mindgrove presented by stan dormer director of education & training services 1 “it security...
TRANSCRIPT
MindGrove
www.mindgrove.co.uk
Presented by Stan Dormer
Director of Education & Training Services
www.mindgrove.co.uk
1
“IT Security Update”ISACA Scotland June 19th 2012
Expe
rt
MindGrove
www.mindgrove.co.uk
Administration
• Timings and Breaks
– 1115
– 1245
– 1500
– 1630ish
• Fire
• Phones
2
MindGrove
www.mindgrove.co.uk
Today’s programme
• Are security experts getting it right – what happened to all of the predictions for a secure future?
• Are security architectures and standards sufficient and appropriate for the 21st century? What can we do more of or what could be done better?
• What type of attacks, hacks and compromises are giving rise to greatest concern, and can they be halted?
• What tools and techniques are the hackers and scamsters deploying, and how can we avoid being impacted?
• What tools and strategies are available to detect, patch and eliminate insecurity from the ground floor upwards?
• Are auditors getting the right information and probing the answers from their organisation?
• Are people the weakest link?
• A doomsday scenario and how we might avoid it …
3
www.mindgrove.co.uk
MindGrove
Are security experts getting it right – what happened to all of the predictions for a secure future?
4
MindGrove
www.mindgrove.co.uk
Back to the past– the year is 1999
• In Norway, the extremely dangerous data virus Win95.CIH has for the latest months been the fastest propagating virus.
• Win95.CIH has the ability to overwrite the hard disk with garbage as well as overwrite the Flash BIOS on some PCs. If the Flash BIOS is overwritten it may even be impossible to start the PC from a boot diskette???
• However, security experts say thatit is unlikely that any new type of viruswill exceed the notorious Mellissa virusthat infected as many as 100,000 hosts over a relatively short period.
• Security experts concluded that: “We will be much better prepared next time.”
5
MindGrove
www.mindgrove.co.uk
It’s 2001 and an expert claims …
“Software security has so much improved that I think it will be likely, within the next ten years, that even images that are altered will be instantly detectable and automatically alert the user to a potential fraud.”
“Viruses might be out there but private persons should be safe if they use their eyes, ears and a little bit of common sense.”
6
MindGrove
www.mindgrove.co.uk
In 2003 an expert predicts hoax viruses …
• But he didn’t predict scam software … like the notorious Security Shield scareware drive-by infection (2008, 2009, 2010, 2011 and 2012)
7
How to begin removal …
MindGrove
www.mindgrove.co.uk
Or by how much scareware would take off …
8
The fake (looks like a Windows Dialogue Box) … that you pay for …
The cure
(free) …
MindGrove
www.mindgrove.co.uk
In 2007 an expert stated that hoax emails were so poorly put together and formatted that they were easy to spot …
Please circulate the following warning to your friends by forwarding this email:
URGENT – UK Police are Conducting Surveillance Activities!
Yesterday (14th June 2012) an announcement was made in Parliament concerning the Regulation of Investigatory Powers Act stating that police were about to be given access to all email, phone calls and personal computers.
They will be able remotely work through your copy of Microsoft Internet Explorer, Opera, Mozilla, Chrome, Firefox, Safari or Google and examine or gather evidence on what you are doing or even erase everything on your hard drive. They are looking for pornographic activities, untaxed commercial trading activities such as buying and selling items on eBay, movements of money between related bank accounts, and for potential crime suspects in Contact Lists. They can also view you if you have a webcam on a Macintosh or Microsoft laptop. This is new, legal and not many people as yet are aware of the impact of this intrusion into their private lives.
Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that co-ordinated action can be taken through members of parliament to ensure that this threat to civil liberty is stopped.
Please take pre-cautionary measures such as using a browser not in the list above, erasing all of your email after reading it (print out any emails that you need to keep), covering your webcam with tape when not in use, blocking the web address www.pcremoteviewer.gov.uk and inform anyone that may have shared access to your computer to turn out lights in the room whilst working to make it difficult for the police to get a clear image. Forward this warning to everyone that might access the Internet.
Note: This legislation does not yet apply to Scotland or Wales.
