TRANSCRIPT
Spear Phishing and other Social Media Threats
Mike Lisenby, Managing Partner of Rausch Advisory Services, September 12, 2016
What you don't know can hurt you
Speaker Bio
Mike Lisenby is the Managing Partner of Rausch Advisory Services. Mike has more than 18 years of experience in helping businesses manage their technology resources and compliance needs effectively. His experience includes consulting and co-sourcing, IT security, IT audits, regulatory compliance, and technology security assessments; risk identification, assessment and evaluation; risk response; risk monitoring; IT control design and implementation; and IT control monitoring and maintenance. Mike has held leadership roles with Arthur Andersen and several other national consulting firms, and has prior experience with Fortune Brands and Philip Morris.
He designed a Virtual Security Technology Center for a national consulting firm and ran an ethical hacking / penetration testing team for Arthur Andersen. He has served on the Board of Directors for the Information Systems Audit and Control Association (ISACA, Atlanta & Milwaukee), and he holds a CRISC (Certified in Risk and Information Systems Control) certification.
Agenda
• Definitions
• Zero-Day Vulnerability
• Malware
• Ransomware
• Spear Phishing
• Social Networking Sites
• Hacking via Social Networking
• Risks of Social Media
• Steps for Auditors to Consider
As much as 80% of all malware attacks come from phishing attempts using different variations of social engineering techniques, as per the Verizon Data Breach Investigations Report (DBIR) 2015.
Zero-Day Vulnerability
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it; this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware or spyware, or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Malware
Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Before the term malware was coined by Yisrael Radai in 1990, malicious software was referred to as computer viruses.
Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency.
Ransomware
Ransomware is computer malware that installs covertly on a victim's computer, executes an attack that adversely affects it, and demands a ransom payment to restore it. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it.
More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer's Master File Table (MFT) or the entire hard drive. Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files, since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.
Ransomware – CryptoWall
CryptoWall is one of the most pervasive forms of malware from the past year. A variant of malware known as ransomware, it encrypts a user's files, rendering them inaccessible, and demands that a ransom is paid to the perpetrators to regain access. CryptoWall 3, the latest variant of the malware, is responsible for 406,887 attempted infections and accounts for approximately $325 million in damages since its discovery in January 2015, according to a report by the Cyber Threat Alliance.
Ransomware – Locky
Locky (detected by Symantec as Trojan.Cryptolocker.AF) spread quickly since it first appeared on Tuesday (February 16). One of the main routes of infection has been through spam email campaigns, many of which are disguised as invoices. The spam campaigns spreading Locky are operating on a massive scale. Symantec anti-spam systems blocked more than 5 million emails associated with these campaigns in one day!
[Figure 1. Example of spam email used to distribute Locky]
Spear phishing
Spear phishing is a more selective and effective scheme than traditional phishing plots. This technique has raised e-scams to a new level and has lately become the go-to choice for many attacks threatening individuals and businesses. Spear phishing is a way of obtaining information through deceptive, more personalized e-mail messages and social engineering that is finely tailored to the target. No longer are the attacks conducted at random; they are rather focused and persistent, effectively to hit a specific victim or group of victims.
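The invoice-themed Locky spam above and the personalized spear phishing messages just described share a few traits a mail gateway or SOC analyst can look for. The following is an added example, not material from the presentation or from Rausch Advisory Services: it parses a constructed sample message with Python's standard `email` library and scores it on four heuristics (Reply-To domain differing from the visible sender domain, a display name that names the organisation while the address is external, invoice and urgency lure text, and executable or macro-bearing attachments). The organisation name, the internal domain, the sample addresses and the extension list are assumptions for the example; a real deployment would add reputation, URL and sandbox checks.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types commonly used as payload carriers in malicious spam.
# Assumption of this example: a defender would tune this list to the environment.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".scr", ".exe",
                    ".docm", ".xlsm", ".zip", ".rar"}
URGENCY_WORDS = re.compile(
    r"\b(urgent|immediately|overdue|final notice|action required)\b", re.I)


def analyze_message(raw: str, internal_domain: str, org_name: str) -> dict:
    """Parse a raw RFC 822 message and return a heuristic score with reasons.

    internal_domain: the organisation's own mail domain (e.g. "example.com").
    org_name: the organisation name an impersonator might put in a display name.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    internal_domain = internal_domain.lower()

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else ""

    # 1. Reply-To steers replies to a domain other than the visible sender's
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Display name claims the organisation, but the address is external
    is_internal = from_domain == internal_domain or from_domain.endswith("." + internal_domain)
    if org_name.lower() in from_name.lower() and not is_internal:
        reasons.append("display name impersonates the organisation from an external domain")

    # 3. Invoice / urgency lure in subject or body
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    if "invoice" in text.lower():
        reasons.append("invoice-themed lure")
    if URGENCY_WORDS.search(text):
        reasons.append("urgency wording")

    # 4. Executable or macro-bearing attachment
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {name}")

    return {"score": len(reasons), "reasons": reasons}


def build_suspicious_sample() -> str:
    """Constructed sample resembling an invoice-themed spam message (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Example Corp Accounts <billing@invoice-mailer.example.net>"
    m["Reply-To"] = "pay@collect.example.org"
    m["To"] = "bob@example.com"
    m["Subject"] = "URGENT: Overdue invoice #48213"
    m.set_content("Please open the attached invoice immediately.")
    m.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream",
                     filename="invoice_48213.js")
    return m.as_string()


def build_benign_sample() -> str:
    """Constructed internal message that should not trigger any heuristic."""
    m = EmailMessage()
    m["From"] = "Alice <alice@example.com>"
    m["To"] = "bob@example.com"
    m["Subject"] = "Team lunch"
    m.set_content("Lunch at noon?")
    return m.as_string()


if __name__ == "__main__":
    for sample in (build_suspicious_sample(), build_benign_sample()):
        print(analyze_message(sample, internal_domain="example.com", org_name="Example Corp"))
```

The score is deliberately a plain count so that each reason stays explainable to the user who receives the warning; in awareness training the reasons list doubles as the checklist ("who is this really from, where do replies go, why the urgency, what is attached").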
Social Networking
A social networking service (also social networking site, SNS or social media) is an online platform that is used by people to build social networks or social relations with other people who share similar personal or career interests, activities, backgrounds or real-life connections.[1]
[1] Buettner, R. (2016). Getting a Job via Career-oriented Social Networking Sites: The Weakness of Ties. 49th Annual Hawaii International Conference on System Sciences.
Hacking via Social Networking
Bulk harvesting – Hackers can "scrape" social networks and learn who knows whom. By creating a database of social connections, a spear phisher can learn which of Bob's friends would be best to impersonate.
API breach – The application programming interfaces (APIs) that connect backend systems to mobile devices and websites can be a weak link in the security perimeter. For example, vulnerabilities have been discovered in the Facebook API, potentially enabling hackers to access vast numbers of "social graphs" of Facebook members.
Impersonation through account hijacking – In some cases, the hacker posing as Bob will take over Bob's actual social network account. This is known as "account hijacking." With this approach, the hacker is nearly indistinguishable from Bob. He's logging into Bob's account and using it in place of Bob.
Hacking using Social Networking – LinkedIn Example
• Fake LinkedIn account using an attractive female: do you connect?
• Hackers utilize fake accounts to simply gain connections and endorsements at first.
• The hackers controlling the fake identity target unsuspecting users to gather information on job titles, personal and past history, and launch more sophisticated social engineering attacks against employees in order to break into their computers.
• In a popular example around the Christmas holiday, hackers created a site with a Christmas card and posted the link to it on the fake social media profiles. Connections who visited the site were prompted to execute a signed Java applet that opened a reverse shell back to the attacker via an SSL connection.
• The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability, and required user interaction. Once they have a shell, the hackers can use privilege escalation exploits to gain administrative rights and can sniff passwords, install other applications and steal documents with sensitive information.
Hacking using Social Networking – No Patch for Human Stupidity
A recent study conducted by the IT trade association CompTIA found that human error is the root cause of 52% of all security breaches[1]. The study suggests that "the main reason that companies exhibit a low level of concern over human error is that it is a problem without an obvious solution."
One could argue that this problem could be addressed with a sizable investment in training. The study goes on to note that only 54% of companies offer some form of cybersecurity training, with the most common format being new employee orientations or annual refresher courses.
[1] http://www.cbsnews.com/news/the-human-element-and-computer-security/
Risks of Social Media
Not having a social media policy
• A former CFO posted on YouTube criticizing Chick-Fil-A; it went viral and destroyed his career.
• An Applebee's waitress took to Reddit and posted a scanned copy of a receipt that featured a haughty comment from a customer.
• Ex-CFO Gene Morphis used Twitter to write about Francesca's Holdings Corp., its results and dealings between investors and his board.
Knowing the temperature and allowing open replies
• JPMorgan Chase asked Twitter followers to send questions to investment banker and company vice chairman Jimmy Lee. "Can I have my house back?" and "What is more satisfying: securities fraud on unsophisticated pension fund investors, or foreclosing on those you gave Alt-A loans?"
User Access: Not having a crisis management program
• Retailer HMV staff members live-tweeted a corporate bloodletting in the U.K. on the store's official feed. "We're tweeting live from HR where we're all being fired! Exciting!!"
Additional Risks of Social Media
Regulatory: Not having social media training
• Two paramedic students who were in the ER of Martin Memorial Medical Center in Stuart, Florida as part of their training took digital photos of a patient (shark attack victim), and subsequently e-mailed the photos to numerous friends.
• "[A] physician, on his blog, called a patient 'lazy' and 'ignorant' because she had made several visits to the emergency room after failing to monitor her sugar levels. In yet another case, a medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube."
• At Hispanics United of Buffalo, a caseworker threatened to complain to the boss that others were not working hard enough. Another worker, Mariana Cole-Rivera, posted a Facebook message asking, "My fellow co-workers, how do you feel?" Hispanics United fired Ms. Cole-Rivera and four other caseworkers who responded to her, saying they had violated the company's harassment policies by going after the caseworker who complained. In a 3-to-1 decision the labor board concluded that the caseworkers had been unlawfully terminated. It found that the posts were the type of "concerted activity" for "mutual aid" that is expressly protected by the National Labor Relations Act.
Additional Risks of Social Media
Information technology
– Spear phishing: Bogus profiles connecting to gain contact information
– Information leakage: Sites leak your whereabouts
– Information integrity: Several social media campaigns used to lure unsuspecting users to click on hyperlinks infected with malicious code
– Inadequate authentication controls
– Cross site scripting: Facebook's controversial Instant Personalization feature affected
– Insufficient anti-automation (ex. Websense)
– Not having a seat at the table
Strategy and governance
43% of businesses block access to social media on company-owned computers or handheld devices. – Society for Human Resource Management survey
Bad idea if this is the extent of your social media strategy & governance.
Steps for Auditors to Consider
Steps: Determination of social media risk management
The risk associated with social media is identified, evaluated, and aligned with enterprise risk profiles and risk appetite. Risk management is routinely evaluated for new and existing social media projects.
– Risk mitigation strategies employed
– Included in crisis management plan
– Initial risk assessment performed
– Re-performance: risk assessments are re-performed when social media resources or technologies change
– Data classification scheme
Steps for Auditors to Consider
• Steps: Policies & Procedures. An effective social media policy addresses:
– Communication protocol
– Standardized terms/keywords that may convey the company brand, product, image, campaign, business initiative, corporate social responsibility
– Use of standard logos, images, pictures, etc.
– Employee personal use of social media in the workplace
– Employee personal use of social media outside the workplace
– Employee use of social media for business purposes (personally owned devices)
– Use of mobile devices to access social media
– Required review, monitoring and follow-up processes for brand protection
– Communication of policy via social media sites to employees and acceptable public postings
– Notification that compliance monitoring will be the right of the company
– Management procedures for company accounts on social media sites
– Response protocols for the response process on social media environments
Steps for Auditors to Consider
Steps: Policies & Procedures
Effective social media policies:
– http://blog.adidas-group.com/wp-content/uploads/2011/06/adidas-Group-Social-Media-Guidelines1.pdf
– http://hr.umich.edu/voices/docs/Social-Media-Guidelines.pdf
– http://www.coca-colacompany.com/stories/online-social-media-principles
Additional social media sample policies:
– http://socialmediagovernance.com/policies/
Steps for Auditors to Consider
• Steps: People & Training
– Legal: Determine that Legal communicates changes in global laws and regulations on social media
– Assessment of Compliance & Ethics program: Determine that the program covers social media risks
– IT: Determine that IT includes social media, malware, ransomware and spear phishing in the risk assessment and monitoring. Consider periodic social media user testing such as spear phishing attempt training.
– Marketing: Determine that social media is included in strategy and risk assessment and that metrics are utilized to measure return on investment.
– HR: Determine that social media is being utilized appropriately and consistently in recruiting and employment decisions
Steps for Auditors to Consider
In the 2013 SHRM survey, 22 percent of respondents said they use social media websites like Facebook or Instagram to research job candidates, a decline from 34 percent in 2008.
• Steps: Consider the following when using social media for hiring
– Never ask for passwords. Asking for an applicant's (or employee's) password creates a real risk of violating the federal Stored Communications Act.
– Have HR do it. The HR professional is more likely to know what he or she can and cannot consider.
– Look later in the process. After an applicant has been interviewed, his or her membership in protected groups is likely already known.
– Be consistent. Don't look at only one applicant's social media profiles.
– Document decisions.
– Consider the source. There are impostor social media accounts out there.
– Be aware that other laws may apply.
Steps for Auditors to Consider
Steps: Training Program
Information security training in the workplace should be as common as ethics and diversity training! Determine if the training awareness program addresses:
– Business & personal social media activities using enterprise-owned equipment
– Business & personal social media activities using personally or third-party owned equipment
– Personal social media activities using personally or third-party owned equipment during business hours
– Personal social media activities discussing enterprise activities
– Alignment of both business and social media activities with the data classification scheme
– Consequences for failing to adhere to social media policies
– Spear phishing & fraudulent emails: the do's and don'ts
– Malware & ransomware: how the end user can help to avoid it.
Steps for Auditors to Consider
Steps: Social Media Processes
– Do processes exist to manage new and existing social media programs so that they adhere to enterprise strategy, governance and management objectives and policies?
– Is the enterprise brand protected from negative publicity or adverse reputational issues?
– Is enterprise information protected from unauthorized access or leakage through/by social media?
Steps: Technology Infrastructure
Does the IT infrastructure address the risks introduced by social media?
– Anti-malware, antivirus & anti-ransomware tools & firewall; make sure they are up to date
– Review your patch management program
– Information security response plan
– Content filtering & site blocking
– Data leak prevention products
– Have you implemented the 3-2-1 rule for backing up your files?
– Make sure all software is up to date, including your operating system, browser and any toolbar plug-ins you use.
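The 3-2-1 backup rule in the checklist above (three copies of the data, on two different media types, with one copy off-site) is the control that turns a ransomware incident from a ransom decision into a restore job. As an added example, not part of the presentation, the function below evaluates a backup inventory against the rule and reports each requirement that fails. The `BackupCopy` record format and the sample inventories are assumptions of this example; the `always_mounted` check goes slightly beyond the rule as stated on the slide and flags a copy that stays mounted on the primary host, because file-encrypting ransomware of the kind described earlier can reach such a copy along with the originals.

```python
from dataclasses import dataclass


@dataclass
class BackupCopy:
    """One copy of the data set (assumed inventory record for this example)."""
    label: str
    media: str            # e.g. "ssd", "tape", "cloud-object-storage"
    offsite: bool         # stored at a different physical/logical site than the primary
    always_mounted: bool = False  # permanently reachable as a writable volume from the primary host


def check_321(copies: list[BackupCopy]) -> list[str]:
    """Return the 3-2-1 requirements the inventory fails; an empty list means compliant."""
    findings = []

    # "3": three copies in total (the primary plus two backups)
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule needs 3")

    # "2": at least two different media types among those copies
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        listed = ", ".join(sorted(media_types)) or "none"
        findings.append(f"all copies on one media type ({listed}); the rule needs 2")

    # "1": at least one copy kept off-site
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy; the rule needs 1")

    # Beyond the rule: a backup that is always mounted shares the primary's fate under ransomware
    for c in copies:
        if c.always_mounted and c.label != "primary":
            findings.append(f"copy '{c.label}' is permanently mounted on the primary host")

    return findings


# Constructed sample inventories (not real systems)
COMPLIANT = [
    BackupCopy("primary", media="ssd", offsite=False, always_mounted=True),
    BackupCopy("nightly-nas", media="hdd", offsite=False),
    BackupCopy("cloud-archive", media="cloud-object-storage", offsite=True),
]
NON_COMPLIANT = [
    BackupCopy("primary", media="ssd", offsite=False, always_mounted=True),
    BackupCopy("mirror-drive", media="ssd", offsite=False, always_mounted=True),
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, check_321(inventory) or ["meets 3-2-1"])
```

Run against a real inventory, the findings map directly onto audit workpaper observations; the point of encoding the rule is that it is re-checked every time the inventory changes rather than once at policy sign-off.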
Steps for Auditors to Consider
Steps: Social Media Monitoring
Determination that operational risks are monitored:
– Monitoring of channels
– Third-party vendor management
– IT infrastructure and security
* ISACA: Social Media Audit / Assurance Program, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Audit-Assurance-Program.aspx
Questions & Answers
Michael Lisenby, Managing Partner
(404)-281-8005
www.rauschadvisory.com