SpearPhishingandotherSocialMediaThreats

MikeLisenby,ManagingPartnerofRauschAdvisoryServicesSeptember12,2016

Whatyoudon’tknowcanhurtyou

SpeakerBioMike Lisenby is the Managing Partner of Rausch Advisory Services. Mike has over18+ years of experience in helping businesses manage their technology resourcesand compliance needs effectively. His experience includes consulting and co-sourcing, IT Security, IT audits, Regulatory compliance, and technology securityassessments, risk identification, assessment and evaluation; risk response; riskmonitoring; IT control design and implementation; and IT control monitoring andmaintenance. Mike has held leadership roles with Arthur Andersen and severalother National Consulting Firms, and has prior experience with Fortune Brands andPhilip Morris.

He designed a Virtual Security Technology Center for a National Consulting Firm andran an ethical hacking / penetration testing team for Arthur Andersen.He has served on the Board of Directors for the Information Systems Audit andControl Association (ISACA/Atlanta & Milwaukee), and he holds a CRISC (Certifiedin Risk and Information Systems Control) Certification.

Agenda

• Definitions• Zero-DayVulnerability• Malware• Ransomware• SpearPhishing• SocialNetworkingSites

• HackingViaSocialNetworking• RisksofSocialMedia• StepsforAuditorstoConsider

Asmuchas80%ofallmalwareattackscomefromphishingattemptsusingdifferentvariationsofsocialengineeringtechniques,asperthe VerizonDataBreachInvestigations

Report (DBIR)2015.

Azerodayvulnerabilityreferstoaholeinsoftwarethatisunknowntothevendor.Thissecurityholeisthenexploitedbyhackersbeforethevendorbecomesawareandhurriestofixit—thisexploitiscalledazerodayattack.Usesofzerodayattackscanincludeinfiltratingmalware, spyware orallowingunwantedaccesstouserinformation.Theterm“zeroday”referstotheunknownnatureoftheholetothoseoutsideofthehackers,specifically,thedevelopers.Oncethevulnerabilitybecomesknown,aracebeginsforthedeveloper,whomustprotectusers.

Zero-DayVulnerability

Malware,shortfor malicioussoftware,isanysoftwareusedtodisruptcomputeroperations,gathersensitiveinformation,gainaccesstoprivatecomputersystems,ordisplayunwantedadvertising. BeforethetermmalwarewascoinedbyYisraelRadaiin1990,malicioussoftwarewasreferredtoascomputerviruses.

Malwareisdefinedbyitsmaliciousintent,actingagainsttherequirementsofthecomputeruser,anddoesnotincludesoftwarethatcausesunintentionalharmduetosomedeficiency.

Malware

Ransomware iscomputer malware thatinstallscovertlyonavictim'scomputer,executesanattackthatadverselyaffectsit,anddemandsa ransom paymenttorestoreit.Simpleransomwaremaylockthesysteminawaywhichisnotdifficultforaknowledgeablepersontoreverse,and displayamessage requestingpaymenttounlockit.

Moreadvancedmalware encryptsthevictim'sfiles,makingtheminaccessible,anddemandsaransompaymenttodecryptthem. Theransomwaremayalsoencryptthecomputer's MasterFileTable (MFT)ortheentireharddrive. Thus,ransomwareisadenial-of-accessattackthatpreventscomputerusersfromaccessingfiles sinceitis intractable todecryptthefileswithoutthedecryption key.Ransomwareattacksaretypicallycarriedoutusinga Trojan thathasapayloaddisguisedasalegitimatefile.

Ransomware

CryptoWallisoneofthemostpervasiveformsofmalwarefromthepastyear.Avariantofmalwareknownasransomware,itencryptsauser’sfilesrenderingtheminaccessibleanddemandsthataransomispaidtotheperpetratorstoregainaccess.CryptoWall3thelatestvariantofMalwareisresponsiblefor406,887attemptedinfectionsandaccountsforapproximately$325millionindamagessinceitsdiscoveryinJanuary2015,accordingtoareport bythe CyberThreatAlliance.

Ransomware CryptoWall

Ransomware LockyLocky(detectedbySymantecas Trojan.Cryptolocker.AF)spreadquicklysinceitfirstappearedonTuesday(February16). Oneofthemainroutesofinfectionhasbeenthroughspamemailcampaigns,manyofwhicharedisguisedasinvoices.ThespamcampaignsspreadingLockyareoperatingonamassivescale.Symantecanti-spamsystemsblockedmorethan5millionemailsassociatedwiththesecampaignsinoneday!