9
MindGrove
www.mindgrove.co.uk 10
OK, some are a bit more obvious than others …
Selecting this link takes you to HMRC’s bank interface (seen on
the next slide) …
MindGrove
www.mindgrove.co.uk
Fake banks continue to multiply
11
Get your refund (or
rapid debit) here …
MindGrove
www.mindgrove.co.uk
Even in 2011 no expert predicted so many fake on-line news stories via apparently real news agencies …
12
MindGrove
www.mindgrove.co.uk
Or fake investor websites
13
MindGrove
www.mindgrove.co.uk
Or that you could (attempt to) buy fake pharmaceuticals …
14
MindGrove
www.mindgrove.co.uk
Or that history could be rewritten …
15
www.mindgrove.co.uk
MindGrove
Are security architectures and standards sufficient and appropriate for the 21st century? What could be done better?
16
MindGrove
www.mindgrove.co.uk
ISO 27000x
• 27001: Tells you what to do – a process that you execute
– Risk analysis
– Priority assessment (what priority security?)
– Choice of mitigating strategy (how much mitigation?)
– Put controls chosen in place
– Review
– Review and check on periodic basis
• Based on risk assessment – problematical because depends on risk envisioning across entire technology dependent dimension
• Based on multipoint controls – assumes consistency
• Assumes zero psychological vector – doesn’t account for mood
17
MindGrove
www.mindgrove.co.uk
Architectural approaches – Zachman and SABSA
18
MindGrove
www.mindgrove.co.uk
Architectural approaches are not perfect either
• Expectation of normality – no aberrant behaviour
• Expectation of conformity – no bypass of rules or structures
• Expectation of testability – proof of correct operation
19
MindGrove
www.mindgrove.co.uk
COBIT and ITIL 3
• Great for establishing best practice, value and control
• Expectation of normality – no aberrant behaviour
• Expectation of conformity – no bypass of rules or structures
• Very dependent on directives as means of control and sometimes directives that are unrealistic or capable of being misinterpreted
20
Always use antivirus measures
MindGrove
www.mindgrove.co.uk
Doing better: Expect the unexpected
• Penetration testing as ad-hoc assurance
• Microsoft’s (and others) SSDLC as best effort
• Create more compartmentalisation – watertightbulkheads
• Drive for simplicity, reduce complexity
• Assume all software is flawed don’t believe that one vendor’s software is better than another
21
MindGrove
www.mindgrove.co.uk
Doing better: Build in risk psychology .. allow for the fact that
• People exaggerate spectacular but rare risks and downplay common risks
• People have trouble estimating risks for anything not exactly like their normal situation
• Personified risks are perceived to be greater than anonymous risks
• People underestimate risks they willingly take and overestimate risks in situations they can't control
• Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
22
MindGrove
www.mindgrove.co.uk
Psychological vector
23
www.mindgrove.co.uk
MindGrove
What type of attacks, hacks and compromises are giving rise to greatest concern, and can they be halted?
24
MindGrove
www.mindgrove.co.uk
Sophistication increasing
25
MindGrove
www.mindgrove.co.uk
Default passwords are increasingly available – defaults being targeted
26
MindGrove
www.mindgrove.co.uk
Easy to get hack advice from the net
27
For all the whiners saying: "Boohooooo my IP is tracked, i'm going to jail :'(" Learn how
to protect yourself BEFORE you start hacking. Hide your IP, use free software like the
Tor Project browser or ProXPN VPN. I once tried to hack a website but failed and they said they had tracked down
my IP. But I used Tor and ProXPN, so they ended up in Australia where I don't even
live! Ha Ha! -:D
MindGrove
www.mindgrove.co.uk
Denial of service attacks are better co-ordinated
28
MindGrove
www.mindgrove.co.uk
Botnets are increasingly demonstrating their presence
29
MindGrove
www.mindgrove.co.uk
Spam botnets are a big money making deal
• Botnets make attacks very easy. Botnet are responsible for sending 87.9% of all the spam, according to the data in the Symantec Message Labs Intelligence Report.
30
MindGrove
www.mindgrove.co.uk
Pay to use
31
MindGrove
www.mindgrove.co.uk
Statistics from the cloud
• Spam accounts for 14.5 billion messages globally per day. Spam makes up at least 75% of all national emails. Spam email makes up an even greater portion of global emails, some 92% in fact. The United States is the number one generator of spam email.
• Because spam has inundated both the personal and corporate world of emailing surveys have found that spam has led to decreased public confidence and trust in Internet communications.
• Spam costs businesses £15 billion annually in decreased productivity not including technical costs. This approximates to an average loss per employee annually because of spam of £1800.
• Microsoft FOPE services filter millions of spam messages per day.
