jokes, hoaxes, and advertisements.

► Botnets, networks of virus-infected computers, are used to send about 80% of spam.

► Spammers collect e-mail addresses from chatrooms, websites, customer lists, newsgroups, and viruses which harvest users' address books; the addresses are sold to other spammers.

► Spam averages 80% of all e-mail sent, with many messages containing malware attachments.

► For the year 2011 the estimated figure for spam messages is around seven trillion.

NOTE: For hoaxes check out Snopes.com and/or TruthorFiction.com

Page 16

Web Browsing

Web Browsing – Surfing the web can often lead to unsafe websites. In addition, there are many e-mail messages that direct users to unsafe websites. [Phishing]

UNSAFE WEB SITES – Many legitimate web sites have unknowingly been infected and have malware attached to downloads. Users should never log on to a web site from a link in an e-mail; instead they should open a new browser window and type the legitimate address.

► IRM 10.8.27.3 (1) states “Employees should not download unauthorized program.” DOWNLOADING NOT PERMITTED.

► Any Web site in which the user is asked to enter personal information should start with “https” instead of “http” and should include a padlock in the browser status bar.

► One way to check the links in an e-mail you receive is to place your mouse cursor over the link BUT DO NOT CLICK. This will display the true link as shown in the image below.

Removable Media

Removable Media is designed to be removed from the computer without powering the computer off. Despite its advantages, removable media is widely used to spread malware. [Hardware Based Attack]

REMOVABLE MEDIA – Some types of removable media are Blu-ray discs, DVDs, CDs, memory cards, floppy disks, magnetic tapes, paper data storage, USB drives etc… iPods, MP3 players, digital cameras, and smart phones connected to your computer system are also considered to be removable media.

► In 2010 IRS saw an increasing trend of malware-related infections resulting from users connecting either IRS-issued or personally owned removable media to IRS systems.
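The hover-and-compare check on this page (see the displayed link, then the true target) and the look-alike addresses mentioned on page 15 (www.ebay_secure.com) can be automated for a mail gateway or a user's inbox. The Python below is an added example written for this page; it is not part of the workshop material or any IRS tool. It uses only the standard library. The watched-brand list, the legitimate-domain list and the sample e-mail body are constructed assumptions; a real deployment would load the first two from configuration and should replace the two-label registrable_domain() shortcut with a public-suffix list.

```python
"""Flag e-mail links whose visible text disagrees with their real target.

Added example for this workshop page, not IRS tooling. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumptions for the example: brands to watch for look-alikes, and the
# domains the organisation treats as legitimate for those brands.
WATCHED_BRANDS = ("irs", "ebay", "paypal")
LEGITIMATE_DOMAINS = {"irs.gov", "ebay.com", "paypal.com"}

# Constructed sample body: one legitimate link and two phishing-style links.
SAMPLE_EMAIL = """
<p>Your <a href="https://www.irs.gov/forms">W-2 form</a> is available.</p>
<p>Sign in at <a href="http://www.ebay_secure.com/login">www.ebay.com</a></p>
<p><a href="https://secure.irs-update.net/w2">https://www.irs.gov/w2</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """'secure.irs.gov' -> 'irs.gov'. Simplification: ignores suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """Hostname when the visible text is itself a URL or bare domain, else ''."""
    candidate = text.strip()
    if not re.match(r"[a-z][a-z0-9+.-]*://", candidate, re.I):
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""


def check_link(href, text):
    """Reasons a link deserves a second look; an empty list means none found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme == "http":
        reasons.append("not https")
    shown = host_in_text(text)
    # The hover check: displayed domain versus the domain actually linked.
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"text shows {shown} but target is {host}")
    domain = registrable_domain(host)
    for brand in WATCHED_BRANDS:
        # Brand as a separate token in the domain, e.g. 'ebay' in 'ebay_secure.com'.
        if re.search(rf"(?<![a-z0-9]){brand}(?![a-z0-9])", domain) and domain not in LEGITIMATE_DOMAINS:
            reasons.append(f"look-alike of {brand}: {domain}")
    return reasons


def suspicious_links(html):
    """Map each suspicious href in an HTML body to the reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Run against the constructed sample, the legitimate irs.gov link passes, the ebay_secure.com link is flagged three times (plain http, displayed domain differs from the target, brand look-alike), and the irs-update.net link is flagged for the mismatch and the look-alike. The same three checks are what the slide asks a user to perform by eye.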

Page 17

Botnet (Malware)

Botnets – One of the popular payloads of malware today, carried by Trojan horses, worms and viruses, is a program that will allow the infected computer to be placed under the remote control of an attacker. This infected “robot” computer is known as a zombie. When hundreds, thousands, or even tens of thousands of zombie computers are under the control of an attacker, this creates a botnet. [Malware]

Botnets enable attackers to send massive amounts of spam, harvest e-mail addresses, spread malware, manipulate online polls, and deny service by flooding servers with requests until the servers cannot respond or function properly.

Denial of Service Attacks

A denial-of-service (DoS) attack attempts to consume network resources so that the network or its devices cannot respond to legitimate requests.

NOTE: Although DoS attacks are not widespread on wireless networks, inadvertent interference from other RF devices (cordless telephones, microwave ovens, baby monitors) can sometimes actually cause DoS. When slow transmission happens, either turn them off or cut them off.

Zero Day Attacks

Zero-Day Attack – This type of attack occurs when an attacker discovers and exploits a previously unknown flaw, providing “zero days” of warning.

Page 18

Network Attacks

Network Attacks – Networks have been the favorite targets of attackers for several reasons. An attacker who can successfully penetrate a computer network might have access to hundreds or even thousands of desktop systems, servers, and storage devices. Also, networks have had notoriously weak security, such as default passwords left set on network devices. And because networks offer many services to users, it is sometimes difficult to ensure that each service is properly protected against attackers.

Network Vulnerabilities: weak passwords, default accounts, backdoors, and privilege escalation.

Network Categories and Methods of Attacks: denial-of-service, spoofing, man-in-the-middle, and replay attacks, protocol-based or wireless etc…

Communication Based Attacks

Communication Based Attacks – Some of the most common communications-based attacks are SMTP open relays, instant messaging, and peer-to-peer (P2P) networks.

Wireless Attacks

Wireless Attacks – As wireless networks have become commonplace, new attacks have been created to target these networks. These attacks include rogue access points, war driving, Bluesnarfing, and bluejacking.

Page 19

IRS CSIRC Bulletin 03022011-001 – Bulletin: Malicious Email Entitled "W-2 form update" in Circulation

What is the problem? The CSIRC team is aware of malicious code circulating via phishing email messages entitled "Important: W-2 form update". These email messages appear to come from the Internal Revenue Service and offer a link that suggests it will take you to the "updated version of the W-2 form". The link contained within the email messages seems to be legitimate but is in fact a way of luring unsuspecting users into downloading malicious software in the form of a Trojan.

Pictured below is an example of the recent phishing message currently in circulation; the incorrect punctuation and misspellings are an immediate red flag. However, this threat could take virtually any form, as the subject and content could vary according to the objective of the true sender.

Many e-mails may lead to unsafe websites, either containing malicious code or trying to obtain personal information. (Look at the address link.)

FALSE – This notice is yet another redirection scam (also known as “phishing”) intended to deceive recipients into disclosing their card information, account information, social security numbers, passwords and other sensitive information.

    Billing: Pxxx xxx
    xxx xxx Road
    Suite 400
    xxx, CA xxx
    US
    Phone: xxxxxx7605
    e-mail: [email protected]
    Payment Method: Credit Card
    Name On Card: Pxxx x. xxx
    Credit Card #: 5568xxxxxxxxxxxx
    Credit Type: MasterCard
    Expires: 05/2009
    CVV2: 421

Page 20

Attackers take advantage of major events to get money or to expose your computer to malicious code.

Page 21

One of the most common ways for cybercriminals to steal money from people is through the use of fake security software, according to the most recent Microsoft Security Intelligence Report. This kind of software is also known as “scareware” or “rogue security software.” Cybercriminals use it to scare people into downloading more malicious software onto their computer or paying for a fake product. For more information, see “Watch out for fake virus alerts.” Here are examples of the graphics used by cybercriminals to trick you into downloading their security software. (Microsoft Security Tips)