Figure1.ExampleofspamemailusedtodistributeLocky

Spearphishing isamoreselectiveandeffectiveschemethantraditionalphishingplots.Thistechniquehasraisede-scamstoanewlevelandhaslatelybecomethego-tochoiceformanyattacksthreateningindividualsandbusinesses.Spearphishingisawayofobtaininginformationthroughdeceptive,morepersonalizede-mailmessagesandsocialengineeringthatisfinelytailoredtothetarget.Nolongeraretheattacksconductedatrandom,buttheyareratherfocusedandpersistenteffectivelytohitaspecificvictimorgroupofvictims.

Spearphishing

A socialnetworkingservice (also socialnetworkingsite, SNS or socialmedia)isanonlineplatformthatisusedbypeopletobuild socialnetworks or socialrelations withotherpeoplewhosharesimilarpersonalorcareerinterests,activities,backgroundsorreal-lifeconnections.[1]

[1] Buettner,R.(2016). GettingaJobviaCareer-orientedSocialNetworkingSites:TheWeaknessofTies. 49thAnnualHawaiiInternationalConferenceonSystemSciences

SocialNetworking

Bulkharvesting – Hackerscan“scrape”socialnetworksandlearnwhoknowswhom.Bycreatingadatabaseofsocialconnections,aspearphishercanlearnwhichofBob’sfriendswouldbebesttoimpersonate.

APIbreach – Theapplicationprogramminginterfaces(APIs)thatconnectbackendsystemstomobiledevicesandwebsitescanbeaweaklinkinthesecurityperimeter.Forexample, vulnerabilities havebeendiscoveredintheFacebookAPI,potentiallyenablinghackerstoaccessvastnumbersof“socialgraphs”ofFacebookmembers.

Impersonationthroughaccounthijacking – Insomecases,thehackerposingasBobwilltakeoverBob’sactualsocialnetworkaccount.Thisisknownas“accounthijacking.”Withthisapproach,thehackerisnearlyindistinguishablefromBob.He’sloggingintoBob’saccountandusingitinplaceofBob.

HackingviaSocialNetworking

• FakeLinkedInAccountusinganattractivefemale,doyouconnect?• Hackersutilizefakeaccountstosimplygainconnectionsandendorsementsatfirst.• Thehackerscontrollingthefakeidentitytargetunsuspectinguserstogather

informationonJobtitles,personalandpasthistoryandlaunchmoresophisticatedsocialengineeringattacksagainstemployeesinordertobreakintotheircomputers.

• InapopularexamplearoundtheChristmasholidayhackershavecreatedasiteswithaChristmascardandpostedthelinktoitonthefakesocialmediaprofiles.ConnectionswhovisitedthesitewerepromptedtoexecuteasignedJavaappletthatopenedareverseshellbacktotheattackerviaanSSLconnection.

• Theattackusedbuilt-inJavafunctionalitytogettheshellinsteadofexploitingavulnerabilityandrequireduserinteraction.Oncetheyhaveashell,thehackerscanuseprivilegeescalationexploitstogainadministrativerightsandcansniffpasswords,installotherapplicationsandstealdocumentswithsensitiveinformation.

HackingusingSocialNetworking– LinkedInExample

ArecentstudyconductedbytheITtradeassociationCompTIAfoundthathumanerroristherootcauseof52%ofallsecuritybreaches[1].Thestudysuggeststhat“themainreasonthatcompaniesexhibitalowlevelofconcernoverhumanerroristhatitisaproblemwithoutanobvioussolution.”

Onecouldarguethatthisproblemcouldbeaddressedwithasizableinvestmentintraining.Thestudygoesontonotethatonly54%ofcompaniesoffersomeformofcybersecuritytrainingwiththemostcommonformatbeingnewemployeeorientationsorannualrefreshercourses.

[1]http://www.cbsnews.com/news/the-human-element-and-computer-security/

HackingusingSocialNetworking- NoPatchforHumanStupidity

RisksofSocialMediaNothavingasocialmediapolicy

• AformerCFOpostedonYouTubecriticizingChick-Fil-A- wentviralanddestroyedhiscareer.

• AnApplebee'swaitresstooktoRedditandpostedscannedcopyofareceiptthatfeaturedahaughtycommentfromacustomer.

• Ex-CFOGeneMorphisusedTwittertowriteaboutFrancesca'sHoldingsCorp.,itsresultsanddealingsbetweeninvestorsandhisboard.