32
MindGrove
www.mindgrove.co.uk
The security overhead
33
MindGrove
www.mindgrove.co.uk
The hidden administration
Layer 1 – Connection filtering (Approximately 80% of inbound spamrejected)
• DNS Block List (DNSBL)
• IP Allow/IP Block
• Sender ID (SPF)
Layer 2 – SMTP filtering (3% to 5% rejected)
• Sender
• Recipient
• Global safe list
• Global block list
• Sender ID
• Backscatter catching
Layer 3 – Content filtering (55% to 60% rejected)
• Cloudmark
• Automatic updates every 45 seconds
34
MindGrove
www.mindgrove.co.uk
On top of this all MS vulnerabilities continue
35
MindGrove
www.mindgrove.co.uk
And so does Apple’s infatuation with media
36
MindGrove
www.mindgrove.co.uk
And it may be time to drop Flash???
37
1 release
per week!
MindGrove
www.mindgrove.co.uk
Social networks
• The primary blended attack method used in the most advanced attacks will be to go through your social media "friends," mobile devices and through the cloud.
• "We have already seen attacks that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012," Websense researchers have said.
38
MindGrove
www.mindgrove.co.uk
Social scams to rise – targeting to improve
• The number of people falling victim to believable social engineering scams will rise significantly if the unscrupulous attackers find a way to use mobile location-based services to design hyper-specific geo-location social engineering attempts, the report said. "People have been predicting this for years, but in 2012 it actually started to happen."
• Also important are globally important events including the London Olympics or U.S. presidential elections. Cybercriminals will continue to take advantage of today's 24-hour, up-to-the minute news cycle, the report said, adding that now they will infect users where they are less suspicious. Sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations may proliferate it said.
39
MindGrove
www.mindgrove.co.uk
Social media in the limelight – last week
• The latest threat report from GFI Labs in June2012 saw a further increase in attacks on social media sites. These included popular targets such as Facebook and Twitter, and were extended to include Google, LinkedIn and Skype. LinkedIn lost 6.5m passwords in May.
• LinkedIn users saw a huge increase in fake invitations, which redirects users to a site infected with a Blackhole exploit and downloads the Cridex trojan. The malware is not easy to detect and according to M86 Security Labs is only picked up by 10 out of 43 anti-virus products. Skype also came under attack; crooks targeted users by sending false spam which claimed to give Skype credit to those who followed a link. However, users were instead directed to a compromised site which was infected with malicious Java exploits.
• Google was the ‘hook' for a couple of scams, a SEO poisoning attack, which told searchers that Google systems had detected malware on their machine and led them to download a fake anti-virus package. In the second attack, a wave of spam claimed to make announcements for "Google Pharmacy”; users who followed the link ended up at notorious spam site Pharmacy Express, which has been linked to spam attacks since 2004.
• Celebrity stories are being used to spread spam and tempt social media users into clicking on a story which has a hidden layer of code overlaying the main image. Customers of CBS's Last.fm music site and EHarmony's dating site also had passwords stolen last week, both companies suggested that users change their passwords immediately!
40
MindGrove
www.mindgrove.co.uk
Use agreed international frameworks
• Botnets can be markedly limited by authenticating every computer involved in an internet transaction, but traditionally this has been an unattainable goal as universal computer authentication would require the perfect and on-going cooperation of a massive number of computer owners and systems administrators around the world.
• Universal computer authentication can be achieved at the server level by a novel implementation of digital signature technology called Mail Transfer Agent Authentication.
41
MindGrove
www.mindgrove.co.uk
MTA Signing – M Kaplan
42
MindGrove
www.mindgrove.co.uk
MTA Signing – M Kaplan
43
MindGrove
www.mindgrove.co.uk
MTA Signing – M Kaplan
44
MindGrove
www.mindgrove.co.uk
Must be spam
45
MindGrove
www.mindgrove.co.uk
Applies to originators too
46
MindGrove
www.mindgrove.co.uk
SPF now works across MTAs
47
MindGrove
www.mindgrove.co.uk
MindGrove’s DNS SPF records
A TXT record (retrieved from MindGrove’s DNS records) associates with
.mindgrove.co.uk the value
v=spf1 include:outlook.com ~all
– This indicates that mail from Office 365 Outlook for a MindGrove Domain is to be treated as authentic when received from this outgoing MTA
– And from an inbound email header MTA was
• @AMSPRD0702MB106.eurprd07.prod.outlook.com
48
www.mindgrove.co.uk
MindGrove
What tools and techniques are the hackers and scamsters deploying, and how can we avoid being impacted?
