
Page 1: MindGrove  Presented by Stan Dormer Director of Education & Training Services  1 “IT Security Update” ISACA Scotland

MindGrove
www.mindgrove.co.uk

Presented by Stan Dormer
Director of Education & Training Services

“IT Security Update” – ISACA Scotland, June 19th 2012

Expert

Page 2

Administration

• Timings and Breaks

– 1115

– 1245

– 1500

– 1630ish

• Fire

• Phones

Page 3

Today’s programme

• Are security experts getting it right – what happened to all of the predictions for a secure future?

• Are security architectures and standards sufficient and appropriate for the 21st century? What can we do more of or what could be done better?

• What type of attacks, hacks and compromises are giving rise to greatest concern, and can they be halted?

• What tools and techniques are the hackers and scamsters deploying, and how can we avoid being impacted?

• What tools and strategies are available to detect, patch and eliminate insecurity from the ground floor upwards?

• Are auditors getting the right information and probing the answers from their organisation?

• Are people the weakest link?

• A doomsday scenario and how we might avoid it …

Page 4

Are security experts getting it right – what happened to all of the predictions for a secure future?

Page 5

Back to the past – the year is 1999

• In Norway, the extremely dangerous data virus Win95.CIH has for the last few months been the fastest propagating virus.

• Win95.CIH has the ability to overwrite the hard disk with garbage as well as overwrite the Flash BIOS on some PCs. If the Flash BIOS is overwritten it may even be impossible to start the PC from a boot diskette???

• However, security experts say that it is unlikely that any new type of virus will exceed the notorious Melissa virus that infected as many as 100,000 hosts over a relatively short period.

• Security experts concluded that: “We will be much better prepared next time.”

Page 6

It’s 2001 and an expert claims …

“Software security has so much improved that I think it will be likely, within the next ten years, that even images that are altered will be instantly detectable and automatically alert the user to a potential fraud.”

“Viruses might be out there but private persons should be safe if they use their eyes, ears and a little bit of common sense.”

Page 7

In 2003 an expert predicts hoax viruses …

• But he didn’t predict scam software … like the notorious Security Shield scareware drive-by infection (2008, 2009, 2010, 2011 and 2012)


How to begin removal …

Page 8

Or by how much scareware would take off …


The fake (looks like a Windows Dialogue Box) … that you pay for …

The cure (free) …

Page 9

In 2007 an expert stated that hoax emails were so poorly put together and formatted that they were easy to spot …

Please circulate the following warning to your friends by forwarding this email:

URGENT – UK Police are Conducting Surveillance Activities!

Yesterday (14th June 2012) an announcement was made in Parliament concerning the Regulation of Investigatory Powers Act stating that police were about to be given access to all email, phone calls and personal computers.

They will be able to remotely work through your copy of Microsoft Internet Explorer, Opera, Mozilla, Chrome, Firefox, Safari or Google and examine or gather evidence on what you are doing or even erase everything on your hard drive. They are looking for pornographic activities, untaxed commercial trading activities such as buying and selling items on eBay, movements of money between related bank accounts, and for potential crime suspects in Contact Lists. They can also view you if you have a webcam on a Macintosh or Microsoft laptop. This is new, legal and not many people as yet are aware of the impact of this intrusion into their private lives.

Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that co-ordinated action can be taken through members of parliament to ensure that this threat to civil liberty is stopped.

Please take precautionary measures such as using a browser not in the list above, erasing all of your email after reading it (print out any emails that you need to keep), covering your webcam with tape when not in use, blocking the web address www.pcremoteviewer.gov.uk and inform anyone that may have shared access to your computer to turn out lights in the room whilst working to make it difficult for the police to get a clear image. Forward this warning to everyone that might access the Internet.

Note: This legislation does not yet apply to Scotland or Wales.

Page 10

OK, some are a bit more obvious than others …

Selecting this link takes you to HMRC’s bank interface (seen on the next slide) …

Page 11

Fake banks continue to multiply

Get your refund (or rapid debit) here …

Page 12

Even in 2011 no expert predicted so many fake on-line news stories via apparently real news agencies …

Page 13

Or fake investor websites

Page 14

Or that you could (attempt to) buy fake pharmaceuticals …

Page 15

Or that history could be rewritten …

Page 16

Are security architectures and standards sufficient and appropriate for the 21st century? What could be done better?

Page 17

ISO 27000x

• 27001: Tells you what to do – a process that you execute

– Risk analysis

– Priority assessment (what priority security?)

– Choice of mitigating strategy (how much mitigation?)

– Put controls chosen in place

– Review

– Review and check on periodic basis

• Based on risk assessment – problematic because it depends on envisioning risk across the entire technology-dependent dimension

• Based on multipoint controls – assumes consistency

• Assumes zero psychological vector – doesn’t account for mood

Page 18

Architectural approaches – Zachman and SABSA

Page 19

Architectural approaches are not perfect either

• Expectation of normality – no aberrant behaviour

• Expectation of conformity – no bypass of rules or structures

• Expectation of testability – proof of correct operation

Page 20

COBIT and ITIL 3

• Great for establishing best practice, value and control

• Expectation of normality – no aberrant behaviour

• Expectation of conformity – no bypass of rules or structures

• Very dependent on directives as the means of control, and sometimes on directives that are unrealistic or capable of being misinterpreted


Always use antivirus measures

Page 21

Doing better: Expect the unexpected

• Penetration testing as ad-hoc assurance

• Microsoft’s (and others’) SSDLC as best effort

• Create more compartmentalisation – watertight bulkheads

• Drive for simplicity, reduce complexity

• Assume all software is flawed – don’t believe that one vendor’s software is better than another’s

Page 22

Doing better: build in risk psychology … allow for the fact that

• People exaggerate spectacular but rare risks and downplay common risks

• People have trouble estimating risks for anything not exactly like their normal situation

• Personified risks are perceived to be greater than anonymous risks

• People underestimate risks they willingly take and overestimate risks in situations they can't control

• Last, people overestimate risks that are being talked about and remain an object of public scrutiny.

Page 23

Psychological vector

Page 24

What type of attacks, hacks and compromises are giving rise to greatest concern, and can they be halted?

Page 25

Sophistication increasing

Page 26

Default passwords are increasingly available – defaults being targeted

Page 27

Easy to get hack advice from the net


For all the whiners saying: "Boohooooo my IP is tracked, I'm going to jail :'(" Learn how to protect yourself BEFORE you start hacking. Hide your IP, use free software like the Tor Project browser or ProXPN VPN. I once tried to hack a website but failed and they said they had tracked down my IP. But I used Tor and ProXPN, so they ended up in Australia where I don't even live! Ha Ha! -:D

Page 28

Denial of service attacks are better co-ordinated

Page 29

Botnets are increasingly demonstrating their presence

Page 30

Spam botnets are a big money-making deal

• Botnets make attacks very easy. Botnets are responsible for sending 87.9% of all spam, according to the data in the Symantec MessageLabs Intelligence Report.

Page 31

Pay to use

Page 32

Statistics from the cloud

• Spam accounts for 14.5 billion messages globally per day. Spam makes up at least 75% of all national emails. Spam email makes up an even greater portion of global emails, some 92% in fact. The United States is the number one generator of spam email.

• Because spam has inundated both the personal and corporate worlds of emailing, surveys have found that spam has led to decreased public confidence and trust in Internet communications.

• Spam costs businesses £15 billion annually in decreased productivity, not including technical costs. This approximates to an average annual loss of £1800 per employee because of spam.

• Microsoft FOPE services filter millions of spam messages per day.

Page 33

The security overhead

Page 34

The hidden administration

Layer 1 – Connection filtering (approximately 80% of inbound spam rejected)

• DNS Block List (DNSBL)

• IP Allow/IP Block

• Sender ID (SPF)

Layer 2 – SMTP filtering (3% to 5% rejected)

• Sender

• Recipient

• Global safe list

• Global block list

• Sender ID

• Backscatter catching

Layer 3 – Content filtering (55% to 60% rejected)

• Cloudmark

• Automatic updates every 45 seconds

Page 35

On top of all this, MS vulnerabilities continue

Page 36

And so does Apple’s infatuation with media

Page 37

And it may be time to drop Flash???

1 release per week!

Page 38

Social networks

• The primary blended attack method used in the most advanced attacks will be to go through your social media "friends," mobile devices and through the cloud.

• "We have already seen attacks that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012," Websense researchers have said.

Page 39

Social scams to rise – targeting to improve

• The number of people falling victim to believable social engineering scams will rise significantly if the unscrupulous attackers find a way to use mobile location-based services to design hyper-specific geo-location social engineering attempts, the report said. "People have been predicting this for years, but in 2012 it actually started to happen."

• Also important are global events such as the London Olympics or the U.S. presidential elections. Cybercriminals will continue to take advantage of today's 24-hour, up-to-the-minute news cycle, the report said, adding that now they will infect users where they are less suspicious. Sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations may proliferate, it said.

Page 40

Social media in the limelight – last week

• The latest threat report from GFI Labs in June 2012 saw a further increase in attacks on social media sites. These included popular targets such as Facebook and Twitter, and were extended to include Google, LinkedIn and Skype. LinkedIn lost 6.5m passwords in May.

• LinkedIn users saw a huge increase in fake invitations, which redirect users to a site infected with a Blackhole exploit and download the Cridex trojan. The malware is not easy to detect and according to M86 Security Labs is only picked up by 10 out of 43 anti-virus products. Skype also came under attack; crooks targeted users by sending spam which claimed to give Skype credit to those who followed a link. However, users were instead directed to a compromised site which was infected with malicious Java exploits.

• Google was the ‘hook’ for a couple of scams. The first was an SEO poisoning attack, which told searchers that Google systems had detected malware on their machine and led them to download a fake anti-virus package. In the second attack, a wave of spam claimed to make announcements for “Google Pharmacy”; users who followed the link ended up at the notorious spam site Pharmacy Express, which has been linked to spam attacks since 2004.

• Celebrity stories are being used to spread spam and tempt social media users into clicking on a story which has a hidden layer of code overlaying the main image. Customers of CBS's Last.fm music site and eHarmony's dating site also had passwords stolen last week; both companies suggested that users change their passwords immediately!

Page 41

Use agreed international frameworks

• Botnets can be markedly limited by authenticating every computer involved in an internet transaction, but traditionally this has been an unattainable goal as universal computer authentication would require the perfect and on-going cooperation of a massive number of computer owners and systems administrators around the world.

• Universal computer authentication can be achieved at the server level by a novel implementation of digital signature technology called Mail Transfer Agent Authentication.

Page 42

MTA Signing – M Kaplan

Page 43

MTA Signing – M Kaplan

Page 44

MTA Signing – M Kaplan

Page 45

Must be spam

Page 46

Applies to originators too

Page 47

SPF now works across MTAs

Page 48

MindGrove’s DNS SPF records

A TXT record (retrieved from MindGrove’s DNS records) associates with .mindgrove.co.uk the value

v=spf1 include:outlook.com ~all

– This indicates that mail from Office 365 Outlook for a MindGrove domain is to be treated as authentic when received from this outgoing MTA

– And from an inbound email header the MTA was

• @AMSPRD0702MB106.eurprd07.prod.outlook.com
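As an added example (not from the slides), the Python below evaluates a sending IP against an SPF record the way a receiving MTA does, following the include: chain and the ~all soft-fail shown above. MindGrove’s record is the one on the slide; the outlook.com record, the TXT_RECORDS lookup table and the IP addresses are constructed stand-ins using RFC 5737/3849 documentation ranges, not Microsoft’s real published SPF data.

```python
import ipaddress

# Constructed DNS TXT data for this example. The mindgrove.co.uk record is the
# one shown on the slide; the outlook.com record is a stand-in that uses
# RFC 5737 / RFC 3849 documentation addresses, NOT Microsoft's real SPF record.
TXT_RECORDS = {
    "mindgrove.co.uk": "v=spf1 include:outlook.com ~all",
    "outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

# SPF qualifier prefixes and the result each yields when its mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: at most ten DNS-querying mechanisms per check


def check_spf(ip, domain, dns=TXT_RECORDS, lookups=None):
    """Return the SPF result for a connection from `ip` whose MAIL FROM is `domain`.

    Supports ip4, ip6, include and all.  a/mx/ptr/exists need live DNS and are
    reported as permerror so the caller never mistakes 'not modelled' for 'pass'.
    """
    if lookups is None:
        lookups = [0]  # shared counter across include: recursion
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (exp=, redirect=) are not modelled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # ~all on the slide -> softfail
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the published record
            if sender.version == net.version and sender in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # include loop or over-long include chain
            inner = check_spf(ip, value, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror", "temperror"):
                return "permerror"  # RFC 7208 s5.2: missing included record is an error
            # fail / softfail / neutral inside the include: try the next term
        else:
            return "permerror"  # a, mx, ptr, exists would need live DNS
    return "neutral"  # ran off the end of the record without a match
```

Because the record ends in ~all, mail from an address outside the included ranges is only soft-failed; a receiver is expected to mark or quarantine it rather than reject it outright.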

Page 49

What tools and techniques are the hackers and scamsters deploying, and how can we avoid being impacted?

Page 50

ATM physical fraud getting more sophisticated

Page 51

Sir or Madam: “Your PC is infected …

• You get a call from someone who says your computer is at risk of crashing because of a virus or malicious software. The caller suggests he or she works for Microsoft and is aware of issues with your system.

• You will be asked to open a program called Windows Event Viewer, whose contents are worrisome. Given phone guidance you are taken to a long list of errors.

• The caller offers to guide you through the steps to fixing it …!

Page 52

Step 1: Showing you the error

Page 53

Step 2: Proving that the caller knows the unique id for your machine – therefore can be trusted

• Run Cmd

• Enter ‘Assoc’

• Check result …

Page 54

Step 3: Now allow remote access

Page 55

Step 4: Say goodbye to your money …

Page 56

But just a minute – what’s this

Page 57

More about the yield from the scam

• The selling of fake anti-virus programs accounts for up to 80 per cent of frauds reported daily. Users often give remote access or their log-in information, so the caller has access to their computer, and pay them, typically, £100–£200 for a service contract.

– The irony: By falling for a service that falsely claims to remove viruses from your computer, you will be installing keyloggers that are even harder to remove and once you have downloaded the software, there is no guarantee that any reputable anti-malware program will get rid of it.

• If you put your name on the TPS do-not-call list, you’re not immune to these pitches. These people don’t have to follow the law since they’re calling from outside the UK – typically calls come in from India or Holland.

• They of course are ultimately targeting the capture of sensitive data such as your online banking user names and passwords.

Page 58

More about Botnets

• The DNS Changer botnet takedown announced by the U.S. Department of Justice compromised over four million machines, or more than twice the size of the Rustock botnet that Microsoft and U.S. law enforcement officials brought to its knees in March 2011. About a quarter of the bots were Windows PCs and Macs based in the U.S.

• The DOJ charged seven men – six Estonians and one Russian – with 27 counts of wire fraud, money laundering and illegal computer access, alleging that the group operated a lucrative clickjacking scheme that generated over $14 million during a four-year period.

• The malware responsible for hijacking users' clicks – which were then redirected to hacker-created sites that resembled real domains – came in a variety of forms, said researchers and authorities.

• According to the Internet Storm Center, some of whose security experts were part of a working group that advised the DOJ, the botnet was created with several malware families, including the pernicious TDSS rootkit – also known as "Alureon" – as well as Trojan horses crafted for Mac OS X.

• The federal indictment said that the gang infected personal computers by luring users to malicious websites or by duping them into downloading and installing purported video codecs that the scams claimed were necessary to view videos.

• Trend Micro, which said it had been tracking the DNS Changer botnet since 2006, added that the alleged criminals updated the malware daily to change the DNS (domain name system) settings of each bot.

Page 59

Rootkits – DNS Changer

• As much of a nightmare as TDSS, also known as Alureon or TDL4, can be, an infection by DNS Changer can be just as problematic in some respects.

• The malware's main function is to hijack the victim's Web traffic by changing the DNS settings on the infected machine, redirecting him to malicious sites rather than whichever ones he's aiming to visit.

• So once the Trojan has changed the DNS configuration on the machine, DNS queries from the PC will be redirected to the attacker-controlled DNS servers, allowing the attackers to force the user to visit malicious sites.

Page 60

Have you been hit???

• Users can check their DNS settings on a Windows machine by going to the command line and typing: ipconfig /all. If the DNS server field shows an address in any of the following ranges, Secureworks researchers say, it's infected:

– 85.255.112.0 through 85.255.127.255

– 67.210.0.0 through 67.210.15.255

– 93.188.160.0 through 93.188.167.255

– 77.67.83.0 through 77.67.83.255

– 213.109.64.0 through 213.109.79.255

– 64.28.176.0 through 64.28.191.255
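The manual check above, as an added example that is not part of the slides: a Python script that parses the DNS Servers entries out of ipconfig /all output and tests each one against the six rogue ranges listed on the slide. The ipconfig excerpt (SAMPLE_IPCONFIG) is constructed sample output, not a capture from a real host, and the function names are mine.

```python
import ipaddress
import re

# Rogue DNS server ranges attributed to DNS Changer on the slide (per Secureworks).
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Constructed ipconfig /all excerpt for the example; not a capture from a real host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION01

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)?")
BARE_ADDRESS = re.compile(r"^[0-9A-Fa-f.:%]+$")


def is_rogue_dns(addr):
    """True if `addr` is an IPv4 address inside one of the DNS Changer ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False  # the published ranges are IPv4 only
    return any(
        ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
        for lo, hi in DNSCHANGER_RANGES
    )


def dns_servers_from_ipconfig(text):
    """Extract every configured DNS server from ipconfig /all output.

    The first server follows the 'DNS Servers' label; any further servers are
    printed on their own indented continuation lines until the next labelled field.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1).split("%")[0])  # drop IPv6 zone index
            continue
        if collecting:
            candidate = line.strip()
            if BARE_ADDRESS.match(candidate):
                servers.append(candidate.split("%")[0])
                continue
            collecting = False  # reached the next labelled field
    return servers


def check_host(text):
    """Return (server, is_rogue) pairs for every DNS server in the ipconfig output."""
    return [(s, is_rogue_dns(s)) for s in dns_servers_from_ipconfig(text)]
```

The ranges date from the 2011–2012 takedown, so a clean result here rules out this particular botnet only; DNS settings that do not match the organisation's expected resolvers deserve a look regardless.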


PHEW!!!

Page 61

More attacks on public bodies

• Prosecutors from the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) have dismantled a criminal group consisting of 14 members, who engaged in cybercriminal activities that included accessing computer systems without authorization, copying confidential data stored on them and publishing the captured information online, DIICOT said on Tuesday.

• The twelve suspects are believed to be associated with the Anonymous hacktivist collective, local media reports said. However, DIICOT declined to confirm this.

• DIICOT believes that the leader of the criminal group is a 24-year-old man named Gabriel Baleasa from the city of Piatra Neamt, who used the online aliases lulzcart, anonsboat, anonsweb and cartman.

• During the past few months, several hackers who claimed affiliation with Anonymous, including one using the lulzcart Twitter handle -- which is now disabled -- have taken credit for hacking into the websites of several Romanian public institutions, including the Bucharest City Hall, the Romanian Social Services and Child Protection Agency, the Romanian National Institute of Research and Development for Optoelectronics and the Romanian National Institute of Physics and Nuclear Engineering.

• Baleasa is believed to have created the hacker group together with two men named Fabian Gabor and Mihai Emil Picos, with other members joining at a later time, DIICOT said.

Page 62

Following scripts – reset root MySQL password

• Using the supplied memory key, execute programme 2, then log in as root to the Unix, Linux or BSD machine running the MySQL server.

• Stop the MySQL server by using either of the following commands:

– Linux: /etc/rc.d/init.d/mysql stop

– FreeBSD: /usr/local/etc/rc.d/mysql-server.sh stop

• Open the MySQL server startup script (i.e. mysql-server.sh – the file executed to start or stop the MySQL server).

• Add --skip-grant-tables to the end of the line that contains the mysqld_safe command, as its parameter.

• Start the MySQL server with the following commands:

– Linux: /etc/rc.d/init.d/mysql start

– FreeBSD: /usr/local/etc/rc.d/mysql-server.sh start

• Alternatively, start the MySQL server directly and skip the editing with the following command:

– mysqld_safe --skip-grant-tables &

• Run the following command to log in as the MySQL root user and connect to the mysql user/permission database:

– # mysql -u root mysql

• Run the update queries to change the MySQL password:

– mysql> UPDATE user SET Password=PASSWORD('newrootpassword') WHERE User='root';

– mysql> FLUSH PRIVILEGES;

• Note: Replace newrootpassword with the new root password for the MySQL server. FLUSH PRIVILEGES is needed to make the password change take effect immediately.

• Exit the mysql database client by typing exit.

• Stop the MySQL server with the commands listed at step 2.

• Open the MySQL server startup script edited in step 3 again and remove the --skip-grant-tables parameter that was added.

• Start the MySQL server by using the command from step 5 or 6.

Page 63

Good old oldies …

• Pre-pay scams – pay for a new credit card, qualification or to gain access to ‘found funds’

• Disaster relief and phoney charity scams via email and then lured to bogus website

• Travel scams – turn up, no room at the inn

• Electronic pyramid selling or make-money-fast scams

• Fake pharmacy sales

Page 64

And some newbies

• Hackers are again gunning for Britain's 25 million internet banking users after cracking the latest generation of security devices. Criminals have burst through banks' new calculator-style keypads to raid customers' accounts, a BBC investigation has found.

• The likes of HSBC's new Secure Key and Barclays' PINSentry were supposed to quash crime to near zero. But dangerous new viruses could add to the millions stolen online last year, experts say.

• Gary Clark, of data protection company Safenet, said the findings 'raise serious questions' over ordinary anti-virus protection. In October, This is Money explained how malicious bugs can masquerade as internet bank pages, fooling unwitting account holders into handing over their cash.

• Now BBC technology experts have found a bug that tricks users into taking part in training for an 'upgraded security system' - an opportunistic ploy given the roll-out of new technology in recent months.

Page 65

A-Z of Malware – hall of shame

• Backdoor

• Bot / Botnet

• Browser hijack

• Clickjack

• Dropper

• Image spam

• IP Spoofing

• IRC-bots

• Keylogger

• Pharming

• Phishing

• Ransomware

• Rogueware

• Rootkit

• Scareware

• Smishing

• Spam

• Spyware

• SQL Injection

• Trojan

• Virus

• Vishing

• Worm

Page 66

What tools and strategies are available to detect, patch and eliminate insecurity from the ground floor upwards.

Page 67

Critical Actions and in-place Tool Requirements

• Inventory of Authorised and Unauthorised Devices – many tools

• Inventory of Authorised and Unauthorised Software – many tools

• Secure Configuration of Hardware and Software on Laptops, Workstations, and Servers conforming to CIS or better

• Continuous Vulnerability Assessment and Remediation – CERT alerting and actions

Page 68

Patching: Client-side software that remains unpatched – patch them!

• Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

• On average, major organisations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk.

Page 69

Patching: Internet-facing web sites that are vulnerable – patch them!

• Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits.

• Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered.

• Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.

Page 70

Patching: Application Vulnerabilities Exceed OS Vulnerabilities – Patch them!

• During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch.

Page 71

Critical Actions and in-place Tool Requirements

• Malware Defences: Multilayer

Page 72

Critical Actions and in-place Tool Requirements

• Malware Defences: Best A/V Solution?

Page 73

How good is anti-malware

• Taken from the net


This 2012 discussion is about Security Shield rogueware (first released in 2008)!

Page 74

Critical Actions and in-place Tool Requirements

• Application Software Security – design in or buy in integrated solutions

• Wireless Device Control – attenuate, encrypt (no WEP), register, authenticate (RADIUS or other)

• Data Recovery Capability – incident management

• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches – no defaults present

Page 75

Critical Actions and in-place Tool Requirements

• Limitation and Control of Network Ports, Protocols, and Services - minimisation

• Controlled Use of Administrative Privileges – fewest possible

• Boundary Defences – Admission control or thin client

• Maintenance, Monitoring, and Analysis of Security Audit Logs

• Controlled Access Based on the Need to Know + RBAC (AM in AD)

Page 76

Critical Actions and in-place Tool Requirements

• Account Monitoring and Supervisory Control - tools

• Data Loss Prevention – tools – Network and Application DLP

• Secure Network Engineering

• Penetration Tests

Page 77

Are auditors getting the right information and probing the answers from their organisation?

Page 78

Are IT Auditors?

1. Too far down the food chain to be able to persuade their organisations to improve security – status?

2. Not taken seriously because they sound paranoid?

3. Dealing with Luddites who are reluctant to change?

4. Finding that their organisations are too mean to pay for security but want it when things go wrong?

5. Constantly thwarted by being told that security and controls slow down operational systems and that the users will not tolerate that?

6. Challenging when operational convenience overtakes common sense?

Page 79

Are people the weakest link?

Page 80

Eight difficult things to control with people

1. Divulging passwords – much more common than security specialists imagine – three drivers

– Social interactions - trust

– Length of password leads to recording of password

– Mistakes

2. Gullibility – people fall for simple ruses

– “Security audit” … pretend compromise … a password-reset link in an email, or an email advising the use of a new password (because there has been a security compromise!)

– Loan / reset scam – on your behalf!

Page 81

Card reset scam

• Victims are caught out by telephone calls where it is suggested their credit or debit card needs replacing owing to fraud on their account.

• A courier is sent to collect the card and the victim is asked to enter their PIN into the courier's hand-held device.

Page 82

Eight difficult things to control with people

3. Storage of credentials in insecure settings

– Under the keyboard, under the desk, on the base of the phone, on the back of the mouse pad, on the inside of an over-monitor cupboard, or on the base of the chair

– Within cell phone storage – PIN unprotected

– Paper diaries, journals, or written operating procedures (annotated)

– Notes in Outlook or cached in the browser (where this is forbidden) – also think cloud

4. Leaving devices switched on and visible – notebooks and smart phones – and not changing Wi-Fi passwords from the supplier's default, which is printed on the device label

5. Courtesy actions

– Encouraging tailgating or giving directions to strangers in buildings

– Resetting passwords without adequate proof

Page 83

Eight difficult things to control with people

6. Waiting too long before reporting odd events, or attempting to fix problem when a system is already out of control

7. Taking materials or giving away corporate property

– Paper, toner inks and cartridges

– Printers and notebooks not returned

– Computers, Memory sticks, CDs and DVDs – £325,000 fine by ICO

– Software, data and images – no notion of value of data assets or data class security

– Licence keys - common

Page 84

Eight difficult things to control with people

8. Misconceptions of risk - Airports

– People under 12 and over 65 need not take off their shoes for airport scanning?

– Bottles must not contain more than 100ml of fluid, but multiple bottles of 100ml each are acceptable, a half empty 150ml bottle is unacceptable, and baby formula can be in any volume?

– Laptops must be removed from bags (some airports), kept in bags (other airports), started up (a few airports), but the rules don’t apply to laptops with screens smaller than 11” or to tablets or portable games consoles?

Page 85

Eight difficult things to control with people

8. Misconceptions of Risk – At work or in the home

• Most hacks are performed by outsiders

• They won’t attack us we have nothing of value

• The alarm system or CCTV will scare them off

Page 86

Maybe nine difficult things to control with people

Page 87

A doomsday scenario and how we might avoid it.

Page 88

Poor weather continues

• 14-10-2013 09:00 - “Extraordinarily cold weather has now enveloped North America and Europe for more than three weeks yielding temperatures as much as twenty degrees below the seasonal norm.

• It’s believed that this is in part a consequence of the long cool wet summer and the inability of the land mass to achieve normal summer ground temperatures and in part the effects of upper atmosphere volcanic ash discharged in August from Mt. Baekdu, North Korea.”

Page 89

Fierce demand on electricity suppliers

• 28-10-2013 09:00 – “The continuing cold weather has put an exceptional demand on Power Suppliers and 40,000 homes in Brooklyn and Queens have been without power for nearly 3 days.

• Lineco Electricity said that they believed that the blackout had been caused by a failure in a SCADA driven control application and the reason for this was still under investigation. Sabotage had not been ruled out.”

Page 90

Hackers group claim responsibility for worm in LineCo System

• The hacking group “NKIR” claims that it infiltrated LineCo and used a Stuxnet worm derivative “to punish the USA for its cyber-attacks on other countries”.

• Experts who had asserted that the likelihood of such attacks on industrial plant was low because it was not connected to the Internet admitted that there would be other ways, such as the use of removable media, to introduce malware into industrial systems.

Page 91

Attempt to restart plant triggers failures

• 29-10-2013 09:00 – “An attempt to restart the LineCo plant today triggered further blackouts at two other power utilities. More than 200,000 families are without power.

• A government representative stated that: “Everything was being done to bring the situation back into control and that security experts had been deployed to assist the power generation utilities.”

Page 92

Tension grows as millions of systems incapacitated

• In Europe a novice hacker, excited by the actions of NKIR, admits to having released a multi-faceted malware package that innocent users acquire as a drive-by download. “It was for fun and I wanted to be part of it”, he said.

• The payload launches a worm that uses a heuristic algorithm to constantly change its form, and a self-contained virus executable that runs on both Unix and Windows systems and blocks the launch of any other program while displaying a dialogue box that covers the entire visible screen.

• Millions of users lose the ability to communicate with each other at home or at work.

Page 93

Gas companies attacked

• 03-11-2013 09:00 – CERT warns of targeted phishing attacks against gas pipeline firms

• In an advisory issued last week, ICS-CERT said it has received information about targeted attacks and intrusions into multiple organizations over the past few days.

• The attacks are related to a single campaign and appear to have started in late October, the advisory noted. "Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused," the ICS-CERT said.

• "In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization."

• Iran, Russia and Korea send out a general warning to China and the West to prepare for dire consequences if these attacks continue.

• China denies all knowledge of the attacks and points the finger at Western activists and hackers citing the Lultz group as probable agents.

Page 94

It’s too late

• 05-11-2013 09:00 Transactions from an unknown country flood all major power facilities, GPS systems and transport power supplies.

• A massive DNS worm is released by Nihil International – the hacking arm of Activists International – all DNS servers in the Internet and many at Domain registrars are poisoned – the Internet goes down and does not recover.

• Power stations are forced to close all over the world.

• China, Russia and America blame each other and threaten nuclear retaliation.

• Outside air temperatures drop to minus 25 throughout most of North America, Europe and Asia due to further volcanic eruptions jettisoning ash, from Mt. Baekdu, North Korea, into the sky forming clouds blanketing the sun.

Page 95

Page 96

Web War II

• A team of IT specialists were detailed to attack nine other teams located all over Europe. At their terminals in the Nato Co-operative Cyber Defence Centre of Excellence, they cooked up viruses, worms, Trojan Horses and other internet attacks, to hijack and extract data from the computers of their pretend enemies.

• The idea was to learn valuable lessons in how to forestall such attacks on military and commercial networks. The cyber threat is one that the Western alliance is taking seriously. Here are some quotes:

• "Sophisticated cyber attackers could do things like cause power blackouts - not just by shutting off the power but by permanently damaging generators that would take months to replace. They could do things like cause [oil or gas] pipelines to explode. They could ground aircraft."

• At the heart of the problem are the interfaces between the digital and physical worlds known as Scada - or Supervisory Control And Data Acquisition - systems. Hack into these networks, and in theory you have control of national electricity grids, water supplies, distribution systems for manufacturers or supermarkets, and other critical infrastructure.

• Moreover, critical infrastructure software can be surprisingly exposed. A power station, for example, might have less anti-virus protection than the average laptop. And when vulnerabilities are detected, it can be impossible to repair them immediately with a software patch. "It requires you to re-boot," it has been pointed out. "And a power plant has to run 24-7, with only a yearly power-down for maintenance." So until the power station has its annual stoppage, new software cannot normally be installed.

Page 97

Total disruption?

• Professor Peter Sommer, an expert in cyber-crime, points out that: "You don't necessarily want to cause total disruption because results are likely to be unforeseen and uncontrollable. Although one can conceive of attacks that might bring down the world financial system or bring down the internet, why would one want to do that? You would end up with something not that different from a nuclear winter."

• If cyber weapons become widespread, their targets will lie mostly in the west, rather than in countries like Iran, which have relatively little internet dependence. This means that the old rules of military deterrence which favoured powerful, technologically advanced countries like the United States do not apply: Responding in kind to a cyber-attack could be effectively impossible.

• Although military and other critical networks are supposedly isolated from the public internet, attackers can target contractors and suppliers, who plug into the "air-gapped" system at various times. Somewhere down the food chain, a vulnerable website or a rogue email will provide a way in.

• According to Richard Clarke, the mighty American armed forces themselves are not immune, since their command & control, supplies, and even some weapons systems, also rely on digital systems. "The US military ran headlong into the cyber age," he says. "And we became very dependent on cyber devices without thinking it through. Without thinking that if someone got control of our software, what would we be able to do? Do we have backup systems? Can we go back to the old days?"

• The answer it seems is no. A new form of weapon appears to be emerging. And the world may have to learn to adapt.

Page 98

Bruce Schneier

I have no doubt that smarter and better-funded militaries are planning for cyber-war.

• They have Internet attack tools: denial-of-service tools; exploits that would allow military intelligence to penetrate military systems; viruses and worms similar to what we see now, but perhaps country- or network-specific; and Trojans that eavesdrop on networks, disrupt operations, or allow an attacker to penetrate other networks.

• I believe militaries know of vulnerabilities in operating systems, generic or custom military applications, and code to exploit those vulnerabilities. It would be irresponsible for them not to.

Page 99

To cheer you up …

Page 100

Because sometimes you’ve just got to smile

Page 101

And we still have experts working on the ultimate defence!

Page 102

[email protected]

+44 1925 730 200

Additional resources on web site:

www.mindgrove.co.uk

Your contact details after today

Page 103

“IT Security Update” ISACA Scotland June 19th 2012

Presented by Stan Dormer, Director of Education & Training Services, MindGrove, www.mindgrove.co.uk