Knowingthetemperatureandallowingopenreplies• JPMorganChaseaskedtwitterfollowerstosendquestionstoinvestment

bankerandcompanyvicechairmanJimmyLee."CanIhavemyhouseback?"and"Whatismoresatisfying:securitiesfraudonunsophisticatedpensionfundinvestors,orforeclosingonthoseyougaveAlt-Aloans?”

UserAccess:Nothavingacrisismanagementprogram• RetailerHMVstaffmemberslivetweetedacorporatebloodlettingintheU.K.

onthestore'sofficialfeed."We'retweetinglivefromHRwherewe'reallbeingfired!Exciting!!

AdditionalRisksofSocialMedia

Regulatory:Nothavingsocialmediatraining• TwoparamedicstudentswhowereintheERofMartinMemorialMedicalCenterin

Stuart,Floridaaspartoftheirtrainingtookdigitalphotosofapatient(sharkattackvictim),andsubsequentlye-mailedthephotostonumerousfriends.

• “[A]physician,onhisblog,calledapatient“lazy”and“ignorant”becauseshehadmadeseveralvisitstotheemergencyroomafterfailingtomonitorhersugarlevels.Inyetanothercase,amedicalstudentfilmedadoctorinsertingachesttubeintoapatient,whosefacewasclearlyvisible,andpostedthefootageonYouTube.

• HispanicsUnitedofBuffalo,acaseworkerthreatenedtocomplaintothebossthatotherswerenotworkinghardenough.Anotherworker,MarianaCole-Rivera,postedaFacebookmessageasking,“Myfellowco-workers,howdoyoufeel?”HispanicsfiredMs.Cole-Riveraandfourothercaseworkerswhorespondedtoher,sayingtheyhadviolatedthecompany’sharassmentpoliciesbygoingafterthecaseworkerwhocomplained.Ina3-to-1decisionthelaborboardconcludedthatthecaseworkershadbeenunlawfullyterminated.Itfoundthatthepostswerethetypeof“concertedactivity”for“mutualaid”thatisexpresslyprotectedbytheNationalLaborRelationsAct.

AdditionalRisksofSocialMedia

AdditionalRisksofSocialMediaInformation technology

– SpearPhishingBogusprofilesconnectingtogaincontactinformation

– Information leakageSitesleakyourwhereabouts

– Information integritySeveralsocialmediacampaignsusedtolureunsuspectinguserstoclickonhyperlinksinfectedwithmaliciouscode

– Inadequate authentication controls– Cross site scripting

Facebook'scontroversialInstantPersonalizationfeatureaffected– Insufficient anti-automation– (ex.Websense)– Nothavingaseatatthetable

.

Strategyandgovernance

43%ofbusinessesblockaccesstosocialmediaoncompany-ownedcomputersorhandhelddevices.- SocietyforHumanResourceManagementsurvey

BadIdeaifthisistheextentofyoursocialmediaStrategy&Governance.

Steps:Determination ofsocial media riskmanagementTheriskassociatedwithsocialmediaisidentified,evaluated,andalignedwithenterpriseriskprofilesandriskappetite.Riskmanagementisroutinelyevaluatedfornewandexistingsocialmediaprojects.– Risk mitigationstrategies employed– Included incrisis management plan– InitialRiskassessmentperformed– RePerformanceRiskassessmentsarere-performedwhensocialmedia

resourcesortechnologieschange– DataClassificationScheme

StepsforAuditorstoConsider

• Steps:Policies&ProceduresAneffectiveSocialMediapolicyaddresses:– Communicationprotocol– Standardizedterms/keywordsthatmayconveythecompanybrand,product,

image,campaign,businessinitiative,corporatesocialresponsibility– Useofstandardlogos,images,pictures,etc.– Employeepersonaluseofsocialmediaintheworkplace– Employeepersonaluseofsocialmediaoutsidetheworkplace– Employeeuseofsocialmediaforbusinesspurposes(personallyowned

devices)– Useofmobiledevicestoaccesssocialmedia– Requiredreview,monitoringandfollow-upprocessesforbrandprotection– Communicationofpolicyviasocialmediasitestoemployeesandacceptable

publicpostings– Notificationthatcompliancemonitoringwillbetherightofthecompany– Managementproceduresforcompanyaccountsonsocialmediasites– Responseprotocolsforresponseprocessonsocialmediaenvironments