49
MindGrove
www.mindgrove.co.uk
ATM physical fraud getting more sophisticated
50
MindGrove
www.mindgrove.co.uk
Sir or Madam: “Your PC is infected …
• You get a call from someone who says your computer is at risk of crashing because of a virus or malicious software. The caller suggests he or she works for Microsoft and is aware of issues with your system.
• You will be asked to open a program called Windows Events Viewer, whose contents are worrisome. Given phone guidance you are taken to a long list of errors.
• The caller offers to guide you through the steps to fixing it …!
51
MindGrove
www.mindgrove.co.uk
Step 1: Showing you the error
52
MindGrove
www.mindgrove.co.uk
Step 2: Proving that the caller knows the unique id for your machine – therefore can be trusted
• Run Cmd
• Enter ‘Assoc’
• Check result …
53
MindGrove
www.mindgrove.co.uk
Step 3: Now allow remote access
54
MindGrove
www.mindgrove.co.uk
Step 4: Say goodbye to your money …
55
MindGrove
www.mindgrove.co.uk
But just a minute – what’s this
56
MindGrove
www.mindgrove.co.uk
More about the yield from the scam
• The selling of fake anti-virus programs accounts for up to 80 per cent of frauds reported daily. Users often give remote access or their log-in information, so the caller has access to their computer, and pays them, typically, £100 - £200 for a service contract.
– The irony: By falling for a service that falsely claims to remove viruses from your computer, you will be installing keyloggers that are even harder to remove and once you have downloaded the software, there is no guarantee that any reputable anti-malware program will get rid of it.
• If you put your name on the TPS do-not-call list, you’re not immune to these pitches. These people don’t have to follow the law since they’re calling from outside the UK- typically calls come in from India or Holland.
• They of course are ultimately targeting the capture of sensitive data such as your online banking user names and passwords.
57
MindGrove
www.mindgrove.co.uk
More about Botnets
• The DNS Changer botnet takedown announced by the U.S. Department of Justice compromised over four million machines, or more than twice the size of the Rustock botnet that Microsoft and U.S. law enforcement officials brought to its knees in March 2011. About a quarter of the bots were Windows PCs and Macs based in the U.S.
• The DOJ charged seven men -- six Estonians and one Russian -- with 27 counts of wire fraud, money laundering and illegal computer access, alleging that the group operated a lucrative clickjacking scheme that generated over $14 million during a four-year period.
• The malware responsible for hijacking users' clicks -- which were then redirected to hacker-created sites that resembled real domains -- came in a variety of forms, said researchers and authorities.
• According to the Internet Storm Center, some of whose security experts were part of a working group that advised the DOJ, the botnet was created with several malware families, including the pernicious TDSS rootkit -- also known as "Alureon" -- as well as Trojan horses crafted for Mac OS X.
• The federal indictment said that the gang infected personal computers by luring users to malicious websites or by duping them into downloading and installing purported video codecs that the scams claimed were necessary to view videos.
• Trend Micro, which said it had been tracking the DNS Changer botnet since 2006, added that the alleged criminals updated the malware daily to change the DNS (domain name system) settings of each bot.
58
MindGrove
www.mindgrove.co.uk
Rootkits – DNS Changer
• As much of a nightmare as TDSS, also known as Alureon or TDL4, can be, an infection by DNS Changer can be just as problematic in some respects.
• The malware's main function is to hijack the victim's Web traffic by changing the DNS settings on the infected machine, redirecting him to malicious sites rather than whichever ones he's aiming to visit.
• So once the Trojan has changed the DNS configuration on the machine, DNS queries from the PC will be redirected to the attacker-controlled DNS servers, allowing the attackers to force the user to visit malicious sites.
59
MindGrove
www.mindgrove.co.uk
Have you been hit???
• Users can check their DNS settings on a Windows machine by going to the command line and typing: ipconfig/all. If the DNS server field shows an address in any of the following ranges, Secureworks researchers say, it's infected:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
60
PHEW!!!
MindGrove
www.mindgrove.co.uk
More attacks on public bodies
• Prosecutors from the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) have dismantled a criminal group consisting of 14 members, who engaged in cybercriminal activities that included accessing computer systems without authorization, copying confidential data stored on them and publishing the captured information online, DIICOT said on Tuesday.
• The twelve suspects are believed to be associated with the Anonymous hacktivist collective, local media reports said. However, DIICOT declined to confirm this.
• DIICOT believes that the leader of the criminal group is a 24-year-old man named Gabriel Baleasa from the city of Piatra Neamt, who used the online aliases lulzcart, anonsboat, anonsweb and cartman.
• During the past few months, several hackers who claimed affiliation with Anonymous, including one using the lulzcart Twitter handle -- which is now disabled -- have taken credit for hacking into the websites of several Romanian public institutions, including the Bucharest City Hall, the Romanian Social Services and Child Protection Agency, the Romanian National Institute of Research and Development for Optoelectronics and the Romanian National Institute of Physics and Nuclear Engineering.
• Baleasa is believed to have created the hacker group together with two men named Fabian Gabor and Mihai Emil Picos, with other members joining at a later time, DIICOT said.
61
MindGrove
www.mindgrove.co.uk
Following scripts – reset root MySQL password
• Using supplied memory key execute programme 2 then login as root to the Unix, Linux or BSD machine with the MySQL server.
• Stop the MySQL server by using either of the following commands:
– Linux: /etc/rc.d/init.d/mysql stopFreeBSD: /usr/local/etc/rc.d/mysql-server.sh stop
• Open the mysql server startup script (i.e. mysql-server.sh – the file executed to start or stop MySQL server.
• Add –skip-grant-tables to the end of the line that contains the mysqld_safe command as its parameter.
• Start MySQL server with the following commands:
– Linux: /etc/rc.d/init.d/mysql startFreeBSD: /usr/local/etc/rc.d/mysql-server.sh start
• Alternatively, start the MySQL server directly and skip the editing with the following command:
– mysqld_safe –skip-grant-tables &
• Run the following commands to login as the mysql user and connect to mysql user/permission database:# mysql -u root mysql
• Run the update queries to change the MySQL password:
– mysql> UPDATE user SET Password=PASSWORD(‘newrootpassword’) WHERE User=’root’;mysql> FLUSH PRIVILEGES;
• Note: Replace newrootpassword with the new root password for MySQL server. Flush Privileges is needed to making the password change effect immediately.
• Exit mysql database client by typing exit.
• Stop MySQL server with commands listed at step 2.
• Open the mysql server startup script edit in step 3 again and remove the –skip-grant-tables parameter that has been added.
• Start MySQL server by using command from step 5 or 6.
62
MindGrove
www.mindgrove.co.uk
Good old oldies …
• Pre-pay scams – pay for a new credit card, qualification or to gain access to ‘found funds’
• Disaster relief and phoney charity scams via email and then lured to bogus website
• Travel scams – turn up, no room at inn
• Electronic pyramid selling or make money fastscams
• Fake pharmacy sales
63
MindGrove
www.mindgrove.co.uk
And some newbies
• Hackers are again gunning for Britain's 25 million internet banking users after cracking the latest generation of security devices. Criminals have burst through banks' new calculator-style keypads to raid customers' accounts, a BBC investigation has found.
• The likes of HSBC's new Secure Key and Barclays' PINSentry were supposed to quash crime to near zero. But dangerous new viruses could add to the millions stolen online last year, experts say.
• Gary Clark, of data protection company Safenet, said the findings 'raise serious questions' over ordinary anti-virus protection. In October, This is Money explained how malicious bugs can masquerade as internet bank pages, fooling unwitting account holders into handing over their cash.
• Now BBC technology experts have found a bug that tricks users into taking part in training for an 'upgraded security system' - an opportunistic ploy given the roll-out of new technology in recent months.
64
MindGrove
www.mindgrove.co.uk
A-Z of Malware – hall of shame
• Backdoor
• Bot / Botnet
• Browser hijack
• Clickjack
• Dropper
• Image spam
• IP Spoofing
• IRC-bots
• Keylogger
• Pharming
• Phishing
• Ransomeware
• Rogueware
• Rootkit
• Scareware
• Smishing
• Spam
• Spyware
• SQL Injection
• Trojan
• Virus
• Vishing
• Worm
65
www.mindgrove.co.uk
MindGrove
What tools and strategies are available to detect, patch and eliminate insecurity from the ground floor upwards.