StepsforAuditorstoConsider

Steps:Policies&Procedures

EffectiveSocialMediapolicies:– http://blog.adidas-group.com/wp-

content/uploads/2011/06/adidas-Group-Social-Media-Guidelines1.pdf

– http://hr.umich.edu/voices/docs/Social-Media-Guidelines.pdf

– http://www.coca-colacompany.com/stories/online-social-media-principles

AdditionalSocialMediaSamplePolicies

– http://socialmediagovernance.com/policies/

StepsforAuditorstoConsider

• Steps:People&Training– Legal:DeterminethatLegalcommunicateschangesingloballaws

andregulationsonsocialmedia– AssessmentofCompliance&Ethicsprogram:Determinethe

programcoverssocialmediarisks– IT:DeterminethatITincludessocialmedia,Malware,Ransomware

andSpearPhishingintheriskassessmentandmonitoring.Considerperiodicsocialmediausertestingsuchasspearphishingattempttraining.

– Marketing:Determinethatsocialmediaisincludedinstrategyandriskassessmentandthatmetricsareutilizedtomeasurereturnoninvestment.

– HR:Determinethatsocialmediaisbeingutilizedappropriatelyandconsistentlyinrecruitingandemploymentdecisions

StepsforAuditorstoConsider

Inthe2013SHRMsurvey,22percentofrespondentssaidtheyusesocialmediawebsiteslikeFacebookorInstagramtoresearchjobcandidates,adeclinefrom34percentin2008.

• Steps:ConsiderthefollowingwhenusingSocialMediaforHiring– Neveraskforpasswords.Askingforanapplicant’s(or

employee’s)passwordcreatesarealriskofviolatingthefederalStoredCommunicationsAct.

– HaveHRdoit.TheHRprofessionalismorelikelytoknowwhatheorshecanandcannotconsider.

– Looklaterintheprocess.Afteranapplicanthasbeeninterviewed,whenhisorhermembershipinprotectedgroupsislikelyalreadyknown.

– Beconsistent.Don’tlookatonlyoneapplicant’ssocialmediaprofiles.

– Documentdecisions.– Considerthesource.Thereareimpostorsocialmediaaccounts

outthere.– Beawarethatotherlawsmayapply

StepsforAuditorstoConsider

Steps:TrainingProgramInformationSecuritytrainingintheworkplacewouldbeascommonasethicsanddiversitytraining!Determineifthetrainingawarenessprogramaddresses:– Business&Personalsocialmediaactivitiesusingenterprise-

ownedequipment– Business&Personalsocialmediaactivitiesusingpersonallyor

third-partyownedequipment– Personalsocialmediaactivitiesusingpersonallyorthird-party

ownedequipmentduringbusinesshours– Personalsocialmediaactivitiesdiscussingenterpriseactivities– Alignmentofbothbusinessandsocialmediaactivitieswiththe

dataclassificationscheme– Consequencesforfailingtoadheretosocialmediapolicies– SpearPhishing&Fraudulentemailsthedo’sandDon'ts– Malware&Ransomwarehowtheendusercanhelptoavoidit.

StepsforAuditorstoConsider

Steps:SocialMediaProcesses

– Doprocessesexisttomanagenewandexistingsocialmediaprogramstoadheretoenterprisestrategy,governanceandmanagementobjectivesandpolicies

– Istheenterprisebrandprotectedfromnegativepublicityoradversereputationalissues

– Isenterpriseinformationprotectedfromunauthorizedaccessorleakagethrough/bysocialmedia

StepsforAuditorstoConsider

Steps: TechnologyInfrastructureDoestheITinfrastructuresupportsrisksintroducedbysocialmedia– Antimalware,antivirusantivirus&anti-ransomwaretools&Firewall,makesurethereuptodate– ReviewyourPatchmanagementprogram– Informationsecurityresponseplan– ContentFiltering&Siteblocking– Dataleakpreventionproducts– Haveyouimplementedthe 3-2-1rule forbackingupyourfiles– Makesureallsoftwareisuptodate,includingyouroperatingsystem,browserandanytoolbarplug-

insyouuse.

Steps:SocialMediaMonitoringDetermination that operational risksare monitored– Monitoring of channels– Third-party vendor management– IT infrastructure andsecurity

*ISACA: Social MediaAudit /Assurance Programhttp://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Audit-Assurance-Program.aspx

StepsforAuditorstoConsider

Questions&AnswersMichaelLisenbyManagingPartner(404)-281-8005

mlisenby@rauschadvisory.com

www.rauschadvisory.com

Followuson