66
MindGrove
www.mindgrove.co.uk
Critical Actions and in-place Tool Requirements
• Inventory of Authorised and Unauthorised Devices – many tools
• Inventory of Authorised and Unauthorised Software – many tools
• Secure Configuration of Hardware and Software on Laptops, Workstations, and Servers conforming to CIS or better
• Continuous Vulnerability Assessment and Remediation – CERT alerting and actions
67
MindGrove
www.mindgrove.co.uk
Patching: Client-side software that remains unpatched – patch them!
• Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.
• On average, major organisations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the lower priority risk.
68
MindGrove
www.mindgrove.co.uk
Patching: Internet-facing web sites that are vulnerable – patch them!
• Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits.
• Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered.
• Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.
69
MindGrove
www.mindgrove.co.uk
Patching: Application Vulnerabilities Exceed OS Vulnerabilities – Patch them!
• During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch.
70
MindGrove
www.mindgrove.co.uk
Critical Actions and in-place Tool Requirements
• Malware Defences: Multilayer
71
MindGrove
www.mindgrove.co.uk
Critical Actions and in-place Tool Requirements
• Malware Defences: Best A/V Solution?
72
MindGrove
www.mindgrove.co.uk
How good is anti-malware
• Taken from the net
73
This 2012 discussion is about
Security Shield Rogueware (first
released in 2008)!
MindGrove
www.mindgrove.co.uk
Critical Actions and in-place Tool Requirements
• Application Software Security – design in or buy in integrated solutions
• Wireless Device Control – attenuate, encrypt (no WEP), register, authenticate (Radius or other)
• Data Recovery Capability – incident management
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches – no defaults present
74
MindGrove
www.mindgrove.co.uk
Critical Actions and in-place Tool Requirements
• Limitation and Control of Network Ports, Protocols, and Services - minimisation
• Controlled Use of Administrative Privileges – fewest possible
• Boundary Defences – Admission control or thin client
• Maintenance, Monitoring, and Analysis of Security Audit Logs
• Controlled Access Based on the Need to Know+ RBAC (AM in AD)
75
MindGrove
www.mindgrove.co.uk
Critical Actions and in-place Tool Requirements
• Account Monitoring and Supervisory Control - tools
• Data Loss Prevention – tools – Network and Application DLP
• Secure Network Engineering
• Penetration Tests
76
www.mindgrove.co.uk
MindGrove
Are auditors getting the right information and probing the answers from their organisation?
77
MindGrove
www.mindgrove.co.uk
Are IT Auditors?
1. Too far down the food chain to be able to persuade their organisation's to improve security - status?
2. Not taken seriously because they sound paranoid?
3. Dealing with luddites that are reluctant to change?
4. Finding that their organisations are too mean to pay for security but want it when things go wrong?
5. Constantly thwarted by being told that security and controls slow down operational systems and that the users will not tolerate that?
6. Challenging when operational convenience overtakes common sense?
78
www.mindgrove.co.uk
MindGrove
Are people the weakest link?
79
MindGrove
www.mindgrove.co.uk
Eight difficult things to control with people
1. Divulging passwords – much more common than security specialists imagine – three drivers
– Social interactions - trust
– Length of password leads to recording of password
– Mistakes
2. Gullibility – people fall forsimple ruses
– Security Audit … Pretend compromise .. Link to reset in Email or advising to use new password via email (because there has been a security compromise!)
– Loan / Reset scam – on your behalf!
80
MindGrove
www.mindgrove.co.uk
Card reset scam
• Victims are caught out by telephone calls where it is suggested their credit or debit card needs replacing owing to fraud on their account.
• A courier is sent to collect the card and the victim is asked to enter their PIN into the couriers hand held device.
81
MindGrove
www.mindgrove.co.uk
Eight difficult things to control with people
3. Storage of credentials in insecure settings
– Under the keyboard, under the desk, base of phone, on the back of the mouse pad, on the inside of an over monitor cupboard, or on base of chair
– Within cell phone storage – PIN unprotected
– Paper diaries, journals, or written operating procedures (annotated)
– Notes in Outlook or Cached in browser (where forbidden to) – also think CLOUD
4. Leaving devices switched on and visible – notebooks and smart phones, and not resetting Wi-Fi passwords from supplied and labelled default
5. Courtesy actions
– Encouraging tailgating or giving directions to strangers in buildings
– Resetting passwords without adequate proof
82
MindGrove
www.mindgrove.co.uk
Eight difficult things to control with people
6. Waiting too long before reporting odd events, or attempting to fix problem when a system is already out of control
7. Taking materials or giving away corporate property
– Paper, toner inks and cartridges
– Printers and notebooks not returned
– Computers, Memory sticks, CDs and DVDs – £325,000 fine by ICO
– Software, data and images – no notion of value of data assets or data class security
– Licence keys - common
83
MindGrove
www.mindgrove.co.uk
Eight difficult things to control with people
8. Misconceptions of risk - Airports
– People under 12 and over 65 need not take off their shoes for airport scanning?
– Bottles must not contain more than 100ml of fluid, but multiple bottles of 100ml each are acceptable, a half empty 150ml bottle is unacceptable, and baby formula can be in any volume?
– Laptops must be removed from bags (some airports), kept in bags (other airports), started up (a few airports) but the rules don’t apply to laptops with screens less than 11” or to tablets or portable games consoles????
84
MindGrove
www.mindgrove.co.uk
Eight difficult things to control with people
8. Misconceptions of Risk – At work or in the home
• Most hacks are performed by outsiders
• They won’t attack us we have nothing of value
• The alarm system or CCTV will scare them off
85
MindGrove
www.mindgrove.co.uk
Maybe nine difficult things to control with people
86
www.mindgrove.co.uk
MindGrove
A doomsday scenario and how we might avoid it.
87
MindGrove
www.mindgrove.co.uk
Poor weather continues
• 14-10-2013 09:00 - “Extraordinarily cold weather has now enveloped North America and Europe for more than three weeks yielding temperatures as much as twenty degrees below the seasonal norm.
• It’s believed that this is in part a consequence of the long cool wet summer and the inability of the land mass to achieve normal summer ground temperatures and in part the effects of upper atmosphere volcanic ash discharged in August from Mt. Baekdu, North Korea.”
88
MindGrove
www.mindgrove.co.uk
Fierce demand on electricity suppliers
• 28-10-2013 09:00 – “The continuing cold weather has put an exceptional demand on Power Suppliers and 40,000 homes in Brooklyn and Queens have been without power for nearly 3 days.
• Lineco Electricity said that they believed that the blackout had been caused by a failure in a SCADA driven control application and the reason for this was still under investigation. Sabotage had not been ruled out.”
89
MindGrove
www.mindgrove.co.uk
Hackers group claim responsibility for worm in LineCo System
• The hacking group “NKIR” claim that they infiltrated LineCo and used a Stuxnet worm derivative to punish the USA for its cyber-attacks on other countries”.
• Experts that had asserted that the likelihood of such attacks on industrial plant were low because they were not connected to the Internet admitted that there would be other ways, such as the use of mobile media, to introduce malware into industrial systems.
90
MindGrove
www.mindgrove.co.uk
Attempt to restart plant triggers failures
• 29-10-2013 09:00 – “An attempt to restart the LineCo plant today triggered further blackouts at two other power utilities. More than 200,000 families are without power.
• A government representative stated that: “Everything was being done to bring the situation back into control and that security experts had been deployed to assist the power generation utilities.”
91
MindGrove
www.mindgrove.co.uk
Tension grows as millions of systems incapacitated
• In Europe a novice hacker, excited by the actions of NKIR, admits to having released a multi-facetted malware package that is acquired by innocent users as a drive-by download. “It was for fun and I wanted to be part of it”, he said.
• The payload launches a worm, that uses a heuristic algorithm to constantly change its form, a virus executable that is self-contained that will run on both Unix and Windows systems and that blocks the launch of any other program whilst producing a dialogue box that covers the entire visible screen.
• Millions of users lose the ability to communicate with each other at home or at work.
92
MindGrove
www.mindgrove.co.uk
Gas companies attacked
• 03-11-2013 09:00 – CERT warns of targeted phishing attacks against gas pipeline firms
• In an advisory issued last week, ICS-CERT said it has received information about targeted attacks and intrusions into multiple organizations over the past few days.
• The attacks are related to a single campaign and appear to have started in late October, the advisory noted. "Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused," the ICS-CERT said.
• "In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization."
• Iran, Russia and Korea send out a general warning to China and the West to prepare for dire consequences if these attacks continue.
• China denies all knowledge of the attacks and points the finger at Western activists and hackers citing the Lultz group as probable agents.
93
MindGrove
www.mindgrove.co.uk
It’s too late
• 05-11-2013 09:00 Transactions from an unknown country flood all major power facilities, GPS systems and transport power supplies.
• A massive DNS worm is released by Nihil International – the hacking arm of Activists International – all DNS servers in the Internet and many at Domain registrars are poisoned – the Internet goes down and does not recover.
• Power stations are forced to close all over the world.
• China, Russia and America blame each other and threaten nuclear retaliation.
• Outside air temperatures drop to minus 25 throughout most of North America, Europe and Asia due to further volcanic eruptions jettisoning ash, from Mt. Baekdu, North Korea, into the sky forming clouds blanketing the sun.
94
MindGrove
www.mindgrove.co.uk 95
MindGrove
www.mindgrove.co.uk
Web War II
• A team of IT specialists were detailed to attack nine other teams located all over Europe. At their terminals in the Nato Co-operative Cyber Defence Centre of Excellence, they cooked up viruses, worms, Trojan Horses and other internet attacks, to hijack and extract data from the computers of their pretend enemies.
• The idea was to learn valuable lessons in how to forestall such attacks on military and commercial networks. The cyber threat is one that the Western alliance is taking seriously. Here are some quotes:
• "Sophisticated cyber attackers could do things like cause power blackouts - not just by shutting off the power but by permanently damaging generators that would take months to replace. They could do things like cause [oil or gas] pipelines to explode. They could ground aircraft."
• At the heart of the problem are the interfaces between the digital and physical worlds known as Scada - or Supervisory Control And Data Acquisition - systems. Hack into these networks, and in theory you have control of national electricity grids, water supplies, distribution systems for manufacturers or supermarkets, and other critical infrastructure.
• Moreover, critical infrastructure software can be surprisingly exposed. A power station, for example, might have less anti-virus protection than the average laptop. And when vulnerabilities are detected, it can be impossible to repair them immediately with a software patch. "It requires you to re-boot," it has been pointed out. "And a power plant has to run 24-7, with only a yearly power-down for maintenance." So until the power station has its annual stoppage, new software cannot normally be installed.
96
MindGrove
www.mindgrove.co.uk
Total disruption?
• Professor Peter Sommer, an expert in cyber-crime, points out that: "You don't necessarily want to cause total disruption because results are likely to be unforeseen and uncontrollable. Although one can conceive of attacks that might bring down the world financial system or bring down the internet, why would one want to do that? You would end up with something not that different from a nuclear winter."
• If cyber weapons become widespread, their targets will lie mostly in the west, rather than in countries like Iran, which have relatively little internet dependence. This means that the old rules of military deterrence which favoured powerful, technologically advanced countries like the United States do not apply: Responding in kind to a cyber-attack could be effectively impossible.
• Although military and other critical networks are supposedly isolated from the public internet, attackers can target contractors and suppliers, who plug into the "air-gapped" system at various times. Somewhere down the food chain, a vulnerable website or a rogue email will provide a way in.
• According to Richard Clarke, the mighty American armed forces themselves are not immune, since their command & control, supplies, and even some weapons systems, also rely on digital systems. "The US military ran headlong into the cyber age," he says. "And we became very dependent on cyber devices without thinking it through. Without thinking that if someone got control of our software, what would we be able to do? Do we have backup systems? Can we go back to the old days?"
• The answer it seems is no. A new form of weapon appears to be emerging. And the world may have to learn to adapt.
97
MindGrove
www.mindgrove.co.uk
Bruce Schneier
I have no doubt that smarter and better-funded militaries are planning for cyber-war.
• They have Internet attack tools: denial-of-service tools; exploits that would allow military intelligence to penetrate military systems; viruses and worms similar to what we see now, but perhaps country- or network-specific; and Trojans that eavesdrop on networks, disrupt operations, or allow an attacker to penetrate other networks.
• I believe militaries know of vulnerabilities in operating systems, generic or custom military applications, and code to exploit those vulnerabilities. It would be irresponsible for them not to.
98
MindGrove
www.mindgrove.co.uk
To cheer you up …
99
MindGrove
www.mindgrove.co.uk
Because sometimes you’ve just got to smile
100
MindGrove
www.mindgrove.co.uk
And we still have experts working on the ultimate defence!
101
MindGrove
www.mindgrove.co.uk
+44 1925 730 200
Additional resources on web site:
www.mindgrove.co.uk
Your after day contact data
MindGrove
www.mindgrove.co.uk
Presented by Stan Dormer
Director of Education & Training Services
www.mindgrove.co.uk
103
“IT Security Update”ISACA Scotland June 19th 2012
Expe
rt